Conference PaperPDF Available

# Mathematical Modelling of Identity, Identity Management and Other Related Topics

Authors:

## Abstract and Figures

There exist disparate sets of definitions with different se-mantics on different topics of Identity Management which often lead to misunderstanding. A few efforts can be found compiling several related vocabularies into a single place to build up a set of definitions based on a common semantic. However, these efforts are not comprehensive and are only textual in nature. In essence, a mathematical model of iden-tity and identity management covering all its aspects is still missing. In this paper we build up a mathematical model of different core topics covering a wide range of vocabular-ies related to Identity Management. At first we build up a mathematical model of Digital Identity. Then we use the model to analyse different aspects of Identity Management. Finally, we discuss three applications to illustrate the ap-plicability of our approach. Being based on mathematical foundations, the approach can be used to build up a solid understanding on different topics of Identity Management.
Content may be subject to copyright.
A preview of the PDF is not available
... An AC scheme allows the user to disclose all extra information (picture, date of birth, name or all other elements on the id card) only to the issuer. The issuer then provides the user with a certification of an identity attribute [7] (being over 18). This takes the form of a digital signature that the user can employ as a credential with the verifier in order to access its services. ...
... If the set is too small, or if the set contains issuers that do not issue credentials of the right type, the verifier may be able to associate a credential with a specific issuer. 7 To limit this kinds of attacks, the user's SSI client can integrate a conformity checker. The user should be able to input a desired security policy. ...
... Proof. We want to prove that the value output (W ) I of the interactive protocol Commitment reveal exchange in Figure 5 is the same as the one outputted by the original 1 , · · · , g 1 x k 1 ) 5 : (W, sk) ←\$Gen(X 1 , X 2 ,X 1 ) 6 : C * σ = ((C * 1 ), (C * 2 ), 7 : h * , (W ) * I , X ...
Article
Full-text available
Identity Management Systems (IMS) allow users to prove characteristics about themselves to multiple service providers. IMS evolved from impractical, site-by-site authentication, to versatile, privacyenhancing Self Sovereign Identity (SSI) Frameworks. SSI frameworks often use Anonymous Credential schemes to provide user privacy, and more precisely unlinkability between uses of these credentials. However, these schemes imply the disclosure of the identity of the Issuer of a given credential to any service provider. This can lead to information leaks. We deal with this problem by introducing a new Anonymous Credential scheme that allows a user to hide the Issuer of a credential, while being able to convince the service providers that they can trust the credential, in the absence of a trusted setup. We prove this new scheme secure under the Computational Diffie Hellman assumption, and Decisional Diffie Hellman assumption, in the Random Oracle Model. We show that this scheme is efficient enough to be used with laptops, and to be integrated into SSI frameworks or any other IMS.
... An AC scheme allows the user to disclose all extra information (picture, date of birth, name or all other elements on the id card) only to the issuer. The issuer then provides the user with a certification of an identity attribute [7] (being over 18). This takes the form of a digital signature that the user can employ as a credential with the verifier in order to access its services. ...
... If the set is too small, or if the set contains issuers that do not issue credentials of the right type, the verifier may be able to associate a credential with a specific issuer. 7 To limit this kinds of attacks, the user's SSI client can integrate a conformity checker. The user should be able to input a desired security policy. ...
... Proof. We want to prove that the value output (W ) I of the interactive protocol Commitment reveal exchange in Figure 5 is the same as the one outputted by the original 1 , · · · , g 1 x k 1 ) 5 : (W, sk) ←\$Gen(X 1 , X 2 ,X 1 ) 6 : C * σ = ((C * 1 ), (C * 2 ), 7 : h * , (W ) * I , X ...
Conference Paper
Full-text available
Identity Management Systems (IMS) allow users to prove characteristics about themselves to mul- tiple service providers. IMS evolved from impracti- cal, site-by-site authentication, to versatile, privacy- enhancing Self Sovereign Identity (SSI) Frameworks. SSI frameworks often use Anonymous Credential schemes to provide user privacy, and more precisely un- linkability between uses of these credentials. However, these schemes imply the disclosure of the identity of the Issuer of a given credential to any service provider. This can lead to information leaks. We deal with this problem by introducing a new Anonymous Credential scheme that allows a user to hide the Issuer of a creden- tial, while being able to convince the service providers that they can trust the credential, in the absence of a trusted setup. We prove this new scheme secure under the Computational Diffie Hellman assumption, and De- cisional Diffie Hellman assumption, in the Random Ora- cle Model. We show that this scheme is efficient enough to be used with laptops, and to be integrated into SSI frameworks or any other IMS.
... These definitions a re mostly i nconsistent a nd s emantics b ased. A definition founded on mathematical properties would help in providing a uniform definition of digital identity and reduce confusion [30]. A domain can be defined as the namespace in which an entity is represented and uniquely identified. ...
... Assume that D denotes the set of domains and d ∈ D defines the domain of a single organization whereas U D stands for the set of users in that domain. In [30] Ferdous et al. define A d as the set of attributes and AV d as the set of their values within d. Then they describe the attributes for a user in a particular domain d as ...
... An identifier is a unique value used to distinguish an entity in a given a domain [30]. e identifier i ∈ A d in domain d is defined as an attribute that always exists and is unique within the context. ...
Preprint
Full-text available
Self-sovereign identity is the next evolution of identity management models. This survey takes a journey through the origin of identity, defining digital identity and progressive iterations of digital identity models leading up to self-sovereign identity. It then states the relevant research initiatives, platforms, projects, and regulatory frameworks, as well as the building blocks including decentralized identifiers, verifiable credentials, distributed ledger, and various privacy engineering protocols. Finally, the survey provides an overview of the key challenges and research opportunities around self-sovereign identity.
... ese definitions are mostly inconsistent and semantics based. A definition founded on mathematical properties would help in providing a uniform definition of digital identity and reduce confusion [30]. A domain can be defined as the namespace in which an entity is represented and uniquely identified. ...
... An identifier is a unique value used to distinguish an entity in a given a domain [30]. e identifier i ∈ A d in domain d is defined as an attribute that always exists and is unique within the context. ...
... An attribute is a distinct and measurable name-value property belonging to an entity in a given context. e value of an attribute may be used to identify the entity, albeit the identification may not be unique to the entity [30]. ...
Article
Full-text available
Self-sovereign identity is the next evolution of identity management models. This survey takes a journey through the origin of identity, defining digital identity and progressive iterations of digital identity models leading up to self-sovereign identity. It then states the relevant research initiatives, platforms, projects, and regulatory frameworks, as well as the building blocks including decentralized identifiers, verifiable credentials, distributed ledger, and various privacy engineering protocols. Finally, the survey provides an overview of the key challenges and research opportunities around self-sovereign identity.
... The identification process begins with the holder of an electronic identity presenting a unique attribute in a given context, i.e., an identifier that differentiates it from all other electronic identities in that context [34]. The most common example is providing an email address when signing up for a subscription service. ...
Article
Full-text available
Self-Sovereign Identity (SSI) is an identity model centered on the user. The user maintains and controls their data in this model. When a service provider requests data from the user, the user sends it directly to the service provider, bypassing third-party intermediaries. Thus, SSI reduces identity providers' involvement in the identification, authentication, and authorization, thereby increasing user privacy. Additionally, users can share portions of their personal information with service providers, significantly improving user privacy. This identity model has drawn the attention of researchers and organizations worldwide, resulting in an increase in both scientific and non-scientific literature on the subject. This study conducts a comprehensive and rigorous systematic review of the literature and a systematic mapping of theoretical and practical advances in SSI. We identified and analyzed evidence from reviewed materials to address four research questions, resulting in a novel SSI taxonomy used to categorize and review publications. Additionally, open challenges are discussed along with recommendations for future work.
... Based on the digital identity mathematical model defined by Ferdous, Norman, and Poet [15], E denotes the digital entity, which corresponds to a specific student, an academic or an administrative staff in the university context. A set of contexts, C, and subsets of contexts could be considered, inside and outside university. ...
Conference Paper
Full-text available
user-centred identifier enables verifiable and decentralized digital identity, and lead users to control and to generate their own identifiers using systems they trust. This is how Self-Sovereign Identity works. This paper presents the case of universities, where several different agents need their own identifier and shows a digital identity mathematical model. Moreover, the Alastria model for the university context is detailed.
... The identification process consists of an electronic identity holder showing a unique attribute in a given context, i.e., an identifier used to distinguish it from all other electronic identities in that context [46]. The classic example is providing an email address when subscribing to a subscription service. ...
Preprint
Full-text available
Self-Sovereign Identity is a user-centric identity model. In this model, the user maintains and controls their data. When requested by a service provider, user data is sent directly by the user, without the intermediation of third parties. Thus, in Self-Sovereign Identity, the participation of known identity providers for proof of identity is reduced, which increases user privacy. This identity model has attracted the attention of researchers and organizations around the world. All this interest increased the number of scientific articles published on the subject. The analysis of published materials showed that ideas and proposals are very diverse and dispersed. Although there are few systematic reviews, they lack methodological rigor and are limited to a small subset of published works. This study presents a rigorous systematic mapping and systematic literature review covering theoretical and practical advances in Self-Sovereign Identity. We identified and aggregated evidence from publications to answer four research questions, resulting in a classification scheme used to categorize and review publications. Open challenges are also discussed, providing recommendations for future work.
Article
Full-text available
With the rise of the popularity in blockchain, there has been a major shift in its adoption towards real-world applications. In this paper, we explore the already available identity models and propose new methods to increase their scalability. It also talks about the "Laws of Identity" and how Self-Sovereign Identities abide by these laws. We explored different blockchains for identity models and proposed a framework to analyze their architecture and constraints regarding the Identity models. In the end we also discussed some real world applications and the companies currently working on decentralized identities.
Article
The traditional centralized digital identity management system (DIMS) has been subject to threats such as fragmented identity, single point of failure, internal attacks and privacy leakage. Emerging blockchain technology allows DIMSs to be deployed in it, which largely alleviates the problems caused by the centralized third party, but its inherent transparency and lack of privacy pose a huge challenge to DIMSs. In this regard, we leverage the smart contracts and zero-knowledge proof (ZKP) algorithms to improve the existing claim identity model in blockchain to realize the identity unlinkability, effectively avoiding the exposure of the ownership of attributes. Furthermore, we implement a system prototype named BZDIMS that includes a challenge-response protocol, which allows users to selectively disclose their ownership of attributes to service providers to protect users’ behavior privacy. Performance evaluation and security analysis show that our scheme achieves effective attribute privacy protection and a wider application scope compared with the prior model.
Article
Full-text available
In the last decade or so, we have experienced a tremendous proliferation and popularity of different Social Networks (SNs), resulting more and more user attributes being stored in such SNs. These attributes represent a valuable asset and many innovative online services are offered in exchange of such attributes. This particular phenomenon has allured these social networks to act as Identity Providers (IdPs). However, the current setting unnecessarily imposes a restriction: a user can only release attributes from one single IdP in a single session, thereby, limiting the user to aggregate attributes from multiple IdPs within the same session. In addition, our analysis suggests that the manner by which attributes are released from these SNs is extremely privacy-invasive and a user has very limited control to exercise her privacy during this process. In this article, we present Social Anchor, a system for attribute aggregation from social networks in a privacy-friendly fashion. Our proposed Social Anchor system effectively addresses both of these serious issues. Apart from the proposal, we have implemented Social Anchor following a set of security and privacy requirements. We have also examined the associated trust issues using a formal trust analysis model. Besides, we have presented a formal analysis of its protocols using a state-of-the-art formal analysis tool called AVISPA to ensure the security of Social Anchor. Finally, we have provided a performance analysis of Social Anchor.
Article
Full-text available
Digital identity is the ground necessary to guarantee that the Internet infrastructure is strong enough to meet basic expectations such as security and privacy. Anywhere anytime mobile computing is becoming true. In this ambient intelligent world, the choice of the identity management mechanisms will have a large impact on social, cultural, business and political aspects: privacy is a human need and the all of society would suffer from the de-mise of privacy; people have hectic life and cannot spend their whole time administering their digital identities. The choice of identity mechanisms will change the social, cultural, business and political environment. Furthermore, the identity management is also a promising topic for modern society. Recent technological advance in user identity management has highlighted the paradigm of federated identity management and user-centric identity management as improved alternatives. The first one empowers the management of identity and the second the users to actively manage their identity information and profiles. It also allows providers to deal easily with privacy aspects regarding user expectations. This problem has been tackled with some trends and emerging solutions. Firstly, we provide an overview of identity management from identity 1.0 to identity 2.0 with emphasis on user centric approaches. Also we survey how have evolved the requirements for user-centric identity management and their associated technologies with emphasis on the federated approaches and user-centricity. Secondly, we will focus on related standards XRI and LID issued from Yadis project, and platforms mainly ID-WSF, OpenID, InfoCard, Sxip and Higgins. At the end, we treat the identity management in the field of mobility and focus on the future of mobile identity management.
Article
Full-text available
OpenStack is an open source cloud computing project that is enjoying wide. While many cloud deployments may be stand-alone, it is clear that secure federated community clouds, i.e., inter-clouds, are needed. Hence, there must be methods for federated identity management (FIM) that enable authentication and authorisation to be flexibly enforced across federated environments. Since there are many different FIM protocols either in use or in development today, this paper addresses the goal of adding protocol independent federated identity management to the OpenStack services. After giving a motivating example for secure cloud federation, and describing the conceptual design for protocol independent federated access, a detailed federated identity protocol sequence is presented. The paper then describes the implementation of the protocol independent system components, along with the incorporation of two different FIM protocols, namely SAML and Keystone proprietary. Finally performance measurements of the protocol independent components, and the two different protocols dependent components are presented, before the paper concludes with the current limitations.
Article
Full-text available
‘Identity thieves make thousands of victims!’ is a typical headline of current e-zines. One pictures thousands of people panicking and pursuing thieves running away with their identities. Reality is different, of course. Identity criminals do no steal identities: they use identity as a tool to steal money. And the typical victim does not notice the crime until long after the criminal has booked a one-way ticket to the tropics. A good reason to have a look at the terminology of identity ‘theft’, identity fraud, and identity-related crime.
Article
Full-text available