Mathematical Modelling of Trust Issues in Federated Identity Management

© IFIP International Federation for Information Processing 2015.
Md. Sadek Ferdous¹, Gethin Norman¹, Audun Jøsang² and Ron Poet¹
¹ School of Computing Science, University of Glasgow, Glasgow, G12 8QQ, Scotland
² Department of Informatics, University of Oslo, Oslo, 0316, Norway
{sadek.ferdous,gethin.norman,ron.poet}@glasgow.ac.uk, josang@mn.uio.no
Abstract. With the absence of physical evidence, the concept of trust plays a crucial role in the proliferation and popularisation of online services. In fact, trust is the inherent quality that binds together all involved entities and provides the underlying confidence that allows them to interact in an online setting. The concept of Federated Identity Management (FIM) has been introduced with the aim of allowing users to access online services in a secure and privacy-friendly way and has gained considerable popularity in recent years. Being a technology targeted for online services, FIM is also bound by a set of trust requirements. Even though there have been numerous studies on the mathematical representation, modelling and analysis of trust issues in online services, a comprehensive study focusing on the mathematical modelling and analysis of trust issues in FIM is still absent. In this paper we aim to address this issue by presenting a mathematical framework to model trust issues in FIM. We show how our framework can help to represent complex trust issues in a convenient way and how it can be used to analyse and calculate trust among different entities qualitatively as well as quantitatively.
Keywords: Trust, Federated Identity Management, Mathematical Modelling.
1 Introduction
Unlike the brick and mortar world, the physical evidence and visual cues that can be used to establish trust and gain confidence are largely absent in online services. Despite this, the popularity of online services has grown exponentially in the last decade or so. The concept of trust played a crucial role in popularising online services. In fact, trust is the inherent quality that binds together all involved entities and provides the underlying confidence that allows them to interact in an online service. Mathematical models and analyses of different trust requirements in online services abound and form a well-established research area. Such a model helps to express and to reason with trust issues in a formal way which can ultimately help to create novel ways for determining trust among involved entities.
The concept of Federated Identity Management (FIM) has been introduced to ease the burden of managing different online identities and to allow users to access online services in a secure and privacy-friendly way [1]. FIM offers an array of advantages to different stakeholders and has gained considerable popularity in recent years. Being a technology targeted for the online setting, FIM is also bound by a set of trust requirements. Surprisingly, the mathematical representation, modelling and analysis of different trust requirements of FIM have received little attention so far. The aim of this paper is to fill this gap.
The original publication is available at www.springer.com
Here, we present a comprehensive mathematical framework considering different trust aspects targeted for FIM. In doing so, we show how our framework can formally express trust in FIM and how such expressions can be used to analyse and evaluate trust qualitatively and quantitatively. The main contributions of the paper are:
1. Inspired by the notation of trust presented in [14], we present a notation to
express trust between different entities in FIM.
2. We use this notation to develop the first mathematical framework to model,
analyse and derive trust in different types of identity federations.
3. We explore trust transformations resulting from interactions in FIM.
4. Finally, we present a simple method to evaluate trust quantitatively in FIM.
The paper is structured as follows. Section 2 provides a brief introduction to FIM
and the required trust issues in this setting. Section 3 introduces the notation
and the interaction model that will be used in our framework. The trust issues in
different types of identity federations are modelled in Sections 4 and 5. We show
how trust transformations occur within different federations using our framework
in Section 6 and how trust can be calculated quantitatively in Section 7. Section 8
discusses the related work and finally Section 9 concludes the paper.
2 Background
In this section, we provide a brief introduction to FIM, to different aspects of
trust in general and to trust issues in FIM specifically.
Federated Identity Management. Identity Management consists of technologies and policies for representing and recognising entities using digital identifiers within a specific context [7]. A system that is used for managing the identity of users is called an Identity Management System (IMS). Each IMS includes the following types of parties: Service Providers (SPs) or Relying Parties (RPs) - entities that provide services to users or other SPs, Identity Providers (IdPs) - entities that provide identities to users to enable them to receive services from SPs and Clients/Users - entities that receive services from SPs. Among different IMS, Federated Identity Management (FIM) has gained much attention and popularity.
Federated Identity Management is based on the concept of Identity Federation. A federation with respect to Identity Management is a business model in which a group of two or more trusted parties legally bind themselves with a business and technical contract [1,17]. It allows a user to access restricted resources seamlessly and securely from other partners residing in different Identity Domains. An identity domain is the virtual boundary, context or environment in which an identity of a user is valid [17]. Single Sign On (SSO) is the capability that allows users to log in to one system and then access other related but autonomous systems without further logins. It alleviates the need to log in every time a user needs to access those related systems. A good example is the Google Single Sign On service which allows users to log in to a Google service, e.g., Gmail, and then allows them to access other Google services such as Calendar, Documents, YouTube, Blogs and so on.
Fig. 1. Federated Identity Domain: (a) Type 1, (b) Type 2.
A federated identity domain can be formed by one IdP in an identity domain
and a number of SPs with each SP residing in a separate identity domain (Type
1 in Figure 1(a)). Several federated identity domains can be combined to form
a larger federated identity domain where each smaller federated domain is of
Type 1 (Type 2 in Figure 1(b)). A Type 2 federation allows an IdP of a Type 1
federation to delegate the authentication task to another IdP in a different Type
1 federation. To enable this, both IdPs need to act as both IdPs and SPs. The
issue of trust is a fundamental concept in FIM as different autonomous bodies
need to trust each other inside the federation. Such parties inside a federation
are said to form the so-called Circle of Trust (CoT).
A federation can be of two types depending on how it is created. The traditional federation, also called a Static Federation, is where the federation is created at the admin level and is bound with a legal contract using a specified set of administrative procedures. On the other hand, in a Dynamic Federation any user, not only administrators, can create the federation in a dynamic fashion without administrative intervention or a legally binding contract [3].
Trust. The concept of trust and trust management in the setting of online
services is a widely studied topic and has been defined in numerous ways. For
the purpose of this paper, we use the following definition taken from [11] which
was originally inspired by [13].
“Trust is the extent to which one party is willing to depend on something or somebody in a given situation with a feeling of relative security, even though negative consequences are possible.”
The definition gives a directional relationship between two entities: the first is regarded as the Trustor and the second the Trustee. The trustor and trustee can be any entity; however, in the scope of this paper, only those involved in FIM will be considered (i.e. users, IdPs and SPs). The pairwise trust relations we consider are user-IdP, user-SP, IdP-SP and IdP-IdP, which is in line with the current IMS setting and the relationships that occur inside a federation.
Trust can be of two types: Direct Trust (DT) and Indirect Trust (IT) [12]. Direct trust signifies that there exists a trust relationship between the entities based on first hand experience and evidence. On the other hand, indirect trust, also known as Transitive Trust, is a trust relationship between two entities based on referral from one or more intermediate third parties.
Every trust relationship has a scope that signifies the specific purpose or context in which that trust relationship is valid. The trust strength (also known as the trust degree) signifies the level of trust a trustor has over a trustee [14]. The type and value used to define the level of trust will vary depending on the trust scopes as well. Trust can be defined as Mutual Trust only if there is a bi-directional trust relationship with the same trust type, scope and strength between the corresponding entities. In such a case, both entities can act as the trustor and the trustee. Trust often exhibits the transitivity property [11]: if an entity $A$ trusts another entity $B$ and $B$ trusts another entity $C$, a trust relation can be derived between $A$ and $C$. To derive such a transitive trust relation, the trust scope must be the same. Trust transformation is the process by which a trust relationship between two entities changes due to a change of trust strength while the trust type remains the same. Such a transformation normally occurs for two reasons: i) when the trust is derived following the transitivity property and ii) when one entity interacts with another entity to perform a certain action which ultimately triggers the change in the trust strength. The transformation can be positive, meaning the new trust strength is higher than it was before, or negative, meaning the new trust strength is lower than it was before.
A trust with a single scope can be defined as atomic trust. Compound trust
can be defined as the combined trust of several different atomic trusts where the
trustor, trustee and the trust direction and strength between them remain the
same. The compound trust will also have the same trust direction and strength.
Trust Issues in Identity Management. The issue of trust is a fundamental
concept in FIM as different participating organisations need to trust each other
inside the federation at a sufficient level to allow them to exchange and trust
user information. We will consider such trust issues using two separate instances.
The first, called High Level trust, is the abstract level of trust that is assumed
between federated entities (IdPs and SPs) in a federation. This level of trust is
common in the existing literature on FIM. For example, it is common to express
that two entities trust each other if they belong to the same CoT. In such an
expression, the trust is treated at an abstract level and is used mostly to signify
their architectural relation inside a federation.
The second, called Fine-grained trust, is a detailed expression of trust including the scope between entities (including users) in a federation. The expression may (optionally) include a trust type or strength. Inspired by the requirements outlined in [8,12], the authors in [2] have outlined a set of fine-grained trust requirements in the traditional federation which are applicable for both Type 1 and Type 2 federations. We will use their requirements to represent fine-grained trusts in Section 4.
Trust in a dynamic federation is modelled using three classes of entities [3]: Fully Trusted entities are IdPs and SPs in the traditional SAML (Security Assertion Markup Language) federation which have a legal contract between them [18]; Semi-trusted entities are SPs in a dynamic federation that have been added dynamically to an IdP inside the federation under some conditions without a contract and to whom any user of the IdP has agreed to release a subset of her attributes; and Untrusted entities are IdPs and SPs in a dynamic federation which have been added dynamically under some conditions without a contract. A detailed discussion of these classes can be found in [3].
3 Notation
In this section we will introduce the notation that will be used to build up the model. We use $E$ to denote the set of entities, with $U$ the set of users, $SP$ the set of service providers and $IDP$ the set of identity providers. Since each user, SP and IdP is also an entity, we have $E = U \cup IDP \cup SP$. In addition, $F$ denotes the set of federations and we will use subscripts from $F$ to define the contexts of entities (i.e. the federation in which they belong). For example, $E_f$ will be used to denote the set of entities in a federation $f$. We use $T$ to denote the set of trust types. As explained above, we consider two types of trust: direct trust (denoted by $DT$) and indirect trust (denoted by $IT$). Therefore, $T = \{DT, IT\}$.
We use $S$ for the set of trust scopes. Different trust scopes can be defined depending on the trust requirements. We consider the following trust scopes for FIM based on the fine-grained trust requirements of [2]:
- REG is trust in the implementation of the registration process;
- STO is trust in secure attribute storage;
- AUTHN is trust in the implementation of the authentication mechanism;
- AP is trust in allowing the use of anonymous or pseudonymous identifiers;
- CONSENT is trust in the release of only those attributes consented to;
- ABU is the trust that an entity will not abuse attributes released to it;
- CARE is the trust that an entity handles her attributes with adequate care;
- HON is the trust that an entity provides attribute values honestly;
- ACDA is the trust that an entity adheres to the agreed policies and procedures during access control and delegated access;
- SRV is the trust in service provisioning;
- MIN-ATT is the trust that an entity requests only minimal attributes;
- REL is the trust in an entity correctly releasing attributes;
- ND is the trust in an entity adhering to the non-disclosure of attributes;
- FED is trust between federated entities.
We consider the following types of trust strengths in FIM.
Subjective Trust. This defines the subjective trust a user may have in IdPs and SPs in a federation and will be denoted with conf. It can have different levels, however, we have opted for three levels: LOW (L), MED (M), HIGH (H).
Level of Assurance (LoA). This defines the trust strength between federated IdPs and SPs and is used during service provisioning. It is based on the NIST LoA guidance of 1 to 4 where Level 1 can be used to model the lowest trust and Level 4 the highest [15]. It will be denoted as loa with values from 1 to 4.
Federation Trust. The last type concerns the trust strength between federated IdPs and SPs with respect to their architectural relations. It is denoted with fed-trust and can take four different values: UNTRUSTED (UT), SEMI-TRUSTED (ST), RESTRICTED-TRUSTED (RT) and FULLY-TRUSTED (FT). The lowest trust strength UT means a trustor does not trust a trustee at all and is associated between entities federated in a dynamic fashion or between entities in a transitive trust in static federations (see below). The strength ST means a trustor trusts a trustee up to a certain level. An example is the trust strength between a dynamically federated IdP and an SP and the fact that the IdP may not want to release sensitive attributes to the SP as there is no formal agreement between them. The strength RT is higher than ST, but lower than FT. Such a strength is exhibited when the trust relationship between a trustor and trustee is derived using transitivity and the trustor may not fully trust the trustee as there are no formal agreements between them. The strength FT signifies the highest strength and is exhibited when the trustor and trustee are part of a traditional federation. The federation trust strengths are ranked:
$$UT < ST < RT < FT.$$
To indicate that an entity $e_1 \in E_f$ (the trustor) has $t \in T$ trust over an entity $e_2 \in E_f$ (the trustee) in a federation $f \in F$ with a trust scope of $s \in S$ and the trust strength of $v$, we will use the following notation, inspired by [14]:
$$e_1 \xrightarrow[v]{t:s} e_2$$
where $v$ represents the trust strength (either conf, loa or fed-trust). To express the same trust $t$ between two entities $e_1$ and $e_2$ with the same trust strength $v$ in a number of different scopes, $s_1, \ldots, s_n$, we extend the notation to:
$$e_1 \xrightarrow[v]{t:\{s_1,\ldots,s_n\}} e_2$$
If there exists a mutual trust ($t$) between two entities in the same trust scope(s) with the same trust strength ($v$), we use the notation:
$$e_1 \xleftrightarrow[v]{t:s} e_2$$
3.1 Interaction Model
To enable a protocol flow in a federation, each entity interacts with another entity in order to perform an action at another entity. A user interacting with an IdP to authenticate herself by providing an identifier (e.g. username) and a credential (e.g. password) is an example of an interaction. Interaction between entities to perform an action can cause the trust between the involved entities to transform. The interaction model consists of the actions that an entity can perform at another entity in a federation. Such interactions must be carried out using a communication channel. We will use the notation CHANNEL to define the set of channels. Two types of channels will be considered: secure channels, denoted $SC$, model secure HTTPS connections whereas unsecured channels, denoted $UC$, model unsecured HTTP connections.
To denote an interaction in which an entity $e_1$ performs action $a$ at entity $e_2$ using communication channel $c$, we will use the following notation: $c(e_1 \xrightarrow{a} e_2)$. There could be many interactions in a federation; however, within the scope of this paper, we restrict attention to the following interactions:
- $c(u \xrightarrow{RG} idp)$ representing user $u$ registering at IdP $idp$ through channel $c$;
- $c(u \xrightarrow{A} idp)$ representing user $u$ authenticating herself at IdP $idp$ through channel $c$;
- $c(idp \xrightarrow{AP} u)$ representing IdP $idp$ allowing user $u$ to use anonymous or pseudonymous identifiers through channel $c$;
- $c(idp \xrightarrow{C} u)$ representing IdP $idp$ providing user $u$ with the opportunity to provide consent for releasing selected attributes through channel $c$;
- $c(idp \xrightarrow{RL} sp)$ representing IdP $idp$ releasing user $u$’s selected attributes to the SP $sp$ through channel $c$.
4 Trust Modelling in Traditional (Static) Federations
In this section, we model trust between different entities in traditional federa-
tions. We will consider first high level trust and then fine-grained trust.
4.1 High Level Trust Modelling
We can express the high level trust in a Type 1 federation $f \in F$ between an IdP $idp \in IDP_f$ and an SP $sp \in SP_f$ by:
$$idp \xleftrightarrow[FT]{DT:FED} sp$$
This signifies that $idp$ and $sp$ have a mutual direct trust in the scope of the federation. Since it is a Type 1 federation, the entities trust each other fully, hence the trust strength is fully trusted (FT).
Let us now consider a Type 2 Federation consisting of two Type 1 federations, say $f_1, f_2 \in F$. Since $f_1$ and $f_2$ are Type 1 federations, we have for $i \in \{1,2\}$, $idp_i \in IDP_{f_i}$ and $sp_i \in SP_{f_i}$:
$$idp_i \xleftrightarrow[FT]{DT:FED} sp_i$$
Trust between an IdP $idp_1 \in f_1$ and an IdP $idp_2 \in f_2$ deserves further attention. Since they are in a Type 2 federation, these IdPs will act as both IdPs and SPs depending on the use-cases. Without specifying which entity acts as what, we can model the underlying trust relations between these IdPs as follows:
$$idp_1 \xleftrightarrow[FT]{DT:FED} idp_2$$
Next we model the trust transitivity property of [11] by introducing the following rules to derive a transitive trust between entities in a Type 2 Federation.
Rule 1 (Trust Type in a Transitive Trust.) A derived transitive trust be-
tween entities in a traditional Type 2 Federation must be of indirect trust type.
Rule 2 (Trust Strength in a Transitive Trust.) The strength of the derived
trust is that immediately below the lowest value of the intermediate trusts except
when no such value exists, in which case the strength will be the lowest value.
The trust type between the entities changes in a transitive trust since they are not directly connected with each other. The trust strength between entities in a transitive trust changes because there need not exist a formal agreement between the entities, and hence the rule ensures that the derived level of trust is the lowest among (or lower than) any intermediate trust levels in the transitive path. The rule also includes a limiting condition to ensure that the trust strength does not reduce to an undetermined value as it is reduced along a transitive path of trust.
Next, let us consider a Type 2 Federation consisting of two Type 1 federations $f_1, f_2 \in F$. For $sp_1 \in SP_{f_1}$, $idp_1 \in IDP_{f_1}$ and $idp_2 \in IDP_{f_2}$ the transitive trust between $sp_1$ and $idp_2$ can be derived using Rule 1 and Rule 2 as follows:
$$\frac{sp_1 \xleftrightarrow[FT]{DT:FED} idp_1 \qquad idp_1 \xleftrightarrow[FT]{DT:FED} idp_2}{sp_1 \xleftrightarrow[RT]{IT:FED} idp_2}$$
We can use these rules to derive trust between any number of entities in a Type 2 federation. For example, consider three federations $f_1, f_2, f_3 \in F$ with three different IdPs $idp_1 \in IDP_{f_1}$, $idp_2 \in IDP_{f_2}$ and $idp_3 \in IDP_{f_1}$. Furthermore, suppose there is a Type 2 federation between $f_1$ and $f_2$ and another between $f_2$ and $f_3$, and hence both $idp_1$ and $idp_2$, and $idp_2$ and $idp_3$ are directly connected. For an SP $sp_1$ in federation $f_1$ we can derive the trust relations between $sp_1$ and $idp_3$ using Rule 1 and Rule 2 and the following proof tree:
$$\frac{\dfrac{sp_1 \xleftrightarrow[FT]{DT:FED} idp_1 \qquad idp_1 \xleftrightarrow[FT]{DT:FED} idp_2}{sp_1 \xleftrightarrow[RT]{IT:FED} idp_2} \qquad idp_2 \xleftrightarrow[FT]{DT:FED} idp_3}{sp_1 \xleftrightarrow[ST]{IT:FED} idp_3}$$
4.2 Fine-grained Trust Modelling
Now, we model fine-grained trust for a Type-1 Federation as outlined in [2]. In the following scenarios, each trust will include a strength conf or level of assurance loa in a Type 1 federation $f \in F$ between a user $u \in U_f$, IdP $idp \in IDP_f$ or SP $sp \in SP_f$. The trust strength conf is assumed when one of the entities is a user and loa when the trust is between an IdP and SP.
User Trust in the IdP.
T1. The user trusts that the IdP has correctly implemented user registration procedures and authentication mechanisms (denoted T2 in [8]):
$$u \xrightarrow[conf]{DT:\{REG,AUTHN\}} idp$$
Note the direction between the said entities. Since it is not a mutual trust, the
direction of trust is from the user to the IdP. Also, as there are two trust scopes
(registration and authentication).
T2. The user trusts that the IdP allows the user to utilise anonymous or pseudonymous identifiers (denoted T1 in [8]):
$$u \xrightarrow[conf]{DT:AP} idp$$
T3. The user trusts that the IdP will release only those attributes to the SP that the user has consented to:
$$u \xrightarrow[conf]{DT:CONSENT} idp$$
T2 and T3 can be combined to denote the user trusting the IdP to protect the
privacy of the user through the following rule for compound trust of privacy.
Rule 3 (Compound Trust of Privacy.) A compound trust of Privacy (PRIV )
is a user’s trust in the IdP to preserve its privacy to an SP using anonymous
or pseudonymous identifiers (T2) and trust in allowing the user to choose and
provide consent regarding the attributes that it wants to release to the SP (T3).
Formally we have:
$$\frac{\left[u \xrightarrow[conf]{DT:AP} idp\right] \qquad \left[u \xrightarrow[conf]{DT:CONSENT} idp\right]}{\left[u \xrightarrow[conf]{DT:PRIV} idp\right]}$$
As mentioned earlier, the trust direction and strength must be same in T2 and
T3 and the compound trust will inherit these values.
T4. The user trusts that the IdP has satisfactory mechanisms to store user attributes safely and securely:
$$u \xrightarrow[conf]{DT:STO} idp$$
User Trust in the SP.
T5. The user trusts that the SP will ask only for the minimum number of user attributes that are required to access any of its services:
$$u \xrightarrow[conf]{DT:MIN\text{-}ATT} sp$$
T6. The user trusts that the SP will not abuse the released user attributes and will use them only for the stated purpose(s):
$$u \xrightarrow[conf]{DT:ABU} sp$$
IdP and SP Trust in the User.
T7. The IdP trusts that the user handles their authentication credentials with adequate care (denoted as T3 in [8]):
$$idp \xrightarrow[conf]{DT:CARE} u$$
T8. The SP trusts that the user is honest while providing attributes to an IdP:
$$sp \xrightarrow[conf]{DT:HON} u$$
IdP Trust in the SP:
T9. The IdP trusts that the SP adheres to the agreed privacy policies regarding non-disclosure of user data (denoted as IdP-T.1 in [12]):
$$idp \xrightarrow[conf]{DT:\{ND,ABU\}} sp$$
In other words, the SP will not abuse the released user attributes and will use them only for the stated purpose(s). The policy might include that the SP will not cache any user-attributes other than those which are absolutely necessary. This is to ensure that the IdP can always provide the updated attributes regarding the user. In cases where the SP needs to cache any attributes (e.g. IdP-supplied identifiers), the SP must inform the IdP.
T10. The IdP trusts that the SP adheres to the agreed policies and procedures, if they are available regarding access control and delegated access:
$$idp \xrightarrow[conf]{DT:ACDA} sp$$
If there are no such policies or procedures, this requirement is ignored.
Like Rule 3, we can combine T9 and T10 to define a compound trust through
the following rule.
Rule 4 (Compound Trust of Policy.) A compound trust of Policy, denoted
as POL, is an IdP trust in a SP adhering to the non-disclosure of attributes and
not abusing the released attributes (T9) and maintaining the agreed policies and
procedures regarding access control and delegated access (T10). Formally:
$$\frac{\left[idp \xrightarrow[conf]{DT:\{ND,ABU\}} sp\right] \qquad \left[idp \xrightarrow[conf]{DT:ACDA} sp\right]}{\left[idp \xrightarrow[conf]{DT:POL} sp\right]}$$
As before, the trust direction and strength must be same in T9 and T10 and
the compound trust also will have that same trust direction and trust strength.
SP Trust in the IdP.
T11. The SP trusts that the IdP has implemented adequate procedures for registering users and for issuing credentials (denoted as T7 in [8]):
$$sp \xrightarrow[loa]{DT:REG} idp$$
This captures the realistic scenarios where a LoA value, determined and released by the IdP, is used by the SP to evaluate the level of trust it can have on the IdP in a specific trust scope. A lower LoA value may influence the SP to place a lower trust and similarly a higher LoA value may influence the SP to have a higher trust on the IdP for a particular scope.
T12. The SP trusts that the IdP will authenticate the user appropriately as per the requirement and will release user attributes securely:
$$sp \xrightarrow[loa]{DT:AUTHN} idp$$
We combine T11 and T12 to define a compound trust using the following rule.
Rule 5 (Compound Trust of Registration-Authentication.) A compound
trust of Registration-Authentication, denoted as RAUTH , outlines the SP trust
that the IdP registers users securely (T11) and authenticates users and releases
attributes as per the requirement (T12). Formally, we have:
$$\frac{sp \xrightarrow[loa]{DT:REG} idp \qquad sp \xrightarrow[loa]{DT:AUTHN} idp}{sp \xrightarrow[loa]{DT:RAUTH} idp}$$
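The compound-trust Rules 3, 4 and 5 can be checked mechanically. The sketch below is an added example, not code from the paper; the `Trust` record, the `atomic` and `compound` helpers and the sample strengths are assumptions made for illustration. It combines atomic trusts only when trustor, trustee, type and strength agree and the scopes together match one rule exactly.

```python
from dataclasses import dataclass

# Compound scope -> atomic scopes it is built from (Rules 3, 4 and 5 above).
COMPOUND_RULES = {
    "PRIV": frozenset({"AP", "CONSENT"}),      # Rule 3: T2 + T3
    "POL": frozenset({"ND", "ABU", "ACDA"}),   # Rule 4: T9 + T10
    "RAUTH": frozenset({"REG", "AUTHN"}),      # Rule 5: T11 + T12
}


@dataclass(frozen=True)
class Trust:
    """One trust statement: trustor --[ttype:scopes / strength]--> trustee."""
    trustor: str
    trustee: str
    ttype: str          # "DT" or "IT"
    scopes: frozenset   # one or more scope names
    strength: object    # conf level ("L", "M", "H") or loa (1..4)


def atomic(trustor, trustee, scopes, strength, ttype="DT"):
    """Hypothetical convenience constructor for a premise."""
    return Trust(trustor, trustee, ttype, frozenset(scopes), strength)


def compound(premises):
    """Return the compound trust derived from the premises, or raise ValueError."""
    if not premises:
        raise ValueError("at least one premise is required")
    first = premises[0]
    for p in premises[1:]:
        # Side condition stated after each rule: same direction and strength.
        if (p.trustor, p.trustee) != (first.trustor, first.trustee):
            raise ValueError("premises differ in trust direction")
        if p.ttype != first.ttype:
            raise ValueError("premises differ in trust type")
        if p.strength != first.strength:
            raise ValueError("premises differ in trust strength")
    covered = frozenset().union(*(p.scopes for p in premises))
    for name, required in COMPOUND_RULES.items():
        if covered == required:
            # The compound trust inherits direction, type and strength.
            return Trust(first.trustor, first.trustee, first.ttype,
                         frozenset({name}), first.strength)
    raise ValueError(f"no compound rule matches scopes {sorted(covered)}")


if __name__ == "__main__":
    # Constructed sample premises; the strengths are illustrative values.
    t2 = atomic("u", "idp", {"AP"}, "M")
    t3 = atomic("u", "idp", {"CONSENT"}, "M")
    print(compound([t2, t3]))
```
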
5 Trust Modelling in Dynamic Federations
In this section, we model trust between different entities in traditional federations. We only consider high level trust as the fine-grained trust for this federation is similar to traditional federations.
Type 1 Federation. Here, we have two different types of trust. To an SP, each dynamically added IdP will be treated as untrusted. Formally, in a Type 1 federation $f \in F$ for $sp \in SP_f$ and dynamically added $idp \in IDP_f$:
$$sp \xrightarrow[UT]{DT:FED} idp$$
However, to the IdP, the SP can be untrusted or semi-trusted depending on the conditions discussed previously:
$$idp \xrightarrow[\{UT,ST\}]{DT:FED} sp$$
Type 2 Federation. This is similar to the traditional Type 2 federation as discussed previously, except there is no mutual trust between dynamically added entities and static entities, hence we consider each trust direction separately. Using Rule 1 and Rule 2 we can derive a transitive trust between any two entities in a dynamic federation as follows. For $f_1, f_2 \in F$, $sp_1 \in SP_{f_1}$, $sp_2 \in IDP_{f_2}$, $idp_1 \in IDP_{f_1}$, $idp_2 \in IDP_{f_2}$ and where $idp_2$ has been added dynamically into federation $f_1$ and $sp_2$ has been added dynamically into federation $f_2$:
$$\frac{sp_1 \xrightarrow[FT]{DT:FED} idp_1 \qquad idp_1 \xrightarrow[UT]{DT:FED} idp_2}{sp_1 \xrightarrow[UT]{IT:FED} idp_2}$$
Since $idp_1$ acts as the SP to $idp_2$ and a dynamically added IdP is always treated as an untrusted entity to an SP, the trust from $idp_1$ to $idp_2$ is regarded as untrusted. A few more derivations are given below:
$$\frac{idp_2 \xrightarrow[UT]{DT:FED} idp_1 \qquad idp_1 \xrightarrow[FT]{DT:FED} sp_1}{idp_2 \xrightarrow[UT]{IT:FED} sp_1}$$
This derives the transitive trust between $idp_2$ and $sp_1$.
$$\frac{sp_2 \xrightarrow[UT]{DT:FED} idp_2 \qquad idp_2 \xrightarrow[UT]{DT:FED} idp_1}{sp_2 \xrightarrow[UT]{IT:FED} idp_1}$$
This derives the transitive trust between $sp_2$ and $idp_1$ and below we derive the transitive trust between $idp_1$ and $sp_2$.
$$\frac{idp_1 \xrightarrow[UT]{DT:FED} idp_2 \qquad \left[idp_2 \xrightarrow[\{UT,ST\}]{DT:FED} sp_2\right]}{idp_1 \xrightarrow[UT]{IT:FED} sp_2}$$
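Rule 1 and Rule 2 drive both the static derivations of Section 4.1 and the dynamic ones above, so a single function reproduces them all. This is an added example, not code from the paper; the `Trust` record, the function names and the treatment of each mutual trust as the one directed edge used by the derivation are assumptions. Longer paths are folded pairwise from the left, as in the nested proof tree of Section 4.1.

```python
from dataclasses import dataclass
from functools import reduce

# Federation trust strengths in the paper's ranking UT < ST < RT < FT.
FED_RANK = ["UT", "ST", "RT", "FT"]


@dataclass(frozen=True)
class Trust:
    """One directed trust statement: trustor --[ttype:scope / strength]--> trustee."""
    trustor: str
    trustee: str
    ttype: str      # "DT" (direct) or "IT" (indirect)
    scope: str      # e.g. "FED"
    strength: str   # one of FED_RANK


def derive(first, second):
    """Derive trust from first.trustor to second.trustee via the shared entity."""
    if first.trustee != second.trustor:
        raise ValueError(
            f"premises do not chain: {first.trustee} != {second.trustor}")
    if first.scope != second.scope:
        raise ValueError("transitive trust requires the same scope")
    lowest = min(FED_RANK.index(first.strength),
                 FED_RANK.index(second.strength))
    # Rule 2: immediately below the lowest premise, clamped at the lowest value.
    strength = FED_RANK[max(lowest - 1, 0)]
    # Rule 1: a derived transitive trust is always of indirect type.
    return Trust(first.trustor, second.trustee, "IT", first.scope, strength)


def derive_path(chain):
    """Fold a chain of trusts left to right, one derivation per hop."""
    if len(chain) < 2:
        raise ValueError("a transitive derivation needs at least two premises")
    return reduce(derive, chain)


# Premises taken from the derivations in Sections 4.1 and 5.
STATIC_CHAIN = [
    Trust("sp1", "idp1", "DT", "FED", "FT"),
    Trust("idp1", "idp2", "DT", "FED", "FT"),
    Trust("idp2", "idp3", "DT", "FED", "FT"),
]
DYNAMIC_CHAIN = [
    Trust("sp1", "idp1", "DT", "FED", "FT"),
    Trust("idp1", "idp2", "DT", "FED", "UT"),   # idp2 was added dynamically
]

if __name__ == "__main__":
    print(derive_path(STATIC_CHAIN[:2]))   # sp1 -> idp2
    print(derive_path(STATIC_CHAIN))       # sp1 -> idp3
    print(derive_path(DYNAMIC_CHAIN))      # sp1 -> idp2, dynamic case
```

Under these rules every additional fully trusted hop costs one rank, so a fourth FT hop appended to `STATIC_CHAIN` already yields UT.
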
6 Trust Transformation with Interactions
We have seen how trust is transformed due to transitivity. Next, we explore how it is transformed due to interactions. We use the following notation to denote a change of trust from $T_1$ to $T_2$ for an interaction $A$: $T_1 \xRightarrow{A} T_2$. Sometimes, we logically join (using the “∧” operator) more than one interaction to signify the fact that more than one interaction is required to trigger a trust transformation.
Trust transformation in Static Federations. Our first example explores
how the trust can be transformed between a user (the trustor) and an IdP (the
trustee). At the initial stage, the confidence (trust strength) of the user could be
low. Once the user is registered and authenticated using a secure communication
channel (e.g. HTTPS), the trust strength could increase to medium since it
reflects that the IdP is careful to maintain the confidentiality and integrity of
her data. For a federation f∈ F,uUfand idp IDPf, this is modelled by:
uDT :RAuth
Lidp{S C(uRG idp )}∧{SC (uAidp)}
=====================uDT :RAuth
Midp
The user may have another boost in trust when she has a positive interaction
with the IdP for a period. One example is the use of a consent form that allows
the user to select the attributes that she wants to release to an SP, and thus
allows her the option to provide consent to release data to the SP. Formally:
$$u \xrightarrow[M]{DT:SRV} idp \;\; \xRightarrow{\{SC(idp\ c\ u)\}} \;\; u \xrightarrow[H]{DT:SRV} idp$$
Our second example involves transforming privacy trust with interactions. The
involved interactions are the IdP allowing the user to use anonymous or pseudonymous
identifiers and offering the opportunity to provide consent regarding attributes.
The trust strength will initially be low and will transform to either
medium or high depending on different factors. Example factors are a user-friendly
interface that makes it easier for the user to choose anonymous or
pseudonymous identifiers or allows the user to choose attributes and provide
consent. The trust transformation is modelled by:
$$u \xrightarrow[L]{DT:PRIV} idp \;\; \xRightarrow{\{SC(idp\ AP\ u)\} \wedge \{SC(idp\ C\ u)\}} \;\; \left[\, u \xrightarrow[\{M,H\}]{DT:PRIV} idp \,\right]$$
Trust transformation in Dynamic Federations. For federation $f \in F$, $u \in U_f$,
$idp \in IDP_f$ dynamically added by $u$ and $sp \in SP_f$, the trust transformation
occurs only if $u$ has agreed to release her attributes from $idp$ to $sp$:
$$idp \xrightarrow[UT]{DT:FED} sp \;\; \xRightarrow{\{SC(u\ C\ idp)\} \wedge \{SC(idp\ RL\ sp)\}} \;\; idp \xrightarrow[ST]{DT:FED} sp$$
7 Quantifying Trust
In real life, trust is an analogue property, and hence it is difficult to represent with
discrete values. However, it might be useful to compute the trust between
involved entities using discrete values when the entities belong to a computational
system and require a discrete value to represent the trust in that system. Among
three pieces of information used to represent trust (type, scope and strength), we
only use type and strength to compute a trust value. This is because scope only
represents a context, a qualitative attribute, in which trust holds, while both
type and strength can be represented numerically. For example, direct trust
represents a higher confidence as it is based on first-hand experience, unlike indirect
trust. We introduce the following formula to quantify trust in a federation $f \in F$
between entities $e_1, e_2 \in E_f$ for trust scope $s$ where $e_1$ is the trustor and $e_2$ is
the trustee:
$$QT^{e_2}_{e_1}(s) = t^{e_2}_{e_1}(s) \cdot v^{e_2}_{e_1}(s)$$
where $QT^{e_2}_{e_1}(s)$, $t^{e_2}_{e_1}(s)$ and $v^{e_2}_{e_1}(s)$ represent the quantified trust, trust type and
strength of $e_1$ over $e_2$ in the scope $s$ for federation $f$.
In the formula, the trust strength quantifies how much trust one entity may
have over another entity and the trust type signifies the confidence in that
quantification. Trust type can be thought of as the weight of the trust strength.
Note that this is one way of quantifying trust and there are other possibilities.
We now consider a few examples. As stated above, to quantify trust we need
to give values to trust types and strengths. Regarding types, we assign 1 and 2
to indirect and direct trust respectively, and for strength, we assign 1, 2 and 3
to conf and 1, 2, 3 and 4 to fed-trust.
(a) Static Federation. (b) Dynamic Federation.
Fig. 2. Quantifying trust example.
We can now quantify trust in the federations illustrated in Figure 2. The left
box of Figure 2(a) illustrates a Type 1 static federation while Figure 2(a) and
Figure 2(b) illustrate Type 2 static and dynamic federations respectively. The
direct trust between $sp_1$ and $idp_1$ for the Type 1 static federation is given by:
$$QT^{idp_1}_{sp_1}(FED) = 2 \cdot 4 = 8$$
since the entities have direct trust between them ($t^{idp_1}_{sp_1}(FED) = 2$) and they
fully trust each other ($v^{idp_1}_{sp_1}(FED) = 4$).
For the static Type 2 federation in Figure 2(a), the indirect trust between
$sp_1$ and $idp_2$ is given by:
$$QT^{idp_2}_{sp_1}(FED) = 1 \cdot 3 = 3$$
This is because the entities have indirect trust between them ($t^{idp_2}_{sp_1}(FED) = 1$)
and according to 2, the trust strength between them ($v^{idp_2}_{sp_1}(FED) = 3$).
Similarly, for the dynamic Type 2 federation in Figure 2(b) and calculating
the indirect trust between $sp_1$ (the trustor) and $idp_2$ (the trustee), where
the trust strength between the transitive entities is not the same, we have:
$$QT^{idp_2}_{sp_1}(FED) = 1 \cdot 1 = 1$$
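The sketch below is an added example, not code from the paper: it encodes two of the Section 6 transformation rules as data, applies them to constructed interaction logs, and quantifies the result with the Section 7 formula. The class and function names, the entity names, the numeric positions of L, M, H and ST, and the choice of value table by scope are assumptions of this example.

```python
from dataclasses import dataclass, replace

# Section 7 values: indirect trust = 1, direct trust = 2.
TRUST_TYPE = {"IT": 1, "DT": 2}
# The page assigns 1..3 to conf and 1..4 to fed-trust and uses FT = 4 and UT = 1
# in its worked examples. L=1, M=2, H=3 and ST=2 are assumptions of this example.
CONF = {"L": 1, "M": 2, "H": 3}
FED_TRUST = {"UT": 1, "ST": 2, "FT": 4}


@dataclass(frozen=True)
class Trust:
    trustor: str
    trustee: str
    ttype: str      # "DT" (direct) or "IT" (indirect)
    scope: str      # e.g. "RAuth", "SRV", "FED"
    strength: str   # conf or fed-trust label


@dataclass(frozen=True)
class Interaction:
    actor: str
    kind: str       # interaction label used in Section 6: RG, A, C, RL
    target: str
    secure: bool    # True if carried over a secure channel (the SC(...) wrapper)


@dataclass(frozen=True)
class Rule:
    before: Trust
    required: tuple     # (actor, kind, target) triples joined by logical AND
    after_strength: str


def static_rauth_rule(u, idp):
    """L -> M once u has registered and authenticated at idp, both over SC."""
    return Rule(Trust(u, idp, "DT", "RAuth", "L"),
                ((u, "RG", idp), (u, "A", idp)), "M")


def dynamic_fed_rule(u, idp, sp):
    """UT -> ST once u consented at idp and idp released attributes to sp."""
    return Rule(Trust(idp, sp, "DT", "FED", "UT"),
                ((u, "C", idp), (idp, "RL", sp)), "ST")


def transform(trust, rules, log):
    """Apply the first rule whose starting trust matches and whose required
    interactions were all observed over a secure channel."""
    seen = {(i.actor, i.kind, i.target) for i in log if i.secure}
    for rule in rules:
        if rule.before == trust and all(r in seen for r in rule.required):
            return replace(trust, strength=rule.after_strength)
    return trust


def quantify(trust):
    """QT = t * v. FED scope uses fed-trust values, other scopes use conf
    (an assumption of this example)."""
    table = FED_TRUST if trust.scope == "FED" else CONF
    return TRUST_TYPE[trust.ttype] * table[trust.strength]


def run_examples():
    """Evaluate constructed interaction logs (not from the paper)."""
    rules = [static_rauth_rule("alice", "idp1"),
             dynamic_fed_rule("alice", "idp2", "sp1")]
    user_trust = Trust("alice", "idp1", "DT", "RAuth", "L")
    fed_trust = Trust("idp2", "sp1", "DT", "FED", "UT")
    http_log = [Interaction("alice", "RG", "idp1", True),
                Interaction("alice", "A", "idp1", False)]  # login without SC
    https_log = [Interaction("alice", "RG", "idp1", True),
                 Interaction("alice", "A", "idp1", True)]
    release_log = [Interaction("alice", "C", "idp2", True),
                   Interaction("idp2", "RL", "sp1", True)]
    return {
        "plain_http_auth": transform(user_trust, rules, http_log),
        "https_auth": transform(user_trust, rules, https_log),
        "no_consent": transform(fed_trust, rules, release_log[1:]),
        "dynamic_fed": transform(fed_trust, rules, release_log),
    }


if __name__ == "__main__":
    for name, trust in run_examples().items():
        print(name, trust.strength, quantify(trust))
```

A transformation fires only when every interaction in the conjunction was seen over a secure channel, so the login without a secure channel and the release without consent both leave the trust strength unchanged.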
8 Related Work
A few major papers on the general topic of trust and trust management can be
found in [5,9,10,11,16]. These works mainly concentrated on the discussion and
analysis of trust and trust management and the discussion of trust regarding
identity management was mainly absent.
A comprehensive taxonomy of trust requirements for the FIM can be found
in [2]. Unfortunately, the requirements have been outlined in textual formats and
none of requirements has been modelled and analysed mathematically. The
authors in [14] have presented an integrated trust management model with respect
to context-aware services. The model is based on different trust relationships
which have been analysed using mathematical notations. The paper did not
consider the underlying trust requirements that hold together the involved
entities in that trust relationship. In this paper we have adopted their notation to
illustrate the trust relationship. Huang et al. [6] have presented a trust calculus
targeted for the PKI (Public Key Infrastructure) and have shown how the
calculus can be used to derive trust between entities in a certification chain. The
focus of their work is quite different than ours in the sense that they did not
deal with any underlying trust requirements in the FIM. The authors in [4] have
presented a formalisation of authentication trust for the FIM. The authors did
not consider any other trust requirements, and hence their formal representation
is not comprehensive in nature.
9 Conclusions
Trust in the traditional Type 1 Federation is a complex issue with the
involvement of several different autonomous parties and their disparate security
domains. The complexity increases with the introduction of a Type 2 Federation.
The advent of the dynamic federation adds another layer of complexity. Even
though there exist numerous works on the mathematical modelling of trust in
the online setting, there is a gap in the mathematical modelling and analysis of
trust in the setting of FIM. In this paper we have introduced a mathematical
framework to represent and analyse complex trust issues in FIM. We have used
our model to represent trust in different settings. We have introduced a model
of interactions for FIM and have shown how interactions and the trust
transitivity can transform trust. Finally, we have proposed a simple formula to quantify
trust. Our model can be used in a wide range of applications. It can be used to
express and derive trust between any number of entities in any type of federation.
A larger federation with many IdPs and SPs exhibits a highly
dynamic nature where changes are common. Trust transformation using
interactions can be the ideal way to represent trust in such a dynamic environment.
Finally, the way we have evaluated trust can be used to assess trust between
any entities in a federation or to assess the quality of service provided by an IdP
or an SP. Next, we plan to use our model to analyse other aspects of identity
management such as attribute aggregation and mobile identity management.
References
1. David W Chadwick. Federated Identity Management. In FOSAD 2008/2009, number 5705 in LNCS, page 96-120. Springer, 2009.
2. Md. Sadek Ferdous and Ron Poet. Analysing Attribute Aggregation Models in Federated Identity Management. In SIN ’13, page 181-188. ACM, 2013.
3. Md. Sadek Ferdous and Ron Poet. Dynamic Identity Federation Using Security Assertion Markup Language (SAML). In IFIP IDMAN ’13: Policies and Research in Identity Management, volume 396 of IFIP Advances in Information and Communication Technology, page 131-146. Springer, 2013.
4. Hidehito Gomi. An Authentication Trust Metric for Federated Identity Management Systems. In Security and Trust Management, volume 6710 of LNCS, page 116-131. Springer, 2011.
5. Tyrone Grandison and Morris Sloman. In Trust Management, page 91-107. Springer, 2003.
6. Jingwei Huang and David Nicol. A Calculus of Trust and Its Application to PKI and Identity Management. In IDtrust ’09, page 23-37. ACM, 2009.
7. Audun Jøsang, Muhammed Al, and Zomai Suriadi Suriadi. Usability and privacy in identity management architectures. In ACSW ’07, page 143-152. 2007.
8. Audun Jøsang, John Fabre, Brian Hay, James Dalziel, and Simon Pope. Trust requirements in identity management. In ACSW Frontiers ’05, page 99-108. Australian Computer Society, Inc., 2005.
9. Audun Jøsang, Roslan Ismail, and Colin Boyd. A survey of trust and reputation systems for online service provision. Decision support systems, 43(2):618-644, 2007.
10. Audun Jøsang, Claudia Keser, and Theo Dimitrakos. Can We Manage Trust? In Trust Management, volume 3477 of LNCS, page 93-107. Springer, 2005.
11. Audun Jøsang, Elizabeth Gray and Michael Kinateder. Simplification and Analysis of Transitive Trust Networks. Web Intelli. and Agent Sys., 4(2):139-161, April 2006.
12. U. Kylau, I. Thomas, M. Menzel, and C. Meinel. Trust Requirements in Identity Federation Topologies. In AINA ’09, page 137-145, 2009.
13. D Harrison McKnight and Norman L Chervany. The meanings of trust. 1996.
14. Ricardo Neisse, Maarten Wegdam, Marten Van Sinderen, and Gabriele Lenzini. Trust Management Model and Architecture for Context-aware Service Platforms. In OTM’07, page 1803-1820. Springer-Verlag, 2007.
15. NISTWP. Electronic Authentication Guideline: INFORMATION SECURITY, April 2006. http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf.
16. Sini Ruohomaa and Lea Kutvonen. Trust Management Survey. In Trust Management, volume 3477 of LNCS, page 77-92. Springer, 2005.
17. Md. Sadek Ferdous, Mohammad Jabed Morshed Chowdhury, Md. Moniruzzaman, and Farida Chowdhury. Identity federations: A new perspective for Bangladesh. In ICIEV ’12, page 219-224. IEEE, 2012.
18. OASIS Standard. Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. 15 March, 2005. http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf.
... In the context of FIM, many criteria can contribute to establishing a trust relationship between the CSP and the IdP [207,36,208]. However, there is no unified standard for selecting them; each federation follows its own rules based on the federation technology used (e.g. SAML, OpenID Connect, SCIM, etc.), as well as on the objectives of the federation itself. ...
... Although this problem has been widely studied either by individuals or by international groups, relatively few studies have been carried out on this subject. In this context, the studies conducted in [37,208,209,210,211] [210] were used in [208] to evaluate the trust level of an IdP. In the same context, the authors in [153] proposed a new taxonomy of trust criteria for FIM in cloud computing. ...
Thesis
Secure and efficient management of identities remains one of the greatest challenges that facing cloud computing, where entities belonging to different domains continually exchange and share a huge amount of personal information. Federated Identity Management is considered the most useful solution that simplifies the user experience, by providing secure access to services belonging to different domains, while reducing the complexity and cost of managing a large number of user accounts. However, trust management is considered as one of the biggest obstacles to the wide adoption of this approach in cloud computing. Actually, poor management of trust carries significant security and privacy risks. Most of the proposed solution typically follow a similar architecture based on a preconfigured, static and closed circle of trust, in which interactions are only possible with pre-configured entities. Such a trust model is unsuitable for cloud computing, where interactions are carried out between prior unknown entities. For other frameworks, there is no specified model to manage trust between cloud service providers and identity providers, as cloud service providers must decide by themselves which identity providers are trustworthy. As an answer to these problems, we propose a new trust model that relies on Fuzzy Cognitive Maps and Blockchain for modelling and evaluating trust relationships between the involved entities in federated identity management systems. This trust mechanism facilitates the creation of trust relationships between prior unknown entities in a secure and dynamic way. This makes Federated Identity Management systems more scalable and flexible to deploy and maintain in cloud computing environments. We also propose a set of trust features for federated identity management systems, which serves as a basis for modelling and quantifying the trust level of unknown entities. 
The proposed set is intended to be generic compared to previous work and useful for any federated identity management protocol. Intensive experiments were conducted on a prototype of this trust model to prove its effectiveness in a cloud computing environment.
... In FIM, there are many features that build trust between CSPs and IdPs [18], [39], [42]. However, there is no unified standard for selecting them, as there are only a few research projects that focus on the analysis and identification of trust features for FIM. ...
... However, there is no unified standard for selecting them, as there are only a few research projects that focus on the analysis and identification of trust features for FIM. Authors in [7], [18], [40]- [42] proposed a comprehensive set of trust features that are needed for the various FIM scenarios and topologies. In all these studies, the set of the required trust features is typically divided into security, privacy, and functional requirements. ...
... In all these studies, the set of the required trust features is typically divided into security, privacy, and functional requirements. Proposed features in [41] were used in [42] to evaluate trust between entities in a federation and to assess the quality of service provided by IdPs or CSPs. In [43], the authors proposed a novel taxonomy of trust risks in cloud FIM, which were divided into three main categories: security and privacy, knowledge, and interoperability. ...
Article
Abstract—Efficient identity management system has become one of the fundamental requirements for ensuring safe, secure and transparent use of cloud services. In such a borderless environment, entities belonging to different network domains need to cooperate dynamically with each other by exchanging and sharing a significant amount of personal information in a scalable, effective and seamless manner. The traditional approach to address this challenge has been identity federation, aiming to simplify the user experience by aggregating distributed rights and permissions. However, the current federated identity management solutions are missing mechanisms to achieve agile and dynamic trust management, which remains one of the biggest obstacles to their wide adoption in cloud computing. In this paper, we aim to address this issue by introducing a novel dynamic trust model for Federated Identity Management. The proposed model relies on fuzzy cognitive maps for modelling and evaluating trust relationships between the involved entities in federated identity management systems. This trust mechanism facilitates the creation of trust relationships between prior unknown entities in a secure and dynamic way and makes Federated Identity Management systems more scalable and flexible to deploy and maintain in cloud computing environments. In addition, we propose a set of trust features for Federated Identity Management, which serves as a basis for modelling and quantifying the trust level of unknown entities. The effectiveness of the proposed trust model is proven through performance analysis and experimental results.
... Identity Management (IdM) is the process to manage on online identities [7]. It consists of different technologies and their associated policies which dictate how identities are represented and identified within an application domain and how such identities can be utilized to access the corresponding online services. ...
Preprint
As the global industrial complex gears toward fulfilling the tenets of Industry 4.0 and beyond, technologies such as distributed ledger technologies, digital twins, and artificial intelligence become pivotal enablers. In the last decade, metaverse as a concept and technology found its place among crucial enablers for technology and digital advancement across several engineering domains. Metaverse has the potential to combine the elements from distributed computing platforms, the digital evolution of physical systems, and advanced learning systems to unearth a fully digitized world of comparative properties of the real world. We should ensure the privacy, integrity, and confidentiality of personal data. These requirements will lead to proper identity management in the metaverse. Given the complex nature of the metaverse, traditional centralized systems may not offer a viable identity management solution. Therefore, this study explores a decentralized identity management system called the Self-sovereign Identity (SSI) as a logical alternative to traditional centralized identity management systems. The proposed holistic framework aims to ignite new ideas and discussions related to the combined deployment of DLT, SSI, and metaverse to inspire new implementation areas within the Industry 4.0 environment. The paper also discusses various opportunities, enablers, technical & privacy aspects, legislation requirements, and other barriers related to SSI implementation.
... The identity federation can be considered as a business model where a group of computing entities binds themselves with trustworthiness. An identity federation with single IdP is mathematically modelled (Ferdous et al., 2015) as idP $ ...
Article
With the tremendous growth of Internet and its related technologies, the Service Oriented Architecture (SOA) became a dominant paradigm shift for enterprise computing. In SOA, business functionalities are offered by many different Service Providers as services. In order to get served by different service providers, the client has to authenticate with those service providers at multiple times. Single Sign On (SSO) mechanism provides the client to login only one time so that access to different services is made possible without needing to re-authenticate. Here, the identity of the logged-in client is federated among the enterprise computing nodes. This is one of the simplest forms of federated identity. The goal of identity federation is to benefit ease of use, flexibility, productivity and reduced cost of the authentication process, but trust and security is a major concern in this situation. Major threats on federated identity management are due to identity misuse, identity theft, and trust deficit between identity providers and services providers. As of now, the Security Assertion Markup Language (SAML), Open Authorization (OAuth) and OpenID are the three important federated identity management standards in the industry. However, none of them is equipped by itself to provide comprehensive security protection for identity federation even within a single enterprise computing environment. In fact, these federated solutions result in additional security vulnerabilities due to their openness of identity federation. The security threats are becoming severe when federated identity is spanned into the inter-organizational and intra-organizational computing environment. This paper analyses the vulnerabilities and security gaps in the existing federated identity solutions. 
To overcome these gaps, an adaptive security architectural model is proposed for identity federation at inter and intra-organizational level using public key infrastructure that adheres to the SOA security standards and specifications. The proposed architecture is implemented and tested in a large-scale federated identity enterprise computing environment with security-centric financial data to acquire the desired results. A cross-sectional comparative analysis is done between existing and proposed solutions to validate the improvement in the protection of identity federation environment.
... All these frameworks usually follow a similar architectural concept [6], basically involving Identity Providers (IdP) and Service Providers (SP) in a structure called Circle of Trust, where IdPs and SPs have to trust each other; in particular, IdPs have to trust the SPs to securely handle a user's identity data [3], whereas the SPs have to trust the IdPs to correctly authenticate users that want to access its services and protected resources [5]. While identity federation seems to be a promising approach for adopting identity management in cloud computing, the underlining trust model is poorly defined [3], [7], [8] and manually managed by pre-configured Trust Anchor Lists with a Public Key Infrastructure [9]. In this model, trust is established based on business agreements that must be set well before the interactions take place, which leads in forming closed and isolated communities [10]. ...
Conference Paper
Secure and reliable management of identities has become one of the greatest challenges facing cloud computing today, mainly due to the huge number of new cloud-based applications generated by this model, which means more user accounts, passwords, and personal information to provision, monitor, and secure. Currently, identity federation is the most useful solution to overcome the aforementioned issues and simplify the user experience by allowing efficient authentication mechanisms and use of identity information from data distributed across multiple domains. However, this approach creates considerable complexity in managing trust relationships for both the cloud service providers and their clients. Poor management of trust in federated identity management systems brings with it many security, privacy and interoperability issues, which contributes to the reluctance of organizations to move their critical identity data to the cloud. In this paper, we aim to address these issues by introducing a novel trust and identity management model based on the Blockchain for cloud identity management with security and privacy improvements.
... There are other works, as presented in [16,17,18,19], which discuss and present a threat model in lifelogging, mathematical representation of identity and trust issues. Even though they are not strictly related to the scope of current paper, we have drawn motivations on how to model an attack from these works. ...
Article
In this article, we present a model of cyber attacks which can be used to represent a cyber attack in an intuitive and concise way. With ever-increasing popularities of online services, we have seen a growing number of cyber attacks targeted towards large online service providers as well as individuals and the IoT devices. To mitigate these attacks, there is a strong urge to understand their different aspects. Creating a model is a widely used method towards this goal. Unfortunately, the number of models for cyber attacks is pretty low and even the existing models are not comprehensive. In this paper, we aim to fill this gap by presenting a comprehensive cyber attack model. We have used this model to represent a wide range of cyber attacks and shown its applicability and usefulness. We believe that our model will be a useful tool for the formal analysis of cyber attacks.
Article
In the last decade or so, we have experienced a tremendous proliferation and popularity of different Social Networks (SNs), resulting more and more user attributes being stored in such SNs. These attributes represent a valuable asset and many innovative online services are offered in exchange of such attributes. This particular phenomenon has allured these social networks to act as Identity Providers (IdPs). However, the current setting unnecessarily imposes a restriction: a user can only release attributes from one single IdP in a single session, thereby, limiting the user to aggregate attributes from multiple IdPs within the same session. In addition, our analysis suggests that the manner by which attributes are released from these SNs is extremely privacy-invasive and a user has very limited control to exercise her privacy during this process. In this article, we present Social Anchor, a system for attribute aggregation from social networks in a privacy-friendly fashion. Our proposed Social Anchor system effectively addresses both of these serious issues. Apart from the proposal, we have implemented Social Anchor following a set of security and privacy requirements. We have also examined the associated trust issues using a formal trust analysis model. Besides, we have presented a formal analysis of its protocols using a state-of-the-art formal analysis tool called AVISPA to ensure the security of Social Anchor. Finally, we have provided a performance analysis of Social Anchor.
Conference Paper
With the proliferation of Cloud-based services, Federated Identity Management (FIM) has gained considerable attention in recent years. It is considered as a promising approach to facilitate secure resource sharing between collaborating partners in the Cloud. However, current FIM frameworks such as OpenID, SAML, Liberty Alliance, Shibboleth and WS-Federation do not define a suitable trust model to allow dynamic and agile federation establishment. Hence, they cannot be deployed in dynamic and open environments like Cloud Computing. In this paper, we address this issue by presenting a new dynamic trust model that fulfils Cloud requirements. The proposed model introduces the theory of Fuzzy Cognitive Maps (FCM) into modelling and evaluating unknown entities trustworthiness in FIM systems.
Article
Security Assertion Markup Language (SAML, in short) is one of the most widely used technologies to enable Identity Federations among different organisations. Despite its several advantages, one of the key disadvantages of SAML is that it does not allow creating a federation in a dynamic fashion to enable service provisioning (or de-provisioning) in real time. A few approaches have been proposed to rectify this problem. However, most of them require elaborate changes of the SAML and do not provide mechanisms to manage federations dynamically. This paper presents a better approach based on an already drafted SAML Profile and thus requires no change of the SAML, rather it depends on the specific implementation of SAML. Our proposed approach covers all aspects regarding the management of dynamic Identity Federation. It will allow users to create federations dynamically using SAML between two prior unknown organisations and will allow them to manage such federations as long as it is required. Implicit in each identity federation is the issue of trust. Therefore, the trust issues involved in the management of dynamic federations are analysed in details. Moreover, a proof of concept is discussed to elaborate the practicality of our approach for managing dynamic federations. Finally, a few use-cases are outlined to illustrate how federations created dynamically can be used to access online services.
Conference Paper
This paper presents a comparative analysis of different attribute aggregation models against a set of requirements in the settings of the Federated Identity Management (FIM). There are several attribute aggregation models currently available which allow the user to collate attributes from multiple identity providers (IdP in short) in a single service. These models impose different novel requirements which have never been analysed before and there lacks a thorough analysis of these models that will compare them side-by-side against a set of requirements. We aim to fill in these gaps in this work. We have formulated a set of trust, functional, security and privacy requirements that are needed for each model and shown the interlink between these requirements. These requirements have been used to compare the models side-by-side in tabular forms which would allow the readers to instantly identify the requirements for each model, the advantages it offers and the weaknesses it has.
Technical Report
What does the word ‘trust’ mean? Scholars continue to express concern regarding their collective lack of consensus about trust’s meaning. Conceptual confusion on trust makes comparing one trust study to another problematic. To facilitate cumulative trust research, the authors propose two kinds of trust typologies: (a) a classification system for types of trust, and (b) definitions of six related trust types that form a model. Some of the model’s implications for management are also outlined.
Conference Paper
Security Assertion Markup Language (SAML, in short) is one of the most widely used technologies to enable Identity Federation among organisations from different trust domains. Despite its several advantages, one of the key disadvantages of SAML is the mechanism by which an identity federation is established. This mechanism lacks flexibility to create a federation in a dynamic fashion to enable service provisioning (or de-provisioning) in real time. Several different mechanisms to rectify this problem have been proposed. However, most of them require a more elaborate change at the core of the SAML. In this paper we present a simple approach based on an already drafted SAML Profile which requires no change of the SAML, rather it depends on the implementation of SAML. It will allow users to create federations using SAML between two prior unknown organisations in a dynamic fashion. Implicit in each identity federation is the issue of trust. Therefore, we also analyse in detail the trust issues of dynamic federations. Finally, we discuss our implemented proof of concept to elaborate the practicality of our approach.
Conference Paper
With a view to provide more effective, enhanced and accessible services to their citizens, Governments around the globe have started different web services under the initiative of e-Government. Many such services extensively utilise the Federated Identity framework due to its huge number of benefits. This paper analyses how different e-initiatives in Bangladesh can take advantage of this technology by illustrating use-cases in two different domains. As the online service and the e-Governance paradigm in Bangladesh are relatively new and evolving rapidly, we believe that this is the high-time to consider the benefits this technology can bring for the Government as well as the citizen.
Article
The SAML V2.0 Assertions and Protocols specification defines the syntax and semantics for XML-encoded assertions about authentication, attributes, and authorization, and for the protocols that convey this information. This document, known as an "errata composite", combines corrections to reported errata with the original specification text. By design, the corrections are limited to clarifications of ambiguous or conflicting specification text. This document shows deletions from the original specification as struck-through text, and additions as colored underlined text. The "[Enn]" designations embedded in the text refer to particular errata and their dispositions.
Chapter
This paper addresses the topic of federated identity management. It discusses in detail the following topics: what is digital identity, what is identity management, what is federated identity management, Kim Cameron’s 7 Laws of Identity, how can we protect the user’s privacy in a federated environment, levels of assurance, some past and present federated identity management systems, and some current research in FIM.
Conference Paper
A formalisation of authentication trust is proposed for federated identity management systems. Identity federation facilitates user interaction with Web services that control access, but it is more difficult for a service provider to evaluate the assurance of a user’s identity if the creation and propagation of user authentication assertions involve different authentication authorities and mediators. On the basis of this formal representation, an aggregated trust value is calculated for evaluating the trustworthiness of a user’s identity from the user’s authentication assertions propagated through multiple entities. Keywords: trust metric, identity federation
Conference Paper
Federated identity management describes a model to enable users to use their digital identities in collaborating companies regardless of organizational borders. The essential pre-requisite to share the user authentication across different security domains is the establishment of trust between the collaborating partners. Usually, this is done by setting up complex contracts that describe common policies, obligations and procedures to be followed by each collaboration member. The result is a federation, or Circle of Trust, in which each member is willing to trust assertions made by someone else. Naturally, federations are not isolated structures and members of one federation might also be part of another one - a constellation possible with current federation technologies. However, whether and how the trust relationships of federations can be used to allow access even across multiple federations is a question which has not been answered yet. In this paper, we investigate trust requirements for identity federation topologies. Starting from the classical structure of a Circle of Trust, we go beyond this and identify more complex patterns such as overlapping federations. For each pattern, we identify risks for identity and service providers as well as the necessary trust requirements that must be met to allow such constellations.
Article
Trust and reputation systems represent a significant trend in decision support for Internet mediated service provision. The basic idea is to let parties rate each other, for example after the completion of a transaction, and use the aggregated ratings about a given party to derive a trust or reputation score, which can assist other parties in deciding whether or not to transact with that party in the future. A natural side effect is that it also provides an incentive for good behaviour, and therefore tends to have a positive effect on market quality. Reputation systems can be called collaborative sanctioning systems to reflect their collaborative nature, and are related to collaborative filtering systems. Reputation systems are already being used in successful commercial online applications. There is also a rapidly growing literature around trust and reputation systems, but unfortunately this activity is not very coherent. The purpose of this article is to give an overview of existing and proposed systems that can be used to derive measures of trust and reputation for Internet transactions, to analyse the current trends and developments in this area, and to propose a research agenda for trust and reputation systems.