SIdeCAR: Secure Identity Consent and Authentication Responder

The Identity Metasystem is an interoperable, platform-independent and protocol-independent architecture for user-centric identity management. User-centric identity management is a new paradigm of identity management that addresses some of the drawbacks of the prevalent identity management models. This technology assumes that certain security-sensitive functions of identity management are performed on trusted client machines. That assumption does not hold when the client machine is infested with undetected malware, as may be the case on a publicly accessible "kiosk" machine. We explore techniques that provide the user with: a) portability between machines; and b) enhanced security when using the Identity Metasystem from untrusted machines. We present the threats that untrusted machines pose and describe two protocols we have implemented which allow secure use of the Identity Metasystem from untrusted clients without changes to the widely implemented protocols. Both protocols leverage a trusted personal device (e.g. a cellular phone) to authorize actions that are performed at the client and to perform secret-based computations. The security protections and implementation details of both protocols are described. We conclude with the future directions that we intend to take with regard to our work.

By: Ravi Chandra Jammalamadaka; Michael McIntosh; Paula Austel

Published in: RC24359 in 2007

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).
