This Article 
 Bibliographic References 
 Add to: 
A Delegation Solution for Universal Identity Management in SOA
January-March 2011 (vol. 4 no. 1)
pp. 70-81
Yang Zhang, Beijing University of Posts & Telecommunications, Beijing
Jun-Liang Chen, Beijing University of Posts & Telecommunications, Beijing
The relationship-focused and credential-focused identity managements are both user-centric notions in Service-oriented architecture (SOA). For composite services, pure user-centric identity management is inefficient because each subservice may authenticate and authorize users and users need participate in every identity provisioning transaction. If the above two paradigms are unified into the universal identity management where identity information and privileges are delegatable, user centricity will be more feasible in SOA. The credential-focused system is a good starting point for constructing a universal identity management system. However, how to implement a practical delegation scheme is still a challenge although there are some delegatable anonymous credential schemes that were theoretically constructed. This paper aims to propose a practical delegation solution for universal identity management. For this, a pseudonym-based signature scheme is first designed where pseudonyms are self-generated and unlinkable for realizing user's privacy. Next, a proxy signature is presented with the pseudonyms as public keys where delegation can be achieved through certificate chains. Finally, the security of our scheme is analyzed and proved in the random oracle model.

[1] K. Cameron, Laws of Identity, http:/, 2005.
[2] PRIME CONSORTIUM, Privacy and Identity Management for Europe (PRIME), http:/, 2010.
[3] Identity-Management, Liberty Alliance Project, http:/www., 2010.
[4] C. Kaler and A. Nadalin, Web Services Federation Language, 2003.
[5] A. Bhargav-Spantzel and J. Camenisch, "User Centricity: A Taxonomy and Open Issues," Proc. Second ACM Workshop Digital Identity Management (DIM '06), pp. 493-527, 2007.
[6] D. Chaum, "Security without Identification: Transaction Systems to Make Big Brother Obsolete," Comm. ACM, vol. 28, no. 10, pp. 1030-1044, 1985.
[7] D. Chaum and J.H. Evertse, "A Secure and Privacy-Protecting Protocol for Transmitting Personal Information between Organizations," Proc. Ann. Int'l Cryptology Conf. Advances in Cryptology (CRYPTO '86), pp. 118-167, 1986.
[8] I.B. Damgard, "Payment Systems and Credential Mechanisms with Provable Security against Abuse by Individuals," Proc. Ann. Int'l Cryptology Conf. Advances in Cryptology (CRYPTO '88), pp. 328-335, 1988.
[9] L.D. Chen, "Access with Pseudonyms," Lecture Notes in Computer Science, pp. 232-243, Springer, 1995.
[10] A. Lysyanskaya, R. Rivest, and A. Sahai, "Pseudonym Systems," Proc. Sixth Ann. Int'l Workshop Selected Areas in Cryptography (SAC '99), pp. 184-199, 1999.
[11] J. Camenisch and A. Lysyanskaya, "Efficient Non-Transferable Anonymous Multi-Show Credential System with Optional Anonymity Revocation," Proc. Advances in Cryptology (EUROCRYPT '01), B. Pfitzmann, ed., pp. 93-118, 2001.
[12] J. Camenisch and A. Lysyanskaya, "A Signature Scheme with Efficient Protocols," Proc. Third Conf. Security in Comm. Networks (SCN '02), pp. 268-289, 2002.
[13] J. Camenisch and A. Lysyanskaya, "Signature Schemes and Anonymous Credentials from Bilinear Maps," Proc. Ann. Int'l Cryptology Conf. Advances in Cryptology (CRYPTO '04), pp. 56-72, 2004.
[14] M. Belenkiy, M. Chase, and M. Kohlweiss, "Non-Interactive Anonymous Credentials," Proc. Theoretical Cryptography Conf. (TCC),, 2008.
[15] M. Chase and A. Lysyanskaya, "On Signatures of Knowledge," Proc. Ann. Int'l Cryptology Conf. Advances in Cryptology (CRYPTO '06), C. Dwork, ed., pp. 78-96, 2006.
[16] M. Belenkiy, J. Camenisch, M. Chase, M. Kohlweiss, A. Lysyanskaya, and H. Shacham, Delegatable Anonymous Credentials,, 2010.
[17] J. Camenisch, D. Sommer, and R. Zimmermann, "A General Certification Framework with Applications to Privacy-Enhancing Certificate Infrastructures," Proc. IFIP Int'l Federation for Information Processing, pp. 25-37, 2006.
[18] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures: Delegation of the Power to Sign Messages," IEICE Trans. Fundamentals, vol. E79-A, no. 9, pp. 1338-1354, 1996.
[19] S. Kim, S. Park, and D. Won, "Proxy Signatures, Revisited," Proc. Int'l Conf. Information and Comm. Security (ICICS '97), pp. 223-232, 1997.
[20] T. Okamoto, M. Tada, and E. Okamoto, "Extended Proxy Signatures for Smart Card," Proc. Information Security Workshop '99, pp. 247-258, 1999.
[21] J. Herranz and G. Saez, "Revisiting Fully Distributed Proxy Signature Schemes," Proc. Int'l Conf. Cryptology in India (Indocrypt '04), pp. 356-370, 2004.
[22] A. Fiat and A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems," Proc. Ann. Int'l Cryptology Conf. Advances in Cryptology (CRYPTO '86), A.M. Odlyzko, ed., pp. 186-194. Aug. 1986.
[23] D. Chaum and E. van Heyst, "Group Signatures," Proc. Advances in Cryptology (Eurocrypt '91), D.W. Davies, ed., pp. 257-265, 1991.
[24] M. Bellare, D. Micciancio, and B. Warinschi, "Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions," Proc. Advances in Cryptology (Eurocrypt '03), pp. 614-629, 2003.
[25] D. Boneh and X. Boyen, "Short Signatures without Random Oracles," Proc. Advances in Cryptology (Eurocrypt '04), pp. 56-73, 2004.
[26] M. Bellare, H. Shi, and C. Zhang, "Foundations of Group Signatures: The Case of Dynamic Groups," Proc. Topics in Cryptology (CT-RSA '05), pp. 136-153, 2005.
[27] C. Delerablee and D. Pointcheval, "Dynamic Fully Anonymous Short Group Signatures," Proc. Progress in Cryptology (VIETCRYPT '06), pp. 193-210, 2006.
[28] E. Brickell, J. Camenisch, and L.Q. Chen, "Direct Anonymous Attestation," Proc. ACM Conf. Computer and Comm. Security, pp. 132-145, 2004.
[29] J. Camenisch, "Protecting (Anonymous) Credentials with the Trusted Computing Group's Trusted Platform Modules Vo1. 2," Proc. 21st IFIP Int'l Information Security Conf. (SEC '06), 2006,
[30] D. Boneh and M. Franklin, "Identity-Based Encryption from the Weil Pairing," Proc. Ann. Int'l Cryptology Conf. Advances in Cryptology (CRYPTO '01), vol. 2139, pp. 213-229, 2001.
[31] P. Barreto, H. Kim, B. Bynn, and M. Scott, "Efficient Algorithms for Pairing-Based Cryptosystems," Proc. Ann. Int'l Cryptology Conf. Advances in Cryptology (CRYPTO '02), pp. 354-368, 2002.
[32] S. Mitsunari, R. Sakai, and M. Kasahara, "A New Traitor Tracing," IEICE Trans. Fundamentals, vol. E85-A, no. 2, pp. 481-484, 2002.
[33] F. Hess, "Efficient Identity Based Signature Schemes Based on Pairings," Proc. Workshop Selected Areas in Cryptography (SAC '02), pp. 310-324, 2002.
[34] F. Zhang and K. Kim, "ID-Based Blind Signature and Ring Signature from Pairings," Proc. Advances in Cryptology (Asiacrypt), 2002.
[35] X. Huang, Y. Mu, W. Susilo, F. Zhang, and X. Chen, "A Short Proxy Scheme: Efficient Authentication in the Ubiquitous World," Proc. Embedded and Ubiquitous Computing (EUC) Workshops, pp. 480-489, 2005.
[36] D. Pointcheval and J. Stern, "Security Arguments for Digital Signatures and Blind Signatures," J. Cryptology, vol. 13, no. 3, pp. 361-396, 2000.
[37] D. Boneh, X. Boyen, and H. Shacham, "Short Group Signatures Using Strong Diffie-Hellman," Proc. Ann. Int'l Cryptology Conf. Advances in Cryptology (CRYPTO), pp. 41-55, 2004.
[38] R. Canetti, "Universally Composable Signature, Certification, and Authentication," Proc. 17th IEEE Computer Security Foundations Workshop (CSFW), pp. 219-245, 2004.
[39] Microsoft, A Technical Reference for InfoCard v1.0 in Windows, 2005.
[40] Higgins Trust Framework, http://www.eclipse.orghiggins, 2006.
[41] J. Camenisch and E.V. Herreweghen, "Design and Implementation of the Idemix Anonymous Credential System," Proc. Ninth ACM Conf. Computer and Comm. Security, pp. 21-30, 2002.
[42] J. Camenisch, T. Gross, and D. Sommer, "Enhancing Privacy of Federated Identity Management Protocols," Proc. Fifth ACM Workshop Privacy in Electronic Soc., pp. 67-72, 2006.
[43] IBM, Microsoft, Actional, BEA, Computer Associates, Layer 7, Oblix, Open Network, Ping Identity, Reactivity, and Verisign. Web Services Trust Language (WS-Trust), Feb. 2005.
[44] A. Segev and E. Toch, "Context-Based Matching and Ranking of Web Services for Composition," IEEE Trans. Service Computing, vol. 2, no. 3, pp. 210-222, June 2009.

Index Terms:
Privacy concerns of service-oriented solutions, identity management, privacy governance methods and tools, privacy management in data dissemination, service-oriented architecture.
Yang Zhang, Jun-Liang Chen, "A Delegation Solution for Universal Identity Management in SOA," IEEE Transactions on Services Computing, vol. 4, no. 1, pp. 70-81, Jan.-March 2011, doi:10.1109/TSC.2010.9
Usage of this product signifies your acceptance of the Terms of Use.