Purdue CS 59000 - Identity Management System

This preview shows pages 1-5 of 15.
Privacy in Cloud Computing
Identity Management System for Cloud: Microsoft CardSpace
Purdue University

Outline
1. Introduction
2. Laws of Identity Management
3. Microsoft CardSpace's Model of Identity Management
4. CardSpace Framework
5. Improving Security of CardSpace
   5.1 Proposed Approaches
6. Conclusion

1. Identity Management System
• Manages the digital identity of cloud users.
• Creates digital identities for its user entities and protects their Personally Identifiable Information (PII).
• Allows users to authenticate themselves without revealing their actual identity to either vendors or network providers.
• The user has ownership of the identity management data.
• Lets the user control the flow of dynamic personal information over the cloud.
• Supports pseudonyms and multiple, discrete identities to protect user privacy.
• Minimizes the amount of personal data a user needs to share with the Relying Party.
• Having a store of multiple digital identities (Gmail account, network account) with various service providers such as eBay or Gmail available to one entity (e.g., an application) makes it possible to uniquely identify a single person.
  - If not properly protected, this may be exploited and abused.
  - Identity management data may be accessed from the cloud by authorized entities.

2. Laws of Identity Management
Kim Cameron (Microsoft) has identified 7 laws which are meant to be the fundamentals of a conformant Identity Management System, of which the following three laws must be the basis of any IDM system [1]:
• User Control and Consent: An identity management system must only reveal information identifying a user with the user's consent. (Law 1)
• Minimal Disclosure for a Constrained Use: An identity system must disclose the least amount of identifying information possible. (Law 2)
• Justifiable Parties: Identity systems must be designed so that the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. (Law 3)
• Directed Identity: An identity system should support both omni-directional identifiers for use by public entities and unidirectional identifiers for use by private entities, in order to facilitate discovery while preventing unnecessary release of correlation handles. (Law 4)
http://www.identityblog.com

3. CardSpace Model of Identity Management [2]
[diagram slide; no text in the preview]

4. Microsoft Windows CardSpace
Windows CardSpace is an identity metasystem which provides a way of managing a user's multiple digital identities [2]. It is a new claims-based access platform/architecture, developed for Windows XP, and is a plug-in for the Internet Explorer 7 browser [3]. CardSpace is designed to comply with the seven Laws of Identity by Kim Cameron of Microsoft [4].
In CardSpace every digital identity transmitted on the network contains some kind of security token. A security token consists of a set of one or more claims, such as a username, a user's first name, last name, home address, and even more sensitive information such as an SSN or credit card numbers. These security tokens provide information to prove that the claims really do belong to the user presenting them (authenticating the identity of the user).
To make it user friendly, CardSpace implements an intuitive user interface for working with digital identities in the form of a visual "information card" (InfoCard), so that users can make good decisions about using their digital identities; hence it is user-centric.

4. CardSpace Framework
CardSpace makes use of "open" XML-based protocols, including the Web Services (WS-*) protocols and SOAP. The following steps describe the message flows of the CardSpace framework [5]:
(1) CEUA (CardSpace-enabled user agent / service requestor) → RP: The CardSpace-enabled user agent (CEUA, a CardSpace-enabled browser) requests a service from the relying party with an HTTP GET (the login HTML page request).
(2) RP → CEUA: HTML login page + InfoCard tags (XHTML or HTML object tags). The RP identifies itself using a public key certificate (e.g. an SSL/TLS certificate) and declares itself a CardSpace-enabled RP, i.e. a CardSpace-enabled website or service provider, using XHTML or HTML object tags.
(3) CEUA ↔ RP: CEUA retrieves the security policy via WS-SecurityPolicy. If the RP is card-enabled, the CEUA obtains the RP's security policy, described using WS-SecurityPolicy; the policy is retrieved using WS-MetadataExchange (protocol suites for establishing/verifying identity and any aspects necessary for using that protocol suite). The policy includes what security token formats the RP will accept, exactly what claims those tokens must contain, and which IdPs (identity providers) are trusted to make such assertions, in order for this user to be granted the service.
(4) CEUA ↔ User: User picks an InfoCard. In this step the user matches the RP's security policy with an appropriate InfoCard (one containing the type of security token required by the RP) that satisfies the RP's policy. After the user selects an InfoCard, the CEUA initiates a connection with the IdP that issued the InfoCard, and step 5 follows.
(5) CEUA ↔ IdP: User authentication. The user performs the authentication process with the IdP, either using a username/password login or using a self-issued InfoCard. This is done for the user to prove ownership of the InfoCard being used.
(6) CEUA ↔ IdP: CEUA retrieves the security token via WS-Trust. If authentication is successful, the user requests the IdP to provide a security token holding an assertion of the truth of the claims listed in the selected InfoCard. The CEUA obtains the security token using WS-Trust.
(7) CEUA → RP: CEUA presents the
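The policy-matching and token-checking side of steps 3 to 7 above, as an added Python example that is not from the slides or from Microsoft CardSpace itself: an HMAC stands in for the XML signature on a WS-Trust-issued token, and the issuer, RP and key names are constructed placeholders. It shows the identity selector choosing only a card that satisfies the RP policy, the IdP releasing no claim beyond the ones the policy requires (Law 2), and the RP rejecting tokens that are tampered with, expired, addressed to another RP, or signed by an untrusted issuer.

```python
import hashlib
import hmac
import json
# Constructed sample data (not from the slides); issuer and RP names are placeholders.
IDP_ID = "https://idp.example.test"
IDP_KEY = b"constructed-idp-signing-key"  # stand-in for the IdP's signing key
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
# Step 3: the RP's security policy, as the CEUA would retrieve it via WS-MetadataExchange.
RP_POLICY = {"token_types": [SAML], "trusted_issuers": [IDP_ID],
             "required_claims": ["givenname", "surname", "emailaddress"]}
# Step 4: InfoCards in the user's identity selector. A card lists the claims its
# issuer can assert; the claim values live at the IdP, not in the card.
INFOCARDS = [
    {"name": "Shopping card", "issuer": "https://self-issued.example.test",
     "token_types": [SAML], "claims": ["givenname", "emailaddress"]},
    {"name": "Work card", "issuer": IDP_ID, "token_types": [SAML],
     "claims": ["givenname", "surname", "emailaddress", "ssn"]},
]
# What the IdP knows about the user once step 5 (authentication) succeeds.
IDENTITY = {"givenname": "Alice", "surname": "Doe",
            "emailaddress": "alice@example.test", "ssn": "000-00-0000"}

def matching_cards(policy, cards):
    """Step 4: cards whose issuer, token type and claim set satisfy the RP policy."""
    return [c for c in cards
            if c["issuer"] in policy["trusted_issuers"]
            and set(c["token_types"]) & set(policy["token_types"])
            and set(policy["required_claims"]) <= set(c["claims"])]

def issue_token(idp_key, issuer, audience, identity, policy, now, lifetime=300):
    """Step 6: the IdP signs a token carrying only the claims the RP asked for (Law 2)."""
    body = {"issuer": issuer, "audience": audience, "exp": now + lifetime,
            "claims": {k: identity[k] for k in policy["required_claims"]}}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(idp_key, payload, hashlib.sha256).hexdigest()}

def verify_token(token, idp_keys, rp_id, policy, now):
    """Step 7 (RP side): untampered, unexpired, trusted issuer, right audience, all claims."""
    body = json.loads(token["payload"])
    key = idp_keys.get(body.get("issuer"))
    if key is None or body["issuer"] not in policy["trusted_issuers"]:
        return None
    expected = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    if (body.get("audience") != rp_id or body.get("exp", 0) <= now
            or not set(policy["required_claims"]) <= set(body.get("claims", {}))):
        return None
    return body["claims"]
```

Note that the "Work card" is the only match even though it can assert an SSN; the issued token still omits it because the RP policy never asked for it.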

