
To enhance security in managing personal data by web systems, it is not sufficient to only secure web applications and web services that exploit data associated with identities. The systems that offer data have to be protected as well. It is evident from the IdM life cycle (cf. Figure 4.5) and the architecture (cf. Figure 4.4) that we have to particularly protect identity (service) providers, as they make personal data on identities available. The fact that our proposal towards self-deterministic identity management involves a centralized data repository in control of identity owners furthermore underlines the absolute necessity to specially focus on protecting IdPs. Nevertheless, the cooperation of SPs is mandatory for implementing a holistic and comprehensive approach towards protection. When identities are about to be employed by entities, SPs have to confirm that protective measures are in place and taken into account during authentication attempts. In line with delivering Result 3, we consequently dedicate key components to safeguard personal data managed by identity (service) providers from three main types of threats, i.e., improper use, tampering and identity theft, and unwanted retrieval (cf. Activities 3.1 to 3.3 on page 58). As the use of the components is part of the IdM life cycle as per our proposal, we symbolically illustrate the intrinsic processes related to them at the top of Figure 4.5, with detailed explanations to follow in Chapters 5 to 7. For taking advantage of these key components, we integrate them into the WebID authentication sequence and, thus, extend the original process shown in Figure 4.2. There, entity e, exemplarily named Alice, wanted to retrieve an access-controlled resource and had to authenticate with her WebID certificate before. The extension to this process by our solution is labeled “Security enhancement by proposal” and highlighted bold in Figures 4.7 and 4.8. Here, 1 to 5 are analogous to Figure 4.2. Our proposal adds 6 and 7, as shown in Figure 4.7. These two extra steps are responsible for coping with Problem Cause 3.2: “Risk of Identity Theft and Tampering of Personal Data” and Problem Cause 3.1: “Insufficient Control of Identity Based on Individual Context” (cf. pages 45 and 47) through verifying both the integrity of personal data and the delegation rights stored within an identity owner’s WebID profile. Both allow detecting tampering and improper use of personal data corresponding to WebID identity owners. As an example, this assists in discovering malicious requests originating from profile data compromised by aggressors, or from subjects seemingly acting on the identity owner’s behalf yet not within mutually agreed upon scopes.
On the side of the IdP hosting Alice’s WebID profile, our proposal adds a mechanism to address Problem Cause 3.3: “Incomplete Range and Granularity of Access Control” (cf. page 48) through creating customized views that are specific to requesting entities and, thus, avoid unwanted disclosure of Alice’s personal data, as depicted in Figure 4.8.

[Figure 4.7: Security-Enhanced WebID Authentication Sequence for SPs. Participants: the user agent of entity e and the SP with security enhancements by proposal (TLS-Light service, WebID verifier, Guard, Resource). Labelled steps recoverable from the figure: TLS setup; WebID certificate request; WebID certificate for identity i and private key verification; request of WebID profile of identity i; response of WebID profile of identity i; verification of profile integrity (6); verification of delegate’s rights (7); authorization at the resource level; access control check.]

All three key components are complementary, rely on pre-existing security artifacts and help to increase the protection of personal data (Wild et al., 2015). They are intended to seamlessly fit into the RDF-based semantic landscape and contribute to assuring quality and maintainability by reducing adjustments and extensions to the necessary minimum. Unlike both verification mechanisms that are integrated on the service provider’s side, protection against unwanted disclosure is only available on a system hosting an identity owner’s WebID profile, i.e., an IdP. Since an IdP hosting a WebID profile serves incoming profile requests as well, the verification mechanisms could also be integrated there in order to check requests initiated by subjects authenticated via WebID.

[Figure 4.8: Security-Enhanced WebID Authentication Sequence for IdPs. Participants: the IdP with security enhancements by proposal hosting the WebID profile of identity i (Guard, WebID verifier, profile store). Labelled steps recoverable from the figure: request of WebID profile of identity i; WebID verification; customized profile view creation; response of WebID profile of identity i.]

The next three subsections briefly describe the key components enriching our proposal by measures for increased protection and control. While Subsection 4.3.1 outlines a way for avoiding improper use of personal data by subjects acting outside their scope yet on behalf of identity owners (cf. 7 in Figure 4.7), Subsection 4.3.2 explains how WebID profiles can be secured from malicious manipulation by offering an integrity protection and detection mechanism (cf. 6 in Figure 4.7). Subsection 4.3.3 presents the third key component. There, we show our contribution against unwanted retrieval attempts using fine-grained filters.

4.3.1 Context-Aware Control

In order to resolve Problem Cause 3.1: “Insufficient Control of Identity Based on Individual Context”, 3.1.1: “Inadequate Consideration of Individual User Conditions”, 3.1.2: “Risk of Improper Use of Identity Data in Delegation Scenarios” and 3.1.2.1: “Missing Control of Delegation Conditions by Delegators” by carrying out Activity 3.1: “Improve Control of Identity Based on Individual Context”, the component for context-aware control complements the proposed solution by measures for an improved consideration of individual conditions, stated preferences and current contexts of users by web systems, including web applications and web services (Wild, Ast, et al., 2013; Wild and Gaedke, 2014). Here, we focus on the provision stage in the IdM life cycle because decisions made by identity owners at this stage fundamentally affect the security in managing personal data also during future operations. When recalling the bank analogy we first employed when describing the problem in Section 1.2, it is obvious that customers choose banks that fit their preferences and security needs by offering appropriate assurances, like a solid legitimization process. That is, customers can control the terms under which their monetary capital is managed and protected. Similar to limited authorities over bank accounts, which bank customers can issue to other entities to access certain information or perform particular functions (like transferring money, but not deleting the account), we enable web users to both define and control the scope of actions of the entities to which authority has been issued. As a consequence, the component furthermore allows for mitigating risks of improperly employing authority as well as personal data in delegation scenarios (Wild et al., 2015). By enabling delegators to clearly specify the scope in which a delegate is allowed to operate on the delegator’s behalf, we provide more control over the conditions of delegations (Scholtz et al., 2015a).

Chapter 5 details this synopsis of the component for context-aware control through providing insights on analysis, development and evaluation.

4.3.2 Tamper-Evidentness

In order to resolve Problem Cause 3.2: “Risk of Identity Theft and Tampering of Personal Data” and 3.2.1: “Lack of Means to Detect Identity Theft and Manipulation” by carrying out Activity 3.2: “Mitigate Risk of Identity Theft and Tampering of Personal Data”, the component for tamper-evidentness complements the proposed solution by protective means to detect identity theft and malicious manipulation of personal data. With this component, we particularly aim at reducing the risk originating from potentially compromised IdPs, regardless of whether aggressors are operating outside or within the premises of IdPs (Wild et al., 2015).

Coming back to the analogy, imagine all employees of a bank—from the director through management to regular staff members—had the keys to the safety deposit lockers containing their customers’ monetary capital. With the keys, they could open the safety deposit lockers, take a look inside as well as add, modify or remove content. If such behavior were obvious to potential bank customers, they would probably not trust the bank any longer. Applied to the web-based management of personal data, malicious IdP operators or aggressors might have, or might already have acquired, such extended read/write access to sensitive data, which bears the danger of data tampering happening without the data owner’s knowledge. Encrypting personal data is not a practicable choice, as it would largely complicate matters through issues like affirming public accessibility or distributing and updating cryptographic means. Although there is no satisfying solution available to prevent personal data from various kinds of manipulation (like replacement, altering, removal, addition), this component enables sound proof of the identity owner’s intent by verifying the integrity of personal data stored in WebID profiles and detecting possible anomalies (Wild et al., 2014). That is, identity owners are put in the position to assure SPs and other requesting entities that the personal data they obtained is as intended by these identity owners. Through ensuring that especially identity data was not altered by unauthorized entities, we increase the authenticity of personal data and, thus, the credibility of identity owners during diverse operations, like authentication.
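The following is an added worked example, written for this edited version and not code from the thesis or its WebID implementation. It simulates what an SP does in steps 6 and 7 of Figure 4.7 after steps 1 to 5 have authenticated a requester: it first checks the integrity of the retrieved WebID profile (Subsection 4.3.2) and only then checks whether a delegate is acting within the scope the delegator granted (Subsection 4.3.1). Everything in it is an assumption for illustration: the profile is a list of subject/predicate/object triples, the owner seals it with an HMAC over a canonical serialisation (standing in for a digital signature, so the verifier here needs the owner's key), delegations are modelled as a node with the hypothetical predicates ex:delegator, ex:delegate and ex:allows, and the identities Alice and Bob are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample identities (not from the thesis).
ALICE = "https://alice.example/profile#me"   # identity owner (delegator)
BOB = "https://bob.example/profile#me"       # subject acting on Alice's behalf (delegate)
ALICE_KEY = b"alice-profile-integrity-key"    # stand-in for Alice's signing key


def canonicalize(triples):
    """Deterministic serialisation of the triple set, so the integrity token
    does not depend on triple order or serialisation whitespace."""
    return json.dumps(sorted(triples), separators=(",", ":")).encode()


def seal_profile(triples, key):
    """Identity owner side: attach an integrity token to the profile.
    HMAC-SHA256 stands in for the owner's digital signature in this example."""
    tag = hmac.new(key, canonicalize(triples), hashlib.sha256).hexdigest()
    return {"triples": [tuple(t) for t in triples], "integrity": tag}


def verify_integrity(profile, key):
    """Step 6: recompute the token over the received triples and compare in
    constant time. Any replaced, altered, removed or added triple fails."""
    expected = hmac.new(key, canonicalize(profile["triples"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, profile["integrity"])


def delegated_scope(profile, delegator, delegate):
    """Collect the actions the delegator granted to the delegate. A delegation
    is a node carrying ex:delegator, ex:delegate and one or more ex:allows."""
    nodes = {}
    for s, p, o in profile["triples"]:
        nodes.setdefault(s, {}).setdefault(p, set()).add(o)
    allowed = set()
    for props in nodes.values():
        if delegator in props.get("ex:delegator", ()) and delegate in props.get("ex:delegate", ()):
            allowed |= props.get("ex:allows", set())
    return allowed


def verify_delegate_rights(profile, delegator, delegate, action):
    """Step 7: a delegate may act only within the mutually agreed scope."""
    return action in delegated_scope(profile, delegator, delegate)


def authorize(profile, owner, requester, action, owner_key):
    """SP-side decision once steps 1-5 have authenticated `requester`.
    Step 6 runs before step 7, so a tampered profile can never yield a grant."""
    if not verify_integrity(profile, owner_key):
        return "deny: profile integrity check failed"
    if requester == owner:
        return "grant: identity owner"
    if verify_delegate_rights(profile, owner, requester, action):
        return "grant: delegate within scope"
    return "deny: delegate outside agreed scope"


# Constructed WebID profile of Alice with one delegation to Bob.
ALICE_TRIPLES = [
    (ALICE, "foaf:name", "Alice"),
    (ALICE, "cert:key", "public-key-placeholder"),
    ("_:d1", "ex:delegator", ALICE),
    ("_:d1", "ex:delegate", BOB),
    ("_:d1", "ex:allows", "read:calendar"),
]
ALICE_PROFILE = seal_profile(ALICE_TRIPLES, ALICE_KEY)


def tampered_copy(profile):
    """Simulate an aggressor at the IdP widening Bob's scope in the stored
    profile without being able to re-seal it."""
    triples = list(profile["triples"]) + [("_:d1", "ex:allows", "write:calendar")]
    return {"triples": triples, "integrity": profile["integrity"]}


if __name__ == "__main__":
    print(authorize(ALICE_PROFILE, ALICE, ALICE, "write:calendar", ALICE_KEY))
    print(authorize(ALICE_PROFILE, ALICE, BOB, "read:calendar", ALICE_KEY))
    print(authorize(ALICE_PROFILE, ALICE, BOB, "write:calendar", ALICE_KEY))
    print(authorize(tampered_copy(ALICE_PROFILE), ALICE, BOB, "write:calendar", ALICE_KEY))
```

The order of the two checks is the point a practitioner should keep: the delegation statements are themselves part of the profile, so evaluating them before the integrity check would let a manipulated profile grant its own widened scope. With a real signature scheme the SP would verify against the owner's public key rather than a shared secret, which is the one place this simplification differs from what the text describes.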

Chapter 6 details this synopsis of the component for tamper-evidentness through providing insights on analysis, development and evaluation.

4.3.3 Fine-Grained Filtering

In order to resolve Problem Cause 3.3: “Incomplete Range and Granularity of Access Control” and 3.3.1: “Limitation of Access Control Facilities to Specific SPs” by carrying out Activity 3.3: “Increase Range and Granularity of Access Control”, the component for fine-grained filtering (FGF) complements the proposed solution by measures for controlling access to sensitive data at the attribute level. By shifting the default location of typically storing personal data from various SPs to individual IdPs, the proposed solution for self-deterministic IdM already facilitates implementing holistic access control by identity owners. Unlike other systems that involve protection of data only at the resource level, we increase the granularity on the one hand and, on the other hand, reduce the efforts identity owners would have when dividing and distributing their personal data manually among web-accessible resources (Wild et al., 2015).

Relying on the bank analogy once again, it is evident that employees do not share the same view on account data of customers. On the contrary, the privilege to access certain information is specific to particular persons, depending on their trust level and position in the company. Transferring these characteristics concerning the management of monetary capital to social capital would result in establishing requester-specific customized views on personal data. For protecting data stored within resources, i.e., in particular WebID profiles containing personal data, this component applies a facade design pattern to create customized views on data (Wild, Chudnovskyy, et al., 2013a). Depending on the identity of the requesting entity, we filter semantic data within URI-addressable RDF resources in a fine-grained manner (Wild, Chudnovskyy, et al., 2013b).
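As an added illustration of the facade idea described above (this is example code written for this edited version, not the thesis's FGF component), the block below keeps an identity owner's WebID profile as RDF-style triples and places a facade object in front of it that serves each requester only the attributes the owner's policy permits. The identities, predicates and the policy are constructed assumptions; the policy keyed by requester WebID with a "*" fallback for any other authenticated requester and None for anonymous requests is this example's own design.

```python
# Constructed sample identities (not from the thesis).
ALICE = "https://alice.example/profile#me"   # identity owner whose profile this IdP hosts
BOB = "https://bob.example/profile#me"       # a requester Alice trusts with more attributes
CAROL = "https://carol.example/profile#me"   # any other WebID-authenticated requester
ANONYMOUS = None                              # request without WebID authentication

# Constructed WebID profile, one attribute per triple.
PROFILE = [
    (ALICE, "foaf:name", "Alice"),
    (ALICE, "cert:key", "public-key-placeholder"),
    (ALICE, "foaf:mbox", "mailto:alice@alice.example"),
    (ALICE, "foaf:phone", "tel:+1-555-0100"),
    (ALICE, "foaf:knows", BOB),
]

# Attribute-level policy: which predicates each class of requester may see.
# "*" applies to any authenticated requester without an explicit entry.
POLICY = {
    ANONYMOUS: {"foaf:name", "cert:key"},
    "*": {"foaf:name", "cert:key", "foaf:knows"},
    BOB: {"foaf:name", "cert:key", "foaf:knows", "foaf:mbox"},
}


class ProfileFacade:
    """Facade over the stored profile: callers never read the raw triples,
    they always go through a requester-specific view."""

    def __init__(self, owner, triples, policy):
        self.owner = owner
        self._triples = [tuple(t) for t in triples]
        self._policy = policy

    def visible_predicates(self, requester):
        """Resolve the requester to the predicate set the owner permits.
        None means no filtering, which only the owner gets."""
        if requester == self.owner:
            return None
        if requester in self._policy:
            return self._policy[requester]
        if requester is not None and "*" in self._policy:
            return self._policy["*"]
        return self._policy.get(ANONYMOUS, set())

    def view(self, requester):
        """Customized view: the triples whose predicate the requester may see."""
        allowed = self.visible_predicates(requester)
        if allowed is None:
            return list(self._triples)
        return [t for t in self._triples if t[1] in allowed]

    def serialize(self, requester):
        """Turtle-like rendering of the view, i.e. the profile response
        the IdP hands back for this requester."""
        return "\n".join(f"<{s}> {p} {_term(o)} ." for s, p, o in self.view(requester))


def _term(obj):
    """Render IRIs in angle brackets and everything else as a string literal."""
    return f"<{obj}>" if obj.startswith(("http", "mailto:", "tel:")) else f'"{obj}"'


if __name__ == "__main__":
    facade = ProfileFacade(ALICE, PROFILE, POLICY)
    for who in (ANONYMOUS, CAROL, BOB, ALICE):
        print(f"--- view for {who or 'anonymous'} ---")
        print(facade.serialize(who))
```

One detail worth keeping in a real deployment: foaf:name and cert:key stay in the anonymous view on purpose, because an SP's WebID verifier must still be able to fetch the public key from the profile (the WebID verification step in Figure 4.8); a filter that withheld it would break authentication for everyone rather than protect the owner.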

Chapter 7 details this synopsis of the component for FGF through providing insights on analysis, development and evaluation.

Following the introduction of the key components that extend the proposed solution architecture in diverse security respects on IdP and SP side, the next section proceeds with explaining how to substantiate and verify the underlying concepts in practice.
