Privacy and Identity Management in Cloud Rohit Ranchal, Bharat Bhargava, Pelin Angin, Noopur Singh, Lotfi Ben Othmane, Leszek Lilien Department of Computer.

Slides:

Advertisements

Similar presentations

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.

Advertisements

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

CSC 774 Advanced Network Security

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]

Privacy in Cloud Computing Through Identity Management Purdue University Bharat Bhargava, Noopur Singh U.S Airforce Asher Sinclair.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Trustworthy and Personalized Computing Christopher Strasburg Department of Computer Science Iowa State University November 12, 2008.

Cryptography and Authentication Lab ECE4112 Group4 Joel Davis Scott Allen Quinn.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

Core Web Service Security Patterns

Protection of Identity Information in Cloud Computing without Trusted Third Party 作者 :Rohit Ranchal, Bharat Bhargave, Lotfi Ben Othmane, Leszek Lilien,

1 Trust and Privacy in Authorization Bharat Bhargava Yuhui Zhong Leszek Lilien CERIAS Security Center CWSA Wireless Center Department of CS and ECE Purdue.

Trust, Privacy, and Security Moderator: Bharat Bhargava 1 Coordinators: Bharat Bhargava 1, Csilla Farkas 2, and Leszek Lilien 1 1 Purdue University and.

Using Digital Credentials On The World-Wide Web M. Winslett.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

Students: Rohit Ranchal and Gen Nishida PI: Bharat Bhargava ( PLM Center of Excellence and CERIAS Computer Sciences Purdue University.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

PhD Prelim Exam Dept. of Computer Science Purdue University

Cloud Computing Cloud Security– an overview Keke Chen.

Construction of efficient PDP scheme for Distributed Cloud Storage. By Manognya Reddy Kondam.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

Research in Cloud Security and Privacy

1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.

1 Anonymous Roaming Authentication Protocol with ID-based Signatures Lih-Chyau Wuu Chi-Hsiang Hung Department of Electronic Engineering National Yunlin.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

Trusted Systems Laboratory Hewlett-Packard Laboratories Bristol, UK InfraSec 2002 InfraSec 2002 Bristol, October 2002 Marco Casassa Mont Richard.

Privacy and Identity Management in Cloud

Privacy and Identity Management in Cloud Rohit Ranchal, Bharat Bhargava, Pelin Angin, Noopur Singh, Lotfi Ben Othmane, Leszek Lilien Department of Computer.

1 Using EMV cards for Single Sign-On 26 th June st European PKI Workshop Andreas Pashalidis and Chris J. Mitchell.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

© Synergetics Portfolio Security Aspecten.

1 Chapter 12: VPN Connectivity in Remote Access Designs Designs That Include VPN Remote Access Essential VPN Remote Access Design Concepts Data Protection.

IP Security Lawrence Taub IPSEC IP security — security built into the IP layer Provides host-to-host (or router-to-router) encryption and.

Authentication Applications Unit 6. Kerberos In Greek and Roman mythology, is a multi-headed (usually three-headed) dog, or "hellhound” with a serpent's.

Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.

Privacy Preserving Cross-Domain Data Dissemination (with adaptable service selection) Northrop Grumman TechFest June 2015 PI: Prof. Bharat Bhargava Purdue.

Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Secure Authentication System for Public WLAN Roaming Ana Sanz Merino, Yasuhiko.

Karlstad University IP security Ge Zhang

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?

Privacy in Cloud Computing Identity Management System for Cloud Microsoft CardSpace Purdue University.

Secure Communication between Set-top Box and Smart Card in DTV Broadcasting Authors: T. Jiang, Y. Hou and S. Zheng Source: IEEE Transactions on Consumer.

Traditional Security Issues Confidentiality –Prevent unauthorized access or reading of information Integrity –Insure that writing or operations are allowed.

IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.

Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.

M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized Trust Management. In Proc. of the 17 th Symposium on Security and Privacy, pages IEEE Computer.

CSCE 201 Identification and Authentication Fall 2015.

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

VANETs. Agenda System Model → What is VANETs? → Why VANETs? Threats Proposed Protocol → AOSA → SPCP → PARROTS Evaluation → Entropy → Anonymity Set → Tracking.

K. Salah1 Security Protocols in the Internet IPSec.

Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE.

SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.

Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.

Application of Active Bundles Bharat Bhargava. A. Identity Management (IDM) Service-Oriented Architecture (SOA) IDM in traditional application-centric.

Cloud Security– an overview Keke Chen

PAYMENT GATEWAY Presented by SHUJA ASHRAF SHAH ENROLL: 4471

Radius, LDAP, Radius used in Authenticating Users

Secure Authentication System for Public WLAN Roaming

Privacy and Identity Management in Cloud

Trust-based Privacy Preservation for Peer-to-peer Data Sharing

Presentation transcript:

Privacy and Identity Management in Cloud Rohit Ranchal, Bharat Bhargava, Pelin Angin, Noopur Singh, Lotfi Ben Othmane, Leszek Lilien Department of Computer Science Purdue University, Western Michigan University {rranchal, Mark Linderman Air Force Research Laboratory Rome, NY, USA This research was supported by AFRL Rome, USA and NGC

Outline Motivation Identity Management (IDM) Goals of Proposed User-Centric IDM Mechanisms Description of proposed solution Advantages of the Proposed Scheme Conclusion & Future Work References Questions?

Motivation User on Amazon Cloud Name Password Billing Address Shipping Address Credit Card Name Shipping Address Name Billing Address Credit Card Name Password Billing Address Shipping Address Credit Card Name Shipping Address

Motivation User on Amazon Cloud Name Password Billing Address Shipping Address Credit Card Name Shipping Address Name Billing Address Credit Card Name Password Billing Address Shipping Address Credit Card Name Shipping Address

Identity Management (IDM) IDM in traditional application-centric IDM model ◦ Each service keeps track of identifying information of its users. Existing IDM Systems ◦ Microsoft Windows CardSpace [W. A. Alrodhan] ◦ OpenID [ ◦ PRIME [S. F. Hubner, Karlstad Univ] trusted third party These systems require a trusted third party and do not work on untrusted host. an untrusted host. If Trusted Third Party is compromised, all the identifying information of the users is also compromised leading to serious problems like Identity Theft. AT&T iPad leak [Latest: AT&T iPad leak ]

IDM in Cloud Computing Cloud introduces several issues to IDM ◦ Collusion between Cloud Services multiple accountsmultiple service providers.  Users have multiple accounts associated with multiple service providers. mapping of the identities to the user.  Sharing sensitive identity information between services can lead to undesirable mapping of the identities to the user. ◦ Lack of trust  Cloud hosts are untrusted  Use of Trusted Third Party is not an option ◦ Loss of control  Service-centric IDM Model IDM in Cloud needs to be user-centric

Goals of Proposed User-Centric IDM for the Cloud 1.Authenticate without disclosing identifying information 2.Ability to securely use a service while on an untrusted host (VM on the cloud) 3.Minimal disclosure and minimized risk of disclosure during communication between user and service provider (Man in the Middle, Side Channel and Correlation Attacks) 4.Independence of Trusted Third Party for identity information

Mechanisms in Proposed IDM Active Bundle [L. Othmane, R. Ranchal] Anonymous Identification [A. Shamir] Computing Predicates with encrypted data [E. Shi] Multi-Party Computing [A. Shamir] Selective Disclosure [B. Laurie]

Active Bundle Active bundle AB Active bundle (AB) protectingdatawithin – An encapsulating mechanism protecting data carried within it data – Includes data metadata – Includes metadata used for managing confidentiality Both privacy of data and privacy of the whole AB – Includes Virtual Machine (VM) operations performing a set of operations protecting confidentiality protecting its confidentiality Active Bundles—Operations Active Bundles—Operations – Self-Integrity check E.g., Uses a hash function – Evaporation/ Filtering Self-destroys (a part of) AB’s sensitive data when threatened with a disclosure – Apoptosis Self-destructs AB’s completely

Active Bundle Scheme – Metadata: Access control policies Data integrity checks Dissemination policies Life duration ID of a trust server ID of a security server App-dependent information … – Sensitive Data: Identity Information... – Virtual Machine (algorithm): Interprets metadata Checks active bundle integrity Enforces access and dissemination control policies … E(Name) E( ) E(Password) E(Shipping Address) E(Billing Address) E(Credit Card) … * E( ) - Encrypted Information

Anonymous Identification User on Amazon Cloud 1. 2.Password 1. 2.Password User Request for service Function f and number k f k ( , Password) = R ZKP Interactive Protocol Authenticated Use of Zero-knowledge proofing for user authentication without disclosing its identifier.

Interaction using Active Bundle Active Bundle (AB) Security Services Agent (SSA) Active Bundle Services User Application Active Bundle Coordinator Active Bundle Creator Directory Facilitator Active Bundle Destination Trust Evaluation Agent (TEA) Audit Services Agent (ASA) Active Bundle AB information disclosure

Predicate over Encrypted Data Verification without disclosing unencrypted identity data. Password E(Name) E(Shipping Address) E(Billing Address) E(Credit Card) E(Name) E(Billing Address) E(Credit Card) Predicate Request* *Age Verification Request *Credit Card Verification Request

Multi-Party Computing To become independent of a trusted third party Multiple Services hold shares of the secret key Minimize the risk E(Name) E(Billing Address) E(Credit Card) Key Management Services K’1K’1 K’2K’2 K’3K’3 K’nK’n Predicate Request * Decryption of information is handled by the Key Management services

Multi-Party Computing To become independent of a trusted third party Multiple Services hold shares of the secret key Minimize the risk Name Billing Address Credit Card Key Management Services K’1K’1 K’2K’2 K’3K’3 K’nK’n Predicate Reply* *Age Verified *Credit Card Verified

Selective Disclosure Password E(Name) E(Shipping Address) E(Billing Address) E(Credit Card) Selective disclosure* E(Name) E(Shipping Address) User Policies in the Active Bundle dictate dissemination *e-bay shares the encrypted information based on the user policy

Selective Disclosure E(Name) E(Shipping Address) Selective disclosure* E(Name) E(Shipping Address) *e-bay seller shares the encrypted information based on the user policy

Selective Disclosure E(Name) E(Shipping Address) Selective disclosure Name Shipping Address Decryption handled by Multi-Party Computing as in the previous slides

Selective Disclosure E(Name) E(Shipping Address) Selective disclosure Name Shipping Address Fed-Ex can now send the package to the user

Identity in the Cloud User on Amazon Cloud Name Password Billing Address Shipping Address Credit Card Name Shipping Address Name Billing Address Credit Card Password

Characteristics and Advantages Ability to use Identity data on untrusted hosts Self Integrity Check Integrity compromised- apoptosis or evaporation Data should not be on this host Establishes the trust of users in IDM ◦ Through putting the user in control of who has his data and how is is used ◦ Identity is being used in the process of authentication, negotiation, and data exchange. Independent of Third Party for Identity Information ◦ Minimizes correlation attacks Minimal disclosure to the SP ◦ SP receives only necessary information.

Conclusion & Future Work Problems with IDM in Cloud Computing ◦ Collusion of Identity Information ◦ Prohibited Untrusted Hosts ◦ Usage of Trusted Third Party Proposed Approaches ◦ IDM based on Anonymous Identification ◦ IDM based on Predicate over Encrypted data ◦ IDM based on Multi-Party Computing Future work ◦ Develop the prototype, conduct experiments and evaluate the approach

References [1] C. Sample and D. Kelley. Cloud Computing Security: Routing and DNS Threats, June 23,2009. [2] W. A. Alrodhan and C. J. Mitchell. Improving the Security of CardSpace, EURASIP Journal on Information Security Vol. 2009, doi: /2009/167216, [3] OPENID, [4] S. F. Hubner. HCI work in PRIME, [5] A. Gopalakrishnan, Cloud Computing Identity Management, SETLabsBriefings, Vol7, [6] A. Barth, A. Datta, J. Mitchell and H. Nissenbaum. Privacy and Contextual Integrity: Framework and Applications, Proc. of the 2006 IEEE Symposium on Security and Privacy, [7] L. Othmane, Active Bundles for Protecting Confidentiality of Sensitive Data throughout Their Lifecycle, PhD Thesis, Western Michigan Univ, [8] A. Fiat and A. Shamir, How to prove yourself: Practical Solutions to Identification and Signature Problems, CRYPTO, [9] A. Shamir, How to Share a Secret, Communications of the ACM, [10] M. Ben-Or, S. Goldwasser and A. Wigderson, Completeness theorems for non-cryptographic fault- tolerant distributed computation, ACM Symposium on Theory of Computing, [11] E. Shi, Evaluating Predicates over Encrypted Data, PhD Thesis, CMU, 2008.