Elisa Bertino CS Department Purdue University West Lafayette, Indiana firstname.lastname@example.org Federica Paci CS Department Purdue University West Lafayette, Indiana email@example.com Ning Shang CS Department Purdue University West Lafayette, Indiana firstname.lastname@example.org
Tools and techniques for digital identity management represent animportant technology for enabling transactions and interactions across the Internet. Because identity information is often privacy sensitive, it is important that suitable privacy and security techniques be adopted for its protection. In this paper we discuss relevant concepts and issues and survey an approach based on the notion of multifactor veriﬁcation. Such approach, developed for federateddigital identity management systems, is based on privacypreserving cryptographic protocols and thus achieves high assurance privacy. In the paper we also discuss relevant open research issues, including interoperability, and protocols to support sophisticated policies for identity veriﬁcation.
ability in business transactions, and in complying with regulatory controls. Digital identity can bedeﬁned as the digital representation of the information known about a speciﬁc individual or organization. Such information can be used for different purposes, ranging from allowing one to prove his/her claim to identity (very much like the use of a birth certiﬁcate or passport) to establishing permissions (like the use of a drivers license to establish the right to operate a vehicle). It may includenot only “attributive information” about an individual, such as social security number or passport number, but also “biometric information”, such as iris or ﬁngerprint features. For this technology to fully deploy its potential, it is crucial that strong protection of digital identity be achieved. Identity management (IdM) systems must assure that such information is not misused and individualsprivacy is guaranteed.
Today a global information infrastructure connects remote parties worldwide through the use of large scale networks, relying on application level protocols and services, such as recent web service technology. Execution of activities in various domains, such as shopping, entertainment, business and scientiﬁc collaboration, and at various levels within thosecontexts, is increasingly based on the use of remote resources and services. The interaction between different remotely-located parties may be (and sometimes should be) based on little knowledge about each other. Thus, as the richness of our cyberspace lives begins to parallel our physical world experience, more convenient IT (Information Technology) infrastructures and systems are expected. Weexpect, for example, that personal preferences and proﬁles of users be readily available when shopping over the Web, without requiring the users to repeatedly enter them. In such a scenario, digital identity management (DIM) technology is fundamental in customizing user experience, protecting privacy, underpinning accountlxix
In this paper we focus on a solution for the privacypreservingveriﬁcation of digital identity information, based on multi-factor veriﬁcation strategy. By multi-factor veriﬁcation we mean that whenever some identity information, referred to as identity attribute, about an individual needs to be veriﬁed by a party, for example a service provider, such party may verify the identity by requiring several identity proofs. The speciﬁcation of which identity attributes have tobe presented is stated by veriﬁcation policies. Different parties in a distributed system may specify different policies. To assure that such an approach does not undermine privacy, we have developed a cryptographic protocol, referred to as aggregate zero knowledge proof protocol. Such a protocol allows a user to prove the knowledge of multiple secrets to a party, that is, a veriﬁer,...