by Bernd Zwattendorfer, Stephan Krenn and Thomas Lorünser
CREDENTIAL is an EU H2020 funded research project that is developing, testing, and showcasing innovative cloud-based services for storing, managing, and sharing digital identity information and other highly critical personal data with a demonstrably higher level of security and privacy than other current solutions. This is achieved by advancing novel cryptographic technologies and improving strong authentication mechanisms.
Digital identity management (IdM) is an essential tool for managing access to information technology (IT) resources and is an enabler for seamless interaction between systems, organizations, and end users in the future. However, in order to be fully and broadly accepted, IdM must involve secure identification and authentication processes and protect user privacy. This is especially true for high-assurance application domains such as e-Business, e-Government, or e-Health, which have a superior demand for security and privacy due to the harm a potential breach or identity theft could cause.
Identity management is currently experiencing a paradigm shift, and existing solutions fall short in many aspects when it comes to federated and heterogeneous environments. In the past, IdM was mainly a local issue: most organizations operated their own, custom-tailored identity management systems within the organization’s domain boundaries, and the use of external IdM systems was the exception. Today, we often see mixed systems, mainly because of the increasing use of distributed and inter-connected applications that integrate internal and external components, e.g., hybrid cloud applications. This situation leads to fragmented, non-standard authentication setups on the IdM level and causes high administrative costs compared with integrated solutions. Many “identity islands” have to be managed outside the corporate IT environment, and the advantages of integrated identity and access management (IAM) solutions are lost. Important features like single sign-on as well as easy and centralized provisioning/de-provisioning, audit, and control of identities are no longer possible. For these reasons there is a strong demand for the development and integration of trustworthy IAM systems. Ideally, these systems would provide the security and privacy guarantees required in federated business environments with the strongest guarantees possible, namely those backed by cryptography.
Figure 1: Privacy preserving IAM workflow.
The transformation in the identity management world goes hand in hand with the tremendous shift to cloud computing that has shaped the ICT world during recent years. By now, numerous IdM systems and solutions are available as cloud services, providing identity services to applications operated both in closed domains and in the public cloud. This service model is often referred to as Identity (and Access) Management as a Service (IDMaaS). Popular examples of cloud IDMaaS providers are big companies from the sectors of social networks (Facebook, LinkedIn), search engines (Google), business solutions (Microsoft, Salesforce), and online retailers (Amazon). However, no satisfactory approaches currently exist which allow the storage and sharing of identity data by service providers in a privacy-preserving manner, meaning without the identity provider learning the credentials and associated data.
The vision of CREDENTIAL is to fill this gap and develop a more trustworthy solution by combining secure and efficient identity management technologies with cryptography for cloud computing [1,2,3]. Users will be able to store identity data in a cloud-based IDMaaS system of an identity provider such that the confidentiality and authenticity of the data is upheld even from the provider. Now, if a user wants to access a specific service at a different provider or from the enterprise environment, she can advise the identity provider to select specific data items and re-encrypt them for the service provider such that (after transmission) the service provider remains the only party capable of accessing the data items in plain text.
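The workflow above (user encrypts for herself, the identity provider transforms the ciphertext for the service provider without ever seeing the plaintext) can be illustrated with a toy ElGamal-based proxy re-encryption scheme in the style of Blaze, Bleumer and Strauss. This is an added example, not code from the CREDENTIAL project; the group parameters are constructed toy values, far too small to be secure, and the scheme is bidirectional, which matters for the collusion caveat in the comments.

```python
"""Toy proxy re-encryption over ElGamal, illustrating the CREDENTIAL flow.
Constructed toy parameters (assumption, not secure): safe prime p = 2q + 1,
g generates the order-q subgroup of Z_p^*."""
import secrets

P = 1019   # safe prime, p = 2q + 1
Q = 509    # prime order of the subgroup generated by G
G = 4      # 4 = 2^2 is a quadratic residue, hence of order q


def keygen():
    """Secret key in [1, q-1] (invertible mod q), public key g^sk."""
    sk = 1 + secrets.randbelow(Q - 1)
    return sk, pow(G, sk, P)


def encrypt(pk, m):
    """User encrypts an identity attribute m (1 <= m < p) for her own key:
    (m * g^r, pk^r). Only the second component depends on the key."""
    r = 1 + secrets.randbelow(Q - 1)
    return (m * pow(G, r, P)) % P, pow(pk, r, P)


def decrypt(sk, ct):
    """Recover g^r = (g^{sk r})^{1/sk mod q}, then strip it from c1."""
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)
    return (c1 * pow(g_r, -1, P)) % P


def rekey(sk_user, sk_service):
    """Re-encryption key rk = sk_service / sk_user mod q, produced by the user.
    Caveat: the scheme is bidirectional, so a proxy colluding with the
    service provider could derive sk_user from rk; the identity provider
    must therefore be trusted not to collude, even though it never sees m."""
    return (sk_service * pow(sk_user, -1, Q)) % Q


def reencrypt(rk, ct):
    """Identity provider (proxy) step: c2^rk = g^{sk_user r rk} = g^{sk_service r}.
    The proxy never touches c1, so the attribute m stays hidden from it."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)


def share_attribute(m):
    """Full round trip: returns (user's own decryption, service provider's decryption)."""
    sk_u, pk_u = keygen()          # user's identity key pair
    sk_s, _pk_s = keygen()         # service provider's key pair
    ct = encrypt(pk_u, m)          # stored at the identity provider
    ct_s = reencrypt(rekey(sk_u, sk_s), ct)
    return decrypt(sk_u, ct), decrypt(sk_s, ct_s)
```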
In comparison to current IDMaaS systems, which have full access to the identity data they are hosting, the CREDENTIAL solution will significantly improve the privacy of cloud identity service users, whilst maintaining a high degree of usability in order to encourage secure use of the services. Data will be protected with end-to-end encryption, while the authentication of the users against the identity service provider will be secured with efficient and strong state-of-the-art multifactor authentication mechanisms within a consistent and holistic security approach.
CREDENTIAL had its kick-off in October 2015 and will last for three years. The consortium is currently doing a technology assessment and a requirements elicitation for a secure and privacy-preserving IDMaaS solution in the cloud. The CREDENTIAL consortium consists of a balanced team from seven EU countries, including six industry partners, two applied research organizations, three universities, and one SME.
[1] B. Zwattendorfer, D. Slamanig: “Design Strategies for a Privacy-Friendly Austrian eID System in the Public Cloud”, Computers & Security, 2014.
[2] D. Slamanig, K. Stranacher, B. Zwattendorfer: “User-Centric Identity as a Service-Architecture for eIDs with Selective Attribute Disclosure”, in Proc. of SACMAT 2014.
[3] B. Zwattendorfer, A. Tauber: “Secure Cloud Authentication using eIDs”, in Proc. of IEEE CCIS 2012.
Graz University of Technology
AIT Austrian Institute of Technology GmbH