
Research On Key Techniques Of Identity Management For Cross-domain And Federation Networks

Posted on: 2014-10-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Cao
Full Text: PDF
GTID: 1268330422974318
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of network applications, the threats that identity theft and identity disclosure pose to users, and the threats that external and internal attackers pose to applications, are becoming more and more serious. How to prevent identity theft and identity disclosure is therefore a central issue of current research. Identity management (IdM) was proposed to address the major security threats that arise while users create, use, maintain and update identities, and while applications use those identities to complete identification, authentication and authorization. IdM refers to a set of identity-based policies, rules, methods and systems that implement identification, authentication, authorization, access control and behavior auditing. IdM aims to control user access to resources, third-party application access to identity information, and identity disclosure, by assigning each user a specific identity and binding the user's permissions and constraints to that identity. In this way IdM keeps identity information under control, guarantees its security, and improves both user experience and security.

This dissertation targets the difficulties that current IdM systems face in establishing a quantitative identity model, implementing a cross-domain authentication mechanism, integrating multiple authentication methods, and achieving effective privacy protection, with the prevention of identity theft and identity disclosure as the fundamental goal. The key issues of IdM technology, namely identity modeling, cross-domain authentication and privacy protection, have been studied; the main contributions of this work are as follows:

(1) A deep and comprehensive survey of related work. Since a large number of parallel approaches to IdM exist, we first summarize the key issues of IdM from three aspects: identity definition and modeling; authentication mechanisms and methods; and the models, methods and evaluation metrics of privacy protection.
This clarifies the objective of our work.

(2) An IdM framework for cross-domain federated environments. The requirements for identity modeling, identity authentication and privacy protection in IdM systems have been analyzed. The functional modules, service modules and actual system deployment of an IdM system have been designed and briefly described, in order to make clear which key issues of IdM need to be researched.

(3) An identity information description language, XIDL, that gives a quantitative description of identity, together with a quantitative identity model applicable to cross-domain federated IdM systems. Drawing on existing data description languages, the data types, operations and descriptions of identity, and the semantics and extensibility of XIDL, have been defined and analyzed, and an example shows how identifiable information is described in XIDL. Subsequently, through analysis of existing identity models, a quantitative identity model suited to cross-domain federated IdM has been designed, and its construction process, state transitions and a worked example have been given.

(4) A cross-domain active identity authentication mechanism that combines user identity with user behavior. Current authentication mechanisms and the characteristics of cross-domain federation are discussed first. Keystroke dynamics is then introduced and, on that basis, a weighted PR-RP model based on the statistical distribution of specific keystrokes (luuKey) is designed and serves as the authentication method, with the Security Assertion Markup Language (SAML) as the authentication mechanism. Identity assertions, attribute assertions, authorization decision assertions and secure inter-domain communication are realized with SAML.
By analyzing the current authentication process in single-domain and cross-domain environments, an active identity authentication mechanism (AAM) has been proposed. Authentication results can be generated by a third party established by AAM, so the existing authentication mechanisms of current IdM systems need not be changed. Theoretical analysis and simulation experiments show that luuKey has a low false positive rate and a low false alarm rate, and that AAM integrates well with existing authentication mechanisms.

(5) A privacy protection approach for critical identities and sensitive identity information. To make clear what must be protected, existing methods for measuring information importance and existing privacy protection methods are introduced first; then, drawing on Google PageRank, a critical identity evaluation method (CIE) that uses the references between identities and applications to measure the importance of an identity and the sensitivity of its attributes is proposed. Analysis shows that CIE measures critical identities and sensitive attributes effectively. By anonymizing public data, attackers cannot obtain enough information to forge an identity. After the importance and sensitivity of identities have been measured, a privacy protection model called (,)-Risk that resists background knowledge attacks is proposed: the model first fixes the anonymization evaluation parameters (,), and then achieves anonymization by linking the degree of anonymization to privacy risk. The model is further optimized by taking into account the characteristics of public data, private data, and the attribute distribution within the private data. Theoretical analysis and simulation show that the model resists background knowledge attacks and effectively protects the privacy of critical identities and sensitive identity information.
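The keystroke-dynamics method of contribution (4) is only sketched in the abstract. The following is an added illustration, not the dissertation's luuKey model or its code: it interprets PR and RP as press-release (dwell) and release-press (flight) intervals, which is an assumption, builds a per-feature template from enrollment samples, scores a login attempt with a weighted z-score distance (weights favour features with low relative spread, another assumed choice), and estimates false-acceptance and false-rejection rates on constructed timing samples. The passphrase, timing profiles, threshold and variance floor are all invented for the example.

```python
"""Keystroke-dynamics authentication from press-release (PR) and release-press (RP)
timings: enrol a template, score a login attempt with a weighted z-score distance,
and estimate false-acceptance / false-rejection rates on constructed samples."""
import random
import statistics
from dataclasses import dataclass

# (key, press_ms, release_ms), as a login form or keylogger would report it
Event = tuple[str, float, float]

PASSPHRASE = "secret"     # assumed fixed-text enrolment
STD_FLOOR_MS = 5.0        # avoids near-zero variance from small enrolment sets
THRESHOLD = 3.0           # accept if the weighted mean |z| is at or below this


def extract_features(events: list[Event]) -> list[float]:
    """PR (dwell) time of every key, followed by RP (flight) time of every key pair."""
    if "".join(k for k, _, _ in events) != PASSPHRASE:
        raise ValueError("typed text does not match the enrolled passphrase")
    pr = [release - press for _, press, release in events]
    rp = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return pr + rp


@dataclass
class Template:
    mean: list[float]
    std: list[float]
    weight: list[float]   # sums to 1; stabler features count more


def enroll(samples: list[list[Event]]) -> Template:
    feats = [extract_features(s) for s in samples]
    n = len(feats[0])
    mean = [statistics.fmean(f[j] for f in feats) for j in range(n)]
    std = [max(statistics.stdev(f[j] for f in feats), STD_FLOOR_MS) for j in range(n)]
    # assumed weighting: inverse coefficient of variation, normalised to sum to 1
    raw = [1.0 / (1.0 + s / max(abs(m), 1.0)) for m, s in zip(mean, std)]
    total = sum(raw)
    return Template(mean, std, [w / total for w in raw])


def score(t: Template, events: list[Event]) -> float:
    """Weighted mean of per-feature |z| distances from the template."""
    x = extract_features(events)
    return sum(w * abs(v - m) / s for w, v, m, s in zip(t.weight, x, t.mean, t.std))


def authenticate(t: Template, events: list[Event], threshold: float = THRESHOLD) -> bool:
    return score(t, events) <= threshold


def error_rates(t, genuine, impostors, threshold=THRESHOLD):
    """(FAR, FRR): fraction of impostor attempts accepted, of genuine attempts rejected."""
    far = sum(authenticate(t, s, threshold) for s in impostors) / len(impostors)
    frr = sum(not authenticate(t, s, threshold) for s in genuine) / len(genuine)
    return far, frr


# --- constructed typing profiles in milliseconds, not measured data ---
GENUINE_DWELL = [95, 88, 102, 90, 97, 85]
GENUINE_FLIGHT = [110, 130, 95, 120, 105]
IMPOSTOR_DWELL = [d + 60 for d in GENUINE_DWELL]     # a markedly slower typist
IMPOSTOR_FLIGHT = [f + 60 for f in GENUINE_FLIGHT]


def synth_sample(rng, dwell, flight, jitter=5.0) -> list[Event]:
    """Simulate one typing of PASSPHRASE with uniform +/- jitter around a profile."""
    events, t = [], 0.0
    for i, key in enumerate(PASSPHRASE):
        press = t
        release = press + dwell[i] + rng.uniform(-jitter, jitter)
        events.append((key, press, release))
        if i < len(flight):
            t = release + flight[i] + rng.uniform(-jitter, jitter)
    return events


def demo(seed: int = 7) -> tuple[float, float]:
    """Enrol on 5 genuine samples, then test 50 genuine and 50 impostor attempts."""
    rng = random.Random(seed)
    template = enroll([synth_sample(rng, GENUINE_DWELL, GENUINE_FLIGHT) for _ in range(5)])
    genuine = [synth_sample(rng, GENUINE_DWELL, GENUINE_FLIGHT) for _ in range(50)]
    impostors = [synth_sample(rng, IMPOSTOR_DWELL, IMPOSTOR_FLIGHT) for _ in range(50)]
    return error_rates(template, genuine, impostors)


if __name__ == "__main__":
    far, frr = demo()
    print(f"FAR={far:.2f} FRR={frr:.2f}")
```

The variance floor matters in practice: with only a handful of enrolment samples a feature can show near-zero spread by chance, and without the floor a legitimate user would be rejected on that feature alone. A real deployment would also tune the threshold on held-out genuine and impostor data rather than fix it as here.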
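Contribution (5) describes CIE as a PageRank-style ranking over the references between identities and applications. The block below is an added example, not the dissertation's CIE method: it runs standard PageRank power iteration over a constructed identity/application reference graph, ranks the identities by the resulting score, and derives an attribute sensitivity score from the importance of the identities carrying each attribute and how rare the attribute is. The graph, the attribute sets, the `id:`/`app:` naming and the sensitivity heuristic are all assumptions made for the example.

```python
"""PageRank-style critical identity evaluation over an identity/application
reference graph, with an importance-weighted attribute sensitivity score."""
from collections import defaultdict

# Constructed reference graph (not real data). "app:X -> id:Y" means application X
# references identity Y (stores, queries or relies on it); "id:Y -> app:X" means
# identity Y is registered with, and used at, application X.
REFERENCES = {
    "app:bank":  {"id:alice"},
    "app:mail":  {"id:alice", "id:bob"},
    "app:forum": {"id:bob", "id:carol"},
    "app:hr":    {"id:alice"},
    "id:alice":  {"app:bank", "app:mail", "app:hr"},
    "id:bob":    {"app:mail", "app:forum"},
    "id:carol":  {"app:forum"},
}

# Attributes carried by each identity (constructed)
ATTRIBUTES = {
    "id:alice": {"email", "ssn", "phone"},
    "id:bob":   {"email", "phone"},
    "id:carol": {"email"},
}


def pagerank(graph, damping=0.85, tol=1e-12, max_iter=500):
    """Power iteration; dangling nodes spread their rank uniformly over all nodes."""
    nodes = sorted(set(graph) | {v for outs in graph.values() for v in outs})
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(max_iter):
        dangling = sum(rank[v] for v in nodes if not graph.get(v))
        new = {v: (1.0 - damping) / n + damping * dangling / n for v in nodes}
        for u in nodes:
            outs = graph.get(u, ())
            if outs:
                share = damping * rank[u] / len(outs)
                for v in outs:
                    new[v] += share
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def critical_identities(graph):
    """Identities ordered by importance, most critical first (ties broken by name)."""
    scores = pagerank(graph)
    ids = [(v, s) for v, s in scores.items() if v.startswith("id:")]
    return sorted(ids, key=lambda p: (-p[1], p[0]))


def attribute_sensitivity(graph, attributes):
    """Assumed heuristic: an attribute is sensitive when important identities carry
    it and few identities share it (rarity = 1 - share of identities carrying it)."""
    importance = dict(critical_identities(graph))
    carriers = defaultdict(list)
    for ident, attrs in attributes.items():
        for a in attrs:
            carriers[a].append(ident)
    total = len(attributes)
    return {a: sum(importance[i] for i in ids) * (1.0 - len(ids) / total)
            for a, ids in carriers.items()}


if __name__ == "__main__":
    for ident, s in critical_identities(REFERENCES):
        print(f"{ident:10s} importance={s:.3f}")
    for attr, s in sorted(attribute_sensitivity(REFERENCES, ATTRIBUTES).items(),
                          key=lambda p: -p[1]):
        print(f"{attr:10s} sensitivity={s:.3f}")
```

In the constructed graph `id:alice` is referenced by three applications and comes out most critical; `ssn`, carried only by that identity, scores as the most sensitive attribute, while `email`, carried by every identity, has no discriminating value and scores zero under this heuristic.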
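The (,)-Risk model of contribution (5) links anonymization parameters to privacy risk under background knowledge attacks; its parameters are not given in the abstract, so the block below does not implement it. It is an added, generic illustration of the same idea: quasi-identifiers (zip code, age) in a constructed identity table are generalized, each resulting equivalence class is measured by its size and by how confidently an attacker who knows the target's quasi-identifiers and some excluded sensitive values can infer the sensitive attribute, and both measures are checked against chosen parameters. The records, the generalization scheme and the parameter names `min_k` and `max_risk` are assumptions made for the example.

```python
"""Anonymization risk check for an identity table: generalize quasi-identifiers,
then measure how well an attacker with background knowledge can infer the
sensitive attribute of a target inside each equivalence class."""
from collections import Counter, defaultdict

# Constructed records (not real data): (zip, age, diagnosis); diagnosis is sensitive.
RECORDS = [
    ("13053", 28, "heart disease"),
    ("13068", 29, "heart disease"),
    ("13068", 21, "viral infection"),
    ("13053", 23, "viral infection"),
    ("14853", 50, "cancer"),
    ("14853", 55, "heart disease"),
    ("14850", 47, "viral infection"),
    ("14850", 49, "viral infection"),
]


def generalize(zip_code, age, zip_digits, age_bucket):
    """Coarsen the quasi-identifiers: keep zip_digits of the zip, bucket the age."""
    lo = (age // age_bucket) * age_bucket
    return (zip_code[:zip_digits] + "*" * (len(zip_code) - zip_digits),
            f"{lo}-{lo + age_bucket - 1}")


def equivalence_classes(records, zip_digits, age_bucket):
    """Group the sensitive values of all records that share generalized quasi-identifiers."""
    classes = defaultdict(list)
    for zip_code, age, sensitive in records:
        classes[generalize(zip_code, age, zip_digits, age_bucket)].append(sensitive)
    return dict(classes)


def inference_risk(sensitive_values, background=frozenset()):
    """The attacker links the target to its class through the quasi-identifiers and
    also knows the target has none of the values in `background`. Returns the
    probability that the attacker's best guess of the sensitive value is right."""
    candidates = [v for v in sensitive_values if v not in background]
    if not candidates:
        return 1.0   # conservative: inconsistent background knowledge, treat as exposed
    return max(Counter(candidates).values()) / len(candidates)


def evaluate(records, zip_digits, age_bucket, background=frozenset(),
             min_k=2, max_risk=0.5):
    """Per-class (size, risk), and whether every class satisfies both parameters."""
    report = {qi: (len(vals), inference_risk(vals, background))
              for qi, vals in equivalence_classes(records, zip_digits, age_bucket).items()}
    ok = all(k >= min_k and risk <= max_risk for k, risk in report.values())
    return report, ok


if __name__ == "__main__":
    for bucket in (10, 40):
        for bg in (frozenset(), frozenset({"viral infection"})):
            report, ok = evaluate(RECORDS, 3, bucket, bg)
            print(f"age_bucket={bucket} background={sorted(bg)} ok={ok}")
            for qi, (k, risk) in sorted(report.items()):
                print(f"  {qi}: k={k} risk={risk:.2f}")
```

Two failure modes show up on the constructed table: with 10-year buckets the class `("148**", "40-49")` holds two records with the same diagnosis, so class size alone (k = 2) says nothing about disclosure; and with background knowledge that the target has no viral infection, the class `("130**", "20-29")` collapses to a single diagnosis even though it has four members. Coarser generalization (40-year buckets) passes without background knowledge but still fails with it, which is why risk has to be evaluated against the attacker's knowledge rather than class size alone.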
Keywords/Search Tags: identity management, identity model, identity authentication, keystroke dynamics, privacy protection, identity metric, anonymization