%M C.IDTRUST.09.1
%T Identity, credential, and access management at NASA, from Zachman to
attributes
%S Identity management
%A Irwin, Corinne S.
%A Taylor, Dennis C.
%B Proceedings of the 2009 Symposium on Identity and Trust on the Internet
%D 2009-04-14
%P 1-14
%K attribute-based access control (ABAC), level of assurance (LoA), logical
access control system (LACS)
%* (c) Copyright 2009 ACM
%W http://doi.acm.org/10.1145/1527017.1527019
%X To achieve the ultimate goal of attribute-based access control (ABAC), a
robust architecture for Identity, Credential, and Access Management must first
be established. The National Aeronautics and Space Administration (NASA) began
formal development of its Identity, Credential, and Access Management
Architecture using the Zachman Framework for Enterprise Architecture in June
2006. The Architecture provided the necessary structure to meet aggressive
deadlines for issuance and use of the PIV smartcard. It also led to the
development of NASA's Logical Access Control infrastructure to support not only
PIV smartcards, but all authentication credentials in use at NASA.
   Use of the Zachman Framework has transformed the way that NASA looks at
Logical Access Control, and has positioned NASA to provide robust
attributed-based access control in the future. In this paper, we will discuss
the Logical Access Control System (LACS) we are implementing at NASA, changes
in the way NASA views Identity Trust and Level of Assurance, technical
challenges to implementation, and our future vision for Identity, Credential,
and Access Management.

%M C.IDTRUST.09.15
%T Personal identity verification (PIV) cards as federated identities:
challenges and opportunities
%S Identity management
%A Gupta, Sarbari
%B Proceedings of the 2009 Symposium on Identity and Trust on the Internet
%D 2009-04-14
%P 15-22
%K PKI, assurance, authentication, authorization, federal bridge certification
authority, smart cards
%* (c) Copyright 2009 ACM
%W http://doi.acm.org/10.1145/1527017.1527020
%X In this paper, we describe the challenges in using Personal Identity
Verification (PIV) cards and PIV-like cards as federated identities to
authenticate to US Federal government facilities and systems. The current set
of specifications and policies related to the implementation and use of PIV
cards leave a number of gaps in terms of trust and assurance. This paper
identifies these gaps and proposes approaches to address them towards making
the PIV card the standardized, interoperable, federated identity credential
envisioned within Homeland Security Presidential Directive 12 (HSPD-12).

%M C.IDTRUST.09.23
%T A calculus of trust and its application to PKI and identity management
%S Identity management
%A Huang, Jingwei
%A Nicol, David
%B Proceedings of the 2009 Symposium on Identity and Trust on the Internet
%D 2009-04-14
%P 23-37
%K PKI, identity management, risk assessment, semantics of trust, social
networks, trust modeling, uncertainty
%* (c) Copyright 2009 ACM
%W http://doi.acm.org/10.1145/1527017.1527021
%X We introduce a formal semantics based calculus of trust that explicitly
represents trust and quantifies the risk associated with trust in public key
infrastructure (PKI) and identity management (IdM). We then show by example how
to formally represent trust relationships and quantitatively evaluate the risk
associated with trust in public key certificate chains. In the context of
choosing a certificate chain, our research shows that the shortest chain need
not be the most trustworthy, and that it may make sense to compare the
trustworthiness of a potential chain against a threshold to govern acceptance,
changing the problem to finding a chain with sufficiently high trustworthiness.
Our calculus also shows how quantified trust relationships among CAs can be
combined to achieve an overall trust assessment of an offered certificate.

%M C.IDTRUST.09.38
%T Palantir: a framework for collaborative incident response and investigation
%S Federations and virtual organizations
%A Khurana, Himanshu
%A Basney, Jim
%A Bakht, Mehedi
%A Freemon, Mike
%A Welch, Von
%A Butler, Randy
%B Proceedings of the 2009 Symposium on Identity and Trust on the Internet
%D 2009-04-14
%P 38-51
%K digital investigation, incident response, multi-site collaboration
%* (c) Copyright 2009 ACM
%W http://doi.acm.org/10.1145/1527017.1527023
%X Organizations owning cyber-infrastructure assets face large scale
distributed attacks on a regular basis. In the face of increasing complexity
and frequency of such attacks, we argue that it is insufficient to rely on
organizational incident response teams or even trusted coordinating response
teams. Instead, there is need to develop a framework that enables responders to
establish trust and achieve an effective collaborative response and
investigation process across multiple organizations and legal entities to track
the adversary, eliminate the threat and pursue prosecution of the perpetrators.
In this work we develop such a framework for effective collaboration. Our
approach is motivated by our experiences in dealing with a large-scale
distributed attack that took place in 2004 known as Incident 216. Based on our
approach we present the Palantir system that comprises conceptual and
technological capabilities to adequately respond to such attacks. To the best
of our knowledge this is the first work proposing a system model and
implementation for a collaborative multi-site incident response and
investigation effort.

%M C.IDTRUST.09.52
%T Safeguarding digital identity: the SPICI (Sharing Policy, Identity, and
Control Information) approach to negotiating identity federation and sharing
agreements
%S Federations and virtual organizations
%A Bodeau, Deborah
%B Proceedings of the 2009 Symposium on Identity and Trust on the Internet
%D 2009-04-14
%P 52-60
%K credentials, identity federation, identity management, information sharing
%* (c) Copyright 2009 ACM
%W http://doi.acm.org/10.1145/1527017.1527024
%X To perform key business functions, organizations in critical infrastructure
sectors such as healthcare or finance increasingly need to share identifying
and authorization-related information. Such information sharing requires
negotiation about identity safeguarding policies and capabilities, as provided
by processes, technologies, tools, and models. That negotiation must address
the concerns not only of the organizations sharing the information, but also of
the individuals whose identity-related information is shared. SPICI (Sharing
Policy, Identity, and Control Information) provides a descriptive and analytic
framework to structure and support such negotiations, with an emphasis on
assurance.

%M C.IDTRUST.09.61
%T Usable trust anchor management
%S Federations and virtual organizations
%A Pala, Massimiliano
%A Rea, Scott A.
%B Proceedings of the 2009 Symposium on Identity and Trust on the Internet
%D 2009-04-14
%P 61-72
%K PKI, PRQP, digital certificate, discovery system, trust anchor
%* (c) Copyright 2009 ACM
%W http://doi.acm.org/10.1145/1527017.1527025
%X Security in browsers is based upon users trusting a set of root Certificate
Authorities (called Trust Anchors) which they may know little or nothing about.
Browser vendors face a difficult challenge to provide an appropriate interface
for users. Providing usable Trust Anchor Management (TAM) for users,
applications and PKI deployers is a complex task. The PKIX working group at
Internet Engineering Task Force (IETF) is working on a new protocol, the Trust
Anchor Management Protocol (TAMP), which will provide a standardized method to
automatically manage trust anchors in applications and devices. Although
promising, this protocol does not go far enough to allow users to gather
information about previously unknown trust anchors in an automatic fashion. We
have proposed the PKI Resource Query Protocol (PRQP) -- which is currently an
Internet Draft on Experimental Track with IETF -- to provide applications with
an automatic discovery system for PKI management. In this paper we describe the
basic architecture and capabilities of PRQP that allow Browsers to provide a
more complete set of trust anchor management services. We also provide the
design of a PRQP enabled infrastructure that uses a trust association mechanism
to provide an easy solution for managing Trust Anchors for Virtual
Organizations.

%M C.IDTRUST.09.73
%T Privacy-preserving management of transactions' receipts for mobile
environments
%S Applied cryptography
%A Paci, Federica
%A Shang, Ning
%A Kerr, Sam
%A Steuer, Kevin, Jr.
%A Woo, Jungha
%A Bertino, Elisa
%B Proceedings of the 2009 Symposium on Identity and Trust on the Internet
%D 2009-04-14
%P 73-84
%K privacy, registrar, transaction record
%* (c) Copyright 2009 ACM
%W http://doi.acm.org/10.1145/1527017.1527027
%X Users increasingly use their mobile devices for electronic transactions to
store related information, such as digital receipts. However, such information
can be target of several attacks. There are some security issues related to
M-commerce: the loss or theft of mobile devices results in a exposure of
transaction information; transaction receipts that are send over WI-FI or 3G
networks can be easily intercepted; transaction receipts can also be captured
via Bluetooth connections without the user's consent; and mobile viruses, worms
and Trojan horses can access the transaction information stored on mobile
devices if this information is not protected by passwords or PIN numbers.
Therefore, assuring privacy and security of transactions' information, as well
as of any sensitive information stored on mobile devices is crucial. In this
paper, we propose a privacy-preserving approach to manage electronic
transaction receipts on mobile devices. The approach is based on the notion of
transaction receipts issued by service providers upon a successful transaction
and combines Pedersen commitment and Zero Knowledge Proof of Knowledge (ZKPK)
techniques and Oblivious Commitment-Based Envelope (OCBE) protocols. We have
developed a version of such protocol for Near Field Communication (NFC) enabled
cellular phones.

%M C.IDTRUST.09.85
%T Quantum resistant public key cryptography: a survey
%S Applied cryptography
%A Perlner, Ray A.
%A Cooper, David A.
%B Proceedings of the 2009 Symposium on Identity and Trust on the Internet
%D 2009-04-14
%P 85-93
%K public key cryptography, quantum computers
%* (c) Copyright 2009 ACM
%W http://doi.acm.org/10.1145/1527017.1527028
%X Public key cryptography is widely used to secure transactions over the
Internet. However, advances in quantum computers threaten to undermine the
security assumptions upon which currently used public key cryptographic
algorithms are based. In this paper, we provide a survey of some of the public
key cryptographic algorithms that have been developed that, while not currently
in widespread use, are believed to be resistant to quantum computing based
attacks and discuss some of the issues that protocol designers may need to
consider if there is a need to deploy these algorithms at some point in the
future.

%M C.IDTRUST.09.94
%T FileSpace: an alternative to CardSpace that supports multiple token
authorisation and portability between devices
%S Information cards
%A Chadwick, David
%B Proceedings of the 2009 Symposium on Identity and Trust on the Internet
%D 2009-04-14
%P 94-102
%K CardSpace, X.509 certificates, authorisation, federated identity management,
information cards
%* (c) Copyright 2009 ACM
%W http://doi.acm.org/10.1145/1527017.1527030
%X This paper describes a federated identity management system based on long
lived encrypted credential files rather than virtual cards and short lived
assertions. Users obtain their authorisation credential files from their
identity providers and have them bound to their public key certificates, which
can hold any pseudonym the user wishes. Users can then use these credentials
multiple times without the identity providers being able to track their
movements and without having to authenticate to the IdP each time. The
credentials are worthless to an attacker if lost or stolen, therefore they do
not need any special protection mechanisms. They can be copied freely between
multiple devices, and users can use multiple credentials in a single
transaction. Users only need to authenticate to their private key store in
order for it to produce a signed token necessary for the service provider to
authenticate the user and decrypt the authorisation credentials. The signed
token is bound to the service provider and is short lived to prevent man in the
middle attacks.

%M C.IDTRUST.09.103
%T Usable secure mailing lists with untrusted servers
%S Usability
%A Bobba, Rakesh
%A Muggli, Joe
%A Pant, Meenal
%A Basney, Jim
%A Khurana, Himanshu
%B Proceedings of the 2009 Symposium on Identity and Trust on the Internet
%D 2009-04-14
%P 103-116
%K e-mail list security, proxy re-encryption, usability study
%* (c) Copyright 2009 ACM
%W http://doi.acm.org/10.1145/1527017.1527032
%X Mailing lists are a natural technology for supporting messaging in
multi-party, cross-domain collaborative tasks. However, whenever sensitive
information is exchanged on such lists, security becomes crucial. We have
earlier developed a prototype secure mailing list solution called SELS (Secure
Email List Services) based on proxy encryption techniques [20], which enables
the transformation of cipher-text from one key to another without revealing the
plain-text. Emails exchanged using SELS are ensured confidentiality, integrity,
and authentication. This includes ensuring their confidentiality while in
transit at the list server; a functionality that is uniquely supported by SELS
through proxy re-encryption. In this work we describe our efforts in studying
and enhancing the usability of the software system and our experiences in
supporting a production environment that currently is used by more than 50
users in 11 organizations. As evidence of its deployability, SELS is compatible
with common email clients including Outlook, Thunderbird, Mac Mail, Emacs, and
Mutt. As evidence of its usability, the software is being used by several
national and international incident response teams.