Recent developments in heterogeneous identity federation systems have heightened the need for the related trust management system.The trust management system evaluates,manages,and shares users’trust values.The servic...Recent developments in heterogeneous identity federation systems have heightened the need for the related trust management system.The trust management system evaluates,manages,and shares users’trust values.The service provider(SP)members of the federation system rely on users’trust values to determine which type and quality of service will be provided to the users.While identity federation systems have the potential to help federated users save time and energy and improve service experience,the benefits also come with significant privacy risks.So far,there has been little discussion about the privacy protection of users in heterogeneous identity federation systems.In this paper,we propose a trust value sharing scheme based on a proxy ring signature for the trust management system in heterogeneous identity federation topologies.The ring signature schemes can ensure the validity of the data and hide the original signer,thereby protecting privacy.Moreover,no group manager participating in the ring signature,which naturally matches with our decentralized heterogeneous identity federation topologies.The proxy signature can reduce the workload of the private key owner.The proposed scheme shortens the calculation time for verifying the signature and then reduces the overall time consumption in the process of trust sharing.Our studies prove that the proposed scheme is privacy-preserving,efficient,and effective.展开更多
To address the scalability and identity federation problems of the traditional single sign-on system, the proposed scheme divides the security systems into different security domains. Each security domain has its own ...To address the scalability and identity federation problems of the traditional single sign-on system, the proposed scheme divides the security systems into different security domains. Each security domain has its own security servers and service providers, and there are trust relationships between different security domains for identity federation. The security server is responsible for authentication and authorization inside the domain, and offers identity federation capability for different domains. The security assertion markup language (SAML) assertion is used as security token in the system for authentication, authorization, and identity federation. The design of the proposed single sign-on process is based on web service security framework and multiple security domains, and the authorization is always deployed in the local area inside the service provider' s security domain, which enables web service clients, both inside and outside their security domains, to access the services in a simple, scalable, standard and secure way.展开更多
基金This work is supported by the National Key Research and Development Project of China(No.2017YFB0802302)the Key Research and Development Project of Sichuan Province(Nos.20ZDYF2324,2019ZYD027,2018TJPT0012)+1 种基金the Science and Technology Support Project of Sichuan Province(Nos.2018GZ0204,2016FZ0112)the Science and Technology Project of Chengdu(No.2017-RK00-00103-ZF).
文摘Recent developments in heterogeneous identity federation systems have heightened the need for the related trust management system.The trust management system evaluates,manages,and shares users’trust values.The service provider(SP)members of the federation system rely on users’trust values to determine which type and quality of service will be provided to the users.While identity federation systems have the potential to help federated users save time and energy and improve service experience,the benefits also come with significant privacy risks.So far,there has been little discussion about the privacy protection of users in heterogeneous identity federation systems.In this paper,we propose a trust value sharing scheme based on a proxy ring signature for the trust management system in heterogeneous identity federation topologies.The ring signature schemes can ensure the validity of the data and hide the original signer,thereby protecting privacy.Moreover,no group manager participating in the ring signature,which naturally matches with our decentralized heterogeneous identity federation topologies.The proxy signature can reduce the workload of the private key owner.The proposed scheme shortens the calculation time for verifying the signature and then reduces the overall time consumption in the process of trust sharing.Our studies prove that the proposed scheme is privacy-preserving,efficient,and effective.
基金The National Natural Science Foundation of China(No60673054)
文摘To address the scalability and identity federation problems of the traditional single sign-on system, the proposed scheme divides the security systems into different security domains. Each security domain has its own security servers and service providers, and there are trust relationships between different security domains for identity federation. The security server is responsible for authentication and authorization inside the domain, and offers identity federation capability for different domains. The security assertion markup language (SAML) assertion is used as security token in the system for authentication, authorization, and identity federation. The design of the proposed single sign-on process is based on web service security framework and multiple security domains, and the authorization is always deployed in the local area inside the service provider' s security domain, which enables web service clients, both inside and outside their security domains, to access the services in a simple, scalable, standard and secure way.
