Security Protocols in Identity Management (IDM)

Led by Prof. Dr. Sjouke Mauw

Project duration: 1/10/2007 - 1/10/2010
Funding source(s): FNR AFR

Nowadays, our identity is represented by an ever-growing pile of paper and plastic documents such as passports, social security cards, bank cards, store loyalty cards, and company employee badges. Each of these items is backed by an entry in an electronic database – our electronic identity.
With increasing frequency we are also being represented by so-called virtual identities, for instance when purchasing items in online stores, visiting social networking websites, or simply accepting a website's "cookies". We can create and abandon these virtual identities at will and even share them with others.
Identity management is the assignment, verification, and revocation of the privileges, rights, and duties of electronic and virtual identities. The increase in electronic and virtual identities over the years has been dramatic. As a consequence, today, identity management is recognized as an important and expensive business problem. The number of electronic and virtual identities per individual, however, will grow even larger, due to the continuing effort to connect and network every aspect of our lives.
The advancement of a technology promotes new possibilities, new applications, but also new threats. The proposed project will focus on security threats arising at the communication level of identity management systems.
For example, the imminent pervasiveness of radio-frequency identification (RFID) tags and increased access to RFID readers will make it possible to cheaply collect and cross-reference a vast amount of data in order to infer sensitive personal information, unless security mechanisms are put in place. Many alarming scenarios are conceivable, but regardless of the scenario considered, it is clear that, to prevent deficiencies, the communication between RFID tags and RFID readers needs to be secure.
Thus, the primary objective of the proposed work is the design and verification of secure communication protocols related to identity management, with a view towards emerging technologies such as RFID tags. We intend to achieve this objective by developing advanced formal verification methods and implementing an automatic tool. This development requires a fundamental study of non-standard security properties, such as non-traceability and no-theft-of-service, and an extension of a formal model to support the modeling of physical tokens.