Andreas Pashalidis (2005) Interdomain User Authentication and Privacy.
Full text access: Open
This thesis looks at the issue of interdomain user authentication, i.e. user authentication in systems that extend over more than one administrative domain. It is divided into three parts.

After a brief overview of related literature, the first part provides a taxonomy of current approaches to the problem. The taxonomy is first used to identify the relative strengths and weaknesses of each approach, and then employed as the basis for putting into context four concrete and novel schemes that are subsequently proposed in this part of the thesis. Three of these schemes build on existing technology: the first on 2nd and 3rd-generation cellular (mobile) telephony, the second on credit/debit smartcards, and the third on Trusted Computing. The fourth scheme is, in certain ways, different from the others. Most notably, unlike the other three schemes, it does not require the user to possess tamper-resistant hardware, and it is suitable for use from an untrusted access device. An implementation of the latter scheme (which works as a web proxy) is also described in this part of the thesis.

As the need to preserve one’s privacy continues to gain importance in the digital world, it is important to enhance user authentication schemes with properties that enable users to remain anonymous (yet authenticated). In the second part of the thesis, anonymous credential systems are identified as a tool that can be used to achieve this goal. A formal model that captures relevant security and privacy notions for such systems is proposed. From this model, it is evident that there exist certain inherent limits to the privacy that such systems can offer. These are examined in more detail, and a scheme is proposed that mitigates the exposure to certain attacks that exploit these limits in order to compromise user privacy. The second part of the thesis also shows how to use an anonymous credential system in order to facilitate what we call ‘privacy-aware single sign-on’ in an open environment. The scheme enables the user to authenticate himself to service providers under separate identifiers, where these identifiers cannot be linked to each other, even if all service providers collude. It is demonstrated that the anonymity enhancement scheme proposed earlier is particularly suited to this special application of anonymous credential systems.

Finally, the third part of the thesis concludes with some open research questions.
This is a Published version. This version's date is: 23/12/2005. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/e613c6f4-4b74-bc85-b2e9-ed2403a048ad/1/
Deposited on 13-Jul-2010 in Royal Holloway Research Online. Last modified on 10-Dec-2010.
[157] A. Pashalidis and C. J. Mitchell. A taxonomy of single sign-on systems. In R. SafaviNaini and J. Seberry, editors, Information Security and Privacy { 8th Australasian Conference, ACISP, volume 2727 of Lecture Notes in Computer Science, pages 249{264. Springer Verlag, July 2003.
[158] A. Pashalidis and C. J. Mitchell. Using GSM/UMTS for single sign-on. In Proceedings of SympoTIC '03, Joint IST Workshop on Mobile Future and Symposium on Trends in Communications, Bratislava, Slovakia, pages 138{145. IEEE Press, October 2003.
[159] A. Pashalidis and C. J. Mitchell. Impostor: A single sign-on system for use from untrusted devices. In Proceedings of the IEEE Globecom Conference, Dallas, Texas,USA, November 29 { December 3. IEEE Press, 2004.
[160] A. Pashalidis and C. J. Mitchell. Single sign-on using trusted platforms. In C. J.Mitchell, editor, Trusted Computing, chapter 6, pages 175{193. IEE Press, London,2005.
[161] A. Pashalidis and C. J. Mitchell. Limits to anonymity when using credentials. In Proceedings of the 12th International Workshop on Security Protocols, Cambridge,U.K., Lecture Notes in Computer Science. Springer Verlag, to appear.
[162] T. P. Pedersen and B. P¯tzmann. Fail-stop signatures. SIAM J. Comput., 26(2):291{330, 1997.
[163] G. Persiano and I. Visconti. An e±cient and usable multi-show non-transferable anonymous credential system. In A. Juels, editor, Proceedings of the Eighth International Financial Cryptography Conference (FC '04), volume 3110 of Lecture Notes in Computer Science, pages 196{211, 2004.
[164] A. P¯tzmann and M. KÄohntopp. Anonymity, unobservability, and pseudonymity - a proposal for terminology. In H. Federrath, editor, Designing Privacy Enhancing Technologies, International Workshop on Design Issues in Anonymity and Unobservability, July 2000, number 2009 in Lecture Notes in Computer Science, pages 141{160.Springer-Verlag, Berlin, 2001.
[165] B. P¯tzmann. Privacy in enterprise identity federation | policies for Liberty 2 singlesign on. Information Security Technical Report, 9(1):45{58, January{March 2004.
[166] B. P¯tzmann. Privacy in enterprise identity federation | policies for Liberty single signon. In Proceeings: 3rd Workshop on Privacy Enhancing Technologies (PET 2003),Dresden, March 2003, Lecture Notes in Computer Science. Springer-Verlag, Berlin, to appear.
[167] B. P¯tzmann and M. Waidner. Privacy in browser-based attribute exchange. In S. Jajodia and P. Samarati, editors, WPES '02: Proceedings of the 2002 ACM workshop on Privacy in the Electronic Society, pages 52{62, New York, NY, USA, 2002. ACM Press.
[168] B. P¯tzmann and M. Waidner. Analysis of Liberty single-sign-on with enabled clients.Internet Computing, 7(6):38{44, November/December 2003.
[169] D. Pointcheval and J. Stern. Provably secure blind signature schemes. In M. Y. Rhee and K. Kim, editors, Advances in Cryptology | Proceedings of ASIACRYPT '96,volume 1163 of Lecture Notes in Computer Science, pages 252{265. Springer-Verlag,1996.
[170] G. J. Popek and C. S. Kline. Encryption and secure computer networks. ACM Comput.Surv., 11(4):331{356, 1979.
[171] J. Postel and J. Reynolds. RFC 959: File Transfer Protocol. Internet Engineering Task Force, October 1985.
[172] S. Prabhakar, S. Pankanti, and A. K. Jain. Biometric recognition: Security and privacy concerns. IEEE Security and Privacy, 1(2):33{42, March-April 2003.
[173] M. Rabin. Digitalized signatures and public-key functions as intractable as factorization. Technical Report LCS/TR-212, MIT Lab. for Computer Science, 1979.
[174] C. Radu. Implementing Electronic Card Payment Systems. Computer Security Series.Artech House, Norwood, 2002.
[175] A. J. Rae and L. P. Wildman. A taxonomy of attacks on secure devices. In J. Slay,editor, Proceedings of the Fourth Australian Information Warfare and IT Security Conference, pages 251{263, 2003.
[176] K. Rannenberg. Identity management in mobile cellular networks and related applications. Information Security Technical Report, 9(1):77{85, January{March 2004.
[177] J.-F. Raymond. Tra±c analysis: Protocols, attacks, design issues, and open problems. In H. Federrath, editor, Designing Privacy Enhancing Technologies, International Workshop on Design Issues in Anonymity and Unobservability, Berkeley, CA,USA, July 25-26, 2000, Proceedings, volume 2009 of Lecture Notes in Computer Science, pages 10{29. Springer-Verlag, Berlin, 2001.
[178] M. Rennhard and B. Plattner. Introducing MorphMix: Peer-to-Peer based Anonymous Internet Usage with Collusion Detection. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2002), Washington, DC, USA, November 2002. ACM.
[179] E. Rescorla. HTTP Over TLS, 2000.
[180] E. Rescorla. SSL and TLS. Addison-Wesley, Reading, Massachusetts, 2001.
[181] V. Samar. Single sign-on using cookies for web applications. In IEEE 8th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises,pages 158{164. IEEE Press, 1999.
[182] F. Satoh and T. Itoh. Single sign on architecture with dynamic tokens. In Proceedings of the 2004 International Symposium on Applications and the Internet (SAINT'04),pages 197{200. IEEE Press, 2004.
[183] A. Serjantov. On the anonymity of anonymity systems. Technical Report UCAM-CL-TR-604, Computer Laboratory, University of Cambridge, U.K., October 2004.
[184] A. Serjantov and G. Danezis. Towards an information theoretic metric for anonymity.In R. Dingledine and P. F. Syverson, editors, Privacy Enhancing Technologies, Second International Workshop, PET 2002, San Francisco, CA, USA, April 14-15, 2002,Revised Papers, volume 2482 of Lecture Notes in Computer Science, pages 41{53.Springer-Verlag, Berlin, 2002.
[185] G. J. Simmons. Symmetric and asymmetric encryption. ACM Comput. Surv.,11(4):305{330, 1979.
[186] M. Sipser. Introduction to the Theory of Computation. PWS Publishing Company,1997.
[187] M. Small. Business and technical motivation for identity management. Information Security Technical Report, 9(1):6{21, January{March 2004.
[188] N. Smart. Cryptography, An Introduction. McGraw-Hill, 2002.
[189] I. Spagui. Secured Single Signon in a Client/Server Environment. Vervante Corporate Publishing, 1994.
[190] W. Stallings. Cryptography and network security (2nd ed.): principles and practice.Prentice-Hall, Inc., Upper Saddle River, NJ, USA, 1999.
[191] S. Steinbrecher and S. Koepsell. Modelling unlinkability. In R. Dingledine, editor,Privacy Enhancing Technologies, Third International Workshop, PET 2003, Dresden,Germany, March 26-28, 2003, Revised Papers, volume 2760 of Lecture Notes in Computer Science, pages 32{47. Springer-Verlag, Berlin, 2003.
[192] J. G. Steiner, B. C. Neuman, and J. Schiller. Kerberos: An authentication service for open network systems. In Proceedings of the Winter 1988 Usenix Conference, pages 191{201. Usenix, February 1988.
[193] R. J. Sutton. Secure Communications: Applications and Management. John Wiley & Sons, 2002.
[194] P. F. Syverson and P. C. V. Oorschot. On unifying some cryptographic protocol logics. In Proceedings of the IEEE Computer Security Foundations Workshop VII,pages 14{29. IEEE Computer Society Press, 1994.
[195] N. T. Trask and M. V. Meyerstein. Smart cards in electronic commerce. BT Technology Journal, 17(3):57{66, July 1999.
[196] Trusted Computing Group. TCG TPM Speci¯cation Version. 1.2 | Structures of the TPM, 2003.
[197] Trusted Computing Group. TCG TPM Speci¯cation Version. 1.2 | TPM Commands,2003.
[198] Trusted Computing Group. TCG TPM Speci¯cation Version. 1.2 Design Principles,2003.
[199] U. Uludag and A. Jain. Attacks on biometric systems: a case study in ¯ngerprints. In Proceedings of SPIE-EI 2004, pages 622{633, San Jose, CA, January 2004. SPIE.
[200] K. Vedder. GSM: Security, services, and the SIM. In B. Preneel and V. Rijmen,editors, State of the Art in Applied Cryptography, volume 1528 of Lecture Notes in Computer Science, pages 224{240. Springer-Verlag, Berlin, 1997.
[201] E. R. Verheul. Self-blindable credential certi¯cates from the Weil pairing. In C. Boyd,editor, ASIACRYPT '01: Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security, volume 2248 of Lecture Notes in Computer Science, pages 533{551. Springer Verlag, Berlin, 2001.
[202] A. Volchkov. Revisiting single sign-on: A pragmatic approach in a new context. IT Professional, 3(1):39{45, January/February 2001.
[203] M. Walker and T. Wright. Security. In F. Hillebrand, editor, GSM and UMTS: The creation of global mobile communication, chapter 14, pages 385{406. John Wiley & Sons, 2002.
[204] J. Wayman, A. K. Jain, D. Maltoni, and D. Maio. Biometric Systems: Technology,Design and Performance Evaluation. Springer Verlag, 2005.
[205] M. J. Williamson. Thoughts on cheaper non-secret encryption. Report, CESG, August 1976.
[206] J. D. Woodward Jr., N. M. Orlans, and P. T. Higgins. Biometrics: Identity Assurance In The Information Age. McGraw Hill, January 2003.
[207] World Wide Web Consortium. The Platform for Privacy Preferences 1.0 (P3P 1.0)Speci¯cation, April 2002.