SafeMashups Inc. is an intellectual property development company that invented the multi-party, application-level SSL protocol called MashSSL. Its more recent innovations focus on addressing privacy issues in identity federations. It holds multiple granted and pending patents in these areas. For information about patent licensing, please contact us.
Broadly speaking, an identity federation gives Alice the ability to use a credential issued to her by one enterprise to access web services at another enterprise.
Users in an identity federation have credentials issued by Identity Providers (IdPs). An IdP can verify a user's credential and assert an identity. Relying Parties (RPs) consume these assertions. The net result is that the user does not need yet another credential at the Relying Party. Note that RPs are also known as Service Providers (SPs); we use the terms interchangeably.
In a typical flow the user, the IdP and the SP interact to achieve the result described above.
The steps are:
The SAML and OpenID Connect (OIC) protocols are currently the most widely used standards for identity federations.
As the identity ecosystem scales up, some practical problems come to the fore. Consider the use case where Alice wants to use her on-line banking credential to access her hospital's patient portal. If there are 5,000 banks and 5,000 hospitals, there could be well over ten million pairwise IdP-SP connections. Further, while the federation protocols are standardized, each implementation can vary, and each entity may have different policies on whom it is willing to trust. Several of these problems can be addressed by identity exchanges, which sit in the middle and broker federation transactions.
There are three major privacy problems in today's identity ecosystem:
A triple blinded identity ecosystem is needed that takes steps to minimize all three problems.
The 3BIES (Triple Blinding the Identity Eco System) system is designed to overcome the three privacy problems identified above. It does so with minimal impact on today's existing infrastructure, though in the long run the protocols are expected to be woven more closely into the specifications and software.
Each of these components is described briefly below.
A key component of the 3BIES design is the use of anonymous certificates for each IdP and SP. Specifically:
The net result is that IdPs and SPs know they are dealing with one of the IdPs or SPs on the list they have decided to work with, but do not know which one.
The Discovery Service (DS) maintains:
When the user first goes to an SP, they are redirected to the Discovery Service (standard federation discovery protocols are used). The Discovery Service presents the user with a list of IdPs trusted by that SP, and the user selects one. The anonymous credentials of the chosen IdP are returned to the SP. The SP then uses its own anonymous credentials to initiate the federation request to the IdP.
3BIES Double Blinding without Identity Exchanges
Using just anonymous certificates and the Discovery Service, we can achieve the first two levels of blinding even when identity exchanges are not used.
When Identity Exchanges are used, we wish to blind the exchanges from seeing the contents of the federation traffic. This is achieved by front-ending each IdP and SP with a 3BIES proxy (which holds the anonymous certificate). The proxies use key exchange protocols such as SSL or MashSSL to exchange short-lived session keys. When the federation protocol is run, they encrypt all the attribute values before sending them on to the Identity Exchange.
• e.g. in NAME = ALICE they would encrypt/decrypt ALICE, so the exchange would see NAME = A*$412.
Observe that we use proxies to avoid perturbing existing federation software; long term this could become integral to IdPs and SPs.
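As an added example (not SafeMashups' or 3BIES' own code), the value-level blinding the proxies perform, in Go: the two proxies derive a short-lived session key from an ephemeral X25519 exchange and encrypt only attribute values with AES-GCM, so an exchange relaying NAME = ALICE sees NAME = <ciphertext> while attribute names stay routable. The choice of X25519, SHA-256 and AES-GCM, and the Blinder type, are assumptions; the page does not name the ciphers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Blinder holds the short-lived AES-GCM session key two 3BIES proxies share.
// Hypothetical simplification: the X25519 agreement would run over SSL or
// MashSSL under the anonymous certificates, and SHA-256 stands in for a KDF.
type Blinder struct{ aead cipher.AEAD }

// NewBlinder derives the session key; both proxies arrive at the same one.
func NewBlinder(own *ecdh.PrivateKey, peer *ecdh.PublicKey) (*Blinder, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	block, _ := aes.NewCipher(k[:]) // 32-byte key: cannot fail
	aead, err := cipher.NewGCM(block)
	return &Blinder{aead}, err
}

// Seal encrypts one attribute value. The attribute name stays in the clear,
// so the exchange sees NAME=<ciphertext>, and is bound as associated data.
func (b *Blinder) Seal(name, value string) (string, error) {
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := b.aead.Seal(nonce, nonce, []byte(value), []byte(name))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open recovers the value; tampering or a swapped attribute name fails.
func (b *Blinder) Open(name, sealed string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(sealed)
	n := b.aead.NonceSize()
	if err != nil || len(ct) < n {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := b.aead.Open(nil, ct[:n], ct[n:], []byte(name))
	return string(pt), err
}
```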
As the identity ecosystem grows, privacy concerns are coming to the fore. Double blinded identity ecosystems ensure that these privacy concerns are ameliorated. We also expect identity exchanges to grow in usage for reasons of scale and efficiency.
However, they in turn present their own security risks as they are a single point of catastrophic failure. Triple blinding the system ensures that this risk is minimized.