A Federated Cloud Identity Broker-Model for Enhanced Privacy via Proxy Re-Encryption

  • Bernd Zwattendorfer
  • Daniel Slamanig
  • Klaus Stranacher
  • Felix Hörandner
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8735)


Reliable and secure user identification and authentication are key enablers for regulating access to protected online services. As cloud computing gains importance, identification and authentication in and across clouds play an increasing role in this domain too. Currently, existing web identity management models are often simply mapped to the cloud domain. In addition, several cloud identity management models, such as the cloud identity broker model, have emerged in recent years. In that model, an identity broker in the cloud acts as a hub between various service providers and identity providers. While this is a promising approach for adopting identity management in cloud computing, some problems remain. A notable issue is that users and service providers depend on the same central broker for identification and authentication. Additionally, letting an identity broker store or process sensitive data such as identity information in the cloud raises new issues, in particular with respect to users' privacy. To overcome these problems, we propose a new cloud identity management model based on federation between different cloud identity brokers. Users and service providers can thereby each select their preferred cloud identity broker without depending on one and the same broker. Moreover, the model enhances users' privacy through appropriate cryptographic mechanisms, in particular proxy re-encryption. Besides introducing the model, we also provide a proof-of-concept implementation of it.
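The following Python program is an added illustration of the proxy re-encryption step the abstract refers to; it is not code from the paper or its proof-of-concept implementation. It assumes three roles that mirror the abstract (an identity provider that encrypts the user's attributes under the user's key, a cloud identity broker that holds only a re-encryption key and transforms ciphertexts, and a service provider that decrypts with its own key) and substitutes the ElGamal-based scheme of Blaze, Bleumer and Strauss (BBS98) for a pairing-based unidirectional scheme such as that of Ateniese et al., because BBS98 runs in plain Python. The group parameters are a toy 62-bit safe prime, the attribute payload is constructed sample data, and the function names are this example's own.

```python
"""Proxy re-encryption (BBS98, ElGamal-based) in an identity-broker flow.

Added example, not code from the paper. Assumed roles: IdP encrypts the
user's attributes under pk_user; the broker applies rk(user -> SP) and never
sees plaintext; the SP decrypts with sk_sp.
"""
import hashlib
import secrets


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin, valid for n < 3.3e24 with these bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """First safe prime p = 2q + 1 with odd q >= start (deterministic search)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


# TOY group for illustration only: a 62-bit safe prime. Real deployments need
# a >= 2048-bit group (e.g. RFC 7919) or an elliptic-curve / pairing group.
P = find_safe_prime(1 << 61)
Q = (P - 1) // 2   # prime order of the quadratic-residue subgroup
G = 4              # 4 = 2^2 is a quadratic residue, hence of order exactly Q


def keygen():
    sk = secrets.randbelow(Q - 1) + 1   # sk in [1, Q-1]
    return sk, pow(G, sk, P)


def _keystream(m: int, n: int) -> bytes:
    """Hash-derived keystream from the wrapped group element m (DEM part)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(m.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt_attributes(pk: int, attributes: bytes) -> dict:
    """IdP side: BBS98 ciphertext (m*g^r, pk^r) wraps a random element m;
    the attribute bytes are XORed with a keystream derived from m."""
    m = pow(G, secrets.randbelow(Q - 1) + 1, P)
    r = secrets.randbelow(Q - 1) + 1
    c1 = (m * pow(G, r, P)) % P
    c2 = pow(pk, r, P)   # = g^(sk*r)
    data = bytes(a ^ k for a, k in zip(attributes, _keystream(m, len(attributes))))
    return {"c1": c1, "c2": c2, "data": data}


def re_encryption_key(sk_from: int, sk_to: int) -> int:
    """rk = sk_to / sk_from mod Q. In BBS98 this needs BOTH secret keys, so it
    is computed by the delegating user (or a trusted party), never by the broker."""
    return (sk_to * pow(sk_from, -1, Q)) % Q


def broker_re_encrypt(rk: int, ct: dict) -> dict:
    """Broker side: c2^rk = g^(sk_from*r*sk_to/sk_from) = g^(sk_to*r).
    Only the key-wrapping element changes; 'data' stays opaque to the broker."""
    return {"c1": ct["c1"], "c2": pow(ct["c2"], rk, P), "data": ct["data"]}


def decrypt_attributes(sk: int, ct: dict) -> bytes:
    """Recipient side: g^r = c2^(1/sk), m = c1 / g^r, then unmask the data."""
    g_r = pow(ct["c2"], pow(sk, -1, Q), P)
    m = (ct["c1"] * pow(g_r, -1, P)) % P
    return bytes(a ^ k for a, k in zip(ct["data"], _keystream(m, len(ct["data"]))))


def collusion_recovers_user_key(rk: int, sk_sp: int) -> int:
    """BBS98 caveat: broker (rk) and SP (sk_sp) together get sk_user = sk_sp / rk."""
    return (sk_sp * pow(rk, -1, Q)) % Q


def demo(attributes: bytes = b'{"sub":"alice","eid_assurance":"high"}') -> dict:
    """End-to-end flow over constructed sample attributes."""
    sk_user, pk_user = keygen()
    sk_sp, _pk_sp = keygen()
    from_idp = encrypt_attributes(pk_user, attributes)   # IdP -> broker, for the user
    rk = re_encryption_key(sk_user, sk_sp)               # user authorises this SP
    for_sp = broker_re_encrypt(rk, from_idp)             # broker transforms blindly
    return {
        "user_reads": decrypt_attributes(sk_user, from_idp),
        "sp_reads": decrypt_attributes(sk_sp, for_sp),
        "sp_reads_original": decrypt_attributes(sk_sp, from_idp),  # wrong key: garbage
        "colluding_recovered_user_key": collusion_recovers_user_key(rk, sk_sp) == sk_user,
    }


if __name__ == "__main__":
    print(demo())
```

Two properties of BBS98 that the example makes visible matter for a broker model: the re-encryption key is bidirectional and is computed from both secret keys (so a user cannot derive it from a service provider's public key alone), and a broker that colludes with the service provider recovers the user's secret key (collusion_recovers_user_key). A broker operated by an untrusted cloud party therefore calls for a unidirectional, collusion-resistant scheme, in which rk is derived from the delegator's secret key and the delegatee's public key and no such recovery is possible. Checking that received pk and c2 values lie in the order-Q subgroup is omitted here and required in practice.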


Keywords: cloud computing, identity management, cloud identity, cloud identity broker, federated cloud identity broker, privacy, proxy re-encryption



Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Bernd Zwattendorfer (1)
  • Daniel Slamanig (1)
  • Klaus Stranacher (1)
  • Felix Hörandner (1)
  1. Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology (TUG), Graz, Austria