British researchers have developed a framework that could help end the string of data breaches by eliminating the need for websites to handle private user data.
The Trusted Attribute Aggregation Service (TAAS) framework allows users to transact online by clicking boxes to pull identity information already validated by trusted sources such as banks, government agencies and education providers.
Rather than requiring users to provide sensitive data to websites, TAAS allows, for example, a bank to validate financial information, a government agency to validate welfare benefit credentials and a school or university to provide student details.
The website would receive enough information about a customer from trusted sources to process a transaction without itself handling the sensitive data.
"No-one in the system ever needs to see the user's credit card number again," said the service's creator and professor of information systems security at the University of Kent, David Chadwick.
Instead, a bank would send a signed SAML assertion to a website, or service provider, to prove that a user had a credit card.
It would then issue a one-time number to be used for the transaction.
"The advantages however are enormous to service providers, users and identity providers."
"There is no need for service providers to store user credit card numbers anymore, for users to enter credit card numbers, for service providers to store usernames and passwords."
He said trusted user credentials, or attribute assertions, can be provided to service providers by multiple identity providers at once. "Service providers can trust that the user really does possess all of these attributes."
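As an added illustration of the flow described above (a bank and other identity providers each send the service provider a signed attribute assertion, and the service provider aggregates them), the model below is not TAAS code or the University of Kent's: it uses Ed25519-signed JSON in place of SAML, and the issuer names, attribute names and the "one_time_number" attribute are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Assertion is a simplified JSON stand-in for the signed SAML attribute
// assertion an identity provider sends to a service provider.
type Assertion struct {
	Issuer     string            `json:"issuer"`   // e.g. "bank.example" (assumed name)
	Audience   string            `json:"audience"` // service provider it is meant for
	Expires    int64             `json:"expires"`  // unix seconds
	Attributes map[string]string `json:"attributes"`
}

type SignedAssertion struct{ Body, Sig []byte }

// Sign models the identity provider side (bank, agency, university).
func Sign(priv ed25519.PrivateKey, a Assertion) SignedAssertion {
	body, _ := json.Marshal(a) // cannot fail for this struct
	return SignedAssertion{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Aggregate models the service provider side: each assertion must be signed by a
// trusted issuer, be for this provider, be unexpired, and carry no raw card number.
func Aggregate(trusted map[string]ed25519.PublicKey, me string, now int64, sas []SignedAssertion) (map[string]string, error) {
	merged := map[string]string{} // keyed "issuer/attribute" so sources stay distinguishable
	for _, sa := range sas {
		var a Assertion
		err := json.Unmarshal(sa.Body, &a)
		pub, known := trusted[a.Issuer]
		_, leaksCard := a.Attributes["card_number"]
		switch {
		case err != nil:
			return nil, err
		case !known || !ed25519.Verify(pub, sa.Body, sa.Sig):
			return nil, errors.New("untrusted issuer or bad signature: " + a.Issuer)
		case a.Audience != me || now >= a.Expires:
			return nil, errors.New("assertion from " + a.Issuer + " is not for us or has expired")
		case leaksCard:
			return nil, errors.New("policy violation: raw card number from " + a.Issuer)
		}
		for k, v := range a.Attributes {
			merged[a.Issuer+"/"+k] = v
		}
	}
	return merged, nil
}
```

The bank's assertion is expected to carry only a one-time transaction number, so an assertion containing a card number is rejected outright rather than stored.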
TAAS also provides user control and consent, Chadwick said, because the user selects which attributes will be handed to service providers.
"Then we fulfil the requirements of the EU Data Protection Legislation for both user consent in the release of personal information, and for the minimal disclosure of personal information."
Websites send the browser a response with a new MIME type, which activates the TAAS browser plugin (the registered handler for that MIME type) on the user's computer. Users then enter the URL of their personal TAAS site, where they validate their credentials.
The plugin acts as an anti-phishing measure: users are never asked to click a link, which could direct them to a fake identity provider site designed to steal credentials.
"The user will typically store this URL in a TAAS bookmark in their browser, and simply click on this without needing to re-enter it each time."
Users can still manually enter the URL without revealing secret information, a function Chadwick said solves a mobility problem inherent in Microsoft's CardSpace.
The ability to choose identity credentials to use in the validation process also solves gaps in the British education identity system, the UK Access Management Federation, which Chadwick said does not provide users with control or consent over identity information.
"The user has no idea which identity attributes are being transferred from their university identity provider to any of the service providers. The user simply logs on and gets access to the service, but the attribute transfer is invisible to them."
TAAS is a technology solution, but it does not address fundamental issues of trust between identity and service providers that have slowed development of federated identity.
"Currently most service providers do not trust most identity providers," Chadwick said. The problem is worse when the credentials originate from the users themselves.
"In other words, the users enter their own information into their identity providers which then send this to the service providers. Consequently the service providers cannot trust this information."
This, Chadwick said, is the problem with OpenID. The UK Access Management Federation is also restricted in scope, since it only validates credentials from education providers. "A university cannot reliably assert that I have a credit card from a bank. Similarly a bank cannot reliably assert that I am a student at a university."
Yet while a website may trust information from a bank, it may be unlikely that the bank would willingly take on the responsibility of providing and vouching for the credentials.
Steve Wilson, director of LockStep consulting, said the trust problems inherent in federated identity may keep it grounded.
"The main problem of federated identity is the real world," said Wilson, who has worked in identity management and Public Key Infrastructure for more than a decade.
The notion that a bank would vouch for the veracity of a customer identity so that it may be used by other organisations is little more than a "strange love triangle" manufactured by IT engineers, he said.
"That need for third party trust is a show-stopper."
Federated identity schemes have been, and will continue to be, voided by finance industry lawyers, Wilson said, because they introduce risk into the world's most mature trust frameworks.
"Banks want to manage liability to zero, but if there is a problem with a trusted identity, the receiver of it will go after the bank."
Obstacles including procedures and processes, regulations and certifications are among the areas that will need to be smoothed out in order for service providers to trust identities.
"Just as important is that when an identity provider issues a false attribute claim, the service provider has some recourse for recompense," Chadwick said.
The Kantara Initiative's Identity Assurance Framework is working in this area and aims to create standards around identity assurance.
"Change is never easy, so adoption of TAAS won't be overnight," Chadwick said. He noted that the coordinated effort needed between service and identity providers to agree to build a TAAS-like system and introduce it to customers will be "particularly difficult".
But he said many large organisations have realised the liability risk of holding private information, thanks to a recent string of breaches, and have acknowledged that federated identity systems like TAAS are needed.
He may be right. Andrew Nash, identity management chief at PayPal, one of the targets of the multiple hacking operations this year, called for a system that Chadwick said was "TAAS in all but its name."
The TAAS plugin is available by contacting David Chadwick or SC. Chadwick has encouraged user feedback on the system.