identity provider
Recently Published Documents


Total documents: 23 (five years: 5)

H-index: 4 (five years: 1)

2021 ◽  
Vol 3 (2) ◽  
pp. 7-13
Author(s):  
Andi Rahayu ◽  
Hermawaty Hermawaty ◽  
Muhammad Abdul Mujib ◽  
Rizal Dzulkarnaen

As technology develops, a growing number of applications are used in a variety of activities. Most users use many different credentials (username and password) to log in to the various application services available. Based on this problem, a Single Sign On (SSO) system is proposed for authenticating users, in which users can access multiple applications without having to log in to each application. To implement SSO, WSO2 IS is used as the Identity Provider; this server application facilitates security when connecting and managing many identities across various applications. During development, applications acting as Service Providers (the parties that require authentication) were also built, using various protocols such as SAML and OPENID. The result of implementing SSO using WSO2 IS and applications with the SAML and OPENID protocols is a system that allows users to access all resources in the network using only one credential.


Sensors ◽  
2020 ◽  
Vol 20 (3) ◽  
pp. 945 ◽  
Author(s):  
Rafael Torres Moreno ◽  
Jorge Bernal Bernabe ◽  
Jesús García Rodríguez ◽  
Tore Kasper Frederiksen ◽  
Michael Stausholm ◽  
...  

Privacy enhancing technologies (PETs) make it possible to achieve unlinkability of users' transactions across different online Service Providers. However, current PETs fail to guarantee unlinkability against the Identity Provider (IdP), which becomes a single point of failure in terms of privacy and security, and therefore, might impersonate its users. To address this issue, the OLYMPUS EU project establishes an interoperable framework of technologies for a distributed privacy-preserving identity management based on cryptographic techniques that can be applied both to online and offline scenarios. Namely, distributed cryptographic techniques based on threshold cryptography are used to split up the role of the Identity Provider (IdP) into several authorities so that a single entity is not able to impersonate or track its users. The architecture leverages PET technologies, such as distributed threshold-based signatures and privacy attribute-based credentials (p-ABC), so that the signed tokens and the ABC credentials are managed in a distributed way by several IdPs. This paper describes the Olympus architecture, including its associated requirements, the main building blocks and processes, as well as the associated use cases. In addition, the paper shows how the Olympus oblivious architecture can be used to achieve privacy-preserving M2M offline transactions between IoT devices.


2019 ◽  
Author(s):  
Michelle Wangham ◽  
Allex Magno ◽  
Felipe Cardoso

The Internet of Things (IoT) covers hardware, software, and services infrastructure able to connect things to the Internet. Things need authentication for secure communication. Support for different authentication mechanisms for devices in the same infrastructure is an open problem in the context of IoT. This lightning talk describes a SAML Identity Provider able to authenticate IoT devices that is available for researchers at GIdLab from RNP. After authentication, the IdP issues short-lived tokens in a portable and interoperable manner (SAML tokens).


2019 ◽  
pp. 1548-1576
Author(s):  
Abhishek Majumder ◽  
Samir Nath ◽  
Arpita Bhattacharjee ◽  
Ranjita Choudhury

Trust relationships among multiple Cloud Service Providers is a concept in which multiple cloud service providers from multiple distributed Identity Providers can access resources of each other, only if they are trusted with their Identity Provider. In this chapter, a scheme has been proposed to enhance the security of data in a multi-cloud environment by improving trust relationships among multiple clouds. The scheme is also designed to overcome the interoperability problem between different clouds. In the proposed scheme, the concept of a proxy is used. The client organization tries to communicate with multiple cloud service providers through the proxy. The client organization sends a resource request to the cloud service providers. On receiving the resource request, the cloud service provider collects the authentication confirmation from the proxy. Then it sends the reply and data to the requesting client organization. A numerical analysis and a comparative study of the proposed scheme with some of the existing schemes have been carried out.


2018 ◽  
Vol 18 (3) ◽  
pp. 93-110 ◽  
Author(s):  
R. Deeptha ◽  
Rajeswari Mukesh

Single Sign-On (SSO) decreases the complexity and eases the burden of managing many accounts with a single authentication mechanism. Mission-critical applications such as banking demand a highly trusted identity provider to authenticate their users. Existing SSO protocols such as the OpenID Connect protocol provide secure SSO but are applicable only in consumer-to-social-network scenarios. Owing to stringent security requirements, SSO for banking services necessitates a highly trusted identity provider and a secured private channel for user access. The banking system depends on a dedicated central banking authority which controls the monetary policy, and it must assume the role of the identity provider. This paper proposes an extension of the OpenID Connect protocol that establishes a central identity provider for bank users, which enables the users to access different accounts using single login information. The proposed Enhanced OpenID Connect (EOIDC) modifies the authorization code flow of OpenID Connect to build a secure channel from a single trusted identity provider that supports multiple banking services. Moreover, the EOIDC tightens the security mechanism with the help of SAT to avoid impersonation attacks using replay and redirect. The formal security analysis and validation demonstrate the strength of the EOIDC against possible attacks such as impersonation, eavesdropping, and brute force login. The experimental results reveal that the proposed EOIDC system is efficient in providing a secured SSO protocol for banking services.


Sensors ◽  
2018 ◽  
Vol 18 (8) ◽  
pp. 2517
Author(s):  
Mariusz Kamola

Domain Name Service (DNS) and its certification-related resource records are an appealing alternative to the standard X.509 certification framework in the provision of identities for Internet of Things (IoT) smart devices. We propose to also use DNS to store device owner identification data in device certificates. Working demonstration software has been developed as proof of this concept, which uses an external identity provider run by national authorities. As a result, smart devices are equipped with certificates that safely identify both the device and its owner. Hardware requirements make such a framework applicable to constrained devices. It stimulates mutual trust in machine-to-machine and man-to-machine communication, and creation of a friendlier environment for sale, lease, and data exchange. Further extensions of the proposed architecture are also discussed.


2018 ◽  
Vol 16 (5) ◽  
pp. 1547-1556 ◽  
Author(s):  
T.J. Mateo Sanguino ◽  
I.J. Fernandez Viana Gonzalez ◽  
J. Espejo Fernandez ◽  
A. Garcia Dominguez


2018 ◽  
Vol 10 (2) ◽  
pp. 97-101
Author(s):  
Marko Eremija ◽  
Nebojša Ilić ◽  
Miloš Cvetanović ◽  
Jelica Protić ◽  
Zaharije Radivojević