PRIMA: Privacy-Preserving Identity and Access Management at Internet-Scale
Muhammad Rizwan Asghar, Michael Backes, Milivoj Simeonovski

TL;DR
PRIMA introduces a privacy-preserving federated identity management system that prevents identity providers from tracking user behavior while allowing controlled disclosure of private information, with high request processing performance.
Contribution
It presents a novel credential-based authentication system that enhances privacy in federated identity management without requiring interaction between service and identity providers.
Findings
Identity provider can process up to 3,332 requests/sec.
PRIMA prevents identity providers from profiling users.
System supports controlled disclosure of private information.
Abstract
The management of identities on the Internet has evolved from the traditional approach (where each service provider stores and manages identities) to a federated identity management system (where the identity management is delegated to a set of identity providers). On the one hand, federated identity ensures usability and provides economic benefits to service providers. On the other hand, it poses serious privacy threats to users as well as service providers. The current technology, which is prevalently deployed on the Internet, allows identity providers to track the user's behavior across a broad range of services. In this work, we propose PRIMA, a universal credential-based authentication system for supporting federated identity management in a privacy-preserving manner. Basically, PRIMA does not require any interaction between service providers and identity providers during the…
