
(IJCNS) International Journal of Computer and Network Security, 45

Vol. 2, No. 8, August 2010

Improved User-Centric ID Management Model for Privacy Protection in Cloud Computing

Moonyoung Hwang (1), Jin Kwak (2)

(1) Dept. of Information Security Engineering, Soonchunhyang University, Asan si, Chungcheongnam-do, Korea
Myhwang@sch.ac.kr

(2) Dept. of Information Security Engineering, Soonchunhyang University, Asan si, Chungcheongnam-do, Korea

Abstract: The development of the Internet has caused many different Internet services to appear, including cloud computing, which is getting a lot of attention recently. Users of cloud computing services must give personal information to get services. However, users can still experience privacy infringement because users cannot have direct control over the exchange of personal information between service providers.

Keywords: Security, Privacy Protection, Cloud Computing, ID management

1. Introduction

Due to the rapid growth in popularity of new computing environments, cloud computing [1] has become an important research issue. Cloud computing is Internet-based computing whereby shared resources, software, and information are provided to computers and other devices on demand, similar to the function of the electricity grid.

Almost every cloud computing system uses ID Federation for ID management. ID Federation [2] provides secure access to user data, a Single Sign On (SSO) that functions as both access control and ID creation and management. However, business partners can only exchange Federated ID information with each other by prior consultation. Because all rights are transferred to service providers, users cannot control their own information. Therefore, users need a new model that can give them control of their own information and prevent privacy infringement [3] or the piracy of a user's data.

In this paper, we propose a user-centric ID management model that provides the security and rights to control a person's own information in a cloud computing environment.

2. Related work

2.1 Summary of Cloud Computing

Cloud service providers build an imaginary resource pool from diffuse physical infrastructure and efficiently divide up virtual resources according to a user's workload in a cloud computing environment. Users request cloud services through a catalog and a service provider's system administration module supplies the necessary resources through an imaginary server network. In the cloud computing system, users can authenticate and use the services they need, but do not know detailed information about these services. [4]

The structure of cloud computing is depicted in Figure 1.

Figure 1. Structure of cloud computing

To use cloud services, a user must supply credentials to a service provider each time. Therefore most users of cloud services must manage many different IDs in order to connect to many different cloud services.

The general procedure of cloud services is depicted in Figure 2.

Figure 2. Cloud service procedure

2.2 ID Management

2.2.1 SAML Protocol

SAML is an eXtensible Markup Language (XML) framework developed by the Organization for the Advancement of Structured Information Standards (OASIS). It was designed so that transaction partners on disparate systems can safely exchange certification information, privilege grants, and profile analysis information. This system offers Single Sign-On between enterprises and does not depend on the underlying security infrastructure. SAML is derived from Security Services Markup Language (S2ML) and Authorization XML (AuthXML).

These days SAML 2.0 has been selected for many ID management systems and access control solutions. Google is using SAML 2.0 to authenticate customers in Google Apps, and NTT developed SASSO, in which users are individual ID offerers who can achieve SSO and take advantage of the certification functions of their mobile phone with a PC using SAML 2.0. SAML offers the following functions in different environments.

- Single Sign-on
SSO is a connection technology that does all certifications in a system. With this technology a user logs in once and gains access to all systems without being prompted to log in again for each independent software system.

- Identity Federation
SAML 2.0 can connect an existing ID of a user from a service provider (SP) to an identity provider (IDP). This method can connect a user's name or attribute information, or connect by creating a pseudonym that consists of random numbers for privacy protection.

- Single Logout
Ends the end user's certification sessions at the IDP and SP by logging out once through the SSO function.

- Securing Web Service
Uses SAML 2.0 assertions, as defined in the SAML Token Profile, to protect web service messages.

2.2.2 CardSpace

Information Cards are personal digital identities that people can use online. Visually, each Information Card has a card-shaped picture and a name associated with it that enables people to organize their digital identities and to easily select the one that they want to use for any given interaction. It has an IDP's position and actual user information. In other words, CardSpace does not play the IDP role by actually issuing a user's ID information, but acts as an ID meta-system for IDPs. [5]

First, if a user requests services from a service provider, the service provider delivers a log-on page that has special tags that can run CardSpace in the user's web browser. The user's browser confirms the user ID information required by the service provider through the tag information and displays the information included in the ID card. The user selects a suitable ID card on the screen, and user information is requested from the IDP, which is the relevant ID offerer according to the selected card information. If the IDP passes user information to CardSpace, CardSpace passes this information on to the service provider.

CardSpace offers high security because it acts in a system environment that is not a general user environment, and it has the advantage of reducing phishing attacks since the function that displays information about ID cards includes IDP information.

2.2.3 OpenID

OpenID is a way to log into all web sites using one ID. In other words, it embodies the concept of SSO technology. Internet users do not need to depend on one service provider to manage their own ID information and can log in to any service with an ID which is a type of web address. Since they do not need to input their name and personal address information continuously, there is no danger of losing a user's ID information. Therefore, a user manages one account only. [6]

OpenID, a user-centric ID management technology, authenticates a user using an IDP; therefore it authenticates the user with a URL only, without additional information. OpenID has some characteristics in common with general ID management engineering. First, it is not a centralized system but a distributed processing system. Everybody involved in OpenID becomes an IDP, and does not need permission or registration from any central authority. Furthermore, users can select the IDP that they wish to use, and in case of a change in IDP, a user can keep their own ID. Second, the service area is expanded by using OpenID at any web site that uses OpenID. Third, OpenID achieves user certification using existing web browsers on-line without the request of additional ID information.

2.3 ID management in cloud computing

The ID management systems in cloud computing are depicted in Figure 3. Cloud service providers construct a relationship of mutual trust through prior consultations and provide a service by Federated ID. [6]

Each cloud service provider takes charge of the creation of IDs and stores personal information like an independent service provider.

Users can use web service providers who construct a relationship of mutual trust by agreeing to a mutual exchange of information without special certification formality. In other words, a registered user of a web service provider can use other web services with a relationship of mutual trust. Therefore it is called the Circle of Trust (CoT).

Figure 3. Federated ID in cloud computing

2.4 Problem Analysis

2.4.1 Absence of right to control own information

Service providers almost always require more personal information than is necessary when offering services to users. But a user must give all the information to a service provider even if they do not want to. Furthermore, if users enter their own private information into the system individually, they can no longer control their own personal information, because of the characteristics of the cloud computing environment.

Therefore users do not know where their own personal information was stored, which can lead to an invasion of privacy or the theft of user information without noticing.

2.4.2 Centralized ID information

Cloud service providers such as Google, Microsoft, Amazon and Facebook provide cloud services to general users. Therefore, the amount of personal information about a user that each service provider collects is increasing. This means that privacy infringement outside of a user's control is possible because of the centralized storage system.

3. Proposed model

3.1 Terminology

Table 1. Terminology

| Composition | Explanation |
|---|---|
| User | Someone who uses cloud computing services using UCIDP and controls the UCIDP |
| User-Centric ID Provider (UCIDP) | Manages authentication information and personal information between users and cloud service providers |
| Certificate Authority | Authorizes the UCIDP |
| Personal ID information | Unique information for user authentication such as social security number, PIN |
| Authentication ID Information | Required information from user for cloud service provider such as an id or password |
| Common ID information | Additional information for cloud services such as address, age, e-mail, or phone number |

3.2 Composition and concept

In this subsection, we explain the composition and concept. The proposed model consists of a UCIDP that provides an ID management service, a user who controls the UCIDP, a cloud service provider, and the assumption that there exists a certificate authority (CA) who is responsible for issuing certificates to ensure the UCIDP.

The composition of the proposed model is depicted in Figure 4.

Figure 4. Concept of proposed model

3.3 Service process of the proposed model

In this subsection, we explain the simple service process of the proposed model, which is also depicted in Figure 5.

Figure 5. The service process of the proposed model

Step 1: user selects UCIDP in the UCIDP list and creates an ID
Step 2: user requests cloud computing services
Step 3: cloud service provider asks user for an ID and PW
Step 4: user transmits ID and PW to cloud service provider
Step 5: cloud service provider requests personal information for the service
Step 6: user confirms and transmits required information
Step 7: cloud service provider offers service
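Steps 5 and 6 of the service process, sketched as an added example that is not part of the paper: the UCIDP answers a provider's request with only the common ID information the user has approved, and keeps a record of where each attribute went. The class name, attribute names, provider names and sample values are constructed for illustration.

```python
from dataclasses import dataclass, field

# Common ID information as listed in Table 1; attribute names are constructed.
# Anything outside this set (e.g. personal ID information) cannot be approved.
COMMON = {"address", "age", "email", "phone"}

@dataclass
class ReleaseLedger:
    common: dict                                   # the user's common ID information
    consent: dict = field(default_factory=dict)    # sp -> attributes approved by the user
    released: dict = field(default_factory=dict)   # sp -> attributes actually sent

    def approve(self, sp, attrs):
        """Step 6 'user confirms': record what this SP may receive."""
        bad = set(attrs) - COMMON
        if bad:
            raise ValueError(f"not common ID information: {sorted(bad)}")
        self.consent.setdefault(sp, set()).update(attrs)

    def handle_request(self, sp, requested):
        """Steps 5-6: answer an SP request with approved attributes only."""
        allowed = set(requested) & self.consent.get(sp, set())
        sent = {k: self.common[k] for k in sorted(allowed) if k in self.common}
        denied = sorted(set(requested) - set(sent))
        self.released.setdefault(sp, set()).update(sent)
        return sent, denied

    def where_is(self, attr):
        """Which SPs hold this attribute (the visibility 2.4.1 says is missing)."""
        return sorted(sp for sp, got in self.released.items() if attr in got)

def demo():
    ledger = ReleaseLedger(common={"email": "user@example.test", "age": 30,
                                   "address": "1 Constructed Street"})
    ledger.approve("storage-sp", ["email"])
    ledger.approve("shop-sp", ["email", "address"])
    # storage-sp asks for more than the service needs, as described in 2.4.1
    sent, denied = ledger.handle_request("storage-sp", ["email", "address", "ssn"])
    ledger.handle_request("shop-sp", ["email", "address"])
    return sent, denied, ledger.where_is("address"), ledger.where_is("email")
```
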

3.4 Management function of ID information

The proposed model provides ID management of all ID information. The functions offered are as follows.

(a) Issuance of ID

Figure 6. The process of ID issuance

Step 1: user selects UCIDP in the UCIDP list and requests an ID from UCIDP
Step 2: UCIDP requires a user's personal ID information
Step 3: user transmits a Personal ID to UCIDP
Step 4: UCIDP issues ID to user

(b) Federated ID

Step 1: UCIDP creates intermediate information for Federated ID from user's certificate information
Step 2: UCIDP transmits the created intermediate information to each service provider
Step 3: Service provider verifies information and stores information after verification ends
Step 4: Service provider transmits verification sequence to UCIDP
Step 5: All processes for Federated ID are ended

(c) SSO (Single Sign-On)

Step 1: User authenticates to UCIDP
Step 2: UCIDP delivers certification confirmation information to user
Step 3: UCIDP delivers IDP certification confirmation information to each service provider
Step 4: Service provider verifies certification confirmation information and publishes service provider's certification information
Step 5: User has possible SSO function with certification information from the service provider

(d) Change of common ID information

Figure 7. The process of changing common ID information

Step 1: user changes a common ID in UCIDP
Step 2: UCIDP requires that the common ID change is reflected to the cloud service provider
Step 3: Cloud service provider requires authentication ID information from UCIDP
Step 4: UCIDP transmits authentication ID information to cloud service provider
Step 5: Cloud service provider confirms authentication ID information and, if it is correct, reflects the changed common ID information.
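One way the Federated ID and SSO processes in (b) and (c) could be realized, written as an added example that is not from the paper; it also shows the pseudonym idea from the SAML Identity Federation description in 2.2.1. Assumptions: the intermediate information is a per-SP pseudonym derived with HMAC, a shared per-SP MAC key stands in for a CA-certified UCIDP signature, and all class, method and party names are hypothetical.

```python
import hashlib, hmac, json, os, time

def _mac(key, body):  # MAC over canonical JSON so both sides hash identical bytes
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class ServiceProvider:
    def __init__(self, name):
        self.name, self.key, self.known = name, None, set()

    def register(self, pseudonym, key):
        """(b) Steps 3-4: store the intermediate information, acknowledge."""
        self.key = key
        self.known.add(pseudonym)
        return True

    def accept(self, token):
        """(c) Step 4: check integrity, audience, subject and expiry."""
        body = token["body"]
        return (self.key is not None
                and hmac.compare_digest(token["mac"], _mac(self.key, body))
                and body["aud"] == self.name
                and body["sub"] in self.known
                and body["exp"] > time.time())

class UCIDP:
    def __init__(self):
        self.secret = os.urandom(32)   # pseudonym key, never leaves the UCIDP
        self.sp_keys = {}              # per-SP MAC key (assumed stand-in for CA-backed signing)

    def pseudonym(self, user, sp_name):  # pairwise: differs per SP, blocks correlation
        msg = f"{user}|{sp_name}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def federate(self, user, sp):
        """(b) Steps 1-2: create and transmit the intermediate information."""
        key = self.sp_keys.setdefault(sp.name, os.urandom(32))
        return sp.register(self.pseudonym(user, sp.name), key)

    def sso_token(self, user, sp_name, ttl=60):
        """(c) Steps 2-3: confirmation information bound to one SP."""
        body = {"sub": self.pseudonym(user, sp_name), "aud": sp_name,
                "exp": int(time.time()) + ttl}
        return {"body": body, "mac": _mac(self.sp_keys[sp_name], body)}

def demo():  # constructed names: "alice", "sp-a", "sp-b"
    idp, a, b = UCIDP(), ServiceProvider("sp-a"), ServiceProvider("sp-b")
    for sp in (a, b): idp.federate("alice", sp)
    t = idp.sso_token("alice", "sp-a")
    return a.accept(t), b.accept(t), a.known.isdisjoint(b.known)
```

`demo()` returns whether the intended provider accepts the token, whether a second provider accepts the same token, and whether the two providers hold unrelated identifiers for the same user.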


4. Comparison

The proposed model differs from existing ID management systems in the areas of ID information management and control. In the proposed model, users can choose the UCIDP and control personal ID information, authentication ID information, and common ID information. Furthermore, the user has the authority to offer, alter, or discard his or her own ID information.

The comparison of the proposed model with other systems is depicted in Table 2.

Table 2. Comparison with other systems

| | SAML 2.0 [8] | OpenID [6][9] | CardSpace | UCIDP |
|---|---|---|---|---|
| Certification Method | Agreement between IDP and SP | User chooses the IDP and SP | User chooses the IDP and SP | Existing Model integration |
| ID federation | o | x | o | o |
| ID information offer | x | x | o | o |
| Change of ID information | x | x | x | o |
| SSO | o | o | o | o |

5. Conclusion

The appearance of the cloud computing environment has become an issue to all users who use services through a network environment. However, users can't control their own personal ID information, authentication ID information, or common ID information. This problem can result in the infringement of user privacy. Therefore we have proposed a new user-centric ID management model. This model offers another ID management system and controls user information naturally.

6. References

[1] G.H. Nam, "Trend of cloud computing technology", ETRI, 2009.
[2] Y.S. Cho, S.H. Jin, P.J. Moon, K.I. Chung, "Internet ID management System based ID Federation", The Institute of Electronics Engineers of Korea, Vol. 43, No. 7, pp. 104-113, 2006.
[3] J. Salmon, "Clouded in uncertainty – the legal pitfalls of cloud computing", Computing magazine, September 24, 2008.
[4] Rich Maggiani, "Cloud Computing Is Changing How We Communicate", Professional Communication Conference, pp. 1-4, 2009.
[5] W.A. Alrodhan, C.J. Mitchell, "Addressing privacy issues in CardSpace", Information Assurance and Security, 2007. IAS 2007. Third International Symposium on, pp. 285-291, 2007.
[6] H.K. Oh, S.H. Jin, "The Security Limitations of SSO in OpenID", Advanced Communication Technology, 2008. ICACT 2008. 10th International Conference on, pp. 1608-1611, 2008.
[7] Juniper Networks, "Identity Federation in a hybrid cloud computing environment solution guide", Juniper Networks, pp. 1-6, 2009.
[8] Y.S. Cho, S.H. Jin, "Practical use and investigation of OASIS SAML (Security Assertion Markup Language) v2.0", Korea Multimedia Society, Vol. 10, No. 1, pp. 59-70, 2006.
[9] http://en.wikipedia.org/wiki/OpenID

Authors Profile

Moonyoung Hwang received the B.S. degree from the Department of Information Security Engineering, Soonchunhyang University, Asan, Korea in 2008. He is now an M.S. course student in the Department of Information Security Engineering, Soonchunhyang University, Korea.

Jin Kwak received the BE, ME and PhD degrees from Sungkyun-Kwan University, Seoul, Korea in 2000, 2003, and 2006 respectively. He joined Kyushu University in Japan as a visiting scholar at the Graduate School of Information Science and Electrical Engineering. After that, he joined MIC (Ministry of Information and Communication, Korea) as a Deputy Director. He is now a professor and Dean of the Department of Information Security Engineering, and also Director of the SCH BIT Business Incubation Center, Soonchunhyang University, Korea. His main research areas are cryptology and information security applications, including cloud computing security, multimedia security, embedded system security, and IT product evaluation (CC). He is a member of the KIISC, KSII, KKITS, and KDAS.
