摘要:
In claim-based identity management (CBIM) systems, users identify themselves using security tokens that contain personally identifiable information, and that are signed by an identity provider. However, a malicious identity provider could readily impersonate any user by generating appropriate tokens. The growing number of identity theft techniques raises the risk of service providers being deceived by untrustworthy identity providers. We show how this vulnerability can be mitigated by adding an authentication layer, between the user and the service provider, to a CBIM system. We propose two possible implementations of this layer. The first approach requires a user to perform an additional step before the service provider completes the authentication process. That is, the user must present to the service provider certain information sent to the user by the service provider during the most recent successful use of the scheme. A proof-of-concept implementation of this scheme has been produced. The second approach involves a challenge-response exchange between the user and the service provider. This requires a minor modification to the service provider XML-based security policy declaration message. 1
展开