SIdeCAR: Secure Identity Consent and Authentication Responder

The Identity Metasystem is an interoperable, platform independent and protocol independent architecture for user centric identity management. User centric identity management is a new paradigm of identity management that addresses some of the drawbacks of the prevalent identity management models. This technology assumes that certain security sensitive functions of identity management are performed at trusted client machines. Such an assumption is not valid when a machine which is infested with undetected malware, possibly on a publicly accessible ”kiosk” machine. We explore techniques that provide the user with: a) portability between machines; and b) enhanced security when using the Identity Metasystem from untrusted machines. We present the threats that untrusted machines pose and describe two protocols we’ve implemented which allow secure use of the Identity Metasystem from untrusted clients without changes to the widely implemented protocols. Both the protocols leverage the use of a trusted personal device (e.g. cellular phone) to authorize actions that are performed at the client and perform secret-based computations. The security protections and implementation details of both the protocols are described. We conclude with the future directions that we intend to take with regard to our work.