The last few years have witnessed a significant growth in the number of identity management solutions. Because of the nature of the information that is handled by such systems, and because of their potential ubiquity, privacy and practicality issues are of great importance for such schemes. This thesis aims to enhance the privacy and practicality of web-based identity management systems by presenting a number of novel enhancements to such schemes. We focus on two categories of identity management systems, namely Information Card-based and Federated identity management systems.
Two novel schemes to enhance the privacy of identity management systems are given. The first is based on the concept of Secured from Identity Theft (SIT) attributes, and can be employed to improve the privacy of Information Card-based identity management systems. It addresses two security limitations in Microsoft CardSpace (as an Information Card-based identity management system), namely its reliance on user judgements of the trustworthiness of service providers, and its reliance on a single layer of authentication. The second scheme aims to enhance user authentication within Information Card-based identity management systems by adding an additional authentication layer. We propose two possible implementations of this layer. The first approach requires a user machine to present to the service provider certain information sent to it by the service provider during the most recent successful use of the scheme. A proof-of-concept implementation of this scheme has been produced. The second approach involves a challenge-response exchange between the user and the service provider. This requires a minor modification to the service provider XML-based security policy declaration message.
With regard to practicality, the thesis presents two novel schemes designed to enhance the practicality of identity management systems. The first enables the integration of Information Card-based and Federated identity management systems. The integration scheme relies on the resemblance between the Microsoft CardSpace framework and the Liberty Alliance ID-WSF LEC SSO profile framework. The scheme introduces the concept of an identity adaptor, which is located on the user machine and converts messages exchanged between an identity provider and a relying party during the authentication process. The second scheme aims to enhance the practicality of Federated identity management systems by introducing a framework for delegation services. This framework takes advantage of the trust relationships that exist by definition within the Liberty Alliance circles of trust, and extends the use of attribute statements in SAML 2.0 assertions. The framework supports both direct and indirect delegation.