Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Proceedings on Privacy Enhancing Technologies

4 Issues per year

Open Access
See all formats and pricing
More options …

Toward Mending Two Nation-Scale Brokered Identification Systems

Luís T. A. N. Brandão / Nicolas Christin / George Danezis / Anonymous
Published Online: 2015-06-22 | DOI: https://doi.org/10.1515/popets-2015-0022


Available online public/governmental services requiring authentication by citizens have considerably expanded in recent years. This has hindered the usability and security associated with credential management by users and service providers. To address the problem, some countries have proposed nation-scale identification/authentication systems that intend to greatly reduce the burden of credential management, while seemingly offering desirable privacy benefits. In this paper we analyze two such systems: the Federal Cloud Credential Exchange (FCCX) in the United States and GOV.UK Verify in the United Kingdom, which altogether aim at serving more than a hundred million citizens. Both systems propose a brokered identification architecture, where an online central hub mediates user authentications between identity providers and service providers. We show that both FCCX and GOV.UK Verify suffer from serious privacy and security shortcomings, fail to comply with privacy-preserving guidelines they are meant to follow, and may actually degrade user privacy. Notably, the hub can link interactions of the same user across different service providers and has visibility over private identifiable information of citizens. In case of malicious compromise it is also able to undetectably impersonate users. Within the structural design constraints placed on these nation-scale brokered identification systems, we propose feasible technical solutions to the privacy and security issues we identified. We conclude with a strong recommendation that FCCX and GOV.UK Verify be subject to a more in-depth technical and public review, based on a defined and comprehensive threat model, and adopt adequate structural adjustments.

Keywords: NSTIC; IDAP; identification; authentication; surveillance; privacy enhancing technologies; secure two-party computation


  • [1] A. Afshar, P. Mohassel, B. Pinkas, and B. Riva. Non-Interactive Secure Computation Based on Cut-and-Choose. In P. Nguyen and E. Oswald, editors, Advances in Cryptology – EUROCRYPT 2014, volume 8441 of Lecture Notes in Computer Science, pages 387–404. Springer Berlin Heidelberg, 2014.Google Scholar

  • [2] M. R. Albrecht, C. Rechberger, T. Schneider, T. Tiessen, and M. Zohner. Ciphers for MPC and FHE. In E. Oswald and M. Fischlin, editors, Advances in Cryptology – EUROCRYPT 2015, volume 9056 of Lecture Notes in Computer Science, pages 430–454. Springer Berlin Heidelberg, 2015.Google Scholar

  • [3] M. Bartel, J. Boyer, B. Fox, B. LaMacchia, and E. Simon. XML Signature Syntax and Processing Version 2.0. W3C Working Group Note, April 11, 2013.Google Scholar

  • [4] A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM conference on Computer and communications security, pages 75–88. ACM, 2008.Google Scholar

  • [5] P. Beynon-Davies. The UK national identity card. Journal of Information Technology Teaching Cases, 1(1):12–21, 03 2011.Google Scholar

  • [6] L. T. A. N. Brandão. Secure Two-Party Computation with Reusable Bit-Commitments, via a Cut-and-Choose with Forge-and-Lose Technique. In K. Sako and P. Sarkar, editors, Advances in Cryptology – ASIACRYPT 2013, volume 8270 of Lecture Notes in Computer Science, pages 441–463. Springer Berlin Heidelberg, 2013.Google Scholar

  • [7] Bristol Cryptography Group. Circuits of Basic Functions Suitable For MPC and FHE. http://www.cs.bris.ac.uk/Research/CryptographySecurity/MPC/, Accessed February 2015.

  • [8] R. Canetti. Universally composable security: a new paradigm for cryptographic protocols. In Foundations of Computer Science, 2001. Proc. 42nd IEEE Symposium on, pages 136–145, 2001.Google Scholar

  • [9] CESG and NTAIA and Cabinet Office. Good Practice Guide No. 43 – Requirements for Secure Delivery of Online Public Services, December 2012. PDF file (46 pages) – gov.uk website. SHA256: .Google Scholar

  • [10] CESG and NTAIA and Cabinet Office. Good Practice Guide No. 45 – Identity Proofing and Verification of an Individual, July, 2014. PDF file (32 pages) – gov.uk website. SHA256: .Google Scholar

  • [11] Cyber-Auth DG Committee – Canada. Cyber Authentication Technology Solutions Interface Architecture and Specification Version 2.0: Deployment Profile, March 25, 2011. PDF file (53 pages) – kantarainitiative.org website. SHA256: .

  • [12] I. Damgård, R. Lauritsen, and T. Toft. An Empirical Study and Some Improvements of the MiniMac Protocol for Secure Computation. In M. Abdalla and R. De Prisco, editors, Security and Cryptography for Networks, volume 8642 of Lecture Notes in Computer Science, pages 398–415. Springer International Publishing, 2014.Google Scholar

  • [13] W. Diffie and M. Hellman. New directions in cryptography. Information Theory, IEEE Transactions on, 22(6):644–654, 1976.Google Scholar

  • [14] European Court of Human Rights. European Convention on Human Rights, Entry into force on June 2010. (As amended by Protocols No. 11 and 14; supplemented by Protocols Nos. 1,4,6,7 and 13.) PDF file (30 pages) – echr.coe.int website. SHA256: .Google Scholar

  • [15] Federal Chief Information Officers Council and Federal Enterprise Architecture. Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance – Version 2.0, December 2, 2011. PDF file (478 pages) – idmanagement.gov website. SHA256: .Google Scholar

  • [16] T. K. Frederiksen, T. P. Jakobsen, and J. B. Nielsen. Faster Maliciously Secure Two-Party Computation Using the GPU. In M. Abdalla and R. De Prisco, editors, Security and Cryptography for Networks, volume 8642 of Lecture Notes in Computer Science, pages 358–379. Springer International Publishing, 2014.Google Scholar

  • [17] General Services Administration. Solicitation Number QTA0014AWA3005 – Identity Services Support. Federal Business Opportunities (FedBizOpps), Updated on August 19, 2014. ZIP files – fbo.gov website: “Amendment_1.zip” (Aug 06, 2014) SHA256: . “Amendment_2.zip” (Aug 19, 2014) SHA256: .Google Scholar

  • [18] Y. Huang, J. Katz, V. Kolesnikov, R. Kumaresan, and A. Malozemoff. Amortizing Garbled Circuits. In J. Garay and R. Gennaro, editors, Advances in Cryptology – CRYPTO 2014, volume 8617 of Lecture Notes in Computer Science, pages 458–475. Springer Berlin Heidelberg, 2014.Google Scholar

  • [19] IACR Members Meeting held at Eurocrypt 2014. IACR Statement On Mass Surveillance – “Copenhagen Resolution”, May 14, 2014.Google Scholar

  • [20] Identity Assurance Programme. Identity Assurance Hub Service SAML 2.0 Profile v1.1a, September 11, 2013. PDF file (36 pages) – gov.uk website. SHA256: .Google Scholar

  • [21] Identity Assurance Programme. Identity Assurance Hub Service Profile – SAML Attributes v1.1a, September 11, 2013. PDF file (12 pages) – gov.uk website. SHA256: .Google Scholar

  • [22] T. Imamura, B. Dillaway, and E. Simon. XML Encryption Syntax and Processing. W3C recommendation, December 10, 2002.Google Scholar

  • [23] Internet Engineering Task Force (IETF) – Network Working Group. Request for Comments: 5246 – The Transport Layer Security (TLS) Protocol (Version 1.2), August 2008. RFC5246. See also: the Errata; and RFC6176 from March 2011.Google Scholar

  • [24] ISO/IEC. Anonymous Digital Signatures. Information technology – Security techniques, ISO/IEC 20008-1:2013, 2013.Google Scholar

  • [25] M. Jawurek, F. Kerschbaum, and C. Orlandi. Zero-knowledge Using Garbled Circuits: How to Prove Nonalgebraic Statements Efficiently. In Proc. 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS ’13, pages 955–966. ACM New York, NY, USA, 2013.Google Scholar

  • [26] A. John. Challenges in Operationalizing Privacy in Identity Federations – Part 1, Part 2 and Part 3. IDMGOV Info – U.S. FICAM program, 2012. Blog posts – info.idmanagement.gov website.Google Scholar

  • [27] Y. Lindell and B. Riva. Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings. In J. Garay and R. Gennaro, editors, Advances in Cryptology – CRYPTO 2014, volume 8617 of Lecture Notes in Computer Science, pages 476–494. Springer Berlin Heidelberg, 2014.Google Scholar

  • [28] D. K. Nilsson, U. E. Larson, and E. Jonsson. Auxiliary Channel Diffie-Hellman Encrypted Key-exchange Authentication. In Proc. 5th Int. Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness, QShine, pages 18:1–18:8. ICST, 2008.Google Scholar

  • [29] NIST – Computer Security. NIST Special Publication 800-130– A Framework for Designing Cryptographic Key Management Systems, August 2013. SHA256: .Google Scholar

  • [30] NSTIC National Program Office. NSTIC Requirements Document, September 10, 2013. Xlsx spreadsheet – idecosystem.org website. SHA256: .

  • [31] OASIS. Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard – March 15, 2005. PDF file (86 pages) – oasisopen. org website. SHA256: .Google Scholar

  • [32] OpenID Foundation. OpenID Connect. Available online at the openid.net website.

  • [33] Privacy and Consumer Advisory Group (PCAG). Identity Assurance Principles – v3.1 (for publication), 2014. PDF file (12 pages) – gov.uk website. SHA256: .

  • [34] The White House. National Strategy for Trusted Identities in Cyberspace – Enhancing Online Choice, Efficiency, Security, and Privacy, April 2011. PDF file (52 pages) – whitehouse.gov website. SHA256: .

  • [35] United States Postal Service. Solicitation Number 1B-13-A-0003 – Federal Cloud Credential Exchange (FCCX). Federal Business Opportunities (FedBizOpps), 2013. ZIP files – fbo.gov website: “RFP_Documents.zip” (January 10) SHA256: ; "Amendment_5.zip" (January 28) SHA256: .

  • [36] USPS – Information Security and Privacy Advisory Board. FCCX Briefing, June 13, 2014. PDF presentation (24 slides) – csrc.nist.gov website. SHA256: .

  • [37] L. von Ahn, M. Blum, N. Hopper, and J. Langford. CAPTCHA: Using Hard AI Problems for Security. In E. Biham, editor, Advances in Cryptology – EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 294–311. Springer Berlin Heidelberg, 2003.Google Scholar

  • [38] S. Wreyford. Identity Assurance goes to Washington. GDS Blog, May 29, 2012. Blog posts – gds.blog.gov.uk website.

About the article

Received: 2015-02-15

Revised: 2015-05-12

Accepted: 2015-05-15

Published Online: 2015-06-22

Published in Print: 2015-06-01

Citation Information: Proceedings on Privacy Enhancing Technologies, Volume 2015, Issue 2, Pages 135–155, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2015-0022.

Export Citation

© Luís T. A. N. Brandão et al.. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License. BY-NC-ND 3.0

Comments (0)

Please log in or register to comment.
Log in