Smart Identity Card

Artist conception of the Smart Identity Card (the actual prototype has the chip of the back)I've been leading an initiative to establish anonymous credential systems on electronic identity cards, more generally on the Java Card platform. We coined this Smart Identity Card, and contributed it to the FP7 EU project PrimeLife. Whereas we follow the same goal of strong authentication combined with privacy, the Java Card's trust model, limited access to crypto primitives and resource constraints make this a challenge. The system must be secure in face of untrusted terminals and, thus, cannot easily delegate computation to a more powerful device and still achieve practical response times with secure keys. Nevertheless, we were the first to establish a practical and autonomous anonymous credential system on a standard Java Card (on a JCOP 41/v2.2 to be precise).

Read more: Smart Identity Card

Identity 2.0

I've been doing research in IBM's internal project on Identity 2.0, at that time supported by Tivoli and the IBM's CIO. We've established an abstraction for Identity 2.0 protocols with potential implementations for anonymous credential systems and other user-centric identity management protocols. At that time, I've been a contributor to the open-source project Higgins, contributing to the Identity Mixer Secure Token Service (STS) plug-in and Identity Selector Service.

Read more: Identity 2.0

Cryptography for Privacy-enhanced Identity Management

I'm researching cryptography applications to identity management, mostly in the areas of privacy-enhancing technology (PET), zero-knowledge proofs of knowledge and anonymous credential systems. My overall goal is to establish a combination of strong authentication and privacy in identity management. Much of my past research has been on IBM's anonymous credential system Identity Mixer. Watch IBM's Identity Mixer YouTube video!. Beyond its integration into standardized identity federation protocols, I've contributed to a highly efficient attribute encoding for resource-constrained environments based on prime numbers and divisibility. I'm a contributor to the Identity Mixer community page.

Read more: Cryptography for Privacy-enhanced Identity Management

Federated Identity Management

I was responsible for research in Federated Identity Management at IBM Research, a technology that facilitates authentication and attribute exchange across trust domains. This research involves the application of cryptography and formal methods to protocol standards such as the Security Assertion Markup Language (SAML), Liberty Alliance Project, and WS-Federation. I contributed significantly to the architecture and research prototype of the Tivoli Federated Identity Manager (TFIM). I continue this line of work with new Identity Management projects in Newcastle.

Read more: Federated Identity Management

Security Assurance for Virtualized Environments (SAVE)

I've been researching in how far virtualized infrastructures and clouds can be abstracted sufficiently to allow a systematic analysis of their security properties. In particular, I'm interested in the applications and benefits of formal methods and model checking for large-scale heterogeneous systems. With the IBM Research project Security Assurance for Virtualized Infrastructures (SAVE), we've had some first promising results on verifying isolation properties of a production infrastructure of a global financial institution and continue to explore further properties. This project is a contribution to the validation work package of the FP7 EU project TCLOUDS.

Read more: Security Assurance for Virtualized Environments (SAVE)