<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Identity Metasystem in Location Based Persistent Authentication</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Hasan Ibne Akram</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Christian Damsgaard Jensen</string-name>
          <email>christian.jensen@imm.dtu.dk</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Mario Hoffmann</string-name>
          <email>manng@sit.fraunhofer.de</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Fraunhofer Institute for Secure Information Technology Munich</institution>
          ,
          <country country="DE">Germany</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Technical University of Denmark Kgs. Lyngby</institution>
          ,
          <country country="DK">Denmark</country>
        </aff>
      </contrib-group>
      <fpage>31</fpage>
      <lpage>42</lpage>
      <abstract>
        <p>Persistent authentication in smart environments (PAISE) is a new effective approach that has changed the device-centric paradigm of traditional token-based authentication systems to a much more user-centric one. Instead of carrying a security token, such as an RFID tag, all the time, the location of a previously authenticated user is simply persistently tracked by sensors in the smart environment, such as cameras. For closed scenarios, recent publications have already shown various advantages, such as a consistent user experience across contexts and a decreased probability of impersonation. In order to address even more complex and privacy-enhanced scenarios, we propose to enhance PAISE with Identity Management (IdM). Taking advantage of IdM, users can easily choose among different virtual identities and, at the same time, we can now support open and cross-context application scenarios. This paper addresses the balance between the security requirements of service providers in smart environments and the privacy concerns of users. Therefore, this paper first discusses security and privacy implications in PAISE and then evaluates the adaptability and interoperability of existing identity management systems for persistent authentication in changing and open scenarios. As our main result, and in order to ensure interoperability, an Identity Metasystem on top of the PAISE architecture will be described in detail.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Introduction</title>
      <p>
        Authentication in context-aware smart environments is typically device-centric
and based on, for example, RFID tokens, smartcards or, more advanced, cell or
smart phones. Users have to carry these authentication tokens all the time and
present them to technical or human safeguards. This makes it relatively easy,
however, to impersonate authenticated users by cloning, borrowing or stealing
their authentication token. Therefore recent publications [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] proposed a new
user-centric paradigm based on user tracking called PAISE (Persistent
Authentication in Smart Environments). That means that once you have been
authenticated at a particular security gate you will be continuously tracked in the smart
environment, e.g. by sensors or cameras, until you leave the area covered. In this
paper we will deal with the implications of this physical single-sign-on experience,
balancing security requirements and privacy concerns, and propose appropriate
enhancements to the existing PAISE architecture.
      </p>
    </sec>
    <sec id="sec-2">
      <title>Persistent Authentication</title>
      <p>
        Persistent Authentication [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] has been proposed as a proactive authentication
mechanism, which combines existing authentication mechanisms based on
passwords, smartcards or biometrics with person tracking using "Time-of-Flight"
(TOF) cameras. Users are authenticated when they enter the smart environment
and the TOF cameras are subsequently used to track the user as he moves around
in the smart environment, which makes the event of authentication "stick" to the
user, thus making it persistent. This means that the persistent authentication
mechanism can proactively authenticate the user to a service in the smart
environment whenever the user requests access to that service. Ideally, this means
that users would only have to authenticate when they arrive at work in the
morning and the system will be able to authenticate them to physical access control
services, computing services and other services throughout the day. Similar ideas
have been explored in other projects, but these have all required users to carry a
small authentication token with them at all times, and it is effectively this token
that is authenticated, so we refer to such mechanisms as device-centric
authentication. The problem with device-centric authentication is that users must always
remember to carry the token with them, and authentication tokens can be
borrowed, lost or stolen. We therefore believe that tracking the user, rather than
the token, is a more convenient and secure way to authenticate users in
emerging smart environments. However, constant tracking of users will be seen as a
serious violation of privacy by many people, so it is important to develop a
system that limits the problem of privacy violation in location-based persistent
authentication.
      </p>
    </sec>
    <sec id="sec-3">
      <title>Identity Management</title>
      <p>Identity Management (IdM) refers to the maintenance of the complete lifecycle
of digital virtual identities. Virtual identities are characterized by a collection of
personalized information containing, for example, names, address(es), e-mail and
telephone, account data, bank or credit card information, as well as preferences,
profiles, histories of service usage and contexts. We can say that virtual
identities reflect at least parts of one's real identity and basically consist of an open
and dynamic set of attributes for a specific period of time. In smart
environments IdM gains even more attention and importance. Smart environments are
enabled by IT systems working in the background, gathering and reasoning on
context information, including analyzing and predicting user behavior. On the
one hand these systems will provide useful and convenient personalized services
in the future; persistent authentication based on TOF cameras is such a
service. On the other hand the information collected might, in principle, violate
the users' privacy if no reasonable mechanisms are established to tackle these
concerns by managing personalized information in a secure way. Identity
Management Systems enable both users and service providers to manage virtual
identities in a secure and effective way. Users are able to maintain, for example,
a set of virtual identities depending on account and authorization information
for specific services and contexts. Service providers are at the same time able to
distinguish different users acting in different contexts, attaching different
authorization and access rights in order to assure accountability and the establishment
of appropriate security policies. Therefore, in this paper we introduce IdM
concepts, including an Identity Metasystem, to PAISE in order to address rising
privacy concerns in smart environments equipped with TOF cameras and to
balance these concerns with security requirements from service providers. For users
who work in such environments, IdM helps to choose the right virtual identity
with the minimum set of necessary attributes. For service providers who run smart
environments relying on persistent authentication, IdM helps to attach the right
privileges and access rights to users. The proposed Identity Metasystem will
finally ensure that different IdM systems are able to interoperate across
different contexts and scenarios.</p>
    </sec>
    <sec id="sec-4">
      <title>Paper Structure</title>
      <p>The paper is organized in the following way: Section 2 presents a short overview
of the PAISE model and identifies the privacy concerns that must be addressed
if persistent authentication is to be widely deployed. Section 3 introduces the
interoperability concept of Identity Metasystems, followed by Section 4, where
the state of the art in identity management technologies is analyzed against
the privacy concerns. Section 5 proposes an architecture that integrates
Identity Metasystems with the existing persistent authentication architecture,
and Section 6 presents an evaluation and discussion of the proposed architecture.
Finally, we present our conclusions in Section 7.</p>
    </sec>
    <sec id="sec-5">
      <title>The PAISE Model</title>
      <sec id="sec-4-1">
        <title>Location Tracking</title>
        <p>The PAISE model defines four major components in a persistent authentication
system: an authentication system, which is able to authenticate principals; a
smart environment, which delivers the sensor data needed for tracking; an
access control mechanism, which acts on the result of persistent authentication;
and the core component of PAISE, which combines the information from the
authentication system and the smart environment, tracks authenticated principals
in the smart environment and forwards the necessary data to the access control
mechanism. These components are shown in Figure 1.</p>
        <p>In addition to these four components, PAISE also defines authentication
zones and authorization zones in the smart environment. An authentication zone
defines the area in front of the authentication mechanism, which is large enough
to hold a single principal.</p>
        <p>The smart environment delivers a constant stream of sensor data to the
core component, but tracking is only initiated when a principal has entered the
authentication zone and successfully authenticated himself. The authentication
zone must be small enough to ensure that the authentication event can be reliably
linked to the principal. A typical authentication zone, in a smart environment,
would be an area of 0.5 m x 0.5 m in front of a swipe-card terminal. An
authorization zone defines the area in which the access control policy of a location-based
service must be enforced. When new principals enter an authorization zone, the
persistent authentication is forwarded to the access control mechanism of the
location-based service provider, which is then able to determine whether access
should be granted. In the case of access through a door, in a smart environment,
the authorization zone must be small enough to ensure that most principals are
able to reach and open the door while it is unlocked, but also large enough to
ensure that nobody outside the authorization zone is able to pass through the door
while it is open. This allows the system to enforce the constraint that the door
can only be unlocked if there are no unauthenticated or unauthorized principals
inside the authorization zone, thus preventing tailgating.</p>
      </sec>
    </sec>
    <sec id="sec-6">
      <title>Privacy Concerns in Location Tracking Systems in Smart Environments</title>
      <p>
        Privacy is by no means a new concern in Ubiquitous Computing or smart
environments. The foreseer of ubiquitous computing, Mark Weiser, had already
pointed out the issue of privacy in 1991 [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]. Langheinrich showed how privacy can potentially
be endangered in such environments even without the consent of the
user [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. Similarly, location based tracking systems (LTS) have been shown to be
inherently at odds with privacy. Therefore, the privacy issue in smart environments
using LTS must be taken into consideration and requirements for privacy
compliance have to be defined. Previous studies show that the privacy risk is apparent
in LTSs (e.g. RFID, GPS etc.) since LTSs collect information silently, without
the consent or even awareness of the user [
        <xref ref-type="bibr" rid="ref4 ref5 ref6">4-6</xref>
        ]. Information can be collected
about an individual and can be aggregated to figure out near-perfect knowledge
of the individual's whereabouts and activities. If we refer back to the definition
of privacy from Louis Brandeis, 1890 (Harvard Law Review): "The right to be
let alone.", LTSs violate the privacy of an individual. Although PAISE is inherently
designed to be relatively more privacy compliant than other camera-based
tracking, as it uses a non-recognizable image (blob) of the object, it still suffers from
some of the traditional privacy issues that any location based tracking system has. If
we go back to the definition of Brandeis and try to apply it to PAISE we see
that PAISE is even less privacy compliant because: in a traditional device-based
tracking system, the user is able to switch off the device when he wants to and
thus becomes invisible to the system. On the other hand, it is not possible to
switch off tracking in PAISE that easily, so the user's right to be left alone is
not easily accomplished.
      </p>
    </sec>
    <sec id="sec-8">
      <title>Privacy Principles in Smart Environments</title>
      <p>
        Requirements and principles of Identity Management have been analyzed and
derived in pervasive computing ever since the very beginning of pervasive
computing. Obviously, these related works have some commonalities and disparities
among themselves. Our objective in this section is to narrow down the
privacy principles of Smart Environments suitable to LTS in such environments.
Langheinrich [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] identified six principles and guidelines for privacy-aware
ubiquitous systems. It is important to mention that these principles and guidelines
do not ensure total privacy. The goal of these privacy guidelines is to get as
close as possible to Brandeis' definition of privacy. We have picked four of the
privacy principles as they are most relevant for persistent authentication using
LTS. These four principles are outlined below:
        <list list-type="bullet">
          <list-item>
            <p>Notice: "Transparency" or "Openness" is the most fundamental principle
of any data collection system. When the location data about the user is
collected in PAISE but not saved, the user should be notified about that.</p>
          </list-item>
          <list-item>
            <p>Choice and Consent: A mere notice to the user about his location data
being tracked is not enough anymore, as the EU Directive
              <fn id="fn3">
                <label>3</label>
                <p>European Commission. Directive 95/46/EC of the European Parliament and of the
Council of 24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data, November 1995.</p>
              </fn>
              refined and extended
the well-known fair information practices. There has to be explicit consent
of the user about the location tracking.</p>
          </list-item>
          <list-item>
            <p>Anonymity and Pseudonymity: Since in an LTS it is very difficult to
have the explicit consent of the user at any given time, a certain degree of
anonymity and pseudonymity is also necessary.</p>
          </list-item>
          <list-item>
            <p>Proximity and Locality: This principle tells us that information should be
preserved locally. In terms of LTS we can interpret the principle in such a way that if
information is not disseminated out of a certain locality or area, the linkability
of tracking will be harder to achieve and thus it will be more privacy compliant.</p>
          </list-item>
        </list>
      </p>
      <sec id="sec-8-1">
        <title>Identity Metasystem</title>
        <p>
          An Identity Metasystem is a notion of abstracting the identity layer from the rest
of the system with the intention of gaining interoperability, privacy and
usability [
          <xref ref-type="bibr" rid="ref7 ref8 ref9 ref10">7-10</xref>
          ]. The Identity Metasystem can be explained well using the following
analogies: before 1950 programmers had to write assembly code to fulfill their
programming needs. Code written in assembly language required extreme
intellectual effort and, more problematically, it totally lacked the feature of
being portable from machine to machine. The invention of compilers in the 1950s and early
1960s brought along an abstraction layer where a generic form of code
could reside and could be translated back to machine-specific assembly code
according to need, thus bringing portability to code and breaking the machine-specific
silos. Similarly, in the 1970s and early 1980s, before the general adoption
of IP, distributed applications were bound to possess network-specific knowledge,
e.g. Ethernet, Token Ring or Frame Relay. IP again acted as an
abstraction layer encapsulating such network-specific technologies. Following
these two analogies we can think of an Identity Metasystem that acts as such a
mediator of existing Identity Management systems, allowing interoperability and
portability of identity [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ].
        </p>
        <p>
          The Identity Metasystem is a complex system that integrates existing IdM
systems to provide seamless interoperability and portability. Figure 2 illustrates
how IdPs with specific Security Token Services (e.g. Kerberos, X.509 etc.) federate
identity to RPs who accept other types of Security Tokens (e.g. SAML,
OpenID). WS-SecurityPolicy is shown as the policy negotiation mechanism,
and WS-Trust [
          <xref ref-type="bibr" rid="ref11">11</xref>
          ] and WS-MetadataExchange [
          <xref ref-type="bibr" rid="ref12">12</xref>
          ] as the abstraction layer.
        </p>
        <p>
          Having introduced the basic concept of the Identity Metasystem in this section,
we now address an obvious question that would strike the reader's mind: what
is the implication of an Identity Metasystem in LTS? In Section 2.3 we examined
the principles of privacy in LTS in smart environments. Our objective in this
section is to elaborate on how close to those principles we can bring PAISE by
hybridization with an Identity Metasystem. First of all, an Identity Metasystem
helps users to stay in control of their identity interactions by allowing them to
select the context-relevant digital persona they would like to reveal in a particular
instance. These digital personas contain the minimum personal information required
for a transaction. In the case of PAISE the system will only know whether the
user is authorized to access certain resources or not. Secondly, it empowers
users to make informed and reasonable decisions about disclosing their identity
in such environments [
          <xref ref-type="bibr" rid="ref13 ref14">13, 14</xref>
          ]. Thus, an Identity Metasystem can potentially improve
privacy in LTS. However, as we have mentioned in Section 2.3, absolute privacy
protection is not achievable by the privacy principles from Langheinrich; in a
similar way an Identity Metasystem will also not provide total privacy protection,
but rather more privacy awareness.
        </p>
      </sec>
      <sec id="sec-8-2">
        <title>Identity Management Technologies</title>
        <p>We have illustrated a conceptual view of the Identity Metasystem and its
implications in LTS. Before we move on to our architectural description of the Identity
Metasystem in PAISE, in this section we provide an overview of the
predominant IdM technologies and compare their compliance with the privacy principles
(cf. Section 2.3).</p>
      </sec>
    </sec>
    <sec id="sec-9">
      <title>OpenID</title>
      <p>OpenID 1.0 was originally developed in 2005 by Brad Fitzpatrick, Chief
Architect of Six Apart, Ltd. OpenID, a protocol for lightweight identity, is
adopted by a wide range of websites, especially those with heavy user-generated
content. OpenID Authentication 2.0 [
        <xref ref-type="bibr" rid="ref15 ref16 ref17">15-17</xref>
        ] is a fully backward-compatible,
open, community-driven platform that permits and motivates federated
identity. The OpenID Authentication 2.0 specification is a data transfer protocol
that supports both push and pull use cases. Besides, the community is coming up
with extensions to support the exchange of rich profile data and user-to-user
messaging. There are three key features of OpenID: Single Sign-On,
decentralized and lightweight identity. According to an article published in the German
online computer magazine "Heise Online"
        <fn id="fn4">
          <label>4</label>
          <p>http://www.heise.de/security/Yahoo-will-das-Passwort-Chaos-beenden--/news/meldung/102001, last viewed on Monday, December 01, 2008</p>
        </fn>
        on 18th January 2008 there were
already 370 million OpenIDs existing globally. However, the real number of
active OpenID users is still unknown, because big companies like Yahoo and AOL
offered an OpenID to all their users, which explains the high number of existing
OpenIDs. By design, the OpenID protocol suffers from serious privacy issues.
OpenID allows a URL to identify a subject or a user, and the URL that is used to
identify the subject is recyclable. Since OpenID permits URL-based identification,
it brings the issue of privacy. The privacy of a user using a URL as his
OpenID will be compromised if the possession of that URL is somehow lost. This is
how the principles of users' choice, consent, proximity and locality are violated in
the case of URL recycling.</p>
    </sec>
    <sec id="sec-10">
      <title>Windows CardSpace</title>
      <p>
        Windows CardSpace is a visual metaphor for an identity selector for the end-user.
Windows CardSpace gives end-users control over which information (about the
end-users) should reach the Relying Party (RP) and which should not. Windows
CardSpace is a product of Microsoft shipped with Windows Vista (or as an add-on
for Windows XP); it is not meant to replace the other standards handling digital
identity but rather to utilize and extend them [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ]. Windows CardSpace is token agnostic. Microsoft codename
"Geneva" is coming up with the next version of Windows CardSpace. "Geneva"
is a claims-based access platform, which includes three components: "Geneva"
Server, Windows CardSpace "Geneva" and "Geneva" Framework [
        <xref ref-type="bibr" rid="ref19">19</xref>
        ]. Windows
CardSpace has major privacy flaws: firstly, it relies on the users' judgment of
the trustworthiness of RPs. A CardSpace user is given the freedom to choose
one of the options of a high-assurance certificate belonging to the RP, an ordinary
certificate belonging to the RP, or an RP with no certificate [
        <xref ref-type="bibr" rid="ref20">20</xref>
        ]. In terms of the
first privacy principle (choice and consent) this certainly gives a lot of power
to the user. At the same time the option of allowing an RP with no certificate
weakens compliance with the fourth principle (proximity and locality), as
information may leak out to an unwanted domain. The second vulnerability is that
Windows CardSpace relies on a single layer of authentication. The user has to be
authenticated to the IdP using a traditional authentication mechanism. If a
working session is somehow hijacked or a password is cracked, the security of the whole
system is compromised. This has been practically shown by two IT-security
students at the Horst Görtz Institute for IT Security (HGI), Bochum, Germany, where
they manipulated the DNS server to implement a dynamic pharming attack.
        <fn id="fn5">
          <label>5</label>
          <p>On the Insecurity of Microsoft's Identity Metasystem CardSpace, Press release, Bochum, Germany, May 27, 2008, http://demo.nds.rub.de/cardspace/PR-HGI-TR2008-003-EN.pdf</p>
        </fn>
      </p>
    </sec>
    <sec id="sec-11">
      <title>Higgins Trust Framework</title>
      <p>
        Higgins is a software infrastructure that provides a consistent user experience
across multiple digital identity protocols, e.g. WS-Trust, OpenID, SAML, XDI,
LDAP etc. The main objectives of the Higgins project are the management of
multiple contexts, interoperability, and the definition of common interfaces for
an identity system. Various technologies including LDAP, SAML, WS-*, OpenID
etc. can be plugged into the Higgins framework. The first version, Higgins 1.0,
was released in February 2008. The next version, Higgins 1.1, was supposed to be
released by June 2009. There are also ideas and concepts in discussion beyond
Higgins 1.1 [
        <xref ref-type="bibr" rid="ref21">21</xref>
        ].
      </p>
      <p>Since Higgins supports various IdM protocols and technologies, it inherently
takes over the flaws and vulnerabilities of those technologies and protocols. It
also does not comply with the fourth principle (proximity and locality). However, the combined
approach of providing an umbrella framework for IdM allows Higgins users to
choose the best combination of technologies suited to their requirements.
Moreover, the Higgins architecture is the most compliant with the other three privacy principles
(Section 2.3) among the state-of-the-art technologies that have been considered
in this evaluation. Therefore, in our architecture we have adopted parts of the
Higgins architectural approach and adapted them to our needs. In the next section the
evaluation result is summarized.</p>
    </sec>
    <sec id="sec-12">
      <title>Evaluation of the State of the Art</title>
      <p>Our proposed architecture is based on Identity Federation between three entities:
the user, the IdP and the RP. The user requests access to a certain resource
from an RP in the smart environment and gains access once the required
credential has been federated by an IdP. Note that the same entities can play the role of IdP
or RP depending on the context. By means of Identity Federation the proposed
architecture will bring more privacy features on top of the PAISE authentication
mechanism.</p>
      <p>The communication protocol shown in Figure 4 works the following way:
1. The user requests access to certain resources.
2. The user is redirected to an IdP by the RP.</p>
      <p>This architecture allows decoupling of the user identity from IdP and RP, i.e.,
users can use different identities and possibly different IdPs towards different
RPs in the environment. This is how it captures the essence of being ambient
in a smart environment and switches identity to plug into different contexts. It
leverages the location tracking feature of PAISE and the identity federation features of
the Identity Metasystem to enable multi-party federation in an ambient manner.</p>
      <sec id="sec-12-1">
        <title>Discussion</title>
        <p>In this section we briefly discuss how the proposed architecture accomplishes the
privacy principles described in Section 2.3.</p>
        <p>
          <list list-type="bullet">
            <list-item>
              <p>Notice: First of all, the user is able to choose an InformationCard as a
visual metaphor of his digital identity, which gives him a human-readable
mechanism to understand exactly what information about him is fed to the
system, i.e., the data collection system is more "open" and "transparent" to
the user. This exactly reflects the first privacy principle "notice" mentioned
in Section 2.3.</p>
            </list-item>
            <list-item>
              <p>Choice and Consent: Secondly, when the user is sending a request for a
resource, he is redirected to his IdP and the IdP requests his credential. In
this case the user can choose a suitable digital persona for the given context.
This makes the privacy principle "choice and consent" applicable in
PAISE.</p>
            </list-item>
            <list-item>
              <p>Anonymity and Pseudonymity: Moreover, when the user is federated
by an external identity provider to access resources in a smart environment,
the system only knows whether the user has the right credential to access certain
resources. Obviously, there has to be a predefined trust mechanism between
the external IdP and the domain of the smart environment the user is accessing.
This allows the user a certain degree of anonymity within the area where
he is tracked by the PAISE system, i.e., he is not identified as an individual
entity but rather as an entity belonging to a group.</p>
            </list-item>
            <list-item>
              <p>Proximity and Locality: Finally, his tracking data does not go beyond the
locality of his foreign domain, i.e., his IdP, who has his actual identification,
does not gain access to his movement data. Thus it allows the fourth privacy
principle "proximity and locality" to be applicable up to a certain degree.</p>
            </list-item>
          </list>
        </p>
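        <p>As an added illustration of the federation described in Section 5 and of the principles discussed above (this is not code from the paper, nor from Higgins or CardSpace), the following Python sketch models the IdP, the RP in the smart environment and the InformationCard selection: the RP asks only for the claims its policy needs, the IdP issues a signed token carrying a per-RP pseudonym, and the RP binds that token to the PAISE track id without the IdP ever seeing tracking data. The shared HMAC secret, the sample cards, the domain names and the access policy are constructed assumptions.</p>
        <p>
```python
"""Claims-based federation for a PAISE smart environment (added illustration,
not the authors' code).  Assumptions not taken from the paper: the IdP and the
relying party (RP) share a pre-established secret (the "predefined trust
mechanism"), tokens are JSON signed with HMAC-SHA256, each InformationCard is a
fixed claim set, and the RP asks only for the claims its policy needs."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

NOW = 1_000_000   # constructed clock value so the example is deterministic

# Constructed sample cards: what the user is willing to reveal per persona.
CARDS: Dict[str, Dict[str, str]] = {
    "work-card": {"role": "employee", "department": "research", "name": "A. User"},
    "visitor-card": {"role": "visitor"},
}


class IdentityProvider:
    """Knows the real identity, but must never learn where the user is tracked."""

    def __init__(self, secret: bytes, real_identity: str) -> None:
        self._secret = secret
        self._real_identity = real_identity
        self.seen: List[Dict] = []          # everything the IdP is told

    def issue(self, card: str, rp_domain: str, wanted: List[str], now: int) -> Dict[str, str]:
        """Release only the requested claims of the chosen card, as a signed token."""
        self.seen.append({"card": card, "rp": rp_domain, "wanted": list(wanted)})
        claims = {k: v for k, v in CARDS[card].items() if k in wanted}
        # Per-RP pseudonym: the same user is not linkable across different RPs.
        sub = hmac.new(self._secret + b"|pseudonym",
                       (self._real_identity + "|" + rp_domain).encode(),
                       hashlib.sha256).hexdigest()[:16]
        body = {"sub": sub, "aud": rp_domain, "claims": claims, "exp": now + 300}
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class RelyingParty:
    """A location-based service inside the smart environment."""

    def __init__(self, domain: str, secret: bytes, policy: Dict[str, List[str]]) -> None:
        self.domain = domain
        self._secret = secret
        self.policy = policy                 # resource -> roles allowed to use it
        self.sessions: Dict[int, str] = {}   # PAISE track id -> pseudonym

    def required_claims(self) -> List[str]:
        """Minimum disclosure: the access policy only ever looks at the role."""
        return ["role"]

    def verify(self, token: Dict[str, str], now: int) -> Optional[Dict]:
        """Check signature, audience and expiry; return the body or None."""
        expected = hmac.new(self._secret, token["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return None
        body = json.loads(token["payload"])
        if body["aud"] != self.domain or now > body["exp"]:
            return None
        return body

    def request_access(self, track_id: int, resource: str,
                       token: Dict[str, str], now: int) -> Tuple[bool, str]:
        """Decide on a request coming from the blob with the given track id."""
        body = self.verify(token, now)
        if body is None:
            return False, "token rejected"
        role = body["claims"].get("role")
        if role not in self.policy.get(resource, []):
            return False, f"role {role!r} not allowed for {resource}"
        # Bind the pseudonym to the PAISE track; this binding never reaches the IdP.
        self.sessions[track_id] = body["sub"]
        return True, f"access to {resource} granted to pseudonym {body['sub']}"


def run_flow(card: str, now: int = NOW) -> Dict:
    """Constructed flow: the user asks the RP for the lab door, is redirected to
    the IdP, picks a card, and comes back with a token carrying only the role."""
    secret = b"constructed-shared-secret"      # the IdP/RP trust relationship
    idp = IdentityProvider(secret, "alice@example.org")
    rp = RelyingParty("lab.example.org", secret, {"lab-door": ["employee"]})
    token = idp.issue(card, rp.domain, rp.required_claims(), now)
    decision = rp.request_access(7, "lab-door", token, now)
    return {"idp": idp, "rp": rp, "token": token, "decision": decision}


if __name__ == "__main__":
    for card in CARDS:
        print(card, "->", run_flow(card)["decision"])
```
        </p>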
      </sec>
      <sec id="sec-12-2">
        <title>Conclusion &amp; Outlook</title>
        <p>To summarize the implication of the "Identity Metasystem" as an add-on to the
PAISE model, it is important to highlight some benefits of Federated Identity
and InformationCard. First of all, federated identity makes data collection
fragmented, thus leading to less linkability without losing the possibility of
traceability. Accountability vs. anonymity has been a classic debate between proponents
of privacy and security. Federated Identity to some extent strikes a balance between
these two. Another significant addition is the InformationCard. An InformationCard
provides a clear and usable representation of digital identity. It allows context-aware
identity selection, empowerment of the user and usability. Although the
user is not able to switch off his tracking, by means of the identity selector he can
choose an InformationCard, selecting different identities and contexts. This is how
PAISE comes one step closer to the old definition of privacy given by Brandeis, i.e.,
the right to leave one identity mask and select a new one has been
accomplished.</p>
      </sec>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <surname>Hansen</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kirshmeyer</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Jensen</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          :
          <article-title>Persistent authentication in smart environments</article-title>
          .
          <source>In: Proceedings of the 2nd International Workshop on Combining Context with Trust, Security, and Privacy (CAT08)</source>
          (June
          <year>2008</year>
          )
          <fpage>31</fpage>
          -
          <lpage>44</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <surname>Weiser</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
          <article-title>The computer for the 21st century</article-title>
          .
          <source>SIGMOBILE Mob. Comput. Commun. Rev</source>
          .
          <volume>3</volume>
          (
          <issue>3</issue>
          ) (
          <year>1999</year>
          )
          <fpage>3</fpage>
          -
          <lpage>11</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <surname>Langheinrich</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
          <article-title>Privacy by design - principles of privacy-aware ubiquitous systems</article-title>
          .
          <source>In: UbiComp '01: Proceedings of the 3rd international conference on Ubiquitous Computing</source>
          , London, UK, Springer-Verlag (
          <year>2001</year>
          )
          <fpage>273</fpage>
          -
          <lpage>291</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <surname>Lockton</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Rosenberg</surname>
            ,
            <given-names>R.S.</given-names>
          </string-name>
          :
          <article-title>RFID: The next serious threat to privacy</article-title>
          .
          <source>Ethics and Inf. Technol.</source>
          <volume>7</volume>
          (
          <issue>4</issue>
          ) (
          <year>2005</year>
          )
          <fpage>221</fpage>
          -
          <lpage>231</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <surname>Michael</surname>
            ,
            <given-names>M.G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Fusco</surname>
            ,
            <given-names>S.J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Michael</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          :
          <article-title>A research note on ethics in the emerging age of uberveillance</article-title>
          .
          <source>Comput. Commun</source>
          .
          <volume>31</volume>
          (
          <issue>6</issue>
          ) (
          <year>2008</year>
          )
          <fpage>1192</fpage>
          -
          <lpage>1199</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <surname>Perusco</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Michael</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          :
          <article-title>Control, trust, privacy, and security: evaluating location-based services</article-title>
          .
          <source>IEEE Technology and Society Magazine</source>
          <volume>26</volume>
          (
          <issue>1</issue>
          ) (
          <year>Spring 2007</year>
          )
          <fpage>4</fpage>
          -
          <lpage>16</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <surname>Cameron</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          :
          <article-title>The laws of identity</article-title>
          . Microsoft Corporation, http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf (
          <year>2005</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <surname>Akram</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hoffmann</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
          <article-title>Supports for identity management in ambient environments - the hydra approach</article-title>
          .
          <source>In: ICSNC '08: 3rd International Conference on Systems and Networks Communications</source>
          (Oct.
          <year>2008</year>
          )
          <fpage>371</fpage>
          -
          <lpage>377</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
          <string-name>
            <surname>McLaughlin</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          :
          <article-title>What Microsoft's identity metasystem means to developers</article-title>
          .
          <source>IEEE Software</source>
          <volume>23</volume>
          (
          <issue>1</issue>
          ) (Jan.-Feb.
          <year>2006</year>
          )
          <fpage>108</fpage>
          -
          <lpage>111</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10.
          <string-name>
            <surname>Cameron</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Jones</surname>
            ,
            <given-names>M.B.</given-names>
          </string-name>
          :
          <article-title>Design rationale behind the identity metasystem architecture</article-title>
          (
          <year>2006</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
          <string-name>
            <surname>Lawrence</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          , et al.:
          <article-title>WS-Trust 1.3</article-title>
          . OASIS Standard, http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html (19 March
          <year>2007</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12.
          <string-name>
            <surname>Ballinger</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          , et al.:
          <article-title>Web services metadata exchange, version 1.1</article-title>
          . http://download.boulder.ibm.com/ibmdl/pub/software/dw/specs/wsmex/metadataexchange.pdf (
          <year>August 2006</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13.
          <string-name>
            <surname>Akram</surname>
            ,
            <given-names>H.I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hoffmann</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
          <article-title>User-centric identity management in ambient environments</article-title>
          .
          <source>International Journal on Advances in Intelligent Systems</source>
          <volume>2</volume>
          (
          <issue>1</issue>
          ) (
          <year>2009</year>
          )
          <fpage>254</fpage>
          -
          <lpage>267</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14.
          <string-name>
            <surname>Akram</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hoffmann</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
          <article-title>Laws of identity in ambient environments: The hydra approach</article-title>
          .
          <source>In: UBICOMM '08: Proceedings of the 2008 The Second International Conference on Mobile Ubiquitous Computing, Systems, Services and Technologies</source>
          , Washington, DC, USA, IEEE Computer Society (
          <year>2008</year>
          )
          <fpage>367</fpage>
          -
          <lpage>373</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <string-name>
            <surname>Miller</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          :
          <article-title>Yadis 1.0</article-title>
          . http://yadis.org/papers/yadisv1.0.pdf (
          <year>March 2006</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16.
          <string-name>
            <surname>Recordon</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Reed</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          :
          <article-title>OpenID 2.0: a platform for user-centric identity management</article-title>
          .
          <source>In: DIM '06: Proceedings of the second ACM workshop on Digital identity management</source>
          , New York, NY, USA, ACM (
          <year>2006</year>
          )
          <fpage>11</fpage>
          -
          <lpage>16</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          17.
          <string-name>
            <surname>Recordon</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Fitzpatrick</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          :
          <article-title>OpenID Authentication 1.1</article-title>
          . http://openid.net/specs/ (
          <year>2006</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          18.
          <string-name>
            <surname>Mercuri</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
          <source>Beginning Windows CardSpace: From Novice to Professional</source>
          . Apress, Berkeley, CA, USA (
          <year>2007</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          19.
          <string-name>
            <surname>Brown</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Mani</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          :
          <article-title>Microsoft code name "Geneva" framework whitepaper for developers</article-title>
          .
          <source>Microsoft Corporation</source>
          , http://download.microsoft.com/download/7/d/0/7d0b5166-6a8a-418a-addd95ee9b046994/GenevaFrameworkWhitepaperForDevelopers.pdf (
          <year>2008</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          20.
          <string-name>
            <surname>Alrodhan</surname>
            ,
            <given-names>W.A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Mitchell</surname>
            ,
            <given-names>C.J.</given-names>
          </string-name>
          :
          <article-title>Addressing privacy issues in CardSpace</article-title>
          .
          <source>In: IAS '07: Proceedings of the Third International Symposium on Information Assurance and Security</source>
          , Washington, DC, USA, IEEE Computer Society (
          <year>2007</year>
          )
          <fpage>285</fpage>
          -
          <lpage>291</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          21.
          <string-name>
            <surname>Ruddy</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Trevithick</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Nadalin</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Olds</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          :
          <article-title>Higgins trust framework</article-title>
          .
          <source>Digital ID World</source>
          (
          <year>2006</year>
          )
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>