Towards Practical Attribute-Based Identity Management: The IRMA Trajectory

Abstract

IRMA is an abbreviation for "I Reveal My Attributes", and at the same time it is the name of a project run by the Digital Security group of the University of Nijmegen and its partners to get attribute-based identity management up and running. This hands-on approach forces us to elaborate many unexplored issues, leading to a better understanding of attributes and their possibilities and challenges. Cryptographic techniques that enable secure and privacy-friendly attribute-based au-thentication have been around for more than a decade, see [3, 5, 6, 8]. But what is new is that the latest generation of smart cards is powerful enough to perform the required (non-trivial) cryptographic operations in an adequately efficient manner [9]. Hence only now we see efforts to actually deploy attributes in practice, like the IRMA project 1 at Nijmegen. Two other pilot projects should be mentioned, both of which are carried out by the EU-sponsored ABC4Trust consortium [4]. The Swedish pilot [2] gives anonymous access for elementary school pupils to on-line resources (e.g., chat room), while the Greek pilot [1] enables university students to evaluate lectures anonymously. In both cases eligibility and privacy are of primary importance. Although the IRMA pilot uses the same underlying technology, the objective of our research is more general as we investigate a broad variety of attributes and applications. The associated kind of challenges does not appear in these ABC4Trust pilots since each focusses on a single context. This document gives a brief overview of some of the more salient aspects of the IRMA project. First of all, attributes are used in a very broad sense as describing some property of a person. This property may be anonymous (non-identifying), such as your gender, or whether or not you are over 18, but in the IRMA context it may also identify you, for example when the attribute is your bank account or social security number. While the underlying technology provides full unlinkability, the attribute values may provide linkability. This usage of identifying attributes may go against the original intention that attributes should be anonymous, but extending their interpretation to (partial) identification greatly extends the application scenarios. For instance, we foresee registration and status attributes for medical personnel (giving access to medical files), for employees (giving access to premises, networks, and PCs), and for customers (giving benefits, and online access to their purchase/bonus history). Additionally, attributes may be used for a micro medical dossier, with essential (emergency) information. 1 See www.irmacard.org for up-to-date information and developments.