Privacy in Web services is of great importance and a critical requirement for any business and non-business environments. The growth of Web services has been accompanied by sharing more and more user personal information with Web service providers between diverse and heterogeneous computing systems, which has raised concern about possible malicious or accidental unauthorized abuse of user information. The security assertion markup language (SAML) architecture is an XML standard for exchanging authentication and authorization data. However privacy preserving in SAML is inadequate for user privacy protection. In this paper, the SAML architecture is extended to address this shortcoming. A privacy enforcement model-based on ring signature is presented, which provides unconditional anonymity for Web service users. This model enables verification of individuals who belong to a specific group with access right without actually being identified by their IDs or names. Therefore the risk of information leak is reduced. Furthermore, even if the third party is corrupted or the ID correspondence relationship is leaked, the individual remains unrecognizable. Meanwhile most SAML authorization between individual and web services can be done without the presence of the third party, which largely decreases communication overhead and enhances the privacy. Finally, a web services conversation establishment protocol is constructed based on this model, which has been implemented in Java/Tomcat.
Copyright 2008 IEEE. Reprinted from 2008 IEEE Congress on Services : SERVICES 2008 : Part 2 : 23-26 September 2008, Beijing, China. This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of Macquarie University’s products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to email@example.com. By choosing to view this document, you agree to all provisions of the copyright laws protecting it.