A LINDDUN-based framework for privacy threat analysis on identification and authentication processes
Cite as: hdl:2117/190711
Document type: Article
Defense date: 2020
Rights access: Open Access
Except where otherwise noted, content on this work is licensed under a Creative Commons license: Attribution-NonCommercial-NoDerivs 3.0 Spain
Abstract
Identification and authentication (IA) are security procedures that are ubiquitous in our online life, and that constantly require disclosing personal, sensitive information to non-fully trusted service providers, or to fully trusted providers that unintentionally may fail to protect such information. Although user IA processes are extensively supported by heterogeneous software and hardware, the simultaneous protection of user privacy is an open problem.
From a legal point of view, the European Union legislation requires protecting the processing of personal data and evaluating its impact on privacy throughout the whole IA procedure. Privacy Threat Analysis (PTA) is one of the pillars for the required Privacy Impact Assessment (PIA). Among the few existing approaches for conducting a PTA, LINDDUN is a very promising framework, although generic, in the sense that it has not been specifically conceived for IA.
In this work, we investigate an extension of LINDDUN that allows performing a reliable and systematically-reproducible PTA of user IA processes, thereby contributing to one of the cornerstones of PIA. Specifically, we propose a high-level description of the IA verification process, which we illustrate with a UML use case. Then, we design an identification and authentication modelling framework, propose an extension of two critical steps of the LINDDUN scheme, and adapt and tailor the trust boundary concept applied in the original framework. Finally, we propose a systematic methodology aimed to help auditors apply the proposed improvements to the LINDDUN framework.
Description
© <2020>. This manuscript version is made available under the CC-BY-NC-ND 4.0 license http://creativecommons.org/licenses/by-nc-nd/4.0/
Citation: Robles, A.; Parra-Arnau, J.; Forne, J. A LINDDUN-based framework for privacy threat analysis on identification and authentication processes. "Computers and security", 2020, vol. 94, no. June 2020, p. 101755:1-101755:22.
ISSN: 0167-4048
Publisher version: https://www.sciencedirect.com/science/article/pii/S0167404820300390
Files | Description | Size | Format |
---|---|---|---|
LINDDUN COSE.pdf | | 1,355Mb | |