T-FIM: Transparency in Federated Identity Management for Decentralized Trust and Forensics Investigation

Federated Identity Management (FIM) has gained significant adoption as a means to simplify user authentication and service authorization across diverse domains. It serves as a centralized authentication and authorization method, enabling users to access various applications or resources using credentials issued by a universally trusted identity provider (IdP). However, recent security incidents indicate that the reliability of credentials issued by IdP is not absolute in practice. If the IdP fails, it can persistently access any application that trusts it as any user. This poses a significant security threat to the entire system. Furthermore, with the increasing adoption of FIM across diverse scenarios, there is a growing demand for the development of an identity management system that can effectively support digital forensics investigations into malicious user behavior. In this work, we introduce transparency to federated identity management, proposing T-FIM to supervise unconditional trust. T-FIM employs privacy-preserving logs to record all IdP-issued tokens, ensuring that only the true owner can access the exact token. We utilize identity-based encryption (IBE), but not just as a black box, encrypting tokens before they are publicly recorded. In addition, we propose a decentralized private key generator (DPKG) to provide IBE private keys for users, avoiding the introduction of a new centralized trust node. T-FIM also presents a novel approach to digital forensics that enables forensic investigators to collect evidence in a privacy-preserving manner with the cooperation of the DPKG. We conduct a comprehensive analysis of the correctness, security, and privacy aspects of T-FIM. To demonstrate the practical feasibility of T-FIM, we evaluated the additional overhead through experimental evaluations. Additionally, we compared its performance with other similar schemes to provide a comprehensive understanding of its capabilities and advantages.