Identity management, user authentication and access control are critical issues for Web usage, mobile services, wireless communications and other services. There are a number of authentication and access protocols. For example, OpenID is an open, decentralized framework and method for user authentication and access control. A single digital identity allows users to log on once and gain access to multiple services. The digital identity generally takes the form of a unique uniform resource locator (URL) that is typically hosted by an identity provider. The identity provider authenticates the user when the user wants to access a service provider with that digital identity. The OpenID framework allows different authentication methods to be used to authenticate a user. To claim an identity at the identity provider, several methods can be used; the most common is a logon form in which the user provides a password.

However, without the use of trusted systems, the relying party does not gain enough evidence to establish a trust relationship with the communication partner submitting the authentication credentials. The user credentials (e.g. a username/password combination) are not bound to the platform and thus could have been stolen; an attacker could use the stolen credentials to access services in the name of the legitimate user. By binding the authentication credentials for the OpenID protocol to the platform and its trustworthy state, the security and safety of the OpenID protocol can be enhanced.
In a ticket-based authentication and authorization protocol, software tokens (i.e., tickets) are used to prove the identity of a single entity/user. Based on these tokens, access to certain systems is restricted to entities/users that produce appropriate tokens. Additionally, data embodied in the token may be used to implement authorization control, enabling a token-based access control scheme in addition to mere authentication.
Another authentication and authorization protocol uses attestation identity keys (AIKs), generated by a trusted platform module (TPM) in a trusted computing environment, as identifying credentials in ticket systems. AIKs are used to sign trust measurements and to certify keys generated by a TPM. Current implementations of such a trusted ticket-based system require a central database to maintain shared keys, or a Public Key Infrastructure (PKI), for the encryption of the tickets, and every service provider has to be modified to evaluate and accept the received tickets.
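As an added illustration of the binding described above (constructed example code, not from the original text or any product it describes), the following Python simulation issues a ticket that carries the user, a platform key identifier, the measured platform state and authorization data, and lets the relying party reject a ticket presented from a different platform or from a platform whose state has changed. Per-platform shared secrets in a registry stand in for TPM keys certified by an AIK, mirroring the shared-key database the text mentions; the function names, the registry layout and the "pcr" field are assumptions.

```python
import hmac, hashlib, json, os
# Added, constructed simulation (not the original text's code): per-platform
# secrets in a shared-key registry stand in for TPM keys certified by an AIK,
# and "pcr" models the measured platform state the ticket is bound to.

def _mac(key: bytes, *parts: bytes) -> str:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest()

def issue_ticket(ticket_key, user, key_id, pcr, scope, now, ttl=300):
    # Identity provider: the ticket names user, platform key, platform state and
    # authorization data, all covered by the provider's MAC.
    body = {"user": user, "key_id": key_id, "pcr": pcr,
            "scope": scope, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": _mac(ticket_key, payload)}

def platform_proof(platform_secret, current_pcr, ticket, nonce):
    # Client: proves possession of the platform key over a fresh nonce, the
    # ticket and the platform's current measured state.
    return _mac(platform_secret, nonce, ticket["mac"].encode(), current_pcr.encode())

def verify(ticket_key, registry, ticket, nonce, proof, now, required_scope):
    # Relying party: ticket integrity, freshness and authorization first, then
    # the platform binding against the enrolled key and expected state.
    body = ticket["body"]
    payload = json.dumps(body, sort_keys=True).encode()
    if not hmac.compare_digest(ticket["mac"], _mac(ticket_key, payload)):
        return "bad ticket mac"
    if now >= body["exp"]:
        return "expired"
    if required_scope not in body["scope"]:
        return "scope denied"
    enrolled = registry.get(body["key_id"])
    if enrolled is None or enrolled["pcr"] != body["pcr"]:
        return "unknown or untrusted platform"
    expected = _mac(enrolled["secret"], nonce, ticket["mac"].encode(), enrolled["pcr"].encode())
    if not hmac.compare_digest(proof, expected):
        return "platform binding failed"  # stolen ticket or changed platform state
    return "ok"

def demo():
    ticket_key, secret, pcr = os.urandom(32), os.urandom(32), "a" * 64
    registry = {"tpm-key-1": {"secret": secret, "pcr": pcr}}
    now, nonce = 1_700_000_000, os.urandom(16)
    t = issue_ticket(ticket_key, "alice", "tpm-key-1", pcr, ["read"], now)
    check = lambda p, at=now + 10: verify(ticket_key, registry, t, nonce, p, at, "read")
    return {"legit": check(platform_proof(secret, pcr, t, nonce)),
            "stolen": check(platform_proof(os.urandom(32), pcr, t, nonce)),
            "altered_state": check(platform_proof(secret, "b" * 64, t, nonce)),
            "expired": check(platform_proof(secret, pcr, t, nonce), now + 600)}
```

The "stolen" case models the attack the text describes: the ticket itself is intact, but without the platform key it cannot be bound to a fresh nonce, so the relying party rejects it.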