Microsoft U-Prove technology helps with both security and privacy

At the RSA conference this week, Microsoft announced the availability of the U-Prove Community Technology Preview (CTP).  The U-Prove CTP integrates with the Microsoft identity platform technologies (Windows Identity Foundation, Windows CardSpace 2.0, and Active Directory Federation Services 2.0) and enables the issuance and presentation of cryptographically protected claims in a manner that provides multi-party security. At the same time, the U-Prove technology enables any desired degree of privacy (including authenticated anonymity and pseudonymity) without contravening multi-party security.

Identity solutions enabled with U-Prove technology that provides more secure and private access to on-premise and cloud based applications through the minimal disclosure of information are critical for establishing trust in information and communication technology (ICT) systems for the health industry to encourage adoption and use of these systems by care professionals, patients, and other users of these health ICT systems. This is about the minimal disclosure of patient data, or consumer health data in general.  Whether it is disclosure someone needs to make as a patient to other parties such as insurance, providers, community health, and pharmacies, or disclosures that other parties need to make about someone’s health information. For example, a patient only needs to disclose that they are over a certain age and that they have valid purchasing credentials to buy certain type of OTC medication without having to reveal their full identity or attributes such as their name or date of birth that are not necessarily needed for this specific transaction.

The U-Prove Cryptographic Specification V1.0 specifies the foundational features of the U-Prove technology. This specification has been published under the Open Specification Promise allowing anyone to use or implement the technology. As noted in the U-Prove CTP Whitepaper, the U-Prove cryptographic specification defines the computational steps of each protocol participant; other details (e.g., the encoding, contents, and storage of U-Prove artifacts) must be specified in an application profile. This provides greater flexibility to use the U-Prove technology in various frameworks. For example, existing security token types (e.g., X.509 certificates, SAML tokens, etc.) could be extended to support the U-Prove technology.

Following is an excerpt from the U-Prove Technology Overview document published this month by Dr. Stefan Brands, Principal Architect at Microsoft about the U-Prove technology:

‘More generally, the U-Prove technology can be used to reconcile seemingly conflicting multi-party security and privacy requirements in all sorts of electronic communication and transaction systems. Examples include digital rights management, electronic voting, electronic payment instruments, electronic health records, electronic postage, online auctions, public transport ticketing, road-toll pricing, loyalty schemes, and e-gaming. The U-Prove technology can also be applied to protect identity-related information pertaining to non-human entities, such as computer processes, software applications, hardware devices, and so forth. Furthermore, since entities can securely share information via any untrusted party while delegating partial control over its release to that party, the U-Prove technology enables the design of new applications with no physical-world analogy; one example area of interest is cloud computing services that can perform limited operations on integrity-protected input data from different sources.’

In an interview on Channel 9 with Vittorio Bertocci, Senior Architect Evangelist at Microsoft, Dr. Stefan discusses the U-Prove CTP, including the availability of C# and Java SDKs that Microsoft released under the BSD open-source license and can be downloaded from the MSDN Code Gallery.  Dr. Stefan also covers some interesting scenarios in the health industry where the U-Prove technology brings a lot of value in the area of security and privacy of exchange of health data.

Watch the interview at the following link:

It should be noted that this technology area is covered by the Microsoft Connected Health Platform offering for Security and Compliance highlighted in the diagram below.  Additional information about the Microsoft Connected Health Platform offerings can be accessed at the Health ICT Resource Center at


teddy bachour

senior industry technology strategist, ww health

Skip to main content