Anonymous Authorisation in Smart Environments
Florian Baumann
Chair for Network Architectures and Services
Department for Computer Science
Technische Universität München
August 13, 2014

Outline
1 Motivation & Context
2 Research Questions
3 Analysis
  - Requirements
  - Approaches
  - Comparison of the approaches
4 Solution
5 Schedule

Motivation & Context
- IDEM: Customizable and Tenant-aware System for Energy Control
- Privacy concerns
  - Tracking of individuals
  - Profiling of individuals and their habits, especially with other sensor data
- Identity of individual often unnecessary to make authorisation decision
- Prevention of data breaches and abuse (if there is no data, it can't be breached or abused)

Scenario
- Administration rents parts of its building to different companies
- Companies have Employees who need to use the different services provided
- Employees have to authorise to use services (e.g. Meeting Rooms, Cafeteria)

Research Questions
- What is a suitable solution for secure, yet anonymous authorisation?
- What properties does the system need for an anonymous authorisation?
- How does the user interact with the system?

Requirements
(R1) Non-linkability of authorisations by the same person
(R2) Revocation of Anonymity in special cases (e.g. fraud)
(R3) Preventing unauthorised Lending
(R4) Non-repudiation
(R5) Revocation
(R6) Limited show Token

Approaches
- Existing Authorisation Solutions (Shibboleth, OAuth, Kerberos)
- Building Tokens/Coins
  - Similar to coin money, Tokens can only be used once
  - User receives Tokens into a digital wallet (Smartcard, Smartphone)
  - Tokens contain a serial number; the building remembers which serial numbers have been used
- Digital Credentials
  - Proposed by Stefan Brands in 1993, borrowing heavily from work by David Chaum
  - Similar to X.509 Certificates, as they contain attributes about the holder
  - Allow for selective disclosure of these attributes through proofs of knowledge

Comparison
Columns: R1 R2 R3 R4 R5 R6
Existing Solutions: � � � ✗ ✗
Building Coins: � � � ✗ ✗ ✗
Digital Credentials: � � � � � �
Legend:
(R1) Non-linkability
(R2) Anonymity Revocation
(R3) Unauthorised Lending
(R4) Non-repudiation
(R5) Revocation
(R6) Limited show Token

Digital Credentials
- Implemented by idemix (IBM) and U-Prove (Microsoft)
- Privacy-Preserving Attribute-Based Credential Engine (ABC4Trust) provides interoperability
Source: ABC4Trust

Credential Types
- CompanyCred
  - CompanyID, Name, NotBefore, NotAfter, Revocation Handle
- EmployeeCred
  - UserID, Name, NotBefore, NotAfter, Revocation Handle
  - CompanyID carried over from the CompanyCred
- ServiceCred
  - ServiceID, NotBefore, NotAfter, Revocation Handle
  - UserID, CompanyID carried over from EmployeeCred
  - Flag specifying whether the User can pass it on to someone else
  - Bound to same Key as EmployeeCred

Issuance
- Administration
  - Issues CompanyCreds to Companies
  - Issues ServiceCreds to Users, requires EmployeeCred
- Companies
  - Issues EmployeeCreds to Users, requires CompanyCred
  - Issues ServiceCreds to Users, requires EmployeeCred

Verification
- User states his CompanyID to Verifier
- Verifier retrieves the Issuing Public Key of the Company from the Knowledge Base (Trusted Storage)
- Verifier sends PresentationPolicy to User, stating which types of Credentials and Attributes he wants to see
- User chooses an appropriate combination from his Credentials to satisfy the policy
- Verifier checks the received PresentationToken
- Verifier can store this token for later inspection

Revocation
- Normal Revocation
  - Revocation Authority periodically publishes Revocation Info (List of Revocation Handles)
  - User proves that the Revocation Handle of its Credential is not in the list of revoked Handles
- Revocation of all Credentials issued by a Company
  - Once a Company leaves the building, its Public Key is deleted from the Knowledge Base
  - As a consequence, all Credentials it issued will no longer be verifiable

Schedule
[Gantt chart: July to October, weeks 1 to 14. Tasks: Familiarisation, Concept, This Talk, Implementation, Testing, Thesis, Submission, Defense]

Thank you for listening. Any Questions?