direct anonymous attestation daa
play

Direct Anonymous Attestation (DAA) Liqun Chen Trusted Systems - PowerPoint PPT Presentation

Sep 13, 2022 •334 likes •863 views

Direct Anonymous Attestation (DAA) Liqun Chen Trusted Systems Laboratory Hewlett Packard Laboratories, Bristol 12 October 2005 The slides presented here were made for a DAA seminar last year outline outline what is DAA? what is DAA

  1. Direct Anonymous Attestation (DAA) Liqun Chen Trusted Systems Laboratory Hewlett Packard Laboratories, Bristol 12 October 2005 The slides presented here were made for a DAA seminar last year

  2. outline outline • what is DAA? • what is DAA for? • why DAA? • how does DAA work? Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 2

  3. outline • what is DAA? • what is DAA for? • why DAA? • how does DAA work? Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 3

  4. DAA is a signature scheme DAA is a signature scheme designed for TCG • – signer: TPM (trusted platform module) – verifier: an external partner the name of DAA is from • Direct proof – without a TTP involvement – Anonymous – do not disclose the identity of the signer – Attestation – statement/claim from a TPM – DAA was adopted by TCG and specified in TCG TPM • Specification Version 1.2, available at www.trustcomputinggroup.org designers: Ernie Brickell of Intel, Jan Camenisch of IBM and • Liqun Chen of HP Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 4

  5. category of signature schemes – from a verifier’s point of view • 1–out–1 signatures: ordinary signatures – a verifier is given an authenticated public key of a signer • 1–out–n signatures: ring signatures, designated- verifier signatures, concurrent signatures, …… – a verifier is given authenticated public keys of all potential signers • 1–out–group signatures: group signatures, DAA – a verifier is given an authenticated group public key Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 5

  6. group signatures and DAA • a group signature has fixed-traceability and unlinkability – a group member certificate indicates an identity-disclosure authority – the authority can recover the identity of the real signer from a group signature • a DAA signature has flexible-traceability and flexible- linkability – there is no identity-disclosure authority (a DAA signature cannot be opened by any TTP) – a DAA signature provides the user-control link that can be used to link some selected signatures from the same signer for the same verifier Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 6

  7. outline • what is DAA? • what is DAA for? – for TCG • why DAA? • how does DAA work? Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 7

  8. goals of the TCG architecture ensure user’ ’s s ensure user protect protect choice on use of choice on use of user’ ’s s user security security information information mechanism mechanism protect protect protect user’ ’s s protect user user’ ’s s user computing computing privacy privacy environment environment Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 8

  9. obstacle to achieving the goals of the TCG architecture security might be fundamentally incompatible with privacy Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 9

  10. obstacle to achieving the goals of the TCG architecture security might be fundamentally incompatible with privacy high security & low privacy Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 10

  11. obstacle to achieving the goals of the TCG architecture security might be fundamentally incompatible with privacy high security high privacy & & low privacy low security Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 11

  12. obstacle to achieving the goals of the TCG architecture security might be fundamentally incompatible with privacy high security high privacy & & what we want: deliver security and low privacy low security provide user control of privacy Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 12

  13. TPM (trusted platform module) the TPM is the root of trust for reporting - – it offers smartcard-like security capability embedded into the platform – it is trusted to operate as expected (conforms to the TCG spec) – it is uniquely bound to a single platform – its functions and storage are isolated from all other components of the platform (e.g., the CPU) Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 13

  14. TPM (trusted platform module) the TPM is the root of trust for reporting - – it offers smartcard-like security capability embedded into the platform – it is trusted to operate as expected (conforms to the TCG spec) – it is uniquely bound to a single platform – its functions and storage are isolated from all other components of the platform (e.g., the CPU) random num ber N on-volatile generation M em ory Processor M em ory asym m etric hash I/O signing and key encryption H M AC generation clock/tim er pow er detection Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 14

  15. platform attestation • TCG requires a TPM to have an embedded “endorsement key (EK)”, to prove that a TPM is a particular genuine TPM • EK is not a platform identity • TCG lets a TPM control “multiple pseudonymous attestation identities” by using “attestation identity key (AIK)” • AIK is a platform identity, to attest to platform properties we need a link between EK and AIK Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 15

  16. privacy issue I want to know I don’t want to that AIK came disclose which from a TPM TPM the AIK is from AIK an external partner a user TPM – trusted platform module EK – endorsement key AIK – attestation identity key Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 16

  17. privacy issue I want to know I don’t want to that AIK came disclose which from a TPM TPM the AIK is from AIK an external partner a user we seek a solution to convince an TPM – trusted platform module external party that an AIK is held in a EK – endorsement key TPM without identifying the TPM AIK – attestation identity key Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 17

  18. outline • what is DAA? • what is DAA for? • why DAA? • how does DAA work? Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 18

  19. previous solution is not good enough the previous solution (before TCG TPM spec. v1.2) - • involves a TTP to issue certificates • allows choice of any (different) certification authorities (privacy-CA) to certify each TPM identity • can help prevent correlation, however anonymity is dependent upon the private-CA Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 19

  20. our goal and solution • our goal: a solution provides – anonymity without a TTP – authentication without a certificate • our solution: – direct anonymous attestation (DAA) direct proof replaces the TTP Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 20

  21. a simple picture of DAA TPM EK AIK #1 DAA AIK #2 Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 21

  22. a simple picture of DAA stock broker medical clinic verifier verifier TPM EK AIK #1 DAA AIK #2 Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 22

  23. a simple picture of DAA stock broker medical clinic verifier verifier a DAA a DAA signature of signature of AIK #1 AIK #2 TPM EK AIK #1 DAA AIK #2 Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 23

  24. a simple picture of DAA I know that AIK #1 I know that AIK #2 came from a TPM, came from a TPM, but I don’t know but I don’t know which one. which one. stock broker medical clinic verifier verifier a DAA a DAA signature of signature of AIK #1 AIK #2 TPM EK AIK #1 DAA AIK #2 Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 24

  25. a simple picture of DAA we can’t tell if We can’t tell if AIK #1 and AIK #2 Key #1 and Key came from the #2 came from the I know that AIK #1 I know that AIK #2 same TPM or not. same TPM or not. came from a TPM, came from a TPM, but I don’t know but I don’t know which one. which one. stock broker medical clinic verifier verifier a DAA a DAA signature of signature of AIK #1 AIK #2 TPM EK AIK #1 DAA AIK #2 Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 25

  26. a simple picture of DAA we can’t tell if We can’t tell if AIK #1 and AIK #2 Key #1 and Key came from the #2 came from the I know that AIK #1 I know that AIK #2 same TPM or not. same TPM or not. came from a TPM, came from a TPM, but I don’t know but I don’t know which one. which one. but stock broker medical clinic if the client behaves verifier verifier badly, I can stop him to use my service a DAA a DAA signature of signature of AIK #1 AIK #2 TPM EK AIK #1 DAA AIK #2 Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 26

  27. outline • what is DAA? • what is DAA for? • why DAA? • how does DAA work? Direct anonymous attestation – a signature scheme for TCG 12/10/2005 page 27

Recommend

Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with

Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with

Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with Ernie Brickell, Liqun Chen, Manu Drivers, Anja Lehmann. jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch Direct Anonymous Attestation What

655 views • 31 slides
A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1 Liqun Chen 2 Jiangtao Li 1 1. Intel Corporation, Hillsboro, Oregon, USA 2. Hewlett-Packard Laboratories, Bristol, UK InTrust 2012 Royal Holloway,

827 views • 17 slides
Direct Anonymous Attestation in the Wild 10th January 2019, RWC 2019, San Jose Matuhew Casey,

Direct Anonymous Attestation in the Wild 10th January 2019, RWC 2019, San Jose Matuhew Casey,

Direct Anonymous Attestation in the Wild 10th January 2019, RWC 2019, San Jose Matuhew Casey, Liqun Chen, Thanassis Giannetsos, Chris Newton, Ralf Sasse, Steve Schneider, Helen Treharne, Jorden Whitefjeld 1 Outline DAA in Theory History

338 views • 14 slides
ZISC Information Security Colloquium June 15, 2004 Direct Anonymous Attestation: Achieving

ZISC Information Security Colloquium June 15, 2004 Direct Anonymous Attestation: Achieving

Zurich Research Laboratory ZISC Information Security Colloquium June 15, 2004 Direct Anonymous Attestation: Achieving Privacy in Remote Authentication Jan Camenisch IBM Zurich Research Laboratory jca@zurich.ibm.com Joint work with Ernie

353 views • 24 slides
BEHAVIORAL HEALTH AGENCY (BHA)- LICENSING, ATTESTATION, AND DEEMING Attestation for Substance

BEHAVIORAL HEALTH AGENCY (BHA)- LICENSING, ATTESTATION, AND DEEMING Attestation for Substance

BEHAVIORAL HEALTH AGENCY (BHA)- LICENSING, ATTESTATION, AND DEEMING Attestation for Substance Use Disorder (SUD) Services DOH agrees that an attestation process for SUD services should be an option The attestation process for SUD

474 views • 8 slides
PSA APIs An overview Attestation API 1.0.1 we are in the process of dropping a new

PSA APIs An overview Attestation API 1.0.1 we are in the process of dropping a new

PSA APIs An overview Attestation API 1.0.1 we are in the process of dropping a new release which allows signing using symmetric attestation keys (using COSE Mac0) Fully documented in ARM IHI 0085 TF-M master is slightly behind the

542 views • 17 slides
Attestation (RATS/EAT) Overview Laurence Lundblade February 2020 Entity Attestation Good

Attestation (RATS/EAT) Overview Laurence Lundblade February 2020 Entity Attestation Good

Attestation (RATS/EAT) Overview Laurence Lundblade February 2020 Entity Attestation Good Devices Token Chip & device manufacturer Banking risk engine IoT backend Device ID (e.g. serial number) Boot state, debug state

956 views • 34 slides
Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work with Ben Kreuter, Tancrde Lepoint, Mariana Raykova ia.cr/2020/072 1 Definition Anonymous tokens are lightweight, single-use anonymous credentials.

657 views • 61 slides
Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons

Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons

Two cool ideas: Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons and/or menu items in your VectorGraphics project Three approaches for responding to the events from selecting those buttons /

406 views • 6 slides
12-STEP PROGRAMS Alcoholics Anonymous The Preamble Alcoholics Anonymous is a fellowship

12-STEP PROGRAMS Alcoholics Anonymous The Preamble Alcoholics Anonymous is a fellowship

12-STEP PROGRAMS Alcoholics Anonymous The Preamble Alcoholics Anonymous is a fellowship of men and women who share their experience, strength and hope with each other that they may solve their common problem and help others to recover

1.11k views • 76 slides
Cocaine Anonymous A Presentation to Professionals Presentation Contents Our Aims Today The

Cocaine Anonymous A Presentation to Professionals Presentation Contents Our Aims Today The

Cocaine Anonymous A Presentation to Professionals Presentation Contents Our Aims Today The CA Group Cocaine Anonymous Is The 12 Steps Cocaine Anonymous Is Not Spirituality History of Cocaine Anonymous Sponsorship

700 views • 37 slides
Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and Dan Boneh and Kenny Paterson USENIX Security Symposium Meet Alice the Anonymous Activist Blogger PK A anonymous 2 Alices Lack of Privacy Send

395 views • 21 slides
Task Computability in Unreliable Anonymous Networks Nayuta Yanagisawa DeNA Co., Ltd. Petr

Task Computability in Unreliable Anonymous Networks Nayuta Yanagisawa DeNA Co., Ltd. Petr

Task Computability in Unreliable Anonymous Networks Nayuta Yanagisawa DeNA Co., Ltd. Petr Kuznetsov Telecom ParisTech I am here to talk about ... the computability issues of failure-prone anonymous broadcast models. Anonymous Model

660 views • 21 slides
A Minimalist Approach to Remote Attestation Aurlien Francillon Eurecom Quan Nguyen, Kasper B.

A Minimalist Approach to Remote Attestation Aurlien Francillon Eurecom Quan Nguyen, Kasper B.

A Minimalist Approach to Remote Attestation Aurlien Francillon Eurecom Quan Nguyen, Kasper B. Rasmussen, Gene Tsudik UC Irvine Overview Motivation Definition of Remote Attestation From Definition to Properties From Properties

452 views • 17 slides
THE SECULAR COMING OF AGE INSIDE ALCOHOLICS ANONYMOUS In the 1939 book, Alcoholics Anonymous ,

THE SECULAR COMING OF AGE INSIDE ALCOHOLICS ANONYMOUS In the 1939 book, Alcoholics Anonymous ,

THE SECULAR COMING OF AGE INSIDE ALCOHOLICS ANONYMOUS In the 1939 book, Alcoholics Anonymous , the concept, God as you understand Him including everyone. In 2017 not so much How Many Atheists are there? (last updated May 31,

400 views • 21 slides
Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine The Free

Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine The Free

Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine The Free Haven Project http://tor.eff.org/ April 12, CFP 2005 Talk Outline Motivation: Why anonymous communication? Myth 1: This is only for privacy

488 views • 33 slides
-1- 1 CONTENTS 1. INTRODUCTION 2. HISTORY 3. PRODUCTS 4. ATTESTATION 5. CUSTOMERS 6. VISION

-1- 1 CONTENTS 1. INTRODUCTION 2. HISTORY 3. PRODUCTS 4. ATTESTATION 5. CUSTOMERS 6. VISION

-1- 1 CONTENTS 1. INTRODUCTION 2. HISTORY 3. PRODUCTS 4. ATTESTATION 5. CUSTOMERS 6. VISION 7. PICTURES -2- 2 1.INTRODUCE COMPANY NAME : HY ROBOTICS CO., LTD ( SOUTH KOREA ) HYROBOTICS CORP ( USA ) PRESIDENT : KANG, DAE

364 views • 10 slides
7.1 TEMPORARY INSCRIPTION ATTESTATION What is TIA? Controlling TIA: Every foreign vessel under

7.1 TEMPORARY INSCRIPTION ATTESTATION What is TIA? Controlling TIA: Every foreign vessel under

7.1 TEMPORARY INSCRIPTION ATTESTATION What is TIA? Controlling TIA: Every foreign vessel under contract to operate on BJW shall be subscribed on Inspection Management System SISGEVI. Expire Date of the TIA: The expiring date of the TIA

336 views • 17 slides
Anonymous Communications (I) 01010010010101010101010101 01001010010010111010100

Anonymous Communications (I) 01010010010101010101010101 01001010010010111010100

010100100101010101010101010101010101001001001011 010100100101110101001011100100101000010101100 100101010001010101010001001000011110 0010101011100110010101001011100 10010101010011101001011100101 Anonymous Communications (I)

641 views • 29 slides
Disclaimer "C.A.", "Cocaine Anonymous, we're here and we're free and the C.A.

Disclaimer "C.A.", "Cocaine Anonymous, we're here and we're free and the C.A.

Disclaimer "C.A.", "Cocaine Anonymous, we're here and we're free and the C.A. Logo are registered trademarks of Cocaine Anonymous World Services, Inc. All rights reserved. Some of the items contained in this presentation are

439 views • 29 slides
Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine Free Haven

Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine Free Haven

Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine Free Haven Project Electronic Frontier Foundation http://tor.eff.org/ 17 September 2005 Talk Outline Motivation: Why anonymous communication? Myth 1:

703 views • 47 slides
SC Self Audit Attestation & SQMD Plan Affirmation Elaine Siegel Market Services Policy Lead

SC Self Audit Attestation & SQMD Plan Affirmation Elaine Siegel Market Services Policy Lead

SC Self Audit Attestation & SQMD Plan Affirmation Elaine Siegel Market Services Policy Lead Stakeholder Web Conference August 23, 2018 1:00 PM 2:00 PM (PDT) CAISO Public CAISO Public SC Self Audit Attestation & SQMD Plan

564 views • 12 slides
Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive

Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive

Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive Director EY Chair AICPA Trust Information Integrity Task Force Agenda Item 8-D IAASB Meeting, September 21-25, 2015 New York, USA Page 1 Increasing

444 views • 17 slides
MCUBoot Attestation David Brown What is MCUboot MCUboot Secure bootloader Its History

MCUBoot Attestation David Brown What is MCUboot MCUboot Secure bootloader Its History

MCUBoot Attestation David Brown What is MCUboot MCUboot Secure bootloader Its History Manages signed images Handles updates, maintaining security Currently, custom manifest (SUIT maybe some day) What is TF-M Reference

91 views • 8 slides

More recommend