Introduction Settings Requirements Building Blocks Protocol Description Discussion

Privacy-Preserving Telemonitoring for eHealth

Mohamed Layouni ⋆, Kristof Verslype †, Mehmet Tahir Sandıkkaya ‡, Bart De Decker †, Hans Vangheluwe ⋆

⋆ School of Computer Science, McGill University, Canada
† Department of Computer Science, KULeuven, Belgium
‡ Katholieke Hogeschool Sint-Lieven, Gent, Belgium

MSDL 2009 Summer Presentations
27 August 2009, McGill University

Motivation

Telemonitoring ≡ monitoring patients' health in their natural environment (home, work, family etc.)

Why is it useful?
- Reduces the burden on public healthcare system
- Helps patients remain active and improves the healing process
- Helps elderly people remain active/independent and avoid nursing homes
- ...

Motivation

But! Privacy concerns are still a big obstacle to the adoption of such a system/service
- Patients are skeptical about the way their data is handled
- Patients are also concerned about the dependability/reliability of the system

Focus of this work: Information Security and Privacy

We try to answer questions such as:
- Who gets to see the patient's information?
- How is this information stored? retained? processed?
- Can the patient decide what information gets revealed? to whom?
- In case a monitoring device is used, is it possible to control what data this device communicates to the outside world?

Outline

1. Introduction
2. Settings
3. Requirements
4. Building Blocks
5. Protocol Description
6. Discussion

Overview

[Figure: Setting of the Health Telemonitoring System. Labels: Patient, Patient Home, Master Monitoring Device M, Hospital, Doctor]

Sample Security and Privacy Requirements

Privacy Requirements
- Selective disclosure
- Patient-centricity
- Pseudonymity
- Conditional deanonymization

Security Requirements
- Confidentiality
- Integrity

General Overview

[Figure: Health Telemonitoring System – General Overview. Labels: Patient-controlled Computer U, Patient SmartCard (Observer O), Joint Signing, Measurement Device 1 ... Measurement Device n, SymEnc(D1) ... SymEnc(Dn), Sanitized Data, Master Monitoring Device M, Encrypted / Signed, Monitoring Center (Hospital)]

Execution sequence: Black, Blue, Red

General Overview

Proposed construction based on:
- Wallet-based Anonymous Credentials.
- Perfectly Blinding Commitment Schemes.
- Conventional Symmetric-Key Cryptosystems.

Anonymous Credentials

[Figure: Anonymous Credential Issuing, Showing, and Depositing. Labels: Issuer, User, Verifier, Verifiers; Cred (A1,..,An); Show Cred / Prove Pred(A1,...,An); Provide Service; Deposit Showing Transcript]

Anonymous Credentials

Properties of Privacy-preserving (Anonymous) Credentials
- Selective disclosure (in the sense of Zero Knowledge)
- Unforgeability (issuing)
- Soundness (no false claims)
- No framing (showing transcript unforgeability)
- Untraceability (showings unlinkable to user's identity)
- Unlinkability (between showings)
- Limited-show unlinkability, untraceability
- ...

Existing Commercial Implementations
- IBM's IDEMIX (Camenisch and Lysyanskaya)
- Credentica's (now Microsoft) U-Prove (Brands)

Wallet-based Anonymous Credentials

[Figure: Wallet-based Anonymous Credential Showing (Wallet-based Issuing is similar). Labels: User-controlled Computer U, User SmartCard (Observer O), Verifier/Issuer, Joint Credential Showing / Issuing]

- Wallet-with-Observer paradigm invented by Chaum and Pedersen [CP92]. Improved by Cramer and Pedersen [CP93], and later by Brands [Br00].
- Properties of wallet-based Anonymous Credentials:
  - Inflow/Outflow prevention
  - Cred showing fraud prevention
  - Two-factor authentication
  - ...

Wallet-based Anonymous Credentials

Public Info: $(g_i)_{0 \le i \le \ell}$, $h_0 = g_0^{x_0}$, $(g_i^{x_0})_{1 \le i \le \ell}$, $h_0^{x_0}$, $q$, $G_q$, $H$, $g_O$

Parties and private inputs:
- Observer $O$: $(x, e, \mathrm{cert}_{CA}(e))$
- User's computer $U$: $(x_3, \cdots, x_{\ell-1})$
- Issuer $CA$: $(x_0, x_{\ell'+1}, \cdots, x_{\ell-1})$

Protocol:
1. $CA \rightarrow U \rightarrow O$: $m_0$, where $m_0 = \mathrm{nonce} \,\|\, \ldots$
2. $O$: picks $x_1, x_2 \in_R \mathbb{Z}_q$ and computes
   $\mathrm{com}_1 := g_1^{x_1} g_2^{x_2}$
   $\mathrm{com}_1^{x_0} := (g_1^{x_0})^{x_1} (g_2^{x_0})^{x_2}$
3. $O \rightarrow U$: $\mathrm{com}_1$, $\mathrm{com}_1^{x_0}$, $(e, \mathrm{cert}_{CA}(e))$, and
   $M_1 = SPK\{(\alpha_1, \alpha_2, \beta) : \mathrm{com}_1 = g_1^{\alpha_1} g_2^{\alpha_2} \wedge e = g_O^{\beta}\}(m_0)$
   $O$ stores $(x_1, x_2)$.
4. $U$: picks $x_\ell \in_R \mathbb{Z}_q$ and computes
   $\mathrm{com}_2 := g_3^{x_3} \cdots g_{\ell'}^{x_{\ell'}} g_\ell^{x_\ell}$
5. $U \rightarrow CA$: $\mathrm{com}_2$, $M_1$, and
   $SPK\{(\varepsilon_3, \cdots, \varepsilon_{\ell'}, \varepsilon_\ell) : \mathrm{com}_2 = g_3^{\varepsilon_3} \cdots g_{\ell'}^{\varepsilon_{\ell'}} g_\ell^{\varepsilon_\ell} \wedge P(\varepsilon_3, \cdots, \varepsilon_{\ell'}, \varepsilon_\ell) = \mathrm{TRUE}\}(m_0, M_1)$
6. $CA$: picks $w_0 \in_R \mathbb{Z}_q$ and computes
   $a_0 := g_0^{w_0}$
   $b_0 := (\mathrm{com}_1 \cdot \mathrm{com}_2 \cdot g_{\ell'+1}^{x_{\ell'+1}} \cdots g_{\ell-1}^{x_{\ell-1}} \cdot h_0)^{w_0}$
7. $CA \rightarrow U$: $a_0, b_0$
8. $U$: picks $\alpha_1, \alpha_2, \alpha_3 \in_R \mathbb{Z}_q$ and computes
   $f := \mathrm{com}_1 \cdot \mathrm{com}_2 \cdot g_{\ell'+1}^{x_{\ell'+1}} \cdots g_{\ell-1}^{x_{\ell-1}} \cdot h_0$
   $h := f^{\alpha_1}$
   $z = f^{x_0} := \mathrm{com}_1^{x_0} \cdot (g_3^{x_0})^{x_3} \cdots (g_{\ell-1}^{x_0})^{x_{\ell-1}} \cdot h_0^{x_0}$
   $z' := z^{\alpha_1}$
   $a_0' := h_0^{\alpha_2} g_0^{\alpha_3} a_0$
   $b_0' := (z')^{\alpha_2} h^{\alpha_3} b_0^{\alpha_1}$
   $c_0' := H(h, z', a_0', b_0')$
   $c_0 := c_0' + \alpha_2 \bmod q$
9. $U \rightarrow CA$: $c_0$
10. $CA$: $r_0 := c_0 x_0 + w_0$
11. $CA \rightarrow U$: $r_0$
12. $U$: computes $r_0' := r_0 + \alpha_3$ and accepts iff
    $a_0' b_0' = (g_0 h)^{r_0'} (h_0 z')^{-c_0'}$
    $U$ stores $h$, $\sigma_{CA}(h) = (z', r_0', c_0')$, $\mathrm{com}_1$, $\alpha_1$, $(x_3, \cdots, x_\ell)$.

Figure: Wallet-based Anonymous Credential Issuing

Wallet-based Anonymous Credentials

Issuing Protocol Summary

At the end of the issuing protocol, the pair $(O, U)$ obtains an anonymous credential $(h, \sigma_{CA}(h))$ with attributes $x_1, \cdots, x_\ell$, such that:
- $U$ knows only $x_3, \cdots, x_\ell$.
- $O$ knows only $x_1, x_2$.
- Issuer knows only $x_{\ell'+1}, \cdots, x_{\ell-1}$, where $\ell' \le \ell - 2$.
- $O$ and Issuer do not learn information on $(h, \sigma_{CA}(h))$.

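The blinding algebra of the issuing protocol, run end to end as an added example (not code from the presentation). It assumes a toy group found at import time, $\ell = 5$ and $\ell' = 3$, omits both SPK proofs, and uses hypothetical names (`issue`, `verify`, `rnd`); `verify` recomputes $a_0'$, $b_0'$ from the signature, which is an assumed form of the "signature is valid" check.

```python
import hashlib, secrets
from itertools import count
from math import isqrt, prod

# Toy parameters (assumption): order-q subgroup of Z_p*, p = 2q + 1; not a secure size.
is_prime = lambda n: n > 1 and all(n % d for d in range(2, isqrt(n) + 1))
q = next(n for n in count(2**31) if is_prime(n) and is_prime(2 * n + 1))
p = 2 * q + 1
g = [pow(b, 2, p) for b in (2, 3, 5, 7, 11, 13)]   # g_0..g_5, i.e. l = 5, l' = 3
rnd = lambda: secrets.randbelow(q - 1) + 1          # nonzero element of Z_q

def H(*v):
    return int.from_bytes(hashlib.sha256(repr(v).encode()).digest(), "big") % q

def issue():
    x0 = rnd(); h0 = pow(g[0], x0, p)                       # CA secret x_0, public h_0
    gx = [pow(gi, x0, p) for gi in g]; h0x = pow(h0, x0, p) # published g_i^{x_0}, h_0^{x_0}
    x = [None] + [rnd() for _ in range(5)]                  # x_1,x_2: O  x_3,x_5: U  x_4: CA
    com1 = prod(pow(g[i], x[i], p) for i in (1, 2)) % p     # O commits to x_1, x_2
    com1x = prod(pow(gx[i], x[i], p) for i in (1, 2)) % p   # com_1^{x_0}
    com2 = prod(pow(g[i], x[i], p) for i in (3, 5)) % p     # U commits to x_3, x_l
    f = com1 * com2 * pow(g[4], x[4], p) * h0 % p           # computed by both CA and U
    w0 = rnd(); a0, b0 = pow(g[0], w0, p), pow(f, w0, p)    # CA -> U
    al1, al2, al3 = rnd(), rnd(), rnd()                     # U's blinding factors
    h = pow(f, al1, p)
    z = com1x * prod(pow(gx[i], x[i], p) for i in (3, 4, 5)) * h0x % p   # z = f^{x_0}
    z1 = pow(z, al1, p)                                     # z' = z^{alpha_1}
    a1 = pow(h0, al2, p) * pow(g[0], al3, p) * a0 % p
    b1 = pow(z1, al2, p) * pow(h, al3, p) * pow(b0, al1, p) % p
    c1 = H(h, z1, a1, b1); c0 = (c1 + al2) % q              # only c_0 is sent to the CA
    r0 = (c0 * x0 + w0) % q                                 # CA's response
    r1 = (r0 + al3) % q
    accept = a1 * b1 % p == pow(g[0] * h, r1, p) * pow(h0 * z1, -c1, p) % p
    return {"h0": h0, "h": h, "sig": (z1, r1, c1), "accept": accept,
            "ca_view": (f, c0, r0), "z_ok": z == pow(f, x0, p)}

def verify(h0, h, sig):
    # Recompute a_0', b_0' from the signature and compare the hash (assumed check).
    z1, r1, c1 = sig
    a = pow(g[0], r1, p) * pow(h0, -c1, p) % p
    b = pow(h, r1, p) * pow(z1, -c1, p) % p
    return c1 == H(h, z1, a, b)
```

The values the CA sees (`ca_view`) differ from the stored credential in every component that the blinding factors touch, which is what keeps the issuer from recognising $(h, \sigma_{CA}(h))$ later.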
Wallet-based Anonymous Credentials

Public Info: $(g_i)_{0 \le i \le \ell}$, $h_0 = g_0^{x_0}$, $(g_i^{x_0})_{1 \le i \le \ell}$, $h_0^{x_0}$, $q$, $G_q$, $H$, $g_O$

Parties and private inputs:
- Observer $O$: $(x_1, x_2)$
- $U$: $(x_3, \cdots, x_\ell, \alpha_1, \mathrm{com}_1, h, \sigma_{CA}(h))$
- Verifier

where $\sigma_{CA}(h) = (z', r_0', c_0')$ and $h = (h_0 \cdot \prod_{i=1}^{\ell} g_i^{x_i})^{\alpha_1} = h_0^{\alpha_1} \cdot \prod_{i=1}^{\ell} g_i^{(\alpha_1 x_i)}$

Protocol:
1. Verifier $\rightarrow U$: $m$, where $m := \mathrm{nonce} \,\|\, \ldots$
2. $O$: picks $w_1, w_2 \in_R \mathbb{Z}_q$ and computes $a_O := g_1^{w_1} g_2^{w_2}$
3. $O \rightarrow U$: $a_O$
4. $U$: picks $\beta, \gamma_1, \gamma_2, w_0, w_i \in_R \mathbb{Z}_q$, where $i \in [3, \ell]$, and computes
   $a_U := h_0^{w_0} \cdot \prod_{i=3}^{\ell} g_i^{w_i}$
   $a := a_O \cdot a_U \cdot \mathrm{com}_1^{(\alpha_1 \beta)} g_1^{\gamma_1} g_2^{\gamma_2}$
   $c := H(h, a, m)$
   $c_O := \alpha_1 (c + \beta)$
5. $U \rightarrow O$: $c_O$
6. $O$: computes
   $r_{O,1} := w_1 + c_O x_1$
   $r_{O,2} := w_2 + c_O x_2$
7. $O \rightarrow U$: $r_{O,1}, r_{O,2}$
8. $U$: computes
   $r_1 := r_{O,1} + \gamma_1$
   $r_2 := r_{O,2} + \gamma_2$
   $r_i := w_i + c(\alpha_1 x_i)$, where $i \in [3, \ell]$
   $r_0 := w_0 + c\alpha_1$
9. $U \rightarrow$ Verifier: $h$, $\sigma_{CA}(h)$, $a$, $(r_0, \cdots, r_\ell)$
10. Verifier: computes $c := H(h, a, m)$ and accepts iff $\sigma_{CA}(h)$ is valid AND
    $a \stackrel{?}{=} \left(h_0^{r_0} \cdot \prod_{i=1}^{\ell} g_i^{r_i}\right) \cdot h^{-c}$

Figure: Wallet-based Anonymous Credential Showing

Wallet-based Anonymous Credentials

Showing Protocol Summary

At the end of the showing protocol, the Verifier is convinced that:
- $U$ holds a valid credential $(h, \sigma_{CA}(h))$.
- $U$ knows the attributes $x_3, \cdots, x_\ell$ (i.e., is the cred owner).
- $O$ approved the showing.

The verifier learns only information willingly disclosed by the pair $(O, U)$.

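The showing protocol with the observer as a separate party, as an added example (not code from the presentation). It assumes a toy group found at import time and $\ell = 4$, skips the check of $\sigma_{CA}(h)$, and uses hypothetical names (`Observer`, `setup`, `show`, `verify`); a showing answered by a card holding the wrong $(x_1, x_2)$ fails the verifier's equation.

```python
import hashlib, secrets
from itertools import count
from math import isqrt, prod

# Toy parameters (assumption): order-q subgroup of Z_p*, p = 2q + 1; not a secure size.
is_prime = lambda n: n > 1 and all(n % d for d in range(2, isqrt(n) + 1))
q = next(n for n in count(2**31) if is_prime(n) and is_prime(2 * n + 1))
p = 2 * q + 1
g = [pow(b, 2, p) for b in (2, 3, 5, 7, 11)]       # g_0..g_4, i.e. l = 4
rnd = lambda: secrets.randbelow(q - 1) + 1          # nonzero element of Z_q

def H(*v):
    return int.from_bytes(hashlib.sha256(repr(v).encode()).digest(), "big") % q

class Observer:                                     # smartcard O, holds (x_1, x_2)
    def __init__(self, x1, x2): self.x = (x1, x2)
    def commit(self):                               # a_O := g_1^{w_1} g_2^{w_2}
        self.w = (rnd(), rnd())
        return pow(g[1], self.w[0], p) * pow(g[2], self.w[1], p) % p
    def respond(self, cO):                          # r_{O,j} := w_j + c_O x_j
        return [(w + cO * x) % q for w, x in zip(self.w, self.x)]

def setup(l=4):                                     # stands in for a completed issuing run
    h0, al1 = pow(g[0], rnd(), p), rnd()
    x = {i: rnd() for i in range(1, l + 1)}
    h = pow(h0 * prod(pow(g[i], x[i], p) for i in x), al1, p)
    com1 = pow(g[1], x[1], p) * pow(g[2], x[2], p) % p
    return h0, x, al1, h, com1

def show(obs, xs, al1, com1, h, h0, m):             # U's side; xs = {3: x_3, ..., l: x_l}
    aO = obs.commit()
    beta, gam1, gam2, w0 = rnd(), rnd(), rnd(), rnd()
    w = {i: rnd() for i in xs}
    aU = pow(h0, w0, p) * prod(pow(g[i], w[i], p) for i in xs) % p
    a = aO * aU * pow(com1, al1 * beta, p) * pow(g[1], gam1, p) * pow(g[2], gam2, p) % p
    c = H(h, a, m); cO = al1 * (c + beta) % q       # O only ever sees a_O and c_O
    rO1, rO2 = obs.respond(cO)
    r = [(w0 + c * al1) % q, (rO1 + gam1) % q, (rO2 + gam2) % q]
    r += [(w[i] + c * al1 * xs[i]) % q for i in sorted(xs)]
    return a, r

def verify(h0, h, m, a, r):                         # verifier's equation only
    c = H(h, a, m)
    rhs = pow(h0, r[0], p) * prod(pow(g[i], r[i], p) for i in range(1, len(r)))
    return a == rhs * pow(h, -c, p) % p
```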
High-level description

[Figure: High-level Protocol Architecture (with two-factor message authentication). Labels: Master Monitoring Device M; Monitoring Center (Hospital); Patient: SmartCard O holding $x_1, x_2$ and Patient-Controlled Computer U holding $x_3, \ldots, x_\ell$, which jointly compute signature SPK. Messages: (a) sanitized EHR (sEHR); (b) $SPK_{Patient}(sEHR)$; (c) $Enc_{Hospital}\{Sig_M(SPK), sEHR\}$]