Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems Anja Lehmann IBM Research – Zurich
ROADMAP Anonymous onymous Credentia edentials ls ▪ – privac ivacy-pres preservin rving (use ser) r) authe hentic ntication ation Pseud eudonym onym Syste tems ms ▪ – privac ivacy-pres preservin rving & a auditable ditable data ta excha hange nge 2
Strong User Authentication ▪ Strong (user) authentication via certificates / attribute-based credentials – Many European countries have or will introduce eID cards – Desirable for security, but detrimental for privacy – Existing schemes require full information disclosure & user is linkable in all transactions → This is a privacy and security problem! – Linkability enables tracking & profiling of users Aha, you are Alice Doe – Acquired personal data requires protection born on Dec 12, 1978 live at Waterdrive 22, Berlin eID expires Aug 4, 2018 Name Alice Doe Date Of Birth Dec 12, 1978 Address Waterdrive 22 City Berlin Country Germany Servic ice Expiry Date Aug 4, 2018 Prov ovid ider Movie Streaming Service 3
Strong & Privacy-Preserving User Authentication ▪ Envisioned by Chaum in 1981, first full scheme by Camenisch & Lysyanskaya in 2001 – User can selective ively ly disclose each attribute – User can prove predicates over the attribut utes , e.g., “I'm over 18” – Unlink nkable le authentication as default, linkability as an option Aha, you are user “ Moviefan ”, from Germany, have valid eID and are over 18! Pseudonym Moviefan Name Alice Doe Date of Birth > 18 ye years ago Address 7 Waterdrive City 8003 Zurich Country Germany Servic ice Expiry Date > tod oday Prov ovid ider Movie Streaming Service 4
Strong & Privacy-Preserving User Authentication ▪ Envisioned by Chaum in 1981, first full scheme by Camenisch & Lysyanskaya in 2001 – User can selective ively ly disclose each attribute – User can prove predicates over the attribut utes , e.g., “I'm over 18” – Unlink nkable le authentication as default, linkability as an option Aha, you have are user “Alice2000”,... Alice2000 = Moviefan ? Pseudonym Alice200 Name Alice Doe Date of Birth > 18 ye years ago Address 7 Waterdrive City 8003 Zurich Country Germany Servic ice Expiry Date > tod oday Prov ovid ider Movie Streaming Service 5
Privacy-Enhancing Credentials | Existing Solutions ▪ Most prominent core-credential/signature schemes: Identity Mixer (IBM) U-Prove (Microsoft) One-time use credentials Multi-use credentials (multi-use via batch-issuance) Zero-Knowledge Proofs Blind Signatures Strong RSA, pairings (LRSW, qSDH) RSA, DL 6
Privacy-Enhancing Credentials | Extended Features ▪ Many more extensions & properties: – Revocation, multi-credential proofs, issuance with carry-over attributes, conditional disclosure, „symmetric“ credentials ▪ Various cryptographic realizations 7
Privacy-Enhancing Credentials | Generic Framework ABC4Trust (EU project) ▪ Technology- independent & „easy -to- use“ framework – Comprehensive & standardized language framework – Technology-agnostic credential & policy handling on top of crypto engine – Generic, automated crypto engine www.zurich.ibm.com/idemix request resource Access Control presentation policy Browser/ Application Engine Application presentation token application Credential Wallet layer User er Crede redent ntia ial l Engine ngine Verifie Veri fier Cred eden ential ial Engin gine policy policy credential policy token storage storage matcher matcher layer evidence verification evidence generation token credential orchestration orchestration mgr mgr Crypt pto o Engin gine Crypt pto o Engin gine crypto layer ZKP Sig Com ZKP Sig Com 8
Privacy-Enhancing Credentials | New Applications Pseudonym CA Long-term CA revocation ▪ V2X communication (vehicles (V2V) and infrastructure (V2I)) status – Security needs: authentication & privacy – Current approach: pseudonym CA long-term – Privacy-credentials fit perfectly! (almost) certificate status msg pseudonym certificates ▪ Hardware-based device/user attestation (DAA) – Draft for FIDO standard TPM – FIDO ("Fast IDentity Online") Alliance = industry consortium developing standardized strong user/device authentication ▪ Blockchain: “eternal” and public transaction ledger – Privacy credentials needed to avoid privacy nightmare – Identity Mixer being integrated into Hyperledger Fabric – IBM joined the Sovrin Foundation – decentralized digital identity network 9
ROADMAP Anonymous onymous Credentia edentials ls ▪ – privacy ivacy-pres preservin rving (use ser) r) authe hentic ntication ation Pseud eudonym onym Syste tems ms ▪ – privacy ivacy-pr pres eservin rving & au audi ditable table data ta excha hang nge [CL15] Camenisch, Lehmann. (Un)linkable Pseudonyms for Governmental Databases . CCS15. [CL17] Camenisch, Lehmann. Privacy-Preserving User-Auditable Pseudonym Systems . IEEE EuroSP17. 10
Pseudonym System | Motivation ▪ How to exchange and correlate (pseudonymous) data ? Labor Lab oratory – E.g., eHealth records, social security system He Healt alth – User-centric conversion inconvenient & unreliable Ins nsurance Doc octor A P89d P8 9dy ID ID Dat Data Hba02 Doc octor B P89dy 912uj Uniq nique ID Bob.0411 ML3 L3m5 Hos Hospit ital ID ID Dat Data ML3m5 sD7Ab y2B4m 11
Pseudonym System | Globally Unique Pseudonyms ▪ Data gets associated with globally unique identifiers / pseudonyms Lab Labor oratory – E.g., social security number in US, Belgium, Sweden, ... He Healt alth Ins nsurance Doc octor A ML3 L3m5 ID ID Dat Data Hba02 Doc octor B ML3m5 912uj Uniq nique ID Bob.0411 ML3 L3m5 Hos Hospit ital ID ID Dat Data ML3m5 sD7Ab ▪ Unique identifiers are secu ecurit ity & & pri privacy ri risk y2B4m – no control about data exchange & usage – if associated data is lost, all pieces can be linked together – linkability of data allows re- identification of “anonymized” data (e.g. Netflix challenge) 12
Pseudonym System | Local Pseudonyms & Trusted Converter ▪ User data is associated with random looking local identifiers – the pseudonyms ▪ Only central entity – the converter – can link & convert pseudonyms Doctor A Doc new Japan eID / social ID ID Data Record of P89dy security number system (?) from Hospital? Hba02 P89dy Converter 912uj Main ain ID Doc octor A Hospit Hos ital Record of Alice.1210 Hba02 7twnG ML3m5 ? Bob.0411 P89dy ML3m5 Hos ospital Carol.2503 912uj sD7Ab ID ID Data ML3m5 sD7Ab + control about data exchange y2B4m + + if records are lost, pieces cannot be linked together 13
Pseudonym System | Local Pseudonyms & Trusted Converter ▪ User data is associated with random looking local identifiers – the pseudonyms ▪ Only central entity – the converter – can link & convert pseudonyms Doc Doctor A ID ID Data Record of P89dy User Por ortal l for or Bob.0411 from Hospital? Hba02 Doctor A → Hospital. 02/26/2017 P89dy Converter … 912uj Main ain ID Doc octor A Hos Hospit ital Record of Alice.1210 Hba02 7twnG ML3m5 ? Bob.0411 P89dy ML3m5 Hos ospital Carol.2503 912uj sD7Ab ID ID Data ML3m5 sD7Ab + control about data exchange y2B4m Uniq nique ID + + if records are lost, pieces cannot be linked together Bob.0411 + + converter can provide audit logs to users (GDPR-requirement) – converter lear earns al all req equest & & kno knows al all corr orrela latio ions 14
Pseudonym System | Local Pseudonyms & Oblivious Converter ▪ User data is associated with random looking local identifiers – the pseudonyms ▪ Only central entity – the converter – can link & convert pseudonyms Doctor A Doc ID ID Data Record of P89dy User Por ortal l for or Bob.0411 from Hospital? Hba02 Doctor A → Hospital. 02/26/2017 P89dy Converter … 912uj Main ain ID Doc octor A Hos Hospit ital Record of Alice.1210 Hba02 7twnG ML3m5 ? Bob.0411 P89dy ML3m5 Hos ospital Carol.2503 912uj sD7Ab ID ID Data ML3m5 sD7Ab + control about data exchange y2B4m Uniq nique ID + if records are lost, pieces cannot be linked together + Bob.0411 + converter can provide audit logs to users (GDPR-requirement) + – converter lear earns al all req equest & & kno knows al all corr orrela latio ions 15
(Un)linkable Pseudonyms | Pseudonym Generation ▪ User, converter & server jointly derive pseudonyms from unique identifiers P89d P8 9dy Doctor A Doc ID ID Data Hba02 Converter P89dy 912uj Hos ospital ML3 L3m5 ID ID Data ML3m5 Uniq nique ID sD7Ab Bob.0411 y2B4m ▪ [CL15] generation triggered by converter, knows unique IDs ▪ [CL17] oblivious pseudonym generation triggered by user 16
(Un)linkable Pseudonyms | Pseudonym Conversion ▪ Only converter can link & convert pseudonyms, but does so in a blind way Doc Doctor A ID ID Data Record of Record of Record of P89dy P89dy Hba02 P89dy at Hospital at Hospital at Hospital Converter P89dy blind conversion request blind conversion 912uj unblinding conversion response Record of P89dy ? Record of Record of P89dy ? ML3 L3m5 ? Hos ospital ID ID Data ML3m5 sD7Ab y2B4m 17
Recommend
More recommend