© 2015 IBM Corporation
Formal Treatment of Privacy-Enhancing Credential Systems
Jan Camenisch, Stefan Krenn, Anja Lehmann, Gerd Læssøe Mikkelsen, Gregory Neven, and Michael Østergaard Pedersen
© 2015 IBM Corporation - Jan Camenisch - EIC 2015 - Identity Mixer - October 15, 2015
Outline
Defining security of complex cryptographic schemes, constructing them, and proving the security of the latter
§ Brief overview of basic credential systems
§ and their extended features
§ Definitional approaches and their difficulties
§ Modular construction of credentials & related security proofs
Privacy-Enhancing Credential System
Privacy-protecting credential system (Privacy-ABC)
Verifiers (Movie Streaming Service)
Issuers (Government)
Users (Alice)
Privacy-protecting credential system (Privacy-ABC)
usk ← UKGen(s)
s ← SPGen(k)
(ipk,isk,RI)s ← IKGen(s)
Assume user has obtained a number of credentials from different issuers.
Presentation: Unlike traditional (attribute) credentials:
§ Alice does not send credential
§ Alice chooses which attributes to disclose
§ Alice applies cryptographic transformation
Privacy-protecting credential system (Privacy-ABC)
Alice - eID with age ≥ 12
(nym,pt) ← Present(usk, scope, {ipk, RI, cred, attr},E,M)
Privacy-protecting credential system (Privacy-ABC)
Alice
(Public Verification Key of issuer)
Aha, you are
- older than 12
(nym,pt) ← Verify(nym,pt, scope, {ipk, RI, attr}, E, M)
Privacy-protecting credential system (Privacy-ABC)
Name = Alice Doe
Birth date = April 3, 1997
(pit,sit,nym) ← ITGen(usk,ipk,scope, rh, attr, {ipk, cred, attr}, E, M)
(cred, RI') ← (U.Issuance(), i.Issuance())
0/1 ← ITVer(...)
Issuance token can contain
§ (hidden) attributes
§ presentation tokens w/ carry over of attributes
Discussion: Key Binding & Pseudonym
Key binding: Alice has a secret key to which credentials get bound → cannot share same credential between different keys.
Not all credentials must be key-bound.
Domain Pseudonyms: Each pseudonym has a scope. Pseudonyms by the same user are linkable w/in the same scope, but unlinkable otherwise.
Discussion – Revocation
There are many different use cases and many solutions
• Anonymized CRLs (using crypto to maintain anonymity)
• Accumulators
• Signing entries & Proof, ....
• Limited validity – certs need to be updated
• ... For proving age, a revoked driver's license still works
RI ← Revoke(isk, RI,rh)
October 28, 2014 © 2013 IBM Corporation
Constructing & Defining and Proving the Security of Privacy-ABCs
Definition, Construction and Security Proofs of Credentials
Want to have modular constructions from simple building blocks to handle complexity:
§ zero-knowledge proofs
§ privacy-enhancing attribute signatures
§ pseudonyms
§ revocation scheme
§ commitment scheme
Privacy ABCs
Components need to be compatible, i.e., work on attributes:
§ secret key, revocation handle, etc. are all treated as attributes
This Paper:
§ Security definitions for each building block and the overall system
§ Generic construction and security proof
§ Instantiation and security proof for each building block
Definition, Construction and Security Proofs of Credentials
Definitional approaches
§ Property based (game based)
– less complex
– considers each property separately
– not always clear to what extent different properties are related/overlapping
– complexity grows in proofs of larger systems, however
– simultaneous fulfillment of all properties not guaranteed (but typically true)
§ Ideal specification (UC-like, simulation based)
– gets complex quickly
– hard to deal with cryptographic values
– need additional property analysis
– no re-winding when composability is wanted → efficiency penalty in constructions
– somewhat easier w.r.t. modular construction and proofs of large systems
Security Definition of Privacy ABCs – 4 Properties
4 Properties
§ Correctness
§ Pseudonym Collision Resistance
§ Unforgeability
§ Privacy (weak, strong)
Correctness: … the obvious one, plus: the pseudonym must be a deterministic function of (syspar, scope, usk) → same nym output by ITGen and Present
Pseudonym Collision Resistance:
§ No adversary can find two usk's for the same pseudonym & scope
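The domain-pseudonym behaviour and the determinism requirement above, as an added example that is not from the slides or the authors' code. It assumes a scope-exclusive pseudonym of the form nym = H(scope)^usk with a Schnorr proof (Fiat-Shamir) as the presentation token, uses toy group parameters, and leaves out credentials, issuers, revocation and the attribute relation E; `sp_gen`, `uk_gen`, `present` and `verify` are hypothetical stand-ins named after the slide's algorithms.

```python
import hashlib
import secrets
from itertools import count

Q = 2**127 - 1  # prime subgroup order (Mersenne prime); toy size, not a secure parameter

def _is_prime(n):  # Miller-Rabin with fixed bases (probabilistic; fine for a toy setup)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        x = pow(a, d, n)
        if x not in (1, n - 1) and all(pow(x, 2**i, n) != n - 1 for i in range(1, r)):
            return False
    return True

def sp_gen():
    """Toy SPGen: smallest prime P = 2*k*Q + 1, so Z_P^* has a subgroup of order Q."""
    return next(p for p in (2 * k * Q + 1 for k in count(1)) if _is_prime(p))
P = sp_gen()

def _h(*parts):
    """SHA-256 over length-prefixed parts, returned as an integer."""
    enc = [str(x).encode() for x in parts]
    data = b"".join(len(e).to_bytes(4, "big") + e for e in enc)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def scope_base(scope):
    """Hash the scope to an element of the order-Q subgroup."""
    return pow(_h("base", scope) % P, (P - 1) // Q, P)

def uk_gen():
    return secrets.randbelow(Q - 1) + 1  # usk in [1, Q-1]

def present(usk, scope, M):
    """Return (nym, pt): nym = H(scope)^usk (assumed form), pt = Schnorr proof bound to M."""
    h = scope_base(scope)
    nym, r = pow(h, usk, P), secrets.randbelow(Q)
    c = _h("chal", scope, nym, pow(h, r, P), M) % Q
    return nym, (c, (r + c * usk) % Q)

def verify(nym, pt, scope, M):
    """Accept iff pt proves knowledge of log_{H(scope)}(nym) for message M."""
    (c, s), h = pt, scope_base(scope)
    if not (1 < nym < P and pow(nym, Q, P) == 1 and 0 <= c < Q):
        return False
    t = pow(h, s, P) * pow(nym, Q - c, P) % P  # h^s * nym^(-c) = h^r when honest
    return c == _h("chal", scope, nym, t, M) % Q
```

Two presentations by the same usk under one scope carry the same nym but fresh tokens; under a different scope the nym changes, which is the linkability boundary the slides describe.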
Security Definition of Privacy ABCs – 4 Properties
Unforgeability: Problem: not like signatures b/c one only sees presentation tokens
Definition: No adversary can output valid presentation tokens that are not consistent, i.e., there exist sets of secret keys and credentials (list of attributes) such that
§ not more credentials than issuance records (for honest issuers and per rh)
§ all presentation & issuance tokens correspond to legitimately obtained un-revoked credentials:
– attributes are consistent
– credentials are non-revoked w.r.t. epoch of presentation token
– pseudonyms and credentials consistent with secret keys and scope
Discussion:
§ no existential forgery (e.g., no forgery re-use of pt and pit generated by honest user)
§ blind attributes in pit only satisfy relation E (Adv could use same pit leading to different creds)
§ tokens can be generated for epochs earlier than the one of the underlying credential
OI
OU
Security Definition of Privacy ABCs – 4 Properties
Privacy (strong, weak):
Idea: Simulator that generates pit, pt, nym given only revealed information, i.e.,
§ no user ID, hidden attributes, or which issuance & presentation were done by the same user
§ Adversary cannot distinguish between interacting with simulator and honest users
Problem: That is not enough information for the simulator b/c of future interactions
§ Dependencies caused by nyms and revocation across issuance and presentation
§ Dependencies between revealed values in pit, pt and issued credentials
→ cannot know which queries can be satisfied
Solution:
Oracle queries of Adv are first filtered by a filter F that knows all the information and then tells the simulator what to do. → similar to an ideal functionality
Security Definition of Privacy ABCs – 4 Properties
Privacy (strong, weak):
Figure labels: F, SIM; Instructions, credID
Filter F: no crypto
Weak privacy: Sim is told to which prior presentation the link should be made
Instructions & credID: no crypto
Related Work
§ Chaum (1981):
– Concept of Privacy-ABCs
§ Many authors but no formal definitions for Privacy-ABCs.
§ Chase et al (2009):
– Property based definitions for delegatable credentials & p-signatures
– no attributes, revocation, advanced issuance
§ Camenisch & Lysyanskaya (2000):
– ideal/real world definition, but not UC, no attributes
§ Camenisch et al. (2015 - e-print)
– UC definition of credentials w. attributes, but no other features
§ Realizations:
– IBM identity mixer
– Microsoft U-Prove
Conclusion
§ Defining security is notoriously hard
– property based vs simulation based
§ Need modular approaches
– constructions
– definitions
– proofs
§ … while retaining efficiency
§ Current construction approaches often have “proof” artifacts
– verifiable encryptions
– equivocal commitments
§ Security proofs are not appreciated sufficiently by our community
– hard to read, always in the appendix, ....
– minority of papers about wrong proofs or better proofs
§ Regarding this work (security definitions of credentials)
– incorporating more features (inspection, verifier driven revocation/blacklisting, ..)
– UC/simulation based definitions & comparing the two
Thank you!
§ me
– [email protected]
– ibm.biz/jancamenisch
– @JanCamenisch
§ Links:
– www.abc4trust.eu
– www.futureID.eu
– www.au2eu.eu
– www.PrimeLife.eu
– www.zurich.ibm.com/idemix
– idemixdemo.zurich.ibm.com
§ Code
– github.com/p2abcengine & abc4trust.eu/idemix
Privacy-protecting authentication with Privacy ABCs
Alice
Movie Streaming Service
12 < age
(Issuer parameter)
Credential
Presentation token
Presentation policy
Pseudonym
(Verifier parameter)
Credential specification
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need:
- subscription
- be older than 12
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok, here's
- my eID
- my subscription
Using digital equivalent of paper world, e.g., with X.509 Certificates
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha, you are
- Alice Doe
- born on Dec 12, 1975
- 7 Waterdrive
- CH 8003 Zurich
- Married
- Expires Aug 4, 2018
Mplex Customer
- #1029347
- Premium Subscription
- Expires Jan 13, 2016
...with X.509 Certificates
This is a privacy and security problem!
- identity theft
- profiling
- discrimination
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solutions, e.g., log-in with Facebook
Aha, Alice is watching a 12+ movie
Aha, you are
- [email protected] 12+
Mplex Customer
- #1029347
- Premium Subscription
- Expires Jan 13, 2016
Privacy ABCs such as Identity Mixer solve this.
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
- has a subscription
- is older than 12
and no more!
Like PKI, but better:
§ One secret Identity (secret key)
§ Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
Concepts: Key binding & Pseudonyms
Like PKI, but better:
§ Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Concept: credentials
Name = Alice Doe
Birth date = April 3, 1997
Privacy-protecting authentication with Privacy ABCs
Alice
I wish to see Alice in Wonderland
You need:
- subscription
- be older than 12
Movie Streaming Service
Concept: presentation policy
Like PKI
§ but does not send credential
§ only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
Alice
Movie Streaming Service
- valid subscription - eID with age ≥ 12
Concept: presentation token
Privacy-protecting authentication with Privacy ABCs
Alice
Aha, you are
- older than 12
- have a subscription
Movie Streaming Service
Like PKI
§ but does not send credential
§ only minimal disclosure
(Public Verification Key of issuer)
So, let's watch a movie!
idemixdemo.mybluemix.net
idemixdemo.zurich.ibm.com
A couple of use cases
Identity, Identity Management, & Authentication
name
salary
credit card number
hobbies
phone number
address
language skills
leisure
shopping
work
public authority
nick name
blood group
health care
marital status
birth date
health status
insurance
■ ID:
– (dynamic) set of attributes shared w/ someone
– different with different entities
■ ID Management: two things to make identities useful
– authentication means: strong e-authentication
– means to transport attributes between parties: certified attributes
Age verification
§ Movie streaming services
§ Gaming industry
§ Online gambling platforms
§ Dating websites
§ Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation
Healthcare Use Case
Anonymous consultations with specialists– online chat with a psychologist – online consultation with IBM Watson
Alice gets a health insurance credential
1. Alice proves she has insurance
2. Alice describes symptoms
3. Alice gets credential that she is allowed to get treatment
4. Alice gets treatment from physician, hospital, etc.
5. Alice sends bill to insurance and proves that she had gotten the necessary permission for the treatment.
Insurance
Health portal