Formal Treatment of Privacy- Enhancing Credential Systems · 8/12/2015 · Oracle queries of Adv are first filtered by filter F that know all the information and ... Mplex Customer

© 2015 IBM Corporation

Formal Treatment of Privacy-Enhancing Credential SystemsJan Camenisch, Stefan Krenn, Anja Lehmann, Gerd Læssøe Mikkelsen, Gregory Neven, and Michael Østergaard Pedersen

© 2015 IBM Corporation2 Jan Camenisch - EIC 2015 - Identity MixerOctober 15, 2015

Outline

Defining security of complex cryptographic schemes, constructing them, and proving the security of the latter

§ Brief overview of basic credential systems

§ and their extended features

§ Definitional approaches and their difficulties

§ Modular construction of credentials & related security proofs


Privacy-Enhancing Credential System

© 2015 IBM Corporation October 15, 2015

Privacy-protecting credential system (Privacy-ABC)

Verifiers(Movie Streaming Service)

Issuers(Government)

Users(Alice)



usk ← UKGen(s)

s ← SPGen(k)

(ipk,isk,RI)s ← IKGen(s)


Assume user has obtained a number of credentials from different issuers.

Presentation:Unlike traditional (attribute) credentials:§ Alice does not send credential§ Alice chooses which attributes to disclose§ Alice applies cryptographic transformation


Alice - eID with age ≥ 12

(nym,pt) ← Present(usk, scope, {ipk, RI, cred, attr},E,M)

© 2015 IBM Corporation7 October 15, 2015


Alice

(Public Verification Key of issuer)

Aha, you are- older than 12

(nym,pt) ← Verify(nym,pt, scope, {ipk, RI, attr}, E, M)



Name = Alice DoeBirth date = April 3, 1997

(pit,sit,nym) ← ITGen(usk,ipk,scope, rh, attr, {ipk, cred, attr}, E, M)

(cred, RI') ← (U.Issuance(),i.Issuance()

0/1 ← ITVer(...)

Issuance token can contain § (hidden) attributes§ presentation tokens w/ carry over of attributes


Discussion: Key Binding & Pseudonym

Key binding: Alice has a secret key to which credentials get bound → cannot share same credential between different keys.

Not all credentials must be key-bound.

Domain Pseudonyms: Each pseudonym has a scope. Pseudonyms by the same user are linkable w/in the same scope, but unlinkeable otherwise.


There are many different use cases and many solutions• Anonymized CLRs (using crypto to maintain anonymity)

• Accumulators• Signing entries & Proof, ....

• Limited validity – certs need to be updated • ... For proving age, a revoked driver's license still works

Discussion – Revocation

RI ← Revoke(isk, RI,rh)

October 28, 201411 © 2013 IBM Corporation

Constructing & Defining and Proving the Security of Privacy-ABCs


zero-knowledge proofs

Definition, Construction and Security Proofs of Credentials

Want to have modular constructions from simple building blocks to handle complexity:

privacy-enhancing attribute signatures pseudonyms

revocation scheme commitmentscheme

Privacy ABCs

Components need to be compatible, i.e., work on attributes:

§ secret key, revocation handle, etc all are treated as attributes

This Paper:§ Security definitions for each building block and the overall system § Generic construction and security proof§ Instantiation and security proof for each building block


Definition, Construction and Security Proofs of Credentials

Definitional approaches

§ Property based (game based)– less complex – consider each properties separately– not always clear to what extend different properties are related/overlapping– complexity grows in proofs of larger systems, however– simultaneous fulfillment of all properties not guaranteed (but typically true)

§ Ideal specification (UC-like, simulation based)– get complex quickly– hard to deal with cryptographic values– need additional property analysis– no re-winding when composability is wanted → efficiency penalty in constructions– somewhat easier w.r.t. modular construction and proofs of large systems


Security Definition of Privacy ABCs – 4 Properties

4 Properties§ Correctness

§ Pseudonym Collision Resistance

§ Unforgeability

§ Privacy (weak, strong)

Correctness: … the obvious one, plusPseudonym be a deterministic fct(syspar, scope, usk)→ same nym output by ITGen and Present

Pseudonym Collision Resistance:§ No adversary can find two usk's for the

same pseudonym & scope



Unforgeability: Problem: not like signatures b/c one only sees presentation tokens

Definition: No adversary can output valid presentation tokens that are not consistent, i.e., there exists sets of secret keys and credentials (list of attributes) such

§ not more credentials than issuance records (for honest issuers and per rh)

§ all presentation & issuance token correspond to legitimately obtained un-revoked credentials:– attributes are consistent– credentials are non-revoked w.r.t. epoch of presentation token– pseudonyms and credentials consistent with secret keys and scope

Discussion:

§ no existential forgery (e.g., no forgery re-use of pt and pit generated by honest user)

§ blind attributes in pit only satisfy relation E (Adv could use same pit leading to different creds)

§ tokens can be generated of epochs earlier than the one of the underlying credential

OI

OU



Privacy (strong, weak):Idea: Simulator that generates pit, pt, nym given only revealed information, i.e., § no user ID, hidden attributes, which issuance & presentation done by same user § Adversary cannot distinguish between interacting with simulator and honest users

Problem: Simulator that is not enough information b/c of future interactions§ Dependencies caused by nyms and revocation across issuance and presentation§ Dependencies between revealed values in pit, pt and issued credentials

→ cannot know which queries can be satisfied

Solution:

Oracle queries of Adv are first filtered by filter F that know all the information and then tells the simulator what to do. → similar to ideal fkt



Privacy (strong, weak):

Instructions credIDF

SIM

Filter F: no crypto

Weak privacy: Sim is told to which pior presentation link should be made

Instructions & credID: no crypto


Related Work

§ Chaum (1981):– Concept of Privacy-ABCs

§ Many authors but not formal definitions for Privacy-ABCs.

§ Chase et al (2009): – Property based definitions for delectable credentials & p-signatures– no attributes, revocation, advanced issuance

§ Camenisch & Lysyanskaya (2000):– ideal/real work definition, but not UC, no attributes

§ Camenisch et al. (2015 - e-print)– UC definition of credentials w. attributes, but no other features

§ Realizations: – IBM identity mixer – Microsoft Uprove


Conclusion

§ Defining security is notoriously hard– property based vs simulation based

§ Need modular approaches – constructions– definitions– proofs

§… while retaining efficiency

§ Current construction approaches often have “proof” artifacts– verifiable encryptions – equivocal commitments

§ Security proofs are not appreciated sufficiently by our community– hard to read, always in the appendix, .... – minority of papers about wrong proofs or better proofs

§ Regarding this work (security definitions of credentials)– incorporating more features (inspection, verifier driven revocation/blacklisting,.. )– UC/simulation based definitions & comparing the two


Thank you!§ me

– [email protected]– ibm.biz/jancamenisch– @JanCamenisch

§ Links:– www.abc4trust.eu– www.futureID.eu– www.au2eu.eu– www.PrimeLife.eu – www.zurich.ibm.com/idemix– idemixdemo.zurich.ibm.com

§ Code– github.com/p2abcengine & abc4trust.eu/idemix

mailto:[email protected]

http://www.abc4trust.eu/

http://www.futureID.eu/

http://www.PrimeLife.eu/

http://www.zurich.ibm.com/idemix


Privacy-protecting authentication with Privacy ABCs

Alice

Movie Streaming Service

12 < age

(Issuer parameter)

Credential

Presentation token

Presentation policy

Pseudonym

(Verifier parameter)

Credential specification


Alice wants to watch a movie at Movie Streaming Service

Alice


I wish to see Alice in Wonderland


Alice wants to watch a movie at Movie Streaming Service

Alice


You need:- subscription- be older than 12


Watching the movie with the traditional solution

Alice


ok, here's - my eID - my subscription

Using digital equivalent of paper world, e.g., with X.509 Certificates



Alice


Aha, you are- Alice Doe- born on Dec 12, 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4, 2018

Mplex Customer - #1029347 - Premium Subscription - Expires Jan 13, 2016

...with X.509 Certificates



Alice


Aha, you are- Alice Doe- born on Dec 12, 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4, 2018

Mplex Customer - #1029347 - Premium Subscription - Expires Jan 13, 2016

This is a privacy and security problem! - identity theft - profiling - discrimination



Alice


With OpenID and similar solution, e.g., log-in with Facebook



Alice



Aha, Alice is watching a 12+ movie



Alice



Aha, you are- [email protected] 12+Mplex Customer - #1029347 - Premium Subscription - Expires Jan 13, 2016

Aha, Alice is watching a 12+ movie


Privacy ABCs such as Identity Mixer solve this.

When Alice authenticates to the Movie StreamingService with Identity Mixer, all the services learns isthat Alice

has a subscriptionis older than 12

and no more!


Like PKI, but better:§ One secret Identity (secret key)§ Many Public Pseudonyms (public keys)


Concepts: Key binding & Pseudonyms


Like PKI, but better:

§ Issuing a credential


Concept: credentials

Name = Alice DoeBirth date = April 3, 1997



Alice






Alice




Alice




Alice




Concept: presentation policy


Like PKI§ but does not send credential§ only minimal disclosure


Alice


- valid subscription - eID with age ≥ 12

Concept: presentations token



Alice

Aha, you are- older than 12- have a subscription

Movie Streaming ServiceMovie Streaming Service

Like PKI§ but does not send credential§ only minimal disclosure (Public Verification Key

of issuer)


So, let's watch a movie!

idemixdemo.mybluemix.netidemixdemo.zurich.ibm.com


A couple of use cases


Identity, Identity Management, & Authentication

name

salary

credit card number

hobbies

phone number

address

language skills

leisure

shopping

work

public authority

nick nameblood group

health care

marital status

birth date

health status

insurance

■ ID:– (dynamic) set of attributes shared w/ someone– different with different entities

■ ID Management: two things to make identities useful– authentication means: strong e-authentication– means to transport attributes between parties: certified attributes


Age verification

§ Movie streaming services

§ Gaming industry

§ Online gambling platforms

§ Dating websites

§ Social benefits for young/old people

Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation


Healthcare Use Case

Anonymous consultations with specialists– online chat with a psychologist – online consultation with IBM Watson

1. Alice proves she has insurance2. Alice describes symptoms 3. Alice gets credential that she is allowed to get treatment

Alice gets a health insurance credential

Insurance

Insurance

Health portal

5. Alice sends bill to insurance and proves that she had gottenthe necessary permission for the treatment.

4. Alice gets treatment from physician, hospital, etc

Documents

Formal Treatment of Privacy- Enhancing Credential Systems · 8/12/2015 · Oracle queries of Adv are first filtered by filter F that know all the information and ... Mplex Customer