© 2016 IBM Corporation
Cryptography 4 Privacy
Jan Camenisch, Principal RSM, Member IBM Academy of Technology, IBM Research – Zurich
@JanCamenisch, ibm.biz/jancamenisch
SuRI, School of Computer and Communication Sciences, EPFL
Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Facts
We all increasingly conduct our daily tasks electronically and are becoming increasingly vulnerable to cybercrimes.
Facts
33% of cyber crimes, including identity theft, take less time than making a cup of tea.
Facts
10 years ago your identity information on the black market was worth $150. Today…
Facts
$4,500,000,000: cost of identity theft worldwide.
Houston, we have a problem
“Buzz Aldrin's footprints are still up there” (Robin Wilton)
Computers don't forget
– Apps are built to use & generate (too much) data
– Data is stored by default
– Data mining gets ever better
– New (ways of) businesses using personal data
By contrast: humans forget most things too quickly, and paper collects dust in drawers.
Where's all my data?
The ways of data are hard to understand.
Devices, operating systems & apps are getting more complex and intertwined:
– Mashups, ad networks
– Machines virtual and real-time configured
– Not visible to users and experts
– Data processing changes constantly
→ No control over data, and far too easy to lose them.
The real problem
Applications are designed with the sandy beach in mind, but are then built on the moon:
– Feature creep; security comes last, if at all
– Everyone can do apps and sell them
– Networks and systems not (well) protected
Security & Privacy is not a lost cause
We need a paradigm shift & build stuff for the moon rather than the sandy beach.
Security & Privacy is not a lost cause
That means: reveal only the minimal data necessary; encrypt every bit; attach usage policies to each bit.
Cryptography can do that.
2015 Information Security Summer School - Bilbao
Cryptography to the Aid
October 15, 2015 - Press Day
Today: two solutions
– Identity Mixer: privacy-protecting authentication
– Password-based security: from humans to cryptographic keys
Identity Mixer
Alice wants to watch a movie at Movie Streaming Service
Alice → Movie Streaming Service: I wish to see Alice in Wonderland.
Movie Streaming Service → Alice: You need – a subscription – to be older than 12.
Watching the movie with the traditional solution
Using the digital equivalent of the paper world, e.g. with X.509 certificates:
Alice → Movie Streaming Service: OK, here's – my eID – my subscription.
Movie Streaming Service: Aha, you are – Alice Doe – born on Dec 12, 1975 – 7 Waterdrive – CH-8003 Zurich – married – expires Aug 4, 2018
Movie Streaming Service: Mplex Customer – 1029347 – Premium Subscription – expires Jan 13, 2016
This is a privacy and security problem: – identity theft – discrimination – profiling, possibly in connection with other services.
Watching the movie with the traditional solution
With OpenID and similar protocols, e.g. log-in with Facebook:
Movie Streaming Service: Aha, you are – Alice@facebook.com – 12+ – Mplex Customer – 1029347 – Premium Subscription – expires Jan 13, 2016
And the identity provider learns: Aha, Alice is watching a 12+ movie.
Proper cryptography solves this: Identity Mixer
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more.
Privacy-protecting authentication with Privacy ABCs
User's keys: one secret identity (secret key), many public pseudonyms (public keys)
→ use a different identity for each communication partner, or even for each transaction.
Privacy-protecting authentication with Privacy ABCs
Certified attributes from the identity provider: issuing a credential
Name = Alice Doe, Birth date = April 3, 1997
Privacy-protecting authentication with Privacy ABCs
Certified attributes from the purchasing department: issuing a credential
Privacy-protecting authentication with Privacy ABCs
Alice → Movie Streaming Service: I wish to see Alice in Wonderland.
Movie Streaming Service → Alice: You need – a subscription – to be older than 12.
Proving identity claims, but without sending the credentials: only minimal disclosure
– valid subscription
– eID with age ≥ 12
Proving Identity Claims: Minimal Disclosure
Full credential: Alice Doe, Dec 12 1998, Hauptstr. 7, Zurich, CH, single, Exp. Aug 4 2018 (verified ID)
Minimal disclosure: Alice Doe, Age 12+, Hauptstr. 7, Zurich, CH, single, Exp. valid (verified ID)
Privacy-protecting authentication with Privacy ABCs
Movie Streaming Service: Aha, you are – older than 12 – have a subscription
Proving identity claims, but without sending the credential: only minimal disclosure (the verifier needs only the public verification key of the issuer).
The transaction is not linkable to any other of Alice's transactions.
Try Identity Mixer for yourself
Try yourself → idemixdemo.mybluemix.net
Build your app → github.com/IBM-Bluemix/idemix-issuer-verifier
Source code → github.com/p2abcengine/p2abcengine
Info → ibm.biz/identity_mixer
You might already have Identity Mixer on your devices
Identity Mixer (and related protocols) in standards: TPM V1.2 (2004) and V2.0 (2015) call it Direct Anonymous Attestation; the FIDO Alliance is standardizing this as well (with and without chip).
TPMs allow one to store the secret key in a secure place.
Other examples: secure and private access to databases
DNA databases, news/journals/magazines, patent databases
Cryptographic access protocol s.t. the database provider has no information about which user accesses which data.
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).
A glimpse at the underlying cryptography
A glimpse at the technical realization
– Zero-knowledge proof of knowledge
– Signature scheme compatible with ZKP
– Commitment scheme compatible with ZKP & signature scheme
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group ⟨g⟩ and an element y ∈ ⟨g⟩, the prover wants to convince the verifier that she knows x = log_g y, such that the verifier only learns y and g.
Prover: picks random r, computes t = g^r
Prover → Verifier: t
Verifier: picks random c
Verifier → Prover: c
Prover: computes s = r - cx
Prover → Verifier: s
Verifier: accepts iff t = g^s y^c
Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures): PK{(α): y = g^α}(m)
Many exponents:
PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
PK{(α): y = g^α ∧ α ∈ [A, B]}
PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min(ord(g), ord(g'))]}
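As an added example (not code from the slides or from Identity Mixer), the protocol of the previous slide and the AND-combination of this one in Python: a generalised Schnorr proof for statements of the form target = ∏ base^x_j, run interactively with the slide's s = r - cx and then made non-interactive with Fiat-Shamir. The 64-bit safe-prime group, the second base h and the sample witnesses are this example's own toy choices.

```python
"""Generalised Schnorr proof of knowledge for the slides' statements, e.g.
PK{(alpha, beta): y = g^alpha AND z = g^beta AND u = g^beta h^alpha}, interactive and
Fiat-Shamir.  Added example, not the slides' or idemix's code.  Toy 64-bit group
(real deployments use 256-bit elliptic curves or 2048-bit moduli)."""
import hashlib
import math
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic below 3.3e24, so exact for 64-bit n."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Smallest safe prime P = 2Q + 1 with Q >= 2^(bits-1): deterministic, so the group is fixed."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(64)   # <g> is the order-Q subgroup of Z_P^*; every square lies in it
G = pow(2, 2, P)
H = pow(3, 2, P)        # second base; log_G(H) is assumed unknown (toy assumption at this size)

# A statement is (target, [(base, witness_index), ...]) meaning target = prod(base^x[index]).
def commit(stmts, n_witness):
    """Prover, round 1: random r_j per witness and t_i = prod base^r_j per statement."""
    r = [secrets.randbelow(Q) for _ in range(n_witness)]
    t = [math.prod(pow(b, r[j], P) for b, j in terms) % P for _, terms in stmts]
    return r, t

def respond(r, x, c):
    """Prover, round 2: the slide's s = r - c x, once per witness, reduced mod Q."""
    return [(rj - c * xj) % Q for rj, xj in zip(r, x)]

def verify(stmts, t, c, s):
    """Verifier: accept iff t_i = prod base^s_j * target^c for every statement."""
    for (y, terms), ti in zip(stmts, t):
        if ti != math.prod(pow(b, s[j], P) for b, j in terms) * pow(y, c, P) % P:
            return False
    return True

def challenge(stmts, t, msg):
    """Fiat-Shamir: c = Hash(statements, commitments, message) mod Q stands in for the verifier."""
    digest = hashlib.sha256(repr((stmts, t, msg)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def sign(stmts, x, msg):
    """Non-interactive PK{...}(m): the same transcript, which is a Schnorr-style signature on msg."""
    r, t = commit(stmts, len(x))
    c = challenge(stmts, t, msg)
    return c, respond(r, x, c)

def verify_signature(stmts, sig, msg):
    """Recompute t_i from (c, s) and check that the hash closes the loop."""
    c, s = sig
    t = [math.prod(pow(b, s[j], P) for b, j in terms) * pow(y, c, P) % P for y, terms in stmts]
    return challenge(stmts, t, msg) == c

def statements(alpha, beta):
    """The slide's AND-combination: y = g^alpha, z = g^beta, u = g^beta h^alpha (alpha used twice)."""
    y, z = pow(G, alpha, P), pow(G, beta, P)
    u = pow(G, beta, P) * pow(H, alpha, P) % P
    return [(y, [(G, 0)]), (z, [(G, 1)]), (u, [(G, 1), (H, 0)])]

def demo(alpha, beta, msg=b"12+ movie request"):
    """Run the interactive proof and the Fiat-Shamir variant; return the three verdicts."""
    stmts = statements(alpha, beta)
    r, t = commit(stmts, 2)
    c = secrets.randbelow(Q)                 # honest verifier's random challenge
    interactive_ok = verify(stmts, t, c, respond(r, [alpha, beta], c))
    sig = sign(stmts, [alpha, beta], msg)
    return interactive_ok, verify_signature(stmts, sig, msg), verify_signature(stmts, sig, b"other")
```

`demo(5, 7)` returns `(True, True, False)`: the proof and the signature verify, and the same signature is rejected for a different message.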
RSA Signature Scheme
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p-1)(q-1), s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
RSA Signature Scheme
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
We would like to do a proof of knowledge of a signature on a message, e.g. PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m_1, …, m_k ∈ {0,1}^ℓ: choose a random prime e with 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, and compute
c = (d / (a_1^{m_1} ··· a_k^{m_k} b^s))^{1/e} mod n
The signature is (c, e, s).
CL-Signature Scheme
To verify a signature (c, e, s) on messages m_1, …, m_k: check m_1, …, m_k ∈ {0,1}^ℓ, e > 2^{ℓ+1}, and
d = c^e a_1^{m_1} ··· a_k^{m_k} b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Observe:
– d = c^e a_1^{m_1} a_2^{m_2} b^s mod n
– Let c' = c b^t mod n with randomly chosen t
then d = c'^e a_1^{m_1} a_2^{m_2} b^{s-et} (mod n), i.e. (c', e, s' = s - et) is also a signature on m_1 and m_2.
To prove knowledge of a signature (c', e, s') on m_2 and some m_1: provide c' and
PK{(ε, μ_1, σ): d / a_2^{m_2} = c'^ε a_1^{μ_1} b^σ ∧ μ_1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
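Added example (not the slides' or idemix's code) covering the three CL slides above: a toy CL signature on two messages with signing via the e-th root, the verification equation, the re-randomisation c' = c b^t, s' = s - e t, and a direct check of the relation d / a_2^{m_2} = c'^ε a_1^{μ_1} b^σ that the proof of knowledge is built on (the range conditions on μ_1 and ε are checked in the clear here rather than proven). The 23-bit modulus built from the toy primes 2039 and 2207 is constructed and insecure.

```python
"""Toy CL signature from the slides: sign k = 2 messages, verify, re-randomise a signature
(c' = c b^t, s' = s - e t) and check the relation the proof of knowledge is built on.
Added example, not the slides' or idemix's code.  The modulus is a 23-bit toy (real ones
are 2048 bits), so nothing here is secure; the algebra is what the example shows."""
import secrets

ELL = 4                                  # messages are ELL-bit integers
P_FACTOR, Q_FACTOR = 2039, 2207          # toy safe primes 2*1019+1 and 2*1103+1 (constructed)
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)    # the signer's secret: knowing the factors of N

def is_small_prime(x):
    return x > 1 and all(x % i for i in range(2, int(x ** 0.5) + 1))

def random_qr():
    """Random quadratic residue mod N (square of a random unit), as a_i, b, d must be."""
    while True:
        w = secrets.randbelow(N)
        if w % P_FACTOR and w % Q_FACTOR and w * w % N != 1:
            return w * w % N

def keygen(k=2):
    """Public key: N plus a_1..a_k, b, d in QR_N; the secret key is PHI (i.e. the factorisation)."""
    return {"a": [random_qr() for _ in range(k)], "b": random_qr(), "d": random_qr()}

def sign(pk, msgs):
    """c = (d / (a_1^m_1 ... a_k^m_k b^s))^(1/e) mod N, prime 2^(ELL+1) < e < 2^(ELL+2), s ~ N."""
    assert all(0 <= m < 1 << ELL for m in msgs)
    while True:
        e = (1 << (ELL + 1)) + 1 + secrets.randbelow(1 << (ELL + 1))
        if is_small_prime(e) and PHI % e:
            break
    s = N + secrets.randbelow(N)                 # s roughly the size of N (toy sizes)
    denom = pow(pk["b"], s, N)
    for a_i, m_i in zip(pk["a"], msgs):
        denom = denom * pow(a_i, m_i, N) % N
    target = pk["d"] * pow(denom, -1, N) % N     # d / (a^m b^s)
    c = pow(target, pow(e, -1, PHI), N)          # e-th root: only possible with PHI
    return c, e, s

def verify(pk, msgs, sig):
    """Accept iff d == c^e a_1^m_1 ... a_k^m_k b^s (mod N), messages are ELL-bit and e > 2^(ELL+1)."""
    c, e, s = sig
    if e <= 1 << (ELL + 1) or not all(0 <= m < 1 << ELL for m in msgs):
        return False
    rhs = pow(c, e, N) * pow(pk["b"], s, N) % N  # s may be negative after re-randomising (pow inverts)
    for a_i, m_i in zip(pk["a"], msgs):
        rhs = rhs * pow(a_i, m_i, N) % N
    return rhs == pk["d"]

def rerandomise(pk, sig):
    """The slide's observation: (c b^t, e, s - e t) is another valid signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(N)
    return c * pow(pk["b"], t, N) % N, e, s - e * t

def pk_relation(pk, c_prime, m2):
    """Relation behind PK{(eps, mu_1, sigma): d / a_2^m2 = c'^eps a_1^mu_1 b^sigma}: target and bases."""
    target = pk["d"] * pow(pow(pk["a"][1], m2, N), -1, N) % N
    return target, [c_prime, pk["a"][0], pk["b"]]

def relation_holds(target, bases, witness):
    """What the proof convinces the verifier of, checked directly with the secret (eps, mu_1, sigma)."""
    acc = 1
    for base, w in zip(bases, witness):
        acc = acc * pow(base, w, N) % N
    return acc == target
```

The verifier of the real proof sees only c' (fresh for every showing) and the transcript, which is why repeated showings of one credential stay unlinkable.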
Password-based Security
Passwords are insecure, aren't they?
Passwords inherently insecure? No! We're just using them incorrectly.
Username-password is the most prominent form of user authentication.
The problem with passwords
(Figure: password → salted PW hash; offline guesses tested against it: correct, correct, correct, …, correct)
Passwords are symmetric secrets: they need protection on server & user → password (hashes) are useless against offline attacks.
– Human-memorizable passwords are inherently weak
– NIST: 16-character passwords have 30 bits of entropy ≈ 1 billion possibilities
– A rig of 25 GPUs tests 350 billion possibilities/second, so ≈ 3 ms for 16 chars
– 60% of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help only:
– increases verification time as well
– does not work for short passwords such as PINs etc.
Single-server solutions are inherently vulnerable to offline attacks:
– Server administrator / hacker can always guess & test
The solution: distributed password verification
Setup: open an account with password p
(Figure: p is split into two pieces p1 and p2, one per server, with p = p1 ∘ p2)
The solution: distributed password verification
Login to the account with password p'
(Figure: the user sends p' to the servers, which jointly check it against p1 and p2)
No server alone can test the password: passwords are safe as long as not all servers are hacked.
– off-line attacks no longer possible
– on-line attacks can be throttled
Pro-active re-sharing is possible.
The first server can be:
– the web server → replaces hash-data files
– the user's computer → secure against loss or theft of the user device
How it works in a nutshell [CLN12, CEN15]
The servers share the secret key (x1 and x2) for a public key X of a homomorphic encryption scheme.
At setup, the user encrypts p under X: E = Enc_X(p).
Password verification: check for an encryption of 1.
E' = (Enc_X(1/p') ⟐ E)^r = Enc_X((p/p')^r)
(Figure: server 1 applies x1 and server 2 applies x2 to E', so decryption needs both shares)
p = p' ↔ Dec_X(E') = 1
The servers do not learn anything: 1 if the passwords match, a random number otherwise.
The user could even be talking to the wrong servers.
From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smart phone, laptop, …
Get the key share from the servers if the password check succeeded.
Decrypt all your files on the phone (or stored in the cloud, etc.).
(Figure: the user enters p; the servers holding (p1, k1) and (p2, k2) check p = p1 ∘ p2 and release k1 and k2, which combine to the key k)
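Added example (not the authors' code) for the two slides above, the nutshell protocol and the key release: two servers hold shares x1, x2 of one ElGamal key X, the stored record is E = Enc_X(p), and a login attempt p' is checked by jointly decrypting (Enc_X(1/p') ⟐ E)^r, which is 1 exactly when p' = p and a random group element otherwise; on success each server releases its key share. Encoding the password as g^H(p), the XOR key shares and the toy 32-bit group are this example's own assumptions.

```python
"""Two-server password verification as sketched on the slides [CLN12, CEN15]: the servers hold
shares x1, x2 of one ElGamal key X, the stored record is E = Enc_X(p), and a login attempt p'
is checked by jointly decrypting (Enc_X(1/p') * E)^r, which is 1 exactly when p' = p and a
random group element otherwise.  Added example, not the authors' code: encoding the password
as g^H(p), and releasing XOR key shares on success, are this example's own choices.  Toy
32-bit group; a real deployment would use a 256-bit curve."""
import hashlib
import secrets

def is_prime(n):
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def safe_prime(bits):
    """Smallest safe prime P = 2Q + 1 with Q >= 2^(bits-1), by trial division (toy sizes only)."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(32)
G = 4                                  # a square mod P, hence a generator of the order-Q subgroup

def hash_to_group(password):
    """Constructed encoding p -> g^(SHA-256(p) mod Q): then 1/p' = g^(-h') and p/p' = g^(h - h')."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % Q
    return pow(G, h, P)

def encrypt(X, m):
    """ElGamal Enc_X(m) = (g^k, m X^k); multiplying two ciphertexts multiplies their plaintexts."""
    k = secrets.randbelow(Q)
    return pow(G, k, P), m * pow(X, k, P) % P

class Server:
    """One of the two servers: a share x_i of the secret key (X = g^(x1 + x2)) and key shares."""
    def __init__(self):
        self.x = secrets.randbelow(Q)
        self.key_shares = {}

    def partial_decrypt(self, ciphertext):
        return pow(ciphertext[0], self.x, P)   # only its own share is ever applied

def joint_public_key(servers):
    X = 1
    for srv in servers:
        X = X * pow(G, srv.x, P) % P
    return X

def register(servers, X, user, password):
    """Setup: store E = Enc_X(p); each server also keeps a random 16-byte share of the user's key."""
    for srv in servers:
        srv.key_shares[user] = secrets.token_bytes(16)
    return {"E": encrypt(X, hash_to_group(password))}

def login(servers, X, record, user, attempt):
    """Returns the user's key (k1 XOR k2) on the correct password, None otherwise."""
    c1, c2 = encrypt(X, pow(hash_to_group(attempt), -1, P))     # Enc_X(1/p')
    e1, e2 = c1 * record["E"][0] % P, c2 * record["E"][1] % P    # Enc_X(p/p') by the homomorphism
    r = 1 + secrets.randbelow(Q - 1)                              # random r blinds a mismatch
    query = pow(e1, r, P), pow(e2, r, P)                          # Enc_X((p/p')^r)
    blinding = 1
    for srv in servers:
        blinding = blinding * srv.partial_decrypt(query) % P      # product of the partial decryptions
    plaintext = query[1] * pow(blinding, -1, P) % P
    if plaintext != 1:                                            # random element: wrong password
        return None
    key = bytes(16)
    for srv in servers:
        key = bytes(a ^ b for a, b in zip(key, srv.key_shares[user]))
    return key
```

Neither server ever sees p, p' or the full secret key x1 + x2, which is what removes the offline guess-and-test attack of the single-server hash file.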
Further Research Needed
Securing the infrastructure & IoT
– "ad-hoc" establishment of secure authentication and communication
– audit-ability & privacy (where is my information? crime traces)
– security services, e.g. better CAs, oblivious TTPs, anonymous routing, …
Usability
– HCI
– Infrastructure (setup, use, changes by end users)
Provably secure protocols
– Properly modeling protocols (UC, realistic attack models, …)
– Verifiable security proofs
– Retaining efficiency
Further Research Needed
Quantum computers
– Lots of new crypto still needed
– Build apps algorithm-agnostic
Towards a secure information society
– Society gets shaped by quickly changing technology
– Consequences are hard to grasp yet
– We must inform and engage in a dialog
Conclusion
Let's engage in some rocket science: much of the needed technology exists … we need to use it & build apps "for the moon" … and make apps usable & secure for end users.
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven and many, many more.
jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch
copy 2016 IBM Corporation2 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
We all increasingly conduct our daily tasks electronically
Facts
are becoming increasingly vulnerable to cybercrimes
copy 2016 IBM Corporation3 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
33 of cyber crimes including identity theft take less time than to make a cup of tea
Facts
copy 2016 IBM Corporation4 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
10 Years ago your identity information on the black market was worth $150 Todayhellip
Facts
copy 2016 IBM Corporation5 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
$4500000000 cost of identity theft worldwide
Facts
copy 2016 IBM Corporation6 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
ᄅ
Houston we have a problem
copy 2016 IBM Corporation7 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
ᄅ
Houston we have a problem
ldquoBuzz Aldrins footprints are still up thererdquo(Robin Wilton)
copy 2016 IBM Corporation8 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Computers dont forget
Apps built to use amp generate (too much) data
Data is stored by default
Data mining gets ever better
New (ways of) businesses using personal data
Humans forget most things too quickly
Paper collects dust in drawers
copy 2016 IBM Corporation9 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2016 IBM Corporation10 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2016 IBM Corporation11 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2016 IBM Corporation12 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2016 IBM Corporation13 2015 Information Security Summer School - Bilbao
Cryptography to the Aid
copy 2016 IBM Corporation14 October 15 2015 - Press Day
Today two solutions
Identity mixer privacy protecting authentication
Password-based security from humans to cryptographic keys
copy 2016 IBM Corporation15 October 15 2015 - Press Day
Identity Mixer
copy 2016 IBM Corporation16 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2016 IBM Corporation17 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2016 IBM Corporation18 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2016 IBM Corporation19 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2016 IBM Corporation20 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2016 IBM Corporation21 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2016 IBM Corporation22 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation23 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation24 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2016 IBM Corporation25 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Users Keys One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2016 IBM Corporation26 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Certified attributes from Identity provider Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2016 IBM Corporation27 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure & IoT
– "ad-hoc" establishment of secure authentication and communication
– audit-ability & privacy (where is my information, crime traces)
– security services, e.g. better CAs, oblivious TTPs, anonymous routing, …
Usability
– HCI
– infrastructure (setup, use, changes by end users)
Provably secure protocols
– properly modeling protocols (UC, realistic attack models, …)
– verifiable security proofs
– retaining efficiency
Further Research Needed
Quantum computers
– lots of new crypto still needed
– build apps algorithm-agnostic
Towards a secure information society
– society gets shaped by quickly changing technology
– consequences are hard to grasp yet
– we must inform and engage in a dialog
Conclusion
Let's engage in some rocket science! Much of the needed technology exists … we need to use it and build apps "for the moon" … and make apps usable and secure for end users.
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven and many, many more.
jca@zurich.ibm.com · JanCamenisch · ibm.biz/jancamenisch
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
→ No control over data, and far too easy to lose it

The real problem
Applications are designed with the sandy beach in mind, but are then built on the moon
– Feature creep: security comes last, if at all
– Everyone can build apps and sell them
– Networks and systems are hardly (or not well) protected

We need a paradigm shift & build stuff for the moon rather than the sandy beach
Security & Privacy is not a lost cause

That means:
– Reveal only the minimal data necessary
– Encrypt every bit
– Attach usage policies to each bit
Cryptography can do that
Security & Privacy is not a lost cause
© 2016 IBM Corporation 13 | 2015 Information Security Summer School - Bilbao
Cryptography to the Aid

© 2016 IBM Corporation 14 | October 15 2015 - Press Day
Today: two solutions
– Identity Mixer: privacy-protecting authentication
– Password-based security: from humans to cryptographic keys

Identity Mixer
Alice wants to watch a movie at Movie Streaming Service
Alice → Movie Streaming Service: “I wish to see Alice in Wonderland”
Movie Streaming Service → Alice: “You need – a subscription – to be older than 12”

Watching the movie with the traditional solution
Using the digital equivalent of the paper world, e.g. with X.509 certificates
Alice → Movie Streaming Service: “ok, here's – my eID – my subscription”
Movie Streaming Service: “Aha, you are – Alice Doe – born on Dec 12, 1975 – 7 Waterdrive – CH 8003 Zurich – Married – Expires Aug 4, 2018” and “Mplex Customer – 1029347 – Premium Subscription – Expires Jan 13, 2016”
This is a privacy and security problem:
– identity theft
– discrimination
– profiling, possibly in connection with other services

Watching the movie with the traditional solution
With OpenID and similar solutions, e.g. log-in with Facebook
Movie Streaming Service: “Aha, you are – Alice@facebook.com – 12+” and “Mplex Customer – 1029347 – Premium Subscription – Expires Jan 13, 2016”
Identity provider: “Aha, Alice is watching a 12+ movie”
Proper cryptography solves this: Identity Mixer
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more.

Privacy-protecting authentication with Privacy ABCs
User's keys: one secret identity (secret key), many public pseudonyms (public keys)
→ use a different identity for each communication partner, or even for each transaction

Privacy-protecting authentication with Privacy ABCs
Issuing a credential: certified attributes from the identity provider
Name = Alice Doe, Birth date = April 3, 1997

Privacy-protecting authentication with Privacy ABCs
Issuing a credential: certified attributes from the purchasing department

Privacy-protecting authentication with Privacy ABCs
Alice → Movie Streaming Service: “I wish to see Alice in Wonderland”
Movie Streaming Service → Alice: “You need – a subscription – to be older than 12”

Privacy-protecting authentication with Privacy ABCs
Proving identity claims: Alice does not send the credentials, only a minimal disclosure
– valid subscription
– eID with age ≥ 12

Proving Identity Claims: Minimal Disclosure
Verified ID (full credential): Alice Doe; Dec 12, 1998; Hauptstr. 7, Zurich, CH; single; Exp. Aug 4, 2018
Verified ID (minimal disclosure): Alice Doe; Age 12+; Hauptstr. 7, Zurich, CH; single; Exp. Valid

Privacy-protecting authentication with Privacy ABCs
Movie Streaming Service: “Aha, you are – older than 12 – have a subscription”
Proving identity claims: the credential itself is not sent, only a minimal disclosure (checked with the public verification key of the issuer)
The transaction is not linkable to any other of Alice's transactions

Try Identity Mixer for yourself
Try yourself: idemixdemo.mybluemix.net →
Build your app: github.com/IBM-Bluemix/idemix-issuer-verifier →
Source code: github.com/p2abcengine/p2abcengine →
Info: ibm.biz/identity_mixer →
You might already have Identity Mixer on your devices
Identity Mixer (and related protocols) are in standards: TPM V1.2 (2004) and V2.0 (2015) call it Direct Anonymous Attestation; the FIDO Alliance is standardizing this for authentication as well (with and without a chip)
TPMs allow one to store the secret key in a secure place

Other examples: secure and private access to databases
DNA databases, News/Journals/Magazines, patent databases
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Cryptographic access protocol s.t. the database provider has no information about which user accesses which data
A glimpse at the underlying cryptography

A Glimpse at the technical realization
– Zero-knowledge proof of knowledge
– Signature scheme compatible with ZKP
– Commitment scheme compatible with ZKP & signature scheme

Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$, the prover wants to convince the verifier that she knows $x = \log_g y$, such that the verifier only learns $y$ and $g$.
Prover: random $r$, $t = g^r$; sends $t$
Verifier: random $c$; sends $c$
Prover: $s = r - cx$; sends $s$
Verifier: checks $t = g^s y^c$
Notation: $PK\{(\alpha): y = g^\alpha\}$

Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations: $PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$, $PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures): $PK\{(\alpha): y = g^\alpha\}(m)$
Many exponents: $PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA): $PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$, $PK\{(\alpha): y = g^\alpha \wedge z = \mathbf{g}^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\mathbf{g}))]\}$
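The protocol on these two slides, as an added example that is not part of the deck: a toy Python implementation of the three-move proof with the slide's $s = r - cx$ and check $t = g^s y^c$, generalized to the AND / many-exponent statements and to the Fiat-Shamir signature variant. The group (p = 2039, q = 1019, g = 4) and the message are constructed toy values.

```python
"""Toy Schnorr-style proofs of knowledge of discrete logarithms.

Added example (not from the slides): the interactive protocol from the slide
(t = g^r, challenge c, s = r - c*x, check t = g^s * y^c), the AND / many-
exponent form PK{(a, b): y = g^a, z = g^b, u = g^b * h^a}, and the
Fiat-Shamir (Schnorr signature) variant. TOY group: p = 2039 = 2q + 1.
"""
import hashlib
import secrets

P = 2039   # toy safe prime p = 2q + 1 (never use parameters this small)
Q = 1019   # prime order of the subgroup <g>
G = 4      # 4 = 2^2 is a quadratic residue mod p, hence of order q


def _prod(factors):
    out = 1
    for f in factors:
        out = out * f % P
    return out


# A statement is a list of equations (target, terms); each term is a pair
# (base, witness_index), read as: target = PROD base ** witness[index].
# PK{(a): y = g^a} is [(y, [(G, 0)])].

def commit(statement, n_witnesses):
    """Prover, step 1: random r_i; send t_j = PROD base ** r_index."""
    r = [secrets.randbelow(Q) for _ in range(n_witnesses)]
    t = [_prod(pow(base, r[i], P) for base, i in terms) for _, terms in statement]
    return r, t


def respond(witnesses, r, c):
    """Prover, step 3: s_i = r_i - c * x_i (mod q), as on the slide."""
    return [(ri - c * xi) % Q for ri, xi in zip(r, witnesses)]


def recompute(statement, c, s):
    """Verifier: each t_j must equal PROD base ** s_index * target ** c."""
    return [_prod([pow(base, s[i], P) for base, i in terms] + [pow(target, c, P)])
            for target, terms in statement]


def verify(statement, t, c, s):
    return recompute(statement, c, s) == t


def interactive_proof(statement, witnesses):
    """One run of the 3-move protocol; the verifier picks c in [1, q-1]."""
    r, t = commit(statement, len(witnesses))
    c = secrets.randbelow(Q - 1) + 1          # verifier's random challenge
    s = respond(witnesses, r, c)
    return verify(statement, t, c, s)


def _challenge(statement, t, message):
    """Fiat-Shamir: c = H(statement, t, m), kept as the full 256-bit value."""
    data = repr((statement, t, message)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(statement, witnesses, message):
    """Non-interactive PK{...}(m), i.e. a Schnorr-type signature (c, s)."""
    r, t = commit(statement, len(witnesses))
    c = _challenge(statement, t, message)
    return c, respond(witnesses, r, c)


def verify_signature(statement, message, proof):
    c, s = proof
    t = recompute(statement, c, s)            # t is implied by (c, s)
    return _challenge(statement, t, message) == c


def demo():
    """Prove knowledge of (a, b) with y = g^a, z = g^b, u = g^b * h^a."""
    h = pow(G, secrets.randbelow(Q - 1) + 1, P)   # second base; its log is discarded
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    y, z = pow(G, a, P), pow(G, b, P)
    u = pow(G, b, P) * pow(h, a, P) % P
    statement = [(y, [(G, 0)]), (z, [(G, 1)]), (u, [(G, 1), (h, 0)])]
    honest = interactive_proof(statement, [a, b])
    cheating = interactive_proof(statement, [a, (b + 1) % Q])   # wrong witness
    proof = sign(statement, [a, b], "login request #42")       # constructed message
    genuine = verify_signature(statement, "login request #42", proof)
    replayed = verify_signature(statement, "login request #43", proof)
    return honest, cheating, genuine, replayed   # (True, False, True, False)


if __name__ == "__main__":
    print(demo())
```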
RSA Signature Scheme
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$

RSA Signature Scheme
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
We would like to do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^e = H(m) \pmod n\}$
But this is not a valid proof expression :-(
CL-Signature Scheme
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: factors of $n$
To sign $k$ messages $m_1, \dots, m_k \in \{0,1\}^\ell$: choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, and compute
$c = \left( d / (a_1^{m_1} \cdots a_k^{m_k} b^s) \right)^{1/e} \bmod n$
The signature is $(c, e, s)$

CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \dots, m_k \in \{0,1\}^\ell$: check $e > 2^{\ell+1}$ and
$d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption

Proving Knowledge of a CL-signature
Observe: $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$. Let $c' = c \, b^t \bmod n$ with randomly chosen $t$;
then $d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
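The signing, re-randomization and proof-of-knowledge steps on these three slides, as an added example (not code from the slides or from Identity Mixer): toy-sized Python with a constructed 32-bit modulus and 8-bit messages, where the verifier learns $m_2$ and $c'$ but nothing about $m_1$, $e$ or $s'$; the interval parts of the PK expression are assumed away.

```python
"""Toy Camenisch-Lysyanskaya (CL) signatures over a strong-RSA modulus.

Added example, not code from the slides or from Identity Mixer: sign two
messages, verify, re-randomise as on the slide (c' = c*b^t, s' = s - e*t) and
prove knowledge of the signature while revealing m2 and hiding m1. TOY values
(32-bit modulus, 8-bit messages); the interval checks of the slide's PK
expression (mu1 in {0,1}^l, eps > 2^(l+1)) are not implemented.
"""
import hashlib
import secrets

_P, _Q = 65537, 65521            # two known 16-bit primes: the toy secret key
N = _P * _Q                      # public modulus n
PHI = (_P - 1) * (_Q - 1)
ELL = 8                          # message length l in bits
SEC, CHAL = 80, 128              # statistical-hiding and challenge bit lengths

def _qr(seed):
    """a_i, b, d must be quadratic residues mod n: square a seed."""
    return pow(seed, 2, N)

A = [_qr(3), _qr(5)]             # a_1, a_2
B = _qr(7)                       # b
D = _qr(11)                      # d

def _prod(factors):
    out = 1
    for f in factors:
        out = out * f % N
    return out

def _random_prime_e():
    """Random prime e with 2^(l+1) < e < 2^(l+2) that is coprime to phi(n)."""
    lo, hi = 2 ** (ELL + 1), 2 ** (ELL + 2)
    while True:
        e = secrets.randbelow(hi - lo - 1) + lo + 1
        if e % 2 and all(e % d for d in range(3, int(e ** 0.5) + 1, 2)) and PHI % e:
            return e

def sign(messages):
    """Signature (c, e, s) with c = (d / (a1^m1 a2^m2 b^s))^(1/e) mod n."""
    assert len(messages) == len(A) and all(0 <= m < 2 ** ELL for m in messages)
    e, s = _random_prime_e(), secrets.randbelow(N)     # s: an integer of size ~ n
    denom = _prod([pow(a, m, N) for a, m in zip(A, messages)] + [pow(B, s, N)])
    c = pow(D * pow(denom, -1, N) % N, pow(e, -1, PHI), N)  # e-th root needs phi(n)
    return c, e, s

def verify(messages, sig):
    """Check 2^(l+1) < e < 2^(l+2) and d = c^e a1^m1 a2^m2 b^s mod n (s may be < 0)."""
    c, e, s = sig
    lhs = _prod([pow(c, e, N), pow(B, s, N)] + [pow(a, m, N) for a, m in zip(A, messages)])
    return 2 ** (ELL + 1) < e < 2 ** (ELL + 2) and lhs == D

def rerandomise(sig):
    """(c*b^t, e, s - e*t) is another valid signature on the same messages."""
    c, e, s = sig
    t = secrets.randbelow(2 ** (N.bit_length() + SEC))
    return c * pow(B, t, N) % N, e, s - e * t

def _challenge(c2, t, m2):
    data = repr((c2, t, m2)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - CHAL)

def prove(messages, sig):
    """Return c' and a Fiat-Shamir proof of d / a2^m2 = c'^eps a1^mu1 b^sigma.

    The group order is unknown, so responses are plain integers and the
    randomness is SEC + CHAL bits wider than each secret exponent.
    """
    c2, e, s2 = rerandomise(sig)
    m1, m2 = messages
    witnesses = [e, m1, s2]                          # eps, mu1, sigma
    widths = [ELL + 2, ELL, abs(s2).bit_length()]
    r = [secrets.randbits(w + SEC + CHAL) for w in widths]
    t = _prod(pow(base, ri, N) for base, ri in zip([c2, A[0], B], r))
    ch = _challenge(c2, t, m2)
    z = [ri - ch * wi for ri, wi in zip(r, witnesses)]   # no modular reduction
    return c2, (t, ch, z)

def verify_proof(m2, c2, proof):
    """The verifier sees only m2 and c'; m1, e and s' stay hidden."""
    t, ch, z = proof
    target = D * pow(pow(A[1], m2, N), -1, N) % N          # d / a2^m2
    rhs = _prod([pow(b, zi, N) for b, zi in zip([c2, A[0], B], z)] + [pow(target, ch, N)])
    return rhs == t and ch == _challenge(c2, t, m2)

def demo():
    messages = [0x2A, 0x7F]          # constructed: m1 stays hidden, m2 is revealed
    sig = sign(messages)
    c2, proof = prove(messages, sig)
    return (verify(messages, sig), verify(messages, rerandomise(sig)),
            verify([0x2B, 0x7F], sig), verify_proof(0x7F, c2, proof),
            verify_proof(0x70, c2, proof))   # (True, True, False, True, False)
```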
Password-based Security

Passwords are insecure, aren't they?
Passwords inherently insecure? No! We're just using them incorrectly
Username-password is the most prominent form of user authentication

The problem with passwords
(figure: password → salted PW hash; guesses checked one after another: correct, correct, correct, … correct)
Passwords are symmetric secrets: they need protection on the server & at the user → password (hashes) are useless against offline attacks
– Human-memorizable passwords are inherently weak
– NIST: 16-character passwords have 30 bits of entropy ≈ 1 billion possibilities
– A rig of 25 GPUs tests 350 billion possibilities per second, so ≈ 3 ms for 16 characters
– 60% of LinkedIn passwords were cracked within 24h
More expensive hash functions provide very little help only
– increases the verification time as well
– does not work for short passwords such as PINs etc.
Single-server solutions are inherently vulnerable to offline attacks
– Server administrator / hacker can always guess & test
The solution: distributed password verification
Setup: open an account with password $p$
(figure: the password $p$ is split into shares $p_1$ and $p_2$, one per server; $p$ is only determined by $p_1$ and $p_2$ together)

The solution: distributed password verification
Login to account with password $p$
(figure: the login with $p$ is checked jointly against the shares $p_1$ and $p_2$ held by the two servers)
No server alone can test the password: passwords are safe as long as not all servers are hacked
– off-line attacks are no longer possible
– on-line attacks can be throttled
Pro-active re-sharing is possible
First server:
– web-server → replaces the hash-data files
– user's computer → secure against loss or theft of the user device

How it works in a nutshell [CLN12, CEN15]
The servers share the secret decryption key ($x_1$ and $x_2$) for the public key $X$ of a homomorphic encryption scheme. At setup the user encrypts $p$ under $X$: $E = Enc_X(p)$. Password verification = check for an encryption of 1:
$E' = (Enc_X(1/p') \odot E)^r = Enc_X((p/p')^r)$
each server applies its key share to $E'$ (partial decryptions $E'^{x_1}$ and $E'^{x_2}$)
$p = p' \leftrightarrow Dec_X(E') = 1$
Servers do not learn anything
– 1 if the passwords match, a random number otherwise
The user could even be talking to the wrong servers
From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smart phone, laptop, …
Get a key share from the server if the password check succeeded; decrypt all your files on the phone (or stored in the cloud, etc.)
(figure: the password $p$ with shares $p_1$, $p_2$ at the two servers; key shares $k_1$, $k_2$ are released on success and combined into the key $k$)
Further Research Needed
Securing the infrastructure & IoT
– “ad-hoc” establishment of secure authentication and communication
– audit-ability & privacy (where is my information? crime traces?)
– security services, e.g. better CAs, oblivious TTPs, anonymous routing, …
Usability
– HCI
– Infrastructure (setup, use, changes by end users)
Provably secure protocols
– Properly modeling protocols (UC, realistic attack models, …)
– Verifiable security proofs
– Retaining efficiency

Further Research Needed
Quantum computers
– Lots of new crypto needed still
– Build apps algorithm-agnostic
Towards a secure information society
– Society gets shaped by quickly changing technology
– Consequences are hard to grasp yet
– We must inform and engage in a dialog

Conclusion
Let's engage in some rocket science! Much of the needed technology exists … we need to use it & build apps “for the moon” … and make apps usable & secure for end users
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven and many, many more
jca@zurich.ibm.com | JanCamenisch | ibm.biz/jancamenisch
copy 2016 IBM Corporation6 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
ᄅ
Houston we have a problem
copy 2016 IBM Corporation7 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
ᄅ
Houston we have a problem
ldquoBuzz Aldrins footprints are still up thererdquo(Robin Wilton)
copy 2016 IBM Corporation8 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Computers dont forget
Apps built to use amp generate (too much) data
Data is stored by default
Data mining gets ever better
New (ways of) businesses using personal data
Humans forget most things too quickly
Paper collects dust in drawers
copy 2016 IBM Corporation9 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2016 IBM Corporation10 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2016 IBM Corporation11 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2016 IBM Corporation12 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2016 IBM Corporation13 2015 Information Security Summer School - Bilbao
Cryptography to the Aid
copy 2016 IBM Corporation14 October 15 2015 - Press Day
Today two solutions
Identity mixer privacy protecting authentication
Password-based security from humans to cryptographic keys
copy 2016 IBM Corporation15 October 15 2015 - Press Day
Identity Mixer
copy 2016 IBM Corporation16 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2016 IBM Corporation17 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2016 IBM Corporation18 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2016 IBM Corporation19 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2016 IBM Corporation20 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2016 IBM Corporation21 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2016 IBM Corporation22 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation23 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation24 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2016 IBM Corporation25 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Users Keys One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2016 IBM Corporation26 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Certified attributes from Identity provider Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2016 IBM Corporation27 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
→ No control over the data, and far too easy to lose it.

Slide 10: The real problem
Applications are designed with the sandy beach in mind, but are then built on the moon.
– Feature creep: security comes last, if at all
– Everyone can build apps and sell them
– Networks and systems are hardly (well) protected

Slide 11: We need a paradigm shift and must build stuff for the moon rather than for the sandy beach
Security & Privacy is not a lost cause.

Slide 12: Security & Privacy is not a lost cause
That means:
– Reveal only the minimal data necessary
– Encrypt every bit
– Attach usage policies to each bit
Cryptography can do that.
Slide 13: Cryptography to the Aid
(slide footer: 2015 Information Security Summer School - Bilbao)

Slide 14: Today: two solutions
(slide footer: October 15 2015 - Press Day)
– Identity Mixer: privacy-protecting authentication
– Password-based security: from humans to cryptographic keys

Slide 15: Identity Mixer
Slide 16: Alice wants to watch a movie at Movie Streaming Service
[Figure: Alice to Movie Streaming Service: "I wish to see Alice in Wonderland"]

Slide 17: Alice wants to watch a movie at Movie Streaming Service
[Figure: Movie Streaming Service to Alice: "You need a subscription and must be older than 12"]

Slide 18: Watching the movie with the traditional solution
[Figure: Alice to Movie Streaming Service: "OK, here's my eID and my subscription"]
Using the digital equivalent of the paper world, e.g. with X.509 certificates.

Slide 19: Watching the movie with the traditional solution (X.509 certificates)
[Figure: the service now knows: "Aha, you are Alice Doe, born on Dec 12 1975, 7 Waterdrive, CH 8003 Zurich, married, eID expires Aug 4 2018; Mplex customer 1029347, premium subscription, expires Jan 13 2016"]

Slide 20: Watching the movie with the traditional solution
[Figure: the same full disclosure as on slide 19]
This is a privacy and security problem:
– identity theft
– discrimination
– profiling, possibly in connection with other services

Slide 21: Watching the movie with the traditional solution
With OpenID or similar protocols, e.g. "log in with Facebook".

Slide 22: Watching the movie with the traditional solution
With OpenID and similar solutions, e.g. "log in with Facebook":
[Figure: the identity provider learns: "Aha, Alice is watching a 12+ movie"]

Slide 23: Watching the movie with the traditional solution
With OpenID and similar solutions, e.g. "log in with Facebook":
[Figure: the service learns: "Aha, you are alice@facebook.com, 12+; Mplex customer 1029347, premium subscription, expires Jan 13 2016"; the identity provider learns: "Aha, Alice is watching a 12+ movie"]
Slide 24: Proper cryptography solves this: Identity Mixer
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more.

Slide 25: Privacy-protecting authentication with Privacy-ABCs
User's keys: one secret identity (secret key), many public pseudonyms (public keys)
→ use a different identity for each communication partner, or even for each transaction.

Slide 26: Privacy-protecting authentication with Privacy-ABCs
Issuing a credential: certified attributes from an identity provider, e.g. Name = Alice Doe, Birth date = April 3 1997.

Slide 27: Privacy-protecting authentication with Privacy-ABCs
Issuing a credential: certified attributes from the purchasing department.

Slide 28: Privacy-protecting authentication with Privacy-ABCs
[Figure: Alice: "I wish to see Alice in Wonderland"; service: "You need a subscription and must be older than 12"]

Slide 29: Privacy-protecting authentication with Privacy-ABCs
Proving identity claims: Alice does not send her credentials, only a minimal-disclosure proof of
– a valid subscription
– an eID with age ≥ 12
Slide 30: Proving Identity Claims: Minimal Disclosure
[Figure: the verified eID (Alice Doe, born Dec 12 1998, Hauptstr 7, Zurich, CH, single, expires Aug 4 2018) next to the derived view in which the birth date becomes "Age 12+" and the expiry date becomes "Exp: valid"]

Slide 31: Privacy-protecting authentication with Privacy-ABCs
[Figure: the service learns: "Aha, you are older than 12 and have a subscription"]
Proving identity claims without sending the credential: minimal disclosure, verified against the public verification key of the issuer.
The transaction is not linkable to any other of Alice's transactions.

Slide 32: Try Identity Mixer for yourself
– Try it yourself: idemixdemo.mybluemix.net
– Build your app: github.com/IBM-Bluemix/idemix-issuer-verifier
– Source code: github.com/p2abcengine/p2abcengine
– Info: ibm.biz/identity_mixer
Slide 33: You might already have Identity Mixer on your devices
Identity Mixer (and related protocols) in standards: TPM v1.2 (2004) and v2.0 (2015) call it Direct Anonymous Attestation; the FIDO Alliance is standardizing this as well (with and without a chip).
TPMs allow one to store the secret key in a secure place.

Slide 34: Other examples: secure and private access to databases
DNA databases, news/journals/magazines, patent databases.
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).
Cryptographic access protocol such that the database provider has no information about which user accesses which data.

Slide 35: A glimpse at the underlying cryptography

Slide 36: A glimpse at the technical realization
– Zero-knowledge proof of knowledge
– Signature scheme compatible with ZKP
– Commitment scheme compatible with ZKP & signature scheme
Slide 37: Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g\rangle$ and an element $y \in \langle g\rangle$, the prover wants to convince the verifier that she knows $x = \log_g y$, such that the verifier learns only $y$ and $g$. Notation: $PK\{(\alpha): y = g^{\alpha}\}$.
Prover: choose random $r$, compute $t = g^r$, send $t$.
Verifier: choose a random challenge $c$, send $c$.
Prover: compute $s = r - c\,x$ (reduced modulo the order of $g$), send $s$.
Verifier: accept iff $t = g^s\, y^c$.
Slide 38: Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha,\beta): y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$, $PK\{(\alpha,\beta): y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures): $PK\{(\alpha): y = g^{\alpha}\}(m)$
Many exponents: $PK\{(\alpha,\beta,\gamma,\delta): y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals, and groups of different order (under the Strong RSA assumption): $PK\{(\alpha): y = g^{\alpha} \wedge \alpha \in [A,B]\}$, $PK\{(\alpha): y = g^{\alpha} \wedge z = \hat g^{\alpha} \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\hat g))]\}$, where $\hat g$ generates a group of a different order.
Slide 39: RSA Signature Scheme
Rivest, Shamir and Adleman, 1978.
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^{\ell}$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.
Verification of signature $s$ on message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$.

Slide 40: RSA Signature Scheme
Verification of a signature on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
We would like a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^e = H(m) \pmod n\}$.
But this is not a valid proof expression :-( The secret message enters only through the hash $H$, so the relation is not a product of public bases with secret exponents, which is what the $PK$ notation can express.
Slide 41: CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$. Secret key: the factors of $n$.
To sign $k$ messages $m_1, \dots, m_k \in \{0,1\}^{\ell}$: choose a random prime $e$ with $2^{\ell+1} < e < 2^{\ell+2}$ and a random integer $s \approx n$, and compute
$c = \big(d / (a_1^{m_1} \cdots a_k^{m_k}\, b^s)\big)^{1/e} \bmod n$.
The signature is $(c, e, s)$.

Slide 42: CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \dots, m_k$, check $m_1, \dots, m_k \in \{0,1\}^{\ell}$, $e > 2^{\ell+1}$, and
$d = c^e\, a_1^{m_1} \cdots a_k^{m_k}\, b^s \bmod n$.
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Slide 43: Proving Knowledge of a CL-signature
Observe (for $k = 2$):
– $d = c^e\, a_1^{m_1} a_2^{m_2}\, b^s \bmod n$
– Let $c' = c\, b^t \bmod n$ with randomly chosen $t$; then $d = c'^{e}\, a_1^{m_1} a_2^{m_2}\, b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some (hidden) $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon}\, a_1^{\mu_1}\, b^{\sigma} \wedge \mu_1 \in \{0,1\}^{\ell} \wedge \varepsilon > 2^{\ell+1}\}$.
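An added worked example of slides 41 to 43 (written for this page, not code from the slides or from the Identity Mixer library): it signs two messages with a CL signature, verifies, re-randomises $(c, e, s)$ into $(c\,b^t, e, s - et)$, and proves knowledge of the signature with $m_2$ revealed and $m_1$, $e$, $s$ hidden, using a Fiat-Shamir Σ-protocol whose responses are plain integers because the order of $QR_n$ is unknown to the prover. Everything about the parameters is a toy choice for illustration: the modulus is the product of the Mersenne primes $2^{31}-1$ and $2^{61}-1$ rather than a 2048-bit product of safe primes, $\ell = 16$, the seed is fixed, and the range proofs for $\varepsilon$ and $\mu_1$ from slide 43 are left out.

```python
"""Added example for slides 41-43: CL signatures over a toy strong-RSA modulus.
Sign, verify, re-randomise (c, e, s) -> (c*b^t, e, s - e*t), and prove knowledge
of a signature with m_2 revealed and m_1, e, s hidden (Fiat-Shamir, integer exponents)."""
import hashlib
import random

rnd = random.Random(2016)   # fixed seed for a reproducible demo

# Toy modulus from two primes known to be prime (Mersenne primes 2^31-1 and 2^61-1);
# a real CL modulus is a ~2048-bit product of two safe primes.
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
L = 16          # message length ell in bits
K = 2           # number of message slots

def random_qr():
    """Random quadratic residue mod N: the square of a random unit."""
    while True:
        x = rnd.randrange(2, N)
        if x % P and x % Q:
            return pow(x, 2, N)

def random_prime(lo, hi):
    """Random prime in (lo, hi) by trial division; the interval here is 18-bit."""
    while True:
        e = rnd.randrange(lo + 1, hi)
        if all(e % f for f in range(2, int(e ** 0.5) + 1)):
            return e

# Public key: N and a_1..a_k, b, d in QR_N.  Secret key: the factors of N (PHI).
A = [random_qr() for _ in range(K)]
B, D = random_qr(), random_qr()

def sign(msgs):
    """(c, e, s) with c = (d / (prod_i a_i^{m_i} * b^s))^{1/e} mod N."""
    assert len(msgs) == K and all(0 <= m < 2**L for m in msgs)
    e = random_prime(2**(L + 1), 2**(L + 2))     # prime with 2^{l+1} < e < 2^{l+2}
    s = rnd.randrange(N // 2, N)                 # integer s of about the size of N
    prod = pow(B, s, N)
    for a, m in zip(A, msgs):
        prod = prod * pow(a, m, N) % N
    base = D * pow(prod, -1, N) % N
    return pow(base, pow(e, -1, PHI), N), e, s   # e-th root needs the factorisation

def verify(sig, msgs):
    """d == c^e * prod_i a_i^{m_i} * b^s mod N, plus the range checks of slide 42."""
    c, e, s = sig
    if not (2**(L + 1) < e < 2**(L + 2)) or any(not 0 <= m < 2**L for m in msgs):
        return False
    lhs = pow(c, e, N) * pow(B, s, N) % N        # a negative s uses b^{-1} (Python 3.8+)
    for a, m in zip(A, msgs):
        lhs = lhs * pow(a, m, N) % N
    return lhs == D

def rerandomise(sig):
    """(c*b^t, e, s - e*t) is a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = rnd.randrange(N)
    return c * pow(B, t, N) % N, e, s - e * t

def challenge(c2, m2, t_com):
    h = hashlib.sha256(f"{N}|{c2}|{m2}|{t_com}".encode()).digest()
    return int.from_bytes(h[:16], "big")         # 128-bit Fiat-Shamir challenge

def prove_hidden_m1(sig, msgs):
    """PK{(eps, mu1, sigma): d / a_2^{m_2} = c'^eps * a_1^mu1 * b^sigma} on a
    re-randomised copy of sig; m_2 is revealed, m_1/e/s stay hidden.
    (The range proofs for eps and mu1 on slide 43 are omitted here.)"""
    c2, e, s2 = rerandomise(sig)
    m1, m2 = msgs
    # Integer masks wider than (witness * challenge) by a statistical margin of 80 bits.
    r_e = rnd.getrandbits(L + 2 + 128 + 80)
    r_m = rnd.getrandbits(L + 128 + 80)
    r_s = rnd.getrandbits(N.bit_length() + L + 2 + 128 + 80)
    t_com = pow(c2, r_e, N) * pow(A[0], r_m, N) * pow(B, r_s, N) % N
    ch = challenge(c2, m2, t_com)
    return c2, m2, t_com, (r_e + ch * e, r_m + ch * m1, r_s + ch * s2)

def verify_proof(proof):
    c2, m2, t_com, (z_e, z_m, z_s) = proof
    y = D * pow(pow(A[1], m2, N), -1, N) % N     # public value d / a_2^{m_2}
    lhs = pow(c2, z_e, N) * pow(A[0], z_m, N) * pow(B, z_s, N) % N
    return lhs == t_com * pow(y, challenge(c2, m2, t_com), N) % N

if __name__ == "__main__":
    msgs = [0x1234, 42]                          # e.g. (hidden user secret, revealed attribute)
    sig = sign(msgs)
    print("signature verifies:", verify(sig, msgs))
    fresh = rerandomise(sig)
    print("re-randomised copy verifies:", verify(fresh, msgs), "and differs:", fresh[0] != sig[0])
    print("proof with m_1 hidden verifies:", verify_proof(prove_hidden_m1(sig, msgs)))
```

Because $e$ and $s$ never leave the prover and $c'$ is freshly blinded for every proof, two showings of the same credential share no value a verifier could match up; that is what slide 31 means by transactions that are not linkable. Without the omitted range proofs a cheating prover could pick $\varepsilon$ and $\mu_1$ outside their intervals, so they are part of the real protocol, not an optimisation.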
Slide 44: Password-based Security

Slide 45: Passwords are insecure, aren't they?
Are passwords inherently insecure? No. We're just using them incorrectly.
Username-password is the most prominent form of user authentication.

Slide 46: The problem with passwords
[Figure: a password is stored as a salted password hash; an attacker runs guess after guess against the hash offline until one is "correct"]
Passwords are symmetric secrets and need protection on both the server and the user side → password hashes on their own are useless against offline attacks:
– Human-memorizable passwords are inherently weak
– NIST: 16-character passwords have about 30 bits of entropy, i.e. ≈ 1 billion possibilities
– A rig of 25 GPUs tests 350 billion possibilities per second, so ≈ 3 ms for all 16-character passwords
– 60% of the LinkedIn passwords were cracked within 24 h
More expensive hash functions provide only very little help:
– they increase the verification time for the legitimate server as well
– they do not work for short secrets such as PINs etc.
Single-server solutions are inherently vulnerable to offline attacks:
– a server administrator or a hacker can always guess & test
Slide 47: The solution: distributed password verification
Setup: open an account with password p.
[Figure: the password p is shared into p1 and p2, one share stored at each of two servers]

Slide 48: The solution: distributed password verification
Login to the account with password p.
[Figure: the login attempt p is checked jointly against the shares p1 and p2 held by the two servers]
No server alone can test a password; the passwords are safe as long as not all servers are hacked:
– offline attacks are no longer possible
– online attacks can be throttled
Pro-active re-sharing is possible.
The first server can be
– a web server: replaces the hash/data files
– the user's own computer: secure against loss or theft of the user's device
Slide 49: How it works in a nutshell [CLN12, CEN15]
The servers share the secret key of a homomorphic encryption scheme: server 1 holds $x_1$ and server 2 holds $x_2$ for the joint public key $X$. At setup the user encrypts $p$ under $X$: $E = \mathrm{Enc}_X(p)$.
Password verification on a login attempt $p'$ is a check for an encryption of 1. With a random exponent $r$,
$E' = (\mathrm{Enc}_X(1/p') \odot E)^r = \mathrm{Enc}_X((p/p')^r)$;
each server applies its key share $x_i$ to $E'$, and the partial decryptions are combined so that
$p = p' \iff \mathrm{Dec}_X(E') = 1$.
The servers learn nothing but the result: 1 if the passwords match, a random number otherwise.
The user could even be talking to the wrong servers.
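An added example (written for this page, not the speaker's code) covering slide 37 and 38's Schnorr protocol and slide 49's two-server password check in one Python file, since both live in the same prime-order group: it generates a safe-prime group, runs the interactive $PK\{(\alpha): y = g^{\alpha}\}$, shows the zero-knowledge simulator that produces an accepting transcript without knowing $x$, the Fiat-Shamir variant, and then ElGamal encryption under a key $X = g^{x_1 + x_2}$ whose shares $x_1$, $x_2$ sit at two servers, with the login check $(\mathrm{Enc}_X(1/p') \odot E)^r$ and the threshold decryption. Assumptions not on the slides: passwords are mapped into the group as $g^{H(p)}$, the client itself produces $\mathrm{Enc}_X(1/p')$, and each server contributes its own blinding exponent; the 64-bit group and fixed seed are demo sizes only.

```python
"""Added example for slides 37/38 and 49: Schnorr PK of a discrete log and the
two-server homomorphic password check, both in one prime-order group <g>, |<g>| = q."""
import hashlib
import random

rnd = random.Random(2016)   # fixed seed: reproducible demo; use `secrets` for real keys

def is_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64):
    """Safe prime p = 2q + 1 and a generator g of the order-q subgroup of Z_p^*."""
    while True:
        q = rnd.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            g = pow(rnd.randrange(2, 2 * q), 2, 2 * q + 1)   # non-trivial square: order q
            if g != 1:
                return 2 * q + 1, q, g

P, Q, G = make_group()

def hash_to_zq(*parts):
    h = hashlib.sha256("|".join(str(x) for x in parts).encode()).digest()
    return int.from_bytes(h, "big") % Q

# ---- Slide 37: PK{(alpha): y = g^alpha} -------------------------------------
def prover_commit():
    r = rnd.randrange(Q)
    return r, pow(G, r, P)                          # t = g^r

def prover_respond(x, r, c):
    return (r - c * x) % Q                          # s = r - c*x (mod q)

def verifier_check(y, t, c, s):
    return t == pow(G, s, P) * pow(y, c, P) % P     # accept iff t == g^s * y^c

def run_interactive(x):
    """The three-move exchange: t from the prover, c from the verifier, s back."""
    y = pow(G, x, P)
    r, t = prover_commit()
    c = rnd.randrange(Q)
    return verifier_check(y, t, c, prover_respond(x, r, c))

def simulate(y):
    """Zero-knowledge: an accepting transcript (t, c, s) built from y alone, without x."""
    c, s = rnd.randrange(Q), rnd.randrange(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s

def schnorr_sign(x, msg):
    """Slide 38, Fiat-Shamir: c = H(y, t, msg) turns the PK into a Schnorr signature."""
    r, t = prover_commit()
    return t, prover_respond(x, r, hash_to_zq(pow(G, x, P), t, msg))

def schnorr_verify(y, msg, sig):
    t, s = sig
    return verifier_check(y, t, hash_to_zq(y, t, msg), s)

# ---- Slide 49: ElGamal under X = g^(x1 + x2), one key share per server ------
def shared_keygen():
    x1, x2 = rnd.randrange(1, Q), rnd.randrange(1, Q)
    return x1, x2, pow(G, x1 + x2, P)

def pw_to_group(pw):
    return pow(G, hash_to_zq("pw", pw), P)          # assumption: password encoded as g^H(pw)

def enc(X, m):
    k = rnd.randrange(1, Q)
    return pow(G, k, P), pow(X, k, P) * m % P       # Enc_X(m) = (g^k, X^k * m)

def login(X, shares, E, attempt):
    """E = Enc_X(p) from setup; returns True iff attempt == p. Servers see 1 or noise."""
    u, v = enc(X, pow(pw_to_group(attempt), -1, P))        # client sends Enc_X(1/p')
    u, v = u * E[0] % P, v * E[1] % P                       # homomorphic product: Enc_X(p/p')
    for _ in shares:                                        # each server blinds with its own r
        r = rnd.randrange(1, Q)
        u, v = pow(u, r, P), pow(v, r, P)                   # Enc_X((p/p')^r)
    partial = 1
    for x_i in shares:                                      # partial decryptions u^{x_i}
        partial = partial * pow(u, x_i, P) % P
    return v * pow(partial, -1, P) % P == 1                 # (p/p')^r == 1 iff p == p'

if __name__ == "__main__":
    x = rnd.randrange(1, Q); y = pow(G, x, P)
    print("interactive:", run_interactive(x), "simulated:", verifier_check(y, *simulate(y)))
    print("signature:", schnorr_verify(y, "hi", schnorr_sign(x, "hi")))
    x1, x2, X = shared_keygen(); E = enc(X, pw_to_group("correct horse"))
    print("login:", login(X, (x1, x2), E, "correct horse"), login(X, (x1, x2), E, "wrong"))
```

The `simulate` function is the point of slide 37's "the verifier learns only $y$ and $g$": a transcript the verifier accepts can be produced by anyone who knows $y$, so the transcript cannot carry information about $x$. In `login`, a wrong attempt decrypts to $(p/p')^r$ for a blinding $r$ no single server controls, so a compromised server sees a uniformly random group element rather than anything it could test guesses against offline, which is the property slide 48 claims.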
Slide 50: From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smart phone, laptop, ...
Get a key share from each server if the password check succeeded, and decrypt all your files on the phone (or stored in the cloud, etc.).
[Figure: the servers hold the password shares p1, p2 and the key shares k1, k2]

Slide 51: From password to cryptographic keys [CLN12, CLLN14, CEN15]
[Figure: after the login with p succeeds against the shares p1, p2, the key shares k1 and k2 are released and combined into the key k]
Slide 52: Further Research Needed
Securing the infrastructure & IoT
– "ad-hoc" establishment of secure authentication and communication
– auditability & privacy (where is my information, crime traces)
– security services, e.g. better CAs, oblivious TTPs, anonymous routing, ...
Usability
– HCI
– Infrastructure (setup, use, changes by end users)
Provably secure protocols
– properly modeling protocols (UC, realistic attack models)
– verifiable security proofs
– retaining efficiency

Slide 53: Further Research Needed
Quantum computers
– lots of new crypto still needed
– build apps algorithm-agnostic
Towards a secure information society
– society gets shaped by quickly changing technology
– the consequences are hard to grasp yet
– we must inform and engage in a dialog

Slide 54: Conclusion
Let's engage in some rocket science. Much of the needed technology exists ... we need to use it and build apps "for the moon" ... and make apps usable & secure for end users.
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven and many, many more.
jca@zurich.ibm.com, JanCamenisch, ibm.biz/jancamenisch
copy 2016 IBM Corporation8 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Computers dont forget
Apps built to use amp generate (too much) data
Data is stored by default
Data mining gets ever better
New (ways of) businesses using personal data
Humans forget most things too quickly
Paper collects dust in drawers
copy 2016 IBM Corporation9 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2016 IBM Corporation10 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2016 IBM Corporation11 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2016 IBM Corporation12 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2016 IBM Corporation13 2015 Information Security Summer School - Bilbao
Cryptography to the Aid
copy 2016 IBM Corporation14 October 15 2015 - Press Day
Today two solutions
Identity mixer privacy protecting authentication
Password-based security from humans to cryptographic keys
copy 2016 IBM Corporation15 October 15 2015 - Press Day
Identity Mixer
copy 2016 IBM Corporation16 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2016 IBM Corporation17 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2016 IBM Corporation18 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2016 IBM Corporation19 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2016 IBM Corporation20 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2016 IBM Corporation21 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2016 IBM Corporation22 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation23 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation24 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2016 IBM Corporation25 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Users Keys One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2016 IBM Corporation26 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Certified attributes from Identity provider Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2016 IBM Corporation27 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation9 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2016 IBM Corporation10 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
We need a paradigm shift & build stuff for the moon rather than the sandy beach
Security & privacy is not a lost cause
That means: reveal only the minimal data necessary; encrypt every bit; attach usage policies to each bit.
Cryptography can do that.
Security & privacy is not a lost cause
Cryptography to the Aid
Today: two solutions
– Identity Mixer: privacy-protecting authentication
– Password-based security: from humans to cryptographic keys
Identity Mixer
Alice wants to watch a movie at Movie Streaming Service
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need a subscription and must be older than 12"
Watching the movie with the traditional solution
Alice → Movie Streaming Service: "OK, here's my eID and my subscription"
Using the digital equivalent of the paper world, e.g. X.509 certificates, the service now sees everything the certificates contain:
– "Aha, you are Alice Doe, born on Dec 12, 1975, 7 Waterdrive, CH-8003 Zurich, married; expires Aug 4, 2018"
– "Mplex customer 1029347, Premium subscription, expires Jan 13, 2016"
This is a privacy and security problem:
– identity theft
– discrimination
– profiling, possibly in connection with other services
Watching the movie with the traditional solution: OpenID and similar protocols, e.g. log-in with Facebook
Alice logs in via Facebook, so the identity provider learns: "Aha, Alice is watching a 12+ movie"
The Movie Streaming Service learns: "Aha, you are Alice@facebook.com, 12+", plus Mplex customer 1029347, Premium subscription, expires Jan 13, 2016
Proper cryptography solves this: Identity Mixer
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more.
Privacy-protecting authentication with Privacy-ABCs
User's keys: one secret identity (secret key), many public pseudonyms (public keys)
→ use a different identity for each communication partner, or even for each transaction
Issuing a credential: certified attributes from an identity provider, e.g. Name = Alice Doe, Birth date = April 3, 1997
Issuing a credential: certified attributes from the purchasing department (the subscription)
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland"
Movie Streaming Service → Alice: "You need a subscription and must be older than 12"
Alice proves the identity claims (a valid subscription; an eID with age ≥ 12) but does not send the credentials: only minimal disclosure.
Proving identity claims: minimal disclosure
Credential as issued (verified ID): Alice Doe, Dec 12, 1998, Hauptstr. 7, Zurich, CH, single, exp. Aug 4, 2018
What the verifier gets to see: age 12+, credential valid; name, birth date, address, marital status and expiry date stay hidden
Movie Streaming Service: "Aha, you are older than 12 and have a subscription"
Alice proves the identity claims but does not send the credential, only the minimal disclosure; the verifier needs nothing but the public verification key of the issuer.
The transaction is not linkable to any other of Alice's transactions.
Try Identity Mixer for yourself
– Try it: idemixdemo.mybluemix.net
– Build your app: github.com/IBM-Bluemix/idemix-issuer-verifier
– Source code: github.com/p2abcengine/p2abcengine
– Info: ibm.biz/identity_mixer
You might already have Identity Mixer on your devices
Identity Mixer (and related protocols) in standards: TPM v1.2 (2004) and v2.0 (2015) call it Direct Anonymous Attestation; the FIDO Alliance is standardizing this as well (with and without a chip).
TPMs allow one to store the secret key in a secure place.
Other examples: secure and private access to databases
– DNA databases, news/journals/magazines, patent databases
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).
A cryptographic access protocol such that the database provider has no information about which user accesses which data.
A glimpse at the underlying cryptography
Technical realization:
– zero-knowledge proof of knowledge
– signature scheme compatible with the ZKP
– commitment scheme compatible with the ZKP & signature scheme
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group ⟨g⟩ and an element y ∈ ⟨g⟩, the prover wants to convince the verifier that she knows x = log_g y, such that the verifier learns only y and g.
Prover: picks random r, sends t = g^r
Verifier: picks random c, sends c
Prover: sends s = r − c·x
Verifier: checks t = g^s · y^c
Notation: PK{(α): y = g^α}
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms (cont.)
Logical combinations:
PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}, PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures): PK{(α): y = g^α}(m)
Many exponents: PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under Strong RSA): PK{(α): y = g^α ∧ α ∈ [A, B]}, PK{(α): y = g^α ∧ z = g̃^α ∧ α ∈ [0, min(ord(g), ord(g̃))]}
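The protocol of the two slides above, carried through in Python as an added example (not code from the slides or from Identity Mixer): the interactive three-move proof for PK{(α): y = g^α}, its Fiat-Shamir version PK{(α): y = g^α}(m), and the conjunction PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}, where reusing one blinding value across two equations is what proves the two exponents are equal. The group is the order-q subgroup of Z_p* for a small safe prime p = 2q+1 found by trial division; that group, the generator g = 4 and the use of SHA-256 as the Fiat-Shamir hash are assumptions for the demo (a deployment uses a standardised group or an elliptic curve).

```python
"""Schnorr proofs of knowledge of discrete logarithms (added example)."""
import hashlib
import secrets


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def make_group(start=1 << 30):
    """Toy group: p = 2q+1 safe prime, g = 4 generates the order-q subgroup.
    Demo assumption only; a 31-bit q is far too small for real use."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


def challenge(q, *parts):
    """Fiat-Shamir challenge: hash of everything the verifier would see."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


class Prover:
    """Interactive PK{(alpha): y = g^alpha}: commit t = g^r, answer s = r - c*x."""

    def __init__(self, grp, x):
        self.p, self.q, self.g = grp
        self.x = x

    def commit(self):
        self.r = secrets.randbelow(self.q)
        return pow(self.g, self.r, self.p)            # t = g^r

    def respond(self, c):
        return (self.r - c * self.x) % self.q         # s = r - c*x (mod q)


def verify_dlog(grp, y, t, c, s):
    """Verifier's check: t == g^s * y^c."""
    p, _, g = grp
    return t == pow(g, s, p) * pow(y, c, p) % p


def spk_sign(grp, x, y, msg):
    """Non-interactive PK{(alpha): y = g^alpha}(msg): the challenge is a hash."""
    p, q, g = grp
    r = secrets.randbelow(q)
    t = pow(g, r, p)
    c = challenge(q, p, g, y, t, msg)
    return c, (r - c * x) % q


def spk_verify(grp, y, msg, sig):
    p, q, g = grp
    c, s = sig
    t = pow(g, s, p) * pow(y, c, p) % p               # recompute t from (c, s)
    return c == challenge(q, p, g, y, t, msg)


def and_prove(grp, h, alpha, beta, y, z, u):
    """PK{(alpha, beta): y = g^alpha AND z = g^beta AND u = g^beta * h^alpha}.
    One blinding r_a serves both y and u, so a single response s_a has to fit
    both equations: that is what binds the exponent of y to the one in u."""
    p, q, g = grp
    ra, rb = secrets.randbelow(q), secrets.randbelow(q)
    ty = pow(g, ra, p)
    tz = pow(g, rb, p)
    tu = pow(g, rb, p) * pow(h, ra, p) % p
    c = challenge(q, p, g, h, y, z, u, ty, tz, tu)
    return c, ((ra - c * alpha) % q, (rb - c * beta) % q)


def and_verify(grp, h, y, z, u, proof):
    p, q, g = grp
    c, (sa, sb) = proof
    ty = pow(g, sa, p) * pow(y, c, p) % p
    tz = pow(g, sb, p) * pow(z, c, p) % p
    tu = pow(g, sb, p) * pow(h, sa, p) * pow(u, c, p) % p
    return c == challenge(q, p, g, h, y, z, u, ty, tz, tu)


if __name__ == "__main__":
    grp = make_group()
    p, q, g = grp
    x = secrets.randbelow(q)
    y = pow(g, x, p)
    prover = Prover(grp, x)
    t = prover.commit()
    c = secrets.randbelow(q)                          # verifier's random challenge
    print("interactive:", verify_dlog(grp, y, t, c, prover.respond(c)))
    print("fiat-shamir:", spk_verify(grp, y, "watch", spk_sign(grp, x, y, "watch")))
```

The interactive variant is the one drawn on the slide; `spk_sign` is the same protocol with the verifier's random c replaced by a hash over the transcript and a message, which is exactly a Schnorr signature on that message.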
RSA Signature Scheme
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q. Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing the signature on a message m ∈ {0,1}*: d = 1/e mod (p−1)(q−1), s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
RSA Signature Scheme (cont.)
Verification of a signature on a message m ∈ {0,1}*: s^e = H(m) (mod n)
We want a proof of knowledge of a signature on a message, e.g. PK{(m, s): s^e = H(m) (mod n)}
But this is not a valid proof expression :-( The hash H is not an algebraic operation in the group, so the relation cannot be written as a product of known bases raised to secret exponents, which is what the proofs above need.
CL-Signature Scheme
Public key of the signer: RSA modulus n and a_i, b, d ∈ QR_n. Secret key: the factors of n.
To sign k messages m_1, …, m_k ∈ {0,1}^ℓ: choose a random prime e with 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, and compute
c = (d / (a_1^{m_1} ⋯ a_k^{m_k} b^s))^{1/e} mod n
The signature is (c, e, s).
CL-Signature Scheme (cont.)
To verify a signature (c, e, s) on messages m_1, …, m_k: check m_1, …, m_k ∈ {0,1}^ℓ, e > 2^{ℓ+1}, and
d = c^e a_1^{m_1} ⋯ a_k^{m_k} b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-Signature
Observe: d = c^e a_1^{m_1} a_2^{m_2} b^s mod n. Let c' = c · b^t mod n with randomly chosen t; then
d = c'^e a_1^{m_1} a_2^{m_2} b^{s − e·t} (mod n),
i.e. (c', e, s' = s − e·t) is also a signature on m_1 and m_2.
To prove knowledge of a signature (c', e, s') on m_2 and some m_1: provide c' and
PK{(ε, µ_1, σ): d / a_2^{m_2} = c'^ε a_1^{µ_1} b^σ ∧ µ_1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
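The three CL-signature slides above (sign, verify, re-randomise, prove knowledge) as one added Python example; this is not the Identity Mixer or p2abcengine implementation. It signs two messages, verifies, applies the (c' = c·b^t, s' = s − e·t) trick, and then runs a Fiat-Shamir proof of knowledge that shows c' and m_2 while keeping e, m_1 and s' hidden, with the verifier recomputing d / a_2^{m_2}. Assumptions for the demo: the modulus is a product of two 20-bit safe primes found by trial division (Strong RSA is trivially broken at that size), SHA-256 serves as the challenge hash, and the range conditions µ_1 ∈ {0,1}^ℓ and ε > 2^{ℓ+1} on the hidden exponents are not enforced by `check_proof`, although a real verifier must add those range proofs.

```python
"""CL signatures and a proof of knowledge of a signature (added example)."""
import hashlib
import math
import secrets

L = 8            # message length ℓ: each m_i is in {0,1}^ℓ
CH_BITS = 128    # Fiat-Shamir challenge length
STAT = 80        # statistical-hiding slack for the proof randomness

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def safe_prime(start):                         # smallest 2q+1 with q >= start, both prime
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

def keygen(k=2):
    """Public key (n, a_1..a_k, b, d in QR_n); secret key = factors of n.
    Also returns |QR_n|, which the signer needs to compute 1/e."""
    p, q = safe_prime(1 << 19), safe_prime((1 << 19) + 5000)
    assert p != q
    n = p * q
    order = (p - 1) // 2 * ((q - 1) // 2)      # |QR_n| for safe primes p, q

    def qr():                                   # random element of QR_n other than 1
        while True:
            x = secrets.randbelow(n)
            y = x * x % n
            if y != 1 and math.gcd(x, n) == 1:
                return y

    return {"n": n, "a": [qr() for _ in range(k)], "b": qr(), "d": qr()}, order

def sign(pk, order, msgs):
    """c = (d / (a_1^m_1 ... a_k^m_k b^s))^(1/e) mod n, prime 2^(ℓ+1) < e < 2^(ℓ+2)."""
    n = pk["n"]
    while True:
        e = (1 << (L + 1)) + secrets.randbelow(1 << (L + 1))
        if e > (1 << (L + 1)) and is_prime(e):
            break
    s = secrets.randbits(n.bit_length() + L + STAT)
    base = pow(pk["b"], s, n)
    for a_i, m_i in zip(pk["a"], msgs):
        base = base * pow(a_i, m_i, n) % n
    c = pow(pk["d"] * pow(base, -1, n) % n, pow(e, -1, order), n)
    return c, e, s

def verify(pk, sig, msgs):
    """d == c^e a_1^m_1 ... a_k^m_k b^s mod n, e in range, m_i in {0,1}^ℓ."""
    c, e, s = sig
    n = pk["n"]
    if not ((1 << (L + 1)) < e < (1 << (L + 2)) and is_prime(e)):
        return False
    if any(not 0 <= m < (1 << L) for m in msgs):
        return False
    rhs = pow(c, e, n) * pow(pk["b"], s, n) % n  # pow() inverts b when s < 0
    for a_i, m_i in zip(pk["a"], msgs):
        rhs = rhs * pow(a_i, m_i, n) % n
    return rhs == pk["d"]

def randomize(pk, sig):
    """(c b^t, e, s - e t) is a fresh-looking signature on the same messages."""
    c, e, s = sig
    t = secrets.randbits(pk["n"].bit_length() + STAT)
    return c * pow(pk["b"], t, pk["n"]) % pk["n"], e, s - e * t

def challenge(*parts):
    h = hashlib.sha256("|".join(str(v) for v in parts).encode()).digest()
    return int.from_bytes(h[:CH_BITS // 8], "big")

def prove(pk, sig, msgs):
    """PK{(ε, µ1, σ): d / a_2^m_2 = c'^ε a_1^µ1 b^σ}: reveal m_2, hide e, m_1, s.
    The group has unknown order, so responses are plain integers (no reduction)
    and the blinding values are taken much larger than the secrets they hide."""
    c, e, s = randomize(pk, sig)
    n, (a1, a2), b, d = pk["n"], pk["a"][:2], pk["b"], pk["d"]
    m1, m2 = msgs
    T = d * pow(a2, -m2, n) % n                 # public value d / a_2^m_2
    r_e = secrets.randbits(L + 2 + CH_BITS + STAT)
    r_m = secrets.randbits(L + CH_BITS + STAT)
    r_s = secrets.randbits(abs(s).bit_length() + CH_BITS + STAT)
    R = pow(c, r_e, n) * pow(a1, r_m, n) * pow(b, r_s, n) % n
    ch = challenge(n, c, m2, T, R)
    return {"c": c, "m2": m2, "R": R, "z": (r_e + ch * e, r_m + ch * m1, r_s + ch * s)}

def check_proof(pk, proof):
    """c'^z_e a_1^z_m b^z_s == R * T^ch, with T and ch recomputed by the verifier."""
    n, (a1, a2), b, d = pk["n"], pk["a"][:2], pk["b"], pk["d"]
    c, m2, R, (ze, zm, zs) = proof["c"], proof["m2"], proof["R"], proof["z"]
    T = d * pow(a2, -m2, n) % n
    ch = challenge(n, c, m2, T, R)
    return pow(c, ze, n) * pow(a1, zm, n) * pow(b, zs, n) % n == R * pow(T, ch, n) % n

if __name__ == "__main__":
    pk, order = keygen()
    sig = sign(pk, order, (0x2A, 0x07))          # (hidden attribute, revealed attribute)
    print("verify:", verify(pk, sig, (0x2A, 0x07)))
    print("proof, m_2 revealed:", check_proof(pk, prove(pk, sig, (0x2A, 0x07))))
```

Because `prove` re-randomises before proving, two proofs from the same credential show unrelated values of c', which is the unlinkability the Identity Mixer slides promise; the proof only convinces the verifier because the signer's `d` and the bases are fixed in the public key.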
Password-based Security
Passwords are insecure, aren't they?
Are passwords inherently insecure? No: we're just using them incorrectly.
Username and password remain the most prominent form of user authentication.
The problem with passwords
[Figure: an attacker holding a stolen file of salted password hashes tests guess after guess offline; every guess can be checked locally ("correct", "correct", …).]
Passwords are symmetric secrets that need protection on the server & on the user side → password (hashes) are useless against offline attacks
– human-memorizable passwords are inherently weak
– NIST: 16-character passwords have about 30 bits of entropy, i.e. ≈ 1 billion possibilities
– a rig of 25 GPUs tests 350 billion possibilities per second, so ≈ 3 ms for 16 characters
– 60% of the LinkedIn passwords were cracked within 24 h
More expensive hash functions provide only very little help:
– they increase the server's verification time as well
– they do not work for short passwords such as PINs etc.
Single-server solutions are inherently vulnerable to offline attacks: a server administrator or a hacker can always guess & test.
The solution: distributed password verification
Setup: open an account with password p.
[Figure: the password p is split into two shares p1 and p2, one stored at each server; neither share alone determines p.]
The solution: distributed password verification (cont.)
Login to the account with password p: the attempt is checked jointly by both servers against their shares p1 and p2.
No server alone can test the password: passwords are safe as long as not all servers are hacked
– off-line attacks are no longer possible
– on-line attacks can be throttled
– pro-active re-sharing is possible
Where the first server can live:
– the web server itself, replacing its password-hash files
– the user's own computer, which then also protects against loss or theft of the user device
How it works in a nutshell [CLN12, CEN15]
The servers share the decryption key (as x1 and x2) for a public key X of a homomorphic encryption scheme. At setup the user encrypts p under X: E = Enc_X(p).
Password verification: check for an encryption of 1.
– the user sends Enc_X(1/p') for the attempted password p'
– the servers compute E' = (Enc_X(1/p') ⊙ E)^r = Enc_X((p/p')^r) with random r
– the servers decrypt jointly with their shares, E'^{x1} and E'^{x2}: p = p' ↔ Dec_X(E') = 1
The servers do not learn anything: the result is 1 if the passwords match and a random number otherwise.
The user could even be talking to the wrong servers.
From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smart phone, laptop, …
– get a key share (k1, k2) from each server if the password check against the shares p1, p2 succeeded
– combine them into the key k and decrypt all your files on the phone (or stored in the cloud etc.)
Further Research Needed
Securing the infrastructure & IoT
– "ad-hoc" establishment of secure authentication and communication
– auditability & privacy (where is my information? crime traces?)
– security services, e.g. better CAs, oblivious TTPs, anonymous routing, …
Usability
– HCI
– infrastructure (setup, use, changes by end users)
Provably secure protocols
– properly modeling protocols (UC, realistic attack models, …)
– verifiable security proofs
– retaining efficiency
Further Research Needed (cont.)
Quantum computers
– lots of new crypto still needed
– build apps algorithm-agnostic
Towards a secure information society
– society gets shaped by quickly changing technology
– the consequences are hard to grasp yet
– we must inform and engage in a dialog
Conclusion
Let's engage in some rocket science: much of the needed technology exists … we need to use it & build apps "for the moon" … and make those apps usable & secure for end users.
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven, and many, many more.
jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
Security & Privacy is not a lost cause
That means: reveal only the minimal data necessary; encrypt every bit; attach usage policies to each bit.
Cryptography can do that.
© 2016 IBM Corporation | 13 | 2015 Information Security Summer School - Bilbao
Cryptography to the Aid
© 2016 IBM Corporation | 14 | October 15 2015 - Press Day
Today: two solutions
- Identity Mixer: privacy-protecting authentication
- Password-based security: from humans to cryptographic keys
Identity Mixer
Alice wants to watch a movie at Movie Streaming Service
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland."
Movie Streaming Service → Alice: "You need: a subscription, and to be older than 12."
Watching the movie with the traditional solution
Using the digital equivalent of the paper world, e.g. with X.509 certificates:
Alice → Movie Streaming Service: "OK, here's my eID and my subscription."
Movie Streaming Service: "Aha, you are Alice Doe, born on Dec 12 1975, 7 Waterdrive, CH-8003 Zurich, married, (eID) expires Aug 4 2018; Mplex customer 1029347, Premium Subscription, expires Jan 13 2016."
This is a privacy and security problem: identity theft, discrimination, profiling (possibly in connection with other services).
With OpenID and similar protocols, e.g. log-in with Facebook:
Facebook (the identity provider): "Aha, Alice is watching a 12+ movie."
Movie Streaming Service: "Aha, you are Alice@facebook.com, 12+; Mplex customer 1029347, Premium Subscription, expires Jan 13 2016."
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
Privacy-protecting authentication with Privacy ABCs
User's keys: one secret identity (secret key), many public pseudonyms (public keys) → use a different identity for each communication partner, or even for each transaction.
Issuing a credential: certified attributes from the identity provider, e.g. Name = Alice Doe, Birth date = April 3 1997.
Issuing a credential: certified attributes from the purchasing department (the subscription).
Alice → Movie Streaming Service: "I wish to see Alice in Wonderland."
Movie Streaming Service → Alice: "You need: a subscription, and to be older than 12."
Proving identity claims: Alice does not send the credentials themselves, only a minimal disclosure: a valid subscription, and an eID with age ≥ 12.
Proving Identity Claims: Minimal Disclosure
[Figure: two "verified ID" cards. Credential as issued: Alice Doe, Dec 12 1998, Hauptstr. 7 Zurich CH, single, Exp. Aug 4 2018. Under minimal disclosure the verifier sees only: Age 12+, Exp. valid; the other attributes stay hidden.]
Movie Streaming Service: "Aha, you are older than 12 and have a subscription."
Proving identity claims: the credential itself is not sent, only a minimal disclosure, which the service checks against the public verification key of the issuer.
The transaction is not linkable to any other of Alice's transactions.
Try Identity Mixer for yourself
- Try yourself: idemixdemo.mybluemix.net
- Build your app: github.com/IBM-Bluemix/idemix-issuer-verifier
- Source code: github.com/p2abcengine/p2abcengine
- Info: ibm.biz/identity_mixer
You might already have Identity Mixer on your devices
Identity Mixer (and related protocols) is in standards: TPM 1.2 (2004) and TPM 2.0 (2015) call it Direct Anonymous Attestation; FIDO Alliance authentication is standardizing this as well (with and without a chip).
TPMs allow one to store the secret key in a secure place.
Other examples: secure and private access to databases
DNA databases, news/journals/magazines, patent databases.
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).
Cryptographic access protocol s.t. the database provider has no information about which user accesses which data.
A glimpse at the underlying cryptography
A glimpse at the technical realization; the building blocks are:
- Zero-knowledge proof of knowledge
- Signature scheme compatible with ZKP
- Commitment scheme compatible with ZKP & signature scheme
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$, the prover wants to convince the verifier that she knows $x = \log_g y$, such that the verifier learns only $y$ and $g$.
Prover: picks random $r$, computes $t = g^r$, sends $t$.
Verifier: picks a random challenge $c$, sends $c$.
Prover: computes $s = r - cx$, sends $s$.
Verifier: accepts iff $t = g^s y^c$.
Notation: $PK\{(\alpha): y = g^\alpha\}$.
Zero Knowledge Proofs of Knowledge of Discrete Logarithms (continued)
Logical combinations: $PK\{(\alpha,\beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$, $PK\{(\alpha,\beta): y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures): $PK\{(\alpha): y = g^\alpha\}(m)$
Many exponents: $PK\{(\alpha,\beta,\gamma,\delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals, and groups of different order (under the Strong RSA assumption): $PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A,B]\}$, $PK\{(\alpha): y = g^\alpha \wedge z = \hat{g}^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\hat{g}))]\}$
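The protocol of the two slides above, run end to end, as an added example that is not part of the original deck or of the Identity Mixer code base: the interactive three-move proof $PK\{(\alpha): y = g^\alpha\}$, its Fiat-Shamir variant $PK\{(\alpha): y = g^\alpha\}(m)$, and, for the "one secret key, many pseudonyms" slide, two pseudonyms $g^x h^{r}$ with an AND-composed proof that they hide the same $x$. Everything here is an assumption of the example rather than something the slides specify: a toy 128-bit prime-order subgroup of $\mathbb{Z}_p^*$ generated at run time, a seeded RNG, and the function names.

```python
# Added example, not from the slides: Schnorr PK{(alpha): y = g^alpha} as the
# interactive 3-move protocol, its Fiat-Shamir (Schnorr-signature) variant, and
# the Privacy-ABC idea of one secret key behind many unlinkable pseudonyms.
# Assumed here (not from the slides): a toy 128-bit prime-order subgroup of
# Z_p^* built at run time and a seeded RNG; use a standard group and `secrets`.
import hashlib
import random

rng = random.Random(2016)      # deterministic for the demo only


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test, good enough for toy parameter generation."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(qbits=128):
    """Return (p, q, g, h): g and h generate the order-q subgroup of Z_p^*;
    h is hashed into the subgroup so nobody knows log_g h (needed for nyms)."""
    q = 0
    while not is_probable_prime(q):
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    g, h, ctr = 2, 1, 0
    while pow(g, k, p) == 1:
        g += 1
    g = pow(g, k, p)                                  # order exactly q
    while h in (0, 1):
        hv = int.from_bytes(hashlib.sha256(b"nym-base%d" % ctr).digest(), "big") % p
        h, ctr = pow(hv, k, p), ctr + 1
    return p, q, g, h


def fs_challenge(q, *elems):
    """Fiat-Shamir: the challenge is a hash of everything the verifier sees."""
    data = b"|".join(str(e).encode() for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def prove_interactive(p, q, g, y, x, get_challenge):
    """Prover side of PK{(alpha): y = g^alpha}; get_challenge plays the verifier."""
    r = rng.randrange(1, q)
    t = pow(g, r, p)                  # 1. commitment t = g^r
    c = get_challenge(t)              # 2. verifier's random challenge c
    s = (r - c * x) % q               # 3. response s = r - c x
    return t, c, s


def verify_schnorr(p, q, g, y, t, c, s):
    return t == pow(g, s, p) * pow(y, c, p) % p      # check t = g^s y^c


def prove_ni(p, q, g, y, x, msg=b""):
    """PK{(alpha): y = g^alpha}(msg): hash challenge, i.e. a Schnorr signature."""
    r = rng.randrange(1, q)
    t = pow(g, r, p)
    return t, (r - fs_challenge(q, g, y, t, msg) * x) % q


def verify_ni(p, q, g, y, t, s, msg=b""):
    return verify_schnorr(p, q, g, y, t, fs_challenge(q, g, y, t, msg), s)


def make_nym(p, q, g, h, x):
    """Pseudonym for one partner: commitment g^x h^r with a fresh r, so two
    nyms of the same x are unlinkable to anyone who does not know r."""
    r = rng.randrange(1, q)
    return pow(g, x, p) * pow(h, r, p) % p, r


def prove_same_key(p, q, g, h, nym1, nym2, x, r1, r2):
    """PK{(a,b1,b2): nym1 = g^a h^b1 AND nym2 = g^a h^b2}: one shared mask
    for a is what ties both statements to the same secret key."""
    ra, rb1, rb2 = (rng.randrange(1, q) for _ in range(3))
    t1 = pow(g, ra, p) * pow(h, rb1, p) % p
    t2 = pow(g, ra, p) * pow(h, rb2, p) % p
    c = fs_challenge(q, g, h, nym1, nym2, t1, t2)
    return t1, t2, (ra - c * x) % q, (rb1 - c * r1) % q, (rb2 - c * r2) % q


def verify_same_key(p, q, g, h, nym1, nym2, proof):
    t1, t2, sa, sb1, sb2 = proof
    c = fs_challenge(q, g, h, nym1, nym2, t1, t2)
    return (t1 == pow(g, sa, p) * pow(h, sb1, p) * pow(nym1, c, p) % p
            and t2 == pow(g, sa, p) * pow(h, sb2, p) * pow(nym2, c, p) % p)


if __name__ == "__main__":
    p, q, g, h = make_group()
    x = rng.randrange(1, q)                # Alice's single secret key
    y = pow(g, x, p)
    t, c, s = prove_interactive(p, q, g, y, x, lambda _t: rng.randrange(1, q))
    print("interactive PK ok:", verify_schnorr(p, q, g, y, t, c, s))
    t, s = prove_ni(p, q, g, y, x, b"login@movies")
    print("non-interactive PK ok:", verify_ni(p, q, g, y, t, s, b"login@movies"))
    n1, r1 = make_nym(p, q, g, h, x)       # nym towards the movie service
    n2, r2 = make_nym(p, q, g, h, x)       # nym towards the eID issuer
    proof = prove_same_key(p, q, g, h, n1, n2, x, r1, r2)
    print("nyms differ:", n1 != n2, "same key:", verify_same_key(p, q, g, h, n1, n2, proof))
```

The same-key proof is exactly the "logical combinations" case: the shared response for $\alpha$ is what makes the AND binding, and the verifier still learns neither $x$ nor the blinding values.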
RSA Signature Scheme
Rivest, Shamir and Adleman, 1978.
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$.
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$.
We would like to do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^e = H(m) \pmod n\}$. But this is not a valid proof expression :-( (the hash $H$ is not an algebraic relation that the discrete-logarithm proofs above can handle).
CL-Signature Scheme
Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$. Secret key: the factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$: choose a random prime $e$ with $2^{\ell+1} < e < 2^{\ell+2}$ and a random integer $s \approx n$, and compute
$$c = \left(\frac{d}{a_1^{m_1} \cdots a_k^{m_k}\, b^s}\right)^{1/e} \bmod n .$$
The signature is $(c, e, s)$.
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: check $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$, and $d = c^e a_1^{m_1} \cdots a_k^{m_k}\, b^s \bmod n$.
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Observe: $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$. Let $c' = c\, b^t \bmod n$ with randomly chosen $t$; then $d = c'^{\,e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and run $PK\{(\varepsilon, \mu_1, \sigma): d\, a_2^{-m_2} = c'^{\,\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$.
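The three CL-signature slides above (sign, verify, randomise, prove knowledge), run end to end, as an added example that is not from the deck or from the Identity Mixer / p2abcengine code. The parameter choices are assumptions of the example only: the Mersenne primes $2^{89}-1$ and $2^{107}-1$ stand in for the RSA primes (so $n$ has 196 bits), messages are 16 bits, the RNG is seeded, and the proof of knowledge drops the interval proofs on $\mu_1$ and $\varepsilon$ that the slide's PK expression requires. Requires Python 3.8+ for `pow(x, -1, n)`.

```python
# Added example, not from the slides: a toy CL signature over QR_n for k = 2
# messages, the randomisation c' = c b^t, s' = s - e t, and a Fiat-Shamir proof
# of knowledge of a signature that reveals m2 while hiding m1, e and s'.
# Assumed here (not from the slides): Mersenne primes as RSA primes, l = 16,
# a seeded RNG, and no interval proofs on mu1 / epsilon. Python 3.8+.
import hashlib
import math
import random

rng = random.Random(2016)
L = 16                                    # message length l in bits


def is_small_prime(e):
    return e > 1 and all(e % d for d in range(2, math.isqrt(e) + 1))


def mpow(x, k, n):
    """x^k mod n for possibly negative integer exponents (s' can go negative)."""
    return pow(x, k, n) if k >= 0 else pow(pow(x, -1, n), -k, n)


def keygen():
    p, q = (1 << 89) - 1, (1 << 107) - 1   # Mersenne primes: toy RSA primes
    n, phi = p * q, (p - 1) * (q - 1)
    a1, a2, b, d = (pow(rng.randrange(2, n), 2, n) for _ in range(4))   # in QR_n
    return {"n": n, "a": (a1, a2), "b": b, "d": d}, phi


def sign(pk, phi, m1, m2):
    """(c, e, s) with d = c^e a1^m1 a2^m2 b^s mod n; needs phi (the secret key)."""
    n, (a1, a2), b, d = pk["n"], pk["a"], pk["b"], pk["d"]
    assert 0 <= m1 < (1 << L) and 0 <= m2 < (1 << L)
    e = 0                                  # random prime with 2^(l+1) < e < 2^(l+2)
    while not (is_small_prime(e) and math.gcd(e, phi) == 1):
        e = rng.randrange((1 << (L + 1)) + 1, 1 << (L + 2)) | 1
    s = rng.randrange(1 << (n.bit_length() - 1), 1 << n.bit_length())   # s ~ n
    base = pow(a1, m1, n) * pow(a2, m2, n) * pow(b, s, n) % n
    c = pow(d * pow(base, -1, n) % n, pow(e, -1, phi), n)   # (d / base)^(1/e)
    return c, e, s


def verify(pk, m1, m2, sig):
    c, e, s = sig
    n, (a1, a2), b, d = pk["n"], pk["a"], pk["b"], pk["d"]
    if not (0 <= m1 < (1 << L) and 0 <= m2 < (1 << L)
            and e > (1 << (L + 1)) and is_small_prime(e)):
        return False
    return d == pow(c, e, n) * pow(a1, m1, n) * pow(a2, m2, n) * mpow(b, s, n) % n


def randomize(pk, sig):
    """A fresh-looking signature (c b^t, e, s - e t) on the same messages."""
    c, e, s = sig
    t = rng.randrange(1 << pk["n"].bit_length())
    return c * pow(pk["b"], t, pk["n"]) % pk["n"], e, s - e * t


def _challenge(*elems):
    data = b"|".join(str(v).encode() for v in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # 256-bit


def prove_signature(pk, m1, m2, sig):
    """PK{(eps, mu1, sigma): d a2^-m2 = c'^eps a1^mu1 b^sigma} with m2 revealed.
    The group order is unknown, so masks are plain integers sized to hide
    witness * challenge statistically (80 extra bits)."""
    c, e, s = sig
    n, (a1, a2), b, d = pk["n"], pk["a"], pk["b"], pk["d"]
    target = d * mpow(a2, -m2, n) % n
    re = rng.getrandbits(L + 2 + 256 + 80)
    rm = rng.getrandbits(L + 256 + 80)
    rs = rng.getrandbits(n.bit_length() + L + 2 + 256 + 80)
    T = pow(c, re, n) * pow(a1, rm, n) * pow(b, rs, n) % n
    ch = _challenge(n, target, c, T)
    return c, T, re + ch * e, rm + ch * m1, rs + ch * s


def verify_signature_proof(pk, m2, proof):
    c, T, ze, zm, zs = proof
    n, (a1, a2), b, d = pk["n"], pk["a"], pk["b"], pk["d"]
    target = d * mpow(a2, -m2, n) % n
    ch = _challenge(n, target, c, T)
    lhs = pow(c, ze, n) * pow(a1, zm, n) * mpow(b, zs, n) % n
    return lhs == T * pow(target, ch, n) % n


if __name__ == "__main__":
    pk, phi = keygen()
    sig = sign(pk, phi, 1998, 1)        # m1: birth year (hidden), m2: tier (shown)
    print("valid:", verify(pk, 1998, 1, sig))
    rsig = randomize(pk, sig)
    print("randomised valid:", verify(pk, 1998, 1, rsig), "new c:", rsig[0] != sig[0])
    proof = prove_signature(pk, 1998, 1, rsig)
    print("proof accepted:", verify_signature_proof(pk, 1, proof))
```

The verifier receives only the randomised $c'$ and the masked responses, so nothing in the proof links back to the $c$ the issuer saw; without the omitted interval proofs, though, a cheating prover is not bound to $\mu_1 \in \{0,1\}^\ell$ or $\varepsilon > 2^{\ell+1}$, which is why the real scheme includes them.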
Password-based Security
Passwords are insecure, aren't they?
Are passwords inherently insecure? No, we're just using them incorrectly.
Username-password is the most prominent form of user authentication.
The problem with passwords
[Figure: guessed password → salted PW hash → "correct?", repeated guess after guess.]
Passwords are symmetric secrets and need protection on the server & the user side → password (hashes) are useless against offline attacks:
- Human-memorizable passwords are inherently weak
- NIST: 16-character passwords have 30 bits of entropy ≈ 1 billion possibilities
- A rig of 25 GPUs tests 350 billion possibilities per second, so ≈ 3 ms for 16 chars
- 60% of LinkedIn passwords were cracked within 24h
More expensive hash functions provide only very little help:
- they increase verification time as well
- they do not work for short passwords such as PINs etc.
Single-server solutions are inherently vulnerable to offline attacks:
- the server administrator or a hacker can always guess & test
The solution: distributed password verification
Setup: open an account with password $p$. [Figure: $p$ is shared between two servers as $p_1$ and $p_2$.]
Login to the account with password $p$: no server alone can test the password, so passwords are safe as long as not all servers are hacked:
- off-line attacks are no longer possible
- on-line attacks can be throttled
- pro-active re-sharing is possible
The first server can be:
- a web server: replaces the hash-data files
- the user's own computer: secure against loss or theft of the user's device
[Figure: login with $p$ against the servers holding $p_1$ and $p_2$.]
How it works in a nutshell [CLN12, CEN15]
The servers hold shares $x_1$ and $x_2$ of the secret key for the public key $X$ of a homomorphic encryption scheme. At setup the user encrypts $p$ under $X$, $E = Enc_X(p)$, and each server stores $E$ together with its share $x_i$.
Password verification for a login attempt $p'$: the user sends $Enc_X(1/p')$ and the servers compute
$$E'' = \big(Enc_X(1/p') \odot E\big)^{r} = Enc_X\big((p/p')^{r}\big)$$
for a random $r$, then jointly decrypt $E''$ and check for an encryption of 1: $p = p' \iff Dec_X(E'') = 1$.
The servers do not learn anything: the decryption yields 1 if the passwords match and a random number otherwise. The user could even be talking to the wrong servers.
From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smart phone, laptop, ... Get a key share $k_i$ from each server if the password check succeeded, recombine them into $k$, and decrypt all your files on the phone (or stored in the cloud, etc.).
[Figure: the user enters $p$; the servers holding $(p_1, k_1)$ and $(p_2, k_2)$ verify $p$ and release $k_1$ and $k_2$, which together give $k$.]
Further Research Needed
Securing the infrastructure & IoT:
- "ad-hoc" establishment of secure authentication and communication
- auditability & privacy (where is my information? crime traces)
- security services, e.g. better CAs, oblivious TTPs, anonymous routing, ...
Usability:
- HCI
- Infrastructure (setup, use, changes by end users)
Provably secure protocols:
- Properly modeling protocols (UC, realistic attack models, ...)
- Verifiable security proofs
- Retaining efficiency
Quantum computers:
- Lots of new crypto still needed
- Build apps algorithm-agnostic
Towards a secure information society:
- Society gets shaped by quickly changing techn
- Consequences are hard to grasp yet
- We must inform and engage in a dialog
Conclusion
Let's engage in some rocket science. Much of the needed technology exists ... we need to use it & build apps "for the moon" ... and make apps usable & secure for end users.
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven and many, many more.
jca@zurich.ibm.com · JanCamenisch · ibm.biz/jancamenisch
copy 2016 IBM Corporation13 2015 Information Security Summer School - Bilbao
Cryptography to the Aid
copy 2016 IBM Corporation14 October 15 2015 - Press Day
Today two solutions
Identity mixer privacy protecting authentication
Password-based security from humans to cryptographic keys
copy 2016 IBM Corporation15 October 15 2015 - Press Day
Identity Mixer
copy 2016 IBM Corporation16 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2016 IBM Corporation17 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2016 IBM Corporation18 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2016 IBM Corporation19 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2016 IBM Corporation20 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2016 IBM Corporation21 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2016 IBM Corporation22 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation23 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation24 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2016 IBM Corporation25 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Users Keys One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2016 IBM Corporation26 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Certified attributes from Identity provider Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2016 IBM Corporation27 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Zero-Knowledge Proofs of Knowledge of Discrete Logarithms (continued)
Logical combinations: $PK\{(\alpha,\beta) : y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$, $PK\{(\alpha,\beta) : y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures): $PK\{(\alpha) : y = g^{\alpha}\}(m)$, i.e. the challenge $c$ is computed by hashing the commitment $t$ together with the message $m$ instead of being chosen by the verifier
Many exponents: $PK\{(\alpha,\beta,\gamma,\delta) : y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals and groups of different order (under SRSA): $PK\{(\alpha) : y = g^{\alpha} \wedge \alpha \in [A,B]\}$, and with a second generator $\tilde{g}$ of a group of different order, $PK\{(\alpha) : y = g^{\alpha} \wedge z = \tilde{g}^{\alpha} \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\tilde{g}))]\}$
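The three-move protocol and its Fiat-Shamir and AND-composed variants just listed, as an added worked example; this is not code from the slides or from any Identity Mixer implementation. It assumes a toy safe-prime group (p = 2039, q = 1019, g = 4) so the numbers stay readable, SHA-256 as the Fiat-Shamir hash, and Python 3.8+ for modular inverses via pow(x, -1, q). Beyond the protocol itself it shows the two properties the name promises: an extractor that recovers x from two transcripts sharing one commitment (proof of knowledge), and a simulator that produces valid transcripts without x (zero knowledge).

```python
import hashlib
import secrets

# Toy group (an assumption of this example, not from the slides): p = 2q + 1 is a
# safe prime and g = 4 generates the subgroup <g> of prime order q.  Real deployments
# use a 2048-bit MODP group or an elliptic curve; the protocol logic is identical.
P, Q, G = 2039, 1019, 4


def keygen():
    """Secret x, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# Interactive PK{(alpha): y = g^alpha} -------------------------------------------
def prover_commit():
    """Round 1: prover picks random r and sends t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2: verifier picks a random challenge c."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Round 3: prover answers s = r - c*x (mod q)."""
    return (r - c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff t = g^s * y^c  (= g^(r - cx) * g^(cx) = g^r)."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_interactive(x, y):
    r, t = prover_commit()
    c = verifier_challenge()
    return verify(y, t, c, prover_respond(x, r, c))


# Proof of knowledge: two answers for the same t leak x --------------------------
def extract(t, c1, s1, c2, s2):
    """s1 - s2 = (c2 - c1) * x (mod q): whoever can answer two different challenges
    for one commitment must know x (special soundness)."""
    assert c1 != c2
    return (s1 - s2) * pow((c2 - c1) % Q, -1, Q) % Q


# Zero knowledge: transcripts can be faked without x -----------------------------
def simulate(y):
    """Choose c and s first and set t = g^s * y^c: the transcript verifies and is
    distributed like a real one, so a transcript alone reveals nothing about x."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


# Fiat-Shamir: PK{(alpha): y = g^alpha}(m) is a Schnorr signature on m ------------
def _challenge(pub, t, m):
    """Hash of all public values, the commitment and the message.  Not reduced
    mod q; the exponent arithmetic in verify() is still correct mod q."""
    data = f"{P}|{G}|{pub}|{t}|".encode() + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def fs_sign(x, y, m):
    r, t = prover_commit()
    c = _challenge(y, t, m)
    return c, prover_respond(x, r, c)


def fs_verify(y, m, sig):
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P      # recompute t from (c, s)
    return c == _challenge(y, t, m)


# AND-composition PK{(alpha, beta): y = g^alpha and z = g^beta}(m) ---------------
def and_sign(x, y, w, z, m):
    """One shared challenge binds both Schnorr sub-proofs together."""
    r1, t1 = prover_commit()
    r2, t2 = prover_commit()
    c = _challenge((y, z), (t1, t2), m)
    return c, prover_respond(x, r1, c), prover_respond(w, r2, c)


def and_verify(y, z, m, sig):
    c, s1, s2 = sig
    t1 = pow(G, s1, P) * pow(y, c, P) % P
    t2 = pow(G, s2, P) * pow(z, c, P) % P
    return c == _challenge((y, z), (t1, t2), m)
```

With a real group only P, Q and G change. The hash input of the non-interactive variant must bind every public value (group, y, t, m); a challenge that omits y lets a proof be replayed against a different statement.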
RSA Signature Scheme
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H : \{0,1\}^{*} \to \{0,1\}^{\ell}$.
Computing a signature on a message $m \in \{0,1\}^{*}$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^{d} \bmod n$.
Verification of signature $s$ on a message $m \in \{0,1\}^{*}$: $s^{e} \equiv H(m) \pmod n$.
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$.
Want to do a proof of knowledge of a signature on a hidden message, e.g. $PK\{(\mu, \sigma) : \sigma^{e} = H(\mu) \pmod n\}$?
But this is not a valid proof expression :-( The hash function $H$ is not an algebraic relation between group elements, so the discrete-logarithm proofs above cannot express it; the signature scheme itself has to be built from exponentiations only.
CL-Signature Scheme
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$. Secret key: the factors of $n$.
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$: choose a random prime $e$ with $2^{\ell+2} > e > 2^{\ell+1}$ and a random integer $s \approx n$, and compute
$c = \left( \dfrac{d}{a_1^{m_1} \cdots a_k^{m_k} \, b^{s}} \right)^{1/e} \bmod n$.
The signature is $(c, e, s)$.
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$: check $e > 2^{\ell+1}$ and
$d \equiv c^{e} \, a_1^{m_1} \cdots a_k^{m_k} \, b^{s} \pmod n$.
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Observe: $d = c^{e} \, a^{m} \, b^{s} \bmod n$. Let $c' = c \, b^{t} \bmod n$ with randomly chosen $t$; then $d = c'^{e} \, a_1^{m_1} a_2^{m_2} \, b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$. (Since $c'^{e} = c^{e} \, b^{et}$, the extra factor is cancelled by $b^{-et}$.) The re-randomized $c'$ can therefore be shown to a verifier without linking it to the value $c$ the issuer produced.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma) : d / a_2^{m_2} = c'^{\varepsilon} \, a_1^{\mu_1} \, b^{\sigma} \;\wedge\; \mu_1 \in \{0,1\}^{\ell} \;\wedge\; \varepsilon > 2^{\ell+1}\}$.
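The CL signing, verification, re-randomization and selective-disclosure proof from the preceding slides, as an added example; this is neither the slides' own code nor idemix's. It assumes a toy modulus n = (2^31 − 1)(2^61 − 1) in place of a 2048-bit special RSA modulus, ℓ = 16-bit attributes, SHA-256 Fiat-Shamir challenges, and Python 3.8+ (negative exponents in pow compute modular inverses). The interval proofs bounding ε and μ_i, the last two conjuncts of the PK statement above, are deliberately left out to keep the block short; a verifier must not treat the proof as complete without them.

```python
import hashlib
import secrets
from math import gcd, isqrt

# Toy parameters (assumptions of this example): ELL-bit attributes and a modulus built
# from two Mersenne primes instead of a 2048-bit special RSA modulus.  Python 3.8+ is
# assumed: pow(x, -k, n) returns a modular inverse power.
ELL = 16
_P, _Q = 2 ** 31 - 1, 2 ** 61 - 1


def is_small_prime(e):
    """Trial division suffices because e < 2^(ELL+2) = 2^18."""
    return e > 1 and all(e % f for f in range(2, isqrt(e) + 1))


def random_prime(lo, hi):
    while True:
        cand = secrets.randbelow(hi - lo) + lo
        if is_small_prime(cand):
            return cand


def keygen(k):
    """pk = (n, a_1..a_k, b, d) with a_i, b, d in QR_n; sk = phi(n)."""
    n = _P * _Q
    qr = lambda: pow(secrets.randbelow(n - 2) + 2, 2, n)   # a square lies in QR_n
    pk = {"n": n, "a": [qr() for _ in range(k)], "b": qr(), "d": qr()}
    return pk, (_P - 1) * (_Q - 1)


def _prod(pk, msgs, s):
    """prod a_i^m_i * b^s mod n (a negative s is handled via the modular inverse)."""
    n, acc = pk["n"], pow(pk["b"], s, pk["n"])
    for a_i, m_i in zip(pk["a"], msgs):
        acc = acc * pow(a_i, m_i, n) % n
    return acc


def sign(pk, phi, msgs):
    """Signature (c, e, s) with c = (d / (prod a_i^m_i * b^s))^(1/e) mod n."""
    n = pk["n"]
    assert len(msgs) == len(pk["a"]) and all(0 <= m < 2 ** ELL for m in msgs)
    while True:            # prime e with 2^(ELL+1) < e < 2^(ELL+2), coprime to phi
        e = random_prime(2 ** (ELL + 1) + 1, 2 ** (ELL + 2))
        if gcd(e, phi) == 1:
            break
    s = secrets.randbits(n.bit_length())                   # s ~ n
    base = pk["d"] * pow(_prod(pk, msgs, s), -1, n) % n
    c = pow(base, pow(e, -1, phi), n)                      # e-th root needs phi(n)
    return c, e, s


def verify(pk, msgs, sig):
    c, e, s = sig
    if not (2 ** (ELL + 1) < e < 2 ** (ELL + 2) and is_small_prime(e)):
        return False
    return pk["d"] == pow(c, e, pk["n"]) * _prod(pk, msgs, s) % pk["n"]


def randomize(pk, sig):
    """(c * b^t, e, s - e*t) is an equally valid, unlinkable signature on the same messages."""
    c, e, s = sig
    t = secrets.randbits(pk["n"].bit_length() + 80)
    return c * pow(pk["b"], t, pk["n"]) % pk["n"], e, s - e * t


def _challenge(pk, c2, revealed, T):
    data = f"{pk}|{c2}|{sorted(revealed.items())}|{T}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove(pk, sig, msgs, reveal):
    """Fiat-Shamir PK{(eps, mu_i for hidden i, sigma):
           d / prod_{revealed} a_i^m_i = c'^eps * prod_{hidden} a_i^mu_i * b^sigma}.
    Responses are integers (the group order is unknown), so every randomizer is
    |secret| + |challenge| + 80 bits wide to hide its secret statistically."""
    n = pk["n"]
    c2, e, s2 = randomize(pk, sig)
    hidden = [i for i in range(len(msgs)) if i not in reveal]
    r_e = secrets.randbits(ELL + 2 + 256 + 80)
    r_s = secrets.randbits(s2.bit_length() + 256 + 80)
    r_m = {i: secrets.randbits(ELL + 256 + 80) for i in hidden}
    T = pow(c2, r_e, n) * pow(pk["b"], r_s, n) % n
    for i in hidden:
        T = T * pow(pk["a"][i], r_m[i], n) % n
    revealed = {i: msgs[i] for i in reveal}
    ch = _challenge(pk, c2, revealed, T)
    return {"c": c2, "revealed": revealed, "T": T, "z_e": r_e - ch * e,
            "z_m": {i: r_m[i] - ch * msgs[i] for i in hidden}, "z_s": r_s - ch * s2}


def verify_proof(pk, proof):
    """Checks the representation only; the range proofs on eps and mu_i are omitted."""
    n, c2, T = pk["n"], proof["c"], proof["T"]
    ch = _challenge(pk, c2, proof["revealed"], T)
    D = pk["d"]
    for i, m in proof["revealed"].items():
        D = D * pow(pk["a"][i], -m, n) % n
    rhs = pow(D, ch, n) * pow(c2, proof["z_e"], n) * pow(pk["b"], proof["z_s"], n) % n
    for i, z in proof["z_m"].items():
        rhs = rhs * pow(pk["a"][i], z, n) % n
    return T == rhs
```

The verifier sees c', the revealed attribute values and the responses, but neither e, s' nor the hidden attributes; because c' is freshly re-randomized per proof, two proofs from the same credential cannot be linked through it.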
© 2016 IBM Corporation | October 15 2015 - Press Day
Password-based Security
Passwords are insecure, aren't they?
Are passwords inherently insecure? No, we're just using them incorrectly.
Username/password is the most prominent form of user authentication.
© 2016 IBM Corporation | 2015 Information Security Summer School - Bilbao
The problem with passwords
[Figure: an attacker holding the salted password hash tests candidate passwords offline, one "correct?" check per guess]
Passwords are symmetric secrets and need protection on the server & user side → password hashes are useless against offline attacks
– Human-memorizable passwords are inherently weak
– NIST: 16-character passwords have 30 bits of entropy, ≈ 1 billion possibilities
– A rig of 25 GPUs tests 350 billion possibilities per second, so ≈ 3 ms for 16 characters
– 60% of LinkedIn passwords were cracked within 24 h
More expensive hash functions provide only very little help:
– they increase the server's verification time as well
– they do not work for short passwords such as PINs etc.
Single-server solutions are inherently vulnerable to offline attacks: a server administrator or a hacker can always guess & test.
The solution: distributed password verification
Setup: open an account with password p
[Figure: the password p is split into shares p1 and p2, held by two different servers]
Login to the account with password p
[Figure: the login attempt is checked jointly by both servers against their shares p1 and p2]
No server alone can test a password; passwords are safe as long as not all servers are hacked
– off-line attacks are no longer possible
– on-line attacks can be throttled
Pro-active re-sharing is possible.
The first server can be
– the web server → replaces the password-hash data files
– the user's computer → secure against loss or theft of the user's device
How it works in a nutshell [CLN12, CEN15]
The servers share the decryption key $(x_1, x_2)$ for the public key $X$ of a homomorphic encryption scheme. At setup, the user encrypts $p$ under $X$: $E = Enc_X(p)$.
Password verification with a login attempt $p'$: compute $E' = (Enc_X(1/p') \odot E)^{r} = Enc_X((p/p')^{r})$ with random $r$ and check whether $E'$ is an encryption of 1; each server contributes a partial decryption computed with its own share ($x_1$, resp. $x_2$):
$p = p' \iff Dec_X(E') = 1$.
The servers do not learn anything: the decryption yields 1 if the passwords match and a random number otherwise.
The user could even be talking to the wrong servers.
From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smart phone, laptop, ... Get the key shares $k_1$, $k_2$ from the servers only if the password check succeeded; the recombined key $k$ decrypts all your files on the phone (or stored in the cloud, etc.).
[Figure: password p checked against the shares p1, p2; on success the servers release key shares k1, k2, which combine to the key k]
Further Research Needed
Securing the infrastructure & IoT
– "ad-hoc" establishment of secure authentication and communication
– audit-ability & privacy (where is my information, crime traces)
– security services, e.g. better CAs, oblivious TTPs, anonymous routing, ...
Usability
– HCI
– Infrastructure (setup, use, changes by end users)
Provably secure protocols
– Properly modeling protocols (UC, realistic attack models, ...)
– Verifiable security proofs
– Retaining efficiency
Quantum computers
– Lots of new crypto still needed
– Build apps algorithm-agnostic
Towards a secure information society
– Society gets shaped by quickly changing technology
– Consequences are hard to grasp yet
– We must inform and engage in a dialog
Conclusion
Let's engage in some rocket science: much of the needed technology exists ... we need to use it & build apps "for the moon" ... and make apps usable & secure for end users.
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven and many, many more.
jca@zurich.ibm.com | JanCamenisch | ibm.biz/jancamenisch
copy 2016 IBM Corporation14 October 15 2015 - Press Day
Today two solutions
Identity mixer privacy protecting authentication
Password-based security from humans to cryptographic keys
copy 2016 IBM Corporation15 October 15 2015 - Press Day
Identity Mixer
copy 2016 IBM Corporation16 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2016 IBM Corporation17 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2016 IBM Corporation18 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2016 IBM Corporation19 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2016 IBM Corporation20 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2016 IBM Corporation21 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2016 IBM Corporation22 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation23 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation24 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2016 IBM Corporation25 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Users Keys One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2016 IBM Corporation26 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Certified attributes from Identity provider Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2016 IBM Corporation27 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation15 October 15 2015 - Press Day
Identity Mixer
copy 2016 IBM Corporation16 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2016 IBM Corporation17 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2016 IBM Corporation18 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2016 IBM Corporation19 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2016 IBM Corporation20 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2016 IBM Corporation21 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2016 IBM Corporation22 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation23 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation24 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2016 IBM Corporation25 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Users Keys One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2016 IBM Corporation26 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Certified attributes from Identity provider Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2016 IBM Corporation27 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
Alice wants to watch a movie at Movie Streaming Service

Alice: I wish to see Alice in Wonderland.
Movie Streaming Service: You need
– a subscription
– to be older than 12
Watching the movie with the traditional solution

Using the digital equivalent of the paper world, e.g. with X.509 certificates:

Alice: OK, here's my eID and my subscription.
Movie Streaming Service: Aha, you are
– Alice Doe
– born on Dec 12 1975
– 7 Waterdrive, CH 8003 Zurich
– married
– (eID expires Aug 4 2018)
and Mplex customer 1029347, Premium Subscription, expires Jan 13 2016.

This is a privacy and security problem:
– identity theft
– discrimination
– profiling, possibly in connection with other services
Watching the movie with the traditional solution

With OpenID and similar protocols, e.g. log-in with Facebook:

Movie Streaming Service: Aha, you are alice@facebook.com, 12+, Mplex customer 1029347, Premium Subscription, expires Jan 13 2016.
Facebook (the identity provider): Aha, Alice is watching a 12+ movie.
Proper cryptography solves this: Identity Mixer

When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more.

Privacy-protecting authentication with Privacy ABCs

User's keys: one secret identity (secret key), many public pseudonyms (public keys)
→ use a different identity for each communication partner, or even for each transaction.
Issuing a credential: certified attributes from the identity provider, e.g.
  Name = Alice Doe
  Birth date = April 3 1997

Issuing a credential: certified attributes from the purchasing department (the subscription)

Alice: I wish to see Alice in Wonderland.
Movie Streaming Service: You need a subscription and to be older than 12.

Proving identity claims: Alice does not send her credentials, only a minimal disclosure
– valid subscription
– eID with age ≥ 12
Proving Identity Claims: Minimal Disclosure

Credential as issued (verified ID): Alice Doe, Dec 12 1998, Hauptstr 7 Zurich CH, single, Exp Aug 4 2018
What the verifier sees (verified ID): Age 12+, Exp valid; name, exact birth date, address, marital status and exact expiry date stay hidden.

Privacy-protecting authentication with Privacy ABCs

Movie Streaming Service: Aha, you are older than 12 and have a subscription.
Proving identity claims: the credential itself is not sent, only a minimal disclosure, checked with the public verification key of the issuer.
The transaction is not linkable to any other of Alice's transactions.
Try Identity Mixer for yourself
– Try yourself: idemixdemo.mybluemix.net
– Build your app: github.com/IBM-Bluemix/idemix-issuer-verifier
– Source code: github.com/p2abcengine/p2abcengine
– Info: ibm.biz/identity_mixer

You might already have Identity Mixer on your devices
Identity Mixer (and related protocols) are in standards: TPM v1.2 (2004) and v2.0 (2015) call it Direct Anonymous Attestation; the FIDO Alliance is standardizing this as well (with and without a chip).
TPMs allow one to store the secret key in a secure place.
Other examples: secure and private access to databases
DNA databases, news/journals/magazines, patent databases.
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits etc.).
Cryptographic access protocol such that the database provider has no information about which user accesses which data.

A glimpse at the underlying cryptography

A glimpse at the technical realization: three building blocks
– zero-knowledge proof of knowledge
– signature scheme compatible with ZKP
– commitment scheme compatible with ZKP and the signature scheme
Zero Knowledge Proofs of Knowledge of Discrete Logarithms

Given a group $\langle g\rangle$ and an element $y \in \langle g\rangle$, the prover wants to convince the verifier that she knows $x = \log_g y$, such that the verifier learns only $y$ and $g$. Notation: $PK\{(\alpha): y = g^\alpha\}$.

Prover: random $r$, $t = g^r$; sends $t$.
Verifier: random $c$; sends $c$.
Prover: $s = r - c\,x$; sends $s$.
Verifier: accepts iff $t = g^s y^c$.

Logical combinations
$PK\{(\alpha,\beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
$PK\{(\alpha,\beta): y = g^\alpha \vee z = g^\beta\}$

Non-interactive (Fiat-Shamir heuristic, Schnorr signatures): $PK\{(\alpha): y = g^\alpha\}(m)$

Many exponents: $PK\{(\alpha,\beta,\gamma,\delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$

Intervals and groups of different order (under the Strong RSA assumption):
$PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A,B]\}$
$PK\{(\alpha): y = g^\alpha \wedge z = \tilde g^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\tilde g))]\}$
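The Σ-protocol of the two slides above, as an added Python example (not code from the talk, nor from Identity Mixer): the interactive proof $PK\{(\alpha): y = g^\alpha\}$ one message per function, the simulator that shows why the transcript is zero-knowledge, and the Fiat-Shamir transformation into a Schnorr signature $PK\{(\alpha): y = g^\alpha\}(m)$. The group (the order-Q subgroup of $\mathbb{Z}_P^*$ with $P = 2^{127}-1$) is a toy-sized assumption chosen so the code runs instantly; the protocol logic does not depend on it.

```python
import hashlib
import secrets

# Group <G> of prime order Q inside Z_P^*: P = 2^127 - 1 (a Mersenne prime),
# Q = 77158673929 a prime factor of P - 1.  Toy-sized by assumption; a real
# deployment uses a 2048-bit MODP group or an elliptic curve.
P = 2 ** 127 - 1
Q = 77158673929
assert (P - 1) % Q == 0
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(3, 50)) if g != 1)


def keygen():
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)                         # secret x, public y = G^x


# Interactive Σ-protocol PK{(α): y = G^α}, one message per function.
def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                         # keep r, send t = G^r


def verifier_challenge():
    return secrets.randbelow(Q)                    # send c


def prover_respond(x, r, c):
    return (r - c * x) % Q                         # send s = r - c*x


def verifier_check(y, t, c, s):
    return t == pow(G, s, P) * pow(y, c, P) % P    # accept iff t == G^s * y^c


def run_interactive(x, y):
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verifier_check(y, t, c, s)


def simulate(y):
    """Zero-knowledge in one line: without x, choose c and s first and solve for t.
    The transcript is distributed exactly like a real one and the verifier accepts it."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s


# Non-interactive version (Fiat-Shamir): c = H(G, y, t, m) turns the proof into
# PK{(α): y = G^α}(m), i.e. a Schnorr signature on m.
def fs_challenge(y, t, msg):
    h = hashlib.sha256(b"%d|%d|%d|" % (G, y, t) + msg).digest()
    return int.from_bytes(h, "big") % Q


def sign(x, y, msg):
    r, t = prover_commit()
    return t, prover_respond(x, r, fs_challenge(y, t, msg))


def verify(y, msg, sig):
    t, s = sig
    return verifier_check(y, t, fs_challenge(y, t, msg), s)
```

The simulator is the whole point of "the verifier learns only y and g": anyone can produce accepting transcripts, so a transcript cannot convey knowledge of x. Soundness comes from the challenge being chosen after t is fixed, which is exactly what hashing t into c preserves in the non-interactive version.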
RSA Signature Scheme (Rivest, Shamir and Adleman, 1978)

Secret key: two random primes $p$ and $q$. Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$.

Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$.
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$.
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$.

Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^e = H(m) \pmod n\}$? But this is not a valid proof expression :-( The hash function destroys the algebraic (discrete-logarithm) structure that the proofs above rely on, so a signature scheme whose verification equation is purely algebraic is needed.
CL-Signature Scheme

Public key of the signer: RSA modulus $n$ and $a_i, b, d \in QR_n$. Secret key: the factors of $n$.

To sign $k$ messages $m_1, \dots, m_k \in \{0,1\}^\ell$: choose a random prime $e$ with $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, and compute
$c = \left( d \,/\, (a_1^{m_1} \cdots a_k^{m_k} b^s) \right)^{1/e} \bmod n$.
The signature is $(c, e, s)$.

To verify a signature $(c, e, s)$ on messages $m_1, \dots, m_k \in \{0,1\}^\ell$: check $e > 2^{\ell+1}$ and
$d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$.

Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.

Proving Knowledge of a CL-signature

Observe (for two messages): $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$. Let $c' = c\, b^t \bmod n$ with randomly chosen $t$; then
$d = c'^{e} a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$,
i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.

To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some (hidden) $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$.
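The three CL-signature slides above, as an added Python example (not code from the talk, from Identity Mixer or from p2abcengine): key generation with all bases in $QR_n$, signing two messages, verification, the re-randomization $(c\,b^t, e, s - et)$ that makes each showing unlinkable, and a Fiat-Shamir Σ-proof of $PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma}\}$ in which $m_2$ is disclosed and $m_1$ and the signature stay hidden, which is the minimal-disclosure mechanism of the Alice example. Because the order of $QR_n$ is unknown to the prover, the responses are plain integers rather than residues. The interval conditions on $\mu_1$ and $\varepsilon$ are not proven here, and the modulus (two tiny safe primes), the bit lengths and the function names are assumptions of this example; a deployment needs a $\geq 2048$-bit $n$ and the lengths from the paper.

```python
import hashlib
import secrets
from math import gcd

# Toy CL signature on two messages (assumption: tiny safe primes so it runs in
# milliseconds; a real deployment needs a >= 2048-bit n and the paper's lengths).
P_PRIME, Q_PRIME = 2039, 1019          # safe primes: (p-1)/2 = 1019, (q-1)/2 = 509
ELL = 8                                # messages m_i are ELL-bit integers
CH_BITS, SLACK = 128, 80               # challenge length, statistical-ZK slack


def is_prime(x):
    """Trial division is enough at toy size."""
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True


def random_prime(lo, hi, coprime_to):
    """Random prime e with lo < e < hi and gcd(e, coprime_to) == 1."""
    while True:
        e = lo + 1 + secrets.randbelow(hi - lo - 1)
        if is_prime(e) and gcd(e, coprime_to) == 1:
            return e


def keygen():
    """Public key (n, a1, a2, b, d) with all bases in QR_n; secret key phi(n)."""
    n, phi = P_PRIME * Q_PRIME, (P_PRIME - 1) * (Q_PRIME - 1)
    p1, q1 = (P_PRIME - 1) // 2, (Q_PRIME - 1) // 2   # QR_n is cyclic of order p1*q1

    def qr_of_full_order():
        while True:
            g = pow(2 + secrets.randbelow(n - 2), 2, n)
            if gcd(g, n) == 1 and pow(g, p1, n) != 1 and pow(g, q1, n) != 1:
                return g

    a1, a2, b, d = (qr_of_full_order() for _ in range(4))
    return (n, a1, a2, b, d), phi


def sign(pk, phi, m1, m2):
    """(c, e, s) with c = (d / (a1^m1 a2^m2 b^s))^(1/e) mod n."""
    n, a1, a2, b, d = pk
    e = random_prime(2 ** (ELL + 1), 2 ** (ELL + 2), phi)  # prime, 2^(l+1) < e < 2^(l+2)
    s = n + secrets.randbelow(n)                              # integer s ~ n
    base = d * pow(pow(a1, m1, n) * pow(a2, m2, n) * pow(b, s, n), -1, n) % n
    return pow(base, pow(e, -1, phi), n), e, s                # e-th root needs phi(n)


def verify(pk, m1, m2, sig):
    n, a1, a2, b, d = pk
    c, e, s = sig
    if not (2 ** (ELL + 1) < e < 2 ** (ELL + 2) and is_prime(e)):
        return False
    if not (0 <= m1 < 2 ** ELL and 0 <= m2 < 2 ** ELL):
        return False
    return d == pow(c, e, n) * pow(a1, m1, n) * pow(a2, m2, n) * pow(b, s, n) % n


def rerandomize(pk, sig):
    """The observation on the slide: (c * b^t, e, s - e*t) is also a valid signature."""
    n, _, _, b, _ = pk
    c, e, s = sig
    t = secrets.randbelow(s // e)                 # keeps s - e*t positive
    return c * pow(b, t, n) % n, e, s - e * t


def _challenge(*parts):
    h = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(h, "big") >> (256 - CH_BITS)


def prove(pk, sig, m1, m2):
    """Fiat-Shamir proof of PK{(eps, mu1, sigma): d / a2^m2 = c'^eps a1^mu1 b^sigma}.
    m2 is disclosed; m1 and the signature stay hidden.  The interval conditions
    (mu1 in {0,1}^ELL, eps > 2^(ELL+1)) from the slide are NOT proven here."""
    n, a1, a2, b, d = pk
    c2, e, s2 = rerandomize(pk, sig)              # fresh c' per proof: unlinkable showings
    witnesses = (e, m1, s2)
    # Masks far longer than witness + challenge: responses are statistically independent of the witness.
    masks = [secrets.randbelow(1 << (w.bit_length() + CH_BITS + SLACK)) for w in witnesses]
    T = pow(c2, masks[0], n) * pow(a1, masks[1], n) * pow(b, masks[2], n) % n
    ch = _challenge(n, a1, a2, b, d, m2, c2, T)
    z = [r + ch * w for r, w in zip(masks, witnesses)]   # integer responses: group order is unknown
    return c2, T, z


def verify_proof(pk, m2, proof):
    n, a1, a2, b, d = pk
    c2, T, (ze, zm, zs) = proof
    ch = _challenge(n, a1, a2, b, d, m2, c2, T)
    D = d * pow(pow(a2, m2, n), -1, n) % n        # public value d / a2^m2
    return pow(c2, ze, n) * pow(a1, zm, n) * pow(b, zs, n) % n == T * pow(D, ch, n) % n
```

Verification multiplies out to $c'^{r_\varepsilon + ch\cdot e} a_1^{r_\mu + ch\cdot m_1} b^{r_\sigma + ch\cdot s'} = T \cdot (c'^e a_1^{m_1} b^{s'})^{ch} = T \cdot (d/a_2^{m_2})^{ch}$, so a verifier who only sees $c'$, $T$ and the responses checks the signature without ever seeing $c$, $e$, $s$ or $m_1$.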
(© 2016 IBM Corporation, slide 44, October 15 2015 - Press Day)
Password-based Security

Passwords are insecure, aren't they?
Are passwords inherently insecure? No, we're just using them incorrectly.
Username-password is the most prominent form of user authentication.

(© 2016 IBM Corporation, slide 46, 2015 Information Security Summer School - Bilbao)
The problem with passwords
(Diagram: password → salted PW hash; whoever holds the hash file tests guesses offline: hash, compare, "correct" … "correct")

Passwords are symmetric secrets and need protection on the server and on the user side → password hashes are useless against offline attacks:
– human-memorizable passwords are inherently weak
– NIST: 16-character passwords have about 30 bits of entropy, ≈ 1 billion possibilities
– a rig of 25 GPUs tests 350 billion possibilities per second, so ≈ 3 ms for a 16-character password
– 60% of LinkedIn passwords were cracked within 24h
More expensive hash functions provide very little help only:
– they increase verification time as well
– they do not work for short passwords such as PINs etc.
Single-server solutions are inherently vulnerable to offline attacks: a server administrator or a hacker can always guess and test.
The solution: distributed password verification

Setup: open an account with password p. The user's client derives two shares p_1 and p_2 from p and stores one on each server; a single share on its own reveals nothing about p.

Login to the account with password p: the attempt is verified against p_1 and p_2 jointly, so
– no server alone can test a password; passwords stay safe as long as not all servers are hacked
– off-line attacks are no longer possible
– on-line attacks can be throttled
– pro-active re-sharing is possible
The first server can be
– the web server, replacing its hash-data files
– the user's own computer, which then stays secure against loss or theft of the user device
How it works in a nutshell [CLN12, CEN15]

The servers share the secret key ($x_1$ and $x_2$) for the public key $X$ of a homomorphic encryption scheme. At setup, the user encrypts $p$ under $X$: $E = \mathrm{Enc}_X(p)$, stored at both servers.

Password verification is a check for an encryption of 1. At login the user sends $\mathrm{Enc}_X(1/p')$, and the servers compute, for a random $r$ that they choose jointly,
$E' = \left(\mathrm{Enc}_X(1/p') \odot E\right)^r = \mathrm{Enc}_X\left((p/p')^r\right)$
and then decrypt $E'$ together, each contributing its partial decryption $E'^{x_1}$ resp. $E'^{x_2}$:
$p = p' \iff \mathrm{Dec}_X(E') = 1$.

The servers do not learn anything: they obtain 1 if the passwords match and a random number otherwise. The user could even be talking to the wrong servers, since the login message $\mathrm{Enc}_X(1/p')$ reveals nothing about $p'$ without both key shares.
From password to cryptographic keys [CLN12, CLLN14, CEN15]

One of the servers could be your smart phone, laptop, … Besides its password share ($p_1$, $p_2$) each server holds a share of a cryptographic key ($k_1$, $k_2$). Only if the password check succeeded does the user get the key shares from the servers; she reconstructs $k$ from $k_1$ and $k_2$ and can then decrypt all her files on the phone (or stored in the cloud etc.).
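The nutshell protocol of slide 49 together with the key-share release of slides 50 and 51, as an added Python example (not code from the talk and not the CLN12/CEN15 implementation). ElGamal over a prime-order group is the homomorphic scheme; the group parameters (a toy 36-bit subgroup of $\mathbb{Z}_P^*$, $P = 2^{127}-1$), the hash-to-group password encoding, the XOR sharing of the file key and the server API are assumptions of this example. Left out are the zero-knowledge proofs with which, in the real protocol, each server checks that the other applied its $r_i$ and $x_i$ honestly, and the throttling of on-line guesses.

```python
import hashlib
import secrets

# Group: the order-Q subgroup of Z_P^*, with P = 2^127 - 1 (a Mersenne prime)
# and Q = 77158673929 a prime factor of P - 1.  Toy-sized by assumption: fine
# for a demo, far too small for production (use a 2048-bit MODP group or a curve).
P = 2 ** 127 - 1
Q = 77158673929
assert (P - 1) % Q == 0
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(3, 50)) if g != 1)


def rand_exp():
    return 1 + secrets.randbelow(Q - 1)           # uniform in [1, Q-1]


def encode_password(pw):
    """Password -> group element G^H(pw); equal passwords give equal elements."""
    return pow(G, int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % Q, P)


# ElGamal over <G>; the secret key x = x1 + x2 is split between the two servers.
def enc(X, m):
    k = rand_exp()
    return pow(G, k, P), m * pow(X, k, P) % P


def ct_mul(a, b):                                 # Enc(m1) ⊙ Enc(m2) = Enc(m1 * m2)
    return a[0] * b[0] % P, a[1] * b[1] % P


def ct_pow(a, r):                                 # Enc(m)^r = Enc(m^r)
    return pow(a[0], r, P), pow(a[1], r, P)


class Server:
    """One of the two servers: holds its key share x_i, E = Enc_X(p) and a key share k_i."""

    def __init__(self):
        self.x = rand_exp()
        self.accounts = {}

    def register(self, user, E, k_share):
        self.accounts[user] = (E, k_share)

    def randomize(self, ct):
        # Raise to a fresh r_i; the combined exponent r = r1 * r2 is known to neither server.
        return ct_pow(ct, rand_exp())

    def partial_decrypt(self, ct):
        return pow(ct[0], self.x, P)              # c1^{x_i}: useless without the other share

    def release_key_share(self, user, verified):
        return self.accounts[user][1] if verified else None


def setup():
    s1, s2 = Server(), Server()
    X = pow(G, (s1.x + s2.x) % Q, P)              # joint public key for x = x1 + x2
    return s1, s2, X


def register(s1, s2, X, user, password, key):
    """User: encrypt p under X once; split the file-encryption key as k = k1 XOR k2."""
    E = enc(X, encode_password(password))
    k1 = secrets.randbits(128)
    s1.register(user, E, k1)
    s2.register(user, E, key ^ k1)


def login(s1, s2, X, user, attempt):
    """Returns the reconstructed key k if attempt == p, else None."""
    L = enc(X, pow(encode_password(attempt), -1, P))       # user sends Enc_X(1/p') only
    C = s1.randomize(ct_mul(L, s1.accounts[user][0]))      # server 1: (L ⊙ E)^{r1}
    C = s2.randomize(C)                                    # server 2: (...)^{r2}
    d = s1.partial_decrypt(C) * s2.partial_decrypt(C) % P  # c1^{x1} * c1^{x2} = c1^x
    ok = C[1] * pow(d, -1, P) % P == 1                     # Dec(C) = (p/p')^r == 1 iff p == p'
    if not ok:
        return None
    return s1.release_key_share(user, ok) ^ s2.release_key_share(user, ok)


def lone_server_view(server, X, user, guess):
    """What a compromised single server gets when it tests a guess by itself:
    c2 / c1^{x_i}, an element that is 1 only with negligible probability, for a
    right guess as well as for a wrong one.  It cannot tell the two apart."""
    L = enc(X, pow(encode_password(guess), -1, P))
    C = server.randomize(ct_mul(L, server.accounts[user][0]))
    return C[1] * pow(server.partial_decrypt(C), -1, P) % P
```

The offline-attack argument of the slide is visible in the last function: with only $x_1$, the would-be cracker ends up with $X^{k}/G^{k x_1} = G^{k x_2}$ for a blinding $k$ it does not control, so hashing through a wordlist against the stored $E$ is pointless. Every test of a guess needs the second server's partial decryption, which is where rate limiting and lockout can be enforced.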
Further Research Needed

Securing the infrastructure & IoT
– "ad-hoc" establishment of secure authentication and communication
– audit-ability & privacy (where is my information, crime traces)
– security services, e.g. better CAs, oblivious TTPs, anonymous routing, …
Usability
– HCI
– infrastructure (setup, use, changes by end users)
Provably secure protocols
– properly modeling protocols (UC, realistic attack models, …)
– verifiable security proofs
– retaining efficiency

Quantum computers
– lots of new crypto still needed
– build apps algorithm-agnostic
Towards a secure information society
– society gets shaped by quickly changing technology
– consequences are hard to grasp yet
– we must inform and engage in a dialog
Conclusion

Let's engage in some rocket science! Much of the needed technology exists … we need to use it and build apps "for the moon" … and make apps usable and secure for end users.

Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven and many, many more.
jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch
copy 2016 IBM Corporation17 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2016 IBM Corporation18 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2016 IBM Corporation19 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2016 IBM Corporation20 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2016 IBM Corporation21 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2016 IBM Corporation22 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation23 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation24 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2016 IBM Corporation25 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Users Keys One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2016 IBM Corporation26 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Certified attributes from Identity provider Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2016 IBM Corporation27 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation18 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2016 IBM Corporation19 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2016 IBM Corporation20 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2016 IBM Corporation21 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2016 IBM Corporation22 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation23 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation24 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2016 IBM Corporation25 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Users Keys One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2016 IBM Corporation26 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Certified attributes from Identity provider Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2016 IBM Corporation27 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Service: Aha, you
- are older than 12
- have a subscription
Proving identity claims: Alice does not send the credential itself, only a proof with minimal disclosure; the service checks the proof with the public verification key of the issuer.
The transaction is not linkable to any other of Alice's transactions.
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
→ Try yourself: idemixdemo.mybluemix.net
→ Build your app: github.com/IBM-Bluemix/idemix-issuer-verifier
→ Source code: github.com/p2abcengine/p2abcengine
→ Info: ibm.biz/identity_mixer
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Identity Mixer (and related protocols) is in standards: TPM v1.2 (2004) and v2.0 (2015) call it Direct Anonymous Attestation (DAA); the FIDO Alliance is standardizing this kind of authentication as well (with and without a chip).
TPMs allow one to store the secret key in a secure place.
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples: secure and private access to databases
DNA databases, news/journals/magazines, patent databases
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).
Cryptographic access protocol such that the database provider has no information about which user accesses which data.
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the technical realization
- Zero-knowledge proof of knowledge
- Signature scheme compatible with ZKP
- Commitment scheme compatible with ZKP & signature scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group $\langle g \rangle$ and an element $y \in \langle g \rangle$, the prover wants to convince the verifier that she knows $x = \log_g y$, such that the verifier learns only $y$ and $g$:
Prover: picks random $r$, computes $t = g^r$ and sends $t$
Verifier: picks random $c$ and sends $c$
Prover: computes $s = r - c\,x$ and sends $s$
Verifier: accepts iff $t = g^s\, y^c$
Notation: $PK\{(\alpha) : y = g^\alpha\}$
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta) : y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$ and $PK\{(\alpha, \beta) : y = g^\alpha \vee z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$PK\{(\alpha) : y = g^\alpha\}(m)$
Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta) : y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under the Strong RSA assumption):
$PK\{(\alpha) : y = g^\alpha \wedge \alpha \in [A, B]\}$
$PK\{(\alpha) : y = g^\alpha \wedge z = \tilde{g}^\alpha \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\tilde{g}))]\}$, where $g$ and $\tilde{g}$ generate groups of different order
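The three-move protocol of the previous slide and its Fiat-Shamir version, as an added worked example in Python (not code from the talk or from Identity Mixer). It generates a safe-prime group at runtime, runs the interactive proof message by message, shows the simulator that produces accepting transcripts without knowing $x$ (which is the zero-knowledge argument), and turns the proof into a signature of knowledge on a message. The group size, the function names and the way the challenge is hashed are this example's own choices.

```python
"""Schnorr proof of knowledge of a discrete logarithm, PK{(alpha): y = g^alpha}.

Added example, not code from the talk or from Identity Mixer: the 3-move
protocol (t, c, s) of the slide, its Fiat-Shamir version PK{(alpha): y = g^alpha}(m)
(a Schnorr signature on m) and the simulator that shows why the verifier
learns nothing about x. The group is the order-q subgroup of Z_p^* for a
safe prime p = 2q + 1 generated at runtime; 128-bit q is a constructed toy
size, real deployments use a 256-bit prime-order group or an elliptic curve.
"""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases; a composite passes with probability <= 4^-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(qbits: int = 128):
    """Return (p, q, g): a safe prime p = 2q + 1 and a generator g of the order-q subgroup."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            g = pow(secrets.randbelow(p - 3) + 2, 2, p)   # any square other than 1 has order q
            if g != 1:
                return p, q, g


def keygen(p, q, g):
    """The prover's secret x and the public y = g^x that the verifier sees."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


# --- interactive protocol, one function per message on the slide ---
def prover_commit(p, q, g):
    r = secrets.randbelow(q)
    return r, pow(g, r, p)                        # keep r, send t = g^r

def verifier_challenge(q):
    return secrets.randbelow(q)                   # send random c

def prover_respond(q, r, c, x):
    return (r - c * x) % q                        # send s = r - c*x (mod q, the group order)

def verifier_check(p, g, y, t, c, s):
    return pow(g, s, p) * pow(y, c, p) % p == t   # accept iff t == g^s * y^c

def run_interactive(p, q, g, x, y) -> bool:
    r, t = prover_commit(p, q, g)
    c = verifier_challenge(q)
    return verifier_check(p, g, y, t, c, prover_respond(q, r, c, x))


def simulate(p, q, g, y):
    """Zero knowledge: pick c and s first, then t = g^s y^c; same distribution, no x needed."""
    c, s = secrets.randbelow(q), secrets.randbelow(q)
    return pow(g, s, p) * pow(y, c, p) % p, c, s


# --- Fiat-Shamir: the challenge c = H(p, g, y, t, m) replaces the verifier's coin ---
def fs_challenge(p, q, g, y, t, m: bytes) -> int:
    data = b"|".join(str(v).encode() for v in (p, g, y, t)) + b"|" + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def spk_sign(p, q, g, x, y, m: bytes):
    r, t = prover_commit(p, q, g)
    c = fs_challenge(p, q, g, y, t, m)
    return c, prover_respond(q, r, c, x)          # (c, s) is the Schnorr signature on m

def spk_verify(p, q, g, y, m: bytes, sig) -> bool:
    c, s = sig
    t = pow(g, s, p) * pow(y, c, p) % p           # recover t from (c, s), recompute the challenge
    return fs_challenge(p, q, g, y, t, m) == c
```

The simulator is the point of the exercise: `simulate` never touches $x$, yet `verifier_check` accepts its output with the same distribution as a real run, so a transcript cannot leak $x$. Once the challenge is derived from the hash, the same $(c, s)$ pair is a Schnorr signature on $m$, which is the non-interactive $PK\{(\alpha) : y = g^\alpha\}(m)$ of the slide.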
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$
Public key: $n = pq$, a prime $e$, and a collision-free hash function $H : \{0,1\}^* \to \{0,1\}^\ell$
Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e \equiv H(m) \pmod n$
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e \equiv H(m) \pmod n$
We would like a proof of knowledge of a signature on a message, e.g. $PK\{(m, s) : s^e = H(m) \pmod n\}$
But this is not a valid proof expression :-( The secrets $m$ and $s$ appear as a hash input and as an $e$-th root, not as exponents of known bases, so the discrete-logarithm proofs above cannot express the relation.
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
CL-Signature Scheme
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: factors of $n$
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$: choose a random prime $e$ with $2^{\ell+2} > e > 2^{\ell+1}$ and a random integer $s \approx n$, and compute
$c = \bigl(d / (a_1^{m_1} \cdots a_k^{m_k}\, b^s)\bigr)^{1/e} \bmod n$
The signature is $(c, e, s)$
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: check $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$ and
$d = c^e\, a_1^{m_1} \cdots a_k^{m_k}\, b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Knowledge of a CL-signature
Observe:
- $d = c^e\, a_1^{m_1} a_2^{m_2}\, b^s \bmod n$
- Let $c' = c\, b^t \bmod n$ with randomly chosen $t$; then $d = c'^e\, a_1^{m_1} a_2^{m_2}\, b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some (undisclosed) $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma) : d / a_2^{m_2} = c'^{\varepsilon}\, a_1^{\mu_1}\, b^{\sigma} \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
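The scheme of the last three slides as an added worked example in Python (not code from the talk or from Identity Mixer): CL signing and verification, the re-randomisation $c' = c\,b^t$, and a Fiat-Shamir proof of knowledge of the re-randomised signature that discloses only a chosen subset of the messages. The slide's case is one message hidden and one disclosed; the code handles any subset. The modulus $n = 2039 \cdot 1907$ and the bit lengths are constructed toy parameters chosen so the numbers stay readable, and the conditions $\varepsilon > 2^{\ell+1}$ and $\mu_1 \in \{0,1\}^\ell$ are only approximated by a response-length check, not proven with range proofs.

```python
"""CL signatures: sign, verify, re-randomise and prove knowledge of a signature
while disclosing only a chosen subset of the signed messages.

Added example, not code from the talk or from Identity Mixer. Constructed toy
parameters: n = 2039 * 1907 (a product of two safe primes), 8-bit messages,
32-bit challenge and 32-bit statistical blinding; Identity Mixer uses a
2048-bit n with 256-bit messages and challenges and 80-bit blinding. The
range conditions eps > 2^(L+1) and mu in {0,1}^L are only approximated by the
length check on the responses; a full range proof is not implemented here.
"""
import hashlib
import math
import secrets

P, Q = 2039, 1907                  # safe primes: (P-1)/2 = 1019 and (Q-1)/2 = 953 are prime
N, PHI = P * Q, (P - 1) * (Q - 1)  # PHI is the signer's secret (it needs the factors of n)
L = 8                              # message length: m_i in {0,1}^L
L_C, L_PHI = 32, 32                # challenge length, statistical-hiding slack


def _qr():
    """Random quadratic residue mod n that is invertible mod n."""
    while True:
        h = secrets.randbelow(N - 2) + 2
        if math.gcd(h, N) == 1:
            return pow(h, 2, N)


def keygen(k: int) -> dict:
    """Public key: bases a_1..a_k for the messages, b for s, and the target d."""
    return {"a": [_qr() for _ in range(k)], "b": _qr(), "d": _qr()}


def _prod(pk, msgs, s):
    """a_1^m_1 ... a_k^m_k b^s mod n (a negative s is handled by modular inversion)."""
    acc = pow(pk["b"], s, N)
    for a_i, m_i in zip(pk["a"], msgs):
        acc = acc * pow(a_i, m_i, N) % N
    return acc


def sign(pk, msgs):
    """Signature (c, e, s): random prime 2^(L+1) < e < 2^(L+2), s of |n| + L + L_PHI bits."""
    assert len(msgs) == len(pk["a"]) and all(0 <= m < (1 << L) for m in msgs)
    while True:
        e = secrets.randbelow(1 << (L + 1)) + (1 << (L + 1)) + 1
        if all(e % f for f in range(2, int(e ** 0.5) + 1)) and math.gcd(e, PHI) == 1:
            break
    s = secrets.randbits(N.bit_length() + L + L_PHI)
    c = pow(pk["d"] * pow(_prod(pk, msgs, s), -1, N) % N, pow(e, -1, PHI), N)  # e-th root
    return c, e, s


def verify(pk, msgs, sig) -> bool:
    c, e, s = sig
    return (1 << (L + 1)) < e < (1 << (L + 2)) and pow(c, e, N) * _prod(pk, msgs, s) % N == pk["d"]


def rerandomise(pk, sig):
    """(c b^t, e, s - e t) is another valid signature on the same messages."""
    c, e, s = sig
    t = secrets.randbits(N.bit_length() + L_PHI)
    return c * pow(pk["b"], t, N) % N, e, s - e * t


def _challenge(pk, disclosed, c2, t) -> int:
    data = "|".join(map(str, [N, *pk["a"], pk["b"], pk["d"], sorted(disclosed.items()), c2, t]))
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % (1 << L_C)


def prove(pk, msgs, sig, disclosed_idx) -> dict:
    """PK{(eps, mu_i for hidden i, sigma): d / prod_disclosed a_i^m_i = c'^eps prod_hidden a_i^mu_i b^sigma}."""
    c2, e, s2 = rerandomise(pk, sig)                 # fresh c' for every proof: proofs are unlinkable
    hidden = [i for i in range(len(msgs)) if i not in disclosed_idx]
    disclosed = {i: msgs[i] for i in disclosed_idx}
    r_e = secrets.randbits(e.bit_length() + L_C + L_PHI)
    r_s = secrets.randbits(s2.bit_length() + L_C + L_PHI)
    r_m = {i: secrets.randbits(L + L_C + L_PHI) for i in hidden}
    t = pow(c2, r_e, N) * pow(pk["b"], r_s, N) % N
    for i in hidden:
        t = t * pow(pk["a"][i], r_m[i], N) % N
    ch = _challenge(pk, disclosed, c2, t)
    # responses are computed over the integers: the order of QR_n is unknown, nothing is reduced
    return {"c": c2, "disclosed": disclosed, "ch": ch, "s_e": r_e - ch * e,
            "s_s": r_s - ch * s2, "s_m": {i: r_m[i] - ch * msgs[i] for i in hidden}}


def verify_proof(pk, proof) -> bool:
    c2, disclosed, ch = proof["c"], proof["disclosed"], proof["ch"]
    D = pk["d"]                                       # D = d / prod_disclosed a_i^m_i
    for i, m in disclosed.items():
        D = D * pow(pk["a"][i], -m, N) % N
    t = pow(c2, proof["s_e"], N) * pow(pk["b"], proof["s_s"], N) * pow(D, ch, N) % N
    for i, s_m in proof["s_m"].items():
        t = t * pow(pk["a"][i], s_m, N) % N
    # length check: |s_mu| < 2^(L + L_C + L_PHI + 1) bounds the hidden message, loosely
    in_range = all(abs(v).bit_length() <= L + L_C + L_PHI + 1 for v in proof["s_m"].values())
    return in_range and _challenge(pk, disclosed, c2, t) == ch
```

`prove` is the movie-service scenario in miniature: the credential holds `msgs`, the verifier sees `proof["disclosed"]` and the fresh `c'`, and neither value can be matched against the issued `c` or against another proof from the same credential.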
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Passwords are insecure, aren't they?
Are passwords inherently insecure? No, we're just using them incorrectly.
Username and password: the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
[Figure: password → salted password hash stored on the server; whoever holds the hash file can test guesses offline until one is correct]
Passwords are symmetric secrets: they need protection on the server and on the user side → password hashes are useless against offline attacks
- Human-memorizable passwords are inherently weak
- NIST: 16-character passwords have 30 bits of entropy ≈ 1 billion possibilities
- A rig of 25 GPUs tests 350 billion possibilities per second, so ≈ 3 ms for 16 characters
- 60% of LinkedIn passwords were cracked within 24 h
More expensive hash functions provide very little help only:
- they increase the legitimate verification time as well
- they do not work for short passwords such as PINs etc.
Single-server solutions are inherently vulnerable to offline attacks:
- a server administrator or hacker can always guess and test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution: distributed password verification
Setup: open an account with password $p$
[Figure: the user's password $p$ is split into shares $p_1$ and $p_2$, stored on two different servers]
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution: distributed password verification
Login to the account with password $p$
[Figure: the user sends $p$; the two servers check it jointly against their shares $p_1$ and $p_2$]
No server alone can test the password: passwords are safe as long as not all servers are hacked
- off-line attacks are no longer possible
- on-line attacks can be throttled
- pro-active re-sharing is possible
First server:
- a web server (replaces the hashed-password data files)
- the user's own computer (secure against loss or theft of the user device)
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12, CEN15]
The servers hold shares $x_1$ and $x_2$ of the decryption key for the public key $X$ of a homomorphic encryption scheme. At setup, the user encrypts $p$ under $X$: $E = \mathrm{Enc}_X(p)$.
Password verification: a login with $p'$ is a check for an encryption of 1. From the user's $\mathrm{Enc}_X(1/p')$ the servers compute, with a random $r$,
$E'' = (\mathrm{Enc}_X(1/p') \odot E)^r = \mathrm{Enc}_X((p/p')^r)$
and decrypt it jointly from their partial decryptions $E''^{x_1}$ and $E''^{x_2}$:
$p = p' \Leftrightarrow \mathrm{Dec}_X(E'') = 1$
The servers do not learn anything: the result is 1 if the passwords match and a random number otherwise.
The user could even be talking to the wrong servers.
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smart phone, laptop, …
Get a key share from each server if the password check succeeded
Decrypt all your files on the phone (or stored in the cloud, etc.)
[Figure: the servers hold key shares $k_1$, $k_2$ next to the password shares $p_1$, $p_2$]
copy 2016 IBM Corporation51 October 15 2015 - Press Day
[Figure, next step: after $p$ is verified against $p_1$ and $p_2$, the user receives $k_1$ and $k_2$ and reconstructs the key $k$]
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure & IoT
- "ad-hoc" establishment of secure authentication and communication
- auditability & privacy (where is my information? crime traces)
- security services, e.g. better CAs, oblivious TTPs, anonymous routing, …
Usability
- HCI
- infrastructure (setup, use, changes by end users)
Provably secure protocols
- properly modeling protocols (UC, realistic attack models, …)
- verifiable security proofs
- retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum computers
- lots of new crypto still needed
- build apps algorithm-agnostic
Towards a secure information society
- society gets shaped by quickly changing technology
- the consequences are hard to grasp yet
- we must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let's engage in some rocket science: much of the needed technology exists … we need to use it and build apps "for the moon" … and make apps usable & secure for end users.
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven and many, many more.
jca@zurich.ibm.com | JanCamenisch | ibm.biz/jancamenisch
© 2016 IBM Corporation (21) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (and similar protocols), e.g. log-in with Facebook
© 2016 IBM Corporation (22) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solutions, e.g. log-in with Facebook
"Aha, Alice is watching a 12+ movie"
© 2016 IBM Corporation (23) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solutions, e.g. log-in with Facebook
"Aha, you are:
- Alice@facebook.com
- 12+
- Mplex Customer 1029347, Premium Subscription, Expires Jan 13, 2016"
"Aha, Alice is watching a 12+ movie"
© 2016 IBM Corporation (24) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proper cryptography solves this: Identity Mixer
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
- has a subscription
- is older than 12
and no more.
© 2016 IBM Corporation (25) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
User's keys: one secret identity (secret key), many public pseudonyms (public keys)
→ use a different identity for each communication partner or even transaction
© 2016 IBM Corporation (26) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from identity provider: issuing a credential
Name = Alice Doe
Birth date = April 3, 1997
© 2016 IBM Corporation (27) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department: issuing a credential
© 2016 IBM Corporation (28) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
"I wish to see Alice in Wonderland"
"You need:
- a subscription
- to be older than 12"
© 2016 IBM Corporation (29) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Proving identity claims: does not send credentials, only minimal disclosure
- valid subscription
- eID with age ≥ 12
© 2016 IBM Corporation (30) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims: Minimal Disclosure
Credential (verified ID): Alice Doe, Dec 12, 1998, Hauptstr. 7, Zurich, CH, single, Exp: Aug 4, 2018
Minimal-disclosure presentation (verified ID): Alice Doe, Age 12+, Hauptstr. 7, Zurich, CH, single, Exp: Valid
© 2016 IBM Corporation (31) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Proving identity claims: does not send credential, only minimal disclosure (verified with the public verification key of the issuer)
"Aha, you are:
- older than 12
- have a subscription"
Transaction is not linkable to any other of Alice's transactions
© 2016 IBM Corporation (32) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
→ Try yourself: idemixdemo.mybluemix.net
→ Build your app: github.com/IBM-Bluemix/idemix-issuer-verifier
→ Source code: github.com/p2abcengine/p2abcengine
→ Info: ibm.biz/identity_mixer
© 2016 IBM Corporation (33) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards: TPM v1.2 (2004) and v2.0 (2015) call it Direct Anonymous Attestation; the FIDO Alliance is standardizing this for authentication as well (with and without chip)
TPMs allow one to store the secret key in a secure place
© 2016 IBM Corporation (34) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples: secure and private access to databases
DNA databases, News/Journals/Magazines, Patent database
Cryptographic access protocol s.t. the database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
© 2016 IBM Corporation (35) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
© 2016 IBM Corporation (36) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the technical realization
- Zero-knowledge proof of knowledge
- Signature scheme compatible with ZKP
- Commitment scheme compatible with ZKP & signature scheme
© 2016 IBM Corporation (37) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given group $\langle g \rangle$ and element $y \in \langle g \rangle$. Prover wants to convince verifier that she knows $x = \log_g y$, such that verifier only learns $y$ and $g$.
Notation: $PK\{(\alpha): y = g^\alpha\}$
Prover                                   Verifier
random $r$, $t = g^r$       -- $t$ -->
                            <-- $c$ --   random $c$
$s = r - c x$               -- $s$ -->   check $t = g^s y^c$
© 2016 IBM Corporation (38) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha,\beta): y = g^\alpha \land z = g^\beta \land u = g^\beta h^\alpha\}$
$PK\{(\alpha,\beta): y = g^\alpha \lor z = g^\beta\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures): $PK\{(\alpha): y = g^\alpha\}(m)$
Many exponents:
$PK\{(\alpha,\beta,\gamma,\delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$
Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^\alpha \land \alpha \in [A,B]\}$
$PK\{(\alpha): y = g^\alpha \land z = \tilde{g}^\alpha \land \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(\tilde{g}))]\}$ (with $\tilde{g}$ generating a group of different order)
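The two slides above give the protocol as algebra only. The following is an added example (it is not code from the talk, from IBM or from Identity Mixer) that runs the interactive proof exactly as drawn, $t = g^r$, challenge $c$, $s = r - c x$, check $t = g^s y^c$, and then the Fiat-Shamir variant $PK\{(\alpha): y = g^\alpha\}(m)$ in which the challenge is a hash of $y$, $t$ and $m$, which is a Schnorr signature on $m$. Assumptions made here: the group is secp256k1 in additive notation (so $g^\alpha$ is $\alpha \cdot G$), the challenge hash is SHA-256 over the fixed-width encodings of $y$, $t$ and $m$, and the prover/verifier roles are plain functions exchanging values in one process.

```python
# Added example (not from the talk): Schnorr proof of knowledge of a discrete
# logarithm, interactive and Fiat-Shamir, over secp256k1 (public constants).
import hashlib
import secrets

P = 2**256 - 2**32 - 977                      # field prime of secp256k1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None                                    # point at infinity


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if a is INF:
        return b
    if b is INF:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return INF                            # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P


def ec_mul(k, pt):
    """Scalar multiplication k*pt (double-and-add); k is reduced mod N."""
    result, addend = INF, pt
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


# --- interactive PK{(alpha): y = g^alpha}, multiplicative notation of the slide
def prover_commit():
    r = secrets.randbelow(N - 1) + 1
    return r, ec_mul(r, G)                    # keep r, send t = g^r


def verifier_challenge():
    return secrets.randbelow(N)               # random c


def prover_respond(x, r, c):
    return (r - c * x) % N                    # s = r - c*x


def verifier_check(y, t, c, s):
    return ec_add(ec_mul(s, G), ec_mul(c, y)) == t   # t == g^s * y^c ?


def run_interactive(x):
    """Full three-move run between a prover knowing x and a verifier knowing y."""
    y = ec_mul(x, G)
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verifier_check(y, t, c, s)


# --- non-interactive PK{(alpha): y = g^alpha}(m): c = H(y, t, m)
def fs_challenge(y, t, msg):
    data = b"".join(v.to_bytes(32, "big") for v in (*y, *t)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def fs_prove(x, msg):
    """Returns (c, s): a Schnorr signature on msg under y = x*G."""
    y = ec_mul(x, G)
    r, t = prover_commit()
    c = fs_challenge(y, t, msg)
    return c, prover_respond(x, r, c)


def fs_verify(y, msg, proof):
    c, s = proof
    t = ec_add(ec_mul(s, G), ec_mul(c, y))    # recompute t = g^s * y^c
    return t is not INF and fs_challenge(y, t, msg) == c
```

The verifier's equation works because $g^s y^c = g^{r - cx} g^{xc} = g^r = t$; an honest verifier learns only $y$, $g$ and a transcript it could have simulated itself by choosing $c$ and $s$ first. In the Fiat-Shamir version the same transcript becomes a signature, so the check also fails when $m$ or $y$ is swapped.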
© 2016 IBM Corporation (39) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest, Shamir and Adleman, 1978
Secret key: two random primes $p$ and $q$
Public key: $n = pq$, prime $e$, and collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$
Computing signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$
Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$
© 2016 IBM Corporation (40) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification of signature on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Wanna do proof of knowledge of signature on a message, e.g. $PK\{(m, s): s^e = H(m) \pmod n\}$
But this is not a valid proof expression :-(
© 2016 IBM Corporation (41) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
CL-Signature Scheme
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: factors of $n$
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$: choose random prime $2^{\ell+2} > e > 2^{\ell+1}$ and integer $s \approx n$, compute $c$:
$c = \left( \frac{d}{a_1^{m_1} \cdots a_k^{m_k} b^s} \right)^{1/e} \bmod n$
Signature is $(c, e, s)$
© 2016 IBM Corporation (42) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
CL-Signature Scheme
To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: check $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$, and
$d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
© 2016 IBM Corporation (43) Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Knowledge of a CL-signature
Observe (for two messages $m_1, m_2$):
- $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$
- Let $c' = c \cdot b^t \bmod n$ with randomly chosen $t$; then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^{\varepsilon} a_1^{\mu_1} b^{\sigma} \land \mu_1 \in \{0,1\}^\ell \land \varepsilon > 2^{\ell+1}\}$
© 2016 IBM Corporation (44) October 15, 2015 - Press Day
Password-based Security
© 2016 IBM Corporation (45) October 15, 2015 - Press Day
Passwords are insecure, aren't they?
Passwords inherently insecure? No, we're just using them incorrectly.
Username-password: the most prominent form of user authentication
© 2016 IBM Corporation (46) 2015 Information Security Summer School - Bilbao
The problem with passwords
[figure: password → salted PW hash; whoever holds the hash file tests guess after guess ("correct?", "correct?", …) until one matches]
Passwords are symmetric secrets, need protection on server & user → password (hashes) useless against offline attacks
- Human-memorizable passwords are inherently weak
- NIST: 16-character passwords have 30 bits of entropy ≈ 1 billion possibilities
- Rig of 25 GPUs tests 350 billion possibilities/second, so ≈ 3 ms for 16 chars
- 60% of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help only
- increases verification time as well
- does not work for short passwords such as PINs etc.
Single-server solutions inherently vulnerable to offline attacks
- Server administrator / hacker can always guess & test
© 2016 IBM Corporation (47) October 15, 2015 - Press Day
The solution: distributed password verification
Setup: open account with password p
[figure: p is split into two shares p1 and p2, held by different servers]
© 2016 IBM Corporation (48) October 15, 2015 - Press Day
The solution: distributed password verification
Login to account with password p
[figure: the login with p is checked against the shares p1 and p2 together]
No server alone can test the password; passwords safe as long as not all servers are hacked
- off-line attacks no longer possible
- on-line attacks can be throttled
Pro-active re-sharing possible
First server:
→ web-server: replaces hash-data files
→ user's computer: secure against loss or theft of user device
© 2016 IBM Corporation (49) 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12, CEN15]
Servers share the secret key (shares $x_1$ and $x_2$) for public key $X$ of a homomorphic encryption scheme. At setup, the user encrypts $p$ under $X$: $E = Enc_X(p)$.
Server 1 holds $E = Enc_X(p)$ and $x_1$; server 2 holds $E = Enc_X(p)$ and $x_2$.
Password verification: check for an encryption of 1. For a login attempt with $p'$:
$E' = (Enc_X(1/p') \odot E)^r = Enc_X((p/p')^r)$
$p = p' \leftrightarrow Dec_X(E') = 1$
Servers do not learn anything: 1 if the passwords match, a random number otherwise
User could even be talking to the wrong servers
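The slide states the check in one line of algebra; the following added example (not code from the talk, from IBM or from the cited papers) runs it end to end with concrete objects. Assumptions made here, none of which the slide fixes: the homomorphic scheme is ElGamal in the prime-order quadratic-residue subgroup of a safe prime, the two key shares are additive ($x = x_1 + x_2$) so that each server contributes one partial decryption $c_1^{x_i}$, the password is mapped into the group by hashing and squaring, and the randomising exponent $r$ is chosen by the servers. The prime is only 64 bits so that the example runs instantly; a real deployment would use a standard-size group.

```python
# Added example (not from the talk): two-server password check with ElGamal
# over the QR subgroup of a 64-bit safe prime. Toy parameters, real algebra.
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with fixed bases: deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(start=1 << 63):
    """First safe prime P = 2Q + 1 at or above start (deterministic search)."""
    p = start | 1
    while not (is_prime((p - 1) // 2) and is_prime(p)):
        p += 2
    return p


P = safe_prime()        # modulus
Q = (P - 1) // 2        # prime order of the quadratic-residue subgroup
G = 4                   # 2^2 is a QR and != 1, hence a generator of order Q


def encode(password):
    """Map a password to a non-trivial element of the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return pow(h % P or 2, 2, P)          # squaring lands in the QR subgroup


def keygen():
    """Two additive shares x1, x2 of the secret key; X = g^(x1+x2) is public."""
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return x1, x2, pow(G, (x1 + x2) % Q, P)


def encrypt(X, m):
    k = secrets.randbelow(Q)
    return pow(G, k, P), m * pow(X, k, P) % P       # (g^k, m * X^k)


def ct_mul(c, d):
    """Homomorphic product: Enc(a) (.) Enc(b) = Enc(a*b)."""
    return c[0] * d[0] % P, c[1] * d[1] % P


def ct_pow(c, r):
    """Enc(a)^r = Enc(a^r): turns a quotient != 1 into a random element."""
    return pow(c[0], r, P), pow(c[1], r, P)


def partial_decrypt(c, x_i):
    return pow(c[0], x_i, P)                        # c1^(x_i)


def register(X, password):
    """Setup: E = Enc_X(p), stored at both servers."""
    return encrypt(X, encode(password))


def login(E, X, x1, x2, attempt):
    """Both servers take part; True iff attempt equals the registered password."""
    inv = pow(encode(attempt), -1, P)
    E1 = ct_mul(encrypt(X, inv), E)                 # Enc_X(p / p')
    r = secrets.randbelow(Q - 1) + 1                # r in [1, Q-1], server-chosen
    E1 = ct_pow(E1, r)                              # Enc_X((p / p')^r)
    d1 = partial_decrypt(E1, x1)                    # server 1's share
    d2 = partial_decrypt(E1, x2)                    # server 2's share
    return E1[1] == d1 * d2 % P                     # plaintext == 1 ?
```

The final comparison is $Dec_X(E') = 1$ in disguise: $d_1 d_2 = c_1^{x_1 + x_2} = X^{k}$ for the combined randomness $k$, so $c_2 = d_1 d_2$ exactly when the encrypted quotient is 1. Because the subgroup has prime order, $(p/p')^r$ is never 1 for a wrong password, and it is uniformly random, so a server that sees the decryption learns nothing about $p'$ beyond "mismatch"; neither share $x_i$ on its own decrypts anything, which is what removes the offline attack.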
© 2016 IBM Corporation (50) October 15, 2015 - Press Day
From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smart phone, laptop, …
Get the key shares from the servers if the password check succeeded
Decrypt all your files on the phone (or stored in the cloud, etc.)
[figure: besides the password shares p1, p2, the servers hold key shares k1, k2]
© 2016 IBM Corporation (51) October 15, 2015 - Press Day
From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smart phone, laptop, …
Get the key shares from the servers if the password check succeeded
Decrypt all your files on the phone (or stored in the cloud, etc.)
[figure: after a successful check of p against (p1, p2), the key k is assembled from the shares k1 and k2]
© 2016 IBM Corporation (52) 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure & IoT
- "ad-hoc" establishment of secure authentication and communication
- audit-ability & privacy (where is my information, crime traces)
- security services, e.g. better CA, oblivious TTPs, anonymous routing, …
Usability
- HCI
- Infrastructure (setup, use, changes by end users)
Provably secure protocols
- Properly modeling protocols (UC, realistic attack models, …)
- Verifiable security proofs
- Retaining efficiency
© 2016 IBM Corporation (53) 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum computers
- Lots of new crypto needed still
- Build apps algorithm-agnostic
Towards a secure information society
- Society gets shaped by quickly changing technology
- Consequences are hard to grasp yet
- We must inform and engage in a dialog
© 2016 IBM Corporation (54) 2015 Information Security Summer School - Bilbao
Conclusion
Let's engage in some rocket science!
Much of the needed technology exists … we need to use it & build apps "for the moon" … and make apps usable & secure for end users
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven, and many many more
jca@zurich.ibm.com   @JanCamenisch   ibm.biz/jancamenisch
copy 2016 IBM Corporation22 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation23 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation24 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2016 IBM Corporation25 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Users Keys One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2016 IBM Corporation26 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Certified attributes from Identity provider Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2016 IBM Corporation27 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation23 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2016 IBM Corporation24 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2016 IBM Corporation25 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Users Keys One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2016 IBM Corporation26 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Certified attributes from Identity provider Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2016 IBM Corporation27 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
Slide 46 (© 2016 IBM Corporation; 2015 Information Security Summer School - Bilbao): The problem with passwords
[Figure: password vs. stored salted PW hash; a sequence of guesses checked against it: correct? correct? correct? … correct!]
Passwords are symmetric secrets: need protection on server & user → password (hashes) useless against offline attacks
– Human-memorizable passwords are inherently weak
– NIST: 16-character passwords have 30 bits of entropy ≈ 1 billion possibilities
– Rig of 25 GPUs tests 350 billion possibilities per second, so ≈ 3 ms for 16 chars
– 60% of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help only
– increases verification time as well
– does not work for short passwords such as PINs etc.
Single-server solutions inherently vulnerable to offline attacks
– Server administrator / hacker can always guess & test
Slide 47: The solution: distributed password verification
Setup: open account w/ password p
[Figure: the user's password p is shared as p_1 and p_2 across two servers]
Slide 48: The solution: distributed password verification
Login to account with password p'
[Figure: user sends p' to the servers holding p_1 and p_2; they jointly check p' = p]
No server alone can test a password; passwords are safe as long as not all servers are hacked
– off-line attacks no longer possible
– on-line attacks can be throttled
Pro-active re-sharing possible
First server:
– web-server: replaces hash-data files →
– user's computer: secure against loss or theft of user device →
Slide 49 (© 2016 IBM Corporation; 2015 Information Security Summer School - Bilbao): How it works in a nutshell [CLN12, CEN15]
Servers share the decryption secret key (x_1 and x_2) of a homomorphic encryption scheme with public key X. At setup the user encrypts p under X: E = Enc_X(p). Password verification: check for an encryption of 1.
[Figure, login with p': E' = (Enc_X(1/p') ⟐ E)^r = Enc_X((p/p')^r); each server applies its key share x_1 resp. x_2 so that E' is decrypted jointly; p = p' ↔ Dec_X(E') = 1]
Servers do not learn anything
– 1 if passwords match, random number otherwise
User could even be talking to the wrong servers
Slide 50 (© 2016 IBM Corporation; October 15 2015 - Press Day): From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smart phone, laptop, …
Get a key share from each server if the password check succeeded
Decrypt all your files on the phone (or stored in the cloud, etc.)
[Figure: two servers hold (p_1, k_1) and (p_2, k_2)]
Slide 51: From password to cryptographic keys (next animation step of slide 50)
[Figure: after entering p, the user obtains k_1 and k_2 and reconstructs k; p corresponds to the shares p_1, p_2]
Slide 52: Further Research Needed
Securing the infrastructure & IoT
– "ad-hoc" establishment of secure authentication and communication
– audit-ability & privacy (where is my information, crime traces)
– security services, e.g. better CA, oblivious TTPs, anonymous routing, …
Usability
– HCI
– Infrastructure (setup, use, changes by end users)
Provably secure protocols
– Properly modeling protocols (UC, realistic attack models)
– Verifiable security proofs
– Retaining efficiency
Slide 53: Further Research Needed
Quantum Computers
– Lots of new crypto needed still
– Build apps algorithm-agnostic
Towards a secure information society
– Society gets shaped by quickly changing technology
– Consequences are hard to grasp yet
– We must inform and engage in a dialog
Slide 54: Conclusion
Let's engage in some rocket science! Much of the needed technology exists … we need to use it & build apps "for the moon" … and make apps usable & secure for end users
Thank you! Joint work w/ Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven, and many, many more
jca@zurich.ibm.com · JanCamenisch · ibm.biz/jancamenisch
Slide 24: Proper cryptography solves this: Identity Mixer
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
– has a subscription
– is older than 12
and no more.
Slide 25: Privacy-protecting authentication with Privacy ABCs
User's keys: one secret identity (secret key), many public pseudonyms (public keys)
→ use a different identity for each communication partner or even transaction
Slide 26: Privacy-protecting authentication with Privacy ABCs
Issuing a credential: certified attributes from the identity provider
[Figure: credential with Name = Alice Doe, Birth date = April 3 1997]
Slide 27: Privacy-protecting authentication with Privacy ABCs
Issuing a credential: certified attributes from the purchasing department
Slide 28: Privacy-protecting authentication with Privacy ABCs
Alice: "I wish to see Alice in Wonderland"
Service: "You need: a subscription, and to be older than 12"
Slide 29: Privacy-protecting authentication with Privacy ABCs
Proving identity claims: Alice does not send credentials, only a minimal disclosure
[Figure: proof of a valid subscription and of an eID with age ≥ 12]
Slide 30: Proving Identity Claims: Minimal Disclosure
[Figure: verified ID card "Alice Doe, Dec 12 1998, Hauptstr 7 Zurich CH, single, Exp: Aug 4 2018" next to its minimally disclosed version "Alice Doe, Age 12+, Hauptstr 7 Zurich CH, single, Exp: Valid"]
Slide 31: Privacy-protecting authentication with Privacy ABCs
Service: "Aha, you are older than 12 and have a subscription"
Proving identity claims: Alice does not send the credential, only a minimal disclosure (checked with the public verification key of the issuer)
Transaction is not linkable to any other of Alice's transactions
Slide 32: Try Identity Mixer for yourself
Try yourself: idemixdemo.mybluemix.net →
Build your app: github.com/IBM-Bluemix/idemix-issuer-verifier →
Source code: github.com/p2abcengine/p2abcengine →
Info: ibm.biz/identity_mixer →
Slide 33: You might already have Identity Mixer on your devices
Identity Mixer (and related protocols) in standards: TPM V1.2 (2004) and V2.0 (2015) call it Direct Anonymous Attestation; the FIDO Alliance is standardizing this as well for authentication (with and without chip)
TPMs allow one to store the secret key in a secure place
Slide 34: Other examples: secure and private access to databases
DNA databases, news / journals / magazines, patent databases
Cryptographic access protocol s.t. the database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Slide 35: A glimpse at the underlying cryptography
Slide 36: A Glimpse at the technical realization
– Zero knowledge proof of knowledge
– Signature scheme compatible with ZKP
– Commitment scheme compatible with ZKP & signature scheme
Slide 37: Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group ⟨g⟩ and an element y ∈ ⟨g⟩, the Prover wants to convince the Verifier that she knows x = log_g y, such that the Verifier only learns y and g.
Prover: picks random r, computes t = g^r, sends t
Verifier: picks random c, sends c
Prover: computes s = r - c·x, sends s
Verifier: checks t = g^s · y^c
Notation: PK{(α): y = g^α}
Slide 38: Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations: PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}, PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures): PK{(α): y = g^α}(m)
Many exponents: PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA): PK{(α): y = g^α ∧ α ∈ [A, B]}, PK{(α): y = g^α ∧ z = g'^α ∧ α ∈ [0, min(ord(g), ord(g'))]}
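The interactive protocol of slide 37, its Fiat-Shamir form from slide 38 (a Schnorr signature on m), and the knowledge extractor that justifies calling it a proof of knowledge, as an added example that is not code from the slides or from Identity Mixer. The group is constructed at import time as a 128-bit safe-prime subgroup found by a deterministic search (a real deployment uses a standardised group of at least 256-bit order); the Miller-Rabin helper is demo-grade; the names keygen, prover_commit, verifier_challenge, prover_respond, verifier_check, extract, schnorr_sign and schnorr_verify are this example's own. Requires Python 3.8+ for pow(x, -1, m).

```python
"""Schnorr proof of knowledge of a discrete logarithm (slide 37), its
Fiat-Shamir / Schnorr-signature form (slide 38), and the knowledge extractor
that justifies the words "proof of knowledge".

Added example, not code from the slides or from Identity Mixer.  The group is
a 128-bit safe-prime subgroup generated at import time (constructed; real
deployments use standardised groups of >= 256-bit order)."""
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases: demo-grade, not a certified test."""
    if n < 2:
        return False
    for a in _BASES:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 128):
    """p = 2q+1 with q prime, found by scanning upward from 2^(bits-1) so the
    parameters are reproducible; g = 4 is a square, hence of order exactly q."""
    q = (1 << (bits - 1)) + 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group()


def keygen():
    """Prover's secret x and public y = g^x (the verifier learns only y, g)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# -- interactive protocol of slide 37:  t = g^r  ->  c  ->  s = r - c*x  --
def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                 # r stays secret, t is sent


def verifier_challenge():
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    return (r - c * x) % Q                 # exponent arithmetic is mod q


def verifier_check(y, t, c, s):
    """Accept iff t = g^s * y^c (mod p): g^(r-cx) * g^(cx) = g^r."""
    return t == pow(G, s, P) * pow(y, c, P) % P


def run_interactive(x, y):
    r, t = prover_commit()
    c = verifier_challenge()
    return verifier_check(y, t, c, prover_respond(x, r, c))


def extract(c1, s1, c2, s2):
    """Knowledge extractor: two accepting transcripts that share t but have
    different challenges give x = (s2 - s1) / (c1 - c2) mod q.  This is also
    why a prover must never reuse r across two proofs."""
    return (s2 - s1) * pow((c1 - c2) % Q, -1, Q) % Q


# -- non-interactive version of slide 38: PK{(alpha): y = g^alpha}(m) --
def fs_challenge(y, t, msg: bytes) -> int:
    """Fiat-Shamir: the challenge is a hash of the statement, t and the message."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q


def schnorr_sign(x, y, msg: bytes):
    r, t = prover_commit()
    c = fs_challenge(y, t, msg)
    return c, prover_respond(x, r, c)


def schnorr_verify(y, msg: bytes, sig) -> bool:
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P    # recompute t, then re-derive c
    return fs_challenge(y, t, msg) == c
```

The extractor is the reason the verifier can trust that a convincing prover really holds x, and it doubles as a reminder of the one operational hazard of this family: if r is ever reused for two different challenges, anyone holding both transcripts recovers the secret key.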
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation25 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Users Keys One secret Identity (secret key) Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2016 IBM Corporation26 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Certified attributes from Identity provider Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2016 IBM Corporation27 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation26 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Certified attributes from Identity provider Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2016 IBM Corporation27 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
© 2016 IBM Corporation 46 2015 Information Security Summer School - Bilbao
The problem with passwords
[Figure: password → salted PW hash; guesses are tested against the hash one after another: correct? correct? correct? … correct!]
Passwords are symmetric secrets: they need protection on server & user side → password (hashes) are useless against offline attacks
– Human-memorizable passwords are inherently weak
– NIST: 16-character passwords have 30 bits of entropy ≈ 1 billion possibilities
– A rig of 25 GPUs tests 350 billion possibilities/second, so ≈ 3 ms for 16 chars
– 60% of LinkedIn passwords cracked within 24h
More expensive hash functions provide only very little help
– increases verification time as well
– does not work for short passwords such as PINs etc.
Single-server solutions are inherently vulnerable to offline attacks
– Server administrator / hacker can always guess & test
The solution: distributed password verification
Setup: open an account with password p
[Figure: the user's password p is split into shares p1 and p2, one sent to each server; p1 and p2 together determine p]
The solution: distributed password verification
Login to the account with password p'
[Figure: the user logs in with p'; the servers holding p1 and p2 jointly check whether p' = p]
No server alone can test the password: passwords are safe as long as not all servers are hacked
– off-line attacks no longer possible
– on-line attacks can be throttled
Pro-active re-sharing possible
First server:
– web server: replaces hash-data files
– user's computer: secure against loss or theft of the user device
How it works in a nutshell [CLN12, CEN15]
[Figure: the user holds p'; the two servers hold E = Enc_X(p) and the key shares x1 and x2]
$E' = (\mathrm{Enc}_X(1/p') \odot E)^{r} = \mathrm{Enc}_X\big((p/p')^{r}\big)$
Server 1 contributes $\mathrm{Enc}_X(\cdot)^{x_1}$, server 2 contributes $\mathrm{Enc}_X(\cdot)^{x_2}$ (partial decryptions with their key shares)
$p = p' \leftrightarrow \mathrm{Dec}_X(E') = 1$
Servers share the secret key (shares x1 and x2) for the public key X of a homomorphic encryption scheme. At setup, the user encrypts p under X: E = Enc_X(p). Password verification: check whether E' is an encryption of 1.
Servers do not learn anything:
– 1 if the passwords match, a random number otherwise
User could even be talking to the wrong servers
From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smart phone, laptop, … Get the key share from it if the password check succeeded. Decrypt all your files on the phone (or stored in the cloud, etc.)
[Figure: the user enters p; the servers hold password shares p1, p2 (which together determine p) and key shares k1, k2; after a successful check the user obtains k from k1 and k2]
Further Research Needed
Securing the infrastructure & IoT
– "ad-hoc" establishment of secure authentication and communication
– audit-ability & privacy (where is my information, crime traces)
– security services, e.g. better CAs, oblivious TTPs, anonymous routing, …
Usability
– HCI
– Infrastructure (setup, use, changes by end users)
Provably secure protocols
– Properly modeling protocols (UC, realistic attack models, …)
– Verifiable security proofs
– Retaining efficiency
Quantum computers
– Lots of new crypto needed still
– Build apps algorithm-agnostic
Towards a secure information society
– Society gets shaped by quickly changing technology
– Consequences are hard to grasp yet
– We must inform and engage in a dialog
Conclusion
Let's engage in some rocket science! Much of the needed technology exists … we need to use it & build apps "for the moon" … and make apps usable & secure for end users.
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven, and many many more
jca@zurich.ibm.com  @JanCamenisch  ibm.biz/jancamenisch
Privacy-protecting authentication with Privacy ABCs
Issuing a credential: certified attributes from the purchasing department
Privacy-protecting authentication with Privacy ABCs
"I wish to see Alice in Wonderland"
"You need: a subscription, and to be older than 12"
Privacy-protecting authentication with Privacy ABCs
Proving identity claims, but does not send credentials, only minimal disclosure:
- valid subscription
- eID with age ≥ 12
Proving Identity Claims: Minimal Disclosure
[Figure, full eID: Alice Doe, Dec 12 1998, Hauptstr. 7, Zurich, CH, single, Exp. Aug 4 2018, verified ID]
[Figure, minimally disclosed eID: Alice Doe, Age 12+, Hauptstr. 7, Zurich, CH, single, Exp. Valid, verified ID]
Privacy-protecting authentication with Privacy ABCs
"Aha, you are older than 12 and have a subscription"
Proving identity claims, but does not send the credential, only minimal disclosure (public verification key of issuer)
Transaction is not linkable to any other of Alice's transactions
Try Identity Mixer for yourself
Try yourself: idemixdemo.mybluemix.net
Build your app: github.com/IBM-Bluemix/idemix-issuer-verifier
Source code: github.com/p2abcengine/p2abcengine
Info: ibm.biz/identity_mixer
You might already have Identity Mixer on your devices
Identity Mixer (and related protocols) in standards:
– TPM V1.2 (2004) and V2.0 (2015) call it Direct Anonymous Attestation
– FIDO Alliance authentication is standardizing this as well (with and without chip)
TPMs allow one to store the secret key in a secure place
Other examples: secure and privacy-preserving access to databases
DNA databases, news/journals/magazines, patent databases
Cryptographic access protocol s.t. the database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
A glimpse at the underlying cryptography
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature scheme compatible with ZKP
Commitment scheme compatible with ZKP & signature scheme
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group ⟨g⟩ and an element y ∈ ⟨g⟩, the prover wants to convince the verifier that she knows x = log_g y, such that the verifier only learns y and g.
$PK\{(\alpha) : y = g^{\alpha}\}$
Prover: picks random r, computes t = g^r, sends t
Verifier: picks random c, sends c
Prover: computes s = r − cx, sends s
Verifier: checks t = g^s y^c
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
$PK\{(\alpha, \beta) : y = g^{\alpha} \wedge z = g^{\beta} \wedge u = g^{\beta} h^{\alpha}\}$, $PK\{(\alpha, \beta) : y = g^{\alpha} \vee z = g^{\beta}\}$
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures): $PK\{(\alpha) : y = g^{\alpha}\}(m)$
Many exponents: $PK\{(\alpha, \beta, \gamma, \delta) : y = g^{\alpha} h^{\beta} z^{\gamma} k^{\delta} u^{\beta}\}$
Intervals and groups of different order (under SRSA): $PK\{(\alpha) : y = g^{\alpha} \wedge \alpha \in [A, B]\}$, $PK\{(\alpha) : y = g^{\alpha} \wedge z = g'^{\alpha} \wedge \alpha \in [0, \min(\mathrm{ord}(g), \mathrm{ord}(g'))]\}$
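Slides 37 and 38 as runnable code, added here as an example that is not from the slides: the interactive Schnorr proof exactly as on slide 37, then a generic prover and verifier for several discrete-log equations with shared exponents (the AND-combination and "many exponents" forms of slide 38), made non-interactive with the Fiat-Shamir heuristic, which with a message bound in is a Schnorr signature. The toy group and all helper names are the example's own assumptions.

```python
# Added example, not from the slides: the Schnorr protocol PK{(alpha): y = g^alpha}
# of slide 37 as the interactive 3-move protocol, plus the generalisation of
# slide 38: several equations sharing exponents (AND-combination, many
# exponents) made non-interactive with the Fiat-Shamir heuristic.
# Assumption: a constructed toy group, the order-509 subgroup of Z_1019^*
# generated by 4; a real system uses a group of ~256-bit prime order.
import hashlib
import random

PRIME, ORDER, G = 1019, 509, 4   # 1019 = 2*509 + 1 is a safe prime, 4 has order 509
H = pow(G, 123, PRIME)           # second base h (toy: its log is known here)


# --- slide 37: interactive proof of knowledge of x = log_g y -----------------
def prover_commit(rng):
    r = rng.randrange(1, ORDER)
    return r, pow(G, r, PRIME)                 # keep r, send t = g^r


def verifier_challenge(rng):
    return rng.randrange(1, ORDER)             # send a non-zero challenge c


def prover_respond(x, r, c):
    return (r - c * x) % ORDER                 # send s = r - c*x


def verifier_check(y, t, c, s):
    return t == pow(G, s, PRIME) * pow(y, c, PRIME) % PRIME   # t == g^s * y^c


# --- slide 38: PK{(x_0..x_n): target_j = prod base^{x_i}}, Fiat-Shamir -------
# A statement is a list of equations (target, [(base, variable_index), ...]).
def _evaluate(terms, exponents):
    out = 1
    for base, i in terms:
        out = out * pow(base, exponents[i], PRIME) % PRIME
    return out


def _challenge(statement, commitments, msg):
    data = repr((statement, commitments, msg)).encode()
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return 1 + digest % (ORDER - 1)            # non-zero challenge in [1, q-1]


def prove(statement, witness, rng, msg=b""):
    """One randomiser per hidden exponent; a shared exponent gets one response,
    which is what ties the equations together. msg != b'' gives PK{...}(m)."""
    rand = [rng.randrange(ORDER) for _ in witness]
    commitments = [_evaluate(terms, rand) for _, terms in statement]
    c = _challenge(statement, commitments, msg)
    responses = [(r - c * x) % ORDER for r, x in zip(rand, witness)]
    return commitments, responses


def verify(statement, proof, msg=b""):
    """Recompute c and check t_j == prod base^{s_i} * target_j^c for every equation."""
    commitments, responses = proof
    if len(commitments) != len(statement):
        return False
    c = _challenge(statement, commitments, msg)
    return all(t == _evaluate(terms, responses) * pow(target, c, PRIME) % PRIME
               for t, (target, terms) in zip(commitments, statement))


def run_demo(seed=2016):
    rng = random.Random(seed)
    alpha = rng.randrange(1, ORDER)
    beta = rng.randrange(1, ORDER)
    while beta == alpha:
        beta = rng.randrange(1, ORDER)
    y, z = pow(G, alpha, PRIME), pow(G, beta, PRIME)
    u = pow(G, beta, PRIME) * pow(H, alpha, PRIME) % PRIME
    # slide 37, interactively
    r, t = prover_commit(rng)
    c = verifier_challenge(rng)
    s = prover_respond(alpha, r, c)
    # slide 38: PK{(alpha, beta): y = g^alpha AND z = g^beta AND u = g^beta h^alpha}
    stmt = [(y, [(G, 0)]), (z, [(G, 1)]), (u, [(G, 1), (H, 0)])]
    proof = prove(stmt, [alpha, beta], rng)
    # slide 38: PK{(alpha): y = g^alpha}(m), i.e. a Schnorr signature on m
    sig_stmt = [(y, [(G, 0)])]
    sig = prove(sig_stmt, [alpha], rng, b"hello")
    tampered = (sig[0], [(sig[1][0] + 1) % ORDER])
    return {
        "interactive": verifier_check(y, t, c, s),
        "interactive_wrong_y": verifier_check(z, t, c, s),
        "and_proof": verify(stmt, proof),
        "and_swapped_witness": verify(stmt, prove(stmt, [beta, alpha], rng)),
        "signature": verify(sig_stmt, sig, b"hello"),
        "signature_tampered": verify(sig_stmt, tampered, b"hello"),
    }


if __name__ == "__main__":
    print(run_demo())
```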
RSA Signature Scheme
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p−1)(q−1), s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: $s^{e} = (H(m)^{d})^{e} = H(m)^{d \cdot e} = H(m) \pmod n$
RSA Signature Scheme
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s) : s^{e} = H(m) \pmod n\}$
But this is not a valid proof expression :-(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation28 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation29 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2016 IBM Corporation30 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
© 2016 IBM Corporation | 52 | 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure & IoT
– "ad-hoc" establishment of secure authentication and communication
– audit-ability & privacy (where is my information, crime traces)
– security services, e.g. better CAs, oblivious TTPs, anonymous routing, …
Usability
– HCI
– Infrastructure (setup, use, changes by end users)
Provably secure protocols
– Properly modeling protocols (UC, realistic attack models)
– Verifiable security proofs
– Retaining efficiency
© 2016 IBM Corporation | 53 | 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum Computers
– Lots of new crypto still needed
– Build apps algorithm-agnostic
Towards a secure information society
– Society gets shaped by quickly changing technology
– Consequences are hard to grasp yet
– We must inform and engage in a dialog
© 2016 IBM Corporation | 54 | 2015 Information Security Summer School - Bilbao
Conclusion
Let's engage in some rocket science: much of the needed technology exists … we need to use it & build apps "for the moon" … and make apps usable & secure for end users.
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven, and many, many more.
jca@zurich.ibm.com | JanCamenisch | ibm.biz/jancamenisch
© 2016 IBM Corporation | 30 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Proving Identity Claims: Minimal Disclosure
(Figure: verified ID: Alice Doe, Dec 12 1998, Hauptstr. 7, Zurich, CH, single, Exp. Aug 4 2018)
(Figure: the same verified ID with minimal disclosure: Alice Doe, Age 12+, Hauptstr. 7, Zurich, CH, single, Exp. valid)
© 2016 IBM Corporation | 31 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy-ABCs
"Aha, you are:
– older than 12
– have a subscription"
Proving identity claims, but the credential itself is not sent: only a minimal disclosure, checked with the public verification key of the issuer.
The transaction is not linkable to any other of Alice's transactions.
© 2016 IBM Corporation | 32 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself: idemixdemo.mybluemix.net →
Build your app: github.com/IBM-Bluemix/idemix-issuer-verifier →
Source code: github.com/p2abcengine/p2abcengine →
Info: ibm.biz/identity_mixer →
© 2016 IBM Corporation | 33 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Identity Mixer (and related protocols) in standards: TPM V1.2 (2004) and V2.0 (2015) call it Direct Anonymous Attestation; FIDO Alliance authentication is standardizing this as well (with and without chip).
TPMs allow one to store the secret key in a secure place.
© 2016 IBM Corporation | 34 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples: secure and private access to databases
DNA databases, news/journals/magazines, patent databases
Cryptographic access protocol s.t. the database provider has no information about which user accesses which data.
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.).
© 2016 IBM Corporation | 35 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
© 2016 IBM Corporation | 36 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
– Zero-knowledge proof of knowledge
– Signature scheme compatible with ZKP
– Commitment scheme compatible with ZKP & signature scheme
© 2016 IBM Corporation | 37 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Given a group ⟨g⟩ and an element y ∈ ⟨g⟩, the Prover wants to convince the Verifier that she knows x = log_g y, such that the Verifier only learns y and g.
Prover: random r, t = g^r → sends t
Verifier: random c → sends c
Prover: s = r − c·x → sends s
Verifier checks: t = g^s · y^c
Notation: PK{(α): y = g^α}
© 2016 IBM Corporation | 38 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations:
  PK{(α, β): y = g^α ∧ z = g^β ∧ u = g^β h^α}
  PK{(α, β): y = g^α ∨ z = g^β}
Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
  PK{(α): y = g^α}(m)
Many exponents:
  PK{(α, β, γ, δ): y = g^α h^β z^γ k^δ u^β}
Intervals and groups of different order (under SRSA):
  PK{(α): y = g^α ∧ α ∈ [A, B]}
  PK{(α): y = g^α ∧ z = g′^α ∧ α ∈ [0, min(ord(g), ord(g′))]}
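The protocol of the previous two slides, written out as an added example (not code from the talk): the interactive three-move proof PK{(α): y = g^α}, its knowledge extractor (two transcripts with the same t and different challenges yield x), and the Fiat-Shamir version that turns it into a Schnorr signature PK{(α): y = g^α}(m). The group (p = 1019, q = 509, g = 4) is a constructed toy group with no security; every name is the example's own.

```python
import hashlib
import secrets

# Constructed toy group, NOT secure: p = 2q + 1 with q prime, and g = 4 generates
# the subgroup of order q in Z_p^*. A real deployment uses a 2048-bit p or a curve.
P, Q, G = 1019, 509, 4

def commit():
    """Prover, round 1: pick random r, send t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def challenge():
    """Verifier, round 2: random non-zero challenge c."""
    return 1 + secrets.randbelow(Q - 1)

def respond(x, r, c):
    """Prover, round 3: s = r - c*x (mod q); r is fresh, so s leaks nothing about x."""
    return (r - c * x) % Q

def check(y, t, c, s):
    """Verifier: accept iff t == g^s * y^c (mod p)."""
    return t == pow(G, s, P) * pow(y, c, P) % P

def interactive_pk(x, y):
    """One run of PK{(alpha): y = g^alpha} between an honest prover and verifier."""
    r, t = commit()
    c = challenge()
    return check(y, t, c, respond(x, r, c))

def extract(c1, s1, c2, s2):
    """Special soundness: two accepting transcripts with the same t and c1 != c2
    give the witness x = (s1 - s2) / (c2 - c1) (mod q). This is why the protocol
    proves *knowledge* of x, not merely that some x exists."""
    return (s1 - s2) * pow((c2 - c1) % Q, -1, Q) % Q

def _fs_challenge(y, t, msg):
    """Fiat-Shamir: the challenge is a hash of the statement, the commitment and the message."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q

def sign(x, y, msg):
    """Schnorr signature = non-interactive PK{(alpha): y = g^alpha}(msg)."""
    r, t = commit()
    c = _fs_challenge(y, t, msg)
    return c, respond(x, r, c)

def verify(y, msg, sig):
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P      # recompute the commitment from (c, s)
    return c == _fs_challenge(y, t, msg)
```

The interactive and the non-interactive variant share `commit`, `respond` and the verifier equation; the only difference is who picks c. Binding the challenge to the message in `_fs_challenge` is what makes the non-interactive proof a signature on m.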
© 2016 IBM Corporation | 39 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest, Shamir and Adleman, 1978
Secret key: two random primes p and q
Public key: n = pq, a prime e, and a collision-free hash function H: {0,1}* → {0,1}^ℓ
Computing a signature on a message m ∈ {0,1}*: d = 1/e mod (p−1)(q−1), s = H(m)^d mod n
Verification of signature s on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Correctness: s^e = (H(m)^d)^e = H(m)^{d·e} = H(m) (mod n)
© 2016 IBM Corporation | 40 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification of a signature on a message m ∈ {0,1}*: s^e = H(m) (mod n)
Wanna do a proof of knowledge of a signature on a message, e.g. PK{(m, s): s^e = H(m) (mod n)}?
But this is not a valid proof expression :-(
© 2016 IBM Corporation | 41 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
CL-Signature Scheme
Public key of signer: RSA modulus n and a_i, b, d ∈ QR_n
Secret key: factors of n
To sign k messages m1, …, mk ∈ {0,1}^ℓ: choose a random prime 2^{ℓ+2} > e > 2^{ℓ+1} and an integer s ≈ n, and compute c:
  c = (d / (a1^m1 ··· ak^mk b^s))^{1/e} mod n
The signature is (c, e, s).
© 2016 IBM Corporation | 42 | Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
CL-Signature Scheme
To verify a signature (c, e, s) on messages m1, …, mk: check m1, …, mk ∈ {0,1}^ℓ, e > 2^{ℓ+1}, and
  d = c^e a1^m1 ··· ak^mk b^s mod n
Theorem: the signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.
Proving Knowledge of a CL-signature
Observe:
– d = c^e a^m b^s mod n
– Let c′ = c · b^t mod n with randomly chosen t; then d = c′^e a1^m1 a2^m2 b^{s−et} (mod n), i.e. (c′, e, s′ = s − et) is also a signature on m1 and m2.
To prove knowledge of a signature (c′, e, s′) on m2 and some m1: provide c′ and
  PK{(ε, μ1, σ): d / a2^m2 = c′^ε a1^μ1 b^σ ∧ μ1 ∈ {0,1}^ℓ ∧ ε > 2^{ℓ+1}}
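The three CL-signature slides carried through in code, as an added example that is not the talk's or the Identity Mixer project's own code: signing two messages, verifying, randomizing the signature with c′ = c·b^t, s′ = s − e·t, and then proving knowledge of (ε, μ1, σ) for the randomized signature while disclosing only m2. Assumptions: a constructed toy modulus n = 10007·10009 with ℓ = 8 (no security, chosen so every step is visible); public bases a1, a2, b, d taken as squares of small constants; a Fiat-Shamir challenge instead of an interactive verifier; and the two interval conditions (μ1 ∈ {0,1}^ℓ, ε > 2^{ℓ+1}) of the slide's PK expression are not proved here, since they need separate range proofs.

```python
import hashlib
import math
import secrets

# Constructed toy parameters, NOT secure: real CL signatures use a ~2048-bit
# strong-RSA modulus. n = 10007 * 10009 keeps every value small and inspectable.
_P, _Q = 10007, 10009                      # signer's secret key: the factors of n
N = _P * _Q
_PHI = (_P - 1) * (_Q - 1)
L = 8                                      # message length: m_i in {0,1}^L
CH_BITS = 64                               # Fiat-Shamir challenge length

def _qr(seed):                             # public bases must be quadratic residues mod n
    return pow(seed, 2, N)

A1, A2, B, D = _qr(3), _qr(5), _qr(7), _qr(11)   # public key (a1, a2, b, d) in QR_n

def _is_prime(n):
    return n > 1 and all(n % i for i in range(2, math.isqrt(n) + 1))

def sign(m1, m2):
    """Signature (c, e, s) with c = (d / (a1^m1 a2^m2 b^s))^(1/e) mod n."""
    assert 0 <= m1 < 2 ** L and 0 <= m2 < 2 ** L
    while True:                            # random prime e with 2^(L+1) < e < 2^(L+2)
        e = 2 ** (L + 1) + 1 + secrets.randbelow(2 ** (L + 1) - 1)
        if _is_prime(e) and math.gcd(e, _PHI) == 1:
            break
    s = secrets.randbits(N.bit_length())   # s of about the size of n
    base = pow(A1, m1, N) * pow(A2, m2, N) * pow(B, s, N) % N
    target = D * pow(base, -1, N) % N
    c = pow(target, pow(e, -1, _PHI), N)   # the e-th root needs the factorisation of n
    return c, e, s

def verify(c, e, s, m1, m2):
    """Check e's interval and d == c^e a1^m1 a2^m2 b^s (mod n)."""
    if not 2 ** (L + 1) < e < 2 ** (L + 2):
        return False
    return D == pow(c, e, N) * pow(A1, m1, N) * pow(A2, m2, N) * pow(B, s, N) % N

def randomize(c, e, s):
    """c' = c b^t, s' = s - e t: a fresh-looking signature on the same messages,
    so showing c' does not link two presentations of the same credential."""
    t = secrets.randbits(N.bit_length())
    return c * pow(B, t, N) % N, s - e * t

def _challenge(c_rand, m2, t):
    h = hashlib.sha256(f"{N}|{c_rand}|{m2}|{t}".encode()).digest()
    return int.from_bytes(h, "big") >> (256 - CH_BITS)

def prove(c_rand, e, m1, s_rand, m2):
    """PK{(eps, mu1, sigma): d * a2^-m2 = c'^eps a1^mu1 b^sigma}, m2 disclosed, m1 hidden.
    The group order is unknown, so responses are plain integers and the randomisers
    are wider than challenge * secret by a statistical margin."""
    slack = CH_BITS + 80
    r_e = secrets.randbits(e.bit_length() + slack)
    r_m = secrets.randbits(L + slack)
    r_s = secrets.randbits(abs(s_rand).bit_length() + slack)
    t = pow(c_rand, r_e, N) * pow(A1, r_m, N) * pow(B, r_s, N) % N
    ch = _challenge(c_rand, m2, t)
    return t, r_e - ch * e, r_m - ch * m1, r_s - ch * s_rand

def verify_proof(c_rand, m2, proof):
    t, z_e, z_m, z_s = proof
    ch = _challenge(c_rand, m2, t)
    statement = D * pow(A2, -m2, N) % N               # equals c'^e a1^m1 b^s'
    lhs = (pow(c_rand, z_e, N) * pow(A1, z_m, N) * pow(B, z_s, N)
           * pow(statement, ch, N)) % N
    return lhs == t

if __name__ == "__main__":
    c, e, s = sign(42, 7)
    c_r, s_r = randomize(c, e, s)
    print(verify(c_r, e, s_r, 42, 7))                 # True
    print(verify_proof(c_r, 7, prove(c_r, e, 42, s_r, 7)))   # True
```

The verifier never sees e, m1 or s′, only c′ and the disclosed m2; the equation it checks is the slide's d · a2^{−m2} = c′^ε a1^{μ1} b^σ with the responses standing in for the secrets. Negative exponents in `pow(..., N)` rely on Python 3.8+.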
© 2016 IBM Corporation | 44 | October 15 2015 - Press Day
Password-based Security
© 2016 IBM Corporation | 45 | October 15 2015 - Press Day
Passwords are insecure, aren't they?
Passwords inherently insecure? No. We're just using them incorrectly.
Username-password is the most prominent form of user authentication.
© 2016 IBM Corporation | 46 | 2015 Information Security Summer School - Bilbao
The problem with passwords
(Figure: password → salted PW hash; with the hash file, candidate passwords are tested offline: correct, correct, correct, …)
Passwords are symmetric secrets: they need protection on the server & the user side → password (hashes) are useless against offline attacks
– Human-memorizable passwords are inherently weak
– NIST: 16-character passwords have 30 bits of entropy ≈ 1 billion possibilities
– A rig of 25 GPUs tests 350 billion possibilities per second, so ≈ 3 ms for 16 chars
– 60% of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help only
– increases verification time as well
– does not work for short passwords such as PINs etc.
Single-server solutions are inherently vulnerable to offline attacks
– Server administrator / hacker can always guess & test
© 2016 IBM Corporation | 47 | October 15 2015 - Press Day
The solution: distributed password verification
Setup: open an account with password p
(Figure: p is split into the shares p1 and p2, one per server.)
© 2016 IBM Corporation | 48 | October 15 2015 - Press Day
The solution: distributed password verification
Login to the account with password p
No server alone can test the password: passwords are safe as long as not all servers are hacked
– off-line attacks no longer possible
– on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation31 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation32 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Try Identity Mixer for yourself
Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation33 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
© 2016 IBM Corporation, slide 46, 2015 Information Security Summer School - Bilbao
The problem with passwords
[Figure: the server stores a salted password hash; whoever holds the hash file can test candidate passwords against it offline: correct, correct, correct, ...]
Passwords are symmetric secrets and need protection on the server and on the user side → password hashes do not protect against offline attacks
– Human-memorizable passwords are inherently weak
– NIST: 16-character passwords have 30 bits of entropy ≈ 1 billion possibilities
– A rig of 25 GPUs tests 350 billion possibilities per second, so ≈ 3 ms for 16 characters
– 60% of LinkedIn passwords were cracked within 24h
More expensive hash functions provide very little help only:
– they increase verification time as well
– they do not work for short passwords such as PINs etc.
Single-server solutions are inherently vulnerable to offline attacks:
– the server administrator or a hacker can always guess & test
The solution: distributed password verification
Setup: open an account with password p
[Figure: the user's password p is split into shares p1 and p2, held by two different servers, so p itself is never stored in one place]
The solution: distributed password verification
Login to the account with password p'
No server alone can test the password; passwords are safe as long as not all servers are hacked:
– off-line attacks are no longer possible
– on-line attacks can be throttled
Pro-active re-sharing is possible
First server can be:
– the web server → replaces the hash-data files
– the user's computer → secure against loss or theft of the user's device
[Figure: the login attempt p' is checked jointly against the shares p1 and p2]
How it works in a nutshell [CLN12, CEN15]
At setup: E = Enc_X(p)
At login with attempt p': E' = (Enc_X(1/p') ⊙ E)^r = Enc_X((p/p')^r)
Each server applies its key share x_1 resp. x_2 to E' (partial decryption); combining the two partial decryptions yields Dec_X(E'), and
p = p' ↔ Dec_X(E') = 1
The servers share the secret decryption key (x_1 and x_2) for the public key X of a homomorphic encryption scheme. At setup, the user encrypts p under X: E = Enc_X(p). Password verification then checks whether E' is an encryption of 1.
The servers do not learn anything:
– the result is 1 if the passwords match and a random number otherwise
The user could even be talking to the wrong servers
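The "check for an encryption of 1" idea above, as an added Python example that is not part of the slides or of the CLN12/CEN15 protocols: it assumes ElGamal with an additively shared secret key in a constructed toy group (safe prime 10007, generator 4), a hash-to-group password encoding, and that each server contributes its own factor of the randomising exponent r; all function names are hypothetical.

```python
"""Two-server password verification with additively shared ElGamal.
Added example of the 'encryption of 1' check; toy parameters, not for real use."""
import hashlib
import random
import secrets

# constructed toy group: safe prime P_MOD = 2*Q_ORD + 1, G generates the order-Q_ORD subgroup
P_MOD, Q_ORD, G = 10007, 5003, 4


def _rng(rng):
    return rng if rng is not None else secrets.SystemRandom()


def encode_pw(pw):
    """Assumed hash-to-group encoding of a password: p = G^(SHA-256(pw) mod Q_ORD)."""
    h = int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % Q_ORD
    return pow(G, h, P_MOD)


def eg_keygen(rng=None):
    """x = x1 + x2 (mod Q_ORD) is never assembled; server i only ever holds x_i."""
    rng = _rng(rng)
    x1, x2 = rng.randrange(1, Q_ORD), rng.randrange(1, Q_ORD)
    X = pow(G, (x1 + x2) % Q_ORD, P_MOD)
    return X, x1, x2


def eg_enc(X, m, rng=None):
    """Enc_X(m) = (G^r, m * X^r) for a fresh random r."""
    r = _rng(rng).randrange(1, Q_ORD)
    return (pow(G, r, P_MOD), m * pow(X, r, P_MOD) % P_MOD)


def ct_mul(a, b):
    """Homomorphic product: Enc_X(m1) ⊙ Enc_X(m2) = Enc_X(m1 * m2)."""
    return (a[0] * b[0] % P_MOD, a[1] * b[1] % P_MOD)


def ct_pow(c, r):
    """Homomorphic exponentiation: Enc_X(m)^r = Enc_X(m^r)."""
    return (pow(c[0], r, P_MOD), pow(c[1], r, P_MOD))


def register(X, password, rng=None):
    """Setup: the servers store E = Enc_X(p); neither server ever sees p."""
    return eg_enc(X, encode_pw(password), rng)


def login_check(X, E, attempt, x1, x2, rng=None):
    """Returns Dec_X(E') for E' = (Enc_X(1/p') ⊙ E)^r: 1 iff p == p', random otherwise."""
    rng = _rng(rng)
    # user side: encrypt the inverse of the login attempt under X
    E_att = eg_enc(X, pow(encode_pw(attempt), -1, P_MOD), rng)
    # server side: combine with the stored E, then each server raises to its own
    # random exponent, so the effective r = r1 * r2 is chosen by neither party alone
    E_prime = ct_mul(E_att, E)
    E_prime = ct_pow(E_prime, rng.randrange(1, Q_ORD))   # server 1 contributes r1
    E_prime = ct_pow(E_prime, rng.randrange(1, Q_ORD))   # server 2 contributes r2
    # threshold decryption: d_i = C1^{x_i}, and d1 * d2 = C1^{x1 + x2} = X^r
    c1, c2 = E_prime
    d1, d2 = pow(c1, x1, P_MOD), pow(c1, x2, P_MOD)
    return c2 * pow(d1 * d2 % P_MOD, -1, P_MOD) % P_MOD


def dpv_demo(seed=5):
    """Deterministic walk-through with seeded toy randomness (constructed passwords)."""
    rng = random.Random(seed)
    X, x1, x2 = eg_keygen(rng)
    E = register(X, "correct horse battery", rng)
    good = login_check(X, E, "correct horse battery", x1, x2, rng)
    bad = login_check(X, E, "correct horse batter", x1, x2, rng)
    # a wrong attempt decrypts to (p/p')^r, a random group element that is not 1
    return {"correct_password": good == 1, "wrong_password_accepted": bad == 1}


if __name__ == "__main__":
    print(dpv_demo())
```

A single server holding E, E' and its own x_i cannot finish the decryption, which is why an offline guess-and-test on the stored data is not possible for it.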
From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smartphone, laptop, ... If the password check succeeded, get the key shares (k1, k2) from the servers, combine them into the key k, and decrypt all your files on the phone (or stored in the cloud, etc.).
[Figure: password shares p1, p2 and key shares k1, k2 live on the two servers; a successful check of p releases k1 and k2, which reconstruct k]
Further Research Needed
Securing the infrastructure & IoT:
– "ad-hoc" establishment of secure authentication and communication
– auditability & privacy (where is my information? crime traces)
– security services, e.g. better CAs, oblivious TTPs, anonymous routing, ...
Usability:
– HCI
– infrastructure (setup, use, changes by end users)
Provably secure protocols:
– properly modeling protocols (UC, realistic attack models, ...)
– verifiable security proofs
– retaining efficiency
Further Research Needed (continued)
Quantum computers:
– lots of new crypto still needed
– build apps algorithm-agnostic
Towards a secure information society:
– society gets shaped by quickly changing technology
– the consequences are hard to grasp yet
– we must inform and engage in a dialog
Conclusion
Let's engage in some rocket science! Much of the needed technology exists ... we need to use it & build apps "for the moon" ... and make apps usable & secure for end users.
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven, and many, many more.
jca@zurich.ibm.com, JanCamenisch, ibm.biz/jancamenisch
copy 2016 IBM Corporation34 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation35 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A glimpse at the underlying cryptography
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation36 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation37 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2016 IBM Corporation38 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
Zero Knowledge Proofs of Knowledge of Discrete Logarithms

Logical combinations:
$PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}$
$PK\{(\alpha, \beta): y = g^\alpha \vee z = g^\beta\}$

Non-interactive (Fiat-Shamir heuristic, Schnorr signatures):
$PK\{(\alpha): y = g^\alpha\}(m)$

Many exponents:
$PK\{(\alpha, \beta, \gamma, \delta): y = g^\alpha h^\beta z^\gamma k^\delta u^\beta\}$

Intervals and groups of different order (under SRSA):
$PK\{(\alpha): y = g^\alpha \wedge \alpha \in [A, B]\}$
$PK\{(\alpha): y = g^\alpha \wedge z = \hat{g}^\alpha \wedge \alpha \in [0, \min\{\mathrm{ord}(g), \mathrm{ord}(\hat{g})\}]\}$ (here $g$ and $\hat{g}$ generate groups of different order)
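The AND-composition and the Fiat-Shamir rule from the slide above, carried out in code as an added example (it is not code from the slides or from IBM Research): a non-interactive proof $PK\{(\alpha, \beta): y = g^\alpha \wedge z = g^\beta \wedge u = g^\beta h^\alpha\}(m)$ over a toy prime-order group generated at runtime. The group size, the SHA-256 challenge derivation and the names Group, prove and verify are assumptions of this demo, not the deck's; a real deployment uses a 2048-bit group or an elliptic curve. The point to see is that one randomness value per secret is reused in every equation containing that secret, which is what turns three separate Schnorr proofs into one proof of a conjunction, and that the challenge also binds the message m.

```python
import hashlib
import secrets
from math import isqrt


def _is_prime(n: int) -> bool:
    """Trial division: enough for the toy ~30-bit parameters of this demo."""
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))


def safe_prime(bits: int):
    """Return (p, q) with p = 2q + 1 both prime; the squares mod p form a group of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return 2 * q + 1, q


class Group:
    """Prime-order subgroup of Z_p^* with generators g, h (assumed: nobody knows log_g(h))."""

    def __init__(self, bits: int = 28):
        self.p, self.q = safe_prime(bits)
        self.g = self._random_element()
        self.h = self._random_element()

    def _random_element(self) -> int:
        while True:
            x = pow(secrets.randbelow(self.p - 2) + 2, 2, self.p)  # a square, so of order q
            if x != 1:
                return x

    def exp(self, base: int, e: int) -> int:
        return pow(base, e % self.q, self.p)  # negative exponents wrap modulo the group order

    def mul(self, *xs: int) -> int:
        r = 1
        for x in xs:
            r = r * x % self.p
        return r


def challenge(G: Group, public, commitments, msg: bytes) -> int:
    """Fiat-Shamir: hash group parameters, statement, commitments and the message into Z_q."""
    h = hashlib.sha256()
    for v in (G.p, G.q, G.g, G.h, *public, *commitments):
        h.update(str(v).encode() + b"|")
    h.update(msg)
    return int.from_bytes(h.digest(), "big") % G.q


def prove(G: Group, alpha: int, beta: int, msg: bytes):
    """PK{(alpha, beta): y = g^alpha AND z = g^beta AND u = g^beta h^alpha}(msg).
    r_alpha is used wherever alpha appears and r_beta wherever beta appears;
    that shared randomness is what ties the three equations into one statement."""
    y = G.exp(G.g, alpha)
    z = G.exp(G.g, beta)
    u = G.mul(G.exp(G.g, beta), G.exp(G.h, alpha))
    ra, rb = secrets.randbelow(G.q), secrets.randbelow(G.q)
    t = (G.exp(G.g, ra), G.exp(G.g, rb), G.mul(G.exp(G.g, rb), G.exp(G.h, ra)))
    c = challenge(G, (y, z, u), t, msg)
    sa, sb = (ra + c * alpha) % G.q, (rb + c * beta) % G.q
    return (y, z, u), (c, sa, sb)


def verify(G: Group, public, proof, msg: bytes) -> bool:
    """Recompute the commitments from the responses and check that the challenge matches."""
    y, z, u = public
    c, sa, sb = proof
    t1 = G.mul(G.exp(G.g, sa), G.exp(y, -c))
    t2 = G.mul(G.exp(G.g, sb), G.exp(z, -c))
    t3 = G.mul(G.exp(G.g, sb), G.exp(G.h, sa), G.exp(u, -c))
    return c == challenge(G, public, (t1, t2, t3), msg)


if __name__ == "__main__":
    G = Group()
    alpha, beta = secrets.randbelow(G.q), secrets.randbelow(G.q)
    public, proof = prove(G, alpha, beta, b"message bound to the proof")
    print("valid proof:", verify(G, public, proof, b"message bound to the proof"))
    print("other message:", verify(G, public, proof, b"different message"))
```

Because the message enters the hash, the same proof does not verify for a different message, which is exactly what makes $PK\{(\alpha): y = g^\alpha\}(m)$ a signature on m; and because the verifier recomputes all three commitments with the same response values, a tampered u (or a swapped response) breaks the equality.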
RSA Signature Scheme

Rivest, Shamir and Adleman, 1978

Secret key: two random primes $p$ and $q$
Public key: $n = pq$, a prime $e$, and a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^\ell$

Computing a signature on a message $m \in \{0,1\}^*$: $d = 1/e \bmod (p-1)(q-1)$, $s = H(m)^d \bmod n$

Verification of signature $s$ on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$

Correctness: $s^e = (H(m)^d)^e = H(m)^{d \cdot e} = H(m) \pmod n$

RSA Signature Scheme

Verification of a signature on a message $m \in \{0,1\}^*$: $s^e = H(m) \pmod n$
Wanna do a proof of knowledge of a signature on a message, e.g. $PK\{(m, s): s^e = H(m) \pmod n\}$
But this is not a valid proof expression :-(

CL-Signature Scheme

Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: factors of $n$
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$: choose a random prime $2^{\ell+2} > e > 2^{\ell+1}$ and an integer $s \approx n$, compute $c$:
$c = \left(d / (a_1^{m_1} \cdots a_k^{m_k} b^s)\right)^{1/e} \bmod n$
Signature is $(c, e, s)$

CL-Signature Scheme

To verify a signature $(c, e, s)$ on messages $m_1, \ldots, m_k$: check $m_1, \ldots, m_k \in \{0,1\}^\ell$, $e > 2^{\ell+1}$, and
$d = c^e a_1^{m_1} \cdots a_k^{m_k} b^s \bmod n$

Theorem: The signature scheme is secure against adaptively chosen message attacks under the Strong RSA assumption.

Proving Knowledge of a CL-signature

Observe:
– $d = c^e a_1^{m_1} a_2^{m_2} b^s \bmod n$
– Let $c' = c\, b^t \bmod n$ with randomly chosen $t$; then $d = c'^e a_1^{m_1} a_2^{m_2} b^{s - et} \pmod n$, i.e. $(c', e, s' = s - et)$ is also a signature on $m_1$ and $m_2$.
To prove knowledge of a signature $(c', e, s')$ on $m_2$ and some $m_1$: provide $c'$ and
$PK\{(\varepsilon, \mu_1, \sigma): d / a_2^{m_2} = c'^\varepsilon a_1^{\mu_1} b^\sigma \wedge \mu_1 \in \{0,1\}^\ell \wedge \varepsilon > 2^{\ell+1}\}$
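The RSA hash-then-sign scheme and the CL scheme of the five slides above, as an added example (not the slides' or IBM's code): key generation, signing and verification for both, the re-randomisation $c' = c\,b^t$, $s' = s - et$ that the last slide applies before proving knowledge of a signature, and the value $d / a_2^{m_2}$ over which that proof is stated. The toy parameter sizes (20- to 24-bit primes, $\ell = 8$, trial-division primality) and the helper names rsa_keygen, cl_sign, cl_randomize and proof_statement are assumptions of this example; a real deployment uses a modulus of 2048 bits or more and the Strong RSA parameter choices of the CL papers, under which $e$ is automatically coprime to $\varphi(n)$ (here that is checked explicitly because $n$ is tiny).

```python
import hashlib
import secrets
from math import gcd, isqrt


def _is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))


def random_prime(lo: int, hi: int) -> int:
    """Random prime in [lo, hi); trial division is adequate at the toy sizes used here."""
    while True:
        c = lo + secrets.randbelow(hi - lo)
        if _is_prime(c):
            return c


def H(msg: bytes, ell: int) -> int:
    """Collision-resistant hash into {0,1}^ell: the top ell bits of SHA-256 (ell <= 256)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - ell)


# ---- RSA hash-then-sign --------------------------------------------------------
def rsa_keygen(bits: int = 24, e: int = 65537):
    while True:
        p = random_prime(1 << (bits - 1), 1 << bits)
        q = random_prime(1 << (bits - 1), 1 << bits)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            n = p * q
            ell = n.bit_length() - 1                  # so that H(m) < n
            return {"n": n, "e": e, "ell": ell}, {"n": n, "d": pow(e, -1, phi), "ell": ell}


def rsa_sign(sk, msg: bytes) -> int:
    return pow(H(msg, sk["ell"]), sk["d"], sk["n"])   # s = H(m)^d mod n


def rsa_verify(pk, msg: bytes, s: int) -> bool:
    return pow(s, pk["e"], pk["n"]) == H(msg, pk["ell"])  # s^e == H(m) (mod n)


# ---- CL signatures -------------------------------------------------------------
def cl_keygen(k: int = 2, ell: int = 8, bits: int = 20):
    """Public key: n and random squares a_1..a_k, b, d in QR_n; secret key: the factorisation."""
    p = random_prime(1 << (bits - 1), 1 << bits)
    q = random_prime(1 << (bits - 1), 1 << bits)
    while q == p:
        q = random_prime(1 << (bits - 1), 1 << bits)
    n = p * q

    def square() -> int:
        return pow(secrets.randbelow(n - 2) + 2, 2, n)

    pk = {"n": n, "ell": ell, "a": [square() for _ in range(k)], "b": square(), "d": square()}
    return pk, {"phi": (p - 1) * (q - 1)}


def _in_range(pk, msgs) -> bool:
    return len(msgs) == len(pk["a"]) and all(0 <= m < (1 << pk["ell"]) for m in msgs)


def cl_sign(sk, pk, msgs):
    n, ell = pk["n"], pk["ell"]
    assert _in_range(pk, msgs)
    while True:                                        # random prime e with 2^(l+1) < e < 2^(l+2)
        e = random_prime((1 << (ell + 1)) + 1, 1 << (ell + 2))
        if gcd(e, sk["phi"]) == 1:                     # automatic for real CL parameters; checked for the toy n
            break
    s = secrets.randbits(n.bit_length())               # integer s of about the size of n
    prod = pow(pk["b"], s, n)
    for a, m in zip(pk["a"], msgs):
        prod = prod * pow(a, m, n) % n
    c = pow(pk["d"] * pow(prod, -1, n) % n, pow(e, -1, sk["phi"]), n)  # (d / (a^m b^s))^(1/e)
    return c, e, s


def cl_verify(pk, msgs, sig) -> bool:
    c, e, s = sig
    n, ell = pk["n"], pk["ell"]
    if not _in_range(pk, msgs) or not (1 << (ell + 1)) < e < (1 << (ell + 2)):
        return False
    lhs = pow(c, e, n) * pow(pk["b"], s, n) % n        # negative s is fine: b is invertible mod n
    for a, m in zip(pk["a"], msgs):
        lhs = lhs * pow(a, m, n) % n
    return lhs == pk["d"]


def cl_randomize(pk, sig):
    """(c' = c * b^t, e, s' = s - e*t) is again a valid signature; c' can be shown without linking to c."""
    c, e, s = sig
    t = secrets.randbits(pk["n"].bit_length())
    return c * pow(pk["b"], t, pk["n"]) % pk["n"], e, s - e * t


def proof_statement(pk, m2: int, c_prime: int) -> int:
    """Left-hand side d / a_2^{m2} of PK{(eps, mu1, sigma): d / a_2^{m2} = c'^eps a_1^{mu1} b^sigma}:
    the prover shows it equals c'^e a_1^{m1} b^{s'} without revealing m1, e or s'."""
    n = pk["n"]
    return pk["d"] * pow(pow(pk["a"][1], m2, n), -1, n) % n
```

Two things worth noticing when running it: the verifier's range checks on the $m_i$ and on $e$ are part of the verification equation, not an optional sanity check, since the proof of knowledge later relies on exactly those bounds; and after cl_randomize the exponent $s'$ is typically negative, which the verification handles because $b$ is invertible modulo $n$.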
Password-based Security

Passwords are insecure, aren't they?

Passwords inherently insecure? No! We're just using them incorrectly.
Username-password: the most prominent form of user authentication.

The problem with passwords

[figure: password → salted PW hash, with repeated "correct?" tests of guesses against the stored hash]

Passwords are symmetric secrets, need protection on server & user → password (hashes) useless against offline attacks
– Human-memorizable passwords are inherently weak
– NIST: 16-character passwords have 30 bits of entropy ≈ 1 billion possibilities
– Rig of 25 GPUs tests 350 billion possibilities/second, so ≈ 3 ms for 16 chars
– 60% of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help only
– increases verification time as well
– does not work for short passwords such as PINs etc.
Single-server solutions inherently vulnerable to offline attacks
– Server administrator / hacker can always guess & test

The solution: distributed password verification

Setup: open account w/ password p
[figure: the user's password p is split into shares p1 and p2, one stored at each server]

The solution: distributed password verification

Login to account with password p
→ no server alone can test the password; passwords safe as long as not all servers are hacked
– off-line attacks no longer possible
– on-line attacks can be throttled
→ pro-active re-sharing possible
First server:
– web server → replaces hash-data files
– user's computer → secure against loss or theft of user device
[figure: login with password p'; the servers holding p1 and p2 jointly check whether p' = p]

How it works in a nutshell [CLN12, CEN15]

Servers share the secret key (shares $x_1$ and $x_2$) for public key $X$ of a homomorphic encryption scheme. At setup the user encrypts $p$ under $X$: $E = Enc_X(p)$.
Password verification: check for an encryption of 1:
$E' = (Enc_X(1/p') \odot E)^r = Enc_X((p/p')^r)$
[figure: server 1 holds $x_1$, server 2 holds $x_2$; each applies its share to $E'$ for the joint decryption]
$Dec_X(E') = 1 \leftrightarrow p = p'$
Servers do not learn anything
– 1 if passwords match, random number otherwise
User could even be talking to the wrong servers

From password to cryptographic keys [CLN12, CLLN14, CEN15]

One of the servers could be your smart phone, laptop, …
Get key share from each server if password check succeeded
Decrypt all your files on phone (or stored in the cloud etc.)
[figure: the servers hold (p1, k1) and (p2, k2); after a successful check the user obtains k1 and k2 and recombines the key k]
Further Research Needed

Securing the infrastructure & IoT
– "ad-hoc" establishment of secure authentication and communication
– audit-ability & privacy (where is my information? crime traces?)
– security services, e.g. better CA, oblivious TTPs, anon routing, …
Usability
– HCI
– Infrastructure (setup, use, changes by end users)
Provably secure protocols
– Properly modeling protocols (UC, realistic attack models, …)
– Verifiable security proofs
– Retaining efficiency

Further Research Needed

Quantum computers
– Lots of new crypto needed still
– Build apps algorithm agnostic
Towards a secure information society
– Society gets shaped by quickly changing technology
– Consequences are hard to grasp yet
– We must inform and engage in a dialog

Conclusion

Let's engage in some rocket science! Much of the needed technology exists … need to use it & build apps "for the moon" … and make apps usable & secure for end users.

Thank you! Joint work w/ Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven and many, many more
jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch
copy 2016 IBM Corporation39 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation40 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation41 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation42 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr
p
p2
pp
p1
p1 p2=
copy 2016 IBM Corporation49 2015 Information Security Summer School - Bilbao
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2016 IBM Corporation50 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2016 IBM Corporation51 October 15 2015 - Press Day
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2016 IBM Corporation52 2015 Information Security Summer School - Bilbao
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usability
ndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2016 IBM Corporation53 2015 Information Security Summer School - Bilbao
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2016 IBM Corporation54 2015 Information Security Summer School - Bilbao
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
copy 2016 IBM Corporation43 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL
Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation44 October 15 2015 - Press Day
Password-based Security
copy 2016 IBM Corporation45 October 15 2015 - Press Day
Password are insecure arent they
Passwords inherently insecureNo Wersquore just using them incorrectly
username-password the most prominent form of user authentication
copy 2016 IBM Corporation46 2015 Information Security Summer School - Bilbao
The problem with passwords
password salted PW hash
correctcorrectcorrectcorrectcorrecthellipcorrect
Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
copy 2016 IBM Corporation47 October 15 2015 - Press Day
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2016 IBM Corporation48 October 15 2015 - Press Day
The solution: distributed password verification
Login to account with password p
→ no server alone can test the password; passwords are safe as long as not all servers are hacked
– off-line attacks no longer possible
– on-line attacks can be throttled
→ pro-active re-sharing possible
First server:
– web-server: replaces hash-data files
– user's computer: secure against loss or theft of the user device
[Figure: login with password p; the servers use their shares p1 and p2 to jointly check that the entered password equals p]
How it works in a nutshell [CLN12, CEN15]
Servers share the decryption key of a homomorphic encryption scheme: server 1 holds $x_1$, server 2 holds $x_2$, for the public key $X$. At setup the user encrypts p under X and the servers store $E = \mathrm{Enc}_X(p)$.
Password verification for an entered password p': check whether
$$E'' = \big(\mathrm{Enc}_X(1/p') \odot E\big)^{r} = \mathrm{Enc}_X\big((p/p')^{r}\big)$$
is an encryption of 1, where $\odot$ denotes the homomorphic combination of ciphertexts (⟐ on the slide) and r is a fresh random exponent. Each server contributes its partial decryption of $E''$ with its share ($x_1$ and $x_2$ respectively), and
$$p = p' \;\leftrightarrow\; \mathrm{Dec}_X(E'') = 1$$
Servers do not learn anything
– 1 if passwords match, a random number otherwise
User could even be talking to the wrong servers
From password to cryptographic keys [CLN12, CLLN14, CEN15]
One of the servers could be your smart phone, laptop, … Get the key shares if the password check succeeded. Decrypt all your files on the phone (or stored in the cloud, etc.)
[Figure: each server holds a password share and a key share, (p1, k1) and (p2, k2); after the check on p succeeds, the user recombines k1 and k2 into the key k]
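The two-server check of the "How it works in a nutshell" slide, extended with the key-share release of the "From password to cryptographic keys" slides, as an added example that is not the CLN12/CLLN14/CEN15 protocol code: ElGamal over a safe-prime group with the decryption key shared additively between the two servers, passwords hashed into the group, and a single server choosing the blinding exponent r are constructed simplifications assumed here.

```python
"""Two-server password verification in the spirit of the slides: the servers
hold shares x1, x2 of the decryption key for public key X, store E = Enc_X(p)
at setup, and at login jointly decrypt E'' = (Enc_X(1/p') * E)^r, which is 1
exactly when p = p'.  On success each server releases its key share k_i.
Added example, not the CLN12/CLLN14/CEN15 protocols: plain ElGamal over a
safe-prime group with an additively shared key, passwords hashed into the
group, and one server choosing r (constructed simplifications)."""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic, error below 4^-rounds)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """Return (P, Q) with P = 2Q + 1 both prime; squares mod P form the order-Q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


class TwoServerPasswordCheck:
    """Both servers' state lives in one object purely for readability;
    in a deployment x1/k1 and x2/k2 sit on different machines."""

    def __init__(self, bits=64):
        self.P, self.Q = safe_prime(bits)
        self.g = pow(secrets.randbelow(self.P - 3) + 2, 2, self.P)  # order-Q generator
        # decryption key x = x1 + x2 mod Q; neither server ever knows x
        self.x1 = secrets.randbelow(self.Q)
        self.x2 = secrets.randbelow(self.Q)
        self.X = pow(self.g, (self.x1 + self.x2) % self.Q, self.P)
        self.E = None  # Enc_X(p), stored at setup
        self.k1 = self.k2 = None  # key shares, released only after a successful check

    def encode(self, password):
        """Map a password string to the subgroup element g^H(pw)."""
        h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % self.Q
        return pow(self.g, h, self.P)

    def encrypt(self, m):
        """ElGamal: (g^k, m * X^k); multiplicatively homomorphic."""
        k = secrets.randbelow(self.Q)
        return (pow(self.g, k, self.P), m * pow(self.X, k, self.P) % self.P)

    def setup(self, password):
        """User opens the account: servers store E = Enc_X(p) and one share of key k each."""
        self.E = self.encrypt(self.encode(password))
        self.k1, self.k2 = secrets.randbits(128), secrets.randbits(128)

    def login_message(self, attempt):
        """User side: Enc_X(1/p'). Reveals nothing about p', even to the wrong servers."""
        inv = pow(self.encode(attempt), self.P - 2, self.P)  # inverse via Fermat
        return self.encrypt(inv)

    def servers_verify(self, user_ct):
        """Server side: E'' = (Enc_X(1/p') * E)^r, then joint decryption.
        Returns 1 on a match and a uniformly random group element otherwise."""
        c1 = user_ct[0] * self.E[0] % self.P
        c2 = user_ct[1] * self.E[1] % self.P
        r = secrets.randbelow(self.Q - 1) + 1            # fresh blinding exponent
        c1, c2 = pow(c1, r, self.P), pow(c2, r, self.P)  # Enc_X((p/p')^r)
        d1 = pow(c1, self.x1, self.P)                    # server 1 partial decryption
        d2 = pow(c1, self.x2, self.P)                    # server 2 partial decryption
        return c2 * pow(d1 * d2 % self.P, self.P - 2, self.P) % self.P

    def login(self, attempt):
        """Full flow: key k = k1 XOR k2 is released only if the joint decryption yields 1."""
        if self.servers_verify(self.login_message(attempt)) != 1:
            return None
        return self.k1 ^ self.k2
```

A mismatch yields a different random group element on every attempt, which is what lets the servers learn nothing beyond match/no-match.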
Further Research Needed
Securing the infrastructure & IoT
– "ad-hoc" establishment of secure authentication and communication
– audit-ability & privacy (where is my information, crime traces)
– security services, e.g. better CAs, oblivious TTPs, anonymous routing, …
Usability
– HCI
– Infrastructure (setup, use, changes by end users)
Provably secure protocols
– Properly modeling protocols (UC, realistic attack models, …)
– Verifiable security proofs
– Retaining efficiency
Further Research Needed
Quantum Computers
– Lots of new crypto needed still
– Build apps algorithm agnostic
Towards a secure information society
– Society gets shaped by quickly changing technology
– Consequences are hard to grasp yet
– We must inform and engage in a dialog
Conclusion
Let's engage in some rocket science! Much of the needed technology exists … we need to use it & build apps "for the moon" … and make apps usable & secure for end users
Thank you! Joint work with Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven, and many many more
jca@zurich.ibm.com @JanCamenisch ibm.biz/jancamenisch