FIDIS Research Event 2006, Budapest
Sven Wohlgemuth, Albert-Ludwig University Freiburg, Germany
Privacy in Business Processes by User-centric Identity Management
FIDIS - Future of Identity in the Information Society (No. 507512)
11.09.2006
Agenda
I. Scenario: Personalized Services and Business Processes
II. Example: Data Economy in Business Processes
III. WP14: Areas of Work
I. Personalized Services and Business Processes
Objectives of an attacker:
• Tracing user
• Misusing user's attributes
Scenario (diagram): User ➔ Service 1 (holiday trip), 1:n relationship to a known service: "I want a holiday trip, here are my attributes". Service 1 ➔ Service 2 (car), 1:n:m relationship to unknown service(s): "U wants a car, here is what I know of U". Service 2 builds user profiles (U = profile).
Challenge: Trust in Service 1?
16.05.16
Survey for Germany (ECE IV): Most Important Barriers for Personalized Services
[Stacked bar chart; y-axis 0 % to 100 %; legend: high, medium, no]
Barriers shown: Costly integration in processes; Expected negative reaction since privacy violation; Doubts wrt. data protection laws; Low customer acceptance; Other legal doubts; Potential loss of reputation
Percentages as extracted, one triple per bar in chart order (each triple sums to 100 %; which value belongs to high, medium or no is not recoverable from the extraction): 20.700 / 58.400 / 20.900; 20.700 / 56.700 / 22.600; 18.100 / 47.700 / 34.200; 15.800 / 49.800 / 34.400; 15.984 / 46.753 / 37.263; 12.012 / 44.344 / 43.644
http://www.telematik.uni-freiburg.de/ece.php
Privacy Attacks: 1:n Relationships
Privacy: User is able to determine the disclosure and use of his own personal data.
Scenario (diagram): User ➔ Service 1 (holiday trip), 1:n relationship to a known service: "I want a holiday trip, here are my attributes". Service 1 asks: Driving licence? Car? U = profile.
Threat: Misuse of personal data by services. Example records held by Service 1 (note the shared IP address across records):
• Driving licence: Stella Freiburger, Classes: ABE, Friedrichstr. 50, D-79098 Freiburg, Germany, IP: 132.15.16.3
• Motorbike: Claudia Freiburger, Harley Davidson, IP: 132.15.16.3
• Car: Stella Freiburger, VW Beetle, IP: 132.15.16.3

Privacy Attacks: 1:n:m Relationships
Scenario (diagram): as above, plus Service 1 ➔ Service 2 (car), 1:n:m relationship to unknown service(s): "U wants a car, here is what I know of U". Service 2 builds user profiles and asks: Driving licence? Car? Vacation trip? Informational self-determination?
Example records held by Service 2:
• Driving licence: Stella Freiburger, Classes: ABE, Friedrichstr. 50, D-79098 Freiburg, Germany, IP: 132.15.16.3
• Holiday: Stella Freiburger, VW Beetle, ..., IP: 132.15.16.3
II. Problem: Data Economy
Identity management and multi-staged business processes
□ Single Sign-On: central or several CAs (Microsoft .NET Passport or Liberty Alliance)
□ Partial identities (Freiburg iManager)
□ Anonymous credentials (IBM idemix)
Case 1: Single Sign-On, 1:n:m Relationships
Protocol flow (diagram):
1: Request for booking (User ➔ Service 1); 1: Request for car (Service 1 ➔ Service 2)
2: Redirection
3: Authentication
4: Connect
5: Request for personal data: driving licence
6: Personal data: driving licence
7: Allow / deny access
8: Booking confirmation
• Proxy needs secret token of user for authentication ➔ Linkability + Misuse
• CA is involved in every authentication ➔ Linkability
Case 2: Anonymous Credentials, 1:n:m Relationships
CA certifies personal data and issues anonymous credentials.
Protocol flow (diagram): Stella (secret key skStella / kStella) to the CA: "I am Stella" ➔ digital driving licence. Stella under pseudonym 543ag to the service: "I am 543ag" ➔ "Car for 543ag" ➔ Car ➔ Booking confirmation.
• Non-transferability mechanism: all credentials and pseudonyms are based on one secret key kMax
• Proxy requires secret key kStella for showing credential ➔ Delegation of all credentials: misuse is possible ➔ Fraud: revealing anonymity of the user
Criteria for 1:n and 1:n:m Relationships
Criteria for 1:n relationships:
• Showing personal data depending on service
• Non-linkability of transactions
• Authentication without revealing identifying data
• Non-repudiation of user's transactions
• Revealing identity of cheating users
Additional criteria for 1:n:m relationships: Delegation of rights on personal data
• Integrity of an authorization
• Delegation of „least privilege”
• Preventing misuse of delegated authorizations
• Restricting re-delegation of delegated authorizations
• Revoking delegated authorizations
• Distinguishing user and proxy
DREISAM: Unlinkable Delegation of Rights (Mechanisms of PKI + anonymous credentials)
Idea: Authorization for purpose-based transfer of personal data as a credential (Proxy Credential)
Unobservability by:
– Anonymous credentials
– Pseudonyms
– CA signs Proxy Credential
Purpose-based:
– Logging of delegation and use by CA and end service
Limit:
– User cannot enforce restrictions of a delegated authorization
– Observability if service needs identifying data of the user
Wohlgemuth, S., Müller, G.: Privacy with Delegation of Rights by Identity Management, ETRICS 2006.
DREISAM: Evaluation
Criteria for a self-determined disclosure of personal data (mechanism in parentheses):
• Showing personal data depending on service (Partial identity)
• Non-linkability of transactions (Pseudonyms and anonymity service)
• Authentication without revealing identifying data (Zero-Knowledge Proof)
• Non-repudiation of user's transactions (Protocol run of showing a credential)
• Revealing identity of cheating users (De-anonymization party)
Criteria for delegation of rights (mechanism in parentheses, paired in slide order):
• Integrity of an authorization (Anonymous credential + CA)
• Delegation of „least privilege“ (One-show anonymous credential + Audit)
• Preventing misuse of delegated authorizations (Audit)
• Restricting re-delegation of delegated authorizations (Proxy Credential)
• Revoking delegated authorizations (Protocol of showing a credential + CA)
• Distinguishing user and proxy
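The following is an added example, not code from the slides or from the DREISAM implementation. It models the delegation criteria listed above (integrity, least privilege, misuse prevention, restricted re-delegation, revocation, distinguishing user and proxy) and the proxy-credential idea of the DREISAM slide as a small Python simulation: the CA certifies Stella's data under pseudonym 543ag, Service 1 (the proxy) receives a proxy credential that authorises disclosure of exactly one attribute to Service 2 for one purpose and one showing, and the CA logs every delegation, showing and revocation. In contrast to Case 2, the proxy never holds the user's secret key. HMAC tags over canonical JSON stand in for the CA's signatures and for anonymous credentials, and the party names (service1, service2, service3) and Stella's data are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets


def _tag(key: bytes, body: dict) -> str:
    """HMAC over canonical JSON; stands in for the CA's signature (assumption)."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CA:
    """Hypothetical CA that certifies personal data, issues proxy credentials,
    verifies showings, keeps the audit log and the revocation list."""

    def __init__(self):
        self.key = secrets.token_bytes(32)   # CA key (HMAC stand-in for a signing key)
        self.certified = {}                  # pseudonym -> certified attributes
        self.log = []                        # audit log: delegations, showings, revocations
        self.revoked = set()                 # ids of revoked proxy credentials
        self.shown = set()                   # ids of one-show credentials already used

    def certify(self, pseudonym, attributes):
        self.certified[pseudonym] = dict(attributes)

    def issue_proxy_credential(self, pseudonym, proxy, attribute, purpose, end_service):
        """The user (under a pseudonym) delegates to `proxy` the right to have ONE
        attribute disclosed to `end_service` for ONE purpose, usable once.
        The credential carries no user secret, so the proxy cannot act as the user."""
        body = {"id": secrets.token_hex(8), "pseudonym": pseudonym, "proxy": proxy,
                "attribute": attribute, "purpose": purpose, "end_service": end_service,
                "one_show": True}
        self.log.append(("delegate", body["id"], "user:" + pseudonym, "proxy:" + proxy, purpose))
        return {**body, "tag": _tag(self.key, body)}

    def _intact(self, cred):
        body = {k: v for k, v in cred.items() if k != "tag"}
        return hmac.compare_digest(_tag(self.key, body), str(cred.get("tag", "")))

    def show(self, cred, presenter, end_service, purpose):
        """Called by the end service with the credential it received from `presenter`.
        Returns (disclosed attributes, reason); only the delegated attribute is released."""
        if not self._intact(cred):
            return None, "integrity: credential altered or forged"
        if cred["id"] in self.revoked:
            return None, "credential revoked"
        if presenter != cred["proxy"]:
            return None, "presenter is not the delegated proxy (re-delegation refused)"
        if end_service != cred["end_service"] or purpose != cred["purpose"]:
            return None, "use outside the delegated purpose or end service"
        if cred["one_show"] and cred["id"] in self.shown:
            return None, "one-show credential already used"
        self.shown.add(cred["id"])
        self.log.append(("show", cred["id"], "proxy:" + presenter, end_service, purpose))
        value = self.certified[cred["pseudonym"]][cred["attribute"]]
        return {cred["attribute"]: value}, "ok"

    def revoke(self, cred_id):
        self.revoked.add(cred_id)
        self.log.append(("revoke", cred_id))


def run_scenario():
    """Stella (pseudonym 543ag) books a holiday at Service 1, which needs a car
    from Service 2 and therefore her driving licence classes.  Names and data
    are constructed for this example."""
    ca = CA()
    ca.certify("543ag", {"name": "Stella Freiburger", "driving_licence_classes": "ABE",
                         "address": "Friedrichstr. 50, D-79098 Freiburg"})
    cred = ca.issue_proxy_credential("543ag", "service1", "driving_licence_classes",
                                     "car booking", "service2")
    out = {}
    out["first_show"] = ca.show(cred, "service1", "service2", "car booking")   # least privilege
    out["second_show"] = ca.show(cred, "service1", "service2", "car booking")  # one-show
    out["redelegated"] = ca.show(cred, "service3", "service2", "car booking")  # wrong presenter
    out["other_purpose"] = ca.show(cred, "service1", "service2", "marketing")  # purpose bound
    out["tampered"] = ca.show({**cred, "attribute": "address"}, "service1", "service2", "car booking")
    cred2 = ca.issue_proxy_credential("543ag", "service1", "driving_licence_classes",
                                      "car booking", "service2")
    ca.revoke(cred2["id"])
    out["revoked"] = ca.show(cred2, "service1", "service2", "car booking")
    out["log"] = list(ca.log)
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

The first showing releases only the driving licence classes, not Stella's name or address; every later attempt (second showing, presentation by a third service, a different purpose, an altered credential, a revoked credential) is refused with a reason, and the audit log records the user pseudonym for delegations and the proxy identity for showings, which is what lets the CA tell user and proxy apart. The slide's stated limit still holds in the model: the user cannot enforce the restrictions herself and relies on the CA and end service to check them.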
Verifying Use of Personal Data: Certified Service
□ Information flow: Verified sandbox at service provider
□ Peer: Attested service access points of sandbox
□ Presumption: TPM and CA infrastructure
Architecture (diagram): User on a trusted end device (service / OS / hardware) ➔ Service Provider (travel agency, untrusted area) running several services, each on its own OS / hardware; further parties: Privacy CA and Software CA.
Hohl, A., Lowis, L., Zugenmaier, A.: Look who's talking - Authenticated Service Access Points.
III. WP 14: Areas of Work
Scenario (diagram, as in Part I): User ➔ Service 1 (holiday trip), 1:n, to known service: "I want a holiday trip, here are my attributes"; Service 1 ➔ Service 2 (car), 1:n:m, to unknown service(s): "U wants a car, here is what I know of U"; Service 2 holds user profiles (U = profile).
Identity management, and identity management extended by protocols, TC, …
Objective: Identification of privacy requirements for identity management relating to the use of disclosed personal data
D14.2: Study on privacy in business processes by identity management
D14.3: Study on the suitability of trusted computing to support privacy policies in business processes
Approach of WP14
Privacy Principles
• Non-programmed norms: Safe harbor, EU regulations, self-determination, politeness, respect
Privacy Policy
• Programmed norms: P3P, EPAL, …
Privacy Tools
• Distrust in partner; control service's system behavior or knowledge about it; user-controlled only
• Prevent misuse (Access Control)
• Identify misuse (Audit)
• Prevent profiling (Anonymity services)
• Minimize profiling (IMS)
Workshop Agenda – Monday
Session 1, 14:15-16:15
14:15-14:45 Sven Wohlgemuth (ALU-FR): Privacy in Business Processes by User-centric Identity Management
14:45-15:15 Mireille Hildebrandt (VUB): The user-centric narrative of AmI: smart marketing or citizen empowerment?
15:15-15:45 Günter Karjoth (IBM): Achieving Transparency by Applying an Enterprise Privacy Architecture
15:45-16:15 Simone Fischer-Hübner (KU): The "Data Track" for increasing transparency for end users
16:15-16:30 Coffee Break
Session 2, 16:30-18:30
16:30-17:00 Ammar Alkassar (SIRRIX): Employing Trusted Computing for User-Friendly Business-Processes
17:00-17:30 Stefan Köpsell (TUD): Overview of Trusted Computing and possible Applications for Business Processes with Delegates
17:30-18:00 Richard Cissée (TUB): Privacy-preserving Information Filtering
18:00-18:30 Sven Wohlgemuth (ALU-FR): Further steps to D14.2, D14.3 and to 4th work plan
Workshop Agenda – Tuesday
Session 3, 13:45-15:15
13:45-14:15 Martin Meints (ICPP): Compliance in Enterprises - how can Trends in IT-Security successfully be transferred to Data Protection?
14:15-14:45 Laurent Bussard (Microsoft): TBA
14:45-15:15 Pieter Ribbers (Tilburg University): Privacy and Business Processes: the approach in PRIME