Privacy in Business Processes by User-Centric Identity Management


Page 1: Privacy in Business Processes by User-Centric Identity Management

FIDIS Research Event 2006, Budapest

Sven Wohlgemuth, Albert-Ludwig University Freiburg, Germany

Privacy in Business Processes by User-centric Identity Management

Page 2: Privacy in Business Processes by User-Centric Identity Management

FIDIS - Future of Identity in the Information Society (No. 507512)

11.09.2006

Agenda

I. Scenario: Personalized Services and Business Processes

II. Example: Data Economy in Business Processes

III. WP14: Areas of Work

Page 3: Privacy in Business Processes by User-Centric Identity Management

I. Personalized Services and Business Processes

Objectives of an attacker:
• Tracing the user
• Misusing the user's attributes

Figure: service chain of a personalized business process
• User ➔ Service 1 (holiday trip): "I want a holiday trip, here are my attributes"; 1:n relationship, to a known service
• Service 1 ➔ Service 2 (car): "U wants a car, here is what I know of U"; 1:n:m relationship, to unknown service(s); U = profile; Service 2 keeps user profiles
• Challenge: Trust in Service 1?

Page 4: Privacy in Business Processes by User-Centric Identity Management

Survey for Germany (ECE IV): Most Important Barriers for Personalized Services

Figure: bar chart, share of respondents rating each barrier as high / medium / no (scale 0 % to 100 %), for the barriers:
• Costly integration in processes
• Expected negative reaction due to privacy violation
• Doubts with respect to data protection laws
• Low customer acceptance
• Other legal doubts
• Potential loss of reputation

http://www.telematik.uni-freiburg.de/ece.php

Page 5: Privacy in Business Processes by User-Centric Identity Management

Privacy Attacks: 1:n Relationships

Privacy: the user is able to determine the disclosure and use of his own personal data.

Figure: User ➔ Service 1 (holiday trip): "I want a holiday trip, here are my attributes"; 1:n relationship, to a known service; U = profile. Service 1 asks: "Car?", "Driving licence?"

Page 6: Privacy in Business Processes by User-Centric Identity Management

Privacy Attacks: 1:n Relationships

Threat: Misuse of personal data by services

Privacy: the user is able to determine the disclosure and use of his own personal data.

Figure: User ➔ Service 1 (holiday trip): "I want a holiday trip, here are my attributes"; 1:n relationship, to a known service; U = profile. Service 1 asks: "Car?", "Driving licence?". Records held by the service (example data from the slide; note the shared IP address):
• Driving licence: Stella Freiburger, Classes: ABE, Friedrichstr. 50, D-79098 Freiburg, Germany, IP: 132.15.16.3
• Motorbike: Claudia Freiburger, Harley Davidson, IP: 132.15.16.3
• Car: Stella Freiburger, VW Beetle, IP: 132.15.16.3

Page 7: Privacy in Business Processes by User-Centric Identity Management

Privacy Attacks: 1:n:m Relationships

Figure: User ➔ Service 1 (holiday trip): "I want a holiday trip, here are my attributes"; 1:n relationship, to a known service. Service 1 ➔ Service 2 (car): "U wants a car, here is what I know of U"; 1:n:m relationship, to unknown service(s); U = profile; Service 2 keeps user profiles. Service 1 asks: "Driving licence?", "Car?"; Service 2 asks: "Vacation trip?". Records passed along the chain:
• Car: Stella Freiburger, VW Beetle, IP: 132.15.16.3
• Driving licence: Stella Freiburger, Classes: ABE, Friedrichstr. 50, D-79098 Freiburg, Germany, IP: 132.15.16.3

Page 8: Privacy in Business Processes by User-Centric Identity Management

Privacy Attacks: 1:n:m Relationships (continued)

Informational self-determination?

Figure: the same service chain as on page 7 (User ➔ Service 1, 1:n, to known service; Service 1 ➔ Service 2, 1:n:m, to unknown service(s); U = profile; user profiles). Records shown on the slide:
• Holiday: Stella Freiburger, VW Beetle, ..., IP: 132.15.16.3
• Car: Stella Freiburger, VW Beetle, IP: 132.15.16.3
• Driving licence: Stella Freiburger, Classes: ABE, Friedrichstr. 50, D-79098 Freiburg, Germany, IP: 132.15.16.3

Page 9: Privacy in Business Processes by User-Centric Identity Management

II. Problem: Data Economy
Identity management and multi-staged business processes

□ Single Sign-On: central or several CAs (Microsoft .NET Passport or Liberty Alliance)
□ Partial identities (Freiburg iManager)
□ Anonymous credentials (IBM idemix)

Page 10: Privacy in Business Processes by User-Centric Identity Management

Case 1: Single Sign-On, 1:n:m Relationships

Figure: message flow of the SSO run (labels as on the slide):
1: Request for booking / 1: Request for car
2: Redirection
3: Authentication
4: Connect
5: Request for pers. data: driving licence
6: Pers. data: driving licence
7: Allow / deny access
8: Booking confirmation

Page 11: Privacy in Business Processes by User-Centric Identity Management

Case 1: Single Sign-On, 1:n:m Relationships (continued)

Figure: the same SSO message flow as on page 10 (steps 1 to 8).

• Proxy needs the secret token of the user for authentication ➔ Linkability + Misuse
• CA is involved in every authentication ➔ Linkability

Page 12: Privacy in Business Processes by User-Centric Identity Management

Case 2: Anonymous Credentials, 1:n:m Relationships

Figure: Stella (secret key skStella) ➔ CA: "I am Stella"; the CA certifies personal data and issues anonymous credentials (digital driving licence). Stella under pseudonym 543ag ➔ service: "I am 543ag", shows the digital driving licence; service ➔ 543ag: "Booking confirmation", "Car for 543ag".

• Non-transferability mechanism: all credentials and pseudonyms are based on one secret key kMax

Page 13: Privacy in Business Processes by User-Centric Identity Management

Case 2: Anonymous Credentials, 1:n:m Relationships (continued)

Figure: the same credential flow as on page 12 (Stella / skStella, CA, pseudonym 543ag, digital driving licence, booking confirmation, car for 543ag).

• Non-transferability mechanism: all credentials and pseudonyms are based on one secret key kMax
• Proxy requires the secret key kStella for showing a credential ➔ Delegation of all credentials: misuse is possible ➔ Fraud: revealing the anonymity of the user

Page 14: Privacy in Business Processes by User-Centric Identity Management

Criteria for 1:n and 1:n:m Relationships

Criteria for 1:n relationships:
• Showing personal data depending on service
• Non-linkability of transactions
• Authentication without revealing identifying data
• Non-repudiation of user's transactions
• Revealing identity of cheating users

Additional criteria for 1:n:m relationships: delegation of rights on personal data
• Integrity of an authorization
• Delegation of "least privilege"
• Preventing misuse of delegated authorizations
• Restricting re-delegation of delegated authorizations
• Revoking delegated authorizations
• Distinguishing user and proxy

Page 15: Privacy in Business Processes by User-Centric Identity Management

DREISAM: Unlinkable Delegation of Rights

Idea: Authorization for purpose-based transfer of personal data as a credential (Proxy Credential)

Unobservability by:
– Anonymous credentials
– Pseudonyms
– CA signs the Proxy Credential

Purpose-based:
– Logging of delegation and use by CA and end service

Limit:
– User cannot enforce restrictions of a delegated authorization
– Observability if the service needs identifying data of the user

Wohlgemuth, S., Müller, G.: Privacy with Delegation of Rights by Identity Management, ETRICS 2006.

Page 16: Privacy in Business Processes by User-Centric Identity Management

DREISAM: Evaluation

Criteria for a self-determined disclosure of personal data (1:n), with the mechanism named on the slide:
• Showing personal data depending on service (Partial identity)
• Non-linkability of transactions (Pseudonyms and anonymity service)
• Authentication without revealing identifying data (Zero-Knowledge Proof)
• Non-repudiation of user's transactions (Protocol run of showing a credential)
• Revealing identity of cheating users (De-anonymization party)

Criteria for delegation of rights (1:n:m), mechanisms of PKI + anonymous credentials:
• Integrity of an authorization
• Delegation of "least privilege"
• Preventing misuse of delegated authorizations
• Restricting re-delegation of delegated authorizations
• Revoking delegated authorizations
• Distinguishing user and proxy

Mechanisms listed on the slide for these criteria: Anonymous credential + CA; One-show anonymous credential + Audit; Audit; Proxy Credential; Protocol of showing a credential + CA.
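The delegation problem of Case 2 (handing the proxy kStella delegates every credential) and the DREISAM Proxy Credential of pages 14 to 16, as an added example that is not part of the slides or of DREISAM itself: a CA-issued authorization bound to one attribute, one purpose, one target service and an expiry, checked by the end service, with revocation and an audit log of delegation and use. The HMAC stand-in for the CA signature, the function names and the sample values are assumptions.

```python
"""Purpose-bound proxy credential for a 1:n:m business process (added example, not DREISAM code).
The CA signature is stood in by an HMAC over the credential body with a CA secret (assumption)."""
import hashlib
import hmac
import json

CA_SECRET = b"constructed-ca-secret"   # placeholder for the CA's signing key
REVOKED = set()                         # ids of revoked proxy credentials, checked by the end service
AUDIT = []                              # log of delegation and use, as kept by CA and end service

def ca_sign(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(CA_SECRET, msg, hashlib.sha256).hexdigest()

def issue_proxy_credential(cred_id, user_pseudonym, proxy, attribute, purpose, target, expires):
    # Least privilege: one attribute, one purpose, one target service, fixed expiry, no re-delegation.
    # The user's own secret key never leaves the user, unlike delegating kStella itself.
    body = {"id": cred_id, "user": user_pseudonym, "proxy": proxy, "attribute": attribute,
            "purpose": purpose, "target": target, "expires": expires, "redelegable": False}
    AUDIT.append(("delegate", cred_id, proxy, attribute, target))
    return {"body": body, "sig": ca_sign(body)}

def revoke(cred):
    REVOKED.add(cred["body"]["id"])
    AUDIT.append(("revoke", cred["body"]["id"]))

def end_service_accepts(cred, presenter, attribute, purpose, service, now):
    """Service 2 decides whether to accept the delegated attribute; returns (accepted, reason)."""
    body = cred["body"]
    checks = [
        (hmac.compare_digest(cred["sig"], ca_sign(body)), "bad CA signature / integrity"),
        (body["id"] not in REVOKED, "revoked"),
        (now <= body["expires"], "expired"),
        (presenter == body["proxy"], "presenter is not the named proxy (no re-delegation)"),
        (attribute == body["attribute"], "attribute not covered by authorization"),
        (purpose == body["purpose"] and service == body["target"], "wrong purpose or target"),
    ]
    for ok, reason in checks:
        if not ok:
            AUDIT.append(("deny", body["id"], presenter, reason))
            return False, reason
    AUDIT.append(("use", body["id"], presenter, attribute, service))
    return True, "ok"

if __name__ == "__main__":
    c = issue_proxy_credential("pc-1", "543ag", "travel-agency", "driving licence", "car rental", "car-service", 1000)
    print(end_service_accepts(c, "travel-agency", "driving licence", "car rental", "car-service", now=500))  # (True, 'ok')
    print(end_service_accepts(c, "travel-agency", "address", "car rental", "car-service", now=500))          # denied
```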

Page 17: Privacy in Business Processes by User-Centric Identity Management

Verifying Use of Personal Data: Certified Service

□ Information flow: verified sandbox at the service provider
□ Peer: attested service access points of the sandbox
□ Presumption: TPM and CA infrastructure

Figure: trusted end device of the user (service / OS / hardware) communicating with the service provider (travel agency, untrusted area), whose services each run on a service / OS / hardware stack; a Privacy CA and a Software CA are part of the infrastructure.

Hohl, A., Lowis, L., Zugenmaier, A.: Look who's talking - Authenticated Service Access Points.

Page 18: Privacy in Business Processes by User-Centric Identity Management

III. WP 14: Areas of Work

Objective: Identification of privacy requirements for identity management relating to the use of disclosed personal data

Figure: the service chain from page 3 (User ➔ Service 1, 1:n, to known service: "I want a holiday trip, here are my attributes"; Service 1 ➔ Service 2, 1:n:m, to unknown service(s): "U wants a car, here is what I know of U"; U = profile; user profiles), annotated with the two areas of work:
• Identity management
• Identity management extended by protocols, TC, …

D14.2: Study on privacy in business processes by identity management
D14.3: Study on the suitability of trusted computing to support privacy policies in business processes

Page 19: Privacy in Business Processes by User-Centric Identity Management

Approach of WP14

Privacy Principles
• Non-Programmed Norms: Safe harbor, EU regulations, self-determination, politeness, respect

Privacy Policy
• Programmed Norms: P3P, EPAL, …

Privacy Tools
- Distrust in partner
- Control the service's system behavior, or knowledge about it
- User-controlled only

Privacy tools by goal:
- Prevent misuse (Access Control)
- Identify misuse (Audit)
- Prevent profiling (Anonymity services)
- Minimize profiling (IMS)

Page 20: Privacy in Business Processes by User-Centric Identity Management

Workshop Agenda – Monday

Session 1, 14:15-16:15
14:15-14:45 Sven Wohlgemuth (ALU-FR): Privacy in Business Processes by User-centric Identity Management
14:45-15:15 Mireille Hildebrandt (VUB): The user-centric narrative of AmI: smart marketing or citizen empowerment?
15:15-15:45 Günter Karjoth (IBM): Achieving Transparency by Applying an Enterprise Privacy Architecture
15:45-16:15 Simone Fischer-Hübner (KU): The "Data Track" for increasing transparency for end users

16:15-16:30 Coffee Break

Session 2, 16:30-18:30
16:30-17:00 Ammar Alkassar (SIRRIX): Employing Trusted Computing for User-Friendly Business-Processes
17:00-17:30 Stefan Köpsell (TUD): Overview of Trusted Computing and possible Applications for Business Processes with Delegates
17:30-18:00 Richard Cissée (TUB): Privacy-preserving Information Filtering
18:00-18:30 Sven Wohlgemuth (ALU-FR): Further steps to D14.2, D14.3 and to 4th work plan

Page 21: Privacy in Business Processes by User-Centric Identity Management

Workshop Agenda – Tuesday

Session 3, 13:45-15:15
13:45-14:15 Martin Meints (ICPP): Compliance in Enterprises - how can Trends in IT-Security successfully be transferred to Data Protection?
14:15-14:45 Laurent Bussard (Microsoft): TBA
14:45-15:15 Pieter Ribbers (Tilburg University): Privacy and Business Processes: the approach in PRIME