Upload
thomas-gross
View
1.348
Download
0
Embed Size (px)
DESCRIPTION
Presenting the works of the EU projects PrimeLife and ABC4Trust, on how to employ attribute-based credentials (at the Newcastle security forum). The slides are provided by IBM Research - Zurich, in particular Jan Camenisch, Gregory Neven and Anja Lehmann.
Citation preview
Privacy-enhancing Attribute-based Authentication
Presenting works of the EU ProjectsPrimeLife and ABC4Trust
Slides provided by theIBM Research – Zurich identity and privacy team
(mostly from Jan Camenisch, Anja Lehmann, Gregory Neven)
Authentication and Anonymity?
[ Pictures: PCStelcom, BeautifulRailroadBridgeOverTheSilveryTay.Wordpress ]
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 1
ABC4Trust & PrimeLife Tutorial
Part I: Introduction to
Privacy-Preserving Authentication
Anja Lehmann, IBM Research – Zurich, 10.06.2011
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 7
Authentication
User Verifier
Issuer
I am Alice Doe and I'm over 18!
Convince me! btw … I trust the Issuer
credential
show credential
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 8
Authentication
credential / certificate
signed list of attribute-value pairs
name= Alice Doe
birth date = 1973/01/26
signed by the issuer
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 9
Signature Scheme
priv
Verify( , , ) = true
message
public key
private key
signature
= Sign( , ) priv
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 10
Signature Scheme | Unforgeability
priv
public key
private key
Verify( , , ) = true
such that
© 2009 IBM Corporation
●
● Sechste Gliederungsebene● Siebente Gliederungsebene
● Achte Gliederungsebene● Neunte Gliederungsebene
Classical Authentication
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 12
Standard Public-Key Certificates
e.g., X.509 certificates
In the beginning…
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 13
Standard Public-Key Certificates
e.g., X.509 certificates
Obtaining a certificate…
name = Alice Doe,birth date = 1973/01/26, pk =
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 14
Standard Public-Key Certificates
e.g., X.509 certificates
Using a certificate…
name = Alice Doe,birth date = 1973/01/26, pk =
full attribute disclosurefull attribute disclosure
linkable by certificate & public key linkable by certificate & public key
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 15
Standard Public-Key Certificates
e.g., X.509 certificates
Using a certificate again…
name = Alice Doe,birth date = 1973/01/26, pk =
name = Alice Doe,birth date = 1973/01/26,
pk =
linkable when used multiple times linkable when used multiple times
© 2009 IBM Corporation
●
● Sechste Gliederungsebene● Siebente Gliederungsebene
● Achte Gliederungsebene● Neunte Gliederungsebene
Privacy-Preserving Authentication
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 17
Privacy-Preserving Authentication: General Concepts
Basic Functionality
Minimal Disclosure Tokens
Pseudonyms and Combining/Binding of Multiple Tokens
Minimal Disclosure Wallets
Extensions Revocation Usage Limitation Inspection ...
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 18
Minimal Disclosure Tokens
In the beginning…
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
name = Alice Doe,birth date = 1973/01/26,
Minimal Disclosure Tokens
Obtaining a token…
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
Minimal Disclosure Tokens
Using a token …
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
name = Alice Doe,birth date = 1973/01/26
Minimal Disclosure Tokens
Using a token …
issuance and showing are unlinkableissuance and showing are unlinkable
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
name = ?,birth date = 1973/01/26
Minimal Disclosure Tokens
Using a token …
selective attribute disclosureselective attribute disclosure
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
Minimal Disclosure Tokens
Protection of user's privacy
anonymity
unlinkeability (single-use)
selective disclosure
Unforgeability of tokens
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
name = Alice Doe,birth date = 1947/01/26,
Minimal Disclosure Tokens
Unforgeability: Alice should not be able to show a token
that she never obtained
name = Alice Doe,birth date = 1973/01/26
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 25
Privacy-Preserving Authentication: General Concepts
Basic Functionality
Minimal Disclosure Tokens
Pseudonyms and Combining/Binding of Multiple Tokens
Minimal Disclosure Wallets
Extensions Revocation Usage Limitation Inspection ...
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 26
Minimal Disclosure Wallets
extended version of minimal disclosure tokens:
Protection of user's privacy
pseudonymity
unlinkeability (multi-use)
using/combining multiple credentials
selective disclosure
Unforgeability of credentials
Consistency of credentials (no sharing)
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 27
Minimal Disclosure Wallets
In the beginning…
master key= unique private identity
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
Minimal Disclosure Wallets
Obtaining a credential…
pseudonym= ephemeral public identity
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
name = Alice Doe,birth date = 1973/01/26, nym =
Minimal Disclosure Wallets
Obtaining a credential…
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
Minimal Disclosure Wallets
Using a credential…
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
name = ?,birth date = 1973/01/26
Minimal Disclosure Wallets
Using a credential…
selective attribute disclosureselective attribute disclosure
issuance and showing are unlinkableissuance and showing are unlinkable
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
name = ?,birth date = 1973/01/26
Minimal Disclosure Wallets
multi-show unlinkabilitymulti-show unlinkabilityname = Alice Doe,birth date = ?
Using a credential again…
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
passport: birth date = 1973/01/26driver's license: vehicle cat B
Minimal Disclosure Wallets
Using multiple credentials…
passport
driver's license
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 34
Minimal Disclosure Wallets
Protection of user's privacy
pseudonymity
unlinkeability (multi-use)
using/combining multiple credentials
selective disclosure
Unforgeability of credentials
Consistency of credentials (no sharing)
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
name = Alice Doe,birth date = 1973/01/26
Minimal Disclosure Wallets
name = Alice Doe,birth date = 1973/01/26
Sharing Prevention: Alice and Eve should not be able to share credential
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 36
Minimal Disclosure Wallets
Protection of user's privacy
pseudonymity
unlinkeability (multi-use)
using/combining multiple credentials
selective disclosure
Unforgeability of credentials
Consistency of credentials (no sharing)
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 37
Privacy-Preserving Authentication: General Concepts
Basic Functionality
Minimal Disclosure Tokens
Pseudonyms and Combining/Binding of Multiple Tokens
Minimal Disclosure Wallets
Extensions Predicates over Attributes Revocation Device Binding Inspection Usage Limitation ...
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
Predicates over attributes
Credentials on hidden attributes
Device binding
Domain pseudonym
Revocation of credentials
Inspection of credentials/attributes
Usage limitation
Censorable Audit Logs
Extended Functionality
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
name = ?,birth date > 1993/06/10
Predicate Over Attributes
= 1973/01/26
Range ProofsAge > 18, 10 < Age < 16, …
credit card expiration date > today
Set Membershipstatus: {children, student, senior}
Logical Combinations(credit card status = silver or gold) and valid driver's license
is user over 18?
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
Predicates over attributes
Credentials on hidden attributes
Device binding
Domain pseudonym
Revocation of credentials
Inspection of credentials/attributes
Usage limitation
Censorable Audit Logs
Extended Functionality
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
Credentials on Hidden Attributes
name = Alice Doe birth date =
name = Alice Doe,birth date = 1973/01/26
name = Alice Doe,birth date = 1973/01/26
User can prove statements on hidden attributes
similar to usage of pseudonyms = commitments to master secret
© 2009 IBM Corporation
●
● Sechste Gliederungsebene● Siebente Gliederungsebene
● Achte Gliederungsebene● Neunte Gliederungsebene
The idemix Library
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
Implementation available :-)
Identity Mixer is an implementation of Private Credentials Provides a library with all the crypto
Issuing credentials Transforming credentials according to a specified statement
(policy) Includes many of the features discussed
Provides a credential-based AC engine Relying party specifies attributes & credentials requirements User matches that to available credentials and generates
„evidence“ Get it at www.PrimeLife.eu/opensource and use it
..as do a number of projects already :-)
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
Authentication/Access Control Engine
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
Card-based access requirements language (CARL)
Policy and proof presentation in CARL and SAML/XACML
• Policy: requirements on owned cards, e.g.,
own p::Passport issued-by admin.ch, fgov.be, governo.it own c::Creditcard issued-by visa.com, amex.comreveal c.number, c.expdatewhere p.name = c.name ^ p.bdate < today-18Y ^ c.expdate > today ^ p.expdate > today+1M
• Authentication = claim over owned cards + evidence, e.g., own p::Passport issued-by admin.chown c::Creditcard issued-by visa.comreveal c.number = “1234567890”reveal c.expdate = “31/12/2012”where p.name = c.name ^ p.bdate < 22/03/1993 ^ p.expdate > 22/04/2011
IBM Identity Mixer: Framework
Signatures on lists of messages
(Credentials)
Efficient zero-knowledge proofs
Crypto Token Layer
PseudonymsCommitments
VerifiableEncryptio0n
VerifiableRandom FunctionsRevocation
Minimal disclosure
tokens
Group signatures
Direct Anonymousattestation
FullCredential
system…
U-Provesigs
CLsigs
Policy Layer
Composedschemes
Buildingblocks
Instan-tiations
ABC4Trust & PrimeLife − Tutorial − 10.06.2011
“Token Transforming” Language
Declaration{ id1:unrevealed:string; id2:unrevealed:string; id3:unrevealed:int; id4:unrevealed:enum; id5:revealed:string; id6:unrevealed:enum }
ProvenStatements{Credentials{ randName1:http://www.ch.ch/passport/v2010/chPassport10.xml =
{ FirstName:id1, LastName:id2, CivilStatus:id4 } randName2:http://www.ibm.com/employee/employeeCred.xml =
{LastName:id2, Position:id5, Band:5, YearsOfEmployment:id3 } randName3:http://www.ch.ch/health/v2010/healthCred10.xml =
{ FirstName:id1, LastName:id2, Diet:id6 } } Inequalities{ {http://www.ibm.com/employee/ipk.xml, geq[id3,4]} } Commitments{ randCommName1 = {id1,id2}; randCommName2 = {id6} } Representations{ randRepName = {id5,id2; base1,base2} } Pseudonyms{ randNymName; http://www.ibm.com/employee/ }
VerifiableEncryptions{ {PublicKey1, Label, id2} } Message { randMsgName = “Term 1:We will use this data only for ...” }}
ABC4Trust & PrimeLife − Tutorial − 10.06.2011 23
ABC4Trust & PrimeLife Tutorial
Questions?
www.abc4trust.eu
www.primelife.eu
www.zurich.ibm.com/security/idemix
Jan Camenisch, IBM Research – Zurich, 10.06.2011