U-Prove Technology Overview
|
|
- Laura Neal
- 5 years ago
- Views:
Transcription
1 U-Prove Technology Overview November 2010
2 TOC Introduction Community Technology Preview Additional Capabilities RSA Demo Conclusion 2
3 Introduction
4 History U-Prove well established in academia Patent portfolio (granted 93 00) 30+ scientific papers (from 93 onward) E-cash PoC and pilots with Siemens, Gemplus, KPN, DigiCash, Zero-Knowledge, Nokia Credentica acquisition (Feb 2008) Patents, software, people Microsoft incubation Incubated U-Prove-enabled ID platform Public CTP (March 10) 4
5 U-Prove Technology Strong multi-party security technology for user-centric identity, data sharing, strong authentication, and digital signature Allows you to build e-tokens Has unique security, privacy, and efficiency benefits over conventional 5
6 Minimal disclosure Gov Coho Winery 6
7 Minimal disclosure Gov Name: Alice Smith Address: 1234 Pine, Seattle, WA D.O.B.: Coho Winery 6
8 Minimal disclosure Gov Name: Alice Smith Address: 1234 Pine, Seattle, WA D.O.B: Coho Winery 6
9 Minimal disclosure Gov Coho Winery 6
10 Minimal disclosure Gov The user can prove unanticipated properties about the encoded claims in a U-Prove token issued to her in advance Even in collusion, the issuing and relying parties cannot learn more about the user than what was disclosed Coho Winery 6
11 Minimal disclosure Gov Coho Winery 6
12 Minimal disclosure Gov Coho Winery 7
13 Minimal disclosure Gov Prove that you are over 21 and from WA Coho Winery 7
14 Minimal disclosure Gov Prove that you are over 21 and from WA Coho Winery Name: Alice Smith Address: 1234 Pine, Seattle, WA D.O.B:
15 Minimal disclosure Gov Prove that you are over 21 and from WA Coho Winery Name: Alice Smith Address: 1234 Pine, Seattle, WA D.O.B: Over-21 proof 7
16 Minimal disclosure Gov Prove that you are over 21 and from WA Coho Winery 7
17 Minimal disclosure Gov Which adult from WA is this? Coho Winery 7
18 Minimal disclosure Gov? Which adult from WA is this? Coho Winery 7
19 Minimal disclosure Gov The user can prove unanticipated? properties about the encoded claims in a U-Prove token issued to her in advance Even in collusion, the issuing and relying parties cannot learn more about the user than what was disclosed Which adult from WA is this? Coho Winery 7
20 Minimal disclosure Gov? Which adult from WA is this? Coho Winery 7
21 What s new? Similar to conventional security tokens (X.509, SAML, Kerberos), but U-Prove tokens contain no inescapable correlation handles E.g., coins (unlinkable) vs. bills (w/ serial#) Users can prove properties of the claims Disclose a subset of the claims Derived claim: birth date to over-21 proof Negation: name not on the control list 8
22 U-Prove CTP Released March 2010
23 U-Prove CTP Specifications (released under Open Specification Promise) U-Prove crypto specification (addressing feature subset) Integration into the ID metasystem specification Open-source crypto SDKs (implementing crypto spec) Posted on Code Gallery, under the BSD license C# and Java versions Identity platform integration (implementing integration spec) Modified version of Windows CardSpace 2.0 Extension to the Windows Identity Foundation Modified version of Active Directory Federation Services
24 Federation + U-Prove Identity Provider Relying Party STS Client 11
25 Federation + U-Prove Identity Provider Relying Party IP STS Client 11
26 Federation + U-Prove Identity Provider Relying Party IP STS trust IP Client 11
27 Federation + U-Prove Identity Provider Relying Party IP STS trust IP A. Token request Client 11
28 Federation + U-Prove Identity Provider Relying Party IP STS trust IP B. Token response A. Token request Client 11
29 Federation + U-Prove Identity Provider Relying Party IP STS trust IP B. Token response A. Token request 1. Request access Client 11
30 Federation + U-Prove Identity Provider Relying Party IP STS trust IP B. Token response A. Token request 1. Request access 2. Policy Client 11
31 Federation + U-Prove Identity Provider Relying Party IP trust IP STS B. Token response A. Token request 1. Request access 2. Policy 3. Token Client 11
32 CTP features The CTP implements the foundational U-Prove features: Selective disclosure (i.e., no derived claims) Unlinkability of token issuance and presentation Long-lived token support User-signed presentation tokens Data signature (in crypto SDKs only) 12
33 U-Prove technology additional capabilities
34 U-Prove technology additional capabilities The following slides provide a U- Prove technology overview (If you miss a step in the animation, press the left arrow to rewind)
35 U-Prove technology additional capabilities
36 Censorable audit logs Gov Coho Winery 14
37 Censorable audit logs Gov Adatum Auditor Coho Winery 14
38 Censorable audit logs Gov Adatum Auditor Coho Winery Provide name and address and get $20 14
39 Censorable audit logs Gov Adatum Auditor Coho Winery Name: Alice Smith Address: 1234 Pine, Seattle, WA D.O.B: Provide name and address and get $20 14
40 Censorable audit logs Gov Adatum Auditor Coho Winery Name: Alice Smith Address: 1234 Pine, Seattle, WA D.O.B: Over-21 proof Provide name and address and get $20 14
41 Censorable audit logs Gov Adatum Auditor Coho Winery 14
42 Censorable audit logs Gov Adatum Auditor Coho Winery Name: Alice Smith Address: 1234 Pine, Seattle, WA DOB: Over-21 proof 14
43 Censorable audit logs Gov Adatum Auditor Coho Winery Name: Alice Smith Address: 1234 Pine, Seattle, WA DOB: Over-21 proof 14
44 Censorable audit logs Gov Adatum Auditor Coho Winery My customer was an adult from WA 14
45 Censorable audit logs Gov Adatum Auditor Relying parties can remove disclosed information from presentation transcripts (without invalidating the issuer s and the user s signatures), keeping only what is necessary for audit compliance Coho Winery My customer was an adult from WA 14
46 Censorable audit logs Gov Adatum Auditor Coho Winery My customer was an adult from WA 14
47 Broker-mediated disclosure Hospital Hospital Contoso Research Broker 15
48 Broker-mediated disclosure Hospital Hospital Name: Alice Smith Address: 1234 Pine, Seattle, WA Disorder: Anxiety Contoso Research Broker 15
49 Broker-mediated disclosure Hospital Hospital Contoso Research Broker 15
50 Broker-mediated disclosure Hospital Hospital Name: Address: Disorder: John Doe 9 16 th N, Seattle, WA Delusional Contoso Research Broker 15
51 Broker-mediated disclosure Hospital Hospital Contoso Research Broker 15
52 Broker-mediated disclosure Hospital Hospital A broker can disclose anonymous data it collected to 3 rd parties, while preserving the authenticity of the issuer s signature on the data Contoso Research Broker 15
53 Broker-mediated disclosure Hospital Hospital Contoso Research Broker 15
54 Broker-mediated disclosure Hospital Hospital Contoso Research Broker
55 Broker-mediated disclosure Hospital Hospital Clients from Seattle with mental disorder? Contoso Research Broker
56 Broker-mediated disclosure Hospital Hospital Clients from Seattle with mental disorder? Contoso Research Name: Alice smith Address: 1234 Pine, Seattle, WA Disorder: Broker Anxiety
57 Broker-mediated disclosure Hospital Hospital Name: Address: Disorder: John Doe 9 16 th N, Seattle, WA Delusional Clients from Seattle with mental disorder? Contoso Research Name: Alice smith Address: 1234 Pine, Seattle, WA Disorder: Broker Anxiety
58 Broker-mediated disclosure Hospital Hospital Name: Address: Disorder: John Doe 9 16 th N, Seattle, WA Delusional Clients from Seattle with mental disorder? Contoso Research Names are different Name: Alice smith Address: 1234 Pine, Seattle, WA Disorder: Broker Anxiety Both from Seattle Both are mental disorders
59 Broker-mediated disclosure Hospital Hospital Name: Address: Disorder: John Doe 9 16 th N, Seattle, WA Delusional Clients from Seattle with mental disorder? Contoso Research Names are different Name: Alice smith Address: 1234 Pine, Seattle, WA Disorder: Broker Anxiety Both from Seattle Both are mental disorders
60 Broker-mediated disclosure Hospital Hospital Clients from Seattle with mental disorder? Contoso Research Names are different Both from Seattle Both are mental disorders Broker
61 Broker-mediated disclosure Hospital Hospital Clients from Seattle A broker can disclose with anonymous mental data it collected to 3 rd parties, disorder? while preserving the authenticity of the issuer s signature on the data Contoso Research Names are different Both from Seattle Both are mental disorders Broker
62 Broker-mediated disclosure Hospital Hospital Clients from Seattle with mental disorder? Contoso Research Names are different Both from Seattle Both are mental disorders Broker
63 Revocation Adatum Auditor Woodgrove Bank 17
64 Revocation Name: Role: Alice Smith Auditor Adatum Auditor Woodgrove Bank 17
65 Revocation Name: Role: Alice Smith Auditor REVOKED Adatum Auditor Woodgrove Bank 17
66 Revocation Name: Role: Alice Smith Auditor REVOKED Adatum Auditor Prove that you are a valid auditor Woodgrove Bank asmith@adatum.com 17
67 Revocation Name: Role: Alice Smith Auditor REVOKED Adatum Auditor Prove that you are a valid auditor Name: Role: Alice Smith asmith@adatum.com Auditor Woodgrove Bank asmith@adatum.com 17
68 Revocation Name: Role: Alice Smith Auditor REVOKED Adatum Auditor Prove that you are a valid auditor Name: Role: Alice not Smith revoked proof asmith@adatum.com Auditor Woodgrove Bank asmith@adatum.com 17
69 Revocation Name: Role: Alice Smith Auditor REVOKED Adatum Auditor Prove that you are a valid auditor Woodgrove Bank asmith@adatum.com 17
70 Revocation Name: Role: Alice Smith Auditor REVOKED Adatum Auditor Prove that you are a valid Issued U-Prove tokens can be revoked auditor by the issuer, even if no connection to the issuer is made when the user presents the tokens Woodgrove Bank asmith@adatum.com 17
71 Revocation Name: Role: Alice Smith Auditor REVOKED Adatum Auditor Prove that you are a valid auditor Woodgrove Bank asmith@adatum.com 17
72 Trusted device Gov University Bookstore
73 Trusted device Gov University Bookstore
74 Trusted device Gov University Bookstore
75 Trusted device Gov University Bookstore
76 Trusted device Gov University Bookstore
77 Trusted device Gov University A trusted device (smartcard, TPM chip, remote service) can hold part of the tokens private key (even those issued by other issuers) and efficiently help presenting them Bookstore
78 Trusted device Gov University Bookstore
79 Data signing Gov Revenue Agency 19
80 Data signing Gov Revenue Agency Tax form 19
81 Data signing Gov Revenue Agency Tax form Alice Smith 19
82 Data signing Gov Revenue Agency Tax form Alice Smith 19
83 Data signing Gov The user can non-interactively sign arbitrary data using a U-Prove token, attaching any encoded claim property to the signature Revenue Agency Tax form Alice Smith 19
84 Data signing Gov Revenue Agency Tax form Alice Smith 19
85 RSA 2010 Demo twc/endtoendtrust/vision/uprove.aspx 20
86 RSA 2010 demo OKS Registration E-Book 1. Register online, get student infocard 2. Prove registered student, view e-book online 3. Leave anonymous feedback OKS Feedback German npa card CardSpace 21
87 RSA 2010 demo details User presents German npa card to prove identity to university when registering online University issues a student (U-Prove) information card supporting claims from the npa card and registration data Student visits online book store, proves that she is a registered computer science student, and can view a book for free Student visits a university feedback portal, discloses her registered classes 22 (and optionally her gender), and submits
88 Conclusion
89 Summary of benefits Support for full spectrum of assurance From anonymity, to pseudonymity, to full identification Maintains strong accountability (revocation, audit trail, misuse tracing) Minimal disclosure and user control Strong multi-party security Phishing-resistant strong authentication Eliminates some insider attacks at IdP / CA Lending / pooling / reuse protections Efficient hardware protection On-demand or disconnected 24
90 Resources Videos: Scott Charney s RSA 2010 announcement: Intro: Microsofts-U-Prove-Community-Technical-Preview-CTP Technology overview: Learn-what-Microsofts-U-Prove-release-is-all-about U-Prove CTP (March 2010): Download location: Developer video: Identity/U-Prove-CTP-a-developers-perspective/ 25
91 The U-Prove mixing enabling a larger use-case spectrum Availability Offline Synchronized Online Security Software Shared Hardware Privacy Anonymity Pseudonymity Full identification 26
92 The U-Prove mixing enabling a larger use-case spectrum Availability Offline Synchronized Online Security Software Shared Hardware Privacy Anonymity Pseudonymity Full identification 26
93 Demo (using March 2010 CTP)
94 Scenario Alice is issued an eid information card The information card is protected by a X.509 certificate, e.g., stored on the eid smartcard. (Here, the certificate is installed on the machine) She then Obtains lab results from a hospital after proving who she is Leaves anonymous comments at her government citizen forum Buys wine online, proving she is over-21 and from Washington, leaving behind an auditable presentation transcript of these facts 28
95 Scenario summary eid IdP Hospital RP Forum RP 1. Obtain eid card eid 2. Access lab results (name, address, DoB) 3. Leave comments (PPID, country) Wine store RP CardSpace 4. Buy wine (state/ province, over-21) 29
96 eid Card Provisioning User downloads eid information card (after appropriate identity proofing) E.g., visits point of service in person and receives an activation code CardSpace efficiently retrieves multiple U- Prove tokens encoding the card claim values The user authenticates to the STS using her X.509 cert Tokens are stored securely encrypted on the machine Benefits: Reduces load on IdP s STS, which won t get hit every time the user presents the card IdP will not be aware of the user s card usage 30
97 Hospital lab results User presents full address, name, and D.o.B., and hospital locates her lab results Same security/privacy as if the user presented her ID in person 31
98 Government forum User leaves comments on a forum using an authenticated pseudonym Users are anonymous, but only members of the community (e.g., US resident) can leave comments No one (including the IdP itself) can hijack the pseudonym and post forged comments PPID claim value is derived from the presented U- Prove token 32
99 Wine store User buys some wine online, proving she is over-21 and in which province/ state she resides CardSpace applies the U-Prove token s private key when presenting the token; resulting presentation token is an auditable proof In contrast, proof keys are not applied by identity selectors in web scenarios 33
100 Crypto Details
101 Blind Signature protocol Issuer Illustrates a simple blind signature U-Prove token issuance uses a restrictive blinding technique More complex process to certify attributes 35
102 Blind Signature protocol Issuer Illustrates a simple blind signature U-Prove token issuance uses a restrictive blinding technique More complex process to certify attributes 35
103 Blind Signature protocol Issuer Illustrates a simple blind signature U-Prove token issuance uses a restrictive blinding technique More complex process to certify attributes 35
104 Blind Signature protocol Issuer Illustrates a simple blind signature U-Prove token issuance uses a restrictive blinding technique More complex process to certify attributes 35
105 Blind Signature protocol Issuer Illustrates a simple blind signature U-Prove token issuance uses a restrictive blinding technique More complex process to certify attributes 35
106 Blind Signature protocol Issuer Illustrates a simple blind signature U-Prove token issuance uses a restrictive blinding technique More complex process to certify attributes 35
107 Blind Signature protocol Name Acct. Number Expiration Issuer Issuer Illustrates a simple blind signature U-Prove token issuance uses a restrictive blinding technique More complex process to certify attributes 35
108 Blind Signature protocol Name Acct. Number Expiration Issuer Issuer Illustrates a simple blind signature U-Prove token issuance uses a restrictive blinding technique More complex process to certify attributes 35
109 Blind Signature protocol Name Acct. Number Expiration Issuer Name Acct. Number Expiration Issuer Issuer Illustrates a simple blind signature U-Prove token issuance uses a restrictive blinding technique More complex process to certify attributes 35
110 Proof of Knowledge Protocol Name Acct. Number Expiration Issuer Verifier Notes: Verifier only learns disclosed information, and is convinced that Alice knows the private key 36
111 Proof of Knowledge Protocol Challenge Name Acct. Number Expiration Issuer Verifier Notes: Verifier only learns disclosed information, and is convinced that Alice knows the private key 36
112 Proof of Knowledge Protocol Challenge Name Not revoked Acct. Number Expiration Issuer Verifier Notes: Verifier only learns disclosed information, and is convinced that Alice knows the private key 36
113 Proof of Knowledge Protocol Challenge Name Not revoked Acct. Number Expiration Issuer Proof Verifier Notes: Verifier only learns disclosed information, and is convinced that Alice knows the private key 36
114 Proof of Knowledge Protocol Name Not revoked Acct. Number Expiration Issuer Proof Verifier Notes: Verifier only learns disclosed information, and is convinced that Alice knows the private key 36
115 Schnorr protocol Goal: prove knowledge of α w.r.t. g on the public element h = g α Prover Verifier Pick w at random a := g w a c Pick c at random r := cα + w r Verify g r = ah c 37
116 U-Prove protocols U-Prove public key is a bit more complex: h := (g 0 g x 1 1 g x k k) α The x i values encode the attributes Uses Schnorr protocol as a primitive to prove properties of the attributes, e.g., x 1 = 1 x 2!= alice x 3 >= 21 (x 1 x 3 ) / x 2 > x 4 38
Privacy Privacy Preserving Authentication Schemes: Theory and Applications
Privacy Privacy Preserving Authentication Schemes: Theory and Applications 18 th Infocom World, Athens, Greece, 2016 Yannis C. Stamatiou Computer Technology Institute & Press Diophantus and Business Administration
More informationOn the Revocation of U-Prove Tokens
On the Revocation of U-Prove Tokens Christian Paquin, Microsoft Research September nd 04 U-Prove tokens provide many security and privacy benefits over conventional credential technologies such as X.509
More informationPrivacy with attribute-based credentials ABC4Trust Project. Fatbardh Veseli
Privacy with attribute-based credentials ABC4Trust Project Fatbardh Veseli Deutsche Telekom Chair for Mobile Business and Multilateral Security Goethe University Frankfurt, Germany fatbardh.veseli@m-chair.de
More informationRamnish Singh IT Advisor Microsoft Corporation Session Code:
Ramnish Singh IT Advisor Microsoft Corporation Session Code: Agenda Microsoft s Identity and Access Strategy Geneva Claims Based Access User access challenges Identity Metasystem and claims solution Introducing
More informationIRMA: I Reveal My Attributes
IRMA: I Reveal My Attributes Roland van Rijswijk - Deij roland.vanrijswijk@surfnet.nl rijswijk@cs.ru.nl Project partners 2 What is an attribute? An attribute is a property of a person: Full name Date of
More informationAnonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research
Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research Credentials: Motivation ID cards Sometimes used for other uses E.g. prove you re over 21, or
More informationPublic-Key Infrastructure NETS E2008
Public-Key Infrastructure NETS E2008 Many slides from Vitaly Shmatikov, UT Austin slide 1 Authenticity of Public Keys? private key Alice Bob public key Problem: How does Alice know that the public key
More informationIdentity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation
Identity Mixer: From papers to pilots and beyond Gregory Neven, IBM Research Zurich Motivation Online security & trust today: SSL/TLS for encryption and server authentication Username/password for client
More informationIBM Identity Mixer. Introduction Deployment Use Cases Blockchain More Features
Introduction Deployment Use Cases Blockchain More Features IBM Identity Mixer Privacy-preserving identity management and authentication for Blockchain and beyond Dr. Maria Dubovitskaya IBM Research Zurich
More informationNetwork Security Essentials
Network Security Essentials Fifth Edition by William Stallings Chapter 4 Key Distribution and User Authentication No Singhalese, whether man or woman, would venture out of the house without a bunch of
More informationBlockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric
Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric Elli Androulaki Staff member, IBM Research, Zurich Workshop on cryptocurrencies Athens, 06.03.2016 Blockchain systems
More informationNext Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop
Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop PACS Integration into the Identity Infrastructure Salvatore D Agostino CEO, IDmachines LLC 8 th Annual
More informationDigital Identity Management based on Digital Credentials. Credentica Inc. Version 1.0 of June 2002
Digital Identity Management based on Digital Credentials Stefan Brands and Frédéric Légaré Credentica Inc. Version 1.0 of June 2002 fbrands,legareg@credentica.com Abstract: Today s commercial Digital Identity
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust
More informationPotentials and Areas of Application of the Windows CardSpace Technology
Potentials and Areas of Application of the Windows CardSpace Technology Seminar on Internet Technologies by Gunnar Nussbeck Faculty of Mathematics and Computer Science Institute of Computer Science Date:
More informationSWAMID Identity Assurance Level 2 Profile
Document SWAMID Identity Assurance Level 2 Profile Identifier http://www.swamid.se/policy/assurance/al2 Version V1.0 Last modified 2015-12-02 Pages 11 Status FINAL License Creative Commons BY-SA 3.0 SWAMID
More informationPublic Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman
Public Key Infrastructure PKI National Digital Certification Center Information Technology Authority Sultanate of Oman Agenda Objectives PKI Features etrust Components Government eservices Oman National
More informationSWAMID Person-Proofed Multi-Factor Profile
Document SWAMID Person-Proofed Multi-Factor Profile Identifier http://www.swamid.se/policy/assurance/al2mfa Version V1.0 Last modified 2018-09-12 Pages 10 Status FINAL License Creative Commons BY-SA 3.0
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationInteragency Advisory Board Meeting Agenda, August 25, 2009
Interagency Advisory Board Meeting Agenda, August 25, 2009 1. Opening Remarks 2. Policy, process, regulations, technology, and infrastructure to employ HSPD-12 in USDA (Owen Unangst, USDA) 3. Policy and
More informationCertification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure
Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure 1.0 INTRODUCTION 1.1 Overview The Federal Reserve Banks operate a public key infrastructure (PKI) that manages
More informationSecurity analysis of OpenID, followed by a reference implementation of an npabased OpenID provider
Security analysis of OpenID, followed by a reference implementation of an npabased OpenID provider Sebastian Feld, Norbert Pohlmann Institute for Internet-Security, if(is) Gelsenkirchen University of Applied
More informationHong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)
Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS) This document (IMPS) facilitates an organization to provide relevant information to describe how it fulfils the normative
More informationBackground. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33
Background Network Security - Certificates, Keys and Signatures - Dr. John Keeney 3BA33 Slides Sources: Karl Quinn, Donal O Mahoney, Henric Johnson, Charlie Kaufman, Wikipedia, Google, Brian Raiter. Recommended
More informationCovert Identity Information in Direct Anonymous Attestation (DAA)
Covert Identity Information in Direct Anonymous Attestation (DAA) Carsten Rudolph Fraunhofer Institute for Secure Information Technology - SIT, Rheinstrasse 75, Darmstadt, Germany, Carsten.Rudolph@sit.fraunhofer.de
More informationAttribute-based Credentials on Smart Cards
Attribute-based Credentials on Smart Cards ir. Pim Vullers p.vullers@cs.ru.nl Privacy & Identity Lab Institute for Computing and Information Sciences Digital Security SaToSS Research Meeting 28th February
More informationA privacy-preserving authentication service using mobile devices
A privacy-preserving authentication service using mobile devices Mihai Togan Security Software Architect certsign Context Mobile devices Present everywhere What to consider High performance Computing power
More informationAcknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications
CSE565: Computer Security Lectures 16 & 17 Authentication & Applications Shambhu Upadhyaya Computer Science & Eng. University at Buffalo Buffalo, New York 14260 Lec 16.1 Acknowledgments Material for some
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationNational Identity Exchange Federation. Trustmark Signing Certificate Policy. Version 1.0. Published October 3, 2014 Revised March 30, 2016
National Identity Exchange Federation Trustmark Signing Certificate Policy Version 1.0 Published October 3, 2014 Revised March 30, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents
More informationSecurity Requirements for Crypto Devices
Security Requirements for Crypto Devices Version 1.0 02 May 2018 Controller of Certifying Authorities Ministry of Electronics and Information Technology 1 Document Control Document Name Security Requirements
More informationINTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD
INTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD Jeffy Mwakalinga, Prof Louise Yngström Department of Computer and System Sciences Royal Institute of Technology / Stockholm University
More informationLecture Notes 14 : Public-Key Infrastructure
6.857 Computer and Network Security October 24, 2002 Lecture Notes 14 : Public-Key Infrastructure Lecturer: Ron Rivest Scribe: Armour/Johann-Berkel/Owsley/Quealy [These notes come from Fall 2001. These
More informationCopy-Resistant Credentials with Minimum Information Disclosure
Copy-Resistant Credentials with Minimum Information Disclosure David Bauer and Douglas Blough Georgia Institute of Technology Public-key based certificates provide a standard way to prove one's identity,
More informationPrivacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems. Anja Lehmann IBM Research Zurich
Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems Anja Lehmann IBM Research Zurich ROADMAP Anonymous Credentials privacy-preserving (user) authentication Pseudonym Systems privacy-preserving
More informationMoving Digital Identity to the Cloud, a Fundamental Shift in rethinking the enterprise collaborative model.
TEG Progress Update Moving Digital Identity to the Cloud, a Fundamental Shift in rethinking the enterprise collaborative model. Fulup Ar Foll Master Architect Sun Microsystems Fulup@sun.com 1 What is the
More informationDeliverable D3.5 Harmonised e-authentication architecture in collaboration with STORK platform (M40) ATTPS. Achieving The Trust Paradigm Shift
Deliverable D3.5 Harmonised e-authentication architecture in collaboration with STORK platform (M40) Version 1.0 Author: Bharadwaj Pulugundla (Verizon) 25.10.2015 Table of content 1. Introduction... 3
More information10 minutes, 10 slides, goals, tech details and why it matters. Decentralized ID & Verifiable Claims
10 minutes, 10 slides, goals, tech details and why it matters Decentralized ID & Verifiable Claims Terminology & Current Model Claim or Assertion a claim or way of communicating what a person or thing
More informationHigher Education PKI Initiatives
Higher Education PKI Initiatives (Scott Rea) Securing the ecampus - Hanover NH July 28, 2009 Overview What are the drivers for PKI in Higher Education? Stronger authentication to resources and services
More informationIdentity Assurance Profiles Bronze and Silver. January 14, 2013 Version 1.2 Rev. 5 Release Candidate
Identity Assurance Profiles Bronze and Silver January 14, 2013 Version 1.2 Rev. 5 Release Candidate EXECUTIVE SUMMARY Identity Assurance Profiles, as described in the InCommon Identity Assurance Assessment
More informationDigital Cash Systems
Digital Cash Systems Xiang Yin Department of Computer Science McMaster University December 1, 2010 Outline 1 Digital Cash 2 3 4 5 Digital Cash Overview Properties Digital Cash Systems Digital Cash Digital
More informationSecurity & Privacy. Larry Rudolph. Pervasive Computing MIT SMA 5508 Spring 2006 Larry Rudolph
Security & Privacy Larry 1 Who cares about Privacy? Everybody? Nobody? Criminals? Governments? Corporations? Privacy is the right to keep information hidden. But there is lots of information. You do not
More informationU-Prove Technology Overview V1.1
U-Prove Technology Overview V1.1 Revision 2 Microsoft Corporation Author: Christian Paquin April 2013 2013 Microsoft Corporation. All rights reserved. Summary The U-Prove technology can be used to reconcile
More informationCan eid card make life easier and more secure? Michal Ševčík Industry Solution Consultant Hewlett-Packard, Slovakia ITAPA, November 9 th, 2010
Can eid card make life easier and more secure? Michal Ševčík Industry Solution Consultant Hewlett-Packard, Slovakia ITAPA, November 9 th, 2010 Content eid Primary Functions eid Privacy Features and Security
More informationU-Prove Cryptographic Specification V1.1 Revision 3
U-Prove Cryptographic Specification V1.1 Revision 3 Microsoft Corporation Authors: Christian Paquin, Greg Zaverucha December 2013 2013 Microsoft Corporation. All rights reserved. Summary This document
More informationTrusted Computing: Introduction & Applications
Trusted Computing: Introduction & Applications Lecture 5: Remote Attestation, Direct Anonymous Attestation Dr. Andreas U. Schmidt Fraunhofer Institute for Secure Information Technology SIT, Darmstadt,
More informationIndex. NOTE: Boldface indicates illustrations; t indicates a table. 209
A access control, 21, 23, 67-72, 89-100 Extensible Access Control Markup (XACML) and, 70, 72 fine-grained (entitlement management) and, 71-72, 71 identities and, 68 identity stores (multiple) and, 70 (LDAP)
More informationProf. Christos Xenakis
From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control Device-Centric Authentication for Future Internet Prof. Christos Xenakis SAINT Workshop
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationISSUES FOR RESPONSIBLE USER-CENTRIC IDENTITY
ISSUES FOR RESPONSIBLE USER-CENTRIC IDENTITY November 2009 Version 1.0 In light of the announcement of a series of federal pilots for federated identity providers, we have analyzed the governance and policy
More informationCrypto meets Web Security: Certificates and SSL/TLS
CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationCryptography and Network Security
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Authentication Applications We cannot enter into alliance with neighbouring princes until
More informationECA Trusted Agent Handbook
Revision 8.0 September 4, 2015 Introduction This Trusted Agent Handbook provides instructions for individuals authorized to perform personal presence identity verification of subscribers enrolling for
More informationPKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures
Public Key Infrastructures Public Key Infrastructure Definition and Description Functions Components Certificates 1 2 PKI Services Security Between Strangers Encryption Integrity Non-repudiation Key establishment
More informationCERTIFICATE POLICY CIGNA PKI Certificates
CERTIFICATE POLICY CIGNA PKI Certificates Version: 1.1 Effective Date: August 7, 2001 a Copyright 2001 CIGNA 1. Introduction...3 1.1 Important Note for Relying Parties... 3 1.2 Policy Identification...
More informationSAFE-BioPharma RAS Privacy Policy
SAFE-BioPharma RAS Privacy Policy This statement discloses the privacy practices for the SAFE-BioPharma Association ( SAFE- BioPharma ) Registration Authority System ( RAS ) web site and describes: what
More informationIdentity Provider for SAP Single Sign-On and SAP Identity Management
Implementation Guide Document Version: 1.0 2017-05-15 PUBLIC Identity Provider for SAP Single Sign-On and SAP Identity Management Content 1....4 1.1 What is SAML 2.0.... 5 SSO with SAML 2.0.... 6 SLO with
More informationU.S. E-Authentication Interoperability Lab Engineer
Using Digital Certificates to Establish Federated Trust chris.brown@enspier.com U.S. E-Authentication Interoperability Lab Engineer Agenda U.S. Federal E-Authentication Background Current State of PKI
More informationConfiguring SSL. SSL Overview CHAPTER
7 CHAPTER This topic describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section are:
More informationPKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006
PKI-An Operational Perspective NANOG 38 ARIN XVIII October 10, 2006 Briefing Contents PKI Usage Benefits Constituency Acceptance Specific Discussion of Requirements Certificate Policy Certificate Policy
More informationCryptographic Protocols 1
Cryptographic Protocols 1 Luke Anderson luke@lukeanderson.com.au 5 th May 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Problem with Diffie-Hellman 2.1 Session Hijacking 2.2 Encrypted Key Exchange
More informationArcGIS Server and Portal for ArcGIS An Introduction to Security
ArcGIS Server and Portal for ArcGIS An Introduction to Security Jeff Smith & Derek Law July 21, 2015 Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context
More informationAuthentication in Cloud Application: Claims-Based Identity Model
Authentication in Cloud Application: Claims-Based Identity Model Upen H Nathwani 1*, Irvin Dua 1, Ved Vyas Diwedi 2 Abstracts: Basically cloud service provider (CSP) give facility to access Software as
More informationProf. Christos Xenakis
From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control Device-Centric Authentication for Future Internet Prof. Christos Xenakis H2020 Clustering
More informationBuilding on existing security
Building on existing security infrastructures Chris Mitchell Royal Holloway, University of London http://www.isg.rhul.ac.uk/~cjm 1 Acknowledgements This is joint work with Chunhua Chen and Shaohua Tang
More informationCA CloudMinder. SSO Partnership Federation Guide 1.51
CA CloudMinder SSO Partnership Federation Guide 1.51 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationTechnical Trust Policy
Technical Trust Policy Version 1.2 Last Updated: May 20, 2016 Introduction Carequality creates a community of trusted exchange partners who rely on each organization s adherence to the terms of the Carequality
More informationFacilitating the Attribute Economy. David W Chadwick George Inman, Kristy Siu 2011 University of Kent
Facilitating the Attribute Economy David W Chadwick George Inman, Kristy Siu University of Kent 2011 University of Kent Internet 2 Fall 2011 Member Meeting 1 (Some) Attribute AuthzRequirements Attributes
More informationBugzilla ID: Bugzilla Summary:
Bugzilla ID: Bugzilla Summary: CAs wishing to have their certificates included in Mozilla products must 1) Comply with the requirements of the Mozilla CA certificate policy (http://www.mozilla.org/projects/security/certs/policy/)
More informationSingapore s National Digital Identity (NDI):
Singapore s National Digital Identity (NDI): Leaving no one behind Kwok Quek Sin Director, National Digital Identity Programme Government Technology Agency PART 1 INTRODUCTION TO NDI Better Living For
More informationApple Inc. Certification Authority Certification Practice Statement
Apple Inc. Certification Authority Certification Practice Statement Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA Apple Application Integration - G3 Sub-CA Version 6.2 Effective
More informationPublic Key Infrastructures
Foundations for secure e-commerce (bmevihim219) Dr. Levente Buttyán associate professor BME Hálózati Rendszerek és Szolgáltatások Tanszék Lab of Cryptography and System Security (CrySyS) buttyan@hit.bme.hu,
More informationMobile Identity Management
Mobile Identity Management Outline Ideas Motivation Architecture Implementation notes Discussion Motivation 1 The mobile phone has become a highly personal device: Phonebook E-mail Music, videos Landmarks
More informationX.509. CPSC 457/557 10/17/13 Jeffrey Zhu
X.509 CPSC 457/557 10/17/13 Jeffrey Zhu 2 3 X.509 Outline X.509 Overview Certificate Lifecycle Alternative Certification Models 4 What is X.509? The most commonly used Public Key Infrastructure (PKI) on
More informationApple Inc. Certification Authority Certification Practice Statement
Apple Inc. Certification Authority Certification Practice Statement Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA Apple Application Integration - G3 Sub-CA Version 6.3 Effective
More informationFPKIPA CPWG Antecedent, In-Person Task Group
FBCA Supplementary Antecedent, In-Person Definition This supplement provides clarification on the trust relationship between the Trusted Agent and the applicant, which is based on an in-person antecedent
More informationTELIA MOBILE ID CERTIFICATE
Telia Mobile ID Certificate CPS v2.3 1 (56) TELIA MOBILE ID CERTIFICATE CERTIFICATION PRACTICE STATEMENT (Translation from official Finnish version) Version 2.3 Valid from June 30, 2017 Telia Mobile ID
More informationConfiguring SSL CHAPTER
7 CHAPTER This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section
More informationUsing existing security infrastructures
Using existing security infrastructures Chris Mitchell Royal Holloway, University of London http://www.isg.rhul.ac.uk/~cjm 1 Acknowledgements This is joint work with Chunhua Chen and Shaohua Tang (South
More informationNimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]
Nimsoft Service Desk Single Sign-On Configuration Guide [assign the version number for your book] Legal Notices Copyright 2012, CA. All rights reserved. Warranty The material contained in this document
More informationTrusted National Identity Schemes. Coralie MESNARD
Trusted National Identity Schemes Coralie MESNARD Worldwide digital transactions are booming Digitization The number of G2C digital transactions is said to grow 30% by 2020 Privacy - Convenience Citizens
More informationSSL Certificates Certificate Policy (CP)
SSL Certificates Last Revision Date: February 26, 2015 Version 1.0 Revisions Version Date Description of changes Author s Name Draft 17 Jan 2011 Initial Release (Draft) Ivo Vitorino 1.0 26 Feb 2015 Full
More informationModule 3 Remote Desktop Gateway Estimated Time: 90 minutes
Module 3 Remote Desktop Gateway Estimated Time: 90 minutes A. Datum Corporation provided access to web intranet web applications by implementing Web Application Proxy. Now, IT management also wants to
More informationArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT
ArcGIS Enterprise Security: An Introduction Randall Williams Esri PSIRT Agenda ArcGIS Enterprise Security for *BEGINNING to INTERMIDIATE* users ArcGIS Enterprise Security Model Portal for ArcGIS Authentication
More informationConfiguring SSL. SSL Overview CHAPTER
CHAPTER 8 Date: 4/23/09 This topic describes the steps required to configure your ACE (both the ACE module and the ACE appliance) as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination.
More informationMeasuring Authentication: NIST and Vectors of Trust
SESSION ID: IDY-F01 Measuring Authentication: NIST 800-63 and Vectors of Trust auth Sarah Squire Senior Identity Solution Architect Engage Identity @SarahKSquire Eyewitness News 3 A Play in Five Acts
More informationDigital Signatures Act 1
Issuer: Riigikogu Type: act In force from: 01.07.2014 In force until: 25.10.2016 Translation published: 08.07.2014 Digital Signatures Act 1 Amended by the following acts Passed 08.03.2000 RT I 2000, 26,
More informationDigital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2
Digital Identity Guidelines aka NIST SP 800-63 March 1, 2017 Ken Klingenstein, Internet2 Topics 800-63 History and Current Revision process Caveats and Comments LOA Evolution Sections: 800-63A (Enrollment
More informationCONNECT TRANSIT CARD Pilot Program - Privacy Policy Effective Date: April 18, 2014
CONNECT TRANSIT CARD Pilot Program - Privacy Policy Effective Date: April 18, 2014 1. Welcome 1.1 Welcome to the Connect Transit Card Program. The Connect Card Program makes using public transit easier
More informationOverview of Authentication Systems
Overview of Authentication Systems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/
More informationOverview of cryptovision's eid Product Offering. Presentation & Demo
Presentation & Demo Benjamin Drisch, Adam Ross cv cryptovision GmbH T: +49 (0) 209.167-24 50 F: +49 (0) 209.167-24 61 info(at)cryptovision.com 1 General Requirements Government of Utopia Utopia Electronic
More informationGovernment PKI Factors Influencing Architecture for the Equal Employment Opportunity Commission
Government PKI Factors Influencing Architecture for the Equal Employment Opportunity Commission December 14, 2000 Steve Bruck Khurram Chaudry Francis Yuan 1 EEOC Business Cases for PKI Citizens complaints
More informationDirect Anonymous Attestation
Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with Ernie Brickell, Liqun Chen, Manu Drivers, Anja Lehmann. jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch
More informationCA SiteMinder Federation
CA SiteMinder Federation Partnership Federation Guide 12.52 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationNational Identity Exchange Federation. Certificate Policy. Version 1.1
National Identity Exchange Federation Certificate Policy Version 1.1 September 9, 2014 Table of Contents 1 Introduction...4 1.1 Overview... 6 1.1.1 Certificate Policy...6 1.1.2 References...6 1.2 Document
More informationSONERA MOBILE ID CERTIFICATE
Sonera Mobile ID Certificate CPS v2.1 1 (56) SONERA MOBILE ID CERTIFICATE CERTIFICATION PRACTICE STATEMENT (Translation from official Finnish version) Version 2.1 Valid from, domicile: Helsinki, Teollisuuskatu
More informationPrivacy Enhancing Technologies CSE 701 Fall 2017
Privacy Enhancing Technologies Lecture 2: Anonymity Applications Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Anonymous communication mixes, anonymizing proxies,
More informationIntroduction to Identity Management Systems
Introduction to Identity Management Systems Ajay Daryanani Middleware Engineer, RedIRIS / Red.es Kopaonik, 13th March 2007 1 1 Outline 1. Reasons for IdM 2. IdM Roadmap 3. Definitions 4. Components and
More information