DECIDE: A Scheme for Decentralized Identity Escrow

Size: px

Start display at page:

Download "DECIDE: A Scheme for Decentralized Identity Escrow"

Samuel Benson
5 years ago
Views:

1 DECIDE: A Scheme for Decentralized Escrow ACM CCS 2005 Workshop on Digital Management Noburou Taniguchi, Koji Chida, Osamu Shionoiri, Atsushi Kanai Social Informatics Group Information Security Project NTT Information Sharing Platform Laboratories Nippon Telegraph and Telephone Corporation

2 Introduction Anonymity: one of the most controversial issues in the Internet Good things: it supports: - Privacy - Freedom of expression, speech, etc. Bad things: it numbs accountability and encourages - Slander, defamation - Fraud - Piracy - 2 -

3 Introduction (cont'd) Escrow [Killian and Petrank '98] - based on revocable anonymity ordinarily anonymous but in special case identity is disclosed - potential solution achieving a good balance between anonymity and accountability - 3 -

4 Goals To find the publicly acceptable "level" of anonymity with accountability.. and deploy it - 4 -

5 Definitions -, Pseudonymity, Anonymity - Digital world persona Specified Unspecified Real world person Specified Unspecified Pseudonymity Anonymity - 5 -

6 Definitions -, Pseudonymity, Anonymity - - Identified: specified as a real person in the real world - A principal (=real person) establishes identity by a set of information to specify the person Pseudonymity - Pseudonymous: specified as an unique virtual persona in the digital world, but unspecified as a real person in the real world - A principal gets pseudonymity by repeatedly-used identifier (=pseudonym) Anonymity - Anonymous: unspecified both in the real and digital world - A principal gets anonymity for example by using no identifier, by sharing the same single identifier with other principals, or by using different identifiers each time when authenticated - 6 -

7 (Another) Definitions -, Pseudonymity, Anonymity - Specified Real world person Unspecified Digital world persona Specified Unspecified Pseudonymity Anonymity - 7 -

8 Original model Escrow Issuer 2nd-tier identity (detailed) 1st-tier identity (anonymous) Verifier Identifier Escrow Agent(s) - 8 -

9 DECIDE DECentralized IDentity Escrow 3-layer model - added "Pseudonymity" layer Certificate issuer Proxy Pseudonymity Anonymity Service authenticator Principal (Person) Pseudonym - 9 -

Pseudonymity Anonymity Authenticator Principal

10 Generic Model - Anonymity Provider - Pseudonymity Provider Pseudonymity- Anonymity Provider Pseudonymity Anonymity Authenticator Principal (Person) Pseudonymity- Anonymity- Pseudonymity Anonymity- Authority

11 Processing Flow (A) (B) information Certificate issuer (C) (D) Revocation list (J) Proxy (F) (L) (I) (E) Service authenticator A) registration Request for escrow certificate B)Issuance of escrow certificate C)Request for anonymous access D)Pseudonymous Authentication E)Anonymous proxy access F)Provision of service Principal (Person) (K) Pseudonym (G) (H) G)Request for pseudonym H)Response for pseudonym I)Revocation list update J)Request for identity K)Response for identity L)Access to identity information

12 Certificate Issuance (A) (B) information Certificate issuer (C) (D) Revocation list (J) Proxy (F) (L) (I) (E) Service authenticator A) registration Request for escrow certificate B)Issuance of escrow certificate C)Request for anonymous access D)Pseudonymous Authentication E)Anonymous proxy access F)Provision of service Principal (Person) (K) Pseudonym (G) (H) G)Request for pseudonym H)Response for pseudonym I)Revocation list update J)Request for identity K)Response for identity L)Access to identity information

13 Certificate Issuance Using fair blind signature technique - Main idea Principal(P) ==[FB(PK P )]==> certificate issuer(ci) CI ==[Sign CI (FB(PK P ))]==> P P unblinds Sign CI (FB(PK P )) => Sign CI (PK P ): to be used as P's certificate - Feature CI doesn't know relation between FB(PKP) and PKP Trustee(s) can disclose relation between FB(PK P ) and PK P (thanks to fairness)

14 Accessing service via proxy (A) (B) information Certificate issuer (C) (D) Revocation list (J) Proxy (F) (L) (I) (E) Service authenticator A) registration Request for escrow certificate B)Issuance of escrow certificate C)Request for anonymous access D)Pseudonymous Authentication E)Anonymous proxy access F)Provision of service Principal (Person) (K) Pseudonym (G) (H) G)Request for pseudonym H)Response for pseudonym I)Revocation list update J)Request for identity K)Response for identity L)Access to identity information

15 Accessing service via proxy Usual proxy: - Proxy(PX) authenticates principal(p) - Then service authenticator(sa) authenticates PX but, in SA-PX authn, PX passes PX-P authn transcript encrypted by threshold encryption to SA - The transcript will be used pseudonymity process, if needed. PX knows relation between P's certificate and service access - Pros: Membership revocation is made to be easy - Cons: Privacy risk Solutions: - Trusted PX - Multiple PXs (PX network => network level anonymity)

16 Pseudonym (A) (B) information Certificate issuer (C) (D) Revocation list (J) Proxy (F) (L) (I) (E) Service authenticator A) registration Request for escrow certificate B)Issuance of escrow certificate C)Request for anonymous access D)Pseudonymous Authentication E)Anonymous proxy access F)Provision of service Principal (Person) (K) Pseudonym (G) (H) G)Request for pseudonym H)Response for pseudonym I)Revocation list update J)Request for identity K)Response for identity L)Access to identity information

17 Pseudonym Service Authenticator (SA) passes thresholdencrypted PX-P authn transcript and asks pseudonym to Pseudonym Disclosure Authorities(PDA), when needed - Threshold encryption enables multiple PDAs configuration, which may help Principals (P) trust the process more k out of n PDAs agree to, the transcript is decrypted and P's certificate is disclosed For membership revocation, the cert is sent to PX(s) to be registered revocation list

18 (A) (B) information Certificate issuer (C) (D) Revocation list (J) Proxy (F) (L) (I) (E) Service authenticator A) registration Request for escrow certificate B)Issuance of escrow certificate C)Request for anonymous access D)Pseudonymous Authentication E)Anonymous proxy access F)Provision of service Principal (Person) (K) Pseudonym (G) (H) G)Request for pseudonym H)Response for pseudonym I)Revocation list update J)Request for identity K)Response for identity L)Access to identity information

19 When further is needed, Service Authenticator (SA) sends Principal's (P) cert to Disclosure Authorities (IDA) IDAs also run process in k-out-of-n manner to decide whether P's identity will be disclosed or not If IDAs decide to disclose, relation between P's cert (= Sign CI (PK P )) and fair blinded public key FB(PK P ) registered in identity database will be revealed and therefore P's identity will be specified

20 Service Analysis from the Viewpoint of "Trust" Every authentication scheme needs to be trusted by participants In the matter of trust, social (human relationship) factor is as important as technology Esp. in identity escrow scheme, principals' trust to authorities is the key - who take on the roles? - how many? (<= k-out-of-n) Three application models are analyzed

21 Service Analysis from the Viewpoint of "Trust" Three application models are analyzed.. - Online discussion community - Whistle blowing - School networking Please see the paper in the proceedings for detail

22 Conclusion New and generalized notion of identity escrow (from the social-scientific point of view) - Based on the intuitive (non-mathematical) definition of identity, pseudonymity, anonymity A concrete framework of identity escrow "DECIDE" - High decentralizability Application service model analysis to get more trust from principals

23 Future work Deeper analysis on application model: - Building a simulation as a strategic game - Laboratory experiments - Field experiments

24 Thanks

Identity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation

Identity Mixer: From papers to pilots and beyond Gregory Neven, IBM Research Zurich Motivation Online security & trust today: SSL/TLS for encryption and server authentication Username/password for client