Privacy with attribute-based credentials ABC4Trust Project. Fatbardh Veseli

Transcription

1 Privacy with attribute-based credentials ABC4Trust Project Fatbardh Veseli Deutsche Telekom Chair for Mobile Business and Multilateral Security Goethe University Frankfurt, Germany 1

2 Overview Motivation Identity Management Issues Privacy-ABCs - Architecture, Concepts and features ABC4Trust Project Overview Standardisation efforts 2

3 Identity Management (IdM) 2 sides of a medal with enormous economic potential ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies Organisations aim to sort out User Accounts in different IT systems Authentication Rights management Access control Unified identities help to ease administration manage customer relations Identity management systems ease single-sign-on by unify accounts solve the problems of multiple passwords People live their life in different roles (professional, private, volunteer) using different identities (pseudonyms): accounts, SIM cards, ebay trade names, chat names, Facebook names, ) Differentiated identities help to protect privacy, especially anonymity personal security/safety enable reputation building at the same time Identity management systems support users using role based identities help to present the right identity in the right context 3

4 Identity Management (IdM) 2 sides of a medal with enormous economic potential ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies People live their life in different roles (professional, private, volunteer) using different identities (pseudonyms): accounts, SIM cards, ebay trade names, chat names, Facebook names, ) Differentiated identities help to protect privacy, especially anonymity personal security/safety enable reputation building at the same time Identity management systems support users using role based identities help to present the right identity in the right context Organisations aim to sort out User Accounts in different IT systems Authentication Rights management Access control Unified identities help to ease administration manage customer relations Identity management systems ease single-sign-on by unify accounts solve the problems of multiple passwords 4

5 Identity Management (IdM) One of many definitions An integrated concept of processes, policies and technologies that enable organizations and individual entities to facilitate and control the use of identity information in their respective relations 5

6 Privacy (and security) issues of typical federated IdM architectures Identity Service Provider (IdSP) Relying Party (RP) trust 4. token response 3. token request 1. request access 2. policy 5. token User 6

7 Partial Identities needed Based on [Clauß, Köhntopp 2001] 7

8 Identity Definition in ISO/IEC to reduce the risk of over-identification Identity (partial identity): Set of attributes related to an entity From A Framework for Identity Management (ISO/IEC 24760) Part 1: Terminology and concepts (IS:2011) Part 2: Reference framework and requirements (CD) Part 3: Practice (WD) [standards.iso.org/ittf/publiclyavailablestandards/index.html, 8

9 Attribute Based Credentials (Privacy-ABCs) Certifying relevant attributes Token issuance and presentation unlinkable Rather coins (that cannot be distinguished) than bank notes (that have a serial number) Users can disclose (minimal) subsets of the encoded claims To respond to unanticipated requests of RPs Without invalidating the token integrity E.g. Certificate for birth date -> Claim for being over 21 Two major approaches and technologies U-Prove (Credentica -> Microsoft) Idemix (IBM) 9

10 Two approaches for Privacy- ABCs Blind Signatures Zero-Knowledge Proofs Issuer Issuer User Verifier User Verifier U-Prove Brands, Paquin et al. Discrete Logs, RSA,.. Idemix (Identity Mixer) Damgard, Camenisch & Lysyanskaya Strong RSA, pairings (LMRS, q-sdh) 10

11 ABC4Trust Objectives A common, unified architecture for ABC systems to enable Comparing their respective features Combining them on common platforms Lock-In free usage of ABC systems Open reference implementations of selected ABC systems Deployments in actual production enabling Minimal disclosure Provision of anonymous feedback to a community proving one is accredited as a member 11

12 ABC4Trust Partners Johann Wolfgang Goethe- Universität Frankfurt, DE Alexandra Institute AS, DK Computer Technology Institute & Press DIOPHANTUS, GR IBM Research - Zurich, CH Miracle A/S, DK Nokia Solutions and Networks, DE Technische Universität Darmstadt, DE Unabhängiges Landeszentrum für Datenschutz, DE Eurodocs AB, SE CryptoExperts SAS, FR Microsoft NV, BE Söderhamn Kommun, SE 12

13 Architecture, entities and features Issuer Revocation Authority Credential Revocation Credential Issuance Revocation info retrieval User Presentation Token Revocation info retrieval Token Inspection Inspector Verifier 13

14 ABC4Trust Pilot Söderhamn: Community Interaction School internal platform for communication among pupils, teachers, and personnel Provide trusted authentication while protecting anonymity Usability: make privacy technology understandable for non-technical users (e.g. pupils) Norrtullskolan School Söderhamn, Sweden 14

15 Söderhamn pilot - Student consultation name = Kari Johannson Grade= 5 Class = 5A Gender = F name =? Grade = 5 Class =? 15

16 ABC4Trust Pilot Patras: Course Rating Course ratings conducted anonymously without learning participants identities Conduct polls based on attendance Verify with anonymous proofs towards untrusted infrastructure Computer Technology Institute Patras, Greece 16

17 Course Evaluation Course = 536 Matriculation nr: 1295 Attendance units: 6 name = Maria Papadopoulou Department = CEI Type = Student Matriculation nr: 1295 name =? Department =? Student = Yes CourseID = 536 #Attendance units > 5 = Yes 17 17

18 Privacy-ABCs and eid eids can be considered as credentials with several attributes. Privacy-ABCs can be used to disclose only some of the attributes.

19 Standardisation relevant projects within ISO/IEC JTC 1/SC A framework for identity Management Anonymous digital signatures Access control framework WG 5 -Identity management and privacy technologies Privacy framework WG 2 Cryptography and security mechanisms Partially anonymous, partially unlinkable authentication Privacy architecture framework Anonymous Entity Authentication 19

20 Conclusions & Outlook ICT and related services are coming ever closer to people. A more privacy friendly Internet requires: Partial Identities and Identifiers Minimum Disclosure Privacy-respecting Attribute Based Credentials ABC4Trust Summit Event: , Brussels, Representation of the State of Hesse fatbardh.veseli@m-chair.de, coord-abc4trust@m-chair.de

21 Back-Up Attribute-based Credentials for Trust

22 Identity Theft (?) 22 22

23 ABC4Trust Project Facts Scheduled duration: November 2010 February 2015 Partners: 12 partners from industry, academia, research centres and data protection authorities Costs: Million ( 8.85 Million EU funded) Funding: The ABC4Trust project receives research funding from the European Union's Seventh Framework Programme under grant agreement n as part of the ICT Trust and Security Research theme. Web Page: Project coordination: Chair of Mobile Business & Multilateral Security Goethe University Frankfurt Frankfurt am Main, Germany contact@abc4trust.eu 23