Technologies to Protect eprivacy
|
|
- Edmund Kennedy
- 6 years ago
- Views:
Transcription
1 Technologies to Protect eprivacy Lecture 1 Introduction Jan Camenisch IBM Research
2 We leave etraces, lots of etraces!
3 and are observed by lots of sensors
4 Information leaked, some examples! Network layer MAC address, physical characteristics IP address, location,...! OS & Applications Browser (fonts, plugins, time zone, screen size, color depth) Infrastructure services (instant messaging, downloading, ) Cloud storage, syncing of devices! Usage Web searches (Google, bing,...) Shopping history Friends networks (Facebook, Linked-in) egovernment 4
5 Why are these information collected?! To offer (better) services Shipping address Not having to enter information each time! To prevent attacks... DoS Wikipedia edits! To make money Advertisements (loads of money) Better service to customer Tailored products Price discrimination! Homeland security, police,! Criminals :-( 5 (source: wikipedia) 2014 IBM Corporation
6 Some opinions...! You have zero privacy anyway get over it. Scott McNealy, CEO Sun Microsystems, January 1999! If you have something that you don t want anyone to know, maybe you shouldn t be doing it in the first place. Eric Schmidt, CEO Google, December 2009! People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time. Marc Zuckerman, CEO Facebook, January
7 You have no privacy, get over it...?!?! Huge security problem! Millions of hacked passwords (100'000 followers $ ) Lost credit card numbers ($5-2013) Stolen identities ($ , $ , $5 2013) Lots of not reported issues (industrial espionage, etc)! Difficult to put figures down Credit card fraud Spam & marketing Manipulating stock ratings, etc..! We know secret services can do it easily, but they are not the only ones this is not about homeland security and there are limits to the degree of protection that one can achieve! end we have not event discussed social issues such as democracy etc! last but not least: data are the new money, so need to be protected Privacy by Design 7
8 Need to protect our data!! devices, sensors, etc cannot all be physically protected authentication of all devices authentication of all data...makes it even worse :-(! data cannot be controlled 8 minimize information encrypt information attach usage policies to each bit
9 So what can we do! Legal approach Regulate what information can be collected How to collect it How to use and protect it Issue fines for misbehavior Very different for different countries and cultures! Technological approach Protect data by encryption Govern data by policies Minimize data that needs to be used
10 A Closer Look at Data Collection
11 More data is collected! Collect more Expand an existing person-specific data collection.! Collect specifically Replace an existing aggregate data collection with a person-specific one.! Collect if you can Data collection per encounter for Illinois (bytes) Examples (based field size) Hospital visit Grocery visit Birth L. Sweeney. Information Explosion. Confidentiality, Disclosure, and Data Access: Theory and Practical Applications for Statistical Agencies
12 Identifiability in the Internet! Every device connected to the Internet gets an Internet Protocol (IP) address assigned by the Internet Service Provider (ISP).! As long as the device stays connected, the IP address is a unique device identifier within the Internet.! Connection data may/must be logged for various reasons (e.g., billing purposes, advertisement, law enforcement, etc.)! Connection data/time/duration & contacted server IP address! In case of criminal offense, police may ask ISP for log files! ISP has customer s postal address (and bank data) for billing! Service providers (SP) may also log activities of their users! Linking data of SP and ISP reveals user s activities on the Web! MAC (media access control) addresses are unique identifiers per network interface (Ethernet, Bluetooth, Wifi, ) IETF considers random MACs! Hardware is unique and can be traced, even through hops..
13 We leak data e.g., browsers Property (bits of identifying info)! User Agent (13.76 bits)! HTTP ACCEPT Headers (3.8 bits)! Browser Plugin Details (19.56 bits)! Time Zone (2.58 bits)! Screen Size and Color Depth (4.98 bits)! System Fonts (19.56 bits)! Are Cookies Enabled? (1.95 bits)! Limited supercookie test (3.28 bits) Your browser fingerprint appears to be unique among the 3,872,607 tested so far
14 Disk Storage per Person (DSP) A rough measure of the growth in personal data [Sweeney 2001]: DSP = hard disk storage sold world population 28 MB in 1996 (Sweeney) 472 MB in 2000 (Edelstein, 2003) 5,200 GB in 2020 (IDC, 2012) Remarks Figures consider only non-removable media, and new devices sold Of course, other things that PII are stored From 2012 until 2020, the digital universe will about double every two years [Gantz and Reinsel, 2012]
15 Big Data A new generation of technologies and architectures, designed to economically extract value from very large volumes of a wide variety of data by enabling highvelocity capture, discovery, and/or analysis. Also: many organizations (government and private) make data publicly available Source: privacy that was previously protected only by the fact that data gathering was difficult can now be trivially violated. Samuel Weber, National Science Foundation (2012) Example: How To Break Anonymity of the Netflix Prize Dataset: Arvind Narayanan, Vitaly Shmatikov
16 Radical Change in Advertising , Web, social networks and mobile devices join in the conventional marketing channels (print media and TV / cinema, outdoor advertising, telemarketing, direct mail).! Benefits of digital media for the advertising industry Reaction of the target consumers is directly measurable in number of page views, click-through rate or conversion rate Scattering losses can be much better minimized Pay-per-click better validation of campaigns effectiveness! Advertising inserts according to time of day, weather, region, behavior audience-targeted advertisement Facts:
17 Ad Networks Source:
18 Summary! Networks, Devices, Apps are built to leak much more data than necessary! It has become very profitable to mine data for money! Big data mining money from all possible data has just started
19 Is this all legal?
20 Laws and regulations History! Notion of privacy has changes throughout history Curtains, shades, etc! Code of fair information practices (1973) Notice/Awareness Choice/Consent Access/Participation Integrity/Security Enforcement/Redress! Many laws follow the same principles US Privacy Act 1974 OECD Guidelines 1980 EU data protection directive 1995! But: Often only own citizens are protected! See, e.g., US laws! Laws are always lagging behind technology, often difficult to capture
21 OECD Privacy Principles! Collection Limitation There should be limits to the collection of personal data and any such data obtained by lawful and fair means, and where appropriate, with the knowledge or consent of the data subject.! Data Quality Personal data should be relevant to the purposes for which they are to be used, and, to the extend necessary for those purposes, should be accurate, complete and kept up-to-date.! Purpose Specification The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes.
22 OECD Privacy Principles! Use Limitation Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified under the preceding purpose specification principle except with the consent of the data subject, or by the authority of law.! Security Safeguards Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure.! Accountability A data controller should be accountable for complying with measures that give effect to the principles stated above.
23 OECD Privacy Principles! Openness There should be a general policy of openness about developments, practices and policies with respect to personal data.! Individual Participation An individual should have the right: to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; to have communicated to him, data relating to him within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and Individual Participation in a form that is readily intelligible to him; to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
24 Laws Throughout the World Privacy laws & regulations vary widely throughout the world! European Data Protection Directive privacy = fundamental human right requires all European Union countries to adopt similar comprehensive privacy laws revision in process (higher fines are foreseen)! US sets on self-regulation, some sector-specific laws, with relatively minimal protections Constitutional law governs the rights of individuals wrt the government Tort (Schadenersatz) law governs disputes between private individuals or other private persons Federal Trade Commission (FTC) deals with consumer protection HIPAA (Health Insurance Portability and Accountability Act, 1996) COPPA (Children s Online Privacy Protection Act, 1998) GLB (Gramm-Leach-Bliley-Act, 1999) over 7,000 State Legislations & Enforcement activity/class Actions! Australia: Privacy Act 1988, Amendment 2012 Notify users about collection; Notice if data are sent overseas, stronger access rights In most countries, fines are minimal. More information
25 The Worst Data Breaches of breaches during 2011 that involve 30.4 million sensitive records (2013: 601 breaches recorded, involving 55 million records)! Sony after over a dozen data breaches Sony faces class action lawsuits over its failure to protect over 100 million user records.! Epsilon 60 million customer s addresses! Sutter Physicians Services stolen desktop contained 3.3 million patients medical details including name, address, phone number, address & health insurance plan.! Tricare and SAIC backup tapes were stolen from the car of a Tricare employee; led to a $4.9 billion lawsuit being filed. Privacy Rights Clearinghouse (PRC) ( And the trend continues :-( Importance of strict privacy & security policies (incl. data retention) Avoid breaches simply by properly encrypting sensitive data or, better, using privacy enhancing technologies...
26 What can be do?... privacy by design!
27 of course there are limits...! tracing is so easy each piece of hardware is quite unique log files everywhere!. but that's not the point! it's not about NSA et al. active vs. passive adversaries... still, privacy by design!
28 Our Vision In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.
29 PETs Can Help! Privacy, Identity, and Trust Mgmt Built-In Everywhere!! Network Layer Anonymity... in mobile phone networks... in the Future Internet as currently discussed... access points for ID cards! Identification Layer Access control & authorization! Application Layer Standard e-commerce Specific Apps, e.g., evoting, OT, PIR,... Web 2.0, e.g., Facebook, Twitter, Wikis,... 29
30 RFID Tags & Tracking
31 Hidden Tracking RFID tags Groceries, Clothes, Books Passports also wifi, bluetooth, Problems Covert reading by radio Unique Identity Attacks Tracking and targeting, e.g., London: the bins are watching you Blacklisting, e.g., books Smart Bomb, Smart Robbing (cash) 31
32 RFID tags basics! RFID (Radio frequency id): read the identity of a tag by radio many different methods to communicate with the reader e.g., tree walking when many tags are present! Tag passive, energy from field, sending by field modulation chip (low number of gates & power), antenna, packaging Successor of barcodes: wireless significant improvements no-line of sight, can store (and process ) information multiple tags can be read concurrently 32
33 Use Cases! Tracking and tracing luggage, products, live stock supply chain mgmt inventory control sports timing! counterfeit detection drugs, mechanical parts, etc! access control buildings EZ pass, ticketing credit cards passports & identity cards 33
34 Characteristics Source: Gildas Avoine, Privacy Challenges in RFID, 2011 properties define life time, kind of data that can be stored and processed 34
35 Tag characteristics! supply chain 35! access control
36 Potential Privacy Issues! Unique id for all objects (worldwide)! RFID tags carry sensitive information! User might not be aware of the tags they carry medication, cloths, credit cards, etc! Tag can be read from a distance largely depends on the signal strength of reader! Even if contents is secure, location tracking still possible! Massive data aggregation, tracking and profiling Library! Alter stored data 36
37 Privacy Implications Information obtainable from reading tags, e.g.,! Tag present human present! Determining origin of human E.g., id-cards, credit card, library, cloths, etc! pure tracking (single tag, combination of tags)! hot-listing categorizing users of certain products, books, etc 37
38 RFID Protection Mechanisms
39 Different Categories of Remedies! Destroying Tags Specific commands Physically! Prevent communication of tags with readers blocking implementation of access control schemes! Better protocols, use of crypto difficult due to very limited resources of tags lightweight crypto as a new research field symmetric crypto only key management issues
40 Destroying tags User space solutions! Faraday Cage! RFID Zapper destroy tag emits strong field frying tag Industry provided solutions! Kill Command, deactivates chip needs password protection all or nothing privacy protection potential for misuse vandalism re-enable covertly! Clipping tags consumer choice visual feedback on state maybe read later on close (mechanical?) contact 40
41 some simple protocols
42 Better Protocols and use of Crypto Restrictions! Powered only when in range of reader extremely limited time to perform computations pre-computation impossible when tag is out of range! Extremely few gates as few as 5'000 are left for extra tasks even symmetric crypto impossible (encryption, hash functions, PRF) maybe not even enough for cryptographic PNG some feedback shift-register generators work no cryptographic security only simple password comparison and XOR works! collision avoidance protocols require (separate) identifier must not use static identifier, but random not possible! any solution uses at best symmetric crypto, but will require (complex) password/key management 42
43 Goals! Authenticate Reader towards chip! Using only very simple primitives XOR, maybe hash function, maybe PRF/PRN! Attacker model eavesdropping communication (including replay attacks) opening tags cloning tags initiate own communication with tags tracking 43
44 Simple Authentication (Molnar/Wagner) Assumption:! Channel Reader Tag eavesdroppable, Tag Reader secure.! Shared key s with all tags (library scenario): BIG DRAWBACK (unrealistic) Goal: Authentication of Command, Maintain Privacy of tags Reader shared secret s Tag Hello p=r s r cmd, p chooses random r verify p Analysis: - security against passive eavesdropping on the reader-to-tag link - adversary cannot replay protocol messages - nonce cannot be used to distinguish different tags 44 - but requires a good source of randomness (open problem!)
45 Basic PRF Private Authentication Scheme Assumption: Channel completely eavesdroppable, but can do PRFs on tag Reader random r1 find s s.t. p1 ok p2 = fs(1,r1,r2) shared secret s (per tag) Hello, r1 r2, p1 cmd, p2 Tag chooses random r2 p1 = fs(0,r1,r2) verify p2 Analysis! no system wide secret, but secret per Tag! provides privacy for tags, secure against passive eavesdropper! linear work on reader (can you improve that?) Improved solution requires tags to share keys reduces privacy...! Note: fs(i,r1,r2) can be used to encrypt the i-th messages with XOR 45
46 Sublinear Protocols (Cheon-Hong-Tsudik) Idea:! choose two sets of keys K1 and K2 of size n=sqrt(n)! assign unique pair (k1,k2) to each tag Reader random r1 ui = fk1(i)(r1,r2), i = 1,..,n shared secret (k1,k2) Hello, r1 r2, p Tag chooses random r2 p = fk1(r1,r2) fk2(r1,r2) vj = p fk2(j)(r1,r2), j = 1,..,n find (i,j) s.t. ui = vj Analysis:! Less work for reader!! But privacy decreases if too many tags compromised (forward security and probability of other tags), also no forward privacy 46! Extension: add a third key for authentication (use above protocol for identification)
47 Conclusion RFID! RFID tags are spreading! Tracking of equipment tightly linked to tracking people (hidden!) same or similar issues also exist for other devices (wifi, bluetooth, NFC) but easer to mitigate at least in theory! Privacy poorly addressed, proposed protocols still lacking hopefully more powerful tags in the future key management for large-scale systems might prevent any privacy Excellent RFID literature collection: 47
48 Anonymous Communication
49 Anonymous Communication Today: Internet = Postcard, sometimes encrypted (SSL, S/MIME..) However, communication can be linked by IP addresses and messages! Sender and Receiver might still reveal content of message be dangerous to sender or receiver Defeat the purpose of application (e.g., voting...)
50 Anonymous Communication Approaches! Encrypt messages between router, but routers still learn addresses! Hide addresses from routers, how? Limitations! If there is only Alice and Bob and all channels can be observed No anonymity Assume adversary is limited Assume enough messages travel (caching strategies)
51 A simple and elegant solution
52 Dining Cryptographers: Inputs none 1 none
53 Dining Cryptographers: Flip Pairwise Coins Assume we have secure point-to-point channels 0 none 1 none
54 Dining Cryptographers: Flip Pairwise Coins 0 none none
55 Dining Cryptographers: Announce Results 1=0'1 0 none none
56 Dining Cryptographers: Announce Results 1=0'1 1=0'0'1 0 none none
57 Dining Cryptographers: Announce Results 1=0'1 1=0'0'1 0 none 1 1 1=0'1 0 none
58 Dining Cryptographers: Compute Sent Msg 1=0'1 1=0'0'1 0 none 1 1=1'1'1 1 1=0'1 0 none
59 Dining Cryptographers: Discussion Security:! Information theoretic anonymity!! Can easily add encryption (orthogonal) Limitations! Requires broadcast channel! Rather inefficient for the whole internet (everyone would have to participate) Hierarchical schemes have been proposed
60 Trusted Third Party solutions
61 Anonymous Communication Using a Proxy AS Anonymity Service All traffic routed by Anonymity Service (e.g., anonymizer.com, VPNs)! Proxy and encryption (e.g., SSL) Send Web-request via SSL to AS, AS gets and provides page Trust only AS not all the routers anymore AS learns sender & receiver and contents! Using encryption (e.g., SSL to Bob with VPN to AS), so essentially Alice sends c1 = EncAS(Bob,EncBob(m)) to AS AS decrypts c1 and forwards EncBob(m) to Bob. AS learns sender & receiver and is single point of failure
62 Mix Networks To Weaken Trust in AS Route over several Anonymity Services:! Alice selects route she likes! Alice sends to first router (A1) c1 = EncA1(A2,EncA2(A3,EncA3(Bob,EncBob(m))))! Each AS peels off layer and forwards.! Still, there needs to be more that one message at the same time Properties:! Need to trust only one to hide address! Again: if Bob does not use encryption, end server learns content NOTE: SECURITY AGAINST CHOSEN CIPHERTEXT NEEDED!!!
63 Mix Networks Variations Variations:! Free path (onion routing) vs fixed path (mixes)! Provable vs take what you get Dropping, inserting, replaying,! Fixed Batches vs Real-time mixing strategies
64 Onion Routing
65 Onion Routing (Free Routes), e.g., TOR Each User chooses own route Server peels of layer of encryption, discovers whom to send next Problem: & How to mix & Encryption should not reveal number of (current) layers
66 Onion Routing Problem: size of ciphertexts depends on # of remaining routers EncA1(A2,EncA2(A3,EncA3(Bob,EncBob(m)))) Need to add name of next recipient And typical encryption scheme expands length (cf. ElGamal where an encryption of one group element results in a ciphertext of two group elements)
67 Onion Routing Solution: Notation: {m}k denotes the symmetric encryption of m under key k {e}k-1 denotes the symmetric decryption of e under key k Assume sender shares symmetric keys ki with each router: O1 = {{{{m}k4}k3}k2}k1, {{{Bob}k3}k2}k1, {{A3}k2}k1, {A2}k1 Receiving O1, Router A1 will compute: O'1 = {{{m}k4}k3}k2, {{Bob}k3}k2, {A3}k2, A2 A1 needs to grow onion again: chose random R and comp. O2 = {{m}k4}k3}k2, R, {{Bob}k3}k2, {A3}k2 A1 sends O2 to A2
68 Onion Routing! Receiving O2 = {{{m}k4}k3}k2, R, {{Bob}k3}k2, {A3}k2 A2 computes O'2 = {{m}k4}k3, {R }k2-1, {Bob}k3, A3! A2 needs to regrow onion: choose random R' and compute O3 = {{m}k4}k3, R', {R }k2-1, {Bob}k3! And so on. At some point Bob will receive: O4 = {m}k4, R, {R'}k3-1, {{R }k2-1}k3-1 He computes O'4 = m, {R }k4-1, {{R'}k3-1}k4-1, {{{R }k2-1}k3-1}k4-1 and, as {{{R }k2-1}k3-1}k4-1 does not match any name, outputs m
69 Onion Routing! How are keys distributed: O1 = {{{{m}k4}k3}k2}k1, {{{Bob}k3}k2}k1, {{A3}k2}k1, {A2}k1 Replace, e.g., A3 by (C3,A3), where C3 is encryption of k3 under A3's public key O1 = {{{{m}k4}k3}k2}k1, {{{C4, Bob}k3}k2}k1, {{C3,A3}k2}k1, {C2,A2}k1! What about chosen ciphertext security? I.e., ciphertext must not be changeable! To make ciphertext non-malleable, include hash of onion as label in public key encryption Routers cannot generate R' at random choose it pseudo randomly, e.g., R' = {0}k3-1 O3 = {{m}k4}k3, {0}k3-1, {R }k2-1, {C4, Bob}k3
70 Onion Routing! So Onion O4 is computed as follows: O4 = {m}k4, {0}k3-1, {{0}k2-1}k3-1, {{{0}k1-1}k2-1}k3-1, (C4,Bob), L4 where C4 = EncPKBob(k4,Hash(L4))! So Onion O3 is computed as follows: O3 = {{m}k4}k3, {{{0}k2-1}k3-1}k3, {{{{0}k1-1}k2-1}k3-1}k3, {C4,Bob}k3,(C3,A3) = {{m}k4}k3, {0}k2-1, {{0}k1-1}k2-1, {C4,Bob}k3, (C3,A3), where C3 = EncPK3(k3,Hash(L3))
71 Onion Routing! So Onion O3 is computed as follows: O3 = {{m}k4}k3, {{{0}k2-1}k3-1}k3,{{{{0}k1-1}k2-1}k3-1}k3, {C4,Bob}k3, (C3,A3) = {{m}k4}k3, {0}k2-1,{{0}k1-1}k2-1, {C4,Bob}k3, (C3,A3), where C3 = EncPK3(k3,Hash(L3))! So Onion O2 is computed as follows: O2 = {{{m}k4}k3}k2, {0}k1-1, {{C4,Bob}k3}k2, {(C3,A3)}k2,(C2,A2), where C2 = EncPK2(k2,Hash(L2))! So Onion O1 is computed as follows: O1 = {{{{m}k4}k3}k2}k1, {{{C4,Bob}k3}k2}k1, {{(C3,A3)}k2}k1,{(C2,A2)}k1,(C1,A1) where C1 = EncPK1(k1,Hash(L1))
72 Technologies to Protect eprivacy Lecture 2 Anonymous Credentials Jan Camenisch IBM Research
73 Privacy at the Authentication Layer Authentication without identification 73
74 What is an identity & identity management? language skills work marital status phone number salary credit card number shopping hobbies public authority name address birth date insurance nick name leisure blood group health status health care! ID: set of attributes shared w/ someone attributes are not static: user & party can add! ID Management: two things to make ID useful authentication means means to transport attributes between parties 74
75 Let's see a scenario 75
76 Alice wants to watch a movie at Mplex I wish to see Alice in Wonderland Alice Movie Streaming Service
77 Alice wants to watch a movie at Mplex You need: - subscription - be older than 12 Alice Movie Streaming Service
78 Watching the movie with the traditional solution ok, here's - my eid - my subscription Alice Movie Streaming Service
79 Watching the movie with the traditional solution Aha, you are - Alice Doe - born on Dec 12, Waterdrive - CH 8003 Zurich - Married - Expires Aug 4, 2018 Mplex Customer - # Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service
80 Watching the movie with the traditional solution This is a privacy and security problem! - identity theft - profiling - discrimination Aha, you are - Alice Doe - born on Dec 12, Waterdrive - CH 8003 Zurich - Married - Expires Aug 4, 2018 Mplex Customer - # Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service
81 Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Alice Movie Streaming Service 81
82 Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Aha, Alice is watching a 12+ movie Alice Movie Streaming Service 82
83 Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Aha, Alice is watching a 12+ movie Aha, you are - Alice@facebook.com - born on Dec 12, Alice's friends are... - Alice's public profile is... Mplex Customer - # Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service 83
84 Identity Mixer solves this. When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the services learns is that Alice has a subscription is older than 12 and no more.
85 Privacy-protecting authentication with IBM Identity Mixer Like PKI, but better:! One secret Identity (secret key)! Many Public Pseudonyms (public keys)
86 Privacy-protecting authentication with IBM Identity Mixer Like PKI, but better:! Issuing a credential Name = Alice Doe Birth date = April 3, 1997
87 Privacy-protecting authentication with Privacy ABCs Alice Movie Streaming Service 87
88 Privacy-protecting authentication with IBM Identity Mixer I wish to see Alice in Wonderland You need: - subscription - be older than 12 Alice Movie Streaming Service 88
89 Privacy-protecting authentication with IBM Identity Mixer Alice Movie Streaming Service 89
90 Privacy-protecting authentication with IBM Identity Mixer I wish to see Alice in Wonderland You need: - subscription - be older than 12 Alice Movie Streaming Service 90
91 Privacy-protecting authentication with IBM Identity Mixer Like PKI! but does not send credential! only minimal disclosure Alice - valid subscription - eid with age 12 Movie Streaming Service
92 Privacy-protecting authentication with IBM Identity Mixer Like PKI! but does not send credential! only minimal disclosure (Public Verification Key of issuer) Aha, you are - older than 12 - have a subscription Alice Movie Streaming Service 92
93 Advantages of Identity Mixer! For Users: privacy minimizing disclosure of personal data keeping their identities safe pseudonymous/anonymous access! For Service Providers: security, accountability, and compliance avoiding the risk of loosing personal data if it gets stolen compliance with legislation (access control rules, personal data protection) strong authentication (cryptographic proofs replace usernames/passwords) user identification if required (under certain circumstances) 93
94 Demo Try yourself at on Privacy Day (January 28)
95 Further Concepts 95
96 Concept Inspection Inspector parameters TTP Inspection grounds If car is damaged: ID with insurance or gov't needs be retrieved Similarly: verifiably encrypt any certified attribute (optional) TTP is off-line & can be distributed to lessen trust 96
97 Concept Revocation Revocation authority parameters (public key) Revocation info If Alice was speeding, license needs to be revoked! There are many different use cases and many solutions Variants of CRL work (using crypto to maintain anonymity) Accumulators Signing entries & Proof,... Limited validity certs need to be updated... For proving age, a revoked driver's license still works 97
98 Concept Usage Limitation Degree of anonymity can be limited:! If Alice and Eve are on-line at the same time, they are caught!! Use Limitation anonymous until: If Alice used certs > 100 times total or > 10'000 times with Bob! Alice's cert can be bound to hardware token (e.g., TPM) 98
99 A couple of use cases 99
100 Age verification Proving 12+, 18+, 21+ without disclosing the exact date of birth privacy and compliance with age-related legislation! Movie streaming services! Gaming industry! Online gambling platforms! Dating websites! Social benefits for young/old people 100
101 Healthcare Anonymous treatment of patients (while enabling access control and payments)! Anonymous access to patients' records accessing medical test results! Anonymous consultations with specialists online chat with a psychologist online consultation with IBM Watson! Eligibility for the premium health insurance proving that the body mass index (BMI) is in the certain range without disclosing the exact weight, height, or BMI 101
102 Subscriptions, membership Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)! Patent databases! DNA databases! News/Journals/Magazines! Transportation: tickets, toll roads! Loyalty programs??? 102
103 Polls, recommendation platforms Providing anonymous, but at the same time legitimate feedback! Online polls applying different restrictions on the poll participants: location, citizenship! Rating and feedback platforms anonymous feedback for a course only from the students who attended it wikis recommendation platforms 103
104 Towards Realizing Anonymous Creds 104
105 An Software Stack View on Identity Mixer application layer resource request presentation policy presentation token Wallet AC & app logic store policy layer crypto layer policy credential matcher evidence gen. orchestration store credential mgr Sig Enc... Com... ZKP policy token matcher store evidence verif. orchestration token mgr Sig Enc... Com... ZKP
106 The Policy Layer An Example: Presentation policy pecuid> metersuid> User Verifier presentation policy presentation token 106
107 Privacy-protecting authentication with Privacy ABCs Alice Movie Streaming Service 107
108 Required Technologies Signature Schemes Encryption Schemes Zero-Knowledge Proofs Commitment Schemes... challenge is to do all this efficiently!
109 zero-knowledge proofs 109
110 Zero-Knowledge Proofs! interactive proof between a prover and a verifier about the prover's knowledge Commitment Challenge Response! properties: zero-knowledge verifier learns nothing about the prover's secret proof of knowledge (soundness) prover can convince verifier only if she knows the secret completeness if prover knows the secret she can always convince the verifier 110
111 Zero Knowledge Proofs of Knowledge of Discrete Logarithms Given group <g> and element y Є <g>. Prover wants to convince verifier that she knows x s.t. y = gx such that verifier only learns y and g. Prover: x random r t := gr t c s := r - cx y, g Verifier: s random c t = g s yc? notation: PK{(α): y = gα } 111
112 Zero Knowledge Proofs Proof of knowledge: if a prover can successfully convince a verifier, then the secret need to be extractable. Prover might do protocol computation in any way it wants & we cannot analyse code. Thought experiment:! Assume we have prover as a black box we can reset and rerun prover! Need to show how secret can be extracted via protocol interface x t t c c' x s t = gs yc = gs' yc' yc'-c = gs-s' y = g(s-s')/(c'-c) s' x = (s-s')/(c'-c) mod q
113 Zero Knowledge Proofs: Security Zero-knowledge property: If verifier does not learn anything (except the fact that Alice knows x = log g y ) Idea: One can simulate whatever Bob sees. Choose random c', s' compute t := g s' c' y if c = c' send s' = s, otherwise restart t c s Problem: if domain of c too large, success probability becomes too small
114 Zero Knowledge Proofs of Knowledge of Discrete Logarithms One way to modify protocol to get large domain c: Prover: x random r t := gr h := H(c,v)? s := r - cx y, g Verifier: h t random c,v h := H(c,v) c,v s t = g s yc? notation: PK{(α): y = gα } 114
115 Zero Knowledge Proofs: Security One way to modify protocol to get large domain c: Choose random c', s' compute t' := gs' yc' after having received c reboot verifier Choose random s compute t := gs yc send s h t' c,v h t c,v s
116 From Protocols To Signatures Signature SPK{(α): y = gα }(m): Signing a message m: - chose random r Є Zq and - compute c := H(gr m) = H(t m) s := r - cx mod (q) - output (c,s) Verifying a signature (c,s) on a message m: - check c = H(gs yc m)? 116 t = gs y c? Security: - underlying protocol is zero-knowledge proof of knowledge - hash function H(.) behaves as a random oracle.
117 Zero Knowledge Proofs of Knowledge of Discrete Logarithms Many Exponents: PK{(α,β,γ,δ): y = gα hβzγkδuβ } Logical combinations: PK{(α,β): y = gα z = gβ u = gβhα } PK{(α,β): y = gα z = gβ } als and groups of different order (under SRSA): PK{(α): y = gα α Є [A,B] } PK{(α): y = gα z = gα α Є [0,min{ord(g),ord(g)}] } Non-interactive (Fiat-Shamir heuristic, Schnorr Signatures): SPK{(α): y = gα }(m) 117
118 Some Example Proofs and Their Analysis Let g, h, C1, C2, C3 be group elements. Now, what does PK{(α1,β1,α2,β2, α3, β3): C1= gα1hβ1 C2= gα2hβ2 C3 =gα3hβ3 C3 = gα1gα2hβ3 } mean? Prover knows values α1, β1, α2, β2, β3 such that C1= gα1hβ1, C2= gα2hβ2 and C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3 α3 = a1 + a2 (mod q) And what about: PK{(α1,...,β3): C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3 α3 = a1 + 5 a2 118 C1= gα1hβ1 C2= gα2hβ2 C3 =gα3hβ3 C3 = gα1 (g5)α2hβ3 } (mod q)
119 Some Example Proofs and Their Analysis Let g, h, C1, C2, C3 be group elements. Now, what does C1= gα1hβ1 C2= gα2hβ2 C3 =gα3hβ3 C3 = C2α1hβ3 } mean? PK{(α1,..,β3): Prover knows values α1, β1, α2, β2, β3 such that C1= gα1hβ1, C2= gα2hβ2 and C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2 α1hβ3+β2 α1 C3 = gα2 α1 hβ3+β2 α1 = gα3 hβ3' a3 = a1 a2 (mod q) And what about PK{(α1,β1 β2): 119 C1= gα1hβ1 C2= gα2hβ2 C2 = C1α1hβ2 } a2 = a12 (mod q)
120 Some Example Proofs and Their Analysis Let g, h, C1, C2, C3 be group elements. Now, what does PK{(α1,..,β2): C1= gα1hβ1 C2= gα2hβ2 g = (C2/C1)α1hβ2 } mean? Prover knows values α, β1, β2 such that C1= gα1hβ1 g = (C2/C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2 g1/α1 = C2 g-α1h-β1 hβ2/α1 C2 = gα1 hβ1 h-β2/α1 g1/α1 = gα1 + 1/α1 hβ1-β2/α1 C2 = gα2 hβ2 α2 = α1 + a1-1 (mod q) 120
121 signature schemes 121
122 RSA Signature Scheme for reference Rivest, Shamir, and Adlemann 1978 Secret Key: two random primes p and q Public Key: n := pq, prime e, and collision-free hash function H: {0,1}* -> {0,1}ℓ Computing signature on a message m Є {0,1}* d := 1/e mod (p-1)(q-1) s := H(m) d mod n Verification of signature s on a message m Є {0,1}* se = H(m) Correctness: se = (H(m)d)e = H(m)d e = H(m) 122 (mod n) (mod n)
123 RSA Signature Scheme for reference Verification signature on a message m Є {0,1}* se := H(m) (mod n) Wanna do proof of knowledge of signature on a message, e.g., PK{ (m,s): se = H(m) (mod n) } But this is not a valid proof expression!!!! :-( 123
124 CL-Signature Scheme Public key of signer: RSA modulus n and ai, b, d Є QRn, Secret key: factors of n To sign k messages m1,..., mk Є {0,1}ℓ : choose random prime 2ℓ+2 > e > 2ℓ+1 and integer s n compute c : c = (d / (a m1... a mk bs ))1/e mod n k signature is (c,e,s)
125 CL-Signature Scheme To verify a signature (c,e,s) on messages m1,..., mk: m1,..., mk Є {0,1}ℓ: e > 2ℓ+1 d = ce a 1 m1... a k mk bs mod n Theorem: Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption. 125
126 Proving Knowledge of a CL-signature Recall: d = ce a1m1a2m2 bs mod n Observe:! Let c' = c btmod n with randomly chosen t! Then d = c'e a1m1a2m2 bs-et (mod n), i.e., (c',e, s* = s-et) is also signature on m1 and m2 To prove knowledge of signature (c',e, s*) on m2 and some m1! provide c'! PK{(ε, µ1, σ) : d/a2m2 := c'ε a1µ1 b σ µ Є {0,1}ℓ ε > 2ℓ+1 } proves d := c'ε a1µ1 a2m2b σ 126
127 Technologies to Protect eprivacy Lecture 3 Anonymous Credentials II Jan Camenisch IBM Research
128 Privacy-protecting authentication with Privacy ABCs commitment scheme signature scheme Alice zero-knowledge proofs 128
129 Zero Knowledge Proofs of Knowledge of Discrete Logarithms Many Exponents: PK{(α,β,γ,δ): y = gα hβzγkδuβ } Logical combinations: PK{(α,β): y = gα z = gβ u = gβhα } PK{(α,β): y = gα z = gβ } Intervals and groups of different order (under SRSA): PK{(α): y = gα α Є [A,B] } PK{(α): y = gα z = gα α Є [0,min{ord(g),ord(g)}] } Non-interactive (Fiat-Shamir heuristic, Schnorr Signatures): SPK{(α): y = gα }(m) 129
130 CL-Signature Scheme Public key of signer: RSA modulus n and ai, b, d Є QRn, Secret key: factors of n To sign k messages m1,..., mk Є {0,1}ℓ : choose random prime 2ℓ+2 > e > 2ℓ+1 and integer s n compute c : c = (d / (a m1... a mk bs ))1/e mod n k signature is (c,e,s)
131 CL-Signature Scheme To verify a signature (c,e,s) on messages m1,..., mk: m1,..., mk Є {0,1}ℓ: e > 2ℓ+1 d = ce a 1 m1... a k mk bs mod n Theorem: Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption. 131
132 Proving Knowledge of a CL-signature Recall: d = ce a1m1a2m2 bs mod n Observe:! Let c' = c btmod n with randomly chosen t! Then d = c'e a1m1a2m2 bs-et (mod n), i.e., (c',e, s* = s-et) is also signature on m1 and m2 To prove knowledge of signature (c',e, s*) on m2 and some m1! provide c'! PK{(ε, µ1, σ) : d/a2m2 := c'ε a1µ1 b σ µ Є {0,1}ℓ ε > 2ℓ+1 } proves d := c'ε a1µ1 a2m2b σ 132
133 commitment scheme 133
134 Commitment Scheme: Functionality m m m, ? mє m
135 Commitment Scheme: Security Binding m, m', ? m є m? m' є m
136 Commitment Scheme: Security Binding m, m', ? m є m? m' є m
137 Commitment Scheme: Security Hiding: for all message m, m' m m' m m'
138 Commitment Scheme: Security Hiding: for all message m, m' m m' m m'? m m' m m'
139 Commitment Schemes Group G = <g> = <h> of order q To commit to element x Є Zq: Pedersen: perfectly hiding, computationally binding choose r Є Zq and compute c = gxhr ElGamal: computationally hiding, perfectly binding: choose r Є Zq and compute c = (gxhr, gr) To open commitment: reveal x and r to verifier verifier checks if c = gxhr
140 Pedersen's Commitment Scheme Pedersen's Scheme: Choose r Є Zq and compute c = gxhr Perfectly hiding: Let c be a commitment and u= logg h Thus c = gxhr = gx+ur = g(x+ur')+u(r-r') = gx+ur'hr-r' for any r'! I.e., given c and x' here exist r' such that c = gx'hr' Computationally binding: Let c, (x', r') and (x, r) s.t. c = gx'hr' = gxhr Then gx'-x = hr-r' and u = logg h = (x'-x)/(r-r') mod q
141 Commitment Scheme: Extended Features Proof of Knowledge of Contents m Proof m true Proof of Relations among Contents m, m' Proof m = 2 m' m m' true
142 Commitment Scheme: Extended Features Let C1 = gmhr and C' = gm'hr then: m Proof m true PK{(α,β): C = gβhα } m, m' Proof m = 2 m' PK{(α,β,γ): m m' true C' = gβhα C = (g2)βhγ }
143 putting things together 143
144 Realizing Pseudonyms and Key Binding! Let G = <g> = <h> of order q! User's secret key: random sk Zq! To compute a pseudonym Nym Choose random r Zq Compute Nym = gskhr 144
145 Privacy-protecting authentication with Privacy ABCs Like PKI, but better:! Issuing a credential Name = Alice Doe Birth date = April 3, 1997 Concept: credentials 145
146 Realizing Issuance of Credential Recall: a signature (c,e,s) on messages m1,..., mk: m1,..., mk Є {0,1}ℓ: e > 2ℓ+1 e d = c a m1... a 1 mk k bs mod n Problem: Pseudonym not in message space! Solution: Sign secret key instead d = ce a 1 sk a 2 m2... a mk k bs mod n New Problem: how can we sign a secret message? 146
147 Realizing Issuance of Credential n, ai, b, d C=a 1 sk bs'
148 Realizing Issuance of Credential σ' } {( K P C=a 1 sk σ, 1 µ ' ): C C n, ai, b, d µ1 b a = 1 e m a,n bs'
149 Realizing Issuance of Credential n, ai, b, d σ' } {( K P C=a 1 sk σ, 1 µ ' ): C C µ1 b a = 1 e m a,n ) s, e, c ( c = (d/c a name 2 bs )1/e mod n bs'
150 Realizing Issuance of Credential n, ai, b, d σ' } {( K P C=a 1 sk σ, 1 µ ' ): C C µ1 b a = 1 e m a,n ) s, e, c ( c = (d/c a name 2 bs )1/e mod n bs' d = ce a sk 1 a 2 name bs + s' (mod n)
151 Realizing Issuance of Credential Want to sign w.r.t. Nym = gskhr n, ai, b, d
152 Realizing Issuance of Credential Want to sign w.r.t. Nym = gskhr ρ µ1 h =g {(µ K P 1 n, ai, b, d σ' } m m a y n N, : m ) y,σ' N ρ, C, C ρ b 1 µ a2 a = 1 stores Nym, name e c = (d/c a name 3 bs )1/e mod n sk r Nym = g h C=a 1 sk a r 2 bs' d = ce a sk 1 a ra 2 3 name bs + s' (mod n)
153 Polling: Scenario and Requirements Scenario:! Pollster(s) and a number of users! Only registered user (e.g., students who took a course) can voice opinion (e.g., course evaluation)! User can voice opinion only once (subsequent attempts are dropped)! Users want to be anonymous! A user's opinion in different polls must not be linkable
154 Polling Solution: Registration (n,a1,a2,b,d)! User generates pseudonym (ID for registration)! User obtains credential on pseudonym stating that she is eligible for polls, i.e., (c,e,s) d = ce a sk 1 a 2 r a 3 attr bs (mod n)! Credential can contain attributes (e.g., course ID) about her
155 Polling Solution: Submit Poll 1. User generates domain pseudonym, domain = pollid 2. User transforms credential 3. Transformed credential with a subset of the attributes User is anonymous and unlinkable Multiple opinions are detected because uniqueness of domain pseudonym
156 Polling Solution: Polling 1. Domain pseudonym: P = gdsk = H(pollID)sk P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble (under the Decisional Diffie-Hellman assumption) 2. User transforms credential: c' = c bs'mod n with randomly chosen s' SPK{(ε, µ1, µ2, µ3,σ) : P = gdµ1 d := c'ε a1µ1 a2µ2a3µ3b σ (mod n) µ1, µ2, µ3 Є {0,1}ℓ ε > 2ℓ+1 }(opinion)
157 Concept Inspection Inspector parameters TTP Inspection grounds If car is damaged: ID with insurance or gov't needs be retrieved Similarly: verifiably encrypt any certified attribute (optional) TTP is off-line & can be distributed to lessen trust 157
158 Public Key Encryption Key Generation Encryption Decryption
159 Security Like Envelopes!? No info about message
160 Security Like Envelopes!? or? This is called semantic security (secure if used once only.)
161 ElGamal Encryption Scheme! Group G = <g> of order q! Secret Key Group x Є {1,...,q}; Public key y = gx! To encrypt message m Є <g>: choose random r Є {1,...,q}; compute c = (yr m, gr)! To decrypt ciphertext c = (c1,c2) We know c = (yr m, gr) = (gxr m, gr) Thus set m = c1 c2-x = yr m g-xr = yr-r m = m
162 Realizing Inspection Nym Nym = gskhr y= gx d = ce a ska ra name bs + s' (mod n) 1 2 3! Encrypt Nym : random u Є {1,...,q} and enc = (yu Nym, gu) = (e1,e2)! Compute proof token (presentation token): compute c' = c btmod n with randomly chosen t compute proof PK{(ε, µ1, µ2, µ3, σ) : d := c'ε a1µ1a2µ2a3µ3b σ e1 = yρ gµ1hµ2 e2 = gρ» µ1, µ3, µ3 Є {0,1}ℓ ε > 2ℓ+1 }
163 Revocation of credentials
164 Anonymous Credential Revocation various reasons to revoke credential & user lost credential / secret key & misbehavior of user publishes revocation info looks up Alice should be able to convince verifier that her credential is among the good ones! 164
165 Anonymous Credential Revocation & Pseudonyms standard revocation lists don't work? 165
166 Revocable Credentials: First Solution! Include into credential some credential ID ui as message, e.g., d = ce a 1 sk a 2 ui bs + s' (mod n)! Publish list of all valid (or invalid) ui's. (u1,..., uk)! Alice proves that her ui is on the list. Choose random g Compute Uj = guj for uj in (u1,..., uk) Prove PK{(ε, µ, ρ, σ) : ( d = c'ε a ρa µ b σ (n) U1 = gµ ) 1 2 (( ( (d = c'ε a ρa µ b σ (mod n) Uk = gµ ) } 1 2! Not very efficient, i.e., linear in size k of list :-(
167 Revocable Credentials: Second Solution! Include into credential some credential ID ui as message, e.g., d = ce a ska ui bs + s' (mod n) 1 2! Publish list of all invalid ui's. (u1,..., uk)! Alice proves that her ui is not on the list. Choose random h and compute U = hui Prove PK{(ε, µ, ρ, σ) : d = c'ε a ρa µ b σ (mod n) 1 2 U = hµ } Verifier checks whether U = huj for all uj on the list.! Better, as only verifier needs to do linear work (and it can be improved using so-call batch-verification...)! What happens if we make the list of all valid ui's public?! If credential is revoked, all past transactions become linkable...
168 Revocable Credentials: Second Solution Variation: verifier could choose h and keep it fixed for a while! Can pre-compute list Ui = hui! single table lookup! BUT: if user comes again, verifier can link!!!! ALSO: verifier could not change h at all! or use the same as other verifiers! one way out h = H(verifier, date), so user can check correctness. date could be the time up to seconds and the verifier could just store all the lists, i.e., pre-compute it.
169 Revocable Credentials: Second Solution better implementation of proof : Issuer signs intervals between revoked # revocation list: #1,#4,#5, Sig( 0,#1) Sig(#1,#4) Sig(#4,#5) Sig(#5, N ) #3 #3 #3 Verifier does not learn #, #i, #j! #3 contains # where #i < # <#j and Sig(#i,#j) Sig(#i,#j) can be realised also with credential signature scheme, using different public key
170 Revocable Credentials: Third Solution Using cryptographic accumulators: credentials contain random serial number # Issuer accumulates all "good" serial numbers #2 #3 #1 #2 #2 #6 #4 #5 #2 contains # that is included in Proof requires witness
171 Revocable Credentials: Third Solution Using cryptographic accumulators: to revoke #2 issuer publishes new accumulator & new witnesses for unrevoked credentials #2 #3 #1 #2 #2 #6 #4 #5 #2 contains # that is included in Proof would require witness
172 Revocable Credentials: Third Solution #2 Using so-called cryptographic accumulators:! Key setup: RSA modulus n, seed v #3 #1! Accumulate: values are primes ei #6 #4 #5 accumulator value: z = v Π ei mod n publish z and n witness value x for ej : s.t. z = x ej mod n can be computed as x = v e1... ej-1 ej+1... ek mod n! Show that your value e is contained in accumulator: provide x for e verifier checks z = x e mod n
173 Revocable Credentials: Third Solution Security of accumulator: show that e s.t. z = x e mod n for e that is not contained in accumulator: For fixed e: Equivalent to RSA assumption Any e: Equivalent to Strong RSA assumption #2 #3 #1 #6 #4 #5 Revocation: Each cert is associated with an e and each user gets witness x with certificate. But we still need: Efficient protocol to prove that committed value is contained in accumulator. Dynamic accumulator, i.e., ability to remove and add values to accumulator as certificates come and go.
174 Revocable Credentials: Third Solution! Prove that your key is in accumulator: Commit to x: choose random s and g and compute U1 = x hs, U2 = gs and reveal U1,U2, g Run proof-protocol with verifier PK{(ε, µ, ρ, σ, ξ, δ) : d = c'ε a ρa µ b σ (mod n) z = U1µ(1/h)ξ (mod n) 1 2 µ ξ δ 1 = U2 (1/g) (mod n) U2 = g (mod n)}
175 Revocable Credentials: Third Solution! Analysis No information about x and e is revealed: (U1, U2) is a secure commitment to x proof-protocol is zero-knowledge Proof is indeed proving that e contained in the certificate is also contained in the accumulator: a) 1 = U2µ(1/g)ξ = (gδ)µ (1/g)ξ (mod n) => ξ = δ µ b) z = U1µ(1/h)ξ =U1µ(1/h)δ µ =(U1/hδ )µ c) d = c'ε a ρa µ b σ (mod n) 1 (mod n) 2
176 Revocation: Third Solution Dynamic Accumulator! When a new user gets a certificate containing enew Recall: z = v Π ei mod n Thus: z' = z enew mod n But: then all witnesses are no longer valid, i.e., need to be updated x' = x enew mod n
177 Revocation: Third Solution Dynamic Accumulator! When a certificate containing erev revoked Now z' = v Π ei = z 1/erev mod n Witness: Use Ext. Euclid to compute a and b s.t. a eown + b erev = 1 Now x' = x b z' a mod n Why: x'eown = ((x b z' a )eown) erev 1/erev mod n = ((x b z' a )eown erev ) 1/erevmod n = ((x eown) b erev (z' erev) a eown) 1/erev mod n = (z b erev z a eown ) 1/erev mod n = z 1/erev mod n = z' :-)
178 Revocation: Third Solution (improved) Dynamic Accumulator: in case the issuer knows the factorization of n! When a new user gets a certificate containing enew Recall: z = v Π ei mod n Actually v never occurs anywhere... so: v' = v 1/enew mod n and x = z 1/enew mod n Thus z needs not to be changed in case new member joins!! Witnesses need to be recomputed upon revocation only!
179 Revocation: Zeroth Solution Update of Credentials: encode validity time as attribute if credential is valid no need to check revocation updates from issuer no additional effort for verifier 179
180 Revocation: Zeroth Solution Re-issue certificates (off-line interaction might be too expensive) U Recall issuing for identity mixer: U := a 1 m1 a m2 2 bs' Choose e,s c = (d/(ua (c,e,s ) 3 m3 a 4 time bs ))1/e mod n
181 Revocation: Zeroth Solution Re-issue certificates (off-line interaction might be too expensive)! Idea: just repeat last step for each new time time': Choose ei,si ci = (d/(ua 3 m3' a 4 time' bsi ))1/ei mod n (ci,ei,si )! Update information (ci,ei,si ) can be pushed to user by many different means
182 References! D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT 87, vol. 304 of LNCS, pp Springer-Verlag, 1988.! S. Brands. Rapid demonstration of linear relations connected by boolean operators.in EUROCRYPT 97, vol of LNCS, pp Springer Verlag, 1997.! Mihir Bellare: Computational Number Theory Camenisch, Lysanskaya: Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. Crypto 2002, Lecture Notes in Computer Science, Springer Verlag.! Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer Verlag.! Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup: Credential Authenticated Identification and Key Exchange. CRYPTO 2010: ! Jan Camenisch, Maria Dubovitskaya, Gregory Neven: Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009: ! Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer Verlag.! M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko: The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3. Pages , Springer-Verlag, 2003.! E. Bangerter, J. Camenisch and A. Lyskanskaya: A Cryptographic Framework for the Controlled Release Of Certified Data. In Twelfth International Workshop on Security Protocols Stefan Brands: Untraceable Off-line Cash in Wallets With Observers: In Advances in Cryptology CRYPTO '93. Springer Verlag, 1993.! J. Camenisch and A. Lyskanskaya: Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation.
183 References! David Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM, Vol. 24 No. 2, pp , 1981.! David Chaum: Blind Signatures for Untraceable Payments. In Advances in Cryptology Proceedings of CRYPTO '82, 1983.! David Chaum: Security Without Identification: Transaction Systems to Make Big Brother obsolete: in Communications of the ACM, Vol. 28 No. 10, 1985.! Camenisch, Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003: ! Victor Shoup: A computational introduction to Number Theory and Algebra. Available from: D. Molnar and D. Wagner: Privacy and Security in Library RFID. Issues, Practices, and Architectures. In ACM CCS 2004.! G. Avoine, M.A. Bingöl, X. Carpent. S.B.O. Yalcin: Privacy-Friendly Authentication in RFID Systems: On Sublinear Protocols Based on Symmetric-Key Cryptography. In IEEE Transactions on Mobile Computing, 2013.! J.H. Cheon, J. Hong, G. Tsudik: Reducing RFID reader load with the meet-in-the-middle strategy. In Journal of Communications and Networks (14): (2012)! M. Ohkubo, K. Suzuki, S. Kinoshita: Efficient hash-chain based RFID privacy protection scheme. In: UbiComp Workshop, Ubicomp Privacy: Current Status and Future Directions (2004)! D. Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM.! D. Chaum: The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988.! J. Camenisch and V. Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology CRYPTO 2003.! J. Camenisch and A. Lysyanskaya: A Formal Treatment of Onion Routing. In Advances in Cryptology - CRYPTO 2005.! J. Camenisch and A.Mityagin: Mix-Network with Stronger Security. In Privacy Enhancing Technologies PET 2005.! T. ElGamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology CRYPTO '84.
184 Conclusions! Roadmap Explain possibilities to engineers, policy makers etc Usable prototypes Provide transparency Public infrastructure for privacy protection Laws with teeth (encourage investment in privacy)! Challenges Internet services get paid with personal data (inverse incentive) End users are not able to handle their data (user interfaces..) Security technology typically invisible and hard to sell! Towards a secure information society Society changes quickly and gets shaped by technology Consequences are hard to grasp (time will show...) We must inform and engage in a dialog 184
185 Thank you!! Links: idemixdemo.zurich.ibm.com! Code github.com/p2abcengine & abc4trust.eu/idemix 185
IBM Identity Mixer. Introduction Deployment Use Cases Blockchain More Features
Introduction Deployment Use Cases Blockchain More Features IBM Identity Mixer Privacy-preserving identity management and authentication for Blockchain and beyond Dr. Maria Dubovitskaya IBM Research Zurich
More informationCryptography 4 Privacy
SuRI School of Computer and Communication Sciences EPFL Cryptography 4 Privacy Jan Camenisch Principle RSM; Member, IBM Academy of Technology IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch Facts
More informationAnonymous Credentials and e-cash
Anonymous Credentials and e-cash Jan Camenisch Principle Researcher; TL Cryptography & Privacy IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch Facts 33% of cyber crimes, including identity theft,
More informationAuthentication without Identification. Jan Camenisch IBM Research - Zurich IBM Corporation
Authentication without Identification Jan Camenisch IBM Research - Zurich Facts We all increasingly conduct our daily tasks electronically...are becoming increasingly vulnerable to cybercrimes 2 Facts
More informationIBM Identity Mixer. Authentication without identification. Introduction Demo Use Cases Features Overview Deployment
Introduction Demo Use Cases Features Overview Deployment IBM Identity Mixer Authentication without identification Jan Camenisch, Maria Dubovitskaya, Peter Kalambet, Anja Lehmann, Gregory Neven, Franz-Stefan
More informationCryptography for People
CySeP2015 Winter School on Cyber Security & Privacy KTH Stockholm Cryptography for People Dr. Jan Camenisch Cryptography & Privacy Principal Research Staff Member Member, IBM Academy of Technology jca@zurich.ibm.com
More informationIdentity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation
Identity Mixer: From papers to pilots and beyond Gregory Neven, IBM Research Zurich Motivation Online security & trust today: SSL/TLS for encryption and server authentication Username/password for client
More informationCryptographic dimensions of Privacy
PRIVACY SUMMIT 2016 The Alain Turing Institute Cryptographic dimensions of Privacy Dr. Jan Camenisch Principle RSM; Member, IBM Academy of Technology IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch
More informationDirect Anonymous Attestation
Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with Ernie Brickell, Liqun Chen, Manu Drivers, Anja Lehmann. jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch
More informationPrivacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems. Anja Lehmann IBM Research Zurich
Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems Anja Lehmann IBM Research Zurich ROADMAP Anonymous Credentials privacy-preserving (user) authentication Pseudonym Systems privacy-preserving
More informationPrivacy-Enhancing Technologies & Applications to ehealth. Dr. Anja Lehmann IBM Research Zurich
Privacy-Enhancing Technologies & Applications to ehealth Dr. Anja Lehmann IBM Research Zurich IBM Research Zurich IBM Research founded in 1945 employees: 3,000 12 research labs on six continents IBM Research
More informationAnonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research
Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research Credentials: Motivation ID cards Sometimes used for other uses E.g. prove you re over 21, or
More informationPrivacy Privacy Preserving Authentication Schemes: Theory and Applications
Privacy Privacy Preserving Authentication Schemes: Theory and Applications 18 th Infocom World, Athens, Greece, 2016 Yannis C. Stamatiou Computer Technology Institute & Press Diophantus and Business Administration
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationAPPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1
APPLICATIONS AND PROTOCOLS Mihir Bellare UCSD 1 Some applications and protocols Internet Casino Commitment Shared coin flips Threshold cryptography Forward security Program obfuscation Zero-knowledge Certified
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationA simple approach of Peer-to-Peer E-Cash system
A simple approach of Peer-to-Peer E-Cash system Mr. Dharamvir, Mr. Rabinarayan Panda Asst. Professor, Dept. of MCA, The Oxford College of Engineering Bangalore, India. Abstract-With the popularization
More informationThe Design of an Anonymous and a Fair Novel E-cash System
International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 2, Number 2 (2012), pp. 103-109 International Research Publications House http://www. ripublication.com The Design of
More informationPrivacy Enhancing Technologies CSE 701 Fall 2017
Privacy Enhancing Technologies Lecture 2: Anonymity Applications Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Anonymous communication mixes, anonymizing proxies,
More informationDigital Cash Systems
Digital Cash Systems Xiang Yin Department of Computer Science McMaster University December 1, 2010 Outline 1 Digital Cash 2 3 4 5 Digital Cash Overview Properties Digital Cash Systems Digital Cash Digital
More informationMore crypto and security
More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationENEE 459-C Computer Security. Security protocols
ENEE 459-C Computer Security Security protocols Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p and g public.
More informationSecure Messaging Mobile App Privacy Policy. Privacy Policy Highlights
Secure Messaging Mobile App Privacy Policy Privacy Policy Highlights For ease of review, Everbridge provides these Privacy Policy highlights, which cover certain aspects of our Privacy Policy. Please review
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationOn the Revocation of U-Prove Tokens
On the Revocation of U-Prove Tokens Christian Paquin, Microsoft Research September nd 04 U-Prove tokens provide many security and privacy benefits over conventional credential technologies such as X.509
More informationProtocols for Anonymous Communication
18734: Foundations of Privacy Protocols for Anonymous Communication Anupam Datta CMU Fall 2016 Privacy on Public Networks } Internet is designed as a public network } Machines on your LAN may see your
More informationIssues. Separation of. Distributed system security. Security services. Security policies. Security mechanism
Module 9 - Security Issues Separation of Security policies Precise definition of which entities in the system can take what actions Security mechanism Means of enforcing that policy Distributed system
More informationCan eid card make life easier and more secure? Michal Ševčík Industry Solution Consultant Hewlett-Packard, Slovakia ITAPA, November 9 th, 2010
Can eid card make life easier and more secure? Michal Ševčík Industry Solution Consultant Hewlett-Packard, Slovakia ITAPA, November 9 th, 2010 Content eid Primary Functions eid Privacy Features and Security
More informationENEE 459-C Computer Security. Security protocols (continued)
ENEE 459-C Computer Security Security protocols (continued) Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationU-Prove Technology Overview
U-Prove Technology Overview November 2010 TOC Introduction Community Technology Preview Additional Capabilities RSA Demo Conclusion 2 Introduction History U-Prove well established in academia Patent portfolio
More informationUNIT - IV Cryptographic Hash Function 31.1
UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service
More informationAnonymity. Assumption: If we know IP address, we know identity
03--4 Anonymity Some degree of anonymity from using pseudonyms However, anonymity is always limited by address TCP will reveal your address address together with ISP cooperation Anonymity is broken We
More informationLecture 2 Applied Cryptography (Part 2)
Lecture 2 Applied Cryptography (Part 2) Patrick P. C. Lee Tsinghua Summer Course 2010 2-1 Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-2
More informationYou can find a brief summary of this Privacy Policy in the chart below.
In this policy Shine TV Limited with registered office at Shepherds Building Central, Charecroft Way, Shepherds Bush, London, W14 0EE, UK (Company or we) informs you about how we collect, use and disclose
More informationDistributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 26. Cryptographic Systems: An Introduction Paul Krzyzanowski Rutgers University Fall 2015 1 Cryptography Security Cryptography may be a component of a secure system Adding cryptography
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationBlockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric
Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric Elli Androulaki Staff member, IBM Research, Zurich Workshop on cryptocurrencies Athens, 06.03.2016 Blockchain systems
More informationkey distribution requirements for public key algorithms asymmetric (or public) key algorithms
topics: cis3.2 electronic commerce 24 april 2006 lecture # 22 internet security (part 2) finish from last time: symmetric (single key) and asymmetric (public key) methods different cryptographic systems
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationT Cryptography and Data Security
T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use
More informationKurose & Ross, Chapters (5 th ed.)
Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationNYMBLE: Blocking Misbehaving Users in Anonymizing Networks
RESEARCH ARTICLE OPEN ACCESS NYMBLE: Blocking Misbehaving Users in Anonymizing Networks 1 R.Ravikumar, 2 J.Ramesh Kumar 1 Asst.professor, Dept.of.Computer Science, Tamil University, Thanjavur-613010. 2
More informationPublic-Key Infrastructure NETS E2008
Public-Key Infrastructure NETS E2008 Many slides from Vitaly Shmatikov, UT Austin slide 1 Authenticity of Public Keys? private key Alice Bob public key Problem: How does Alice know that the public key
More informationMASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY
Effective Date: 12 September 2017 MASTERCARD PRICELESS SPECIALS INDIA PRIVACY POLICY Mastercard respects your privacy. This Privacy Policy describes how we process personal data, the types of personal
More informationConjure Network LLC Privacy Policy
Conjure Network LLC Privacy Policy Effective September 28, 2018 Conjure Network LLC ( Conjure, us, we, or our ) operates http://www.conjure.network (the Site or Website ). This Privacy Policy (the Policy
More informationSecurity & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of
Contents Security & Privacy Contents Web Architecture and Information Management [./] Spring 2009 INFO 190-02 (CCN 42509) Erik Wilde, UC Berkeley School of Information Abstract 1 Security Concepts Identification
More informationCSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L
CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any
More informationCS Paul Krzyzanowski
Computer Security 17. Tor & Anonymous Connectivity Anonymous Connectivity Paul Krzyzanowski Rutgers University Spring 2018 1 2 Anonymity on the Internet Often considered bad Only criminals need to hide
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ Privacy on Public Networks Internet is designed as a public network Wi-Fi access points,
More informationUsing Cryptography CMSC 414. October 16, 2017
Using Cryptography CMSC 414 October 16, 2017 Digital Certificates Recall: K pub = (n, e) This is an RSA public key How do we know who this is for? Need to bind identity to a public key We can do this using
More informationWebsite and Marketing Privacy Policy
Website and Marketing Privacy Policy In this policy Endemol Shine UK and its group of companies (Company or we) informs you about how we collect, use and disclose personal data from and about you and your
More informationPrivacy Information - Privacy and Cookies Policy In Full
Privacy Information - Privacy and Cookies Policy In Full Contents 1. Introduction & General Terms 2. Who are we? 3. What information will Gaucho collect about me? 4. How will Gaucho use the information
More informationDistributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018
Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationLecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.
15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationDefinition. Quantifying Anonymity. Anonymous Communication. How can we calculate how anonymous we are? Who you are from the communicating party
Definition Anonymous Communication Hiding identities of parties involved in communications from each other, or from third-parties Who you are from the communicating party Who you are talking to from everyone
More informationThe most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who
1 The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who exchange messages from any third party. However, it does
More informationBeam Technologies Inc. Privacy Policy
Beam Technologies Inc. Privacy Policy Introduction Beam Technologies Inc., Beam Dental Insurance Services LLC, Beam Insurance Administrators LLC, Beam Perks LLC, and Beam Insurance Services LLC, (collectively,
More informationSAFE-BioPharma RAS Privacy Policy
SAFE-BioPharma RAS Privacy Policy This statement discloses the privacy practices for the SAFE-BioPharma Association ( SAFE- BioPharma ) Registration Authority System ( RAS ) web site and describes: what
More informationBackground. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33
Background Network Security - Certificates, Keys and Signatures - Dr. John Keeney 3BA33 Slides Sources: Karl Quinn, Donal O Mahoney, Henric Johnson, Charlie Kaufman, Wikipedia, Google, Brian Raiter. Recommended
More informationAnonymity and Privacy
Computer Security Spring 2008 Anonymity and Privacy Aggelos Kiayias University of Connecticut Anonymity in networks Anonymous Credentials Anonymous Payments Anonymous E-mail and Routing E-voting Group,
More informationCertificateless Public Key Cryptography
Certificateless Public Key Cryptography Mohsen Toorani Department of Informatics University of Bergen Norsk Kryptoseminar November 9, 2011 1 Public Key Cryptography (PKC) Also known as asymmetric cryptography.
More informationNetwork Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010
Network Security: Anonymity Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010 Outline 1. Anonymity and privacy 2. High-latency anonymous routing 3. Low-latency anonymous routing Tor
More informationEagles Charitable Foundation Privacy Policy
Eagles Charitable Foundation Privacy Policy Effective Date: 1/18/2018 The Eagles Charitable Foundation, Inc. ( Eagles Charitable Foundation, we, our, us ) respects your privacy and values your trust and
More informationAn Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation
An Efficient System for Non-transferable Anonymous Credentials with ptional Anonymity Revocation Jan Camenisch IBM Research Zurich Research Laboratory CH 8803 Rüschlikon jca@zurich.ibm.com Anna Lysyanskaya
More informationCS 134 Winter Privacy and Anonymity
CS 134 Winter 2016 Privacy and Anonymity 1 Privacy Privacy and Society Basic individual right & desire Relevant to corporations & government agencies Recently increased awareness However, general public
More informationCryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III
Cryptography III Public-Key Cryptography Digital Signatures 2/1/18 Cryptography III 1 Public Key Cryptography 2/1/18 Cryptography III 2 Key pair Public key: shared with everyone Secret key: kept secret,
More informationDistributed Systems. Lecture 14: Security. Distributed Systems 1
06-06798 Distributed Systems Lecture 14: Security Distributed Systems 1 What is security? policies and mechanisms threats and attacks Overview Security of electronic transactions secure channels authentication
More informationPRIVACY POLICY VANTAGE HOMES
State of Colorado PRIVACY POLICY VANTAGE HOMES Rev. 133C579 Version Date: April 01, 2017 GENERAL Vantage Homes LLC ( Company or we or us or our ) respects the privacy of its users ( user or you ) that
More informationTopics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols
Cryptographic Protocols Topics 1. Dramatis Personae and Notation 2. Session and Interchange Keys 3. Key Exchange 4. Key Generation 5. Cryptographic Key Infrastructure 6. Storing and Revoking Keys 7. Digital
More informationDistributed Systems. Lecture 14: Security. 5 March,
06-06798 Distributed Systems Lecture 14: Security 5 March, 2002 1 What is security? policies and mechanisms threats and attacks Overview Security of electronic transactions secure channels authentication
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms
Public Key Cryptography Kurose & Ross, Chapters 8.28.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) AddisonWesley, April 2009. Copyright 19962010,
More informationComputer Security. 15. Tor & Anonymous Connectivity. Paul Krzyzanowski. Rutgers University. Spring 2017
Computer Security 15. Tor & Anonymous Connectivity Paul Krzyzanowski Rutgers University Spring 2017 April 24, 2017 CS 419 2017 Paul Krzyzanowski 1 Private Browsing Browsers offer a "private" browsing modes
More informationDROPBOX.COM - PRIVACY POLICY
Dropbox Privacy Policy Last Modified: October 15, 2012 This Privacy Policy provides our policies and procedures for collecting, using, and disclosing your information. Users can access the Dropbox service
More informationCS November 2018
Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University
More informationCS155b: E-Commerce. Lecture 6: Jan. 25, Security and Privacy, Continued
CS155b: E-Commerce Lecture 6: Jan. 25, 2001 Security and Privacy, Continued FIREWALL A barrier between an internal network & the Internet Protects the internal network from outside attacks Executes administrator-defined
More informationPrivate Browsing. Computer Security. Is private browsing private? Goal. Tor & The Tor Browser. History. Browsers offer a "private" browsing modes
Private Browsing Computer Security 16. Tor & Anonymous Connectivity Paul Krzyzanowski Rutgers University Spring 2017 Browsers offer a "private" browsing modes Apple Private Browsing, Mozilla Private Browsing,
More informationCS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD
ERIK JONSSON SCHOOL OF ENGINEERING & COMPUTER SCIENCE Cyber Security Research and Education Institute CS 6324: Information Security Dr. Junia Valente Department of Computer Science The University of Texas
More informationSecurity and Anonymity
Security and Anonymity Distributed Systems need a network to send messages. Any message you send in a network can be looked at by any router or machine it goes through. Further if your machine is on the
More informationSYDNEY FESTIVAL PRIVACY POLICY
1. Level 5, 10 Hickson Road The Rocks Sydney NSW 2000 Australia Phone 61 2 8248 6500 Fax 61 2 8248 6599 sydneyfestival.org.au ABN 60 070 285 344 SYDNEY FESTIVAL PRIVACY POLICY Our Commitment to your Privacy
More informationA Novel Identity-based Group Signature Scheme from Bilinear Maps
MM Research Preprints, 250 255 MMRC, AMSS, Academia, Sinica, Beijing No. 22, December 2003 A Novel Identity-based Group Signature Scheme from Bilinear Maps Zuo-Wen Tan, Zhuo-Jun Liu 1) Abstract. We propose
More informationOUR PRIVACY POLICY. 1. Our Privacy Principles. 2. Information that We Collect from You. Last Updated: May 25, 2018
Last Updated: May 25, 2018 OUR PRIVACY POLICY This privacy policy ( Privacy Policy ) describes how information and data is collected from you when you use this online website, mobile website, application
More informationPublic Key Algorithms
CSE597B: Special Topics in Network and Systems Security Public Key Cryptography Instructor: Sencun Zhu The Pennsylvania State University Public Key Algorithms Public key algorithms RSA: encryption and
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes
More informationForschungsrichtungen in der IT-Sicherheit
Forschungsrichtungen in der IT-Sicherheit Dr. Jan Camenisch Principle Researcher; Member, IBM Academy of Technology IBM Research Zurich jca@zurich.ibm.com @JanCamenisch ibm.biz/jancamenisch Facts 33% of
More informationLecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.
Lecture 13 Public Key Distribution (certification) 1 PK-based Needham-Schroeder TTP 1. A, B 4. B, A 2. {PKb, B}SKT B}SKs 5. {PK a, A} SKT SKs A 3. [N a, A] PKb 6. [N a, N b ] PKa B 7. [N b ] PKb Here,
More informationLecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005
Lecture 30 Security April 11, 2005 Cryptography K A ciphertext Figure 7.3 goes here K B symmetric-key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Symmetric
More informationCOMPGA12 1 TURN OVER
Applied Cryptography, COMPGA12, 2009-10 Answer ALL questions. 2 hours. Marks for each part of each question are indicated in square brackets Calculators are NOT permitted 1. Multiple Choice Questions.
More informationLast updated 31 March 2016 This document is publically available at
PRIVACY POLICY Last updated 31 March 2016 This document is publically available at http://www.conexusfinancial.com.au/privacy 1. INTRODUCTION This Privacy Policy sets out our commitment to protecting the
More informationCS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?
50fb6be35f4c3105 9d4ed08fb86d8887 b746c452a9c9443b 15b22f450c76218e CS 470 Spring 2018 9df7031cdbff9d10 b700a92855f16328 5b757e66d2131841 62fedd7d9131e42e Mike Lam, Professor Security a.k.a. Why on earth
More informationETSY.COM - PRIVACY POLICY
At Etsy, we value our community. You trust us with your information, and we re serious about that responsibility. We believe in transparency, and we re committed to being upfront about our privacy practices,
More informationChapter 13. Digital Cash. Information Security/System Security p. 570/626
Chapter 13 Digital Cash Information Security/System Security p. 570/626 Introduction While cash is used in illegal activities such as bribing money laundering tax evasion it also protects privacy: not
More information