Cryptography 4 People

Transcription

1 International Workshop on Inference & Privacy in a Hyperconnected World 2016 Cryptography 4 People Jan Camenisch Principle RSM; Member, IBM Academy of Technology IBM Research ibm.biz/jancamenisch

2 Facts We increasingly conduct our daily task electronically, in an increasingly electronic environment, and...are becoming increasingly vulnerable to cybercrimes 2

3 Facts 33% of cyber crimes, including identity theft, take less time than to make a cup of tea. 3

4 Facts 10 Years ago, your identity information on the black market was worth $150. Today. 4

5 Facts $4'500'000'000 cost of identity theft worldwide 5

6 Houston, we have a problem! ﾩ 6

7 Houston, we have a problem! ﾩ Buzz Aldrin's footprints are still up there (Robin Wilton) 7

8 Computers don't forget " Apps built to use & generate (too much) data " Data is stored by default " Data mining gets ever better " New (ways of) businesses using personal data " Humans forget most things too quickly " Paper collects dust in drawers 8

9 Where's all my data? The ways of data are hard to understand " Devices, operating systems, & apps are getting more complex and intertwined Mashups, Ad networks Machines virtual and realtime configured Not visible to users, and experts Data processing changes constantly " IoT makes things harder still unprotected network, devices with low footprint different operators no or small UI No control over data and far too easy to loose them 9

10 The real problem Applications are designed with the sandy beach in mind but are then built on the moon. Feature creep, security comes last, if at all Everyone can do apps and sell them Networks and systems hard not (well) protected 10

11 Security & Privacy is not a lost cause! We need paradigm shift: build stuff for the moon rather than the sandy beach! 11

12 Security & Privacy is not a lost cause! That means: " Reveal only minimal data necessary " Encrypt every bit " Attach usage policies to each bit Cryptography can do that! 12

13 Cryptography to the Aid 13

14 Vehicle-to-vehicle/infrastructure/cloud communication Secure communication requirements: Security: authenticate real vehicles to prevent attacker from disrupting traffic Privacy: impossible to track individual vehicles V2V/V2I: high message frequency, low communication bandwidth V2Cloud: less resource-critical 14

15 privacy Anonymous authentication with classical crypto same signing key built into all vehicles perfect privacy bad security: key compromised revoke all vehicles same key in batches of vehicles poor privacy: only anonymous within batch poor security: only anonymous security 15 Car2Car online pseudonym authority: authority becomes security/efficiency bottleneck vehicles have to store/fetch fresh pseudonyms different signing key in each vehicle good security no privacy: vehicles traceable by their public keys

16 Privacy ABCs in V2V: privacy and security can co-exist Different key ( credential ) in each vehicle, can be individually revoked optimal privacy optimal security Offline authority (or multiple) can de-anonymize signatures Vehicles can locally self-certify pseudonyms no server interaction needed optionally limit number of pseudonyms per vehicle/day/... Big challenge: efficiency (signature size + computation) 16

17 Privacy-ABCs Identity Mixer 17

18 Privacy-protecting authentication with Privacy ABCs Users' Keys: " One secret Identity (secret key) " Many Public Pseudonyms (public keys) " Variation: domain pseudonym unique per domain use a different identity for each communication partner or even transaction 18

19 Privacy-protecting authentication with Privacy ABCs Certified attributes from Identity provider " Issuing a credential Name = Alice Doe Birth date = April 3,

20 Privacy-protecting authentication with Privacy ABCs Certified attributes from purchasing department " Issuing a credential 20

21 Privacy-protecting authentication with Privacy ABCs I wish to see Alice in Wonderland You need: - subscription - be older than 12 21

22 Privacy-protecting authentication with Privacy ABCs Proving identity claims " but does not send credentials " only minimal disclosure - valid subscription - eid with age 12 22

23 Proving Identity Claims: Minimal Disclosure 23 Alice Doe Age: 12+ Hauptstr 7, Zurich CH single Exp. Valid ve r ID ified ve r ID ified Alice Doe Dec 12, 1998 Hauptstr. 7, Zurich CH single Exp. Aug 4, 2018

24 Privacy-protecting authentication with Privacy ABCs Proving identity claims " but does not send credential " only minimal disclosure (Public Verification Key of issuer) Aha, you are - older than 12 - have a subscription Transaction is not linkable to any other of Alice's transactions! 24

25 Healthcare Use Case Anonymous consultations with specialists online chat with at physician / online consultation with IBM Watson to check eligibility Alice gets a health insurance credential Insurance 1. Alice proves she has insurance 2. Alice describes symptoms 3. Alice gets credential that she is allowed to get treatment Health portal 4. Alice gets treatment from physician, hospital, etc Insurance Alice sends bill to insurance and proves that she had gotten the necessary permission for the treatment.

26 Concept: Inspection TTP If car is broken: ID with insurance needs be retrieved Can verifiably encrypt any certified attribute (optional) TTP is off-line & can be distributed to lessen trust 26

27 You might already have Identity Mixer on your devices Identity Mixer (and related protocols) in standards " TPM V1.2 (2004) and V2.0 (2015) call it Direct Anonymous Attestation " FIDO Alliance authentication is standardizing this as well (w/ and w/out chip) TPMs allow one to store secret key in a secure place! Alice 27

28 Unlinkable Identifiers for Databases [Camenisch Lehmann CCS' 15] 28

29 How to maintain related yet distributed data? Example use case: social security system " Different entities maintain data of citizens " Eventually data needs to be exchanged or correlated Health Insurance Doctor A Doctor B Hospital Pension Fund Tax Authority Welfare Center Many other different use case: IoT, Industry 4.0, Home Appliances, Metering,... 29

30 Globally Unique Identifier " user data is associated with globally unique identifier e.g., social security number, insurance ID Doctor A ID Data Alice.1210 " different entities can easily share & link related data records Bob.0411 Record of Bob.0411? Carol.2503 Hospital ID Data Bob.0411 Carol.2503 Dave

31 Globally Unique Identifier " user data is associated with globally unique identifier e.g., social security number, insurance ID Doctor A ID Data Alice.1210 " different entities can easily share & link related data records Bob.0411 Record of Bob.0411? Carol.2503 Hospital + simple data exchange no control about data exchange if records are lost, pieces can be linked together data has high-value requires strong protection 31 ID Data Bob.0411 Carol.2503 Dave.1906

32 Using Privacy-ABCs to derive Identifiers Doctor A ID Data fadl039nd d028naid8 10nziadod " Use Domain pseudonym Hospital ID Data o1anlpzad Landi1nad p1mslzna 32

33 Using Privacy-ABCs to derive Identifiers Doctor A ID Data fadl039nd d028naid8 10nziadod " Use Domain pseudonym " Needs credential to ensure consistency Hospital ID Data o1anlpzad Landi1nad p1mslzna 33

34 Using Privacy-ABCs to derive Identifiers Doctor A ID Data fadl039nd d028naid8 10nziadod " Use Domain pseudonym " Needs credential to ensure consistency Can also transfer attributes proof of ownership of pseudonym 34 Hospital ID Data o1anlpzad Landi1nad p1mslzna

35 Using Privacy-ABCs to derive Identifiers Doctor A ID Data fadl039nd d028naid8 10nziadod " Use Domain pseudonym " Needs credential to ensure consistency Can also transfer attributes proof of ownership of pseudonym " Approach also works for IoT collected data authenticate data with pseudonym & credentials Hospital ID Data o1anlpzad Landi1nad p1mslzna data exchange needs to involve user + control about data exchange + lost records are cannot be linked together 35

36 Local Pseudonyms & Trusted Converter " central converter derives independent server-local identifiers from unique identifier " user data is associated with (unlinkable) server-local identifiers aka pseudonyms " only converter can link & convert pseudonyms central hub for data exchange Doctor A ID Data Hba02 P89dy Converter Main ID ID-A ID-H Alice.1210 Hba02 7twnG Bob.0411 P89dy ML3m5 Carol uj sd7ab Dave G3wx y2b4m 912uj Hospital ID Data ML3m5 sd7ab y2b4m 36

37 Local Pseudonyms & Trusted Converter " central converter derives independent server-local identifiers from unique identifier " user data is associated with (unlinkable) server-local identifiers aka pseudonyms " only converter can link & convert pseudonyms central hub for data exchange Doctor A Record of P89dy from Hospital? ID-A ID-H Alice.1210 Hba02 7twnG Bob.0411 P89dy ML3m5 Carol uj sd7ab Dave G3wx y2b4m Data Hba02 P89dy Converter Main ID ID 912uj Record of ML3m5? Hospital ID Data ML3m5 sd7ab y2b4m 37

38 Local Pseudonyms & Trusted Converter " central converter derives independent server-local identifiers from unique identifier " user data is associated with (unlinkable) server-local identifiers aka pseudonyms " only converter can link & convert pseudonyms central hub for data exchange Doctor A Record of P89dy from Hospital? ID-A ID-H Alice.1210 Hba02 7twnG Bob.0411 P89dy ML3m5 Carol uj sd7ab Dave G3wx y2b4m Data Hba02 P89dy Converter Main ID ID 912uj Record of ML3m5? Hospital + control about data exchange + if records are lost, pieces cannot be linked together ID Data ML3m5 sd7ab y2b4m converter learns all request & knows all correlations 38

39 (Un)linkable Pseudonyms Pseudonym Generation " converter & servers jointly derive pseudonyms from unique identifiers servers do not learn unique identifiers, converter does not learn the pseudonyms P89dy Doctor A ID Data Hba02 Converter Main ID Pseudonym for Doctor A P89dy 912uj Alice.1210 Bob.0411 Carol.2503 Dave

40 (Un)linkable Pseudonyms Pseudonym Conversion " converter & servers jointly derive pseudonyms from unique identifiers servers do not learn unique identifiers, converter does not learn the pseudonyms " only converter can link & convert pseudonyms but does so in a blind way Doctor A ID Data Hba02 Converter P89dy 912uj 40

41 (Un)linkable Pseudonyms Pseudonym Conversion " converter & servers jointly derive pseudonyms from unique identifiers servers do not learn unique identifiers, converter does not learn the pseudonyms " only converter can link & convert pseudonyms but does so in a blind way Converter Record of P89dy at Hospital Doctor A Record of P89dy at Hospital Record of P89dy at Hospital blind conversion request ID Data Hba02 P89dy 912uj Hospital ID Data ML3m5 sd7ab y2b4m 41

42 (Un)linkable Pseudonyms Pseudonym Conversion " converter & servers jointly derive pseudonyms from unique identifiers servers do not learn unique identifiers, converter does not learn the pseudonyms " only converter can link & convert pseudonyms but does so in a blind way Converter Record of P89dy at Hospital Doctor A Record of P89dy at Hospital Record of P89dy at Hospital blind conversion request blind conversion Record of P89dy? ID Data Hba02 P89dy 912uj unblinding conversion response Record of P89dy? Record of ML3m5? Hospital ID Data ML3m5 sd7ab y2b4m 42

43 (Un)linkable Pseudonyms Security " converter & servers jointly derive pseudonyms from unique identifiers servers do not learn unique identifiers, converter does not learn the pseudonyms " only converter can link & convert pseudonyms but does so in a blind way Converter Record of P89dy at Hospital Doctor A Record of P89dy at Hospital Record of P89dy at Hospital blind conversion request blind conversion Record of P89dy? Hba02 P89dy 912uj Record of P89dy? + converter does not learn pseudonyms in request can not even tell if requests are for the same pseudonym + converter can not link data itself Data unblinding conversion response + control about data exchange + if records are lost, pieces cannot be linked together 43 ID Record of ML3m5? Hospital ID Data ML3m5 sd7ab y2b4m

44 (Un)linkable Pseudonyms Consistency " pseudonyms are unique & consistent generation is deterministic, injective and consistent with blind conversion P89dy Doctor A ID Data Hba02 P89dy Converter 912uj Main ID Bob.0411 ML3m5 Hospital ID Data ML3m5 sd7ab y2b4m 44

45 (Un)linkable Pseudonyms Consistency " pseudonyms are unique & consistent generation is deterministic, injective and consistent with blind conversion conversions are consistent and transitive Invoice for P89dy Doctor A ID Data Hba02 P89dy Converter 912uj Invoice for Invoice for ML3m5 RtE14 Insurance ID Data 6Wz6P $ $ $ fx4o7 RtE14 45 Hospital ID Data ML3m5 sd7ab y2b4m

46 (Un)linkable Pseudonyms Construction " security formally defined in the Universal Composability (UC) framework ideal functionality describing the optimal behaviour of such a system converter and servers can be fully corrupt " provably secure construction based on homomorphic encryption scheme (ElGamal encryption) verifiable pseudorandom function (Dodis-Yampolskiy-PRF) pseudorandom permutation ( lazy sampling ) dual-mode and standard signature schemes (AGOT+, Schnorr signatures) zero-knowledge proofs (Fiat-Shamir NIZKs with trapdoored ElGamal) 46

47 High-level Idea Pseudonym Generation " converter X and server SA jointly compute a pseudonym nymi,a for user uidi X's input: unique user-id uidi and server ID SA 1) compute global core identifier using secret key k zi PRF(k,uidi) 2) compute server-local inner pseudonym using server-specific secret key xa xnymi,a zixa Server A ka, ska xnymi,a Converter X k, skx, for each server: xa, xb, xc, 47 3) compute final pseudonym using a secret key ka nymi,a PRP(kA,xnymi,A)

48 High-level Idea Pseudonym Conversion " server SA wishes to convert a pseudonym nymi,a for server SB SA's input: nymi,a, SB, qid Server A ka,ska Server B kb,skb Converter X k, skx, for each server: xa, xb, xc, 48

49 High-level Idea Pseudonym Conversion " server SA wishes to convert a pseudonym nymi,a for server SB nymi,a SA's input: nymi,a, SB, qid xnymi,a = zixa Server A ka,ska Server B kb,skb Converter X k, skx, for each server: xa, xb, xc, xnymi,b = zixb nymi,b 49

50 High-level Idea Pseudonym Conversion " server SA wishes to convert a pseudonym nymi,a for server SB nymi,a PRP-1(kA, nymi,a) SA's input: nymi,a, SB, qid xnymi,a = zixa Converter X Server A ka,ska Server B kb,skb xnymi,b = xnymi,a xb /xa k, skx, for each server: xa, xb, xc, xnymi,b = zixb PRP(kB, xnymi,b) nymi,b 50

51 High-level Idea Pseudonym Conversion " server SA wishes to convert a pseudonym nymi,a for server SB SA's input: nymi,a, SB, qid 1) re-obtain xnymi,a PRP-1(kA, nymi,a) 2) encrypt xnymi,a under SB's and Converter X''s key C Enc(pkX, (Enc(pkB, xnymi,a)) C, SB, qid Server A ka,ska Server B kb,skb Converter X k, skx, for each server: xa, xb, xc, 51

52 High-level Idea Pseudonym Conversion " server SA wishes to convert a pseudonym nymi,a for server SB SA's input: nymi,a, SB, qid 1) re-obtain xnymi,a PRP-1(kA, nymi,a) 2) encrypt xnymi,a under SB's and Converter X''s key C Enc(pkX, (Enc(pkB, xnymi,a)) C, SB, qid Server A ka,ska Server B kb,skb Converter X k, skx, for each server: xa, xb, xc, 3) decrypt first layer as C' Dec(skX, C) 4) blindly transform encrypted pseudonym C'' C' Δ with Δ = xb / xa C'' = Enc(pkB, xnymi,a) xb / xa C'' = Enc(pkB, PRF(k,uidi) xa) xb / xa C'' = Enc(pkB, PRF(k,uidi) xb) C'' = Enc(pkB, xnymi,b) 52

53 High-level Idea Pseudonym Conversion " server SA wishes to convert a pseudonym nymi,a for server SB SA's input: nymi,a, SB, qid 1) re-obtain xnymi,a PRP-1(kA, nymi,a) 2) encrypt xnymi,a under SB's and Converter X''s key C Enc(pkX, (Enc(pkB, xnymi,a)) C, SB, qid Server A ka,ska Server B kb,skb Converter X k, skx, for each server: xa, xb, xc, C'', SA, qid 3) decrypt first layer as C' Dec(skX, C) 4) blindly transform encrypted pseudonym C'' C' Δ with Δ = xb / xa C'' = Enc(pkB, xnymi,a) xb / xa C'' = Enc(pkB, PRF(k,uidi) xa) xb / xa Enc(pkB, PRF(k,uidi) xb) 5) decrypt inner pseudonym xnymi,b Dec(skB, C'') 6) compute final pseudonym as nymi,b PRP(kB, xnymi,b) C'' = C'' = Enc(pkB, xnymi,b) 53

54 High-level Idea Active Corruptions Converter X xnymi,a xnymi,a PRF(k,uidi) xa Server A nymi,a PRP(kA,xnymi,A) Generation Conversion C, SB, qid Converter X C'' Dec(skX, C) xb / xa Server A C Enc(pkX, (Enc(pkB, xnymi,a)) C'', SA, qid Server B nymi,b PRP(kB,Dec(skB, C'')) 54

55 High-level Idea Active Corruptions (Server) " ensure that servers can convert only their pseudonyms Converter X xnymi,a xnymi,a PRF(k,uidi) xa Server A nymi,a PRP(kA,xnymi,A) Generation Conversion C, SB, qid Converter X C'' Dec(skX, C) xb / xa Server A C Enc(pkX, (Enc(pkB, xnymi,a)) C'', SA, qid Server B nymi,b PRP(kB,Dec(skB, C'')) 55

56 High-level Idea Active Corruptions (Server) " ensure that servers can convert only their pseudonyms generation: bind pseudonym nymi,a to server SA via server-specific signature conversion: SA proves that C contains a correctly signed pseudonym Converter X xnymi,a xnymi,a PRF(k,uidi) xa Server A nymi,a PRP(kA,xnymi,A) Generation Conversion C, SB, qid, πa Converter X C'' Dec(skX, C) xb / xa Server A C Enc(pkX, (Enc(pkB, xnymi,a)) C'', SA, qid Server B nymi,b PRP(kB,Dec(skB, C'')) 56

57 High-level Idea Active Corruptions (Server) " ensure that servers can convert only their pseudonyms generation: bind pseudonym nymi,a to server SA via server-specific signature conversion: SA proves that C contains a correctly signed pseudonym " challenge: how to sign pseudonyms in a blind conversion? Converter X xnymi,a xnymi,a PRF(k,uidi) xa Server A nymi,a PRP(kA,xnymi,A) Generation Conversion C, SB, qid, πa Converter X C'' Dec(skX, C) xb / xa Server A C Enc(pkX, (Enc(pkB, xnymi,a)) C'', SA, qid Server B nymi,b PRP(kB,Dec(skB, C'')) 57

58 High-level Idea Active Corruptions (Server) " ensure that servers can convert only their pseudonyms generation: bind pseudonym nymi,a to server SA via server-specific signature conversion: SA proves that C contains a correctly signed pseudonym " challenge: how to sign pseudonyms in a blind conversion? dual-mode signatures: signature on ciphertext, can be decrypted to signature on plaintext Converter X xnymi,a xnymi,a PRF(k,uidi) xa Server A nymi,a PRP(kA,xnymi,A) Generation Conversion C, SB, qid, πa Converter X C'' Dec(skX, C) xb / xa Server A C Enc(pkX, (Enc(pkB, xnymi,a)) C'', SA, qid Server B nymi,b PRP(kB,Dec(skB, C'')) 58

59 High-level Idea Active Corruptions (Server) " ensure that servers can convert only their pseudonyms generation: bind pseudonym nymi,a to server SA via server-specific signature conversion: SA proves that C contains a correctly signed pseudonym " challenge: how to sign pseudonyms in a blind conversion? dual-mode signatures: signature on ciphertext, can be decrypted to signature on plaintext Converter X xnymi,a xnymi,a PRF(k,uidi) xa Server A nymi,a PRP(kA,xnymi,A) Generation Conversion C, SB, qid, πa Converter X C'' Dec(skX, C) xb / xa Server A C Enc(pkX, (Enc(pkB, xnymi,a)) C'', SA, qid Server B nymi,b PRP(kB,Dec(skB, C'')) 59

60 High-level Idea Active Corruptions (Converter) " ensure consistency of pseudonyms and conversions even in the presence of a corrupt converter let converter X prove correctness of his computations via NIZKs Converter X xnymi,a xnymi,a PRF(k,uidi) xa Server A nymi,a PRP(kA,xnymi,A) Generation Conversion C, SB, qid, πa Converter X C'' Dec(skX, C) xb / xa Server A C Enc(pkX, (Enc(pkB, xnymi,a)) C'', SA, qid Server B nymi,b PRP(kB,Dec(skB, C'')) 60

61 High-level Idea Active Corruptions (Converter) " ensure consistency of pseudonyms and conversions even in the presence of a corrupt converter let converter X prove correctness of his computations via NIZKs Converter X xnymi,a,πnym xnymi,a PRF(k,uidi) xa Server A nymi,a PRP(kA,xnymi,A) Generation Conversion C, SB, qid, πa Converter X C'' Dec(skX, C) xb / xa Server A C Enc(pkX, (Enc(pkB, xnymi,a)) C'', C,πA,πX, SA, qid Server B nymi,b PRP(kB,Dec(skB, C'')) 61

62 High-level Idea Active Corruptions (Converter) " ensure consistency of pseudonyms and conversions even in the presence of a corrupt converter let converter X prove correctness of his computations via NIZKs " pseudonym generation can be anonymous or not non-anon: Server SA can verify that xnymi,a was correctly derived from uidi option important for bootstrapping / migration Converter X xnymi,a, πnym,, (uidi) xnymi,a PRF(k,uidi) xa Server A nymi,a PRP(kA,xnymi,A) Generation Conversion C, SB, qid, πa Converter X C'' Dec(skX, C) xb / xa Server A C Enc(pkX, (Enc(pkB, xnymi,a)) C'', C,πA,πX, SA, qid Server B nymi,b PRP(kB,Dec(skB, C'')) 62

63 (Un)linkable Pseudonyms Efficiency & Summary efficiency security against corrupt converter and corrupt servers: generation (X +SA): 15 exponentiations + 8 pairings conversion (X +SA+SB): 84 exponentiations + 30 pairings more efficient variant if converter is honest-but-curious (but servers fully corrupt) generation (X +SA): 7 exponentiations conversion (X +SA+SB): 40 exponentiations + 16 pairings (most exp. can be merged into multi-exponentiations) (un)linkable pseudonyms without trusted converter unlinkable data storage with controlled data exchange servers maintain data w.r.t. local, random-looking pseudonyms pseudonyms can only be linked via a central converter conversions done in a blind way converter must not be a trusted entity efficient and provably secure protocol paradigm shift: unlinkable as default, linkable only when necessary 63

64 Further Research Needed! " Securing the infrastructure & IoT ad-hoc establishment of secure authentication and communication audit-ability & privacy (where is my information, crime traces) security services, e.g., better CA, oblivious TTPs, anon. routing, " Usability HCI Infrastructure (setup, use, changes by end users) " Provably secure protocols Properly modeling protocols (UC, realistic attacks models,...) Verifiable security proofs Retaining efficiency 64

65 Further Research Needed! " Quantum Computers Lots of new crypto needed still Build apps algorithm agnostic " Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog 65

66 Conclusion Let engage in some rocket science! " Much of the needed technology exists " need to use them & build apps for the moon " and make apps usable & secure for end users Thank you! Joint work w/ Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven, and many many more. ibm.biz/jancamenisch