Privacy with attribute-based credentials
ABC4Trust Project
Fatbardh Veseli
Deutsche Telekom Chair for Mobile Business and Multilateral Security, Goethe University Frankfurt, Germany
fatbardh.veseli@m-chair.de

Overview
- Motivation
- Identity Management Issues
- Privacy-ABCs - Architecture, Concepts and features
- ABC4Trust Project Overview
- Standardisation efforts

Identity Management (IdM): 2 sides of a medal with enormous economic potential
(ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies)

Organisations aim to sort out
- User Accounts in different IT systems
- Authentication
- Rights management
- Access control
Unified identities help to
- ease administration
- manage customer relations
Identity management systems
- ease single-sign-on by unifying accounts
- solve the problems of multiple passwords

People live their life
- in different roles (professional, private, volunteer)
- using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, Facebook names, ...
Differentiated identities help to
- protect
  - privacy, especially anonymity
  - personal security/safety
- enable reputation building at the same time
Identity management systems
- support users using role based identities
- help to present the right identity in the right context

Identity Management (IdM): One of many definitions
An integrated concept of processes, policies and technologies that enable organizations and individual entities to facilitate and control the use of identity information in their respective relations.

Privacy (and security) issues of typical federated IdM architectures
[Figure: User, Identity Service Provider (IdSP) and Relying Party (RP), with a "trust" relation and the numbered message flow below]
1. request access
2. policy
3. token request
4. token response
5. token

Partial Identities needed
Based on [Clauß, Köhntopp 2001]

Identity Definition in ISO/IEC 24760 to reduce the risk of over-identification
Identity (partial identity): Set of attributes related to an entity
From "A Framework for Identity Management" (ISO/IEC 24760)
- Part 1: Terminology and concepts (IS:2011)
- Part 2: Reference framework and requirements (CD)
- Part 3: Practice (WD)
[standards.iso.org/ittf/publiclyavailablestandards/index.html, www.jtc1sc27.din.de/en]

Attribute Based Credentials (Privacy-ABCs)
- Certifying relevant attributes
- Token issuance and presentation unlinkable
  - Rather coins (that cannot be distinguished) than bank notes (that have a serial number)
- Users can disclose (minimal) subsets of the encoded claims
  - To respond to unanticipated requests of RPs
  - Without invalidating the token integrity
  - E.g. Certificate for birth date -> Claim for being over 21
- Two major approaches and technologies
  - U-Prove (Credentica -> Microsoft)
  - Idemix (IBM)

Two approaches for Privacy-ABCs
[Figure: two panels, each showing Issuer, User and Verifier]
Blind Signatures
- U-Prove
- Brands, Paquin et al.
- Discrete Logs, RSA, ...
Zero-Knowledge Proofs
- Idemix (Identity Mixer)
- Damgård, Camenisch & Lysyanskaya
- Strong RSA, pairings (LMRS, q-SDH)

ABC4Trust Objectives
- A common, unified architecture for ABC systems to enable
  - Comparing their respective features
  - Combining them on common platforms
  - Lock-In free usage of ABC systems
- Open reference implementations of selected ABC systems
- Deployments in actual production enabling
  - Minimal disclosure
  - Provision of anonymous feedback to a community proving one is accredited as a member

ABC4Trust Partners
- Johann Wolfgang Goethe-Universität Frankfurt, DE
- Alexandra Institute AS, DK
- Computer Technology Institute & Press DIOPHANTUS, GR
- IBM Research - Zurich, CH
- Miracle A/S, DK
- Nokia Solutions and Networks, DE
- Technische Universität Darmstadt, DE
- Unabhängiges Landeszentrum für Datenschutz, DE
- Eurodocs AB, SE
- CryptoExperts SAS, FR
- Microsoft NV, BE
- Söderhamn Kommun, SE

Architecture, entities and features
[Figure: architecture diagram]
Entities: Issuer, Revocation Authority, User, Verifier, Inspector
Interactions: Credential Issuance, Credential Revocation, Revocation info retrieval (shown twice), Presentation Token, Token Inspection

ABC4Trust Pilot Söderhamn: Community Interaction
- School internal platform for communication among pupils, teachers, and personnel
- Provide trusted authentication while protecting anonymity
- Usability: make privacy technology understandable for non-technical users (e.g. pupils)
Norrtullskolan School, Söderhamn, Sweden

Söderhamn pilot - Student consultation
[Figure: two attribute sets]
name = Kari Johannson, Grade = 5, Class = 5A, Gender = F
name = ?, Grade = 5, Class = ?

ABC4Trust Pilot Patras: Course Rating
- Course ratings conducted anonymously without learning participants' identities
- Conduct polls based on attendance
- Verify with anonymous proofs towards untrusted infrastructure
Computer Technology Institute, Patras, Greece

Course Evaluation
[Figure: three attribute sets]
Course = 536, Matriculation nr: 1295, Attendance units: 6
name = Maria Papadopoulou, Department = CEI, Type = Student, Matriculation nr: 1295
name = ?, Department = ?, Student = Yes, CourseID = 536, #Attendance units > 5 = Yes

Privacy-ABCs and eID
- eIDs can be considered as credentials with several attributes.
- Privacy-ABCs can be used to disclose only some of the attributes.

Standardisation: relevant projects within ISO/IEC JTC 1/SC 27
Working groups
- WG 5 - Identity management and privacy technologies
- WG 2 - Cryptography and security mechanisms
Projects
- 24760 A framework for identity management
- 20008 Anonymous digital signatures
- 24146 Access control framework
- 29100 Privacy framework
- 29191 Partially anonymous, partially unlinkable authentication
- 29101 Privacy architecture framework
- 20009 Anonymous entity authentication

Conclusions & Outlook
- ICT and related services are coming ever closer to people.
- A more privacy friendly Internet requires:
  - Partial Identities and Identifiers
  - Minimum Disclosure
  - Privacy-respecting Attribute Based Credentials
- ABC4Trust Summit Event: 2015-01-20, Brussels, Representation of the State of Hesse
Links: www.abc4trust.eu, www.jtc1sc27.din.de/en, www.fidis.net, www.picos-project.eu, www.primelife.eu, www.prime-project.eu
Contact: www.m-chair.de, fatbardh.veseli@m-chair.de, coord-abc4trust@m-chair.de

Back-Up Attribute-based Credentials for Trust
Identity Theft (?)

ABC4Trust Project Facts
- Scheduled duration: November 2010 - February 2015
- Partners: 12 partners from industry, academia, research centres and data protection authorities
- Costs: 13.59 Million (8.85 Million EU funded)
- Funding: The ABC4Trust project receives research funding from the European Union's Seventh Framework Programme under grant agreement no. 257782 as part of the ICT Trust and Security Research theme.
- Web Page: https://abc4trust.eu
- Project coordination: Chair of Mobile Business & Multilateral Security, Goethe University Frankfurt, 60629 Frankfurt am Main, Germany, contact@abc4trust.eu