Cryptography 4 Privacy

Similar documents
Cryptographic dimensions of Privacy

Cryptography for People

Privacy in an Electronic World A Lost Cause?

IBM Identity Mixer. Introduction Deployment Use Cases Blockchain More Features

Forschungsrichtungen in der IT-Sicherheit

IBM Identity Mixer. Authentication without identification. Introduction Demo Use Cases Features Overview Deployment

Cryptography 4 People

Cryptography 4 People

Direct Anonymous Attestation

Directions in Security Research

Privacy-Enhancing Technologies & Applications to ehealth. Dr. Anja Lehmann IBM Research Zurich

Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems. Anja Lehmann IBM Research Zurich

Authentication without Identification. Jan Camenisch IBM Research - Zurich IBM Corporation

Anonymous Credentials and e-cash

Identity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation

Privacy Privacy Preserving Authentication Schemes: Theory and Applications

A Decade of Direct Anonymous Attestation

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

CS3235 Seventh set of lecture slides

Technologies to Protect eprivacy

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Prof. Christos Xenakis

Diffie-Hellman. Part 1 Cryptography 136

Prof. Christos Xenakis

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

CSE 127: Computer Security Cryptography. Kirill Levchenko

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

Kurose & Ross, Chapters (5 th ed.)

CS November 2018

More crypto and security

Encryption. INST 346, Section 0201 April 3, 2018

UNIT - IV Cryptographic Hash Function 31.1

Privacy with attribute-based credentials ABC4Trust Project. Fatbardh Veseli

Structure-Preserving Certificateless Encryption and Its Application

Public-Key Cryptography

Trusted Computing: Introduction & Applications

Study Guide for the Final Exam

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Lecture 2 Applied Cryptography (Part 2)

CSC 474/574 Information Systems Security

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Cryptographic protocols

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Using Cryptography CMSC 414. October 16, 2017

ENEE 459-C Computer Security. Security protocols

Reminder: Homework 4. Due: Friday at the beginning of class

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Key Protection for Endpoint, Cloud and Data Center

ENEE 459-C Computer Security. Security protocols (continued)

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

An Introduction to Trusted Platform Technology

Secure Multiparty Computation

Covert Identity Information in Direct Anonymous Attestation (DAA)

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Public Key Algorithms

Study on data encryption technology in network information security. Jianliang Meng, Tao Wu a

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

Password Authenticated Key Exchange by Juggling

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

PKI Credentialing Handbook

PYTHIA SERVICE BY VIRGIL SECURITY WHITE PAPER

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Introduction to Modern Cryptography. Benny Chor

T Cryptography and Data Security

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Public Key Algorithms

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Digital Signatures. Cole Watson

Introduction to Cryptography Lecture 10

Authentication Technology for a Smart eid Infrastructure.

Introduction to Public-Key Cryptography

Notes for Lecture 24

Cryptography (Overview)

CS 161 Computer Security

Cryptography in Lotus Notes/Domino Pragmatic Introduction for Administrators

Zero Knowledge Protocol

Chapter 9. Public Key Cryptography, RSA And Key Management

Certificateless Public Key Cryptography

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

1 Identification protocols

Introduction to Cryptography Lecture 7

Identification Schemes

Privacy-Preserving & User-Auditable Pseudonym Systems. Jan Camenisch, Anja Lehmann IBM Research Zurich

CS 161 Computer Security

Trusted Platform Module explained

Privacy Enhancing Technologies CSE 701 Fall 2017

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

CSC 5930/9010 Modern Cryptography: Digital Signatures

MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Transcription:

SuRI School of Computer and Communication Sciences EPFL Cryptography 4 Privacy Jan Camenisch Principle RSM; Member, IBM Academy of Technology IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch

Facts We all increasingly conduct our daily tasks electronically...are becoming increasingly vulnerable to cybercrimes 2

Facts 33% of cyber crimes, including identity theft, take less time than to make a cup of tea. 3

Facts 10 Years ago, your identity information on the black market was worth $150. Today. 4

Facts $4'500'000'000 cost of identity theft worldwide 5

Houston, we have a problem! ᄅ 6

Houston, we have a problem! ᄅ Buzz Aldrin's footprints are still up there (Robin Wilton) 7

Computers don't forget # Apps built to use & generate (too much) data # Data is stored by default # Data mining gets ever better # New (ways of) businesses using personal data # Humans forget most things too quickly # Paper collects dust in drawers 8

Where's all my data? The ways of data are hard to understand # Devices, operating systems, & apps are getting more complex and intertwined Mashups, Ad networks Machines virtual and realtime configured Not visible to users, and experts Data processing changes constantly No control over data and far too easy to loose them 9

The real problem Applications are designed with the sandy beach in mind but are then built on the moon. Feature creep, security comes last, if at all Everyone can do apps and sell them Networks and systems hard not (well) protected 10

Security & Privacy is not a lost cause! We need paradigm shift & build stuff for the moon rather than the sandy beach! 11

Security & Privacy is not a lost cause! That means: # Reveal only minimal data necessary # Encrypt every bit # Attach usage policies to each bit Cryptography can do that! 12

Cryptography to the Aid 13 2015 Information Security Summer School - Bilbao

Today: two solutions Identity mixer: privacy protecting authentication Password-based security: from humans to cryptographic keys?? 14 October 15, 2015 - Press Day

Identity Mixer 15 October 15, 2015 - Press Day

Alice wants to watch a movie at Movie Streaming Service I wish to see Alice in Wonderland Alice Movie Streaming Service 16

Alice wants to watch a movie at Movie Streaming Service You need: - subscription - be older than 12 Alice Movie Streaming Service 17

Watching the movie with the traditional solution Using digital equivalent of paper world, e.g., with X.509 Certificates ok, here's - my eid - my subscription Alice Movie Streaming Service 18

Watching the movie with the traditional solution...with X.509 Certificates Aha, you are - Alice Doe - born on Dec 12, 1975-7 Waterdrive - CH 8003 Zurich - Married - Expires Aug 4, 2018 Mplex Customer - #1029347 - Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service 19

Watching the movie with the traditional solution This is a privacy and security problem! - identity theft - discrimination - profiling, possibly in connection with other services Aha, you are - Alice Doe - born on Dec 12, 1975-7 Waterdrive - CH 8003 Zurich - Married - Expires Aug 4, 2018 Mplex Customer - #1029347 - Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service 20

Watching the movie with the traditional solution With OpenID (similar protocols), e.g., log-in with Facebook Alice Movie Streaming Service 21

Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Aha, Alice is watching a 12+ movie Alice Movie Streaming Service 22

Watching the movie with the traditional solution With OpenID and similar solution, e.g., log-in with Facebook Aha, Alice is watching a 12+ movie Aha, you are - Alice@facebook.com - 12+ Mplex Customer - #1029347 - Premium Subscription - Expires Jan 13, 2016 Alice Movie Streaming Service 23

Proper cryptography solves this: Identity Mixer When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the services learns is that Alice has a subscription is older than 12 and no more! 24

Privacy-protecting authentication with Privacy ABCs Users' Keys: # One secret Identity (secret key) # Many Public Pseudonyms (public keys) use a different identity for each communication partner or even transaction 25

Privacy-protecting authentication with Privacy ABCs Certified attributes from Identity provider # Issuing a credential Name = Alice Doe Birth date = April 3, 1997 26

Privacy-protecting authentication with Privacy ABCs Certified attributes from purchasing department # Issuing a credential 27

Privacy-protecting authentication with Privacy ABCs I wish to see Alice in Wonderland You need: - subscription - be older than 12 28

Privacy-protecting authentication with Privacy ABCs Proving identity claims # but does not send credentials # only minimal disclosure - valid subscription - eid with age 12 29

Proving Identity Claims: Minimal Disclosure 30 Alice Doe Age: 12+ Hauptstr 7, Zurich CH single Exp. Valid ve r ID ified ve r ID ified Alice Doe Dec 12, 1998 Hauptstr. 7, Zurich CH single Exp. Aug 4, 2018

Privacy-protecting authentication with Privacy ABCs Proving identity claims # but does not send credential # only minimal disclosure (Public Verification Key of issuer) Aha, you are - older than 12 - have a subscription Transaction is not linkable to any other of Alice's transactions! 31

Try Identity Mixer for yourself Try yourself: Build your app: Source code: Info: 32 idemixdemo.mybluemix.net github.com/ibm-bluemix/idemix-issuer-verifier github.com/github.com/p2abcengine/p2abcengine ibm.biz/identity_mixer

You might already have Identity Mixer on your devices Identity Mixer (and related protocols) in standards # TPM V1.2 (2004) and V2.0 (2015) call it Direct Anonymous Attestation # FIDO Alliance authentication is standardizing this as well (w/ and w/out chip) TPMs allow one to store secret key in a secure place! Alice 33

Other examples: secure and privacy access to databases Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.) # DNA databases # News/Journals/Magazines # Patent database??? Cryptography access protocol s.t. database provider has no information about # which user accesses # which data 34

A glimpse at the underlying cryptography 35

A Glimpse at the technical realization Signature scheme compatible with ZKP Commitment scheme compatible with ZKP & sig. scheme Zero knowledge proof of knowledge 36

Zero Knowledge Proofs of Knowledge of Discrete Logarithms Given group <g> and element y Є <g>. Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g. Prover: random r t := gr PK{(α): y = gα } t c s := r - cx Verifier : random c s t = gs yc 37

Zero Knowledge Proofs of Knowledge of Discrete Logarithms Many Exponents: PK{(α,β,γ,δ): y = gα hβzγkδuβ } Logical combinations: PK{(α,β): y = gα z = gβ u = gβhα } PK{(α,β): y = gα z = gβ } als and groups of different order (under SRSA): PK{(α): y = gα α Є [A,B] } PK{(α): y = gα z = gα α Є [0,min{ord(g),ord(g)}] } Non-interactive (Fiat-Shamir heuristic, Schnorr Signatures): PK{(α): y = gα }(m) 38

RSA Signature Scheme Rivest, Shamir, and Adlemann 1978 Secret Key: two random primes p and q Public Key: n := pq, prime e, and collision-free hash function H: {0,1}* -> {0,1}ℓ Computing signature on a message m Є {0,1}* d := 1/e mod (p-1)(q-1) s := H(m) d mod n Verification of signature s on a message m Є {0,1}* se = H(m) Correctness: se = (H(m)d)e = H(m)d e = H(m) 39 (mod n) (mod n)

RSA Signature Scheme Verification signature on a message m Є {0,1}* se := H(m) (mod n) Wanna do proof of knowledge of signature on a message, e.g., PK{ (m,s): se = H(m) (mod n) } But this is not a valid proof expression!!!! :-( 40

CL-Signature Scheme Public key of signer: RSA modulus n and ai, b, d Є QRn, Secret key: factors of n To sign k messages m1,..., mk Є {0,1}ℓ : choose random prime 2ℓ+2 > e > 2ℓ+1 and integer s n compute c : c = (d / (a m1... a mk bs ))1/e mod n 1 41 k signature is (c,e,s)

CL-Signature Scheme To verify a signature (c,e,s) on messages m1,..., mk: m1,..., mk Є {0,1}ℓ: e > 2ℓ+1 d = ce a 1 m1... a k mk bs mod n Theorem: Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption. 42

Proving Knowledge of a CL-signature Observe: d = ce am bs mod n Let c' = c btmod n with randomly chosen t then d = c'e a1m1a2m2 bs-et (mod n), i.e., (c',e, s* = s-et) is also signature on m1 and m2 To prove knowledge of signature (c',e, s*) on m2 and some m1 # provide c' # PK{(ε, µ1, σ) : d/a2m2 := c'ε a1µ1 b σ µ Є {0,1}ℓ ε > 2ℓ+1 } 43

Password-based Security 44 October 15, 2015 - Press Day

Password are insecure, aren't they? username-password the most prominent form of user authentication Passwords inherently insecure? No! We re just using them incorrectly 45 October 15, 2015 - Press Day

The problem with passwords password salted PW hash correct? correct? correct? correct? correct? correct!! # Passwords are symmetric secrets need protection on server & user # Password (hashes) useless against offline attacks Human-memorizable passwords are inherently weak NIST: 16-character passwords have 30 bits of entropy 1 billion possibilities Rig of 25 GPUs tests 350 billion possibilities / second, so 3ms for 16 chars 60% of LinkedIn passwords cracked within 24h # More expensive hash functions provide very little help only increases verification time as well does not work for short passwords such as pins etc # Single-server solutions inherently vulnerable to offline attacks Server / administrator / hacker can always guess & test 46 2015 Information Security Summer School - Bilbao

The solution: distributed password verification Setup: Open account w/ password p p1 p p2 p= 47 October 15, 2015 - Press Day p1 p2

The solution: distributed password verification Login to account with password p' p1 p' p' # no server alone can test password? = p1 p2 p2 # passwords safe as long as not all servers are hacked off-line attacks no longer possible on-line attacks can be throttled # pro-active re-sharing possible # First server web-server replaces hash-data files user's computer secure against loss or theft of user device 48 October 15, 2015 - Press Day

How it works in a nutshell [CLN12,CEN15] # Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme # At setup: user encrypts p under X: E= EncX(p) E= EncX(p) x1 # Password verification: check for encryption of 1 E' p' = p? p' DecX(E') = 1? E' = (EncX(1/p') E) r r = EncX( (p/p') ) E' E=EncX(p) x2 # Servers do not learn anything 1 if passwords match, random number otherwise # User could even be talking to the wrong servers... 49 2015 Information Security Summer School - Bilbao

From password to cryptographic keys [CLN12,CLLN14,CEN15] p1 k1 p2 # One of the servers could be your smart phone, laptop, k2 # Get key share from if password check succeeded # Decrypt all your files on phone (or stored in the cloud, etc) 50 October 15, 2015 - Press Day

From password to cryptographic keys [CLN12,CLLN14,CEN15] p1 k1 p' p'? = p1 p2 k p2 # One of the servers could be your smart phone, laptop, k2 # Get key share from if password check succeeded # Decrypt all your files on phone (or stored in the cloud, etc) 51 October 15, 2015 - Press Day

Further Research Needed! # Securing the infrastructure & IoT ad-hoc establishment of secure authentication and communication audit-ability & privacy (where is my information, crime traces) security services, e.g., better CA, oblivious TTPs, anon. routing, # Usability HCI Infrastructure (setup, use, changes by end users) # Provably secure protocols Properly modeling protocols (UC, realistic attacks models,...) Verifiable security proofs Retaining efficiency 52 2015 Information Security Summer School - Bilbao

Further Research Needed! # Quantum Computers Lots of new crypto needed still Build apps algorithm agnostic # Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog 53 2015 Information Security Summer School - Bilbao

Conclusion Let engage in some rocket science! # Much of the needed technology exists # need to use them & build apps for the moon # and make apps usable & secure for end users Thank you! Joint work w/ Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven, and many many more. jca@zurich.ibm.com 54 @JanCamenisch 2015 Information Security Summer School - Bilbao ibm.biz/jancamenisch

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback