identity-based privacy (ibp) - cloud computing and privacy protection
Post on 28-Nov-2014
Identity-Based Privacy (IBP)
Cloud Computing and Privacy Protection
07/2014
Privacy preserving
Encryption is one of the most effective information protection techniques.
Information
Privacy preserving – Conceptual model
Security
Privacy
• Security – Data at Rest Encryption, Data in Transit Encryption
• Privacy – Data in Use Encryption
Privacy preserving – existing systems
• PKI – Public-Key Infrastructure
• PGP – Pretty Good Privacy
• IBE – Identity-Based Encryption
• PKI, PGP – more about key management than encryption
• IBE – email address as the public key
Privacy preserving – existing systems (cont.)
Drawbacks:
• PKI – very expensive, usability
• PGP – usability
• IBE – difficult mathematics, strong patents
Identity-Based Privacy (IBP)
The alternative to PKI/PGP/IBE systems
IBP – History
• Original idea dates from January, 2011
• First public presentation in June, 2011
  • http://www.amathnet.cz/akce/historie-akci/vut/pavlov-2011/prubeh.aspx
  • http://www.amathnet.cz/Portals/0/QuickGallery/444/IMGP0056.JPG
• Fully open sourced since September, 2013
• Matured in April, 2014
IBP – Conceptual Architecture Model
User (Client-Side App.)
Identity & Access Management
Data Resource Encryption Key Generator
IBP – Modules
• Encryption Key Generator – a Personal Key Ring separated from cloud application and data storage
• Identity & Access Management – the gateway to your privacy
• User Agent – the only place where your encryption key and data meet
IBP – Modules (cont.)
IBEKG, OIDC/UMA, User Agent
• IBEKG – Identity-Based Encryption Key Generator
• OIDC/UMA – Identity & Access Management built around OpenID Connect (OIDC) and User Managed Access (UMA) specifications
• User Agent – client side data encryption process
IBP – Technical background
• Identity & Access Management Provider – email address as the user’s identifier
• Authentication/Authorization/Access Control – OIDC, UMA
• One-Time Identity-Based Key Generator
• Identity encryption key generated from user’s identifier
IBP – Technical background (cont.)
• Identity-Based Encryption[1]
• Data encryption key encrypted by identity encryption key
• NIST SHA-256, AES-256, CTR-DRBG-256
• OpenSSL FIPS 140-2 validated
[1] Here this means simple HMAC-SHA/AES (GCM) symmetric encryption, not the type of public-key encryption described in the Wikipedia article on ID-based encryption.
IBP – Technical background (cont.)
Client-side zero-knowledge encryption:
• All users' data are encrypted on the client side and never touch servers in a plain form
• Data storage provider has zero knowledge of the encryption keys
• Encryption key generator server has zero knowledge of users' data
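The key hierarchy described in the Technical background slides (identity key generated from the user's identifier, data key encrypted by the identity key, all encryption on the client), sketched as an added example that is not taken from the IBP project's code. The slides name only the primitives, so the exact construction, the function names, the lower-casing of the email address and its use as GCM associated data are assumptions.

```javascript
// Added illustration, not the IBP project's code. All names are hypothetical.
const nodeCrypto = require('node:crypto');

// Assumed normalisation, so one mailbox always maps to one key.
const normalise = (email) => email.trim().toLowerCase();

// Key generator side: holds the master key and sees only the identifier.
function deriveIdentityKey(masterKey, email) {
  return nodeCrypto.createHmac('sha256', masterKey)
    .update(normalise(email), 'utf8').digest(); // 32 bytes, used as an AES-256 key
}

// AES-256-GCM helper; output layout is iv (12) || tag (16) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function unseal(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key, the associated data or the ciphertext is wrong
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// User agent side: a random data key encrypts the data, the identity key wraps it.
// Only the returned record goes to the storage provider.
function encryptFor(identityKey, email, data) {
  const aad = Buffer.from(normalise(email), 'utf8');
  const dek = nodeCrypto.randomBytes(32);
  return { wrappedDek: seal(identityKey, dek, aad), ciphertext: seal(dek, data, aad) };
}

function decryptFor(identityKey, email, record) {
  const aad = Buffer.from(normalise(email), 'utf8');
  const dek = unseal(identityKey, record.wrappedDek, aad);
  return unseal(dek, record.ciphertext, aad);
}

// Constructed sample values.
const MASTER = Buffer.alloc(32, 7); // stand-in master key, not a real secret
const aliceKey = deriveIdentityKey(MASTER, 'Alice@Example.com');
const record = encryptFor(aliceKey, 'alice@example.com', Buffer.from('lab result 42'));
```

The storage side holds only `record`, and the key generator never receives `data`; both depend on the master key staying secret, which is the concern listed under Cons.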
IBP – Operating model
User Agent (Browser)
Identity Provider + Data/App Provider
Encryption Key Generator
mobile operators, banks, Gov. Google, Microsoft, Oracle, Amazon,
clinics, large enterprises
home or corp. computer, tablet, smartphone, Internet of Things
Customer
Commercial (Closed Source) Software/Services
Transparent (Open Source) Software/Services
IBP – Pros
• usability (no passwords, no certificates)
• no key and certificate management (creation, storage, distribution, revocation)
• lost key prevention
• IBE like features, key escrow/fair encryption, no need for receiver’s public key before encryption
• no IBE revocation problem (access control)
• Encryption Key Generator Device (referred to as the Internet Of Things)
• SIM Card/Java Applet
IBP – Cons
• online solution
• master key security
Main Business Opportunities
• Cloud Storage / Sharing
• Health Records / Medical Data Sharing
• Electronic Postal Services
• New Email-like Services
Featured links
• igi64.github.io
• openid.net/connect
• kantarainitiative.org/confluence/display/uma
• twitter.com/igi64