Identity-Based Privacy (IBP) - Cloud Computing and Privacy Protection

Post on 28-Nov-2014


DESCRIPTION

A new decentralized Identity-Based Privacy (IBP) trusted model built around the OpenID Connect and User-Managed Access (UMA) standards. The IBP model supports Privacy by Design (PbD) principles. Why identity and not anonymity to preserve privacy? Simple: anonymity does not overlap with transparency, but privacy does. Privacy and transparency, hand in hand, are the cornerstones of the modern world.

TRANSCRIPT

Identity-Based Privacy (IBP)

Cloud Computing and Privacy Protection

07/2014

Privacy preserving

Encryption is one of the most effective information protection techniques.

Information

Privacy preserving – Conceptual model

Security

Privacy

• Security – Data at Rest Encryption, Data in Transit Encryption

• Privacy – Data in Use Encryption

Privacy preserving – existing systems

• PKI – Public-Key Infrastructure

• PGP – Pretty Good Privacy

• IBE – Identity-Based Encryption

• PKI, PGP – it’s more about key management than encryption

• IBE – email address as the public key

Privacy preserving – existing systems (cont.)

Drawbacks:

• PKI – very expensive, usability

• PGP – usability

• IBE – difficult mathematics, strong patents

Identity-Based Privacy (IBP)

The alternative to PKI/PGP/IBE systems

IBP – History

• Original idea dates from January 2011

• First public presentation in June 2011

• http://www.amathnet.cz/akce/historie-akci/vut/pavlov-2011/prubeh.aspx

• http://www.amathnet.cz/Portals/0/QuickGallery/444/IMGP0056.JPG

• Fully open sourced since September, 2013

• Matured in April, 2014

IBP – Conceptual Architecture Model

User (Client-Side App.)

Identity & Access Management

Data Resource Encryption Key Generator

IBP – Modules

• Encryption Key Generator – a Personal Key Ring separated from cloud application and data storage

• Identity & Access Management – the gateway to your privacy

• User Agent – the only place where your encryption key and data meet

IBP – Modules (cont.)

IBEKG, OIDC/UMA, User Agent

• IBEKG – Identity-Based Encryption Key Generator

• OIDC/UMA – Identity & Access Management built around OpenID Connect (OIDC) and User Managed Access (UMA) specifications

• User Agent – client side data encryption process

IBP – Technical background

• Identity & Access Management Provider – email address as the user’s identifier

• Authentication/Authorization/Access Control – OIDC, UMA

• One-Time Identity-Based Key Generator

• Identity encryption key generated from user’s identifier

IBP – Technical background (cont.)

• Identity-Based Encryption[1]

• Data encryption key encrypted by identity encryption key

• NIST SHA-256, AES-256, CTR-DRBG-256

• OpenSSL FIPS 140-2 validated

[1] A simple HMAC-SHA/AES (GCM) symmetric encryption, not the type of public-key encryption described in the Wikipedia article on ID-based encryption

IBP – Technical background (cont.)

Client-side zero-knowledge encryption:

• All users' data are encrypted on the client side and never touch servers in a plain form

• Data storage provider has zero knowledge of the encryption keys

• Encryption key generator server has zero knowledge of users' data
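The key flow from the Technical background slides, as an added example that is not part of the original deck or the IBP project's code. It assumes the identity key is HMAC-SHA-256 of the normalized email under a master key held by the key generator, and that the data key is wrapped with AES-256-GCM; all function names and sample values are constructed for illustration.

```javascript
// Added illustration: the construction and every name here are assumptions.
const nodeCrypto = require('node:crypto');

// Key generator side: the master key never leaves this service.
// Identity key = HMAC-SHA-256(masterKey, normalized email).
function deriveIdentityKey(masterKey, email) {
  const id = email.trim().toLowerCase();
  return nodeCrypto.createHmac('sha256', masterKey).update(id, 'utf8').digest();
}

// AES-256-GCM with a fresh 96-bit nonce; returns nonce, ciphertext and tag.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Throws if the key is wrong or the ciphertext was modified.
function unseal(key, box) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// User agent side: encrypt the data under a random data key, then wrap
// that data key under the identity key. Only this record goes to storage.
function encryptFor(identityKey, data) {
  const dataKey = nodeCrypto.randomBytes(32);
  return { wrappedKey: seal(identityKey, dataKey), body: seal(dataKey, data) };
}

function decryptWith(identityKey, record) {
  const dataKey = unseal(identityKey, record.wrappedKey);
  return unseal(dataKey, record.body);
}

// Constructed sample run: the right identity decrypts, another one is rejected.
function demo() {
  const masterKey = Buffer.alloc(32, 7); // constructed test value, not a real key
  const aliceKey = deriveIdentityKey(masterKey, 'Alice@Example.com');
  const record = encryptFor(aliceKey, Buffer.from('blood type: 0+'));
  const ok = decryptWith(deriveIdentityKey(masterKey, 'alice@example.com'), record).toString();
  let rejected = false;
  try { decryptWith(deriveIdentityKey(masterKey, 'bob@example.com'), record); }
  catch (e) { rejected = true; }
  return { ok, rejected };
}
```

The storage provider only ever holds `record`, and the key generator only ever sees the identifier, which is the split the zero-knowledge slide describes. Because anyone who holds the master key can derive every identity key, the "master key security" item under Cons is the critical dependency.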

IBP – Operating model

User Agent (Browser)

Identity Provider + Data/App Provider

Encryption Key Generator

mobile operators, banks, Gov. Google, Microsoft, Oracle, Amazon,

clinics, large enterprises

home or corp. computer, tablet, smartphone, Internet of Things

Customer

Commercial (Closed Source) Software/Services

Transparent (Open Source) Software/Services

IBP – Pros

• usability (no passwords, no certificates)

• no key and certificate management (creation, storage, distribution, revocation)

• lost key prevention

• IBE like features, key escrow/fair encryption, no need for receiver’s public key before encryption

• no IBE revocation problem (access control)

• Encryption Key Generator Device (referred to as the Internet Of Things)

• SIM Card/Java Applet

IBP – Cons

• online solution

• master key security

Main Business Opportunities

• Cloud Storage / Sharing

• Health Records / Medical Data Sharing

• Electronic Postal Services

• New Email-like Services

Featured links

• igi64.github.io

• openid.net/connect

• kantarainitiative.org/confluence/display/uma

• twitter.com/igi64
