cryptography 4 people - researcher.watson.ibm.com · the solution: distributed password...
TRANSCRIPT
copy 2017 IBM Corporation
Cryptography 4 People
Dr Jan CamenischPrinciple RSM Member IBM Academy of TechnologyIBM Research ndash Zurich
JanCamenischibmbizjancamenisch
Seminar at Universidad Autonoma de Madrid ndash April 3 2017
copy 2017 IBM Corporation2 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We all increasingly conduct our daily tasks electronically
Facts
are becoming increasingly vulnerable to cybercrimes
copy 2017 IBM Corporation3 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
33 of cyber crimes including identity theft take less time than to make a cup of tea
Facts
copy 2017 IBM Corporation4 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
10 Years ago your identity information on the black market was worth $150 Todayhellip
Facts
copy 2017 IBM Corporation5 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
$4500000000 cost of identity theft worldwide
Facts
copy 2017 IBM Corporation6 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
copy 2017 IBM Corporation7 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
ldquoBuzz Aldrins footprints are still up thererdquo(Robin Wilton)
copy 2017 IBM Corporation8 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Computers dont forget
Apps built to use amp generate (too much) data
Data is stored by default
Data mining gets ever better
New (ways of) businesses using personal data
Humans forget most things too quickly
Paper collects dust in drawers
copy 2017 IBM Corporation9 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2017 IBM Corporation10 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2017 IBM Corporation11 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation12 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation2 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We all increasingly conduct our daily tasks electronically
Facts
are becoming increasingly vulnerable to cybercrimes
copy 2017 IBM Corporation3 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
33 of cyber crimes including identity theft take less time than to make a cup of tea
Facts
copy 2017 IBM Corporation4 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
10 Years ago your identity information on the black market was worth $150 Todayhellip
Facts
copy 2017 IBM Corporation5 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
$4500000000 cost of identity theft worldwide
Facts
copy 2017 IBM Corporation6 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
copy 2017 IBM Corporation7 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
ldquoBuzz Aldrins footprints are still up thererdquo(Robin Wilton)
copy 2017 IBM Corporation8 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Computers dont forget
Apps built to use amp generate (too much) data
Data is stored by default
Data mining gets ever better
New (ways of) businesses using personal data
Humans forget most things too quickly
Paper collects dust in drawers
copy 2017 IBM Corporation9 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2017 IBM Corporation10 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2017 IBM Corporation11 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation12 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation3 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
33 of cyber crimes including identity theft take less time than to make a cup of tea
Facts
copy 2017 IBM Corporation4 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
10 Years ago your identity information on the black market was worth $150 Todayhellip
Facts
copy 2017 IBM Corporation5 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
$4500000000 cost of identity theft worldwide
Facts
copy 2017 IBM Corporation6 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
copy 2017 IBM Corporation7 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
ldquoBuzz Aldrins footprints are still up thererdquo(Robin Wilton)
copy 2017 IBM Corporation8 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Computers dont forget
Apps built to use amp generate (too much) data
Data is stored by default
Data mining gets ever better
New (ways of) businesses using personal data
Humans forget most things too quickly
Paper collects dust in drawers
copy 2017 IBM Corporation9 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2017 IBM Corporation10 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2017 IBM Corporation11 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation12 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation4 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
10 Years ago your identity information on the black market was worth $150 Todayhellip
Facts
copy 2017 IBM Corporation5 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
$4500000000 cost of identity theft worldwide
Facts
copy 2017 IBM Corporation6 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
copy 2017 IBM Corporation7 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
ldquoBuzz Aldrins footprints are still up thererdquo(Robin Wilton)
copy 2017 IBM Corporation8 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Computers dont forget
Apps built to use amp generate (too much) data
Data is stored by default
Data mining gets ever better
New (ways of) businesses using personal data
Humans forget most things too quickly
Paper collects dust in drawers
copy 2017 IBM Corporation9 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2017 IBM Corporation10 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2017 IBM Corporation11 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation12 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation5 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
$4500000000 cost of identity theft worldwide
Facts
copy 2017 IBM Corporation6 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
copy 2017 IBM Corporation7 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
ldquoBuzz Aldrins footprints are still up thererdquo(Robin Wilton)
copy 2017 IBM Corporation8 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Computers dont forget
Apps built to use amp generate (too much) data
Data is stored by default
Data mining gets ever better
New (ways of) businesses using personal data
Humans forget most things too quickly
Paper collects dust in drawers
copy 2017 IBM Corporation9 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2017 IBM Corporation10 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2017 IBM Corporation11 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation12 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation6 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
copy 2017 IBM Corporation7 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
ldquoBuzz Aldrins footprints are still up thererdquo(Robin Wilton)
copy 2017 IBM Corporation8 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Computers dont forget
Apps built to use amp generate (too much) data
Data is stored by default
Data mining gets ever better
New (ways of) businesses using personal data
Humans forget most things too quickly
Paper collects dust in drawers
copy 2017 IBM Corporation9 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2017 IBM Corporation10 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2017 IBM Corporation11 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation12 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation7 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ᄅ
Houston we have a problem
ldquoBuzz Aldrins footprints are still up thererdquo(Robin Wilton)
copy 2017 IBM Corporation8 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Computers dont forget
Apps built to use amp generate (too much) data
Data is stored by default
Data mining gets ever better
New (ways of) businesses using personal data
Humans forget most things too quickly
Paper collects dust in drawers
copy 2017 IBM Corporation9 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2017 IBM Corporation10 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2017 IBM Corporation11 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation12 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation8 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Computers dont forget
Apps built to use amp generate (too much) data
Data is stored by default
Data mining gets ever better
New (ways of) businesses using personal data
Humans forget most things too quickly
Paper collects dust in drawers
copy 2017 IBM Corporation9 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2017 IBM Corporation10 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2017 IBM Corporation11 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation12 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation9 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Wheres all my data
The ways of data are hard to understand
Devices operating systems amp apps are getting more complex and intertwined
ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly
rarr No control over data and far too easy to loose them
copy 2017 IBM Corporation10 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2017 IBM Corporation11 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation12 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation10 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon
ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected
copy 2017 IBM Corporation11 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation12 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation11 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
We need paradigm shift ampbuild stuff for the moon
rather than the sandy beach
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation12 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation12 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit
Cryptography can do that
Security amp Privacy is not a lost cause
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation13 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Mix Networks
Priced OT
Private information retrieval
Onion Routing
e-voting
Confirmer signatures
Group signatures
Anonymous Credentials
OT with Access Control
Oblivious Transfer
Blind signatures
Secret Handshakes
Group signatures Pseudonym Systems
Searchable Encryption
Homomorphic Encryption
Cryptography to the Aid
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation14 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
What does that mean
We do have the cryptography but it is hardly used
Deemed too expensiveToo hard to manage all the keys fear of loosing keysProtecting data is considered futileOften required by law but these are wout teethDebate about legality of encryption V20
On the positive side
Importance of security and privacy increasingly recognizedLaws are revised
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation15 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Password-based security
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation16 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
I Human ndash Computer Authentication Done Right
password
Paper-world approach - store password - better store hash of password
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation17 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The problem with paper-world based approach to passwords
salted PW hashcorrectcorrectcorrectcorrectcorrecthellipcorrect
correct
Passwords are mutual secret need proper protection amp cannot be shared Password (hashes) useless against offline attacks
ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h
More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc
Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test
password
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation18 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Setup Open account w password p
p2p1 p2
p1
p =
p
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation19 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
The solution distributed password verification
Login to account with password p
no server alone can test password passwords safe as long as not all servers are hacked
ndash off-line attacks no longer possiblendash on-line attacks can be throttled
pro-active re-sharing possible First server
ndash web-server rarr replaces hash-data filesndash users computer rarr secure against loss or theft of user device
p
p2
p
p
p1
p1 p2=
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation20 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How it works in a nutshell [CLN12CEN15]
E = (EncX(1p) ⟐ E)r
= EncX( (pp)r)
E= EncX(p)x1
E
E
p = p harr
DecX(E) = 1
E=EncX(p)x2
Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme
At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1
Servers do not learn anythingndash 1 if passwords match random number otherwise
User could even be talking to the wrong servers
p
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation21 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
k1
k2
p1
p2
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation22 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
From password to cryptographic keys [CLN12CLLN14CEN15]
One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)
p
k1
k2
p1
p2
k
p p1 p2=
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation23 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Anonymous Authentication
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation24 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation25 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
You need- subscription- be older than 12
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation26 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok heres - my eID - my subscription
Using digital equivalent of paper world eg with X509 Certificates
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation27 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
with X509 Certificates
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation28 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018
Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation29 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID (similar protocols) eg log-in with Facebook
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation30 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation31 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solution eg log-in with Facebook
Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016
Aha Alice is watching a 12+ movie
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation32 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proper cryptography solves this Identity Mixer
When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice
has a subscriptionis older than 12
and no more
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation33 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Users Keys
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
rarr use a different identity for each communication partner or even transaction
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation34 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice DoeBirth date = April 3 1997
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation35 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department Issuing a credential
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation36 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
I wish to see Alice in Wonderland
You need- subscription- be older than 12
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation37 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving identity claims but does not send credentials only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
- valid subscription - eID with age ge 12
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation38 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Proving Identity Claims Minimal Disclosure
Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve
rified
ID
Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve
rified
ID
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation39 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Privacy-protecting authentication with Privacy ABCs
Aha you are- older than 12- have a subscription
Proving identity claims but does not send credential only minimal disclosure (Public Verification Key
of issuer)
Transaction is not linkable to any other of Alices transactions
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation40 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Try Identity Mixer for yourself
Try yourself rarr idemixdemomybluemixnetBuild your app rarr githubcomIBM-Bluemixidemix-issuer-verifierSource code rarr githubcomgithubcomp2abcenginep2abcengineInfo rarr ibmbizidentity_mixer
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation41 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
You might already have Identity Mixer on your devices
Alice
Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation
FIDO Alliance authentication is standardizing this as well (w and wout chip)
TPMs allow one to store secret key in a secure place
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation42 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Other examples secure and privacy access to databases
DNA databases NewsJournalsMagazines Patent database
Cryptography access protocol st database provider has no information about which user accesses
which data
Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation43 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A glimpse at the underlying cryptography
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation44 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
A Glimpse at the technical realization
Zero knowledge proof of knowledge
Signature schemecompatible with ZKP
Commitment schemecompatible with ZKP amp sig scheme
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation45 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g
t = gs yc
Prover
random r
t = gr
Verifier
random c
s = r - cx
t
s
c
PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation46 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures)
PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation47 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation48 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
RSA Signature Scheme
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg
PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation49 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation50 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation51 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Observendash d = ce a1m1 bs mod nndash Let c = c btmod n with randomly chosen t
then d = ce a1m1bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on some m1 provide c PK(ε micro1 σ) d = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation52 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Variation
d = crsquoe a1m1a2m2 bsrsquo mod n
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
Proving Knowledge of a CL-signature
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation53 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Cryptography to the Aida few examples of rocket science
Unlinkable Identifiers for Databases [CamenischampLehmann CCS 15 EuroSampP 17]
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation54 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
How to maintain related yet distributed data
Example use case social security system Different entities maintain data of citizens Eventually data needs to be exchanged or correlated
Health Insurance
HospitalDoctor B
Doctor A
Welfare CenterTaxAuthority
Pension Fund
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation55 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
IoT Use case ndash Car Example
garage
insurer
road infrastructure
sellermanufacturer
parts provider
Many other different use case IoT Industry 40 Home Appliances Metering
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation56 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Requirements
Data originating from (or being related to) an individual
Interactions with many different parties who share exchange and store data
Data needs to be protectedndash Stored in encrypted formndash Anonymizedndash Stored distributedly (different data base different data controller)ndash User needs to be informed where data resides how it is processed etc
Still different parties want to use datandash No too much anonymized otherwise not usable anymorendash If somewhat anonymized how can user still keep track
How can we do this
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation57 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation58 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Globally Unique Identifier
user data is associated with globally unique identifierndash eg social security number insurance ID
different entities can easily share amp link related data records
+ simple data exchange
ndash no control about data exchangendash if records are lost pieces can be linked togetherndash data has high-value rarr requires strong protection
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
Record ofBob0411
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation59 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonymID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation60 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistencyID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation61 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Using Privacy-ABCs to derive Identifiers
Use Domain pseudonym
Use credential to ensure consistency
Exchanging records via user and credentials
ndash data exchange needs to involve user
+ control about data exchange+ lost records are cannot be linked together
ID Data
Bob0411
Carol2503
Dave1906
ID Data
Alice1210
Bob0411
Carol2503
Hospital
Doctor A
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation62 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation63 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
Record of ML3m5
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation64 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation65 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Local Pseudonyms amp Trusted ldquoConverterrdquo
central converter derives independent server-local identifiers from unique identifier
user data is associated with (unlinkable) server-local identifiers aka ldquopseudonymsrdquo
only converter can link amp convert pseudonyms rarr central hub for data exchange
Record of P89dy from Hospital
Record of ML3m5
+ control about data exchange+ if records are lost pieces cannot be linked together
ndash converter learns all request amp knows all correlations
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Main ID ID-A ID-H
Alice1210 Hba02 7twnG
Bob0411 P89dy ML3m5
Carol2503 912uj sD7Ab
Dave1906 5G3wx y2B4m
Converter
How can be make the converter less trusted
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation66 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
ID Data
ML3m5
sD7Ab
y2B4m
ID Data
Hba02
P89dy
912uj
Hospital
Doctor A
Blindly Translatable Pseudonyms from Cryptography
Converter
Goal - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation67 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Blindly Translatable Pseudonyms from Cryptography [CL15]
Converter
Idea - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospitals key- Converter operates translation on encrypted pseudonyms
Plus for security - Converter to sign pseudonyms amp doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier
Doctor A Hospital
fC(IDUkA) rarr enc(pkHfC(IDUkA)) enc(pkHfC(IDUkH)) rarr fC(IDUkH)
nymU(UA) = enc(xAfC(IDUkA))
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation68 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Generation
Converter XxnymiA
converter X and server SA jointly compute a pseudonym nymiA for user uidi
Xs input unique user-id uidi and server ID SA
1) compute global core identifier using secret key k
zi larr PRF(kuidi)
2) compute server-local ldquoinnerrdquo pseudonym using server-specific secret key xA
xnymiA larr zixA ie fC(IDUkA) = PRF(kuidi)xA
3) compute final pseudonym using a secret key kA nymiA larr PRP(kAxnymiA)
k skX for each server xA xB xC hellip
kA skAServer A
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation69 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation70 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation71 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
xnymiA = zixA
xnymiB = zixB
nymiA
nymiB
xnymiB = xnymiA xB xA
PRP(kB xnymiB)
PRP-1(kA nymiA)
Server A
Server B
kA skA
kB skB
We can compute this blindly using of homomorphic encryption
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation72 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
k skX for each server xA xB xC hellip
C SB qid
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation73 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
Server A
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellip
Server B
kA skA
kB skB
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation74 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
High-level Idea | Pseudonym Conversion
Converter X
server SA wishes to convert a pseudonym nymiA for server SB
SAs input nymiA SB qid
3) decrypt first layer asC larr Dec(skX C)
4) blindly transform encrypted pseudonymC larr C Δ with Δ = xB xA
C = Enc(pkB xnymiA) xB xA
C = Enc(pkB PRF(kuidi) xA) xB xA
C = Enc(pkB PRF(kuidi) xB) C = Enc(pkB xnymiB)
k skX for each server xA xB xC hellipC SA qid
5) decrypt inner pseudonym xnymiB larr Dec(skB C)
6) compute final pseudonym as nymiB larr PRP(kB xnymiB)
1) re-obtain xnymiA larr PRP-1(kA nymiA)
2) encrypt xnymiA under SBs and Converter Xs keyC larr Enc(pkX (Enc(pkB xnymiA))
C SB qid Server A
Server B
kA skA
kB skB
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation
Conclusion
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation76 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip
Usabilityndash HCIndash Infrastructure (setup use changes by end users)
Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation77 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Further Research Needed
Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic
Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-
copy 2017 IBM Corporation78 Jan Camenisch - Cryptography 4 People - Seminar at Universidad Autonoma de Madrid
Conclusion
Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users
Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more
jcazurichibmcom JanCamenisch ibmbizjancamenisch
- IBM Presentation Template Full Version
- Facts
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
- Slide 74
- Slide 75
- Slide 76
- Slide 77
- Slide 78
-