real name registration will there be privacy?
DESCRIPTION
Real Name Registration Will there be privacy?. K.P. Chow 1 , Echo P. Zhang 1 , S.H. Hou 2 & F. Xu 3 July 2013 Hong Kong. 1 University of Hong Kong 2 University of Science and Technology, Beijing 3 Institute of Information Engineering, CAS. Real-Name System. - PowerPoint PPT PresentationTRANSCRIPT
1
Real Name RegistrationWill there be privacy?
K.P. Chow1, Echo P. Zhang1, S.H. Hou2 & F. Xu3
July 2013Hong Kong
1University of Hong Kong2University of Science and Technology, Beijing3Institute of Information Engineering, CAS
Real-Name System• When a user wants to register
an account on a blog, website or bulletin board system, he is required to offer identification credentials including their real name to the network service center
• One may use an on-line pseudonym, however, the person’s real identity would be available if rules or laws are broken
CISC 2
3
Where is real-name system implemented?
CISC
South Korea• The first country implemented real-
name system• Since 28 Jun 2009, 35 Korea websites
have implemented a name registration system according to the newly amended Information and Communications Network Act (Choi Jin-sil Law)
CISC 4
Why real-name system in Korea?• Implemented after the suicide of Choi
Jin-sil ( 崔真实 ) which was said related to malicious comments about her on Internet bulletin boards
• On 23 Aug 2012, the Constitutional Court of Korea ruled unanimously that the real-name requirements is unconstitutional, citing such provision’s violation of freedom of speech in cyberspaceCISC 5
The Korea Constitutional Court said• The system has not been beneficial to
the public, …, number of illegal or malicious postings online has not decreased
• Instead, users moved to foreign Websites
• Also prevent foreigners from expressing their opinions online
CISC 6
7
Who’s next?
CISC
The China Development• 2002 李希光 proposed “Anonymous
should be prohibited on the Internet”
CISC 8http://www.chuanmeijia.com/zt/mingrentang/lixiguang/
Since 2002
• 2003: “real-name registration” at the cyber cafe
• 2004: real-name registration website appeared
• 2005: real-name registration for website administrators
• 2005: real-name registration for QQ group creators and administrators
CISC 9
From 2008• 2008: MIIT (Ministry of Industry and
Information Technology) proposed real-name registration
• 2012: sina.com, sohu.com, 163.com and blog.qq.com implemented real-name registration
• 2013: Chinese government announced real-name registration be implemented by June 2014
CISC 10
11
How the real-name registration be implemented?
CISC
Some requirements• Allows indirect real-name
registration– “ 后台实名、前台匿名”的实名制度
(real-name at the back, pseudonym at the web)
• Practical issues:– Large number of users– Cost to implement should low
CISC 12
Who should be responsible for the registration?• Public security (Police)?• Government department(s)?• Websites or service providers?• Independent authority?
CISC 13
Real-Name RegistrationOur Proposal• Multiple parties involved
– User (U)– Registration center (RC)– Independent authority (IA)– Personal data storage center (PDSC)
• Components– User real-name registration (RN)– User web-name registration (WN)
Real-Name RegistrationEncryption Scheme• Use Shamir’s Secret Sharing Scheme • 2 out of 3: 3 parties sharing the secret and any 2
parties together can decryption the secret• The 3 parties: User (U), Independent Authority
(IA) and Registration Center (RC)• To retrieve the real-name
– For crime case, the Police can request the Court to order the IA and RC to retrieve the real-name
– For personal reason, the User can request the Registration Center to retrieve the real-name
User Real-Name Registration
Registration Center (RC)
Key Server (xi0, yi0)
Data Storage Server
User (U)
1. Submit Personal Authentication Information (PAI)
3. Destroy the PAI 2.1. E pkID(PAI)
2.2a (xi1, yi1)
Private Data Storage Center (PDSC)Independent
Authority (IA)
2.2b (xi2, yi2)
2.2c (xi3, yi3)
User real-name registration
1. REGISTRATION: User connect to the Registration Center using a secure channel and Private Authentication Information (PAI) are submitted to the Registration Center
2. AUTHENTICATION: Registration Center authenticate the identity of the User using the submitted Private Authentication Information (PAI), and then encrypted the PAI
User real-name registration(Authentication)
(2.1) Assign Web-user name (WN) to each user
(2.2) Build public-secret key pair (pkID, skID) and 2-degree polynomial fID for
each user such that fID(0)=skID
(2.3) Use pkID to encrypt user Personal Authentication Information (PAI) and
store (Web-user name WN, pkID, encrypted PAI) in PDSC
(2.4) Generate 4 pairs (xik, yik) such that k=0…3, fID(xik)=yik on the Key
Server in PDSC, keep (xi0, yi0) in Key Server and distribute the other 3 pairs to the User, Registration Center and the Independent Authority
(2.5) Return the Web-user name (WN) to the user
(2.6) In RC, destroy the user Private Authentication Information (PAI) but keep the (Web-user name WN, fID)
Note that we use the polynomial for secret sharing of the skID ,please refer to Shamir’s Secret Sharing Scheme or the supplementary
User Web-name Registration
Website (Service Provider)
Key ServerData Storage Server
User (U)
1. Service Request
2.1. Verify the identity (Ask the question about PAI)
3. Submit N answers (and among them there’s only one correct answer) and the Web-name (WN)
5. Encrypt N answers with pkID
2.2. Send the WN and the question
7. Compare the submitted answer and the retrieved answer, If there’s one and only one correct answer matching the record, return success, otherwise return fail.
PDSC
4. Based on WN, retrieve the pkID
6. Retrieve the encrypted answer w.r.t. WN
User Web-name Registration at the Service Provider
1. The User requests to use the service at Service Provider with Web-user name (WN)
2. The Server Provider asks questions based on Personal Authentication Information (PAI), question sent to both the User and the PDSC
3. The User sends N answers (only 1 is correct) to the Key Server at PDSC
4. The Key Storage Server based on the Web-user name WN, retrieves the pkID and encrypts the N answers, and then sends the encrypted answers to the Data Storage Server.
5. The Data Storage Server compares the encrypted answers with the stored data in the Data Storage Server, if exactly one answer is matched, the Web-user name WN is authenticated
Some Properties1. User A cannot pretend to be User B because he cannot give a right
answer about User B’s Personal Authentication Information (PAI)
2. Users can see their own PAIs but others cannot
3. For a crime case, the Police can make a request to the Court to order the
RC and IA to retrieve the Real-name of the user (RN):
– For example, the Police wants to investigate the user “ 剑客” and makes a
request to the Court to order RC and IA to retrieve the real-name of “ 剑客” .
Based on the input from RC and IA, PDSC constructs the polynomial f 剑客 (.),
find the secret key sk 剑客 by computing f 剑客 (0) and then retrieves the identity
of the Web-name user “ 剑客” .
22
Thank You