© 2016 IBM Corporation
Cryptography to the Aid
Jan Camenisch
TL Cryptography & Privacy, Principal Research Staff Member, Member of the IBM Academy of Technology
jca@zurich.ibm.com · @JanCamenisch · ibm.biz/jancamenisch
2016 IFIP Summer School on Identity Management and Privacy – Karlstad, Sweden
© 2016 IBM Corporation | IFIP Summerschool 2016 - Jan Camenisch - IBM Research - Zurich
Facts
- We are increasingly conducting our daily tasks electronically, in an increasingly electronic environment, and ... are becoming increasingly vulnerable to cybercrime.
- 33% of cybercrimes, including identity theft, take less time than making a cup of tea.
- 10 years ago, your identity information on the black market was worth $150. Today....
- $4'500'000'000: the cost of identity theft worldwide (2015).
Houston, we have a problem!
"Buzz Aldrin's footprints are still up there" (Robin Wilton)
Computers don't forget
- Apps & devices are built to use & generate lots of data
- Data is stored by default & easily duplicated
- Data mining gets ever better
- New (ways of) businesses using personal data
- Humans forget most things quickly
- Paper collects dust in drawers
Where's all my data?
The ways of data are hard to understand:
- Devices, operating systems, & apps are getting more complex and intertwined
  - Mashups, ad networks
  - Machines virtual and configured in real time
  - Not visible to users, nor to experts
  - Data processing changes constantly
- IoT makes things harder still
  - unprotected networks
  - devices with a low footprint
  - different operators
  - no or small UI
→ No control over data, and far too easy to lose it
The core problem
Applications are designed with the sandy beach in mind but are then built on the moon.
- Feature creep; security comes last, if at all
- Everyone can do apps and sell them
- Networks and systems are not (well) protected
Security & Privacy is not a lost cause!
We need a paradigm shift: build stuff for the moon rather than the sandy beach!
That means:
- Reveal only the minimal data necessary
- Encrypt every bit
- Attach usage policies to each bit
Cryptography can do that!
What does that mean?
We do have the cryptography, but it is hardly used:
- Deemed too expensive
- Too hard to manage all the keys; fear of losing keys
- Protecting data is considered futile
- Often required by law, but these laws are without teeth
- Debate about the legality of encryption, V2.0
On the positive side:
- Importance of security and privacy is increasingly recognized
- Laws are revised
Cryptography to the Aid: a few examples of rocket science
I. Human – Computer Authentication Done Right
Paper-world approach:
- store the password
- better: store a hash of the password
The problem with the paper-world based approach to passwords
[Figure: an attacker guesses against the salted password hash: correct? correct? correct? ... correct!]
- Passwords are a mutual secret: they need proper protection & cannot be shared
- Password (hashes) are useless against offline attacks
  - Human-memorizable passwords are inherently weak
  - NIST: 16-character passwords have 30 bits of entropy ≈ 1 billion possibilities
  - A rig of 25 GPUs tests 350 billion possibilities / second, so ≈ 3 ms for 16 chars
  - 60% of LinkedIn passwords were cracked within 24h
- More expensive hash functions provide only very little help
  - they increase verification time as well
  - they do not work for short passwords such as PINs etc.
- Single-server solutions are inherently vulnerable to offline attacks
  - Server / administrator / hacker can always guess & test
The solution: distributed password verification
Setup: open an account with password p; p is shared as p1 and p2 between two servers.
[Figure: the user splits p into shares p1 and p2, one per server]
Login to the account with password p'
[Figure: the user sends p' to both servers, which jointly check p' against p1 and p2]
- no server alone can test the password
- passwords are safe as long as not all servers are hacked
  - off-line attacks are no longer possible
  - on-line attacks can be throttled
- pro-active re-sharing is possible
- First server can be
  - the web server → replaces hash-data files
  - the user's computer → secure against loss or theft of the user device
How it works in a nutshell [CLN12, CEN15]
- Servers share the secret key (shares x1 and x2) for the public key X of a homomorphic encryption scheme
- At setup: the user encrypts p under X: E = Enc_X(p); each server stores E together with its key share x_i
- Password verification: the user computes
    E' = (Enc_X(1/p') ⊙ E)^r = Enc_X((p/p')^r)
  and sends E' to the servers, which jointly check for an encryption of 1: Dec_X(E') = 1 ?, i.e. p' = p ?
- Servers do not learn anything: the decryption is 1 if the passwords match, a random number otherwise
- The user could even be talking to the wrong servers...
From password to cryptographic keys [CLN12, CLLN14, CEN15]
- One of the servers could be your smartphone, laptop, ...
- Get a key share (k1, k2) from the servers if the password check succeeded, and combine them into the key k
- Decrypt all your files on the phone (or stored in the cloud, etc.)
[Figure: the user authenticates with p' against shares p1, p2; on success the servers release k1 and k2, which combine to k]
Cryptography to the Aid: a few examples of rocket science
Alice wants to watch a movie at Movie Streaming Service
- Alice: "I wish to see Alice in Wonderland"
- Movie Streaming Service: "You need: a subscription, and to be older than 12"
Watching the movie with the traditional solution
Using the digital equivalent of the paper world, e.g., with X.509 certificates:
- Alice: "ok, here's my eID and my subscription"
- Movie Streaming Service: "Aha, you are Alice Doe, born on Dec 12, 1975, 7 Waterdrive, CH 8003 Zurich, married, expires Aug 4, 2018; Mplex Customer #1029347, Premium Subscription, expires Jan 13, 2016"
This is a privacy and security problem!
- identity theft
- discrimination
- profiling, possibly in connection with other services
With OpenID and similar solutions, e.g., log-in with Facebook:
- Movie Streaming Service: "Aha, you are Alice@facebook.com, 12+; Mplex Customer #1029347, Premium Subscription, expires Jan 13, 2016"
- The identity provider: "Aha, Alice is watching a 12+ movie"
Proper cryptography solves this: Identity Mixer
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
- has a subscription
- is older than 12
and no more!
Privacy-protecting authentication with Privacy ABCs
Users' keys:
- One secret identity (secret key)
- Many public pseudonyms (public keys)
  - fully unlinkable
  - or domain pseudonym (linkable within a domain)
→ use a different identity for each communication partner or even per transaction
Certified attributes from the identity provider: issuing a credential (Name = Alice Doe, Birth date = April 3, 1997)
Certified attributes from the purchasing department: issuing a credential
- Alice: "I wish to see Alice in Wonderland"
- Movie Streaming Service: "You need: a subscription, and to be older than 12"
Proving identity claims: Alice does not send her credentials, only a minimal disclosure (verifiable under the public verification key of the issuer) that she has
- a valid subscription
- an eID with age ≥ 12
Proving identity claims: minimal disclosure
[Figure: the full verified eID (Alice Doe, Dec 12, 1998, Hauptstr. 7, Zurich, CH, single, Exp. Aug 4, 2018) next to the minimal-disclosure view, which reveals only Age: 12+ and Exp. valid and keeps the other fields hidden]
Movie Streaming Service: "Aha, you are older than 12 and have a subscription"
The transaction is not linkable to any other of Alice's transactions!
You might already have Identity Mixer on your devices
Devices/applications include: mobile phones, laptops, sensors, cars, ...
- First solution: use digital certificates (X.509) → no privacy
- Second solution: use a TTP, the privacy CA solution (still no rocket science!)
- Better: use Identity Mixer
  - TPM V1.2 (2004) and V2.0 (2015) call it Direct Anonymous Attestation
  - FIDO Alliance authentication is standardizing this as well (with and without chip)
TPMs allow one to store the secret key in a secure place!
Other examples: secure and private access to databases
- DNA databases
- News / journals / magazines
- Patent databases
Sandy beach approach: identify the user & provide the record
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Cryptographic access protocol such that the database provider has no information about
- which user accesses
- which data
Healthcare Use Case
Consultations with specialists with prior approval only
Sandy beach approach: identify & chat with a psychologist, or consultation with IBM Watson
0. Alice gets a health insurance card (Insurance)
1. Alice shows her insurance card/number (Health portal)
2. Alice describes symptoms
3. Alice gets approval for treatment
(4. Alice gets treatment from a physician, hospital, etc.)
5. Alice sends the bill to the insurance, which will check whether the approval was recorded.
Solution with Identity Mixer
0. Alice gets a health insurance credential (Insurance)
1. Alice proves she has insurance (Health portal)
2. Alice describes symptoms
3. Alice gets a credential that she is allowed to get treatment
4. Alice gets treatment from a physician, hospital, etc.
5. Alice sends the bill to the insurance and proves that she had gotten the necessary permission for the treatment.
Securing Credit Card Payments
[Figure: cc Number 123456789, Expiration 08/2015; "Allow amazon.com up to $300/week" for a purchase of $15.50; "Transfer $862 to expedia.com" for a purchase of $862; authorizations flow through a clearinghouse]
Repeated credit card payments
Sandy beach approach: store the credit card number and authorization on the server
Better:
- Bank issues a classic credit card
- User registers at a special portal to obtain the Identity Mixer credential
- User derives a token allowing that store to withdraw the money
- Users cannot be linked across purchases/shops
- Stored credit card info is useless to hackers!
Cryptography to the Aid: a few examples of rocket science
How to maintain related yet distributed data?
Example use case: social security system
- Different entities maintain data of citizens: Health Insurance, Hospital, Doctor A, Doctor B, Welfare Center, Tax Authority, Pension Fund
- Eventually data needs to be exchanged or correlated
Many other different use cases: IoT, Industry 4.0, home appliances, metering, ...
Goals:
- Different identifiers of the same user in different databases
  - if data is lost, they should not be easily linkable
  - entities should not be able to link records on a large scale
- Need to be able to exchange data & translate different identifiers
  - want to be able to control the scale of that
    • frequency
    • not all domains
Globally Unique Identifier
- user data is associated with a globally unique identifier, e.g., social security number, insurance ID
- different entities can easily share & link related data records
Hospital records (ID, Data): Bob.0411, Carol.2503, Dave.1906
Doctor A records (ID, Data): Alice.1210, Bob.0411, Carol.2503
Doctor A to Hospital: "Record of Bob.0411?"
+ simple data exchange
– no control over data exchange
– if records are lost, pieces can be linked together
– data has high value → requires strong protection
Using Privacy-ABCs to derive Identifiers
- Use domain pseudonyms
- Use the credential to ensure consistency
- Exchange records via the user and credentials
Doctor A records (ID, Data): fadl039nd, d028naid8, 10nziadod
Hospital records (ID, Data): o1anlpzAd, Landi1nad, p1msLzna
– data exchange needs to involve the user
+ control over data exchange
+ lost records cannot be linked together
Local Pseudonyms & Trusted "Converter"
Make data exchange possible without involving the user:
- a central converter derives independent server-local identifiers from the unique identifier
- user data is associated with (unlinkable) server-local identifiers aka "pseudonyms"
- only the converter can link & convert pseudonyms
→ central hub for data exchange
Converter table:
  Main ID      ID-A    ID-H
  Alice.1210   Hba02   7twnG
  Bob.0411     P89dy   ML3m5
  Carol.2503   912uj   sD7Ab
  Dave.1906    5G3wx   y2B4m
Hospital records (ID, Data): ML3m5, sD7Ab, y2B4m
Doctor A records (ID, Data): Hba02, P89dy, 912uj
Doctor A to Converter: "Record of P89dy from Hospital?"  Converter to Hospital: "Record of ML3m5?"
+ control over data exchange
+ if records are lost, pieces cannot be linked together
– converter learns all requests & knows all correlations
Blindly Translatable Pseudonyms from Cryptography [CL'15]
Goal:
- Convert pseudonyms without seeing them
- Control the frequency with which different orgs ask for conversions
Idea:
- Pseudonyms need to have a mathematical relation
- Doctor encrypts the pseudonym under the Hospital's key
- Converter performs the translation on the encrypted pseudonyms
Plus, for security:
- Converter signs the pseudonyms & Doctor proves that the encrypted pseudonyms were signed
- Doctor and Hospital use a (symmetric) encryption of the pseudonym as their local identifier
Doctor A: f_C(ID_U, k_A) → enc(pk_H, f_C(ID_U, k_A)) → Converter → enc(pk_H, f_C(ID_U, k_H)) → Hospital: f_C(ID_U, k_H)
nym(U, A) = enc(x_A, f_C(ID_U, k_A))
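A worked example of the blind conversion above, which also stands in for the trusted-converter table of the preceding slides; it is added for this transcript and is not code from [CL'15] or from IBM. Pseudonyms are f_C(ID_U, k_A) = g^(H(ID_U)·k_A) over a toy group, Doctor A encrypts its pseudonym with ElGamal under the Hospital's key, and the converter re-keys the ciphertext with the exponent k_H / k_A while enforcing a per-pair conversion budget. The group parameters, the hash-to-group mapping and the budget rule are assumptions of this example, as is leaving out the signature-and-proof step and the local symmetric re-encryption of the pseudonym.

```python
import hashlib
import secrets

# Toy safe prime p = 2q + 1 and generator g of its order-q subgroup,
# constructed for this example; production would use a 2048-bit group or
# an elliptic curve.
P, Q, G = 10007, 5003, 4

def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1           # uniform in [1, q-1]

def keygen() -> tuple:
    x = rand_exp()
    return x, pow(G, x, P)                         # (secret key, public key)

def encrypt(pk: int, m: int) -> tuple:
    s = rand_exp()
    return pow(G, s, P), (m * pow(pk, s, P)) % P   # ElGamal (g^s, m * pk^s)

def decrypt(sk: int, ct: tuple) -> int:
    return (ct[1] * pow(pow(ct[0], sk, P), -1, P)) % P

class Converter:
    """Holds one conversion key k_A per organisation plus a per-pair
    conversion budget; it stores neither pseudonyms nor user data."""

    def __init__(self, orgs, budget: int):
        self.k = {o: rand_exp() for o in orgs}
        self.used, self.budget = {}, budget

    def pseudonym(self, uid: str, org: str) -> int:
        """f_C(ID_U, k_A) = z_U^{k_A} with z_U = g^H(ID_U), handed to org A
        at enrolment.  Without the k's, U's pseudonyms at two orgs look like
        unrelated group elements (DDH)."""
        h = int.from_bytes(hashlib.sha256(uid.encode()).digest(), "big")
        return pow(pow(G, h % Q, P), self.k[org], P)

    def convert(self, ct: tuple, src: str, dst: str) -> tuple:
        """Blindly turn Enc(pk_dst, f_C(ID, k_src)) into Enc(pk_dst, f_C(ID, k_dst))
        by raising both ciphertext components to k_dst / k_src: ElGamal is
        homomorphic under exponentiation, so the converter sees neither
        pseudonym yet still counts how often src asks about dst."""
        n = self.used.get((src, dst), 0)
        if n >= self.budget:
            raise PermissionError(f"conversion budget {src}->{dst} exhausted")
        self.used[(src, dst)] = n + 1
        delta = (self.k[dst] * pow(self.k[src], -1, Q)) % Q
        return pow(ct[0], delta, P), pow(ct[1], delta, P)

def lookup(conv: Converter, nym_src: int, src: str, dst: str,
           pk_dst: int, sk_dst: int) -> int:
    """Doctor A (src) asks for U's record at the Hospital (dst): A encrypts
    its own pseudonym for U under pk_H, the converter translates it, and H
    decrypts to obtain its own pseudonym for U.  Left out, as on the slide:
    the converter's signature on pseudonyms and A's proof that the ciphertext
    holds a signed one, which keep A from submitting arbitrary values."""
    ct = encrypt(pk_dst, nym_src)
    return decrypt(sk_dst, conv.convert(ct, src, dst))
```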
Conclusion
© 2016 IBM Corporation | Jan Camenisch - Summer School Trento, August 23, 2016
Cryptography to the aid
- Crypto is available but needs to be used
  - requires some thinking in the design phase: privacy by design
  - often surprising and paradoxical what is possible
  - application of crypto is often not straightforward; often it is rocket science → see your favorite cryptographer :-)
- Literature: some course material with all the cryptography on how to do this: camenisch.org/eprivacy
Further Research Needed!
- Securing the infrastructure & IoT
  - "ad-hoc" establishment of secure authentication and communication
  - auditability & privacy (where is my information, crime traces)
  - security services, e.g., better CAs, oblivious TTPs, anonymous routing, ...
- Usability
  - HCI
  - Infrastructure (setup, use, changes by end users)
- Provably secure protocols
  - Properly modeling protocols (UC, realistic attack models, ...)
  - Verifiable security proofs
  - Retaining efficiency
- Quantum computers
  - Lots of new crypto still needed
  - Build apps algorithm-agnostic
- Towards a secure information society
  - Society gets shaped by quickly changing technology
  - Consequences are hard to grasp yet
  - We must inform and engage in a dialog
Conclusion
Let's engage in some rocket science!
- Much of the needed technology exists
- ... we need to use it & build apps "for the moon"
- ... and make apps usable & secure for end users
Thank you! jca@zurich.ibm.com · @JanCamenisch · ibm.biz/jancamenisch