attribute-based authentication

Privacy-enhancing Attribute-based Authentication

Presenting works of the EU ProjectsPrimeLife and ABC4Trust

Slides provided by theIBM Research – Zurich identity and privacy team

(mostly from Jan Camenisch, Anja Lehmann, Gregory Neven)

Authentication and Anonymity?

[ Pictures: PCStelcom, BeautifulRailroadBridgeOverTheSilveryTay.Wordpress ]

ABC4Trust & PrimeLife − Tutorial − 10.06.2011 1

ABC4Trust & PrimeLife Tutorial

Part I: Introduction to

Privacy-Preserving Authentication

Anja Lehmann, IBM Research – Zurich, 10.06.2011


Authentication

User Verifier

Issuer

I am Alice Doe and I'm over 18!

Convince me! btw … I trust the Issuer

credential

show credential


Authentication

credential / certificate

signed list of attribute-value pairs

name= Alice Doe

birth date = 1973/01/26

signed by the issuer


Signature Scheme

priv

Verify( , , ) = true

message

public key

private key

signature

= Sign( , ) priv


Signature Scheme | Unforgeability

priv

public key

private key

Verify( , , ) = true

such that

© 2009 IBM Corporation

●

● Sechste Gliederungsebene● Siebente Gliederungsebene

● Achte Gliederungsebene● Neunte Gliederungsebene

Classical Authentication


Standard Public-Key Certificates

e.g., X.509 certificates

In the beginning…




Obtaining a certificate…

name = Alice Doe,birth date = 1973/01/26, pk =




Using a certificate…


full attribute disclosurefull attribute disclosure

linkable by certificate & public key linkable by certificate & public key




Using a certificate again…


name = Alice Doe,birth date = 1973/01/26,

pk =

linkable when used multiple times linkable when used multiple times


●



Privacy-Preserving Authentication


Privacy-Preserving Authentication: General Concepts

Basic Functionality

Minimal Disclosure Tokens

Pseudonyms and Combining/Binding of Multiple Tokens

Minimal Disclosure Wallets

Extensions Revocation Usage Limitation Inspection ...



In the beginning…

ABC4Trust & PrimeLife − Tutorial − 10.06.2011



Obtaining a token…



Using a token …


name = Alice Doe,birth date = 1973/01/26


Using a token …

issuance and showing are unlinkableissuance and showing are unlinkable


name = ?,birth date = 1973/01/26


Using a token …

selective attribute disclosureselective attribute disclosure



Protection of user's privacy

anonymity

unlinkeability (single-use)

selective disclosure

Unforgeability of tokens




Unforgeability: Alice should not be able to show a token

that she never obtained




Basic Functionality




Extensions Revocation Usage Limitation Inspection ...



extended version of minimal disclosure tokens:


pseudonymity

unlinkeability (multi-use)

using/combining multiple credentials


Unforgeability of credentials

Consistency of credentials (no sharing)



In the beginning…

master key= unique private identity



Obtaining a credential…

pseudonym= ephemeral public identity


name = Alice Doe,birth date = 1973/01/26, nym =


Obtaining a credential…



Using a credential…




Using a credential…

selective attribute disclosureselective attribute disclosure

issuance and showing are unlinkableissuance and showing are unlinkable




multi-show unlinkabilitymulti-show unlinkabilityname = Alice Doe,birth date = ?

Using a credential again…


passport: birth date = 1973/01/26driver's license: vehicle cat B


Using multiple credentials…

passport

driver's license




pseudonymity










Sharing Prevention: Alice and Eve should not be able to share credential




pseudonymity








Basic Functionality




Extensions Predicates over Attributes Revocation Device Binding Inspection Usage Limitation ...


Predicates over attributes

Credentials on hidden attributes

Device binding

Domain pseudonym

Revocation of credentials

Inspection of credentials/attributes

Usage limitation

Censorable Audit Logs

Extended Functionality


name = ?,birth date > 1993/06/10

Predicate Over Attributes

= 1973/01/26

Range ProofsAge > 18, 10 < Age < 16, …

credit card expiration date > today

Set Membershipstatus: {children, student, senior}

Logical Combinations(credit card status = silver or gold) and valid driver's license

is user over 18?


Predicates over attributes

Credentials on hidden attributes

Device binding

Domain pseudonym

Revocation of credentials

Inspection of credentials/attributes

Usage limitation

Censorable Audit Logs

Extended Functionality


Credentials on Hidden Attributes

name = Alice Doe birth date =



User can prove statements on hidden attributes

similar to usage of pseudonyms = commitments to master secret


●



The idemix Library


Implementation available :-)

Identity Mixer is an implementation of Private Credentials Provides a library with all the crypto

Issuing credentials Transforming credentials according to a specified statement

(policy) Includes many of the features discussed

Provides a credential-based AC engine Relying party specifies attributes & credentials requirements User matches that to available credentials and generates

„evidence“ Get it at www.PrimeLife.eu/opensource and use it

..as do a number of projects already :-)

http://www.PrimeLife.eu/opensource


Authentication/Access Control Engine


Card-based access requirements language (CARL)

Policy and proof presentation in CARL and SAML/XACML

• Policy: requirements on owned cards, e.g.,

own p::Passport issued-by admin.ch, fgov.be, governo.it own c::Creditcard issued-by visa.com, amex.comreveal c.number, c.expdatewhere p.name = c.name ^ p.bdate < today-18Y ^ c.expdate > today ^ p.expdate > today+1M

• Authentication = claim over owned cards + evidence, e.g., own p::Passport issued-by admin.chown c::Creditcard issued-by visa.comreveal c.number = “1234567890”reveal c.expdate = “31/12/2012”where p.name = c.name ^ p.bdate < 22/03/1993 ^ p.expdate > 22/04/2011

IBM Identity Mixer: Framework

Signatures on lists of messages

(Credentials)

Efficient zero-knowledge proofs

Crypto Token Layer

PseudonymsCommitments

VerifiableEncryptio0n

VerifiableRandom FunctionsRevocation

Minimal disclosure

tokens

Group signatures

Direct Anonymousattestation

FullCredential

system…

U-Provesigs

CLsigs

Policy Layer

Composedschemes

Buildingblocks

Instan-tiations


“Token Transforming” Language

Declaration{ id1:unrevealed:string; id2:unrevealed:string; id3:unrevealed:int; id4:unrevealed:enum; id5:revealed:string; id6:unrevealed:enum }

ProvenStatements{Credentials{ randName1:http://www.ch.ch/passport/v2010/chPassport10.xml =

{ FirstName:id1, LastName:id2, CivilStatus:id4 } randName2:http://www.ibm.com/employee/employeeCred.xml =

{LastName:id2, Position:id5, Band:5, YearsOfEmployment:id3 } randName3:http://www.ch.ch/health/v2010/healthCred10.xml =

{ FirstName:id1, LastName:id2, Diet:id6 } } Inequalities{ {http://www.ibm.com/employee/ipk.xml, geq[id3,4]} } Commitments{ randCommName1 = {id1,id2}; randCommName2 = {id6} } Representations{ randRepName = {id5,id2; base1,base2} } Pseudonyms{ randNymName; http://www.ibm.com/employee/ }

VerifiableEncryptions{ {PublicKey1, Label, id2} } Message { randMsgName = “Term 1:We will use this data only for ...” }}


ABC4Trust & PrimeLife Tutorial

Questions?

www.abc4trust.eu

www.primelife.eu

www.zurich.ibm.com/security/idemix

Jan Camenisch, IBM Research – Zurich, 10.06.2011

http://www.abc4trust.eu/

http://www.zurich.ibm.com/security/idemix

attribute-based authentication

Technology