2016 IFIP Summer School on Identity Management and Privacy ... · !IoT makes things harder still...

© 2016 IBM Corporation

Cryptography to the Aid

Jan Camenisch

TL Cryptography & PrivacyPrincipal Research Staff MemberMember, IBM Academy of Technology

[email protected]@JanCamenischibm.biz/jancamenisch

2016 IFIP Summer School on Identity Management and Privacy – Karlstad, Sweden

mailto:[email protected]

© 2016 IBM Corporation2 IFIP Summerschool 2016 - Jan Camenisch - IBM Research - Zurich

We are increasingly conducting our daily task electronically, in an increasingly electronic environment, and

Facts

....are becoming increasingly vulnerable to cybercrimes


33% of cyber crimes, including identity theft, take less time than to make a cup of tea.

Facts


10 Years ago, your identity information on the black market was worth $150. Today….

Facts


$4'500'000'000 cost of identity theft worldwide (2015)

Facts


ﾩ

Houston, we have a problem!


ﾩ

Houston, we have a problem!

“Buzz Aldrin's footprints are still up there”(Robin Wilton)


Computers don't forget

! Apps & devices are built to use & generate lots of data

! Data is stored by default & easily duplicated

! Data mining gets ever better

! New (ways of) businesses using personal data

! Humans forget most things quickly

! Paper collects dust in drawers


Where's all my data?

The ways of data are hard to understand

! Devices, operating systems, & apps are getting more complex and intertwined

– Mashups, Ad networks– Machines virtual and realtime configured– Not visible to users, and experts– Data processing changes constantly

! IoT makes things harder still– unprotected network, – devices with low footprint– different operators– no or small UI

→ No control over data and far too easy to loose them


The core problem

Applications are designed with the sandy beach in mind but are then built on the moon.

– Feature creep, security comes last, if at all– Everyone can do apps and sell them – Networks and systems hard not (well) protected


We need paradigm shift: build stuff for the moon

rather than the sandy beach!

Security & Privacy is not a lost cause!


That means:! Reveal only minimal data necessary! Encrypt every bit! Attach usage policies to each bit

Cryptography can do that!

Security & Privacy is not a lost cause!


What does that mean?

We do have the cryptography, but it is hardly used

!Deemed too expensive!Too hard to manage all the keys, fear of loosing keys!Protecting data is considered futile!Often required by law, but these are w/out teeth!Debate about legality of encryption V2.0

On the positive side

! Importance of security and privacy increasingly recognized!Laws are revised


Cryptography to the Aida few examples of rocket science


I. Human – Computer Authentication Done Right

password

Paper-world approach: - store password - better, store hash of password


The problem with paper-world based approach to passwords

salted PW hashcorrect?correct?correct?correct?correct?…correct!!

correct?

! Passwords are mutual secret: need proper protection & cannot be shared! Password (hashes) useless against offline attacks

– Human-memorizable passwords are inherently weak– NIST: 16-character passwords have 30 bits of entropy ≈ 1 billion possibilities– Rig of 25 GPUs tests 350 billion possibilities / second, so ≈ 3ms for 16 chars– 60% of LinkedIn passwords cracked within 24h

! More expensive hash functions provide very little help only– increases verification time as well– does not work for short passwords such as pins etc

! Single-server solutions inherently vulnerable to offline attacks– Server / administrator / hacker can always guess & test

password


The solution: distributed password verification

Setup: Open account w/ password p

p2p1 p2

p1

p =

p


The solution: distributed password verification

Login to account with password p'

! no server alone can test password! passwords safe as long as not all servers are hacked

– off-line attacks no longer possible– on-line attacks can be throttled

! pro-active re-sharing possible! First server

– web-server replaces hash-data files→– user's computer secure against loss or theft of user device→

p'

p2

p'p'

p1

p1 p2=?


How it works in a nutshell [CLN12,CEN15]

E' = (EncX(1/p') ⟐ E)r

= EncX( (p/p')r)

E= EncX(p)x1

E'

E'

p' = p ? ↔

DecX(E') = 1 ?

E=EncX(p)x2

! Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme! At setup: user encrypts p under X: E= EncX(p)! Password verification: check for encryption of 1

! Servers do not learn anything– 1 if passwords match, random number otherwise

! User could even be talking to the wrong servers...

p'


From password to cryptographic keys [CLN12,CLLN14,CEN15]

! One of the servers could be your smart phone, laptop, …! Get key share from if password check succeeded! Decrypt all your files on phone (or stored in the cloud, etc)

k1

k2

p1

p2


From password to cryptographic keys [CLN12,CLLN14,CEN15]

! One of the servers could be your smart phone, laptop, …! Get key share from if password check succeeded! Decrypt all your files on phone (or stored in the cloud, etc)

p'

k1

k2

p1

p2

k

p' p1 p2=?


Alice wants to watch a movie at Movie Streaming Service

Alice

Movie Streaming Service

I wish to see Alice in Wonderland


Alice wants to watch a movie at Movie Streaming Service

Alice


You need:- subscription- be older than 12


Watching the movie with the traditional solution

Alice


ok, here's - my eID - my subscription

Using digital equivalent of paper world, e.g., with X.509 Certificates



Alice


Aha, you are- Alice Doe- born on Dec 12, 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4, 2018

Mplex Customer - #1029347 - Premium Subscription - Expires Jan 13, 2016

...with X.509 Certificates



Alice


Aha, you are- Alice Doe- born on Dec 12, 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4, 2018

Mplex Customer - #1029347 - Premium Subscription - Expires Jan 13, 2016

This is a privacy and security problem! - identity theft - discrimination - profiling, possibly in connection with other services



Alice


With OpenID (similar protocols), e.g., log-in with Facebook



Alice


With OpenID and similar solution, e.g., log-in with Facebook

Aha, Alice is watching a 12+ movie



Alice


With OpenID and similar solution, e.g., log-in with Facebook

Aha, you are- [email protected] 12+Mplex Customer - #1029347 - Premium Subscription - Expires Jan 13, 2016

Aha, Alice is watching a 12+ movie


Proper cryptography solves this: Identity Mixer

When Alice authenticates to the Movie StreamingService with Identity Mixer, all the services learns isthat Alice

has a subscriptionis older than 12

and no more!


Users' Keys:! One secret Identity (secret key)! Many Public Pseudonyms (public keys)

– fully unlinkable– or domain pseudonym (linkable within domain)

Privacy-protecting authentication with Privacy ABCs

→ use a different identity for each communication partner or even per transaction


Certified attributes from Identity provider! Issuing a credential


Name = Alice DoeBirth date = April 3, 1997



Certified attributes from purchasing department! Issuing a credential



I wish to see Alice in Wonderland

You need:- subscription- be older than 12


Proving identity claims! but does not send credentials! only minimal disclosure


- valid subscription - eID with age ≥ 12


Proving Identity Claims: Minimal Disclosure

Alice DoeDec 12, 1998Hauptstr. 7, ZurichCHsingleExp. Aug 4, 2018 ve

rified

ID

Alice DoeAge: 12+Hauptstr 7, ZurichCHsingleExp. Valid ve

rified

ID



Aha, you are- older than 12- have a subscription

Proving identity claims! but does not send credential! only minimal disclosure (Public Verification Key

of issuer)

Transaction is not linkable to any other of Alice's transactions!


You might already have Identity Mixer on your devices

Devices/applications include: mobile phones, laptops, sensors, cars, …

First solution: use digital certificates (X.509) No privacy→

Second solution: use TTP – the privacy CA solution (still no rocket science!)

Privacy CAIssuer


You might already have Identity Mixer on your devices

Alice

Better: use Identity Mixer

! TPM V1.2 (2004) and V2.0 (2015) call it – Direct Anonymous Attestation! FIDO Alliance authentication is standardizing this as well (w/ and w/out chip)

TPMs allow one to store secret key in a secure place!

Issuer


Other examples: secure and privacy access to databases

! DNA databases! News/Journals/Magazines! Patent databaseSandy beach approach: identify & provide record

Cryptography access protocol s.t. database provider has no information about! which user accesses! which data

Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)

???


Healthcare Use Case

Consultations with specialists with prior approval onlySandy beach approach: identify & chat with a psychologist or consultation with IBM Watson

1. Alice show insurance card/number2. Alice describes symptoms 3. Alice gets approval for treatment

0. Alice gets a health insurance card

Insurance

Insurance

Health portal

5. Alice sends bill to insurance who will check whether approvalwas recorded.

(4. Alice gets treatment from physician, hospital, etc)


Healthcare Use Case

Solution with Identity Mixer

1. Alice proves she has insurance2. Alice describes symptoms 3. Alice gets credential that she is allowed to get treatment

0. Alice gets a health insurance credential

Insurance

Insurance

Health portal

5. Alice sends bill to insurance and proves that she had gottenthe necessary permission for the treatment.

4. Alice gets treatment from physician, hospital, etc


Securing Credit Card Payments

Purchase of $15.50cc

cc Number 123456789Expiration 08/2015

Expiration 08/2015“Allow amazon.com up to $300/week”

Expiration 08/2015“Allow amazon.com up to $300/week”

clearinghouse

Expiration 08/2015“Transfer $862 to expedia.com”

Purchase of $862

Expiration 08/2015“Transfer $862 toexpedia.com”

Repeated Credit Cards Payments

Sandy beach approach: store credit card number and authorization on server

Better! Bank issues a classic credit card ! User registers at a special portal to obtain the Identity Mixer credential! User derives a token allowing that store to withdraw the money! Users cannot be linked across purchases/shops! Stored credit card info useless to hackers!


How to maintain related yet distributed data?

Example use case: social security system! Different entities maintain data of citizens! Eventually data needs to be exchanged or correlated

Health Insurance

HospitalDoctor B

Doctor A

Welfare CenterTaxAuthority

Pension Fund

Many other different use case: IoT, Industry 4.0, Home Appliances, Metering, ...


How to maintain related yet distributed data?

Goals:! Different identifiers of same user in different databases

– if data is lost, they should not be easily linkable – entities should not be able to link records on a large scale

! Need to be able to exchange data & translate different identifiers– want to be able to control the scale of that

• frequency• not all domains

Health Insurance

HospitalDoctor B

Doctor A

Welfare CenterTaxAuthority

Pension Fund


Globally Unique Identifier

! user data is associated with globally unique identifier– e.g., social security number, insurance ID

! different entities can easily share & link related data records

ID Data

Bob.0411

Carol.2503

Dave.1906

ID Data

Alice.1210

Bob.0411

Carol.2503

Hospital

Doctor A

Record ofBob.0411?


Globally Unique Identifier

! user data is associated with globally unique identifier– e.g., social security number, insurance ID

! different entities can easily share & link related data records

ID Data

Bob.0411

Carol.2503

Dave.1906

ID Data

Alice.1210

Bob.0411

Carol.2503

Hospital

Doctor A

+ simple data exchange

– no control about data exchange– if records are lost, pieces can be linked together– data has high-value requires strong protection→

Record ofBob.0411?


Using Privacy-ABCs to derive Identifiers

! Use Domain pseudonym

ID Data

fadl039nd

d028naid8

10nziadod

Doctor A

ID Data

o1anlpzAd

Landi1nad

p1msLzna

Hospital



! Use Domain pseudonym! Use credential to ensure consistency

ID Data

fadl039nd

d028naid8

10nziadod

Doctor A

ID Data

o1anlpzAd

Landi1nad

p1msLzna

Hospital



! Use Domain pseudonym! Use credential to ensure consistency! Exchanging records via user and credentials

ID Data

fadl039nd

d028naid8

10nziadod

Doctor A

– data exchange needs to involve user

+ control about data exchange+ lost records are cannot be linked together

ID Data

o1anlpzAd

Landi1nad

p1msLzna

Hospital


Local Pseudonyms & Trusted “Converter”

Make data exchange possible without involving the user! central converter derives independent server-local identifiers from unique identifier! user data is associated with (unlinkable) server-local identifiers aka “pseudonyms”! only converter can link & convert pseudonyms

→ central hub for data exchange

Main ID ID-A ID-H

Alice.1210 Hba02 7twnG

Bob.0411 P89dy ML3m5

Carol.2503 912uj sD7Ab

Dave.1906 5G3wx y2B4m

Converter

ID Data

ML3m5

sD7Ab

y2B4m

ID Data

Hba02

P89dy

912uj

Hospital

Doctor A





Main ID ID-A ID-H





Converter

ID Data

ML3m5

sD7Ab

y2B4m

ID Data

Hba02

P89dy

912uj

Hospital

Doctor A

Record of ML3m5 ?

Record of P89dy from Hospital?





Main ID ID-A ID-H





Converter

ID Data

ML3m5

sD7Ab

y2B4m

ID Data

Hba02

P89dy

912uj

Hospital

Doctor A

Record of ML3m5 ?

Record of P89dy from Hospital?

+ control about data exchange+ if records are lost, pieces cannot be linked together

– converter learns all request & knows all correlations


Blindly Translatable Pseudonyms from Cryptography

Converter

ID Data

ML3m5

sD7Ab

y2B4m

ID Data

Hba02

P89dy

912uj

Hospital

Doctor A

Goal: - Convert pseudonyms without seeing them- Control frequency different orgs ask for conversions


Blindly Translatable Pseudonyms from Cryptography [CL'15]

Converter

Idea: - Pseudonyms need to have mathematical relation- Doctor encrypts pseudonym under Hospital's key- Converter operates translation on encrypted pseudonyms

Plus, for security: - Converter to sign pseudonyms & doctor to prove encrypted pseudonyms were signed- Doctor and Hospital use (symmetric) encryption of pseudonym as identifier

Doctor A Hospital

fC(IDU,kA) enc(pk→ H,fC(IDU,kA)) enc(pkH,fC(IDU,kH)) f→ C(IDU,kH)

nymU(U,A) = enc(xA,fC(IDU,kA))

© 2016 IBM Corporation59 Jan Camenisch - Summer School TrentoAugust 23, 2016

Cryptography to the aid

! Crypto is available but needs to be used– requires some thinking in the design phase: privacy by design– often surprising and paradoxical what is possible – application of crypto is often not straightforward, often it is rocket science

see your favorite cryptographer :-) →

! Literature: some course material with all the cryptography on how to do this– camenisch.org/eprivacy


Further Research Needed!

!Securing the infrastructure & IoT– “ad-hoc” establishment of secure authentication and communication – audit-ability & privacy (where is my information, crime traces)– security services, e.g., better CA, oblivious TTPs, anon. routing, …

!Usability

– HCI– Infrastructure (setup, use, changes by end users)

!Provably secure protocols– Properly modeling protocols (UC, realistic attacks models, ...)– Verifiable security proofs– Retaining efficiency


Further Research Needed!

!Quantum Computers–Lots of new crypto needed still–Build apps algorithm agnostic

!Towards a secure information society–Society gets shaped by quickly changing technology–Consequences are hard to grasp yet–We must inform and engage in a dialog


Conclusion

Let engage in some rocket science!! Much of the needed technology exists! … need to use them & build apps “for the moon”! … and make apps usable & secure for end users

Thank [email protected] @JanCamenisch ibm.biz/jancamenisch

mailto:[email protected]

2016 IFIP Summer School on Identity Management and Privacy ... · !IoT makes things harder still...

Documents

Transcript of 2016 IFIP Summer School on Identity Management and Privacy ... · !IoT makes things harder still...