28-2-2014

1

Jaap-Henk Hoepman

Digital Security (DS)Radboud University Nijmegen, the Netherlands

@xotoxot // jhh@cs.ru.nl // www.cs.ru.nl/~jhh

Privacy Enhancing TechnologiesAn Introduction

Jaap-Henk Hoepman // Radboud University Nijmegen //

Agenda

Properties

● Anonymity

● Untraceability

● Unlinkability

Strategies & patterns

PETs

● Remailers

● Blind signatures

● Group signatures

● Zero knowledge protocols

● Credentials/pseudonyms

28-02-2014 // Privacy Enhancing Technologies 2

Jaap-Henk Hoepman // Radboud University Nijmegen //

Properties

Anonimity (vs pseudonymity)

● K-anonimity

Untraceability

Unlinkability

28-02-2014 // Privacy Enhancing Technologies 3 Jaap-Henk Hoepman // Radboud University Nijmegen //

Privacy design strategies

28-02-2014 // Privacy Enhancing Technologies 4

Jaap-Henk Hoepman // Radboud University Nijmegen //

Software development cycle

28-02-2014 // Privacy Enhancing Technologies 5

ConceptDevelopment

Implemen-tation

Privacy enhancing technologies

Jaap-Henk Hoepman // Radboud University Nijmegen //

Levels of abstraction

Design strategy

● “A basic method to achieve a particular design

goal” – that has certain properties that allow it to

be distinguished from other basic design strategies

Design pattern

● “Commonly recurring structure to solve a general

design problem within a particular context”

(Privacy enhancing) technology

● “A coherent set of ICT measures that protects

privacy” – implemented using concrete technology

28-02-2014 // Privacy Enhancing Technologies 6

28-2-2014

2

Jaap-Henk Hoepman // Radboud University Nijmegen //

Data protection law

Core principles

● Data minimisation

● Purpose limitation

● Proportionality

● Subsidiarity

● Data subject rights: consent, (re)view

● Adequate protection

● (Provable) Compliance

28-02-2014 // Privacy Enhancing Technologies 7 Jaap-Henk Hoepman // Radboud University Nijmegen //

ag

gre

gate

minimise

sep

ara

te

hide

inform control

enforcedemonstrate

28-02-2014 // Privacy Enhancing Technologies 8

Jaap-Henk Hoepman // Radboud University Nijmegen //

8 privacy design strategies

Minimise● The amount of PII should be minimal

Separate● Process PII in a distributed fashion

Aggregate● Process PII in the least possible detail

Hide● PII should not be stored in plain view

Enforce

● A privacy policy should be in place and be enforced

Inform● Subjects should be informed when PII is processed

Control● Subjects should have control over when/how PII is processed

Demonstrate

● Compliance to policies and legal requirements must be demonstrated

28-02-2014 // Privacy Enhancing Technologies 9 Jaap-Henk Hoepman // Radboud University Nijmegen //

What about design patterns?

28-02-2014 // Privacy Enhancing Technologies 10

Strategy Patterns Coverage

Minimise Select before you collect,

anonymisation, ….

Separate Distribute, sector-specific pseudonyms

Aggregate Data fuzzing; coarse-grained location

Hide Encryption, onion routing, …..

Enforce Access control, privacy licenses

Inform P3P (?)

Control Informed consent (?)

Demonstrate Privacy management system, logging

Jaap-Henk Hoepman // Radboud University Nijmegen //

Preventing traffic analysis

28-02-2014 // Privacy Enhancing Technologies 11 Jaap-Henk Hoepman // Radboud University Nijmegen //

Traffic analysis

What does adversary control?

● Entry point

● Exit point

● Intermediate nodes

● Intermediate links

28-02-2014 // Privacy Enhancing Technologies 12

28-2-2014

3

Jaap-Henk Hoepman // Radboud University Nijmegen //

Simple remailing

Type 0

● Anon.penet.fi

Type I (= encrypt mail; then type 0)

● Cypherpunks

Type II

● Mixmaster

28-02-2014 // Privacy Enhancing Technologies 13 Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 14

Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 15 Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 16

Jaap-Henk Hoepman // Radboud University Nijmegen //

Attacks

28-02-2014 // Privacy Enhancing Technologies 17 Jaap-Henk Hoepman // Radboud University Nijmegen //

Attacks

Trace long messages

● Packet counting

Saturate network to detect messages

● Traffic shaping

Statistical attacks

● Latency attack

● Clogging attack:

is C on a route to E?

28-02-2014 // Privacy Enhancing Technologies 18

28-2-2014

4

Jaap-Henk Hoepman // Radboud University Nijmegen //

Dining cryptographers

28-02-2014 // Privacy Enhancing Technologies 19 Jaap-Henk Hoepman // Radboud University Nijmegen //

Setup

28-02-2014 // Privacy Enhancing Technologies 20

0 1

1

Jaap-Henk Hoepman // Radboud University Nijmegen //

Sending a 1

28-02-2014 // Privacy Enhancing Technologies 21

0 1

1

1

𝑣𝑎𝑙𝑢𝑒 ⊕ (𝑙𝑒𝑓𝑡 ⊕ 𝑟𝑖𝑔ℎ𝑡)

1 = 1⊕ (1⊕ 1)1 = 0⊕ 1

1 = 0⊕ 1

𝑣𝑎𝑙𝑢𝑒 = ⨁𝑖𝑏𝑖𝑡𝑖 = 1⊕ 1⊕ 1 = 1

Jaap-Henk Hoepman // Radboud University Nijmegen //

Questions

Why does this work?

● Because each left or right bit happens twice in the

final sum and is cancelled out using the xor

What can go wrong?

● Collisions

● Last broadcaster can force value

28-02-2014 // Privacy Enhancing Technologies 22

Jaap-Henk Hoepman // Radboud University Nijmegen //

Blind signatures & anonymous e-cash

28-02-2014 // Privacy Enhancing Technologies 23 Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 24

Blind signatures: Digicash

issuer acquirer

mo

ne

yfl

oat

clearing & settlement

28-2-2014

5

Jaap-Henk Hoepman // Radboud University Nijmegen //

Blind signature

28-02-2014 // Privacy Enhancing Technologies 25 Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 26

DigiCash offline coin

jan jansen

blind signature

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

coin number

1 $

jan jansen

jan jansen

01001001.. 10100011..

zdd 01001001.. + 10100011.. = Jan Jansen

Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 27

Coin deposit

jan jansen

blind signature

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

coin number

1 $

jan jansen

jan jansen

random

L,R,R,R,L,L, ..

merchant bank

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

coin number

1 $

jan jansen

jan jansen

Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 28

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

coin number

1 $

jan jansen

jan jansen

Same coin deposit

jan jansen

blind signature

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

coin number

1 $

jan jansen

jan jansen

random

L,R,L,R,L,L, ..

merchant bank

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

jan jansen

coin number

1 $

jan jansen

jan jansen

jan jansen

privacy revoked!

Jaap-Henk Hoepman // Radboud University Nijmegen //

Zero-knowledge protocols

28-02-2014 // Privacy Enhancing Technologies 29 Jaap-Henk Hoepman // Radboud University Nijmegen //

Zero knowledge

The cave of Ali Baba

28-02-2014 // Privacy Enhancing Technologies 30

28-2-2014

6

Jaap-Henk Hoepman // Radboud University Nijmegen //

Proofs of knowledge

Completeness

● Verifier accepts the proof if the assertion is true

● Assumption: the parties follow the protocol

Soundness

● If the fact is false, the verifier rejects the proof

● Assumption: the parties follow the protocol

Zero knowledge

● No information about the prover’s private input is revealed to the verifier

● The verifier cannot convince a third party of the correctness of the assertion

28-02-2014 // Privacy Enhancing Technologies 31 Jaap-Henk Hoepman // Radboud University Nijmegen //

Schnorr protocol

Cyclic group G with generator g

28-02-2014 // Privacy Enhancing Technologies 32

Jaap-Henk Hoepman // Radboud University Nijmegen //

Completeness?

Soundness?

Zero knowledge?

28-02-2014 // Privacy Enhancing Technologies 33 Jaap-Henk Hoepman // Radboud University Nijmegen //

Questions?

28-02-2014 // Privacy Enhancing Technologies

jaap-henk.hoepman@tno.nl, jhh@cs.ru.nl , www.cs.ru.nl/~jhh

34

Jaap-Henk Hoepman // Radboud University Nijmegen //

Private handshaking

28-02-2014 // Privacy Enhancing Technologies 35 Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 36

Spot the Fed

28-2-2014

7

Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 37

Private handshake

Jaap-Henk Hoepman // Radboud University Nijmegen //

Requirements

28-02-2014 // Privacy Enhancing Technologies 38

Jaap-Henk Hoepman // Radboud University Nijmegen //

Protocol

28-02-2014 // Privacy Enhancing Technologies 39 Jaap-Henk Hoepman // Radboud University Nijmegen //

Attribute based credentials

28-02-2014// Privacy Enhancing Technologies 40

Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 41 Jaap-Henk Hoepman // Radboud University Nijmegen //

Typical system

28-02-2014 // Privacy Enhancing Technologies 42

Credential Issuers

User Relying Parties

Scheme Authority

Token Provider

Token

Unforgeability

Non transferability

Unlinkability

Revocatability

28-2-2014

8

Jaap-Henk Hoepman // Radboud University Nijmegen //

How to implement a credential?

Anonymous credentials: 3 techniques

● Use a different one each time

Uprove (Microsoft)

● Prove knowledge of credential

Idemix (IBM)

● Randomise credential each time

Self-blindable (RU)

28-02-2014 // Privacy Enhancing Technologies 43 Jaap-Henk Hoepman // Radboud University Nijmegen //

Self blindable credentials

28-02-2014 // Privacy Enhancing Technologies

Credential Authority (CA)

User (P) Merchant (V)

> 18

44

Jaap-Henk Hoepman // Radboud University Nijmegen //

Self blindable credentials

28-02-2014 // Privacy Enhancing Technologies

User (P) Merchant (V)

> 18> 18> 18

45 Jaap-Henk Hoepman // Radboud University Nijmegen //

Cryptographic implementation

Elliptic curve cryptography

● Points 𝑃 on a curve 𝐸.

● 𝑥𝑃 : multiplying point 𝑃 with scalar 𝑥 ∈ ℤ𝑝.

● CDH assumption: given 𝑥𝑃 and 𝑃 it is hard to compute

𝑥. (Note: division by 𝑥 is easy!).

Pairing / bilinear map e: 𝐺1 × 𝐺2 → 𝐺𝑇● 𝑒 𝑥𝑃, 𝑦𝑄 = 𝑒(𝑃, 𝑄)𝑥𝑦

● DDH now is easy: 𝑒 𝑥𝑃, 𝑦𝑃 = 𝑒 𝑃, 𝑧𝑃 ?

● Type 3: no computably homomorphism 𝜙:𝐺2 → 𝐺1

Public system parameters

● 𝑃 ∈ 𝐸[𝐹𝑝], 𝑄 ∈ 𝐸[𝐹𝑝𝑘], 𝑒

28-02-2014 // Privacy Enhancing Technologies 46

Jaap-Henk Hoepman // Radboud University Nijmegen //

Schnorr

Zero knowledge proof of DL of 𝑋 = 𝑥𝑃

● Prover commits to 𝑅 = 𝑟𝑃 for random 𝑟 ∈ 𝐹𝑝

● Verifier sends random challenge 𝑐 < 𝑝

● Prover sends 𝑠 = 𝑟 + 𝑥𝑐; Verifier checks 𝑅 = 𝑠𝑃 − 𝑐𝑋

Signature on message 𝑚

● Signer commits to 𝑅 = 𝑟𝑃 for random 𝑟 ∈ 𝐹𝑝

● Signer computes 𝑐 = 𝐻(𝑅|𝑚) and 𝑠 = 𝑟 + 𝑥𝑐

● Signature 𝜎 = 𝑅, 𝑐, 𝑠

● To verify, take 𝑅 and 𝑚 to compute 𝑐. Then check 𝑅 = 𝑠𝑃 − 𝑐𝑋

28-02-2014 // Privacy Enhancing Technologies 47 Jaap-Henk Hoepman // Radboud University Nijmegen //

Keys and certificates

28-02-2014 // Privacy Enhancing Technologies

Issuer Prover

Private key 𝒂 𝒌

Public key 𝐴 = 𝑎𝑄 𝐾 = 𝑘𝑃

Certificate 𝐶 = 𝑎𝐾

48

28-2-2014

9

Jaap-Henk Hoepman // Radboud University Nijmegen //

Basic protocol

28-02-2014 // Privacy Enhancing Technologies 49 Jaap-Henk Hoepman // Radboud University Nijmegen //

Basic protocol

28-02-2014 // Privacy Enhancing Technologies 50

Jaap-Henk Hoepman // Radboud University Nijmegen //

Problems with basic protocol

Smart card must be highly secure

● Compromise of a single card (or private key 𝑘𝑖)

allows one to create credentials for everyone

No known way to revoke cards

● Published protocols are insecure because they

make users traceable

28-02-2014 // Privacy Enhancing Technologies

𝐶𝑗 = 𝑘𝑗 (𝐶𝑖𝑘𝑖)

51 Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 52

twitter: @xotoxot blog.xot.nl jhh@cs.ru.nl www.cs.ru.nl/~jhh