Privacy Enhancing Technologiesjhh/secsem/2014/pets.pdf · 28-2-2014 3 Jaap-Henk Hoepman // Radboud...
Transcript of Privacy Enhancing Technologiesjhh/secsem/2014/pets.pdf · 28-2-2014 3 Jaap-Henk Hoepman // Radboud...
28-2-2014
1
Jaap-Henk Hoepman
Digital Security (DS)Radboud University Nijmegen, the Netherlands
@xotoxot // [email protected] // www.cs.ru.nl/~jhh
Privacy Enhancing TechnologiesAn Introduction
Jaap-Henk Hoepman // Radboud University Nijmegen //
Agenda
Properties
● Anonymity
● Untraceability
● Unlinkability
Strategies & patterns
PETs
● Remailers
● Blind signatures
● Group signatures
● Zero knowledge protocols
● Credentials/pseudonyms
28-02-2014 // Privacy Enhancing Technologies 2
Jaap-Henk Hoepman // Radboud University Nijmegen //
Properties
Anonimity (vs pseudonymity)
● K-anonimity
Untraceability
Unlinkability
28-02-2014 // Privacy Enhancing Technologies 3 Jaap-Henk Hoepman // Radboud University Nijmegen //
Privacy design strategies
28-02-2014 // Privacy Enhancing Technologies 4
Jaap-Henk Hoepman // Radboud University Nijmegen //
Software development cycle
28-02-2014 // Privacy Enhancing Technologies 5
ConceptDevelopment
Implemen-tation
Privacy enhancing technologies
Jaap-Henk Hoepman // Radboud University Nijmegen //
Levels of abstraction
Design strategy
● “A basic method to achieve a particular design
goal” – that has certain properties that allow it to
be distinguished from other basic design strategies
Design pattern
● “Commonly recurring structure to solve a general
design problem within a particular context”
(Privacy enhancing) technology
● “A coherent set of ICT measures that protects
privacy” – implemented using concrete technology
28-02-2014 // Privacy Enhancing Technologies 6
28-2-2014
2
Jaap-Henk Hoepman // Radboud University Nijmegen //
Data protection law
Core principles
● Data minimisation
● Purpose limitation
● Proportionality
● Subsidiarity
● Data subject rights: consent, (re)view
● Adequate protection
● (Provable) Compliance
28-02-2014 // Privacy Enhancing Technologies 7 Jaap-Henk Hoepman // Radboud University Nijmegen //
ag
gre
gate
minimise
sep
ara
te
hide
inform control
enforcedemonstrate
28-02-2014 // Privacy Enhancing Technologies 8
Jaap-Henk Hoepman // Radboud University Nijmegen //
8 privacy design strategies
Minimise● The amount of PII should be minimal
Separate● Process PII in a distributed fashion
Aggregate● Process PII in the least possible detail
Hide● PII should not be stored in plain view
Enforce
● A privacy policy should be in place and be enforced
Inform● Subjects should be informed when PII is processed
Control● Subjects should have control over when/how PII is processed
Demonstrate
● Compliance to policies and legal requirements must be demonstrated
28-02-2014 // Privacy Enhancing Technologies 9 Jaap-Henk Hoepman // Radboud University Nijmegen //
What about design patterns?
28-02-2014 // Privacy Enhancing Technologies 10
Strategy Patterns Coverage
Minimise Select before you collect,
anonymisation, ….
Separate Distribute, sector-specific pseudonyms
Aggregate Data fuzzing; coarse-grained location
Hide Encryption, onion routing, …..
Enforce Access control, privacy licenses
Inform P3P (?)
Control Informed consent (?)
Demonstrate Privacy management system, logging
Jaap-Henk Hoepman // Radboud University Nijmegen //
Preventing traffic analysis
28-02-2014 // Privacy Enhancing Technologies 11 Jaap-Henk Hoepman // Radboud University Nijmegen //
Traffic analysis
What does adversary control?
● Entry point
● Exit point
● Intermediate nodes
● Intermediate links
28-02-2014 // Privacy Enhancing Technologies 12
28-2-2014
3
Jaap-Henk Hoepman // Radboud University Nijmegen //
Simple remailing
Type 0
● Anon.penet.fi
Type I (= encrypt mail; then type 0)
● Cypherpunks
Type II
● Mixmaster
28-02-2014 // Privacy Enhancing Technologies 13 Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 14
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 15 Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 16
Jaap-Henk Hoepman // Radboud University Nijmegen //
Attacks
28-02-2014 // Privacy Enhancing Technologies 17 Jaap-Henk Hoepman // Radboud University Nijmegen //
Attacks
Trace long messages
● Packet counting
Saturate network to detect messages
● Traffic shaping
Statistical attacks
● Latency attack
● Clogging attack:
is C on a route to E?
28-02-2014 // Privacy Enhancing Technologies 18
28-2-2014
4
Jaap-Henk Hoepman // Radboud University Nijmegen //
Dining cryptographers
28-02-2014 // Privacy Enhancing Technologies 19 Jaap-Henk Hoepman // Radboud University Nijmegen //
Setup
28-02-2014 // Privacy Enhancing Technologies 20
0 1
1
Jaap-Henk Hoepman // Radboud University Nijmegen //
Sending a 1
28-02-2014 // Privacy Enhancing Technologies 21
0 1
1
1
𝑣𝑎𝑙𝑢𝑒 ⊕ (𝑙𝑒𝑓𝑡 ⊕ 𝑟𝑖𝑔ℎ𝑡)
1 = 1⊕ (1⊕ 1)1 = 0⊕ 1
1 = 0⊕ 1
𝑣𝑎𝑙𝑢𝑒 = ⨁𝑖𝑏𝑖𝑡𝑖 = 1⊕ 1⊕ 1 = 1
Jaap-Henk Hoepman // Radboud University Nijmegen //
Questions
Why does this work?
● Because each left or right bit happens twice in the
final sum and is cancelled out using the xor
What can go wrong?
● Collisions
● Last broadcaster can force value
28-02-2014 // Privacy Enhancing Technologies 22
Jaap-Henk Hoepman // Radboud University Nijmegen //
Blind signatures & anonymous e-cash
28-02-2014 // Privacy Enhancing Technologies 23 Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 24
Blind signatures: Digicash
issuer acquirer
mo
ne
yfl
oat
clearing & settlement
28-2-2014
5
Jaap-Henk Hoepman // Radboud University Nijmegen //
Blind signature
28-02-2014 // Privacy Enhancing Technologies 25 Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 26
DigiCash offline coin
jan jansen
blind signature
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
coin number
1 $
jan jansen
jan jansen
01001001.. 10100011..
zdd 01001001.. + 10100011.. = Jan Jansen
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 27
Coin deposit
jan jansen
blind signature
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
coin number
1 $
jan jansen
jan jansen
random
L,R,R,R,L,L, ..
merchant bank
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
coin number
1 $
jan jansen
jan jansen
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 28
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
coin number
1 $
jan jansen
jan jansen
Same coin deposit
jan jansen
blind signature
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
coin number
1 $
jan jansen
jan jansen
random
L,R,L,R,L,L, ..
merchant bank
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
coin number
1 $
jan jansen
jan jansen
jan jansen
privacy revoked!
Jaap-Henk Hoepman // Radboud University Nijmegen //
Zero-knowledge protocols
28-02-2014 // Privacy Enhancing Technologies 29 Jaap-Henk Hoepman // Radboud University Nijmegen //
Zero knowledge
The cave of Ali Baba
28-02-2014 // Privacy Enhancing Technologies 30
28-2-2014
6
Jaap-Henk Hoepman // Radboud University Nijmegen //
Proofs of knowledge
Completeness
● Verifier accepts the proof if the assertion is true
● Assumption: the parties follow the protocol
Soundness
● If the fact is false, the verifier rejects the proof
● Assumption: the parties follow the protocol
Zero knowledge
● No information about the prover’s private input is revealed to the verifier
● The verifier cannot convince a third party of the correctness of the assertion
28-02-2014 // Privacy Enhancing Technologies 31 Jaap-Henk Hoepman // Radboud University Nijmegen //
Schnorr protocol
Cyclic group G with generator g
28-02-2014 // Privacy Enhancing Technologies 32
Jaap-Henk Hoepman // Radboud University Nijmegen //
Completeness?
Soundness?
Zero knowledge?
28-02-2014 // Privacy Enhancing Technologies 33 Jaap-Henk Hoepman // Radboud University Nijmegen //
Questions?
28-02-2014 // Privacy Enhancing Technologies
[email protected], [email protected] , www.cs.ru.nl/~jhh
34
Jaap-Henk Hoepman // Radboud University Nijmegen //
Private handshaking
28-02-2014 // Privacy Enhancing Technologies 35 Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 36
Spot the Fed
28-2-2014
7
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 37
Private handshake
Jaap-Henk Hoepman // Radboud University Nijmegen //
Requirements
28-02-2014 // Privacy Enhancing Technologies 38
Jaap-Henk Hoepman // Radboud University Nijmegen //
Protocol
28-02-2014 // Privacy Enhancing Technologies 39 Jaap-Henk Hoepman // Radboud University Nijmegen //
Attribute based credentials
28-02-2014// Privacy Enhancing Technologies 40
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 41 Jaap-Henk Hoepman // Radboud University Nijmegen //
Typical system
28-02-2014 // Privacy Enhancing Technologies 42
Credential Issuers
User Relying Parties
Scheme Authority
Token Provider
Token
Unforgeability
Non transferability
Unlinkability
Revocatability
28-2-2014
8
Jaap-Henk Hoepman // Radboud University Nijmegen //
How to implement a credential?
Anonymous credentials: 3 techniques
● Use a different one each time
Uprove (Microsoft)
● Prove knowledge of credential
Idemix (IBM)
● Randomise credential each time
Self-blindable (RU)
28-02-2014 // Privacy Enhancing Technologies 43 Jaap-Henk Hoepman // Radboud University Nijmegen //
Self blindable credentials
28-02-2014 // Privacy Enhancing Technologies
Credential Authority (CA)
User (P) Merchant (V)
> 18
44
Jaap-Henk Hoepman // Radboud University Nijmegen //
Self blindable credentials
28-02-2014 // Privacy Enhancing Technologies
User (P) Merchant (V)
> 18> 18> 18
45 Jaap-Henk Hoepman // Radboud University Nijmegen //
Cryptographic implementation
Elliptic curve cryptography
● Points 𝑃 on a curve 𝐸.
● 𝑥𝑃 : multiplying point 𝑃 with scalar 𝑥 ∈ ℤ𝑝.
● CDH assumption: given 𝑥𝑃 and 𝑃 it is hard to compute
𝑥. (Note: division by 𝑥 is easy!).
Pairing / bilinear map e: 𝐺1 × 𝐺2 → 𝐺𝑇● 𝑒 𝑥𝑃, 𝑦𝑄 = 𝑒(𝑃, 𝑄)𝑥𝑦
● DDH now is easy: 𝑒 𝑥𝑃, 𝑦𝑃 = 𝑒 𝑃, 𝑧𝑃 ?
● Type 3: no computably homomorphism 𝜙:𝐺2 → 𝐺1
Public system parameters
● 𝑃 ∈ 𝐸[𝐹𝑝], 𝑄 ∈ 𝐸[𝐹𝑝𝑘], 𝑒
28-02-2014 // Privacy Enhancing Technologies 46
Jaap-Henk Hoepman // Radboud University Nijmegen //
Schnorr
Zero knowledge proof of DL of 𝑋 = 𝑥𝑃
● Prover commits to 𝑅 = 𝑟𝑃 for random 𝑟 ∈ 𝐹𝑝
● Verifier sends random challenge 𝑐 < 𝑝
● Prover sends 𝑠 = 𝑟 + 𝑥𝑐; Verifier checks 𝑅 = 𝑠𝑃 − 𝑐𝑋
Signature on message 𝑚
● Signer commits to 𝑅 = 𝑟𝑃 for random 𝑟 ∈ 𝐹𝑝
● Signer computes 𝑐 = 𝐻(𝑅|𝑚) and 𝑠 = 𝑟 + 𝑥𝑐
● Signature 𝜎 = 𝑅, 𝑐, 𝑠
● To verify, take 𝑅 and 𝑚 to compute 𝑐. Then check 𝑅 = 𝑠𝑃 − 𝑐𝑋
28-02-2014 // Privacy Enhancing Technologies 47 Jaap-Henk Hoepman // Radboud University Nijmegen //
Keys and certificates
28-02-2014 // Privacy Enhancing Technologies
Issuer Prover
Private key 𝒂 𝒌
Public key 𝐴 = 𝑎𝑄 𝐾 = 𝑘𝑃
Certificate 𝐶 = 𝑎𝐾
48
28-2-2014
9
Jaap-Henk Hoepman // Radboud University Nijmegen //
Basic protocol
28-02-2014 // Privacy Enhancing Technologies 49 Jaap-Henk Hoepman // Radboud University Nijmegen //
Basic protocol
28-02-2014 // Privacy Enhancing Technologies 50
Jaap-Henk Hoepman // Radboud University Nijmegen //
Problems with basic protocol
Smart card must be highly secure
● Compromise of a single card (or private key 𝑘𝑖)
allows one to create credentials for everyone
No known way to revoke cards
● Published protocols are insecure because they
make users traceable
28-02-2014 // Privacy Enhancing Technologies
𝐶𝑗 = 𝑘𝑗 (𝐶𝑖𝑘𝑖)
51 Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 52
twitter: @xotoxot blog.xot.nl [email protected] www.cs.ru.nl/~jhh