
WISTP’08 ©LAM2008 15/05/2008 A Self-Certified and Sybil-Free Framework for Secure Digital Identity Domain Buildup Christer Andersson Markulf Kohlweiss.


1 WISTP’08 ©LAM2008 15/05/2008
A Self-Certified and Sybil-Free Framework for Secure Digital Identity Domain Buildup
- Christer Andersson, Karlstad Univ., Sweden
- Markulf Kohlweiss, KU Leuven, Belgium
- Leonardo Martucci, Karlstad Univ., Sweden
- Andriy Panchenko, RWTH Aachen, Germany

2 What is this presentation about?
- framework for setting groups with privacy requirements
- pseudonyms and zero-knowledge proofs
- can be deployed for different applications
- for aiding admission control schemes
- suitable (also) for distributed environments
- the problem addressed in this presentation: assuming an initial Sybil-free set, how to build privacy-friendly subsets?
* this paper extends the paper “Self-Certified Sybil-Free Pseudonyms” – ACM WiSec’08

3 A Self-Certified and Sybil-Free Framework for Secure Digital Identity Domain Buildup

4 Defining Identity Domains
- set of identifiers used for a given context or application
[Diagram labels: identifiers; Identity Domain; used for a given application]

5 Applications and Identity Domains
- networked environments with need for cooperation
- Reputation Systems
- e-Voting
- Anonymous Communication Systems
- Chat rooms / Forums
- …
- applications that require identity domains

6 Example: Sets and e-Voting
[Diagram labels: a set of voters; a subset that votes; next election; sets A, A ∩ B, A ∩ C, A ∩ D]

7 Privacy-friendly e-Voting
[Diagram labels: a set of voters; a subset that votes; next election; sets A, A ∩ B, A ∩ C, A ∩ D]

8 The Sybil Attack
- “a small number of network nodes counterfeiting multiple identities so to compromise a disproportionate share of the system”
- originally applied for P2P networks
- but fits well in the context of any decentralized application
- an identity authority is needed to provide identifiers

9 Sybil Attack and the e-Vote
[Diagram labels: a set of voters; a subset that votes; next election; sets A, A ∩ B, A ∩ C, A ∩ D]

10 The Problem (part 1)
- How to build identity domains with anonymous users?
- while protecting against Sybil Attacks
- while providing unlinkability between multiple appearances
[Diagram: sets A, B and the subset A ∩ B]

11 The Problem (part 2)
- How to build identity domains with anonymous users?
- while protecting against Sybil Attacks
- while providing unlinkability between multiple spawns
[Diagram: sets A, B, C, D and the subsets A ∩ B, A ∩ C, A ∩ D]

12 The Initial Assumption
- the original set is Sybil-free
- application / context dependent
[Diagram labels: identifiers; Initial Identity Set; used for one or more applications; TTP (honest)]

13 Refining the Problem
- assuming an initial Sybil-free identity set, how to build privacy-friendly subsets (identity domains)?
- and still keep the Sybil-free properties
[Diagram: sets A, B and the subset A ∩ B]

14 Possible Scenarios and Solutions
- if TTP is always available
  - the trivial solution
- if TTP is NOT available (not at all times)
  - self-certified and Sybil-free framework

15 The Trivial Solution with a TTP
- if a TTP is always available
[Diagram labels: TTP; authenticate; anonymous credential]

16 The Problem Addressed by the Paper
- assuming an initial Sybil-free group, how to achieve privacy?
- without the continuous involvement of a TTP
- and still keep the Sybil-free properties
[Diagram: sets A, B, the subset A ∩ B, and the TTP]

17 Applications and Identity Domains
- networked environments with need for cooperation
- Reputation Systems
- e-Voting
- Anonymous Communication Systems
- Chat rooms / Forums, etc.
- applications that require identity domains
- Sybil-free identities
- Privacy requirements
- Independence from a TTP

18 A Self-Certified and Sybil-Free Framework for Secure Digital Identity Domain Buildup

19 The Paper Contribution
- Self-Certified Sybil-Free Framework
- Self-Certified
  - no need of a continuous involvement of a TTP
- Sybil-Free
  - enables detection of Sybil identities in a group

20 Attacker Model
- Attacker Goals
  - attackers seeking to deploy a Sybil attack in an identity domain
  - attackers seeking to identify relationships between pseudonyms
- Attacker Strength
  - can eavesdrop all network communications
- Attacker Limitation
  - the TTP is honest, i.e. has at most 1 initial identity (initial Sybil-free set)

21 Solution Overview
- from the initial Sybil-free set, we propagate the Sybil-freeness to n-identity domains
[Diagram: sets A, B, C, D and the subsets A ∩ B, A ∩ C, A ∩ D]

22 Assumptions and Construction
- Assumption:
  - every user U has a membership certificate cert_U obtained from TTP (bootstrap), i.e. the initial assumption
  - each identity domain has a unique identifier ctx
- Construction
  - variation of Camenisch et al. periodically spendable e-token*
[Diagram label: ctx]
* Camenisch et al. How to Win the Clone Wars: efficient periodic n-times anonymous authentication. In: ACM CCS 2006

23 Solution Overview (detailed)
- for each identity set ctx generate a fresh public-key pk_(U,ctx)
- membership certificate is used to get:
  - self-certified pseudonym
  - pseudonyms certificate
- detection of multiple pk_(U,ctx) (Sybil node detection)
  - obtain the user permanent pk_U
[Diagram labels: ctx; pk_(U,ctx); pk'_(U,ctx); pk''_(U,ctx)]

24 Protocols and Operation Phases
- Enrollment Phase
  - IKg outputs issuer I key pair (pk_I, sk_I)
  - UKg outputs user’s key pair (pk_U, sk_U)
  - Obtain Issue outputs membership certificate cert_U
  - I keeps track of pk_U and revocation inform
- membership certificate is an e-token dispenser that will be used to generate the pseudonyms (and the transcripts)

25 Creation of an Identity Domain
- Any node can set new Identity Domains
  - identity domains may have a validity time (included in ctx)
- the ctx name of an Identity Domain must be unique
  - 2 domains with the same ctx are understood as the same domain
  - attackers can try to reuse a ctx to identify honest users
- Requirements regarding ctx use
  - users never turn their clock back
  - users keep a list with all non-expired identity domains
  - users never join expired domains

26 Protocols and Operation Phases
- Identity Domain Buildup and Use Phase
  - Sign generates pseudo-random pseudonyms P_(U,ctx) and pseudonyms certificates cert_(U,ctx)
  - Verify verifies P_(U,ctx) and cert_(U,ctx) correctness
  - Identify given 2 cert_(U,ctx) generated by the same user for a same ctx, but 2 different (pk_(U,ctx), pk'_(U,ctx)), computes pk_U + Revoke

27 Security Analysis
- Sybil-Proof Property
  - 1 user can have at most 1 pseudonym per set
  - users can check the uniqueness of all other participants
- Unlinkability Property
  - strong unlinkability properties between pseudonyms generated for different identity domains
- Membership Certificate Sharing/Theft
- Corrupt Identity Domain Issuers (or ctx issuers)

28 Summary
- Self-Certified Sybil-Free Framework
  - privacy-preserving identifiers
  - unlinkable pseudonyms in different sets
  - detection of Sybil identities
  - no continuous involvement of a TTP
- Applications: networked environments with need for cooperation (especially when a TTP is not available at all times)

29 Acknowledgments
- www.prime-project.eu
- www.fidis.net

30 leonardo.martucci@kau.se

31 e-token Dispenser
- Membership Certificate
  - seed s for PRF f_s
  - user’s secret key sk_U
  - issuer’s I Camenisch-Lysyanskaya (CL) signature on (s, sk_U)
- Outputs:
  - token serial number P_(U,ctx) (pseudo-random pseudonym)
  - a transcript cert_(U,ctx) that proves the correctness of P_(U,ctx)
* Camenisch et al. How to Win the Clone Wars: efficient periodic n-times anonymous authentication. In: ACM CCS 2006

32 What changed from Camenisch et al.
a) non-interactive publicly verifiable shows for signature verification
b) temporal public-keys bind to e-token Sign protocol applying the Fiat-Shamir heuristic
c) instead of time periods, we limit the number of generated e-tokens per signing identity domain context ctx
d) optimized version for k=1 (only one e-token per ctx)
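
The Sign and Identify steps (slide 26) and the e-token dispenser (slide 31), as an added toy model in Python that is not code from the paper or its authors: one pseudonym per (user, ctx), and recovery of pk_U when the same user shows twice in one ctx. Assumptions not on the slides: the Dodis-Yampolskiy PRF, a second seed t, a challenge R derived by hashing the temporal public key, and a tag of the form T = pk_U · f_t(ctx)^R; the CL signature and zero-knowledge proofs are left out, and the 30-bit group gives no security.

```python
import hashlib

# Toy parameters (constructed): a 30-bit group, far too small for real use.
P = 1_000_000_007        # safe prime, P = 2*Q + 1
Q = (P - 1) // 2         # prime order of the subgroup of squares mod P
G = 4                    # a square, so it generates the order-Q subgroup

def h(text: str) -> int:
    """Hash a string to an exponent in [1, Q-1]."""
    digest = hashlib.sha256(text.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def prf(seed: int, ctx: str) -> int:
    """Dodis-Yampolskiy PRF f_seed(ctx) = G^(1/(seed + H(ctx) + 1)) mod P."""
    return pow(G, pow((seed + h(ctx) + 1) % Q, -1, Q), P)

class Dispenser:
    """Stand-in for cert_U: holds sk_U and the PRF seeds (no CL signature)."""
    def __init__(self, sk_u: int, s: int, t: int):
        self.sk_u, self.s, self.t = sk_u, s, t
        self.pk_u = pow(G, sk_u, P)                 # permanent public key pk_U

    def sign(self, ctx: str, temp_pk: str):
        """One show for ctx: (pseudonym P_(U,ctx), tag T, challenge R)."""
        r = h(temp_pk)                              # R is bound to pk_(U,ctx)
        tag = self.pk_u * pow(prf(self.t, ctx), r, P) % P
        return prf(self.s, ctx), tag, r

def identify(show_a, show_b) -> int:
    """Recover pk_U from two shows that share a pseudonym but differ in R."""
    (pseud_a, t_a, r_a), (pseud_b, t_b, r_b) = show_a, show_b
    if pseud_a != pseud_b or r_a == r_b:
        raise ValueError("not a double show for the same ctx")
    masked = pow(t_a, r_b, P) * pow(t_b, -r_a, P) % P   # = pk_U^(r_b - r_a)
    return pow(masked, pow((r_b - r_a) % Q, -1, Q), P)

def demo():
    alice = Dispenser(sk_u=123456789, s=1111, t=2222)   # constructed values
    first = alice.sign("election-2008", "temp-pk-1")
    sybil = alice.sign("election-2008", "temp-pk-2")    # second identity, same ctx
    other = alice.sign("forum-42", "temp-pk-3")         # different identity domain
    return (first[0] == sybil[0],       # duplicate pseudonym is visible to all
            first[0] != other[0],       # pseudonyms differ across ctx
            identify(first, sybil) == alice.pk_u)

if __name__ == "__main__":
    print(demo())
```

A single show reveals only the pseudonym and a tag masked by f_t(ctx)^R; it takes two shows with different R in the same ctx to cancel the mask and expose pk_U for revocation.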

33 leonardo.martucci@kau.se

