Anonymous Credentials on a Standard Java Card


1 Anonymous Credentials on a Standard Java Card
Authors: P. Bichsel, J. Camenisch, T. Groß, V. Shoup
Presented by Haorui Wu, University of South Carolina, 04/09/2015

2 Introduction
- Electronic authentication tokens are becoming more and more popular (tickets, road tolls).
- With current electronic ID (eID) cards, the user is fully identifiable in every transaction involving the token.
- Unique identification is inappropriate in many cases and attribute-based authentication is highly desired; therefore, privacy protection is necessary (youth protection).

3 What do we need?
- We need privacy-enhanced credential systems.
- No trusted third parties should be involved in transactions.
- If one considers linkability by timing, the credential system must be able to operate offline.
- Anonymous credential system: fortunately, there exist privacy-enhancing technologies that address our requirement of full anonymity and allow for attribute-based access control.
- What is an anonymous credential system?

4 Certificate System
- Public certificates vs. private certificates
- Certificates with public key cryptography – a certificate is a signed copy of an identity and a public key.
- Private certificates are a special kind of certificate, issued to a user and then kept secret – a private certificate also contains a list of attributes, and the certificate holder can assert parts of the attribute information to a verifier.
  1. Protocols for issuing signatures on cryptographically committed values (the signer does not learn the message), and
  2. the ability to prove knowledge of certificates without revealing them.
- Private certificate systems provide a foundation for building anonymous credential systems.
Bichsel, Patrik, et al. Cryptographic protocols of the identity mixer library. Tech. Rep. RZ 3730, 2009.

5 Anonymous Credential System
Certificates on a Master Secret
- The credential system issues private certificates on a user master secret; an attribute m1 is dedicated to containing the user’s master secret.
- The certificate gets issued on the key without the issuer learning the secret.
- The master secret acts as the identity of the user and helps bind certificates to this identity.
- To perform a proof of knowledge using the certificate, the user must prove knowledge of the master secret.
Bichsel, Patrik, et al. Cryptographic protocols of the identity mixer library. Tech. Rep. RZ 3730, 2009.

6 Limitations on Current Implementation
Camenisch-Lysyanskaya (CL) anonymous credential system
- Based on bilinear maps – can operate in smaller prime-order groups, but smart cards do not offer suitable algebraic support for the elliptic curves.
- Based on the strong RSA assumption and specified in the Identity Mixer protocol – needs a large composite modulus.
- One problem: current methods are not feasible to implement on smart cards.

7 Basic Requirements for eID smart cards
- Proof key lengths > 1400 bits
- Transaction time < 10 s
- Smart card platform should be standardized
- eID card must be certified
- The smart card platform must be well-established and cheap
- Java Card is a very good choice: Java Card refers to a software technology that allows Java-based applications (applets) to be run securely on smart cards and similar small-memory-footprint devices.

8 Application Requirements of eID cards
- Sustainable secondary use – must be usable over an entire lifetime without privacy or trust degradation
- Autonomous trust root – must protect the citizen’s security and privacy autonomously and cannot delegate computations to the terminal
- Long-term certificates – must forgo short-term updates

9 Functional Requirements of eID cards
- Proof of possession – must be able to issue a proof of possession of a credential
- Age proof – mostly used in the area of youth protection
- Finite-set attributes – attributes are particularly privacy-sensitive
- Revocation – the card needs to be revoked when the owner declares it lost or stolen

10 Hardware Requirements of eID cards
- A standardized Java Card with comprehensive security certification
- Used by existing eID systems in production
- The Java Card standard interface is chosen
  - Prevents direct access to the cryptographic co-processor, fast multiplication, and exponentiation primitives
  - Only offers the use of well-defined primitives such as RSA encryption
- Transient memory is severely restricted (750 bytes heap, 200 bytes stack), which makes the implementation of multi-base exponentiation and many pre-computation techniques impossible

11 Protocol Design Decision
- A full-fledged CL anonymous credential system is not feasible on the current card (takes s to selectively disclose an attribute from more than 20 fields)
- Rely on the tamper resistance of the hardware for such attribute-related proofs
- Solution:
  - Issue a CL credential with a secret key m0 on an eID card
  - Store all attribute information about the citizen in the card independently of the credential
  - When the citizen wants to use the card for privacy-protecting authentication, we compute a valid attribute statement
  - A discrete log commitment is provided to ensure that the detection of revoked cards can check C against for each in the revocation list

12 Solution to Realization on Smart Card
- Multi-base Exponentiations
  - No interface to exploit hardware-accelerated multi-base exponentiation
  - 8-bit ALU is too slow
  - Resort to modular exponentiation
- Modular Exponentiations
  - Delegate modular exponentiations to RSA encryption
  - Problems:
    - RSA usually resides in EEPROM: depletes the write cycles quickly
    - Too long to write to EEPROM
  - Overcome by creating a new RSA in transient memory. Use two bases with two independently chosen exponents to overcome this

13 Solution to Realization on Smart Card
- Modular Multiplication
  - Heavy-weight for the application layer
  - Overcome by an extremely efficient modular squaring primitive
- Addition
  - Addition can become dominant after the optimization of exponentiation and multiplication
  - Delegate the addition to the hardware acceleration by using the RSA-CRT decryption operation: by carefully setting the base and exponent arguments of the CRT algorithm, it produces an addition/subtraction in the decrypted message that can be extracted by inexpensive shifts.
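The delegation described on slides 12 and 13, as an added Python illustration (not the authors' applet code): a raw RSA public-key operation is the only fast primitive, and both exponentiation and multiplication are built from it. `RsaEngine` and the function names are hypothetical, the sample values are constructed, and the squaring identity is one standard choice assumed here because the slides do not say which one the implementation uses.

```python
class RsaEngine:
    """Stand-in for the card's RSA primitive (hypothetical class): the only
    fast operation offered is raw public-key encryption, msg^e mod n."""
    def __init__(self):
        self.calls = 0

    def set_key(self, exponent, modulus):
        self.e, self.n = exponent, modulus

    def encrypt(self, msg):
        self.calls += 1
        return pow(msg, self.e, self.n)

def mod_exp(rsa, base, exponent, n):
    # Load the wanted exponent as the "public exponent", then "encrypt" the base.
    rsa.set_key(exponent, n)
    return rsa.encrypt(base % n)

def mod_mul(rsa, a, b, n):
    # Multiplication from two squarings: (a+b)^2 - (a-b)^2 = 4ab (mod n).
    t = (mod_exp(rsa, a + b, 2, n) - mod_exp(rsa, a - b, 2, n)) % n
    for _ in range(2):
        # Divide by 4 by halving twice; n is odd, so t or t+n is even.
        t = (t + n) // 2 if t & 1 else t // 2
    return t

def two_base_exp(rsa, g1, e1, g2, e2, n):
    # g1^e1 * g2^e2 mod n without a multi-base exponentiation primitive.
    return mod_mul(rsa, mod_exp(rsa, g1, e1, n), mod_exp(rsa, g2, e2, n), n)

# Constructed sample values: an odd modulus built from two Mersenne primes.
N = (2**61 - 1) * (2**89 - 1)
G1, G2 = 0x1234567, 0x89ABCDEF
E1, E2 = 2**100 + 12345, 2**90 + 6789

if __name__ == "__main__":
    rsa = RsaEngine()
    print(hex(two_base_exp(rsa, G1, E1, G2, E2, N)), "RSA calls:", rsa.calls)
```

A two-base exponentiation costs four calls to the RSA primitive here: two exponentiations plus two squarings for the final product.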

14 Solution to Realization on Smart Card
Randomness
- A true random number generator (TRNG) takes as input a source that is effectively random: the randomness cannot be stored because of memory limitations
- A pseudorandom number generator (PRNG) takes as input a fixed value, called the seed, and produces a sequence of output bits using a deterministic algorithm: pseudo-random generation with the same seed will result in the same random number
- Use SHA-1 to generate true random seed, 3DES could be even better

15 Solution to Realization on Smart Card
Transient Memory
- Transient memory is very limited
- Use the communication buffer of the smart card as additional transient memory to mitigate the problem, but it is not encrypted.

16 Architecture of the full system
- Requirements
  - Use transient memory optimally and in a tightly controlled manner
  - Must feature strong security and robustness properties
- Architecture design
  - First, they established an explicit RamManager that owns most of the applet’s memory. It governs byte arrays for group elements as well as exponents and organizes the request and release of this memory.
  - Secondly, they created most classes either in the singleton design pattern or as static, such that there exists either only one instance with state or the class does not have dynamic state at all.
  - Also, security-critical memory, such as digest state and the random seed for the PRNG, is completely separated from other computations and well encapsulated in the corresponding classes.

17 Performance Different modulus length comparison
Upper bound on the base length was 1536 bits, upper bound on the exponent length was 895 bits

18 Performance Individual operation time

19 To the Future
- Higher RAM and faster CPU: 1 MB of EEPROM, 32 KB of RAM and a 66 MHz, 16-bit CPU.
- Java Card 3.0: allows RSA keys to be stored in RAM instead of EEPROM

20 Summary
- First practical implementation of an anonymous credential system on Java Card 2.2.1
- Achieves transaction times orders of magnitude faster than prior attempts, meeting the key length requirements
- Acts completely autonomously on the card and maintains its properties in the face of an untrusted terminal

21 THANK YOU!

22 Reference
- Bichsel, Patrik, et al. "Anonymous credentials on a standard java card." Proceedings of the 16th ACM conference on Computer and communications security. ACM, 2009.
- Bichsel, Patrik, et al. Cryptographic protocols of the identity mixer library. Tech. Rep. RZ 3730, 2009.

23 Zero Knowledge Proof
- Prove the authenticity of your information without revealing the actual information.
- Takes advantage of the difficulty of computing discrete logarithms.
- Let p be a large prime, and choose an x at random, which will be the secret ID number. Now choose a generator A and compute B = A^x (mod p). You can safely publish A, B, and p.
- In order to verify the possession of x:
  1. Prover (you) chooses a random number 0 < r < p-1 and sends the verifier h = A^r (mod p).
  2. Verifier sends back a random bit b.
  3. Prover sends s = (r + bx) (mod (p - 1)) to the verifier.
  4. Verifier computes A^s (mod p), which should equal h·B^b (mod p).
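The four steps above as an added Python example (not code from the presentation or the paper), including the reason the exchange has to be repeated: with a one-bit challenge, a party that lacks x can prepare a transcript that passes only when it guesses b correctly, so each round halves its chance. The parameters are constructed toy values and all function names are hypothetical.

```python
import secrets

# Constructed toy parameters, far too small for real use: p = 2*509 + 1 is a
# safe prime and A = 2 generates the multiplicative group mod p.
P, A = 1019, 2

def keygen():
    x = secrets.randbelow(P - 2) + 1           # secret x, 1 <= x <= p-2
    return x, pow(A, x, P)                     # (x, B = A^x mod p)

def commit():
    r = secrets.randbelow(P - 2) + 1           # 0 < r < p-1
    return r, pow(A, r, P)                     # (r, h = A^r mod p)

def respond(r, b, x):
    return (r + b * x) % (P - 1)               # s = r + b*x mod (p-1)

def verify(B, h, b, s):
    return pow(A, s, P) == (h * pow(B, b, P)) % P

def guess_transcript(B, guess):
    """What a party WITHOUT x can prepare: (h, s) built backwards from a
    guessed challenge bit. It verifies only if the real bit equals the guess."""
    s = secrets.randbelow(P - 2) + 1
    h = (pow(A, s, P) * pow(B, (P - 1) - guess, P)) % P   # h = A^s * B^(-guess)
    return h, s

def run(B, rounds, x=None):
    """Run `rounds` repetitions; x=None models a prover that lacks the secret."""
    for _ in range(rounds):
        if x is None:
            h, s = guess_transcript(B, secrets.randbelow(2))
        else:
            r, h = commit()
        b = secrets.randbelow(2)               # verifier's random bit
        if x is not None:
            s = respond(r, b, x)
        if not verify(B, h, b, s):
            return False
    return True

if __name__ == "__main__":
    x, B = keygen()
    print("honest prover, 40 rounds:", run(B, 40, x))
    print("no secret, 40 rounds:   ", run(B, 40))
```

After k rounds a prover without x passes with probability 2^-k, which is why a verifier accepts only after many repetitions.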

