View
238
Download
0
Category
Tags:
Preview:
Citation preview
PKI versus Private Credentials 1
PKI versus Private Credentials
Stefan Brands
Zero-Knowledge Systems Inc.
Montreal
PKI versus Private Credentials2
Digital Certificates:
sequences of zeros and ones (of a mathematical structure)
verifiable with 100 % accuracy by computers
transferable electronically (no human intervention, fast)
unforgeable (crypto protection) can specify any kind of data
PKI versus Private Credentials3
Identity Certificates:
CA digital signature binds public key to real name
secret key signs message (prevents replay, non-repudiation)
verify by applying CA's public key use as authenticated pointer into
databases (like SSNs)
PKI versus Private Credentials4
PKI versus Private Credentials5
Federal PKIs:
USA (Access Certificates for Electronic Services, FPKI)
United Kingdom (CLOUD COVER) Australia (Public Key Auth.
Framework, Gatekeeper) Canada (Canada Public Key
Infrastructure) Hong Kong (identity certificates to
most residents)
PKI versus Private Credentials6
In the future:
mobile phones watches televisions cars computerized household
appliances …
PKI versus Private Credentials7
Drawbacks to organizations: transaction delays loose business (faulty/ irrelevant
data, online connection fails) central database verification hard to protect databases against
hackers and insiders privacy standards bring
compliance costs Manage CRLs / online validation
PKI versus Private Credentials8
Privacy concerns:
traceability (CA, verifiers, wiretappers, intel. agencies)
linkability (in and across PKIs) non-repudiable evidence discrimination (consults any
database) errors (database, identities) no control over secondary use revocation (CRL, online whitelists)
PKI versus Private Credentials9
Legislation ineffective:
does not deter criminals stopping violations takes long legislation implemented ? technologies faster than law theft / modification by hackers ? misuse by employees ? laws may be amended, changed,
exempted, overturned, or ignored database audits -> accessibility
PKI versus Private Credentials10
Privacy design goals:
control (selective disclosure) anonymity unlinkability no self-authenticating records smartcard implementations
PKI versus Private Credentials11
Private Credentials:
similar to coins and public transport tickets (not identifiable)
meet all privacy design goals practical security benefits
PKI versus Private Credentials12
Issuing a Private Credential: Certificate binds public key to
attributes CA cannot learn user's public key
and CA's signature (blinding) CA encodes attributes into user's
secret key
PKI versus Private Credentials13
Showing a Private Credential: Send public key and CA signature selectively disclose property of
attributes sign message (= authenticate
property) replay prevention
PKI versus Private Credentials14
Note:
different attributes in different or same Private Credentials
anyone can be CA one attribute may be identity selective disclosure unlinkability
PKI versus Private Credentials15
Selective disclosure:
show part of attribute data without revealing more (think: marker)
more powerful than paper-based certificates (Boolean properties, n out of m, intervals)
works across different Private Credentials
PKI versus Private Credentials 16
PKI versus Private Credentials17
PKI versus Private Credentials18
Reissuance:
refresh previously issued Credential without knowing attributes
update Credential's attributes before refreshing
PKI versus Private Credentials19
Dossier-Resistance:
verifier gets zero evidence of transaction; or
verifier gets self-authenticating evidence of a message or a part of the disclosed property
self-authenticating evidence can be limited to designated parties
PKI versus Private Credentials20
Fraud protections:
reduce identity fraud eliminate central database risks limited-show property (identity
computable if shown too often) discourage lending (encode secret
of user) discourage discarding (tie
unfavorable attributes in)
PKI versus Private Credentials21
PKI versus Private Credentials22
Smartcard implementation: strong protection against loss,
theft, extortion, lending,copying, discarding, etc
can use standard 8-bit chips use desktop computer, notebook,
handheld, mobile phone, … user's computer protects privacy,
smartcard cannot leak data
PKI versus Private Credentials23
Benefits to organizations: prevent unfair competition no law enforcement intrusions reduce identity fraud foster fair competition cheapest way to comply with
privacy principles improve transaction finality cultivate goodwill
PKI versus Private Credentials24
Private Credentials can subsume X.509:
two attributes: certificate holder's X.500 name, all other fields
restrict entropy of X.509 validity period
restrict entropy of extension fields set serial number to hash of the
public key or to zero
PKI versus Private Credentials25
Sample applications:
electronic cash digital pseudonyms for public
forums and virtual communities access control (VPNs, subscription
services, Web sites, databases) digital copyright protection
(certificates permit use of works) electronic voting
PKI versus Private Credentials26
(continued)
electronic patient files electronic postage automated data bartering online auctions financial securities trading pay-per-view tickets public transport ticketing electronic food stamps road-toll pricing
PKI versus Private Credentials27
(continued)
national ID cards (with privacy) permission-based marketing Web site personalization multi-agent systems collaborative filtering loyalty schemes electronic gambling medical prescriptions
PKI versus Private Credentials28
For more information:
“Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy,” ISBN 0-262-02491-8, MIT Press August 2000, 356 pp.
“Private Cedentials,” whitepaper, Zero-Knowledge Systems, September 2000
brands@zeroknowledge.com www.xs4all.nl/~brands
Recommended