WISTP’08©LAM2008
15/05/2008
A Self-Certified and Sybil-Free Framework for Secure Digital Identity Domain Buildup
Christer Andersson (Karlstad Univ., Sweden), Markulf Kohlweiss (KU Leuven, Belgium)
Leonardo Martucci (Karlstad Univ., Sweden), Andriy Panchenko (RWTH Aachen, Germany)
What is this presentation about?
• framework for setting groups with privacy requirements
  • pseudonyms and zero-knowledge proofs
  • can be deployed for different applications
  • for aiding admission control schemes
  • suitable (also) for distributed environments
• the problem addressed in this presentation:
  assuming an initial Sybil-free set, how to build privacy-friendly subsets?
* this paper extends the paper “Self-Certified Sybil-Free Pseudonyms” – ACM WiSec’08
Defining Identity Domains
• set of identifiers used for a given context or application
[Diagram: identifiers; Identity Domain, used for a given application]
Applications and Identity Domains
• networked environments with need for cooperation
  • Reputation Systems
  • e-Voting
  • Anonymous Communication Systems
  • Chat rooms / Forums
  • …
• applications that require identity domains
Example: Sets and e-Voting
• a set of voters:
• a subset that votes:
• next election:
• next election:
[Diagram: set A with the subsets A ∩ B, A ∩ C and A ∩ D]
Privacy-friendly e-Voting
• a set of voters:
• a subset that votes:
• next election:
• next election:
[Diagram: set A with the subsets A ∩ B, A ∩ C and A ∩ D]
The Sybil Attack
“a small number of network nodes counterfeiting multiple identities so to compromise a disproportionate share of the system”
• originally applied to P2P networks, but fits well in the context of any decentralized application
an identity authority is needed to provide identifiers
Sybil Attack and the e-Vote
• a set of voters:
• a subset that votes:
• next election:
• next election:
[Diagram: set A with the subsets A ∩ B, A ∩ C and A ∩ D]
The Problem (part 1)
How to build identity domains with anonymous users?
• while protecting against Sybil Attacks
• while providing unlinkability between multiple appearances
[Diagram: sets A and B, and the subset A ∩ B]
The Problem (part 2)
How to build identity domains with anonymous users?
• while protecting against Sybil Attacks
• while providing unlinkability between multiple spawns
[Diagram: sets A, B, C and D, and the subsets A ∩ B, A ∩ C and A ∩ D]
The Initial Assumption
• the original set is Sybil-free
  • application / context dependent
[Diagram: TTP (honest); identifiers; Initial Identity Set, used for one or more applications]
Refining the Problem
• assuming an initial Sybil-free identity set, how to build privacy-friendly subsets (identity domains)?
and still keep the Sybil-free properties
[Diagram: sets A and B, and the subset A ∩ B]
Possible Scenarios and Solutions
• if TTP is always available
  • the trivial solution
• if TTP is NOT available (not at all times)
  • self-certified and Sybil-free framework
The Trivial Solution with a TTP
• if a TTP is always available
[Diagram: TTP; authenticate; anonymous credential]
The Problem Addressed by the Paper
• assuming an initial Sybil-free group, how to achieve privacy?
without the continuous involvement of a TTP
and still keep the Sybil-free properties
[Diagram: TTP; sets A and B, and the subset A ∩ B]
Applications and Identity Domains
• networked environments with need for cooperation
  • Reputation Systems
  • e-Voting
  • Anonymous Communication Systems
  • Chat rooms / Forums, etc.
• applications that require identity domains
  • Sybil-free identities
  • Privacy requirements
  • Independence from a TTP
The Paper Contribution
• Self-Certified Sybil-Free Framework
• Self-Certified: no need for continuous involvement of a TTP
• Sybil-Free: enables detection of Sybil identities in a group
Attacker Model
• Attacker Goals
  • attackers seeking to deploy a Sybil attack in an identity domain
  • attackers seeking to identify relationships between pseudonyms
• Attacker Strength
  • can eavesdrop all network communications
• Attacker Limitation
  • the TTP is honest, i.e. has at most 1 initial identity (initial Sybil-free set)
Solution Overview
• from the initial Sybil-free set, we propagate the Sybil-freeness to n-identity domains
[Diagram: sets A, B, C and D, and the subsets A ∩ B, A ∩ C and A ∩ D]
Assumptions and Construction
• Assumption:
  • every user U has a membership certificate certU obtained from TTP (bootstrap), i.e. the initial assumption
  • each identity domain has a unique identifier ctx
• Construction
  • variation of Camenisch et al. periodically spendable e-token*
*Camenisch et al. How to Win the Clone Wars: efficient periodic n-times anonymous authentication. In: ACM CCS 2006
Solution Overview (detailed)
• for each identity set ctx
  generate a fresh public key pk(U, ctx)
• membership certificate is used to get:
  • self-certified pseudonym
  • pseudonym certificate
• detection of multiple pk(U, ctx)
  • (Sybil node detection)
  • obtain the user's permanent pkU
[Diagram: ctx; pk(U, ctx), pk’(U, ctx), pk’’(U, ctx)]
Protocols and Operation Phases
• Enrollment Phase
  • IKg outputs issuer I's key pair (pkI, skI)
  • UKg outputs user’s key pair (pkU, skU)
  • Obtain Issue outputs membership certificate certU; I keeps track of pkU and revocation information
• membership certificate is an e-token dispenser that will be used to generate the pseudonyms (and the transcripts)
Creating an Identity Domain
• Any node can set new Identity Domains
  • identity domains may have a validity time (included in ctx)
  • the ctx name of an Identity Domain must be unique
    2 domains with the same ctx are understood as the same domain
• attackers can try to reuse a ctx to identify honest users
• Requirements regarding ctx use
  • users never turn their clock back
  • users keep a list with all non-expired identity domains
  • users never join expired domains
Protocols and Operation Phases
• Identity Domain Buildup and Use Phase
  • Sign generates pseudo-random pseudonyms P(U, ctx) and pseudonym certificates cert(U, ctx)
  • Verify verifies P(U, ctx) and cert(U, ctx) correctness
  • Identify given 2 cert(U, ctx) generated by the same user for the same ctx, but 2 different (pk(U, ctx), pk’(U, ctx)), computes pkU + Revoke
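Added example, not from the slides or the paper: a Python sketch of why Identify can compute pkU from two certificates issued for the same ctx, modelled on the double-show tag of the Camenisch et al. e-token scheme that the construction varies. The toy group, the hash used in place of the scheme's pseudo-random function, the field names and the helper `find_sybils` are assumptions made for illustration; the zero-knowledge proofs and the issuer's signature on certU are omitted.

```python
import hashlib

# Toy group, constructed for illustration and far too small for real use:
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def h(*parts):
    """Hash labelled parts to an exponent in Z_q (stand-in for the scheme's PRF)."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen(seed):
    """User key pair (sk_U, pk_U) plus the seeds s, t held in the e-token dispenser."""
    sk, s, t = (h(seed, label) or 1 for label in ("sk", "s", "t"))
    return {"sk": sk, "s": s, "t": t, "pk": pow(G, sk, P)}

def sign(user, ctx, pk_ctx):
    """Token for domain ctx, bound to the fresh key pk(U, ctx)."""
    S = pow(G, h("serial", user["s"], ctx), P)   # serial: one value per (user, ctx)
    R = h("bind", pk_ctx)                        # ties the token to pk(U, ctx)
    T = user["pk"] * pow(G, h("tag", user["t"], ctx) * R, P) % P   # pk_U * F^R
    return {"ctx": ctx, "S": S, "R": R, "T": T, "pk_ctx": pk_ctx}

def identify(c1, c2):
    """Return pk_U if c1, c2 share (ctx, S) but bind different keys, else None."""
    if (c1["ctx"], c1["S"]) != (c2["ctx"], c2["S"]) or c1["R"] == c2["R"]:
        return None
    # T1 = pk*F^R1 and T2 = pk*F^R2, so T2^R1 / T1^R2 = pk^(R1 - R2).
    ratio = pow(c2["T"], c1["R"], P) * pow(c1["T"], Q - c2["R"], P) % P
    return pow(ratio, pow((c1["R"] - c2["R"]) % Q, Q - 2, Q), P)

def find_sybils(tokens):
    """Scan a domain's tokens; return pk_U of every user who appears twice."""
    seen, exposed = {}, set()
    for tok in tokens:
        first = seen.setdefault((tok["ctx"], tok["S"]), tok)
        pk = identify(first, tok) if first is not tok else None
        if pk is not None:
            exposed.add(pk)
    return exposed

if __name__ == "__main__":
    mallory = keygen("mallory")                  # constructed sample user
    spawns = [sign(mallory, "vote-2008", f"key-{i}") for i in range(3)]
    print(find_sybils(spawns) == {mallory["pk"]})
```

A single token hides pkU behind the blinding factor F^R; only a second token with the same serial S and a different R lets the blinding cancel, which is what ties Sybil detection to the loss of anonymity.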
Security Analysis
• Sybil-Proof Property
  • 1 user can have at most 1 pseudonym per set
  • users can check the uniqueness of all other participants
• Unlinkability Property
  • strong unlinkability properties between pseudonyms generated for different identity domains
• Membership Certificate Sharing/Theft
• Corrupt Identity Domain Issuers (or ctx issuers)
Summary
• Self-Certified Sybil-Free Framework
  • privacy-preserving identifiers
    unlinkable pseudonyms in different sets
  • detection of Sybil identities
  • no continuous involvement of a TTP
• Applications:
  • networked environments with need for cooperation (especially when a TTP is not available at all times)
Acknowledgments
www.prime-project.eu
www.fidis.net