Upload
igor-zboran
View
96
Download
0
Embed Size (px)
DESCRIPTION
A new decentralized Identity-Based Privacy (IBP) trusted model built around OpenID Connect and User-Managed Access (UMA) standards. IBP model supports Privacy by Design (PbD) principles. Why Identity and not Anonymity to preserve privacy? Easy, Anonymity does not overlap with Transparency, but Privacy does. Privacy hand in hand with Transparency, are the fundamental stones of the modern world.
Citation preview
Identity-Based Privacy (IBP)
Cloud Computing and Privacy Protection
07/2014
Privacy preserving
Encryption is one of the most effective information protection techniques.
Information
Privacy preserving – Conceptual model
Security
Privacy
• Security – Data at Rest Encryption, Data in Transit Encryption
• Privacy – Data in Use Encryption
Privacy preserving – existing systems
• PKI – Public-Key Infrastructure
• PGP – Pretty Good Privacy
• IBE – Identity-Based Encryption
• PKI, PGP – it’s more about key management then encryption
• IBE – email address as the public key
Privacy preserving – existing systems (cont.)
Drawbacks:
• PKI – very expensive, usability
• PGP – usability
• IBE – difficult mathematics, strong patents
Identity-Based Privacy (IBP)
The alternative to PKI/PGP/IBE systems
IBP – History
original idea came from January, 2011
• First public presentation in June, 2011 • http://www.amathnet.cz/akce/historie-akci/vut/pavlov-2011/prubeh.aspx
• http://www.amathnet.cz/Portals/0/QuickGallery/444/IMGP0056.JPG
• Fully open sourced since September, 2013
• Matured in April, 2014
IBP – Conceptual Architecture Model
User (Client-Side App.)
Identity & Access Management
Data Resource Encryption Key Generator
IBP – Modules
• Encryption Key Generator – a Personal Key Ring separated from cloud application and data storage
• Identity & Access Management – the gateway to your privacy
• User Agent – only there meet your encryption key and data
IBP – Modules (cont.)
IBEKG, OIDC/UMA, User Agent
• IBEKG – Identity-Based Encryption Key Generator
• OIDC/UMA – Identity & Access Management built around OpenID Connect (OIDC) and User Managed Access (UMA) specifications
• User Agent – client side data encryption process
IBP – Technical background
• Identity & Access Management Provider – email address as the user’s identifier
• Authentication/Authorization/Access Control – OIDC, UMA
• One-Time Identity-Based Key Generator
• Identity encryption key generated from user’s identifier
IBP – Technical background (cont.)
• Identity-Based Encryption[1]
• Data encryption key encrypted by identity encryption key
• NIST SHA-256, AES-256, CTR-DRBG-256
• OpenSSL FIPS 140-2 validated
1. a simple HMAC-SHA/AES(GCM) symmetric encryption, not the type of public-key encryption as mentioned on the ID-based encryption Wikipedia article
IBP – Technical background (cont.)
Client-side zero-knowledge encryption:
• All users' data are encrypted on the client side and never touch servers in a plain form
• Data storage provider has zero knowledge of the encryption keys
• Encryption key generator server has zero knowledge of users' data
IBP – Operating model
User Agent (Browser)
Identity Provider + Data/App Provider
Encryption Key Generator
mobile operators, banks, Gov. Google, Microsoft, Oracle, Amazon,
clinics, large enterprises
home or corp. computer, tablet, smartphone, Internet of Things
Customer
Commercial (Closed Source) Software/Services
Transparent (Open Source) Software/Services
IBP – Pros
• usability (no passwords, no certificates) • no key and certificate management (creation,
storage, distribution, revocation) • lost key prevention • IBE like features, key escrow/fair encryption, no
need for receiver’s public key before encryption • no IBE revocation problem (access control) • Encryption Key Generator Device (referred to as
the Internet Of Things) • SIM Card/Java Applet
IBP – Cons
• online solution
• master key security
Main Business Opportunities
• Cloud Storage / Sharing
• Health Records / Medical Data Sharing
• Electronic Postal Services
• New Email-like Services
Featured links
• igi64.github.io
• openid.net/connect
• kantarainitiative.org/confluence/display/uma
• twitter.com/igi64