Blacklisting and blocking anonymous credential users

International Journal of Computer Engineering and Technology (IJCET), ISSN 0976 – 6367 (Print), ISSN 0976 – 6375 (Online), Volume 3, Issue 3, October-December (2012), pp. 41-53, © IAEME. Impact Factor (2012): 3.9580 (Calculated by GISI)

BLACKLISTING AND BLOCKING ANONYMOUS CREDENTIAL USERS

1. H. Jayasree, Assoc. Prof., Dept. of IT, ATRI, Uppal
2. Dr. A. Damodaram, Prof. of CSE Dept. & Director – Academic Audit Cell, JNTUH, Hyderabad

ABSTRACT

Anonymous credential systems provide a mechanism for users to authenticate themselves anonymously. Since the transactions are inherently anonymous, some users try to misbehave by taking advantage of their anonymity, so there is a need for a method to stop such users from misbehaving. Also, in order to increase security at the user's end, we include an additional entity, the trustee, whom the user trusts.

KEYWORDS

Initiator (user), CA (certification authority), responder/verifier (website owner), SSL (Secure Sockets Layer), SHA-1 (secure hash algorithm).

1 INTRODUCTION

Credential systems allow subjects to prove possession of attributes to interested parties. In a sound credential system, subjects first need to obtain a structure termed a credential from an entity termed the credential issuer. The issuer encodes some well-defined set of attributes together with their values into the credential, which is then passed on, or "granted", to the subject. Only after having gone through this process can the subject prove possession of the attributes encoded in the credential. During this latter process, the interested party is said to "verify" the credential and is therefore called a verifier.

Subjects are typically human users, issuers are typically well-known organisations with authority over the attributes they encode into the credentials they issue, and verifiers are typically service providers that perform attribute-based access control. An example of a credential system is a Public Key Infrastructure (PKI). In a PKI, credentials are public key certificates that bind together subject attributes such as subject name, public key, issue and expiry dates, and so on. The credential issuer is the Certification Authority (CA); it grants public key certificates according to some subject registration procedure. Finally, credential verifiers are the entities within the PKI that accept the certificates issued by the CA. In conventional credential systems (e.g. a PKI), issuers and verifiers identify any given subject by a system-wide identifier. This has a potentially severe impact on the subject's privacy, as it enables issuers and verifiers to combine their knowledge about the subject. Indeed, they can construct individual transaction histories for all the subjects in the system, simply by correlating credential-related events using these identifiers.

Over the last 20 years, a significant amount of research has been performed on credential systems that try to address the privacy issue. In an anonymous credential system, subjects establish a different identifier with each issuer and verifier they wish to interact with, where we assume throughout that these pseudonyms cannot be connected to the subject's true identity. These identifiers, termed the subject's pseudonyms, are unlinkable, i.e. they do not possess any connection with one another. This means that it is infeasible for colluding issuers and verifiers to decide with certainty whether or not any given pair of pseudonyms belongs to the same subject¹. While a subject obtains a credential under the pseudonym that was established with the issuer, proof of its possession² takes place under the pseudonym established with the verifier. Of course, in order for the system to remain sound, subjects should only be able to successfully prove possession of credentials that they were indeed issued by some legitimate issuer.
A number of anonymous credential systems have been proposed in the literature, each with its own particular set of entities, underlying problems, assumptions and properties. This section presents the model of anonymous credential systems on which the rest of the paper is based. It is intended to be as general as possible, in order to be consistent with the majority of existing schemes.

¹ Proving possession of a credential amounts to proving possession of the attributes that are encoded within the credential. We refer to this process also as the showing of a credential.

² We consider an anonymous credential system to involve four types of player: subjects, issuers, verifiers and the trustee. It is assumed that subjects establish at least one pseudonym with each organisation with which they wish to interact. These pseudonyms are assumed to be indistinguishable, meaning that they do not bear any connection to the identity of the subject they belong to. We further assume that pseudonyms are unlinkable, i.e. two pseudonyms for the same subject cannot be linked to each other. Subjects may obtain credentials, i.e. structures that encode a well-defined, finite set of attributes together with their values, from issuers. They may subsequently show those credentials to verifiers, i.e. convince them that they possess (possibly a subset of) the encoded attributes. A credential is issued under a pseudonym that the subject has established with its issuer, and it is shown under the pseudonym that the subject has established with the relevant verifier.

It is assumed that the anonymous credential system is sound. This means that it offers pseudonym owner protection, i.e. that only the subject that established a given pseudonym can show credentials under it. Soundness also implies credential unforgeability: the only way that subjects may prove possession of a credential is by having obtained it previously from a legitimate issuer. In some applications, it is required that the system offers the stronger property of credential non-transferability. This property guarantees that no subject can prove possession of a credential that it has not been issued, even if the subject colludes with other subject(s) that may have (legitimately) obtained such a credential. In other words, a system that offers non-transferability prohibits credential sharing, whereas a system that offers only unforgeability does not. We require that credentials are bound to the subject to which they have been issued. We therefore assume either that the system offers non-transferability or that in practice subjects do not share their credentials. It is assumed further that the system properly protects privacy in that a subject's transactions with organisations do not compromise the unlinkability of its pseudonyms.

1.1 BASIC TERMINOLOGY

We mention below some basic terminology.

ANONYMITY: To enable the anonymity of a subject, there always has to be an appropriate set of subjects with potentially the same attributes. Anonymity is thus defined as the state of not being identifiable within a set of subjects, the anonymity set.

UNLINKABILITY: [ISO15408 1999] defines unlinkability as follows: "[Unlinkability] ensures that a user may make multiple uses of resources or services without others being able to link these uses together. [...] Unlinkability requires that users and/or subjects are unable to determine whether the same user caused certain specific operations in the system."

PSEUDONYMITY: Pseudonyms are identifiers of subjects. We can generalize pseudonyms to be identifiers of sets of subjects. The subject whom the pseudonym refers to is the holder of the pseudonym. Being pseudonymous is the state of using a pseudonym as ID. We assume that each pseudonym refers to exactly one holder, invariant over time, and is not transferred to other subjects. Pseudonymity is the use of pseudonyms as IDs. An advantage of pseudonymity technologies is that accountability for misbehaviour can be enforced. Also, persistent pseudonyms allow their owners to build a pseudonymous reputation over time.

BLACKLISTING: Several credential systems have been proposed in which users can authenticate to services anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a trusted third party (TTP). The ability of the TTP to revoke a user's privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, systems such as "e-cash" have been proposed in which users are deanonymized only under certain types of well-defined misbehavior such as "double spending". While useful in some applications, it is not possible to generalize such techniques to more subjective definitions of misbehavior.

CERTIFICATION AUTHORITY (CA): A third party organization that both the user and the responder trust. It issues the certificate for the user. This certificate assures the responder that the user is a valid person; hence the responder allows the user to be anonymous in his transactions.

TRUSTEE: The trustee can be any person or third party organization that the user trusts. The trustee first ensures that the user is valid by asking for the necessary credentials. If satisfied, the trustee assigns a pseudonym to the user. It then contacts the certification authority and requests a certificate on behalf of the user.
There are three main entities involved: (1) the initiator, (2) the digital analyst and (3) the responder. Initially the initiator generates a list of credentials and sends them to the digital analyst, revealing only those credentials that are enough to prove that he is authentic. After authenticating the initiator, the digital analyst signs the list with a digital signature and gives the initiator a pseudonym. Henceforth the initiator interacts with the responder using his pseudonym.

2. RELATED WORK

The scenario with multiple users who, while remaining anonymous to the organizations, manage to transfer credentials from one organization to another was first introduced by Chaum [7]. Subsequently, Chaum and Evertse [6] proposed a solution that is based on the existence of a semi-trusted third party who is involved in all transactions. However, the involvement of a semi-trusted third party is undesirable.

The scheme later proposed by Damgard [9] employs general complexity-theoretic primitives (one-way functions and zero-knowledge proofs) and is therefore not applicable for practical use. Moreover, it does not protect organizations against colluding users. The scheme proposed by Chen [8] is based on discrete-logarithm-based blind signatures. It does not address the problem of colluding users. Another drawback of her scheme and the other practical schemes previously proposed is that to use a credential several times, a user needs to obtain several signatures from the issuing organization. Lysyanskaya, Rivest, Sahai, and Wolf [11] propose a general credential system. While their general solution captures many of the desirable properties, it is not usable in practice because their constructions are based on one-way functions and general zero-knowledge proofs. Their practical construction, based on a non-standard discrete-logarithm-based assumption, has the same problem as the one due to Chen [8]: a user needs to obtain several signatures from the issuing organization in order to use a credential unlinkably several times.

Other related work is that of Brands [4], who provides a certificate system in which a user has control over what is known about the attributes of a pseudonym. Although a credential system with one-show credentials can be inferred from his framework, obtaining a credential system with multi-show credentials is not immediate and may in fact be impossible in practice. Another inconvenience of these and the other discrete-logarithm-based schemes mentioned above is that all the users and the certification authorities in these schemes need to share the same discrete logarithm group. The concept of revocable anonymity is found in electronic payment systems (e.g., [5, 14]) and group signature and identity escrow (e.g., [1, 3, 2, 12]) schemes. Prior to our work, the problem of constructing a practical system with multiple-use credentials eluded researchers for some time [4, 8, 9, 11]. We solve it by extending ideas found in the constructions of strong-RSA-based signature schemes [10, 13] and group signature schemes [1].

3. PROPOSAL

In addition to the three main entities, i.e. the initiator, the certification authority and the responder, we include an additional entity, the trustee. The trustee is a third party individual/organization that the user trusts. Instead of revealing his credentials to the certification authority, the user approaches a trustee to whom he reveals the necessary credentials. The trustee provides the user with a pseudonym. The trustee then approaches the CA for the certificate.
The responder keeps track of all the users' activities and if it finds one of the users trying to misbehave, it blacklists that user. The responder maintains a table containing a list of blacklisted and whitelisted users. The responder then contacts the respective certification authority and notifies it about the misbehavior. The CA, after investigation, revokes the user's certificate. If any user who is listed as blacklisted tries to contact the CA for renewal of the certificate, the CA rejects the request.

The trustee uses the SHA-1 algorithm to generate the pseudonym (hash). The responder meanwhile keeps track of the user's activities. If any user tries to misbehave, he is blacklisted.

To blacklist a user, the responder should store the login and logout times of each user. If any malpractice is observed, the responder can check the time at which the site was compromised and compare it with the login and logout times of the users. The responder can then make a list of users who were using the site when the malpractice occurred and add these names to a suspicious list. Then, based on the content of the information compromised or the severity of the damage, the responder can decide the action to be taken. If a user's name appears more than once in the suspicious list, the user's activities are carefully scrutinized by the responder. The responder can maintain a threshold such that if the number of times the user's name appears in the suspicious list crosses the threshold value, the user can be blacklisted.

3.1 GENERATION OF CERTIFICATE USING OPENSSL

Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security over the Internet. SSL encrypts the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. Several versions of the protocol are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

ALGORITHMS USED

3.1.1 SHA-1 ALGORITHM

In cryptography, SHA-1 is a cryptographic hash function designed by the United States National Security Agency and published by the United States NIST as a U.S. Federal Information Processing Standard. SHA stands for "secure hash algorithm". The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. SHA-1 is very similar to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses. The SHA-0 algorithm was not adopted by many applications. SHA-2, on the other hand, differs significantly from the SHA-1 hash function. SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely used security applications and protocols, as well as a consistency checker in Git. In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable.

3.1.2 RSA ALGORITHM

RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described it in 1978.
A user of RSA creates and then publishes the product of two large prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime factors can feasibly decode the message.

4. RESULTS AND DISCUSSION

The trustee can use a WAMP server with the inbuilt phpMyAdmin database tool. The user enters his credentials on the web page created by the trustee. The trustee, after verifying these credentials, provides a pseudonym to the user. The algorithm used is SHA-1. The trustee then contacts the certification authority to request a certificate on behalf of the user. The CA can use the OpenSSL tool to generate the certificate.

The responder web page can contain a provision to let the user upload the certificate or enter the certificate serial number (it is unique to each user). After getting it verified by the CA, the responder can allow access to the user.

The responder also must keep track of the user's activities to avoid any malpractice by the user. The responder can maintain a white list, a blacklist and a suspicious list. The white list contains the names of valid users. The suspicious list contains the users whose activities are to be carefully scrutinized. The blacklist contains the users who are blacklisted.

4.1 IMPLEMENTATION

The trustee uses the SHA-1 algorithm to generate the pseudonym (hash). This feature is directly available in PHP. For example, the code

    <?php
    // hash() takes the algorithm name and the input data as strings
    echo hash('sha1', 'xyz');
    ?>

generates the hash:

    66b27417d37e024c46526c2f6d358a754fc552f3

Hence the trustee generates the hash and sends it to the user. The user uses this hash value as his pseudonym and carries out his transactions with the responder using this pseudonym.
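The responder's blacklisting procedure from section 3 (store login and logout times, list the users present when the malpractice occurred, count appearances in the suspicious list, blacklist past a threshold) together with the trustee's SHA-1 pseudonym, as an added Python example; this is not the paper's code, and the class and function names, user names, timestamps and threshold are constructed for illustration.

```python
"""Added example, not the paper's code: the trustee's SHA-1 pseudonym (section
4.1) and the responder's session log, suspicious list and blacklist threshold
(sections 3 and 4). All user names and timestamps below are constructed."""
import hashlib
from collections import Counter
from datetime import datetime, timedelta


def pseudonym(credentials: str) -> str:
    """Trustee side: pseudonym = SHA-1 hex digest, as in the paper's PHP hash() call."""
    return hashlib.sha1(credentials.encode("utf-8")).hexdigest()


class Responder:
    """Responder side: white list, suspicious list, blacklist and session times."""

    def __init__(self, threshold: int):
        self.threshold = threshold   # suspicious-list hits before a user is blacklisted
        self.sessions = []           # [pseudonym, login_time, logout_time or None]
        self.whitelist = set()       # valid registered users
        self.suspicious = []         # one entry per incident a user was logged in for
        self.blacklist = set()

    def register(self, pseudonym: str) -> None:
        self.whitelist.add(pseudonym)

    def login(self, pseudonym: str, at: datetime) -> None:
        # Blacklisted users are refused before anything is recorded.
        if pseudonym in self.blacklist:
            raise PermissionError("pseudonym is blacklisted")
        if pseudonym not in self.whitelist:
            raise PermissionError("pseudonym is not registered")
        self.sessions.append([pseudonym, at, None])

    def logout(self, pseudonym: str, at: datetime) -> None:
        for session in reversed(self.sessions):
            if session[0] == pseudonym and session[2] is None:
                session[2] = at
                return
        raise ValueError("no open session for this pseudonym")

    def users_present(self, when: datetime) -> set:
        """Users whose login..logout interval covers the time of the malpractice;
        a session with no logout recorded yet is still open."""
        return {p for p, start, end in self.sessions
                if start <= when and (end is None or when <= end)}

    def report_malpractice(self, when: datetime):
        """Add everyone present at `when` to the suspicious list; blacklist those
        whose count reaches the threshold. Returns (present, newly_blacklisted)."""
        present = self.users_present(when)
        self.suspicious.extend(sorted(present))
        counts = Counter(self.suspicious)
        newly = {p for p in present
                 if counts[p] >= self.threshold and p not in self.blacklist}
        self.blacklist |= newly
        self.whitelist -= newly
        return present, newly


def demo():
    """Constructed scenario with threshold 2: two incidents; only the user logged
    in during both reaches the threshold and is blacklisted."""
    r = Responder(threshold=2)
    t0 = datetime(2012, 10, 1, 9, 0)
    users = {name: pseudonym(name) for name in ("alice", "bob", "carol")}
    for p in users.values():
        r.register(p)
    r.login(users["alice"], t0)
    r.login(users["bob"], t0 + timedelta(minutes=5))
    r.logout(users["bob"], t0 + timedelta(minutes=30))
    r.login(users["carol"], t0 + timedelta(minutes=40))
    # Incident 1 at +10 min: alice and bob are logged in, carol is not yet.
    first, _ = r.report_malpractice(t0 + timedelta(minutes=10))
    # Incident 2 at +45 min: alice (still logged in) and carol; bob has logged out.
    second, blocked = r.report_malpractice(t0 + timedelta(minutes=45))
    return users, first, second, blocked, r
```

Calling demo() returns the users present at each incident and the set blacklisted after the second one; a blacklisted pseudonym is refused at login and dropped from the white list, which is the point at which the responder would notify the CA.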
The trustee then contacts the certification authority for the certificate. The certification authority can use a tool like OpenSSL to generate the certificate. OpenSSL is free software and can be downloaded from the Internet. The following commands are used to obtain the .crt file:

    1. openssl genrsa -des3 -out server.key 1024
    2. openssl req -new -key server.key -out server.csr
    3. openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The first command generates the RSA key pair (public, private), 1024 bits long, protects it with the DES3 algorithm and stores the output in the file server.key. The second command generates a .csr file; hence the file server.csr is generated. In this window we can see that the command allows us to enter the credentials that are shown in the details of the digital certificate. The third command provides the duration of validity for the certificate. Once the .csr file is generated we can upload it to a website (e.g. Verisign, Getacert).
The user can use this certificate to register with the responder without revealing his credentials. Here the certificate serial number is a unique number and can be used as the primary key to identify the user.

4.2 SCREEN SHOTS

(Screenshots not reproduced; captions only.)

1) Trustee's page for the user to enter credentials
2) Trustee generates pseudonym for the user and also contacts the CA for the certificate
3) Registration with responder
4) User login
5) User enters login ID and password
6) Login ID, password and login time are stored in the responder's database
7) Responder's site
8) Initiator tries to make changes to the responder's site
9) Initiator updates the changes
10) The change made and the time at which the change was made are stored in the responder's database
11) Email to trustee about the user's misbehaviour
12) Checking the mail

5. CONCLUSION

The above graph shows that the proposal is feasible and helps to secure the site against misbehaving users. The threshold can be selected by the responder based on the sensitivity of the data contained in the site. Our proposed work blacklists the user based on the login times that are stored in the database of the responder.
6. REFERENCES

[1] Giuseppe Ateniese, Jan Camenisch, Marc Joye, and Gene Tsudik. A practical and provably secure coalition-resistant group signature scheme. In CRYPTO 2000, volume 1880 of LNCS, pages 255–270. Springer, 2000.
[2] David Chaum and Eugène van Heyst. Group signatures. In EUROCRYPT 1991, pages 257–265, 1991.
[3] Jan Camenisch and Markus Stadler. Efficient group signature schemes for large groups (extended abstract). In CRYPTO 1997, volume 1294 of LNCS, pages 410–424. Springer, 1997.
[4] Stefan Brands. Rethinking Public Key Infrastructure and Digital Certificates: Building in Privacy. PhD thesis, Eindhoven Institute of Technology, Eindhoven, The Netherlands, 1999.
[5] Ernie Brickell, Peter Gemmel, and David Kravitz. Trustee-based tracing extensions to anonymous cash and the making of anonymous change. In Proceedings of the Sixth Annual ACM-SIAM Symposium on Discrete Algorithms, pages 457–466. Association for Computing Machinery, January 1995.
[6] David Chaum and Jan-Hendrik Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In A. M. Odlyzko, editor, Advances in Cryptology: CRYPTO '86, volume 263 of LNCS, pages 118–167. Springer-Verlag, 1987.
[7] David Chaum. Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10):1030–1044, October 1985.
[8] Lidong Chen. Access with pseudonyms. In E. Dawson and J. Golić, editors, Cryptography: Policy and Algorithms, volume 1029 of LNCS, pages 232–243. Springer-Verlag, 1995.
[9] Ivan Bjerre Damgård. Payment systems and credential mechanism with provable security against abuse by individuals. In Shafi Goldwasser, editor, Advances in Cryptology: CRYPTO '88, volume 403 of LNCS, pages 328–335. Springer-Verlag, 1990.
[10] Ronald Cramer and Victor Shoup. Signature schemes based on the strong RSA assumption. In Proc. 6th ACM Conference on Computer and Communications Security, pages 46–52. ACM Press, November 1999.
[11] Anna Lysyanskaya, Ron Rivest, Amit Sahai, and Stefan Wolf. Pseudonym systems. In Howard Heys and Carlisle Adams, editors, Selected Areas in Cryptography, volume 1758 of LNCS. Springer-Verlag, 1999.
[12] Joe Kilian and Erez Petrank. Identity escrow. In Hugo Krawczyk, editor, Advances in Cryptology: CRYPTO '98, volume 1642 of LNCS, pages 169–185. Springer-Verlag, Berlin, 1998.
[13] Rosario Gennaro, Shai Halevi, and Tal Rabin. Secure hash-and-sign signatures without the random oracle. In Jacques Stern, editor, Advances in Cryptology: EUROCRYPT '99, volume 1592 of LNCS, pages 123–139. Springer-Verlag, 1999.
[14] Markus Stadler, Jean-Marc Piveteau, and Jan Camenisch. Fair blind signatures. In Louis C. Guillou and Jean-Jacques Quisquater, editors, Advances in Cryptology: EUROCRYPT '95, volume 921 of LNCS, pages 209–219. Springer-Verlag, 1995.
AUTHORS

Dr. Avula Damodaram obtained his B.Tech. degree in CSE in 1989, M.Tech. in CSE in 1995 and Ph.D. in Computer Science in 2000, all from JNTUH, Hyderabad. His areas of interest are Computer Networks, Software Engineering, Data Mining and Image Processing. He has successfully guided 6 Ph.D. and 2 MS scholars apart from myriad M.Tech. projects. He is currently guiding 9 scholars for Ph.D. and 1 scholar for MS. He is on the editorial board of 2 international journals and a number of course materials. He has organized as many as 30 workshops, short term courses and other refresher and orientation programmes. He has published 35 well researched papers in national and international journals. He has also presented 45 papers at different national and international conferences. On the basis of his scholarly achievements and other multifarious services, he was honored with the award of DISTINGUISHED ACADEMICIAN by Pentagram Research Centre, India, in January 2010.

H. Jayasree obtained her B.E. in CSE from Bangalore University and M.Tech. in CSE from JNTUH, Hyderabad, in 2001 and 2006 respectively. She is currently a Research Scholar of CSE, JNTUH, Hyderabad. She is working as Associate Professor at Aurora's Technological and Research Institute and has 10 years of teaching experience in various colleges of Hyderabad and Bangalore. Her areas of research interest include Computer Networks and Network Security.