1. Privacy Preserving Identity Attribute
Verification in Windows CardSpace
Kevin Steuer Jr
Ruchith Fernando
Elisa Bertino
October 8, 2010

2. Windows CardSpace

3. Identity Manager
Identity Selector Relying Party

4. Identity Manager
● Information card issuer
● Security Token Service

5. Identity Selector

6. Source : http://en.wikipedia.org/wiki/File:Cardspace_identity_selector.png

7. Information Card

8. XML Descriptor
Issued by an identity manager
Managed
&
Self Issued

9. Relying Parties/Service Providers
● Specifies the required claims
● Expects an XML token containing the values

11. Problems
?

12. Identity Manager is trusted in
securely storing user's identity
attribute values
Identity Manager holds the attribute values in plain

13. Proposed Approach

14. Semi-Trusted Identity Manager

15. Relying Party → User :
Do you have a Social Security Number?

16. Just proving that the user does is sufficient!

17. No need to give away the SSN to the
Relying Party!

18. Let the Identity Manager store only a
COMMITMENT of the SSN
We use the Pedersen commitment

19. Pedersen Commitment
c=gxhr
●G : Finite cyclic group of large prime order p so that the
Computational Diffie-Hellman (CDH) problem is hard in G
● A generator g ∊ G
● x, r ∊ {0, 1, ... , p-1} = Fp

20. The user obtains a signed identity attribute value
from an identity provider
Sets up the commitment with the identity manager

21. How is it used with at a Service Provider?

22. Zero Knowledge Proof Of
Knowledge

23. Schnorr protocol
1. U randomly chooses y, s ∊ F*p , and sends V the
element d = gyhs ∊ G
2. V picks a random value e ∊ F*p , and sends e as a
challenge to U.
3. U sends u = y + ex, v = s + er, both in Fp, to V.
u v e
4. V accepts the proof if and only if g h = d c in G.

25. VeryIDX Managed Card

26. <ic:SupportedClaimType
Uri="http://veryidx...strongclaims/ssn">
<ic:DisplayTag>Strong Claim SSN</ic:DisplayTag>
<ic:Description>Strong Claim ...</ic:Description>
</ic:SupportedClaimType>
<vi:SupportedStrongClaimValues xmlns:vi="http://veryi...">
<vi:StrongClaimValue
Uri="http://veryidx...strongclaims/ssn">
<vi:Commitment>743872676989=</vi:Commitment>
<vi:R>329839797987493827983=</vi:R>
</vi:StrongClaimValue>
</vi:SupportedStrongClaimValues>

27. User is prompted to enter the value of the
strong claim
to carryout the proof

28. But ....

29. What about the 2nd and 3rd attempts?

30. Linkability
Consistent attribute values to the relying parties

31. The identity selector will prove the
same commitment value
to the relying party!

32. Make sure we don't present the same
commitment twice to the relying party!

33. Original Commitment :
c1 = gxhr
Commitment in the token to RP :
ci = gc1hri

34. Request Security Token Response
<wst:RequestSecurityTokenResponse>
...
<vi:SupportedStrongClaimValues>
<vi:ClaimValue Uri="http://veryidx...strongclaims/xyz">
<vi:Commitment>77666876989=</vi:Commitment>
<vi:R>329839797987493827983=</vi:R>
</vi:ClaimValue>
</vi:SupportedStrongClaimValues>
</wst:RequestSecurityTokenResponse>
Used by the identity selector to retrieve the
new commitment and random values

35. Identity Manager : WSO2 Identity Server (IS)
Identity Selector : Higgins
Relying Party : WSO2 IS Java RP
ZKPK implementation : VeryIDX

36. Thank You !