Dr. Thomas Groß – Research Scientist03 February 2011Anonymous Credentials on Java CardPatrik Bichsel, Jan Camenisch, Thoma...
Privacy            Feasibility   Way Ahead                                    ￷[Images from iStockPhoto.com]              ...
Privacy   Feasibility   Way Ahead              ￷                        3
“Neil Armstrong’sFootsteps arestill there”(Robin Wilton, Sun Microsystems)                                   ᄅ            ...
IBM Presentation Template Full VersionAnonymous Credentials:Attribute-based Access w/ Strong Security & Privacy5          ...
Private Credentials: How to Build Them  In the  beginning...
State of the Art: How to Build Them  asking for a credential
State of the Art: How to Build Them  getting a credential ...                             containing “birth date = April 3...
State of the Art: How to Build Them  showing a credential ...                             goes off-line                   ...
State of the Art: How to Build Them  showing a credential ...                                     containing statements “d...
Signature Scheme based on SRSA [CL01]          Public key of signer: RSA modulus n and ai, b, d Є QRn          Secret key:...
Signature Scheme based on SRSA [CL01] A signature (c,e,s) on messages m1, ..., mk is valid iff:            m1, ..., mk Є ...
Proof of Knowledge of a CL Signature Solution randomize c :     –   Let c = c bsmod n with random s         then d = ce a ...
Privacy   Feasibility   Way Ahead              ￷                        14
Vision: Smart Identity Card                                                     Strong accountability and privacy         ...
IBM Presentation Template Full Version                                                 [Independent proof point:Feasibilit...
IBM Presentation Template Full Version Java Card* Limitations                                          § 8-bit CPU (3.57 M...
IBM Presentation Template Full VersionJava CardStructure                                             IDMX Applet          ...
System Overview                              User PC     User                      interacts/                             ...
IBM Presentation Template Full VersionExecution Times for a Full Proof (incl. Communication)                  Modulus     ...
Privacy   Technology   Way Ahead              ￷                       21
IBM Presentation Template Full VersionJust Launched ABC4Trust Project■    EU FP 7 research project■    13.5 Million EUR, 4...
IBM Presentation Template Full VersionABC4Trust GoalsAchieve paradigm shift and interoperability in trustworthy infrastruc...
Privacy        Feasibility     Way Ahead Anonymous                        Anonymous credentials:     Technology       cred...
IBM Presentation Template Full VersionResources     ■   This talk is based on P. Bichsel, J. Camenisch, T. Gross, V. Shoup...
Upcoming SlideShare
Loading in …5
×

Anonymous Credentials on Java Card - SIT Smartcard 2011

2,216 views

Published on

How anonymous credentials can enhance electronic identity cards with strong security and privacy. A feasibility study presented at the Fraunhofer SIT Smartcard workshop 2011

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,216
On SlideShare
0
From Embeds
0
Number of Embeds
11
Actions
Shares
0
Downloads
18
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Anonymous Credentials on Java Card - SIT Smartcard 2011

  1. 1. Dr. Thomas Groß – Research Scientist03 February 2011Anonymous Credentials on Java CardPatrik Bichsel, Jan Camenisch, Thomas Groß, Victor Shoup 1 © 2009 IBM Corporation
  2. 2. Privacy Feasibility Way Ahead ￷[Images from iStockPhoto.com] 2
  3. 3. Privacy Feasibility Way Ahead ￷ 3
  4. 4. “Neil Armstrong’sFootsteps arestill there”(Robin Wilton, Sun Microsystems) ᄅ 4
  5. 5. IBM Presentation Template Full VersionAnonymous Credentials:Attribute-based Access w/ Strong Security & Privacy5 © 2011 IBM Corporation
  6. 6. Private Credentials: How to Build Them In the beginning...
  7. 7. State of the Art: How to Build Them asking for a credential
  8. 8. State of the Art: How to Build Them getting a credential ... containing “birth date = April 3, 1987”
  9. 9. State of the Art: How to Build Them showing a credential ... goes off-line - drivers license - insurance - older > 20
  10. 10. State of the Art: How to Build Them showing a credential ... containing statements “drivers license, age (as stated in driver’s license) > 20, and insurance” Using identity mixer, user can transform (different) token(s) into a new single one that, however, still verifies w.r.t. original signers public keys.
  11. 11. Signature Scheme based on SRSA [CL01] Public key of signer: RSA modulus n and ai, b, d Є QRn Secret key: factors of n To sign k messages m1, ..., mk Є {0,1}ℓ :  choose random prime e > 2ℓ and integer s ≈ n  compute c such that m1 mk s e d = a ·...· a b c mod n 1 k  signature is (c,e,s)[SRSA CL-signature system introduced in Camenisch and Lysyanskaya 01. There exist alternative systems in elliptic curve settings, for instance with BBS-alike signatures.]
  12. 12. Signature Scheme based on SRSA [CL01] A signature (c,e,s) on messages m1, ..., mk is valid iff:  m1, ..., mk Є {0,1}ℓ:  e > 2ℓ m1 mk  d= a ·...· a bs ce mod n 1 k Theorem: Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption.
  13. 13. Proof of Knowledge of a CL Signature Solution randomize c : – Let c = c bsmod n with random s then d = ce a m1 mk – · ... · a bs* (mod n) holds, 1 k i.e., (c,e, s*) is a also a valid signature! Therefore, to prove knowledge of signature on hidden msgs:  provide c  PK{(e, m1, ..., mk, s) : d = ce a m1 · ... · a mk b s 1 k ∧ mi Є {0,1}ℓ ∧ e Є 2ℓ+1 ± {0,1}ℓ }
  14. 14. Privacy Feasibility Way Ahead ￷ 14
  15. 15. Vision: Smart Identity Card Strong accountability and privacy Sustainable secondary use Trusted identity basis Cost effective Future-proof[Card picture is an artists conception: the chip of the actual JCOP 41/v.2.2 Java Card used for the feasibility study is on the backside.] © 2011 IBM Corporation
  16. 16. IBM Presentation Template Full Version [Independent proof point:Feasibility Problem Sterckx, Gierlichs, Preneel, Verbauwhede ‘09] Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card. Autonomy All data on card Malicious terminal16 © 2011 IBM Corporation
  17. 17. IBM Presentation Template Full Version Java Card* Limitations § 8-bit CPU (3.57 MHz) § Limited access to public key-CP (only standard RSA, DSA) § Limited RAM (2K)*: JCOP 41/v2.2 17 © 2011 IBM Corporation
  18. 18. IBM Presentation Template Full VersionJava CardStructure IDMX Applet Basic Ops interface Card Java Card API Manager Java Card VM Card-Specific Operating System 8-bit CPU 3DES CP Public Key CP[Source: Prof. Wolfgang Reif – chip cards]18 © 2011 IBM Corporation
  19. 19. System Overview User PC User interacts/ Browser request: policy/ Backend consents response: proof to policy (Server) Identity Wallet Identity Mixer Validation request: policy/ pkI response: proof Validates proofs with Key Point issuer’s public key Transforms inserts/owns certificates Smart ID Card in privacy- Identity Mixer preserving identity proof statements skU certificates Maintains master key and certificates confidential Won the Innovation Award 2009 (Gesellschaft für Informatik, GI) Secure Javacard19 © 2011 IBM Corporation
  20. 20. IBM Presentation Template Full VersionExecution Times for a Full Proof (incl. Communication) Modulus 1280 bit 1536 bit 1984 bit Precomputation 5203 ms 7828 ms 13250 ms Compute A’ 2125 ms 2906 ms 5000 ms Compute T1 3078 ms 4922 ms 8250 ms Policy-dependent 2234 ms 2625 ms 3298 ms Compute 1 562 ms 656 ms 828 ms response Total 7437 ms 10453 ms 16548 ms[Avg. performance measurements with 100 experiments on JCOP 41/v2.2. A: credential blinding, T1: first stage of Sigma-proof commitment, response: Sigma-proof response]20 © 2011 IBM Corporation
  21. 21. Privacy Technology Way Ahead ￷ 21
  22. 22. IBM Presentation Template Full VersionJust Launched ABC4Trust Project■ EU FP 7 research project■ 13.5 Million EUR, 4 years■ 12 partners ● Goethe University Frankfurt Unabhängiges Landeszentrum für ● Datenschutz ● Alexandra Institute Eurodocs ● ●Research Academic Computer Technology Institute CryptoExperts (SmartCards) ● ● IBM Research Microsoft R&D France ● ● Lenio Municipality of Söderhamn ● ● Nokia Siemens Networks Technische Universität Darmstadt ●22 © 2011 IBM Corporation
  23. 23. IBM Presentation Template Full VersionABC4Trust GoalsAchieve paradigm shift and interoperability in trustworthy infrastructures■ Establish abstraction and unification of different crypto algorithms.■ Create interaction flows, architecture & data formats as well as policies.■ Realize reference implementation.■ Validate concepts by real-world pilots in the eID space. ■ Establish NG smart card implementation of anonymous credentials. –Realization by CryptoExperts, lead by Pascal Paillier. –Native SmartCard, direct access to crypto co-processor.23 © 2011 IBM Corporation
  24. 24. Privacy Feasibility Way Ahead Anonymous Anonymous credentials: Technology credential future-proof feasible and systems to be solution to practical: harmonized, ￷ minimal efficiently integrated disclosure realizable on into identity and attribute smart cards managementauthentication systems 24
  25. 25. IBM Presentation Template Full VersionResources ■ This talk is based on P. Bichsel, J. Camenisch, T. Gross, V. Shoup. Anonymous Credentials on a Standard Java Card. ACM CCS 2009. Prof. V. Shoup is affiliated with the New York University and contributed to this work during a sabbatical at IBM Research – Zurich. ■ Identity Mixer Community: idemix.wordpress.com – Download Identity Mixer Library 2.3.2 – Read Identity Mixer Specification 2.3.2 – http://prime.inf.tu-dresden.de/idemix/ ■ PrimeLife: www.primelife.eu ■ ABC4Trust: www.abc4trust.de ■ Email Jan or Thomas: {jca, tgr}[at]zurich.ibm.com25 © 2011 IBM Corporation

×