Title: Minimal Information Disclosure with Efficiently Verifiable Credentials
David Bauer, Douglas M. Blough, and David Cash
DIM 2008 Workshop, Oct 31, 2008
2 Goal: Digital Identifier
3 Terminology
- Digital identity entities have a defined set of attributes, defined by the entities themselves or by authorities (e.g., an employer)
- Entities make claims about attributes of their identities
- Credentials include claims and evidence that can be used to verify the claims
- Relying parties receive and check credentials
4 Scenario
- Off-line Credentials
- Three types of entities
  - Users
  - Identity providers
  - Relying parties/service providers
- Some PKI infrastructure available
- Revocation handled at a higher level
5 Related Work 1
- Brands credential
  - Used by Credentica (bought out by Microsoft)
  - User is anonymous, even to identity provider
  - Different uses of credential can be linked
  - About 2 orders of magnitude slower than our system
- Camenisch, Lysyanskaya, et al.
  - Used in IBM's Idemix
  - Provides unlinkability
  - Significantly slower than Brands credential
6 Motivation
- Users want
  - Convenience of a single sign-on system
  - Ease of use of a driver's license
  - Privacy of user-controlled, limited disclosure
  - Security of modern cryptography
- Relying parties, law enforcement want auditability
  - Credential not anonymous to identity provider
  - Linking of different uses of same credential
  - Detection of credential abuse
7 Our Approach
- Aim for auditability, not anonymity
- Disclose the minimum information a relying party needs
- Users want to provide the fewest attributes and least amount of evidence needed for a given interaction
- Be able to control when and where personal information is used
- Credential use can be monitored so users can choose to know when and how their credentials are used
- Avoid over-reliance on identity providers
- Symmetric relationship between providers and consumers of credentials
8 Micro-Claims Basics
- Standard digital certificates permit only all-or-nothing disclosure of identity
- Instead of a few big claims (name, address, birth date, etc.), have many fine-grain claims
- Instead of "Address: 400 10th St. NW, Apt 123A, Atlanta, GA 30318-5551, USA"
  - Address, city: Atlanta
  - Address, state: Georgia
  - Address, street: 400 10th St. NW
  - Address, 2nd Line: Apt 123A
  - ....
9 Minimal Disclosure Credentials Use
[Figure. Labels: Identity Provider, Credential, User/Owner, Network, Partial Credential (x2), Relying Parties (x2).]
10 Minimal Disclosure using Merkle Hash Trees
- Start with a PKI certificate
- Replace the flat identity in a certificate with the root hash of a Merkle hash tree of identity micro-claims
[Figure: Merkle hash tree. Labels: Root; internal nodes H(L,R); leaf nodes H(C), one per Claim.]
11 Merkle Hash Tree - Advantages
- Ties many sub-claims to a single hash value or a single certificate
- Owner can choose exactly which claims to release at a given time
- Easily scales to thousands of micro-claims
- Reduces needed space and time compared to having many certificates
- Reduces exposure even in the event of a compromised private key
12 Related Work 2
- Basic hash tree credential is a redactable signature
- Johnson, et al. (CT-RSA 2002) use the same hash tree construction for a homomorphic signature
13 Extension: Multiple Authorities
[Figure. Labels: Identity Providers, Credentials, User/Owner, Combined Credential.]
14 Extension to Multiple Authorities
- Add special nodes that have their own certificates associated with them. These special nodes form root nodes of their own subtrees.
[Figure: combined hash tree. Labels: Root; internal nodes H(L,R) and H(L,M,R); Issuer nodes; Subtree (x2); leaf nodes H(C), one per Claim.]
15 Advantages of Credential Extension
- Multiple trees from different identity providers can be combined under a single tree
- Identity providers do not have access to all information about the user
- Identity providers are only responsible for claims related to their subject area
- User only has to keep track of one credential
- Relying party only has to check one signature
16 Minimum Disclosure Credentials: Some Details
- Combining credentials requires a new signature by an identity provider or signing oracle
- Leaf nodes should be recognizable by their hash
  - Required for proof of security
  - Implemented by clearing or setting the last bit of the hash to indicate a leaf or non-leaf node
- Claims must be padded before hashing
  - Prevents dictionary attacks against nodes
- Verification of public key should be tied to claims shown
  - Prevents complex combination attacks
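The hash tree credential from slides 10 and 16, sketched as an added example that is not code from the paper or the authors' system. The choice of SHA-256, a 16-byte random pad prepended to each claim, a power-of-two claim count, and all function names are assumptions; signing the root inside the PKI certificate is left out.

```python
import hashlib
import os

def _h(data: bytes, leaf: bool) -> bytes:
    # Assumed hash: SHA-256, with the last bit set for a leaf and cleared otherwise.
    d = bytearray(hashlib.sha256(data).digest())
    d[-1] = (d[-1] | 1) if leaf else (d[-1] & 0xFE)
    return bytes(d)

def leaf_hash(claim: bytes, pad: bytes) -> bytes:
    # Random pad (assumed 16 bytes, prepended) blocks guessing of undisclosed claims.
    return _h(pad + claim, leaf=True)

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(left + right, leaf=False)

def build(claims, pads):
    """Return every level, leaves first; assumes a power-of-two claim count."""
    level = [leaf_hash(c, p) for c, p in zip(claims, pads)]
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def disclose(levels, index):
    """Sibling hashes a relying party needs to recompute the root for one claim."""
    return [level[(index >> d) ^ 1] for d, level in enumerate(levels[:-1])]

def verify(root, claim, pad, index, path):
    h = leaf_hash(claim, pad)
    for sibling in path:
        h = node_hash(h, sibling) if index % 2 == 0 else node_hash(sibling, h)
        index //= 2
    return h == root

CLAIMS = [b"Address, city: Atlanta", b"Address, state: Georgia",
          b"Address, street: 400 10th St. NW", b"Address, 2nd Line: Apt 123A"]

def demo():
    pads = [os.urandom(16) for _ in CLAIMS]
    levels = build(CLAIMS, pads)
    root = levels[-1][0]  # the value the certificate would carry and sign
    ok = verify(root, CLAIMS[1], pads[1], 1, disclose(levels, 1))
    altered = verify(root, b"Address, state: Alabama", pads[1], 1, disclose(levels, 1))
    # An internal node's input replayed as a "claim" fails on the leaf bit alone.
    blob = levels[0][0] + levels[0][1]
    forged = verify(root, blob[16:], blob[:16], 0, [levels[1][1]])
    return ok, altered, forged
```

Disclosing the state claim reveals only that claim, its pad, and two sibling hashes; the other three address claims stay hidden behind their padded hashes.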
17 Security
- Private key prevents easy theft or impersonation
- Claims tied to public key prevents man-in-the-middle attacks
- Collusion isn't possible between separate credentials
  - But is a concern when combining credentials
- Security proof in paper for the tree structure
18 Performance
19 What counts as a credential?
- Complete resume
- Employment history
- Complete educational transcripts
- Awards received
- List of publications
- Complete content of publications
- Medical records
- Reputation/character witness data
20 Extension: Demo System
- Credential is used as building block of a larger agent system
- Two non-public parts of the credential are split up
  - Private key remains in user's possession
  - Hash tree data resides on a user-controlled agent
- Provides simple joint authority
21 Joint Authority via Identity Agents
[Figure. Parties: IDENTITY PROVIDER, RELYING PARTY, USER (w/ Local IdA), Remote IdA. Message labels: "Attributes disclosed to RP, User ID, Device ID, Nonces"; "Send minimum-disclosure credential".]
22 Advantages of Identity Agent
- Easy revocation of permissions of lost or stolen devices
- Immediate detection of unauthorized attempts to use credentials
- Distributed trust
- Distribution of personal information
- User retains control over information and its use
- Can put most functionality on device's local IdA but at cost of increased exposure
23 Questions?