Minimal Information Disclosure with Efficiently Verifiable Credentials. David Bauer, Douglas M. Blough, and David Cash

1
Minimal Information Disclosure with Efficiently Verifiable Credentials
David Bauer, Douglas M. Blough, and David Cash
DIM 2008 Workshop, Oct 31, 2008
2
Goal: Digital Identifier
3
Terminology
  • Digital identity: entities have a defined set of
    attributes, defined by the entities themselves or
    by authorities (e.g., an employer)
  • Entities make claims about attributes of their
    identities
  • Credentials include claims and evidence that can
    be used to verify the claims
  • Relying parties receive and check credentials

4
Scenario
  • Off-line credentials
  • Three types of entities
      • Users
      • Identity providers
      • Relying parties/service providers
  • Some PKI infrastructure available
  • Revocation handled at a higher level

5
Related Work 1
  • Brands credential
      • Used by Credentica (bought out by Microsoft)
      • User is anonymous, even to identity provider
      • Different uses of credential can be linked
      • About 2 orders of magnitude slower than our
        system
  • Camenisch, Lysyanskaya, et al.
      • Used in IBM's Idemix
      • Provides unlinkability
      • Significantly slower than Brands credential

6
Motivation
  • Users want
      • Convenience of a single sign-on system
      • Ease of use of a driver's license
      • Privacy of user-controlled, limited disclosure
      • Security of modern cryptography
  • Relying parties, law enforcement want
    auditability
      • Credential not anonymous to identity provider
      • Linking of different uses of same credential
      • Detection of credential abuse

7
Our Approach
  • Aim for auditability, not anonymity
  • Disclose the minimum information a relying party
    needs
  • Users want to provide the fewest attributes and
    least amount of evidence needed for a given
    interaction
  • Be able to control when and where personal
    information is used
  • Credential use can be monitored so users can
    choose to know when and how their credentials are
    used
  • Avoid over-reliance on identity providers
  • Symmetric relationship between providers and
    consumers of credentials

8
Micro-Claims Basics
  • Standard digital certificates permit only all or
    nothing disclosure of identity
  • Instead of a few big claims (name, address, birth
    date, etc.), have many fine-grain claims
  • Instead of "Address: 400 10th St. NW, Apt 123A,
    Atlanta, GA 30318-5551, USA"
      • Address, city: Atlanta
      • Address, state: Georgia
      • Address, street: 400 10th St. NW
      • Address, 2nd Line: Apt 123A
      • ....

9
Minimal Disclosure Credentials Use
[Figure: Identity Provider, Credential, User/Owner, Network, Partial Credentials, Relying Parties]
10
Minimal Disclosure using Merkle Hash Trees
  • Start with a PKI certificate
  • Replace the flat identity in a certificate with
    the root hash of a Merkle hash tree of identity
    micro-claims

[Figure: Merkle hash tree. Eight claims at the bottom, each hashed to a leaf H(C); interior nodes H(L,R) combine left and right children up to the Root]
11
Merkle Hash Tree - Advantages
  • Ties many sub-claims to a single hash value or a
    single certificate
  • Owner can choose exactly which claims to release
    at a given time
  • Easily scales to thousands of micro-claims
  • Reduces needed space and time compared to having
    many certificates
  • Reduces exposure even in the event of a
    compromised private key

12
Related Work 2
  • Basic hash tree credential is a redactable
    signature
  • Johnson, et al. (CT-RSA 2002) use the same hash
    tree construction for a homomorphic signature

13
Extension: Multiple Authorities
[Figure: Identity Providers, Credentials, User/Owner, Combined Credential]
14
Extension to Multiple Authorities
  • Add special nodes that have their own
    certificates associated with them. These special
    nodes form root nodes of their own subtrees.

[Figure: combined hash tree. Root; interior nodes H(L,R) and H(L,M,R); Issuer nodes at the roots of Subtrees; leaf hashes H(C); Claims at the bottom]
15
Advantages of Credential Extension
  • Multiple trees from different identity providers
    can be combined under a single tree
  • Identity providers do not have access to all
    information about the user
  • Identity providers are only responsible for
    claims related to their subject area
  • User only has to keep track of one credential
  • Relying party only has to check one signature

16
Minimum Disclosure Credentials: Some Details
  • Combining credentials requires a new signature by
    an identity provider or signing oracle
  • Leaf nodes should be recognizable by their hash
      • Required for proof of security
      • Implemented by clearing or setting the last bit
        of the hash to indicate a leaf or non-leaf node
  • Claims must be padded before hashing
      • Prevents dictionary attacks against nodes
  • Verification of public key should be tied to
    claims shown
      • Prevents complex combination attacks
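
The hash-tree credential from the Merkle tree slide, with the leaf-marking bit and claim padding described above, as an added example that is not the authors' implementation. SHA-256, a 16-byte random prefix as the padding, a balanced tree and the dictionary used as the partial credential are assumptions of this sketch; the certificate signature over the root and the binding to the public key are left out.

```python
import hashlib, hmac, secrets

# Micro-claims taken from the address slide; everything else here is constructed.
CLAIMS = ["Address, city: Atlanta", "Address, state: Georgia",
          "Address, street: 400 10th St. NW", "Address, 2nd Line: Apt 123A"]

def _tag(digest, leaf):
    # The last bit of the hash marks the node type: 1 = leaf, 0 = non-leaf.
    last = (digest[-1] | 1) if leaf else (digest[-1] & 0xFE)
    return digest[:-1] + bytes([last])

def leaf_hash(claim, pad):
    # Random pad (assumed 16 bytes) keeps hidden claims from being guessed by dictionary.
    return _tag(hashlib.sha256(pad + claim.encode()).digest(), leaf=True)

def node_hash(left, right):
    return _tag(hashlib.sha256(left + right).digest(), leaf=False)

def build_tree(claims, pads):
    # Returns every level, leaves first; assumes len(claims) is a power of two.
    levels = [[leaf_hash(c, p) for c, p in zip(claims, pads)]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def disclose(levels, claims, pads, index):
    # Partial credential: one claim, its pad, and the sibling hash at each level.
    path, i = [], index
    for level in levels[:-1]:
        path.append(level[i ^ 1])
        i //= 2
    return {"index": index, "claim": claims[index], "pad": pads[index], "path": path}

def verify(partial, root):
    # Recompute the root; each sibling must carry the node-type bit its depth implies.
    h, i = leaf_hash(partial["claim"], partial["pad"]), partial["index"]
    for depth, sib in enumerate(partial["path"]):
        if (sib[-1] & 1) != (1 if depth == 0 else 0):
            return False
        h = node_hash(h, sib) if i % 2 == 0 else node_hash(sib, h)
        i //= 2
    return hmac.compare_digest(h, root)

if __name__ == "__main__":
    pads = [secrets.token_bytes(16) for _ in CLAIMS]
    levels = build_tree(CLAIMS, pads)
    root = levels[-1][0]  # this value would replace the flat identity in the certificate
    shown = disclose(levels, CLAIMS, pads, 0)
    print(shown["claim"], verify(shown, root))
```

The relying party sees one claim, its pad and two sibling hashes; the other three claims stay hidden behind padded hashes.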

17
Security
  • Private key prevents easy theft or impersonation
  • Tying claims to the public key prevents
    man-in-the-middle attacks
  • Collusion isn't possible between separate
    credentials
      • But is a concern when combining credentials
  • Security proof in paper for the tree structure

18
Performance
19
What counts as a credential?
  • Complete resume
  • Employment history
  • Complete educational transcripts
  • Awards received
  • List of publications
  • Complete content of publications
  • Medical records
  • Reputation/character witness data

20
Extension: Demo System
  • Credential is used as building block of a larger
    agent system
  • Two non-public parts of the credential are split
    up
      • Private key remains in user's possession
      • Hash tree data resides on a user-controlled
        agent
  • Provides simple joint authority

21
Joint Authority via Identity Agents
[Figure: Identity Provider, Relying Party, User (with local IdA), Remote IdA. Message labels: "Attributes disclosed to RP, User ID, Device ID, Nonces" and "Send minimum-disclosure credential"]
22
Advantages of Identity Agent
  • Easy revocation of permissions of lost or stolen
    devices
  • Immediate detection of unauthorized attempts to
    use credentials
  • Distributed trust
  • Distribution of personal information
  • User retains control over information and its use
  • Can put most functionality on the device's local
    IdA, but at the cost of increased exposure

23
Questions?