Privacy and accountability in identity systems: the best of both worlds

0
396

Privacy and accountability are widely believed to be opposing goals in identity systems. On one hand, service providers require users to be identifiable to reduce fraud; on the other, users want to limit tracking while minimizing the amount of information disclosed about them. As a result, debates on identity become a rope pulling effort with privacy proponents on one end and security ones on the other. We will illustrate that this opposition is in fact an illusion. Modern cryptography makes it possible to achieve both strong security and privacy to any degree desired. In this paper, we present a system allowing honest users to access online resources anonymously, but when a user contravenes to the terms of service or acts fraudulently, an auditor can de-anonymize and then ban the misbehaving user from the system. We also describe a prototype using a mobile phone as a second factor of authentication implementing this system. This paper showcases a new ID escrow system to verifiably encrypt user pseudonyms for an auditor, and an efficient revocation accumulator scheme compatible with the U-Prove technology. Privacy and accountability in identity systems: the best of both worlds Microsoft Research pg. 2 Introduction As more services are migrated online, system designers are faced with seemingly contradicting requirements. On one hand, they need to provide adequate security for online transactions increasing in value, and simple usernames/passwords do not to provide sufficient protection anymore. On the other hand, privacy requirements protecting against user profiling and tracking are becoming more common and complex. Many systems prioritize one aspect over the other, and most often than not, security. However, it is now better understood that privacy is an as important aspect that must be considered when designing new systems. As noteworthy example, the White House published last year the National Strategy for Trusted Identities in Cyberspace (NSTIC), outlining the vision of an identity ecosystem that provides both strong privacy and security for consumer identities to be used online. Multiple technologies are being proposed in the industry to address the privacy issues; but system designers frequently equate privacy with classical cryptographic secrecy. Protecting privacy entails more than encrypting user data and attributes, it also involves reducing to the strict required minimum the information learned about the user’s activities and data for all parties involved in an identity transaction. The key is therefore to balance both sets of requirements and design systems that can provide both the required privacy and security protections, using the right mechanisms. So-called minimal disclosure technologies provide strong cryptographic protections across the privacy spectrum: from anonymity, pseudonymity, to full-identification. For example, U-Prove and Idemix are two predominant technologies backed by important industry players that have been widely studied in academia and in various research projects. They may work well in an ideal world, but reality is more complicated. First, full-anonymity is rarely needed in practice; most identity scenarios require the presentation of some sort of attribute (for example , “I’m pseudonym XYZ”, “I’m over-21”, “my clearance level is higher than SECRET”). Second, anonymity services routinely get abused, prompting critics to lobby for shutting them down for security reasons. As an example, TOR network nodes are routinely blocked by various organizations and systems to prevent illegal activities, therefore also precluding honest users from its benefits. Privacy services are beneficial to the internet community, but operational and authorized privacy services are even more useful! 1 The notion of privacy by design is getting more popular and widely advocated. 2 http://www.nist.gov/nstic/ 3 Also called anonymous credentials. 4 http://www.microsoft.com/u-prove 5 http://www.zurich.ibm.com/security/idemix/ 6 One noteworthy and currently active project, ABC4Trust, aims at architecting and implementing a common abstraction over U-Prove and Idemix (and any other minimal disclosure technologies), and running real-l ife pilots with these technologies. https://abc4trust.eu. 7 https://www.torproject.org/ 8 As an example, Wikipedia does not allow editing pages when using TOR, thus preventing anon ymous contributions. Certain sensitive topics would benefit from qualified yet anonymous authors ; our system could be used to prove certified qualification of an anonymous author, allowing the anonymity to be lifted by the Wikipedia administrators in case of abuse, and by revoking the author’s accreditation. Privacy and accountability in identity systems: the best of both worlds Microsoft Research pg. 3 To enhance their survival chances in the real world, privacy-protecting technologies should therefore offer accountability mechanisms to allow honest participants to use them, while allowing misbehaving ones to be identified and/or banned. In this paper, we present a system that extends the U-Prove technology to provide an ID escrow service to de-anonymize users committing fraudulent transactions and a revocation mechanism to prevent these users from further accessing the system. We also describe a prototype implementing this system that uses a mobile phone as a second factor of authentication to increase security. About U-Prove U-Prove is an innovative cryptographic technology that allows users to minimally disclose certified information about themselves when interacting with online services. U-Prove provides a superset of the security features of Public Key Infrastructure (PKI), and also provides strong privacy protections by offering superior user control and preventing unwanted user tracking. The U-Prove technology specifies cryptographic primitives that can be integrated in the leading federation protocols (like SAML, WS-Trust, OpenId, OAuth, etc.) to enhance their privacy characteristics. Microsoft released the U-Prove cryptographic specification under the Open Specification Promise 10 allowing anyone to use and implement it freely, and released an open-source SDK implementing it. With the new version 1.1 (revision 2) release of the specification, it is now possible to extend the capabilities of the technology by defining external modules. The ID Escrow and revocation schemes we present later are examples of such extensions. Academic research in the area of privacy technologies such as U-Prove has been booming in the last few years. Many of the new schemes require more advanced mathematics and rely on newer security assumptions that have not been vetted in practice. Fortunately, U-Prove and the new extension schemes presented herein rely on conventional security assumptions (the same ones as in DSA and ECDSA), and the mathematics are simple enough to be implemented using math libraries widely available. Two-factor security Two-factor authentication is an important feature in many identity systems, and is now supported in leading consumer web properties offered by the likes of Microsoft Facebook and Google. Using a dedicated security device or a mobile phone is a good way to increase the confidence in the user 9 See for example the U-Prove WS-Trust V1.0 profile.