Efficient Selective Disclosure on Smart Cards using Idemixpim/talks/20130408_idman.pdf · Smart...
Transcript of Efficient Selective Disclosure on Smart Cards using Idemixpim/talks/20130408_idman.pdf · Smart...
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Efficient Selective Disclosure on Smart Cardsusing Idemix
Pim Vullers Gergely Alpar
Institute for Computing and Information Sciences – Digital SecurityRadboud University Nijmegen
Conference on Policies & Research in Identity Management8th April 2013
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 1 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Attributes on Smart Cards
Privacy issues
• Smart cards are “Big Brother’s little helper” (Stefan Brands)
• With Oyster / OV-chipcard / Charlie / . . . , you tell who youare when you get on a bus, metro, train, . . .
• Identity-based solutions violate their users’ privacy(and increase identity-fraud risk)
Attribute-based credentials
• Attribute-based authorisation:only provide the information which the system needs
• Example of attribute-based credentials (electronic wietpas):
• card only says “I’m a Dutch citizen, and my age is over 18”
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 2 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Outline
Introduction
Idemix Credentials
Smart Card Implementation
Performance Results
Summary
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 3 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Credential-based System
The ideas
• Attributes: grouped in credentials
• Data minimisation: selective disclosure
• Unlinkability: randomisation & zero-knowledge
A credential
• Attributes
• Secret key
• Issuer’s signature
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 4 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Protocols
1 Credential issuance• Blind signature generated by the issuer over the secret key of
the card and the attributes to be issued.• Issuer unlinkability
2 Attribute verification
I Proof generation / presentation• Selective disclosure of the credential’s attributes• Randomisation of the issuer’s signature
II Proof verification / authentication• Verify the zero-knowledge proof using the issuer’s public key• Multi-show unlinkability
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 5 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Idemix specifics
Camenisch-Lysyanskaya signature scheme
• Keys: (n,S ,Z ,R0...l), (p′, q′) where n = (2p′ + 1)(2q′ + 1)
• Signature: (A, e, v) where A =
(Z
Sv∏l
i=0 Rimi
)e−1 mod p′q′
mod n
Credentials
• Secret key: m0
• Attributes: m1 . . .ml
Verification
• Randomisation (with r): A′ = A · S r mod n, v ′ = v − e · r
• Zero-knowledge proof of e and undisclosed mi
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 6 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Outline
Introduction
Idemix Credentials
Smart Card Implementation
Performance Results
Summary
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 7 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Smart Card Platforms
Java Card
+ High-level (object-oriented) programming language
+ Widely spread / high availability
− Limited cryptographic API / no mathematical API
MULTOS
+ Low-level access to the cryptographic co-processor
+ Proper cryptographic/mathematical API
+ Very flexible memory management
− Low-level language causes a steep learning curve.
− Limited amount of RAM available
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 8 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Design of the System
Java
platform
Idemix
application Terminal
service
Idemix
library
(a) Terminal
MULTOS
platform
Idemix
applicationAPDU
handling
Recipient/Prover
cryptography
(b) Card
Figure : System architecture for Idemix on a smart card.
• Terminal service translates IBM’s Idemix commands and datatypes into APDU commands for smart card communication
• MULTOS implementation, limited by smart cardcharacteristics, is 95% compatible with Idemix Library
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 9 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Outline
Introduction
Idemix Credentials
Smart Card Implementation
Performance Results
Summary
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 10 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Related Work on Smart Cards
Related work
• Bichsel et al. (IBM Research, 2009), ± 7.5 secCamenisch & Lysyanskaya anonymous credential system
• Sterckx et al. (KU Leuven, 2009), ± 3 secDirect anonymous attestation
Our previous results
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 11 / 18
• Batina et al. (RU Nijmegen, 2010), ± 1.5 secHoepman et al. (RU Nijmegen, 2010), ± 0.6 sec
Self-blindable certificates of Verheul
• Mostowski and Vullers (RU, 2011), ± 0.5 - 0.9 secU-Prove selective disclosure (2-5 attributes)
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Issuance Performance
2.2622.379
2.4542.522
2.605
1.6961.758 1.781 1.796 1.809
1 2 3 4 5
#attributes
0
1.5s
2.5s
time
Figure : Credential issuance times ( : computation, : overhead).
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 12 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Presentation Performance
1.099
0.997
0.895
0.969
0.869
0.768
0 1 2
#disclosed
0
0.75s
1.5stime
(a) 2 stored attributes
1.454
1.352
1.226
1.149
1.025
0.947
1.287
1.185
1.063
0.985
0.864
0.784
0 1 2 3 4 5
#disclosed
0
0.75s
1.5stime
(b) 5 stored attributes
Figure : Attribute verification times ( : computation, : overhead).
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 13 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
U-Prove Comparison
1.454
1.352
1.226
1.149
1.025
0.947
1.287
1.185
1.063
0.985
0.864
0.784
0 1 2 3 4 5
#disclosed
0
0.75s
1.5stime
(a) Idemix
869814
764708
651594
648586
530469
406343
0 1 2 3 4 5
#disclosed
0
1000
time (ms)
(b) U-Prove
Figure : Attribute verification times ( : computation, : overhead).
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 14 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Summary
• Efficient MULTOS implementation of the Idemix technology
• Multi-show unlinkability of the credentials on the smart card
• Attribute-based credentials on smart cards are possible
• Major improvement over IBM’s DAA implementation
Next steps:
• Studying other technologies
• Practicing with other platforms
• Making anonymous credentials usable: IRMA
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 15 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
IRMA – I Reveal My Attributes
Tuesday 9th April 201309:15 – 10:15 Second keynote session: Bart Jacobs
Towards Practical Attribute-Based Identity Management:the IRMA Trajectory.
https://www.irmacard.org/Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 16 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Demo
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 17 / 18
IntroductionIdemix Credentials
Smart Card ImplementationPerformance Results
SummaryRadboud University Nijmegen
Questions
Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 18 / 18