Real Name Registration Will there be privacy?


Page 1: Real Name Registration Will there be privacy?

Real Name Registration
Will there be privacy?

K.P. Chow 1, Echo P. Zhang 1, S.H. Hou 2 & F. Xu 3

July 2013, Hong Kong

1 University of Hong Kong
2 University of Science and Technology, Beijing
3 Institute of Information Engineering, CAS

Page 2: Real Name Registration Will there be privacy?

Real-Name System

• When a user wants to register an account on a blog, website or bulletin board system, they are required to provide identification credentials, including their real name, to the network service center

• One may use an online pseudonym; however, the person’s real identity would be available if rules or laws are broken

Page 3: Real Name Registration Will there be privacy?

Where is the real-name system implemented?

Page 4: Real Name Registration Will there be privacy?

South Korea

• The first country to implement a real-name system

• Since 28 Jun 2009, 35 Korean websites have implemented a name registration system according to the newly amended Information and Communications Network Act (Choi Jin-sil Law)

Page 5: Real Name Registration Will there be privacy?

Why a real-name system in Korea?

• Implemented after the suicide of Choi Jin-sil (崔真实), which was said to be related to malicious comments about her on Internet bulletin boards

• On 23 Aug 2012, the Constitutional Court of Korea ruled unanimously that the real-name requirement is unconstitutional, citing the provision’s violation of freedom of speech in cyberspace

Page 6: Real Name Registration Will there be privacy?

The Korea Constitutional Court said

• The system has not been beneficial to the public, …, number of illegal or malicious postings online has not decreased

• Instead, users moved to foreign websites

• It also prevents foreigners from expressing their opinions online

Page 7: Real Name Registration Will there be privacy?

Who’s next?

Page 8: Real Name Registration Will there be privacy?

The China Development

• 2002: 李希光 proposed “Anonymous should be prohibited on the Internet”

Source: http://www.chuanmeijia.com/zt/mingrentang/lixiguang/

Page 9: Real Name Registration Will there be privacy?

Since 2002

• 2003: “real-name registration” at the cyber cafe

• 2004: real-name registration website appeared

• 2005: real-name registration for website administrators

• 2005: real-name registration for QQ group creators and administrators


Page 10: Real Name Registration Will there be privacy?

From 2008

• 2008: MIIT (Ministry of Industry and Information Technology) proposed real-name registration

• 2012: sina.com, sohu.com, 163.com and blog.qq.com implemented real-name registration

• 2013: The Chinese government announced that real-name registration would be implemented by June 2014

Page 11: Real Name Registration Will there be privacy?

How will real-name registration be implemented?

Page 12: Real Name Registration Will there be privacy?

Some requirements

• Allows indirect real-name registration
  – “后台实名、前台匿名” real-name system (real-name at the back, pseudonym at the web)

• Practical issues:
  – Large number of users
  – Cost to implement should be low

Page 13: Real Name Registration Will there be privacy?

Who should be responsible for the registration?

• Public security (Police)?
• Government department(s)?
• Websites or service providers?
• Independent authority?

Page 14: Real Name Registration Will there be privacy?

Real-Name Registration: Our Proposal

• Multiple parties involved
  – User (U)
  – Registration center (RC)
  – Independent authority (IA)
  – Personal data storage center (PDSC)

• Components
  – User real-name registration (RN)
  – User web-name registration (WN)

Page 15: Real Name Registration Will there be privacy?

Real-Name Registration: Encryption Scheme

• Use Shamir’s Secret Sharing Scheme

• 2 out of 3: 3 parties share the secret and any 2 parties together can decrypt the secret

• The 3 parties: User (U), Independent Authority (IA) and Registration Center (RC)

• To retrieve the real-name
  – For a crime case, the Police can request the Court to order the IA and RC to retrieve the real-name
  – For a personal reason, the User can request the Registration Center to retrieve the real-name

Page 16: Real Name Registration Will there be privacy?

User Real-Name Registration (diagram)

Parties shown: User (U), Registration Center (RC), Independent Authority (IA), Private Data Storage Center (PDSC) with its Key Server and Data Storage Server

Flow labels:
1. Submit Personal Authentication Information (PAI)
2.1. E_pkID(PAI)
2.2a (xi1, yi1)
2.2b (xi2, yi2)
2.2c (xi3, yi3)
3. Destroy the PAI

Key Server: (xi0, yi0)

Page 17: Real Name Registration Will there be privacy?

User real-name registration

1. REGISTRATION: The User connects to the Registration Center using a secure channel and submits Private Authentication Information (PAI) to the Registration Center

2. AUTHENTICATION: The Registration Center authenticates the identity of the User using the submitted Private Authentication Information (PAI), and then encrypts the PAI

Page 18: Real Name Registration Will there be privacy?

User real-name registration (Authentication)

(2.1) Assign Web-user name (WN) to each user

(2.2) Build public-secret key pair (pkID, skID) and 2-degree polynomial fID for each user such that fID(0)=skID

(2.3) Use pkID to encrypt user Personal Authentication Information (PAI) and store (Web-user name WN, pkID, encrypted PAI) in PDSC

(2.4) Generate 4 pairs (xik, yik) such that k=0…3, fID(xik)=yik on the Key Server in PDSC, keep (xi0, yi0) in Key Server and distribute the other 3 pairs to the User, Registration Center and the Independent Authority

(2.5) Return the Web-user name (WN) to the user

(2.6) In RC, destroy the user Private Authentication Information (PAI) but keep the (Web-user name WN, fID)

Note that we use the polynomial for secret sharing of the skID; please refer to Shamir’s Secret Sharing Scheme or the supplementary

Page 19: Real Name Registration Will there be privacy?

User Web-name Registration (diagram)

Parties shown: User (U), Website (Service Provider), PDSC with its Key Server and Data Storage Server

Flow labels:
1. Service Request
2.1. Verify the identity (ask the question about PAI)
2.2. Send the WN and the question
3. Submit N answers (among them there is only one correct answer) and the Web-name (WN)
4. Based on WN, retrieve the pkID
5. Encrypt N answers with pkID
6. Retrieve the encrypted answer w.r.t. WN
7. Compare the submitted answer and the retrieved answer. If there is one and only one correct answer matching the record, return success; otherwise return fail.

Page 20: Real Name Registration Will there be privacy?

User Web-name Registration at the Service Provider

1. The User requests to use the service at the Service Provider with Web-user name (WN)

2. The Service Provider asks questions based on Personal Authentication Information (PAI); the question is sent to both the User and the PDSC

3. The User sends N answers (only 1 is correct) to the Key Server at PDSC

4. The Key Storage Server, based on the Web-user name WN, retrieves the pkID and encrypts the N answers, and then sends the encrypted answers to the Data Storage Server.

5. The Data Storage Server compares the encrypted answers with the stored data in the Data Storage Server; if exactly one answer is matched, the Web-user name WN is authenticated
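The five steps above, modelled end to end as an added example (not code from the slides). It assumes the encryption under pkID is deterministic so that ciphertexts can be compared; the toy unpadded RSA key, the `PDSC` class and the sample WN, question and answers are all constructed for illustration.

```python
import hashlib

# Toy textbook-RSA public key standing in for pkID (assumption: the slides name
# no cipher). Unpadded, so equal answers always give equal ciphertexts.
# Both factors are Mersenne primes; this is not a production key.
PK_ID = ((2**127 - 1) * (2**89 - 1), 65537)

def encrypt(pk, answer):
    """E_pkID(answer): hash the answer to an integer, then raise it to e mod n."""
    n, e = pk
    digest = hashlib.sha256(answer.encode("utf-8")).digest()
    return pow(int.from_bytes(digest, "big") % n, e, n)

class PDSC:
    """Hypothetical model of the Key Server and Data Storage Server."""
    def __init__(self):
        self.key_server = {}    # WN -> pkID
        self.data_storage = {}  # (WN, question) -> encrypted PAI answer

    def enroll(self, wn, pk, question, answer):
        # Real-name registration step (2.3): store pkID and the encrypted PAI.
        self.key_server[wn] = pk
        self.data_storage[(wn, question)] = encrypt(pk, answer)

    def authenticate(self, wn, question, answers):
        # Step 4: the Key Server looks up pkID by WN and encrypts the N answers.
        pk = self.key_server.get(wn)
        stored = self.data_storage.get((wn, question))
        if pk is None or stored is None:
            return False
        # Step 5: succeed only if exactly one ciphertext matches the record.
        matches = sum(encrypt(pk, a) == stored for a in answers)
        return matches == 1

def demo():
    pdsc = PDSC()
    q = "City of birth?"                       # constructed PAI question
    pdsc.enroll("wn_example", PK_ID, q, "Hong Kong")
    return (
        pdsc.authenticate("wn_example", q, ["Beijing", "Hong Kong", "Seoul"]),
        pdsc.authenticate("wn_example", q, ["Beijing", "Seoul", "Tokyo"]),
        pdsc.authenticate("wn_example", q, ["Hong Kong", "Hong Kong"]),
    )

if __name__ == "__main__":
    print(demo())
```

The comparison in step 5 only works when the same answer always encrypts to the same ciphertext, which is why a deterministic stand-in is used here; the slides do not say which cipher is used.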

Page 21: Real Name Registration Will there be privacy?

Some Properties

1. User A cannot pretend to be User B because he cannot give a right answer about User B’s Personal Authentication Information (PAI)

2. Users can see their own PAIs but others cannot

3. For a crime case, the Police can make a request to the Court to order the RC and IA to retrieve the Real-name of the user (RN):
   – For example, the Police wants to investigate the user “剑客” and makes a request to the Court to order RC and IA to retrieve the real-name of “剑客”. Based on the input from RC and IA, PDSC constructs the polynomial f_剑客(.), finds the secret key sk_剑客 by computing f_剑客(0) and then retrieves the identity of the Web-name user “剑客”.
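The key splitting of steps (2.2) and (2.4) and the court-ordered retrieval in property 3, as an added example (not code from the slides). It assumes arithmetic over a prime field, x-values 1 to 4, the share order shown in `demo`, and that the Key Server contributes its own pair (xi0, yi0) as the third point, which is how a 2-degree polynomial fits the 2-out-of-3 rule among U, RC and IA.

```python
import secrets

P = 2**127 - 1  # prime field modulus: an assumption, the slides name no field

def make_shares(sk_id, xs=(1, 2, 3, 4)):
    """Steps (2.2) and (2.4): random 2-degree f_ID with f_ID(0) = sk_ID, evaluated
    at four distinct non-zero points (x = 0 would hand out sk_ID itself)."""
    coeffs = [sk_id % P, secrets.randbelow(P), 1 + secrets.randbelow(P - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in xs]

def recover_sk(points):
    """Lagrange interpolation at x = 0; a 2-degree polynomial needs 3 points."""
    pts = list(dict(points).items())  # drop duplicate x values
    if len(pts) < 3:
        raise ValueError("need 3 distinct points to rebuild f_ID")
    pts, secret = pts[:3], 0
    for j, (xj, yj) in enumerate(pts):
        num = den = 1
        for m, (xm, _) in enumerate(pts):
            if m != j:
                num = num * -xm % P
                den = den * (xj - xm) % P
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret

def demo():
    sk_id = secrets.randbelow(P)  # constructed stand-in for sk_ID
    # Assumed share order: Key Server keeps k=0, then User, RC, IA.
    key_server, user, rc, ia = make_shares(sk_id)
    court_order = recover_sk([key_server, rc, ia]) == sk_id    # property 3
    user_request = recover_sk([key_server, user, rc]) == sk_id  # personal reason
    try:
        recover_sk([rc, ia])      # two pairs without the Key Server's pair
        two_alone = True
    except ValueError:
        two_alone = False
    return court_order, user_request, two_alone

if __name__ == "__main__":
    print(demo())
```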

Page 22: Real Name Registration Will there be privacy?


Thank You