1
Anonymity, unobservability, pseudonymity and identity management requirements
for an AmI world
Andreas Pfitzmann
Dresden University of Technology, Department of Computer Science, D-01062 Dresden
Phone: 0351/ 463-38277, e-mail: [email protected], http://dud.inf.tu-dresden.de/
2
Excerpts from: Treaty Establishing a Constitution for Europe
Article I-2 The Union's values
The Union is founded on the values of respect for human dignity, freedom, democracy, equality, the rule of law and respect for human rights, including the rights of persons belonging to minorities. ...
Article I-3 The Union's objectives
2. The Union shall offer its citizens an area of freedom, security and justice without internal frontiers, and an internal market where competition is free and undistorted.
3
Excerpts from: Treaty Establishing a Constitution for Europe
Article II-68 Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
4
Distrust is the basis
Cooperation on the basis of mutual distrust
(e.g. separation of powers, checks and balances)
is the basis of organizing modern societies, not trust.
5
Threats and corresponding protection goals
threats:
1) unauthorized access to information
2) unauthorized modification of information
3) unauthorized withholding of information or resources
protection goals:
confidentiality
integrity
availability for authorized users
≥ total correctness
partial correctness
no classification, but pragmatically useful
example: unauthorized modification of a program
1) cannot be detected, but can be prevented; cannot be reversed
2)+3) cannot be prevented, but can be detected; can be reversed
6
Distrust is the basis, revisited
Cooperation on the basis of mutual distrust
(e.g. separation of powers, checks and balances)
is the basis of organizing modern societies, not trust.
Cf. confidentiality vs. integrity / availability :
You can’t check whether your trust has been justified
even after the fact vs. you can check whether your
trust has been justified.
7
Transitive propagation of errors and attacks
symbol explanation:
- computer
- program
- A used B to design C
- machine X executes program Y
[Figure: transitive propagation of "errors"]
8
Trojan horse
universal Trojan horse
[Figure labels:]
- (covert) input channel: universal commands
- (covert) output channel
- write access
- write access
- non-termination
- resource consumption
- unauthorized disclosure of information
- unauthorized modification of information
- unauthorized withholding of information or resources
9
Protection against whom ?
Laws and forces of nature
- components are growing old
- excess voltage (lightning, EMP)
- voltage loss
- flooding (storm tide, break of water pipe)
- change of temperature ...
Human beings
- outsider
- user of the system
- operator of the system
- service and maintenance
- producer of the system
- designer of the system
- producer of the tools to design and produce
- designer of the tools to design and produce
- producer of the tools to design and produce the tools to design and produce
- designer ...
fault tolerance
Trojan horse • universal • transitive
includes user, operator, service and maintenance ... of the system used
10
Which protection measures against which attacker?
protection concerning:
- to achieve the intended
- to prevent the unintended
protection against:
- designer and producer of the tools to design and produce
- designer of the system
- producer of the system
- service and maintenance
- operator of the system
- user of the system
- outsiders
protection measures (table entries):
- unobservability, anonymity, unlinkability: avoid the ability to gather "unnecessary data"
- physical and logical restriction of access
- protect the system physically and protect data cryptographically from outsiders
- restrict physical access, restrict and log logical access
- intermediate languages and intermediate results, which are analyzed independently
- independent analysis of the product
- see above + several independent designers
- control as if a new product, see above
- physical distribution and redundancy
11
Multilateral security
Security with minimal assumptions about others
• Each party has its particular protection goals.
• Each party can formulate its protection goals.
• Security conflicts are recognized and compromises negotiated.
• Each party can enforce its protection goals within the agreed compromise.
12
Protection Goals: Sorting
                         Content                    Circumstances
Prevent the unintended   Confidentiality, Hiding    Anonymity, Unobservability
Achieve the intended     Integrity                  Accountability
                         Availability               Reachability, Legal Enforceability
13
Protection Goals: Definitions
Confidentiality ensures the confidentiality of user data when they are transferred. This assures that nobody apart from the communicants can discover the content of the communication.
Hiding ensures the confidentiality of the transfer of confidential user data. This means that nobody apart from the communicants can discover the existence of confidential communication.
Anonymity ensures that a user can use a resource or service without disclosing his/her identity. Not even the communicants can discover the identity of each other.
Unobservability ensures that a user can use a resource or service without others being able to observe that the resource or service is being used. Parties not involved in the communication can observe neither the sending nor the receiving of messages.
Integrity ensures that modifications of communicated content (including the sender’s name, if one is provided) are detected by the recipient(s).
Accountability ensures that sender and recipients of information cannot successfully deny having sent or received the information. This means that communication takes place in a provable way.
Availability ensures that communicated messages are available when the user wants to use them.
Reachability ensures that a peer entity (user, machine, etc.) either can or cannot be contacted depending on user interests.
Legal enforceability ensures that a user can be held liable to fulfill his/her legal responsibilities within a reasonable period of time.
14
Correlations between protection goals
Confidentiality, Hiding, Integrity, Anonymity, Unobservability, Accountability, Availability, Reachability, Legal Enforceability
[Figure: relations between the protection goals. Legend: "implies", "strengthens" (+), "weakens" (–)]
15
Golden rule
Correspondence between organizational and IT structures
Since tamper-resistance of HW is anything but good and organizations are far from perfect at keeping secrets:
Personal data should be gathered, processed and stored, if at all, by IT in the hands of the individual concerned.
16
Superposed sending (DC-network)
User station: pseudo-random bit-stream generator, modulo-16 adder
station 1:  M1 3A781  +   K12 2DE92  +   K13 4265B  =  99B6E
station 2:  M2 00000  +  -K12 E327E  +   K23 67CD3  =  4AE41
station 3:  M3 00000  +  -K13 CEAB5  +  -K23 A943D  =  67EE2
anonymous access: 99B6E + 4AE41 + 67EE2 = M1 + M2 + M3 = 3A781
Anonymity of the sender
If stations are connected by keys the value of which is completely unknown to the attacker, tapping all lines does not give him any information about the sender.
D. Chaum 1985 for finite fields
A. Pfitzmann 1990 for abelian groups
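The round shown on this slide, recomputed as an added example (not part of the original slides): each station adds its message and its pairwise keys digit by digit modulo 16, and the sum of all station outputs is the message. The function names, fresh_keys and the collision case are assumptions made for illustration; the collision case goes one step beyond the slide to show what happens when two stations send in the same round.

```python
from itertools import combinations
import secrets

def to_vec(hexstr):
    return [int(ch, 16) for ch in hexstr]

def to_hex(vec):
    return "".join("%X" % d for d in vec)

def add(*vecs):
    # Digit-wise addition modulo 16 (the slide's modulo-16 adder).
    return [sum(col) % 16 for col in zip(*vecs)]

def neg(vec):
    return [(-d) % 16 for d in vec]

def local_sum(station, message, keys):
    # A station adds the key it shares with each higher-numbered station
    # and the inverse of the key it shares with each lower-numbered one.
    terms = [to_vec(message)]
    for (a, b), key in keys.items():
        if a == station:
            terms.append(to_vec(key))
        elif b == station:
            terms.append(neg(to_vec(key)))
    return to_hex(add(*terms))

def run_round(messages, keys):
    # Returns what each station puts on the line and the global sum.
    outputs = {s: local_sum(s, m, keys) for s, m in messages.items()}
    total = to_hex(add(*(to_vec(o) for o in outputs.values())))
    return outputs, total

def fresh_keys(stations, digits=5):
    # Assumption: pairwise keys drawn uniformly at random for each round.
    return {pair: to_hex([secrets.randbelow(16) for _ in range(digits)])
            for pair in combinations(sorted(stations), 2)}

# Values from the slide.
SLIDE_KEYS = {(1, 2): "2DE92", (1, 3): "4265B", (2, 3): "67CD3"}
SLIDE_MSGS = {1: "3A781", 2: "00000", 3: "00000"}

def collision_round():
    # Failure mode: two stations send in the same round, so the global
    # sum is M1 + M2 and neither message is readable (constructed values).
    msgs = {1: "3A781", 2: "11111", 3: "00000"}
    return run_round(msgs, fresh_keys(msgs))[1]
```

run_round(SLIDE_MSGS, SLIDE_KEYS) reproduces the three station outputs and the global sum from the slide; with fresh keys the global sum is the same whichever station sends.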
17
Protection of the communication relation: MIX-network
Input to MIX1: c1(z4,c2(z1,M1)), c1(z5,c2(z2,M2)), c1(z6,c2(z3,M3))
MIX1 batches, discards repeats,
Output of MIX1, input to MIX2: c2(z3,M3), c2(z1,M1), c2(z2,M2)
MIX2 batches, discards repeats,
Output of MIX2: M2, M3, M1
d1(c1(zi,Mi)) = (zi,Mi)
d2(c2(zi,Mi)) = (zi,Mi)
D. Chaum 1981 for electronic mail
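A two-MIX cascade following the notation above, as an added example (not part of the original slides): senders build c1(z, c2(z', M)), and each MIX discards repeats, strips its layer and outputs the batch in an order that does not depend on arrival. The cipher is toy textbook RSA on fixed primes, used only as a stand-in for c_i/d_i; keypair, Mix, wrap and run_cascade are hypothetical names, and remembering repeats across batches is an assumption.

```python
import secrets

E, Z_BITS = 65537, 32

def keypair(p, q):
    # Toy textbook RSA on fixed Mersenne primes (stand-in cipher, not secure).
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

PUB2, PRIV2 = keypair(2**61 - 1, 2**89 - 1)    # MIX2, ~150-bit modulus
PUB1, PRIV1 = keypair(2**107 - 1, 2**127 - 1)  # MIX1, ~234-bit modulus

def c(pub, z, m):
    # c_i(z, M): encrypt M together with the random string z.
    n, e = pub
    x = (m << Z_BITS) | z
    if x >= n:
        raise ValueError("payload too large for this modulus")
    return pow(x, e, n)

def d(priv, ct):
    # d_i(c_i(z, M)) = (z, M)
    n, exp = priv
    x = pow(ct, exp, n)
    return x & (2**Z_BITS - 1), x >> Z_BITS

class Mix:
    def __init__(self, priv):
        self.priv, self.seen = priv, set()

    def process(self, batch):
        out = []
        for ct in batch:
            if ct in self.seen:   # discard repeats (assumed: across batches too)
                continue
            self.seen.add(ct)
            out.append(d(self.priv, ct)[1])  # strip the layer, drop z
        return sorted(out)        # output order independent of arrival order

def wrap(message):
    # Sender side: c1(z, c2(z', M)) with fresh random strings.
    m = int.from_bytes(message, "big")
    inner = c(PUB2, secrets.randbits(Z_BITS), m)
    return c(PUB1, secrets.randbits(Z_BITS), inner)

def run_cascade(batch):
    out = Mix(PRIV2).process(Mix(PRIV1).process(batch))
    return [m.to_bytes((m.bit_length() + 7) // 8, "big") for m in out]
```

Messages must fit the toy modulus, so the sample payloads are kept to a few bytes.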
18
Identity management
Privacy-enhancing identity management is only possible
w.r.t. parties which don't get GUIDs anyway, by
• the communication network (e.g. network addresses)
• the user device (e.g. serial numbers, radio signatures),
or even
• the user him/herself (e.g. by biometrics).
19
Personal identifier
845 authorizes A: ___
A notifies 845: ___
845 pays B €
B certifies 845: ___
C pays 845 €
20
Role-relationship pseudonyms and transaction pseudonyms
762 authorizes A: __
A notifies 762: ___
451 pays B €
B certifies 451: ___
B certifies 314: ___
C pays 314 €
21
Pseudonyms: Linkability in detail
Distinction between:
1. Initial linking between the pseudonym and its holder
2. Linkability due to the use of the pseudonym in different contexts
22
Pseudonyms: Initial linking to holder
Public pseudonym: The linking between pseudonym and its holder may be publicly known from the very beginning.
Example: phone number with its owner listed in public directories
Initially non-public pseudonym: The linking between pseudonym and its holder may be known by certain parties (trustees for identity), but is not public at least initially.
Example: bank account with bank as trustee for identity, credit card number ...
Initially unlinked pseudonym: The linking between pseudonym and its holder is – at least initially – not known to anybody (except the holder).
Example: biometric characteristics; DNA (as long as no registers)
23
Pseudonyms: Use in different contexts => partial order
A → B stands for “B enables stronger anonymity than A”
[Figure: partial order of pseudonym types, from linkable to unlinkable, with increasing unlinkability of transactions and increasing available anonymity]
- person pseudonym: number of an identity card, social security number, bank account
- role pseudonym: pen name, employee identity card number
- relationship pseudonym: customer number
- role-relationship pseudonym: contract number
- transaction pseudonym: one-time password, TAN
24
Summing up
Requirements for a multilaterally secure and privacy-enabling AmI world:
• Make sure that others cannot gather "unnecessary data" (just not gathering it is not enough, as history tells us).
• Since trust in foreign infrastructures w.r.t. confidentiality properties (e.g. privacy) will be very limited at best, each human should have his/her trusted device(s) to provide for his/her security. This device might act in an ambient way in the interests of its owner.
• Communication of humans with their ICT-environment should be by means of their trusted device only.
• Develop trusted devices which have no identifying radio signature.
• Minimize sensor abilities w.r.t. sensing foreign human beings directly.
25
Terminology and further reading
http://dud.inf.tu-dresden.de/Anon_Terminology.shtml