On the efficiency of revocation in RSA-based anonymous systems

© 2016 IEEEThe problem of revocation in anonymous authentication systems is subtle and has motivated a lot of work. One of the preferable solutions consists in maintaining either a whitelist L-W of non-revoked users or a blacklist L-B of revoked users, and then requiring users to additionally prove, when authenticating themselves, that they are in L-W (membership proof) or that they are not in L-B (non-membership proof). Of course, these additional proofs must not break the anonymity properties of the system, so they must be zero-knowledge proofs, revealing nothing about the identity of the users. In this paper, we focus on the RSA-based setting, and we consider the case of non-membership proofs to blacklists L = L-B. The existing solutions for this setting rely on the use of universal dynamic accumulators; the underlying zero-knowledge proofs are bit complicated, and thus their efficiency; although being independent from the size of the blacklist L, seems to be improvable. Peng and Bao already tried to propose simpler and more efficient zero-knowledge proofs for this setting, but we prove in this paper that their protocol is not secure. We fix the problem by designing a new protocol, and formally proving its security properties. We then compare the efficiency of the new zero-knowledge non-membership protocol with that of the protocol, when they are integrated with anonymous authentication systems based on RSA (notably, the IBM product Idemix for anonymous credentials). We discuss for which values of the size k of the blacklist L, one protocol is preferable to the other one, and we propose different ways to combine and implement the two protocols.Postprint (author's final draft

Practical backward unlinkable revocation in FIDO, German e-ID, Idemix and U-Prove

FIDO, German e-ID, Idemix and U-Prove constitute privacy-enhanced public-key infrastructures allowing users to authenticate in an anonymous way. This however hampers timely revocation in a privacy friendly way. From a legal perspective, revocation typically should be effective within 24 hours after user reporting. It should also be backward unlinkable, i.e. user anonymity cannot be removed after revocation. We describe a new, generic revocation mechanism based on pairing based encryption and apply it to supplement the systems mentioned. This allows for both flexible and privacy friendly revocation. Protocol execution takes less than a quarter of a second on modern smartcards. An additional property is that usage after revocation is linkable, allowing users to identify fraudulent usage after revocation. Our technique is the first Verifier Local Revocation scheme with backwards unlinkable revocation for the systems mentioned. This also allows for a setup resembling the well-known Online Certificate Status Protocol (OCSP). Here the service provider sends a pseudonym to a revocation provider that returns its status. As the information required for this is not secret the status service can be distributed over many cloud services. In addition to the status service our technique also supports the publication of a central revocation list

Analysis of revocation strategies for anonymous Idemix credentials

In an increasing information-driven society, preserving privacy is essential. Anonymous credentials promise a solution to protect the user’s privacy. However, to ensure accountability, efficient revocation mechanisms are essential. Having classified existing revocation strategies, we implemented one variant for each. In this paper we describe our classification and compare our implementations. Finally, we present a detailed analysis and pragmatic evaluation of the strategies.status: publishe

Aprimoramento da privacidade em infraestruturas de chaves públicas centradas no usuário e baseadas em notários

Dissertação (mestrado) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Ciência da Computação, Florianópolis, 2014.Este trabalho tem como objetivo propor novas alternativas de Infraestrutura de Chaves Públicas (ICP) para prover um melhor gerenciamento das identidades, dos atributos e da privacidade dos usuários finais no âmbito de uma Infraestrutura de Autenticação e Autorização (IAA). Neste trabalho são descritas três alternativas: ICP Baseada em Atributos, ICP Centrada no Usuário e ICP Centrada no Usuário com Autenticação Anônima. A partir de uma visão crítica apresentada ao modelo de uma ICP X.509 e também com o uso de certificados de atributos, foram levantadas as limitações de suas adoções e utilizações, bem como a falta de suporte e o fornecimento na privacidade do usuário. Baseadas em Autoridades Notariais para fornecer a confiabilidade dos dados, as propostas utilizam-se do paradigma centrado no usuário para prover um maior controle para o usuário gerenciar e apresentar seus atributos, facilitando nos procedimentos de emissão e verificação das credenciais. As principais diferenças entre as propostas estão no fornecimento de diferentes níveis de privacidade para o usuário final e por meio da utilização de diferentes mecanismos criptográficos, tais como a Criptografia Baseada em Identidades (CBI) e provas de autenticação zero-knowledge. As propostas são analisadas e comparadas entre si e entre cinco outros sistemas, protocolos ou tecnologias utilizadas em uma IAA: ICP X.509 com certificados de atributos, OpenID, framework Shibboleth, U-Prove e Idemix. As suas escolhas se dão pela ampla utilização ou pelos resultados de projetos e pesquisas no meio acadêmico e privado, destacando ou não na privacidade do usuário. Mostra-se que as alternativas de ICP permitem uma simplificação na emissão de credenciais com chaves criptográficas, na verificação destas credenciais, no suporte a diferentes níveis de privacidade para o usuário, com uma alternativa em definir um justo modelo de negócio e a possibilidade de utilização em procedimentos de assinatura de documentos eletrônicos.Abstract : This work aims to propose new alternatives for Public Key Infrastructure (PKI) to improve the management of identities, attributes and privacy of end users within an Authentication and Authorization Infrastructure (AAI). In this work three alternatives are described: PKI Based on Attributes, User-Centric PKI and User-Centric PKI with Anonymous Authentication. From a critical view introduced to the X.509 PKI model and also with the use of attributes certificates, was raised the limitations of their adoption and uses, as well as the lack of the support and the supply of the user's privacy. Based on Notary Authorities to provide data reliability, the proposed alternatives use of user-centric paradigm to provide more control for the user to manage and to present their attributes, making it easier procedures for issuing and verificating credentials. The main differences between the proposals are in providing different levels of end-user's privacy and through the use of different cryptographic mechanisms, such as Identity-Based Cryptography (IBC) and zero-knowledge authentication proofs. The proposals are analyzed and compared with each other and with five other systems, protocols or technologies used in an IAA: X.509 PKI with attribute certificates, OpenID, Shibboleth framework, U-Prove and Idemix. The choices are given by the widespread use or the results from academic and private's research and projects, focusing or not on user's privacy. It is shown that the PKI's alternatives allow a simplification in the issuance of credentials with cryptographic keys, the verification of that credentials, in supporting different levels of user's privacy, an alternative to defining a fair business model and the possibility of using in procedures for signing electronic documents