Bringing data minimization to digital wallets at scale with general-purpose zero-knowledge proofs
Today, digital identity management for individuals is either inconvenient and
error-prone or creates undesirable lock-in effects and violates privacy and
security expectations. These shortcomings inhibit the digital transformation in
general and seem particularly concerning in the context of novel applications
such as access control for decentralized autonomous organizations and
identification in the Metaverse. Decentralized or self-sovereign identity (SSI)
aims to offer a solution to this dilemma by empowering individuals to manage
their digital identity through machine-verifiable attestations stored in a
"digital wallet" application on their edge devices. However, when presented to
a relying party, these attestations typically reveal more attributes than
required and allow tracking end users' activities. Several academic works and
practical solutions exist to reduce or avoid such excessive information
disclosure, from simple selective disclosure to data-minimizing anonymous
credentials based on zero-knowledge proofs (ZKPs). We first demonstrate that
the SSI solutions that are currently built with anonymous credentials still
lack essential features such as scalable revocation, certificate chaining, and
integration with secure elements. We then argue that general-purpose ZKPs in
the form of zk-SNARKs can appropriately address these pressing challenges. We
describe our implementation and conduct performance tests on different edge
devices to illustrate that the performance of zk-SNARK-based anonymous
credentials is already practical. We also discuss further advantages that
general-purpose ZKPs can easily provide for digital wallets, for instance, to
create "designated verifier presentations" that facilitate new design options
for digital identity infrastructures that previously were not accessible
because of the threat of man-in-the-middle attacks.
Self-sovereign identity: decentralized identifiers, claims and credentials using non-decentralized ledger technology
Integrated master's dissertation in Informatics Engineering. Current identity management systems rely on centralized databases to store users' personal data, which poses
a great risk for data security, as these infrastructures create a critical point of failure for the whole system. Besides
that, service providers have to bear huge maintenance costs and comply with strict data protection regulations.
Self-sovereign identity (SSI) is a new identity management paradigm that tries to answer some of these
problems by providing a decentralized, user-centric identity management system that gives users full control of
their personal data. Some of its underlying concepts include Decentralized Identifiers (DIDs), Verifiable Claims
and Credentials. This approach does not rely on any central authority to enforce trust, as it often uses Blockchain
or other Decentralized Ledger Technologies (DLT) as the trust anchor of the system, although other decentralized
networks or databases could also be used for the same purpose.
This thesis focuses on finding alternative solutions to DLT in the context of SSI. Despite being the most used
solution, some DLTs are known to lack scalability and performance, and since a global identity management
system heavily relies on these two requirements, DLT might not be the best solution to the problem.
This document provides an overview of the state of the art and main standards of SSI, and then focuses on
a non-DLT approach to SSI, referencing non-DLT implementations and alternative decentralized infrastructures
that can be used to replace DLTs in SSI. It highlights some of the limitations associated with using DLTs for
identity management and presents an SSI framework based on decentralized name systems and networks. This
framework couples all the main functionalities needed to create different SSI agents, which were showcased in
a proof of concept application.
Currently, digital identity management systems depend on centralized databases to store their users' personal
data. This represents a high security risk, since these infrastructures constitute a critical point of failure for the
whole system. In addition, service providers have to bear high maintenance costs to store all this information
and are also obliged to comply with existing data protection regulations.
Self-sovereign identity (SSI) is a new digital identity paradigm that tries to answer some of these problems by
creating a user-centric, fully decentralized system that gives users total control over their personal data. Some of
its underlying concepts include Decentralized Identifiers (DIDs), Verifiable Credentials and Presentations. This
approach does not depend on any central authority to establish trust, since it uses Blockchains or other
Decentralized Ledger Technologies (DLT) as the trust anchor of the system. However, other decentralized networks
or databases can also be used to achieve the same goal.
This thesis focuses on finding alternative solutions to DLT in the context of SSI. Although DLT is the most used
solution, some DLTs are known to lack scalability and performance. Since a digital identity system with global
reach will depend heavily on these two requirements, DLT may not be the best solution.
This document provides an overview of the state of the art and the main SSI standards, and then focuses on a
non-DLT approach, which includes a brief reference to non-DLT implementations and alternative technologies
that could be used to replace DLTs in SSI. It also addresses some of the main limitations associated with the use
of DLTs in digital identity management and presents a framework based on name systems and decentralized
networks. This framework includes the main functionalities needed to implement the different SSI agents, which
were demonstrated through several proof of concept applications.
Authentication Protocols and Privacy Protection
This dissertation thesis deals with cryptographic means for authentication. Its main topic, however, is not classical authentication protocols, which offer only identity verification, but so-called attribute authentication systems, with which users can prove their personal attributes. These attributes can represent any personal information, e.g. age, nationality or place of birth. Attributes can be proven anonymously and with the support of many features for the protection of digital identity. Such features include, e.g., unlinkability of authentication sessions, untraceability, the possibility to select which attributes are proven, or efficient revocation. Attribute authentication systems are already considered the successors of current systems in the official strategic plans of the USA (NSTIC) and the EU (ENISA). Some of the required features are already supported by existing cryptographic concepts such as U-Prove and idemix. At present, however, no system is known that provides all the necessary features for digital identity protection while being practically implementable on devices such as smart cards. The key weaknesses of current systems are, above all, the missing unlinkability of sessions and the absence of revocation. It is thus not possible to efficiently invalidate expired users, lost or stolen authentication cards, or the cards of malicious users. For these reasons, this thesis proposes a cryptographic scheme that resolves the weaknesses found in the analysis of existing solutions. The resulting scheme, whose design is based on established primitives such as -protocols for proofs of knowledge, cryptographic commitments and verifiable encryption, supports all the required properties for the protection of privacy and digital identity. At the same time, the design is easily implementable in the smart-card environment.
This thesis contains the full cryptographic design of the system, the formal verification of its key properties, a mathematical model of the scheme in Mathematica for functional verification, and the results of an experimental implementation on .NET smart cards. Even though the proposed system supports all privacy-protecting features, including those missing in existing systems, its computational complexity remains the same or lower, so the user verification time is shorter than in existing systems. The result is a scheme that can very noticeably increase the privacy protection of users during their verification, especially when used in electronic ID documents, access systems or Internet services. This dissertation thesis deals with the cryptographic constructions for user authentication. Rather than classical authentication protocols, which allow only identity verification, the attribute authentication systems are the main topic of this thesis. The attribute authentication systems allow users to give proofs about the possession of personal attributes. These attributes can represent any personal information, for example age, nationality or birthplace. The attribute ownership can be proven anonymously and with the support of many features for digital identity protection. These features include, e.g., the unlinkability of verification sessions, untraceability, selective disclosure of attributes or efficient revocation. Currently, the attribute authentication systems are considered to be the successors of existing authentication systems by the official strategies of the USA (NSTIC) and the EU (ENISA). The necessary features are partially provided by existing cryptographic concepts like U-Prove and idemix. But at this moment, there is no system providing all privacy-enhancing features which is implementable on computationally restricted devices like smart-cards.
Among all weaknesses of existing systems, the missing unlinkability of verification sessions and the absence of practical revocation are the most critical ones. Without these features, it is currently impossible to invalidate expired users, lost or stolen authentication cards and cards of malicious users. Therefore, a new cryptographic scheme is proposed in this thesis to fix the weaknesses of existing schemes. The resulting scheme, which is based on established primitives like -protocols for proofs of knowledge, cryptographic commitments and verifiable encryption, supports all privacy-enhancing features. At the same time, the scheme is easily implementable on smart-cards. This thesis includes the full cryptographic specification, the formal verification of key properties, the mathematical model for functional verification in Mathematica software and the experimental implementation on .NET smart-cards. Although the scheme supports all privacy-enhancing features which are missing in related work, the computational complexity is the same or lower, thus the time of verification is shorter than in existing systems. With all these features and properties, the resulting scheme can significantly improve the privacy of users during their verification, especially when used in electronic ID systems, access systems or Internet services.
Privacy in the Smart City - Applications, Technologies, Challenges and Solutions
Many modern cities strive to integrate information technology into every aspect of city life to create so-called smart cities. Smart cities rely on a large number of application areas and technologies to realize complex interactions between citizens, third parties, and city departments. This overwhelming complexity is one reason why holistic privacy protection only rarely enters the picture. A lack of privacy can result in discrimination and social sorting, creating a fundamentally unequal society. To prevent this, we believe that a better understanding of smart cities and their privacy implications is needed. We therefore systematize the application areas, enabling technologies, privacy types, attackers and data sources for the attacks, giving structure to the fuzzy term "smart city". Based on our taxonomies, we describe existing privacy-enhancing technologies, review the state of the art in real cities around the world, and discuss promising future research directions. Our survey can serve as a reference guide, contributing to the development of privacy-friendly smart cities.
Non-Disclosing Credential On-chaining for Blockchain-based Decentralized Applications
Many service systems rely on verifiable identity-related information of their
users. Manipulation and unwanted exposure of this privacy-relevant information,
however, must at the same time be prevented and avoided. Peer-to-peer
blockchain-based decentralization with a smart contract-based execution model
and verifiable off-chain computations leveraging zero-knowledge proofs promise
to provide the basis for next-generation, non-disclosing credential management
solutions. In this paper, we propose a novel credential on-chaining system that
ensures blockchain-based transparency while preserving pseudonymity. We present
a general model compliant with the W3C verifiable credential recommendation and
demonstrate how it can be applied to solve existing problems that require
computational identity-related attribute verification. Our zkSNARKs-based
reference implementation and evaluation show that, compared to related
approaches based on, e.g., CL-signatures, our approach provides significant
performance advantages and more flexible proof mechanisms, underpinning our
vision of increasingly decentralized, transparent, and trustworthy service
systems.
Towards a secure service provisioning framework in a Smart city environment
© 2017 Elsevier B.V. Over the past few years the concept of Smart cities has emerged to transform urban areas into connected and well informed spaces. Services that make smart cities "smart" are curated by using data streams of smart cities, i.e., inhabitants' location information, digital engagement, transportation, environment and local government data. Accumulating and processing of these data streams raise security and privacy concerns at individual and community levels. Sizeable attempts have been made to ensure the security and privacy of inhabitants' data. However, the security and privacy issues of smart cities are not only confined to inhabitants; service providers and local governments have their own reservations: service provider trust, reliability of the sensed data, and data ownership, to name a few. In this research we identified a comprehensive list of stakeholders and modelled their involvement in smart cities by using the Onion Model approach. Based on the model we present a security and privacy-aware framework for service provisioning in smart cities, namely the "Smart Secure Service Provisioning" (SSServProv) Framework. Unlike previous attempts, our framework provides end-to-end security and privacy features for trustable data acquisition, transmission, processing and legitimate service provisioning. The proposed framework ensures inhabitants' privacy, and also guarantees integrity of services. It also ensures that public data is never misused by malicious service providers. To demonstrate the efficacy of SSServProv we developed and tested core functionalities of authentication, authorisation and a lightweight secure communication protocol for data acquisition and service provisioning. For various smart city service provisioning scenarios we verified these protocols with an automated security verification tool called Scyther.