Publication


Featured research published by Patrik Bichsel.


computer and communications security | 2009

Anonymous credentials on a standard Java Card

Patrik Bichsel; Jan Camenisch; Thomas Groß; Victor Shoup

Secure identity tokens such as Electronic Identity (eID) cards are emerging everywhere. At the same time user-centric identity management gains acceptance. Anonymous credential schemes are the optimal realization of user-centricity. However, on inexpensive hardware platforms, typically used for eID cards, these schemes could not be made to meet the necessary requirements such as future-proof key lengths and transaction times on the order of 10 seconds. The reason for this is the need for the hardware platform to be standardized and certified. Therefore an implementation is only possible as a Java Card applet. This results in severe restrictions: little memory (transient and persistent), an 8-bit CPU, and access to hardware acceleration for cryptographic operations only by defined interfaces such as RSA encryption operations. Still, we present the first practical implementation of an anonymous credential system on a Java Card 2.2.1. We achieve transaction times that are orders of magnitude faster than those of any prior attempt, while raising the bar in terms of key length and trust model. Our system is the first one to act completely autonomously on card and to maintain its properties in the face of an untrusted terminal. In addition, we provide a formal system specification and share our solution strategies and experiences gained with the Java Card.


security and cryptography for networks | 2010

Get shorty via group signatures without encryption

Patrik Bichsel; Jan Camenisch; Gregory Neven; Nigel P. Smart; Bogdan Warinschi

Group signatures allow group members to anonymously sign messages in the name of a group such that only a dedicated opening authority can reveal the exact signer behind a signature. In many of the target applications, for example in sensor networks or in vehicular communication networks, bandwidth and computation time are scarce resources and many of the existent constructions simply cannot be used. Moreover, some of the most efficient schemes only guarantee anonymity as long as no signatures are opened, rendering the opening functionality virtually useless. In this paper, we propose a group signature scheme with the shortest known signature size and favorably comparing computation time, whilst still offering a strong and practically relevant security level that guarantees secure opening of signatures, protection against a cheating authority, and support for dynamic groups. Our construction departs from the popular sign-and-encrypt-and-prove paradigm, which we identify as one source of inefficiency. In particular, our proposal does not use standard encryption and relies on re-randomizable signature schemes that hide the signed message so as to preserve the anonymity of signers. Security is proved in the random oracle model assuming the XDDH, LRSW and SDLP assumptions and the security of an underlying digital signature scheme. Finally, we demonstrate how our scheme yields a group signature scheme with verifier-local revocation.


Second IFIP WG 11.6 Working Conference on Policies and Research Management (IDMAN) | 2010

Mixing Identities with Ease

Patrik Bichsel; Jan Camenisch

Anonymous credential systems are a key ingredient for a secure and privacy protecting electronic world. In their full-fledged form, they can realize a broad range of requirements of authentication systems. However, these many features result in a complex system that can be difficult to use. In this paper, we aim to make credential systems easier to employ by providing an architecture and high-level specifications for the different components, transactions and features of the identity mixer anonymous credential system. The specifications abstract away the cryptographic details but they are still sufficiently concrete to enable all features. We demonstrate the use of our framework by applying it to an e-cash scenario.


computational science and engineering | 2009

Security and Trust through Electronic Social Network-Based Interactions

Patrik Bichsel; Samuel Müller; Franz-Stefan Preiss; Dieter Sommer; Mario Verdicchio

The success of a Public Key Infrastructure such as the Web of Trust (WoT) heavily depends on its ability to ensure that public keys are used by their legitimate owners, thereby avoiding malicious impersonations. To guarantee this property, the WoT requires users to physically gather, check each other’s credentials (e.g., ID cards), to sign the trusted keys, and to subsequently monitor their validity over time. This trust establishment and management procedure is rather cumbersome and, as we believe, the main reason for the limited adoption of the WoT. To overcome this problem, we propose a solution that leverages the intrinsic properties of Electronic Social Networks (ESN) to establish and manage trust in the WoT. In particular, we exploit dynamically changing profile and contact information, as well as interactions among users of ESNs to gain and maintain trust in the legitimacy of key ownerships without the disadvantages of the traditional WoT approach. We see our proposal as an effective way to make security and trust solutions available to a broad audience of non-technical users.


symposium on access control models and technologies | 2012

A calculus for privacy-friendly authentication

Patrik Bichsel; Jan Camenisch; Dieter Sommer

Establishing authentic channels has become a common operation on the Internet and electronic commerce would not be possible without it. Because traditionally authentication is based on identifying users, the success of electronic commerce causes rapid erosion of their privacy. Privacy-friendly authentication, such as group signatures or anonymous credential systems, could mitigate this issue minimizing the information released during an authentication operation. Unfortunately, privacy-friendly authentication systems are not yet deployed. One reason is their sophistication and feature richness, which is complicating their understanding. By providing a calculus for analyzing and comparing the requirements and goals of privacy-friendly authentication systems, we contribute to a better understanding of such technologies. Our calculus extends the one by Maurer and Schmid [18], by introducing: (1) pseudonyms to enable pseudonymous authentication, (2) a pseudonym annotation function denoting the information an entity reveals about itself, and (3) event-based channel conditions to model conditional release of information used for privacy-friendly accountability.


Attribute-based Credentials for Trust | 2015

An Architecture for Privacy-ABCs

Patrik Bichsel; Jan Camenisch; Maria Dubovitskaya; Robert R. Enderlein; Stephan Krenn; Ioannis Krontiris; Anja Lehmann; Gregory Neven; Christian Paquin; Franz-Stefan Preiss; Kai Rannenberg; Ahmad Sabouri

One of the main objectives of the ABC4Trust project was to define a common, unified architecture for Privacy-ABC systems to allow comparing their respective features and combining them into common platforms. The chapter presents an overview of features and concepts of Privacy-ABCs and introduces the architecture proposed by ABC4Trust, describing the layers and components as well as the high-level APIs. We also present the language framework of ABC4Trust through an example scenario. Furthermore, this chapter investigates integration of Privacy-ABCs with the existing Identity Management protocols and also analyses the required trust relationships in the ecosystem of Privacy-ABCs.


Attribute-based Credentials for Trust | 2015

Cryptographic Protocols Underlying Privacy-ABCs

Patrik Bichsel; Jan Camenisch; Maria Dubovitskaya; Robert R. Enderlein; Stephan Krenn; Anja Lehmann; Gregory Neven; Franz-Stefan Preiss

In this chapter we present the Cryptographic Engine which provides the cryptographic functionality used in the ABC Engine, such as issuance or presentation of credentials. We first describe the architecture of the Cryptographic Engine, explain the building blocks it uses, and explain how they are bound together. We then describe the cryptographic primitives that the library uses to instantiate those building blocks.


privacy security risk and trust | 2011

Recognizing Your Digital Friends

Patrik Bichsel; Jan Camenisch; Mario Verdicchio

Personal relationships are more and more managed over digital communication media, and electronic social networks in particular. Digital identity, conceived as a way to characterize and recognize persons on the Internet, has thus taken center stage, although this concept still remains vague in many of its aspects. This work aims at shedding some light on this topic, by sketching a basic conceptual framework, analyzing the issues for Internet users, and proposing possible solutions that promote a better use of digital identity.


computer and communications security | 2011

Demo: a comprehensive framework enabling data-minimizing authentication

Patrik Bichsel; Franz-Stefan Preiss

Authentication is an all-embracing mechanism in today's (digital) society. While current systems require users to provide much personal data and offer many attack vectors due to using a username/password combination, systems that allow for minimizing the data released during authentication exist. Implementing such data-minimizing authentication reduces the number of attack vectors, enables enterprises to reduce the risk associated with possession of sensitive user data, and realizes better privacy for users. Our prototype demonstrates the use of data-minimizing authentication using the scenario of accessing a teenage chat room in a privacy-preserving way. The prototype allows a user to retrieve credentials, which may be seen as the digital equivalent of the plastic cards we carry in our wallets today. It also implements a service provider who requires authentication with respect to a service-specific policy. The prototype determines whether and how the user can fulfill the policy with her credentials, which typically results in various options. A graphical user interface then allows the user to select one of these options. Based on the user's input, the prototype generates an Identity Mixer proof that shows fulfillment of the service provider's policy without revealing unnecessary information. Finally, this proof is sent to the service provider for verification. Our prototype is the first implementation of such far-reaching data-minimizing authentication, where we provide the building blocks of our implementation as open-source software.


Archive | 2011

Transaction auditing for data security devices

Patrik Bichsel; Jan Camenisch; Thomas Gross
