1 / 82

A Security Model for Anonymous Credential Systems

A Security Model for Anonymous Credential Systems. 26 th August I-NetSec, SEC 2004 Andreas Pashalidis and Chris J. Mitchell. Agenda. Why do we need AC Systems ? How do AC Systems work ? The model. What is “security” in an AC System ? What is “privacy” in an AC System ? Open questions.

denver
Download Presentation

A Security Model for Anonymous Credential Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Security Model forAnonymous Credential Systems 26th August I-NetSec, SEC 2004 Andreas Pashalidis and Chris J. Mitchell

  2. Agenda • Why do we need AC Systems ? • How do AC Systems work ? • The model. • What is “security” in an AC System ? • What is “privacy” in an AC System ? • Open questions.

  3. Agenda • Why do we need AC Systems ? • How do AC Systems work ? • The model. • What is “security” in an AC System ? • What is “privacy” in an AC System ? • Open questions.

  4. Why do we need AC Systems ?

  5. Why do we need AC Systems ?

  6. Why do we need AC Systems ?

  7. Why do we need AC Systems ?

  8. Why do we need AC Systems ?

  9. Why do we need AC Systems ?

  10. Why do we need AC Systems ? We want to prevent this! (technically – not through legislation)

  11. Agenda • Why do we need AC Systems ? • How do AC Systems work ? • The model. • What is “security” in an AC System ? • What is “privacy” in an AC System ? • Conclusions.

  12. How do AC Systems work ?

  13. How do AC Systems work ?

  14. How do AC Systems work ?

  15. How do AC Systems work ?

  16. How do AC Systems work ?

  17. How do AC Systems work ?

  18. How do AC Systems work ?

  19. How do AC Systems work ?

  20. Agenda • Why do we need AC Systems ? • How do AC Systems work ? • The model. • What is “security” in an AC System ? • What is “privacy” in an AC System ? • Open questions.

  21. Why another model ? • There is a formal model in [CL01]*. • Based on simulatability: • Ideal functionality guarantees security and privacy; cryptosystem has to “meet” this standard. • Relationship between different notions is somewhat hidden. • Adversary cannot corrupt parties adaptively. • Alternative model based on different ideas, in particular the [BR93]** model. *Camenisch & Lysyanskaya “An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation”, Eurocrypt 2001 **Bellare & Rogaway “Entity Authentication and Key Distribution” Crypto 1993

  22. What is a AC System ? • It is a 10-tuple consisting of • Five Sets: Users, Issuers, Verifiers, Pseudonyms, Credential Types. • Three Protocols: Pseudonym Establishment, Credential Issuing, Credential Showing. • One Algorithm: Initialisation. • One number: Security Parameter (k).

  23. What is a AC System ? Turing machines • It is a 10-tuple consisting of • Five Sets: Users, Issuers, Verifiers, Pseudonyms, Credential Types. • Three Protocols: Pseudonym Establishment, Credential Issuing, Credential Showing. • One Algorithm: Initialisation. • One number: Security Parameter (k).

  24. The model • Users, Issuers and Verifiers execute the protocols with each other directly (not through an attacker who controls all communications). • Several notions of security and privacy. • Each notion is defined by means of a game between two Turing machines: Challenger vs. Adversary.

  25. The games – three phases 1) Challenger chooses k, runs initialisation, controls all Users, Issuers, Verifiers. 2) Adversary issues queries to Challenger. • A query makes the Challenger either • initiate a protocol between a user and an issuer or a user and a verifier, or • hand control of a party over to the Adversary.

  26. The games – three phases 3) No more queries. Adversary runs credential showing protocol with an uncorrupted verifier. If verifier accepts Adversary wins; otherwise he loses. • The notion of security is satisfied iff no Adversary can win the game with a non-negligible probability (in the security parameter k).

  27. Agenda • Why do we need AC Systems ? • How do AC Systems work ? • The model. • What is “security” in an AC System ? • What is “privacy” in an AC System ? • Open questions.

  28. What is “security” in an ACS ? • Three notions of security. • Pseudonym owner protection. • Credential Unforgeability. • Credential Non-transferability.

  29. Pseudonym owner protection

  30. Pseudonym owner protection

  31. Pseudonym owner protection

  32. Pseudonym owner protection

  33. Pseudonym owner protection

  34. Pseudonym owner protection

  35. Pseudonym owner protection

  36. Pseudonym owner protection

  37. Pseudonym owner protection “Nobody, even if colludingwith others (users, issuers and verifiers) should be able to successfully show a credential on a pseudonym of which he is not the owner (i.e. on a pseudonym which was not established by himself).”

  38. Credential Unforgeability

  39. Credential Unforgeability

  40. Credential Unforgeability

  41. Credential Unforgeability “The only way for a user to successfully show a credential is by having previously obtained it from the issuer.”

  42. Credential Non-Transferability

  43. Credential Non-Transferability

  44. Credential Non-Transferability

  45. Credential Non-Transferability

  46. Credential Non-Transferability

  47. Credential Non-Transferability

  48. Credential Non-Transferability Needs additional assumption: not all secrets may be shared!

  49. Credential Non-Transferability “Even if colluding with others who have obtained a credential, a user can successfully show it only if it was issued to him personally.”

  50. Credential Non-Transferability Non-Transferability implies Unforgeability. Definitions make this explicit. Non-Transferability not always required.

More Related