Bede Music Box

SelectiveDisclosure(v0.2) BenLaurie(benl@google.com) May11,2007 Abstract 1Summary Thereisagrowingdesiretoallowuserstobemoreincontroloftheironline identity,asseeninMicrosoft'sCardSpace[Cam,Cha06],OpenID[RR06],Project 1 Althoughithasbeenrepeatedlyshownthattheaverageenduseriseasilypersuadedto giveuptheirprivacy,despiteprofessingtocareaboutit[AG05]. 2 Assertionsarealsooftenknownasattributesorcerticatesinthiscontext. 3 By\trust",Imean\ispreparedtobelieve"or,equivalently,\ispreparedtorelyupon". 1 safeintheknowledgethattheassertionis,infact,true. 3PrivacyRequirements KimCameron'sfamous\LawsofIdentity"[Cam06]include 4.Directedidentity Auniversalidentitysystemmustsupportbothomni-directionaliden- tiersforusebypublicentitiesandunidirectionalidentiers 4 foruse byprivateentities,thusfacilitatingdiscoverywhilepreventingun- necessaryreleaseofcorrelationhandles. 4 Iwouldprefertheterms\universal"and\independent"ratherthan\omnidirectional" and\unidirectional" 2  Minimal Thisistheprivacypreservingbit-Iwanttotelltherelying partytheveryleastheneedstoknow.Ishouldn'thaveto revealmydateofbirth,justproveI'mover18somehow.  Unlinkable Iftherelyingpartyorparties,orotheractorsinthesystem, can,eitherontheirownorincollusion,linktogethermyvarious assertions,thenI'veblowntheminimalityrequirementoutof thewater. NoteasubtlebutimportantdierencebetweenKim'slawsandmine{he talksabout identiers whereasItalkabout assertions .Inanidealworld, assertionswouldnotbeidentiers;butitturnsoutthatinpracticetheyoften are. 4AssertionsasIdentiers Sowhydoassertionsturnouttobeidentiers?Consideroncemorewhatisin anassertion:asubject,avalue,aclaimantandasignature(ofwhichthelast twoareoptional).Iftheidentitysystemisrespectingprivacy,thenthesubject willbedierentforeachrelyingparty(becausethesubjectwillbeidentied bytheunidirectionalidentierestablishedwiththatparticularrelyingparty). Anaiveanalysiswouldleadyoutobelievethatthisisgoodenough-notwo relyingpartieswouldseethesamesubject,andthereforenolinkagecouldbe established. Butthisisnotso.Firstly,thevalueoftheassertionwillbethesameat eachrelyingparty.Thisisboundtobeatleastpartiallyidentifying,orthere wouldbenopointinhavingit(thatis,ifeveryonewouldhavethesamevalue, thenyoumightaswellnotbotherwiththeassertionatall).Forexample,ifit ismyaddress,then(inmycase)thatnarrowsmedowntooneoffourpeople. Ifitismydateofbirth,thenthatnarrowsmedownto(approximately)onein 20,000 5 5 Assumeanaveragelifeexpectancyof60years,then60x365=21,900. 6 Notethatanassertionwithaclaimantbutnosignatureisnotworththepaperitis writtenon. 3 fortherelyingpartyandtheclaimanttocolludeinordertolinkanyother \unidirectional"identierstheusermayhave. Thesituationisevenworseifassertionsareusedastheyusuallyare{thatis, boundtomy\realname"orsomeotheromnidirectionalidentier,likemyNa- tionalInsurancenumber,forexample.Inthatcase,theactualassertionshown isalwaysthesame,andsothecollusionoftheclaimantisnotevenrequired. Mostidentitymanagementsystemswithanypretensionatalltoprivacyxthis problembyhavingtheuserpresenttheir\universal"assertionwiththeiromni- directionalidentieronitandinexchangegivethematemporaryassertionwith aunidirectionalidentier{thiscaneitherbedonewiththeoriginalclaimant orwithsomemutually 7 trustedthirdparty.But,ofcourse,whoeverissuesthis temporaryassertioncantriviallylinkittotheoriginalassertion,andsoweare backtothescenariodescribedabove,whererelyingpartiesandassertionissuers cancolludetolinkassertionsandthereforeidentiers. 5ZeroKnowledgeandSelectiveDisclosureProofs Nowthatwehaveidentiedtheproblem,isthereasolution?Happily,the 7 Thatis,byboththeuserandtherelyingparty. 4 1.Thatthedateofbirth(representedasanumber,ofcourse)islessthan someparticulardate. 2.Thatthisfactwassignedbysomeparticularclaimant. Ofcourse,thisisn'tmuchuseunlessIcanlinkthisprooftomyidentity, somehow.Fortunately,selectivedisclosureproofscanalsomanagethattrick, andevenwithoutrevealingmyidentity.Whathappens,inpractice,isthatI havetwogroupsofsignedassertions(atthispointitmighthelptothinkof themascerticates). id=1234abcd key=5678efgh where\key"identiesapublic/privatekeypairforwhichIhavetheprivate key. id=1234abcd birthdate=25thMarch1960 Thesemayhavebeenissued(andthereforesigned)bytwodierentclaimants. UsingselectivedisclosureIwouldthenprovethat 1.Ihavetheprivatekeycorrespondingtothepublickeyintherststate- ment. 2.The\id"eldsinthetwocerticatesarethesame. 3.Thedateofbirthispriorto21yearsbeforenow. 4.Bothcerticatesaresignedbytheirclaimants. Animportantpointtonoteisthat,unlikemoretraditionalcerticates(for example,X.509certicates,orSAMLassertions)Idonoteveractually show the relyingpartythesecerticates{whatIdoisprovethatIhavethemandprove thingsaboutthem.And,what'smore,eachtimeIproveit,theproofisdierent (andnotlinkabletothepreviousproof,evenbytheissuerofthecerticate). Thismeansthattherelyingparty(andeveryoneelse)isdeniedaccesstoany materialthatmightallowthemtolinkanypartoftheprooftoanyother,orto anyproofseenatadierenttime,ortotheuseofthecerticateatanyother (orthesame)relyingparty. Iftheproofscannotbelinked,thenateachinteractioninsteadofgaining anextrapieceofinformationaboutyouallthatisgainedisanisolatedpieceof informationaboutsomeonewhocannotbelinkedtoanyotherisolatedpieceof information. Ofcourse,itisimportanttounderstandthatselectivedisclosurecando nothingaboutinherentlyidentifyinginformation:ifIwantaphysicaldelivery, forexample,thenImustgiveanaddress.Thataddressislikelytolimitmy identitytooneofasmallnumberofpeople.Similarlyinformationliketelephone numbers,emailaddresses,taxIDsandIPaddressestendtobehighlylinkable. 5 Clearlyselectivedisclosurewillnotobviatetheneedforuserstobewellinformed aboutwhatdataisbeingrevealed,andtomakechoicesthathelptopreserve theirprivacy-butitdoes,atleast,preventusersfrombeingexposedtoless obviouscorrelationoftheirpersonalinformation. 6RandomExtras  Itisalsoworthmentioningthatusingselectivedisclosureeectivelytends tomeanrethinkingthewaythingsaredone.Alltoooftendecisionsabout whatuserscanandcannotdoareexpressedintermsoftheiridentity: \BenLaurieisallowedtoeditthispage".Inordertouseselectivedisclo- surewellitisbettertophrasethisintermsofentitlementinstead:\The ownerofthiscerticateisentitledtoeditthispage".Thisallowsselective disclosuretominimise(oreliminate,inthiscase)identifyinginformation.  Iamawareoftwoselectivedisclosureschemesthatarepractical 8 .The rstisduetoBrands[Bra00]andthesecondduetoBangerter,Camenisch andLysyanskya[BCL04].Bothofthesehaveimplementationsavailablein theformofPRIME's[pri]Idemix[CH02]andCredentica[cre].  Isaidthatselectivedisclosureisnottheonlywayofsolvingthese+prob- lems.Othermechanismsthatmayhelpincludezero-knowledgeproofs[FFS88, GO94]andblindsignatures[Cha82]butnoneofthemareas exibleas selectivedisclosureproofs.Notethattheselectivedisclosureproofsmen- tionedaboverelyonzero-knowledgeproofsandblindsignaturesfortheir operation. 7Conclusion Traditionalsignaturesschemesmakeitimpossibletoconstructidentityman- agementsystemsthatpreserveprivacy,butthelittle-knownselectivedisclosure technologyrescuesusfromthisdilemma. Allwehavetodoisstartusingit! 8Acknowledgements ThankstoAdrianaLukas,CatOkita,WendySeltzerandKymberleePricefor reviewingearlyversionsofthispaper.ThankstoJamesMuirandDaveWalker forcommentsonearlier(published)revisions. 8 Thatis,canberuninareasonabletimeonreasonablehardware 6 References [AG05]A.AcquistiandJ.Grossklags.Privacyandrationalityinindividual decisionmaking. Security&PrivacyMagazine,IEEE ,3(1):26{33, 2005. [asn88]CCITTRecommendationX.208:SpecicationofAbstractSyntax NotationOne(ASN.1),1988. [BCL04]E.Bangerter,J.Camenisch,andA.Lysyanskaya.Acryptographic frameworkforthecontrolledreleaseofcertieddata. TwelfthIn- ternationalWorkshoponSecurityProtocols ,2004. [Bra00]S.A.Brands. [Lib] http://www.projectliberty.org/ . [NNR99]MoniNaor,YaelNaor,andOmerReingold.Appliedkidcryptogra- phyorhowtoconvinceyourchildrenyouarenotcheating. Journal ofCraptology ,0(1),1999. [pri]PRIME-PrivacyandIdentityManagementforEurope, https: //www.prime-project.eu/ . [RR06]D.RecordonandD.Reed.OpenID2.0:aplatformforuser-centric identitymanagement. ProceedingsofthesecondACMworkshopon Digitalidentitymanagement ,pages11{16,2006. [RSA78]RLRivest,A.Shamir,andL.Adleman.AMethodforObtain- ingDigitalSignaturesandPublic-KeyCryptosystems. Communi- cations ,1978. [Shi]