Authorized But Anonymous: Taking Charge of Your Personal Data Anna Lysyanskaya Brown University.

Slides:



Advertisements
Similar presentations
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Advertisements

Passwords suck Nico Smit November “The million passwords dilemma:”  Just like having a million keys suck, so also having a million usernames and.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
Grid Security. Typical Grid Scenario Users Resources.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.
Cryptography Basic (cont)
Cryptography: Keeping Your Information Safe. Information Assurance/Information Systems –What do we do? Keep information Safe Keep computers Safe –What.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
CSCI 530L Public Key Infrastructure. Who are we talking to? Problem: We receive an . How do we know who it’s from? address Can be spoofed.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes Author: Stanislaw Jarecki and Xiaomin Liu University of California, Irvine From:
Introduction To Windows NT ® Server And Internet Information Server.
Tony BrettOUCS Course Code ZAB 9 February Security – Encryption and Digital Signatures Tony Brett Oxford University Computing Services February.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Lecture 12 Security. Summary  PEM  secure  PGP  S/MIME.
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Interaction,
© Julia Wilk (FHÖV NRW) 1 Digital Signatures. © Julia Wilk (FHÖV NRW)2 Structure 1. Introduction 2. Basics 3. Elements of digital signatures 4. Realisation.
INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.
X.509 Certificate management in.Net By, Vishnu Kamisetty
Privacy-Preserving Authentication: A Tutorial Anna Lysyanskaya Brown University.
1 Chapter 8 Securing Information Systems. Outline Security Threats (External: malware, spoofing/phishing, sniffing, & data theft: Internal: unauthorized.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.
Chapter 10: Authentication Guide to Computer Network Security.
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
Public-key Cryptography Strengths and Weaknesses Matt Blumenthal.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.
Security Keys, Signatures, Encryption. Slides by Jyrki Nummenmaa ‘
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
CSCI 3130: Formal languages and automata theory Andrej Bogdanov The Chinese University of Hong Kong Interaction,
Lecture 5.3: Key Distribution: Public Key Setting CS 436/636/736 Spring 2012 Nitesh Saxena.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Configuring Directory Certificate Services Lesson 13.
Feedback #2 (under assignments) Lecture Code:
Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 31 Omar Meqdadi Department of Computer Science and Software Engineering.
Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.
NDSU Lunchbytes "Are They Really Who They Say They Are?" Digital or Electronic Signature Information Rick Johnson, Theresa Semmens, Lorna Olsen April 24,
Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
Copyright 1999 S.D. Personick. All Rights Reserved. Telecommunications Networking II Lecture 41b Cryptography and Its Applications.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme
Security, Accounting, and Assurance Mahdi N. Bojnordi 2004
Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.
Security & Privacy. Learning Objectives Explain the importance of varying the access allowed to database elements at different times and for different.
CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Interaction,
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
A Simple Traceable Pseudonym Certificate System for RSA-based PKI SCGroup Jinhae Kim.
CSCI 3130: Formal languages and automata theory Andrej Bogdanov The Chinese University of Hong Kong Interaction,
 5.1 Zero-Knowledge Proofs  5.2 Zero-Knowledge Proofs of Identity  5.3 Identity-Based Public-Key Cryptography  5.4 Oblivious Transfer  5.5 Oblivious.
Grid Security.
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Cryptography Lecture 27.
Chapter 8 roadmap 8.1 What is network security?
Presentation transcript:

Authorized But Anonymous: Taking Charge of Your Personal Data Anna Lysyanskaya Brown University

Your Identity Online When you are online, what makes you you? René Descartes I think, therefore I am

Your Identity Online When you are online, what makes you you? Anna Lysyanskaya I log in, therefore I am Disclaimer: provided no one else can log in as me

How do I log in? Let me count the ways. With a username and password. –Pros: intuitive, human-memorizable (up to a point) –Cons: not privacy-preserving, insecure in so many ways…

How do I log in? Let me count the ways. With public-key certificates. –Cons: not as intuitive, not human-memorizable (need a hardware device to remember the credentials), not privacy-preserving –Pros: secure – your device would need to be hacked or stolen before your identity can be stolen

How do I log in? Let me count the ways. Crash course in cryptography: What are public keys?

How do I log in? Let me count the ways. Crash course in cryptography: What are public keys? What are certificates?

How do I log in? Let me count the ways. Crash course in cryptography: What are public keys? What are certificates? How do you use them for authentication and authorization?

How do I log in? Let me count the ways. Crash course in cryptography: What are public keys? What are certificates? How do you use them for authentication and authorization? –Underlying building block: digital signature schemes

Digital Signature Schemes

This is what a signed message looks like, with PGP

How do you verify my signature if you don’t know my public key? Anna Lysyanskaya Anna Lysyanskaya’s public key is LKYFHDJY96GA4JHGJHG JHASGKFG53NPOIOISUD FOAISU Anna Lysyanskaya’s public key is 73qsgsdfiusagf87twrjhsi fu98wqurhlasjhfoaistr

How do you verify my signature if you don’t know my public key? Anna Lysyanskaya’s public key is LKYFHDJY96GA4JHGJHG JHASGKFG53NPOIOISUD FOAISU Anna Lysyanskaya’s public key is 73qsgsdfiusagf87twrjhsi fu98wqurhlasjhfoaistr

How do you verify my signature if you don’t know my public key? Anna Lysyanskaya Anna Lysyanskaya’s public key is LKYFHDJY96GA4JHGJHG JHASGKFG53NPOIOISUD FOAISU Anna Lysyanskaya’s public key is 73qsgsdfiusagf87twrjhsi fu98wqurhlasjhfoaistr Signed by BROWN UNIVERSITY Signed by BOWRN UNIVRSITY

A certificate is when someone whose public key is well-known (e.g. Brown University) certifies that a public key belongs to a particular site/web server/person.

How do I log in? Let me count the ways. Crash course in cryptography: What are public keys? What are certificates? How do you use them for authentication and authorization? My certificate (e.g. from Brown University) tells you my credentials (e.g. that I am a faculty member, a gym member, authorized to enter the CIT building, to access the digital library, etc.) I convince you that I have in my possession a SK corresponding to my PK. For example, because I am able to sign messages. This is not just cool theory – this is what you’re using right now! SSL, HTTPS, …

How do I log in? Let me count the ways. With public-key certificates. –Cons: not as intuitive, not human-memorizable (need a device to remember the credentials) –Pros: secure – your device would need to be hacked before your identity can be stolen

How do I log in? Let me count the ways. With public-key certificates. –Cons: not as intuitive, not human-memorizable (need a device to remember the credentials), not privacy-preserving –Pros: secure – your device would need to be hacked before your identity can be stolen

Newspaper Subscription projo.com Today ’ s news? Who are you? Do you have a subscription? It ’ s Bond. James Bond. I can tell you, but then I ’ ll have to kill you...

Newspaper Subscription projo.com Today ’ s news? Show me your subscription. Subscription #007 87% of US population is uniquely identifiable by zip code, DOB and gender [Sweeney]

Newspaper Subscription projo.com Today ’ s news? Prove that you are authorized. Here is a zero-knowledge proof

Newspaper Subscription projo.com Today ’ s news? Prove that you are authorized. Here is a zero-knowledge proof Anonymous credentials: a protocol where I can convince you that I am authorized without revealing any identifying information. [Chaum85]

How do I log in? Let me count the ways. With anonymous credentials. –Cons: not super intuitive, not human-doable (need a device to remember the credentials) –Pros: secure – your device would need to be hacked before your identity can be stolen, -- privacy-preserving

How do I log in? Let me count the ways. Crash course in cryptography, part 2: –How do anonymous credentials work?

How do I log in? Let me count the ways. Crash course in cryptography, part 2: –How do anonymous credentials work? –Underlying building block: zero-knowledge proofs

How do I log in? Let me count the ways. Crash course in cryptography, part 2: –How do anonymous credentials work? –Underlying building block: –Can anonymous credentials work in practice? zero-knowledge proofs

How do I log in? Let me count the ways. Crash course in cryptography, part 2: –How do anonymous credentials work? –Underlying building block: –Can anonymous credentials work in practice? –Can I use anonymous credentials? zero-knowledge proofs

Can you 3-color a graph? 1. Each vertex colored red, green or blue 2. No monochromatic edges

1. Each vertex colored red, green or blue 2. No monochromatic edges Can you 3-color a graph?

1. Each vertex colored red, green or blue 2. No monochromatic edges Can you 3-color a graph?

1. Each vertex colored red, green or blue 2. No monochromatic edges Can you 3-color a graph?

1. Each vertex colored red, green or blue 2. No monochromatic edges Can you 3-color a graph?

1. Each vertex colored red, green or blue 2. No monochromatic edges Can you 3-color a graph?

1. Each vertex colored red, green or blue 2. No monochromatic edges Can you 3-color a graph?

1. Each vertex colored red, green or blue 2. No monochromatic edges Can you 3-color a graph?

1. Each vertex colored red, green or blue 2. No monochromatic edges Can you 3-color a graph?

1. Each vertex colored red, green or blue 2. No monochromatic edges Can you 3-color a graph?

Is every graph 3-colorable?

No...

Zero-knowledge proof of 3-colorability

Let me convince you that it’s 3-colorable! Zero-knowledge proof of 3-colorability

Please step out.

Zero-knowledge proof of 3-colorability

Please come back in, and check one edge.

Zero-knowledge proof of 3-colorability

Do you want to check another edge? Zero-knowledge proof of 3-colorability

Please step out.

Zero-knowledge proof of 3-colorability

If we repeat 100 times and you never catch me lying, you’ll be convinced! [GMW86] Zero-knowledge proof of 3-colorability

Verifier “Encrypted” colors for each vertex I challenge edge (u,v) “Decryption” of the colors for u,v Prover Prover convinces Verifier that the graph is 3-colorable Verifier learned nothing about the solution

ZK Proofs for Other Things Verifier Prover Prover convinces Verifier that the statement is true Verifier learned nothing about the solution Theorem: Everything provable is provable in zero-knowledge. [GMR85,GMW86,BGGHKMR88]

How do I log in? Let me count the ways. Crash course in cryptography: –How do anonymous credentials work? –Underlying building block: –Can anonymous credentials work in practice? –Can I use anonymous credentials? zero-knowledge proofs ✔

How do anonymous credentials work? [L99,CL01,L02,CL02,CL04,BCKL08,…,CL50] Verifier Prove that you are an employee of Brown University. Here is a zero-knowledge proof that I know a SK, a PK, and a certificate such that (1) SK corresponds to PK (2) Certificate is from Brown University, certifying that the PK corresponds to an employee. Anonymous user And there is more! You can also obtain credentials anonymously.

Can this work in practice? Verifier Prove that you are an employee of Brown University. Here is a zero-knowledge proof that I know a SK, a PK, and a certificate such that (1) SK corresponds to PK (2) Certificate is from Brown University, certifying that the PK corresponds to an employee. Anonymous user Efficiency: comparable to certificate-based non-anonymous authentication.

Can this work in practice? Efficiency: comparable to certificate-based non-anonymous authentication. The #1 concern: but with anonymous credentials, how will we know if something goes wrong? Verifier Prove that you are an employee of Brown University. Here is a zero-knowledge proof that I know a SK, a PK, and a certificate such that (1) SK corresponds to PK (2) Certificate is from Brown University, certifying that the PK corresponds to an employee. Anonymous user

Can this work in practice? Efficiency: comparable to certificate-based non-anonymous authentication. The #1 concern: but with anonymous credentials, how will we know if something goes wrong? –What if users share their credentials in an unauthorized way? Can address this with more cool crypto! –What if we need to revoke anonymous credentials? More cool crypto! Verifier Prove that you are an employee of Brown University. Here is a zero-knowledge proof that I know a SK, a PK, and a certificate such that (1) SK corresponds to PK (2) Certificate is from Brown University, certifying that the PK corresponds to an employee. Anonymous user

Can this work in practice? Efficiency: comparable to certificate-based non-anonymous authentication. The #1 concern: but with anonymous credentials, how will we know if something goes wrong? –Main takeaway: everything you can do non- anonymously, you can do anonymously. Verifier Prove that you are an employee of Brown University. Here is a zero-knowledge proof that I know a SK, a PK, and a certificate such that (1) SK corresponds to PK (2) Certificate is from Brown University, certifying that the PK corresponds to an employee. Anonymous user

Can I use anonymous credentials? Verifier Prove that you are an employee of Brown University. Here is a zero-knowledge proof that I know a SK, a PK, and a certificate such that (1) SK corresponds to PK (2) Certificate is from Brown University, certifying that the PK corresponds to an employee. Anonymous user

Can I use anonymous credentials? –No… but maybe… Verifier Prove that you are an employee of Brown University. Here is a zero-knowledge proof that I know a SK, a PK, and a certificate such that (1) SK corresponds to PK (2) Certificate is from Brown University, certifying that the PK corresponds to an employee. Anonymous user

Can I use anonymous credentials? You can download and play with existing implementations. – – Verifier Prove that you are an employee of Brown University. Here is a zero-knowledge proof that I know a SK, a PK, and a certificate such that (1) SK corresponds to PK (2) Certificate is from Brown University, certifying that the PK corresponds to an employee. Anonymous user

Can I use anonymous credentials? You can download and play with existing implementations. – – You can tell everyone about it. –Why would they care? Last year’s European Court of Justice ruling may have something to do with it. Verifier Prove that you are an employee of Brown University. Here is a zero-knowledge proof that I know a SK, a PK, and a certificate such that (1) SK corresponds to PK (2) Certificate is from Brown University, certifying that the PK corresponds to an employee. Anonymous user

Can I use anonymous credentials? You can download and play with existing implementations. – – You can tell everyone about it. –Why would they care? Last year’s European Court of Justice ruling may have something to do with it. You can take CS 151 and do research in cryptography with me! Verifier Prove that you are an employee of Brown University. Here is a zero-knowledge proof that I know a SK, a PK, and a certificate such that (1) SK corresponds to PK (2) Certificate is from Brown University, certifying that the PK corresponds to an employee. Anonymous user

But I have a device in my pocket right now! How do I log in? Let me count the ways. With anonymous credentials. –Cons: not super intuitive, not human-doable (need a device to remember the credentials) –Pros: secure – your device would need to be hacked before your identity can be stolen, -- privacy-preserving But it makes perfect sense to me now!

Taking charge of your personal data Anonymous authorization is just a small piece of the puzzle. Other pieces: –Protecting databases containing sensitive information –Private web browsing –Secure communication –… A lot of work to do!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.