Authorized But Anonymous: Taking Charge of Your Personal Data Anna Lysyanskaya Brown University.


1 Authorized But Anonymous: Taking Charge of Your Personal Data Anna Lysyanskaya Brown University

2 Your Identity Online When you are online, what makes you you? René Descartes: “I think, therefore I am.”

3 Your Identity Online When you are online, what makes you you? Anna Lysyanskaya: “I log in, therefore I am.” Disclaimer: provided no one else can log in as me

4 How do I log in? Let me count the ways. With a username and password. –Pros: intuitive, human-memorizable (up to a point) –Cons: not privacy-preserving, insecure in so many ways…

5 How do I log in? Let me count the ways. With public-key certificates. –Cons: not as intuitive, not human-memorizable (need a hardware device to remember the credentials), not privacy-preserving –Pros: secure – your device would need to be hacked or stolen before your identity can be stolen

6 How do I log in? Let me count the ways. Crash course in cryptography: What are public keys?

7 How do I log in? Let me count the ways. Crash course in cryptography: What are public keys? What are certificates?

8 How do I log in? Let me count the ways. Crash course in cryptography: What are public keys? What are certificates? How do you use them for authentication and authorization?

9 How do I log in? Let me count the ways. Crash course in cryptography: What are public keys? What are certificates? How do you use them for authentication and authorization? –Underlying building block: digital signature schemes

11 Digital Signature Schemes

18 This is what a signed email message looks like, with PGP

19 How do you verify my signature if you don’t know my public key? Anna Lysyanskaya Anna Lysyanskaya’s public key is LKYFHDJY96GA4JHGJHG JHASGKFG53NPOIOISUD FOAISU Anna Lysyanskaya’s public key is 73qsgsdfiusagf87twrjhsi fu98wqurhlasjhfoaistr

20 How do you verify my signature if you don’t know my public key? Anna Lysyanskaya’s public key is LKYFHDJY96GA4JHGJHG JHASGKFG53NPOIOISUD FOAISU Anna Lysyanskaya’s public key is 73qsgsdfiusagf87twrjhsi fu98wqurhlasjhfoaistr

21 How do you verify my signature if you don’t know my public key? Anna Lysyanskaya Anna Lysyanskaya’s public key is LKYFHDJY96GA4JHGJHG JHASGKFG53NPOIOISUD FOAISU Anna Lysyanskaya’s public key is 73qsgsdfiusagf87twrjhsi fu98wqurhlasjhfoaistr Signed by BROWN UNIVERSITY Signed by BOWRN UNIVRSITY

22 A certificate is when someone whose public key is well-known (e.g. Brown University) certifies that a public key belongs to a particular site/web server/person.

23 How do I log in? Let me count the ways. Crash course in cryptography: What are public keys? What are certificates? How do you use them for authentication and authorization? My certificate (e.g. from Brown University) tells you my credentials (e.g. that I am a faculty member, a gym member, authorized to enter the CIT building, to access the digital library, etc.) I convince you that I have in my possession a SK corresponding to my PK. For example, because I am able to sign messages. This is not just cool theory – this is what you’re using right now! SSL, HTTPS, …

24 How do I log in? Let me count the ways. With public-key certificates. –Cons: not as intuitive, not human-memorizable (need a device to remember the credentials) –Pros: secure – your device would need to be hacked before your identity can be stolen

25 How do I log in? Let me count the ways. With public-key certificates. –Cons: not as intuitive, not human-memorizable (need a device to remember the credentials), not privacy-preserving –Pros: secure – your device would need to be hacked before your identity can be stolen
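The certificate login described in slides 22 to 25, as an added example that is not part of the original slides: a CA signs (name, role, PK), the user proves possession of SK by signing a fresh challenge, and the verifier's log shows why this is not privacy-preserving. Toy Schnorr signatures over a small prime field are an assumption standing in for a real signature scheme; all function names are hypothetical.

```python
import hashlib, secrets

# Assumption: toy Schnorr signatures in Z_P* stand in for a real scheme.
# P = 2^127 - 1 is a Mersenne prime, far too small for real use.
P = 2**127 - 1
N = P - 1            # exponents are reduced modulo the group order
G = 3

def _h(*parts):
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, pow(G, sk, P)                      # (SK, PK)

def sign(sk, msg):
    k = secrets.randbelow(N - 1) + 1              # fresh per-signature secret
    e = _h(pow(G, k, P), msg)
    return e, (k + e * sk) % N

def verify(pk, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pk, N - e, P) % P      # g^s * pk^(-e) recovers g^k
    return _h(r, msg) == e

def issue_cert(ca_sk, name, role, pk):
    """The CA certifies that pk belongs to `name`, who holds `role`."""
    return {"name": name, "role": role, "pk": pk,
            "ca_sig": sign(ca_sk, f"{name}/{role}/{pk}")}

def login(ca_pk, cert, user_sk, log):
    """One login; both sides are simulated in this single function."""
    challenge = secrets.token_hex(16)             # verifier's fresh challenge
    response = sign(user_sk, challenge)           # user proves possession of SK
    body = f"{cert['name']}/{cert['role']}/{cert['pk']}"
    ok = (verify(ca_pk, body, cert["ca_sig"])
          and verify(cert["pk"], challenge, response))
    if ok:
        log.append((cert["name"], cert["pk"]))    # what the verifier learns
    return ok
```

Every successful login leaves the same name and PK in the verifier's log, so all of a user's sessions can be linked to each other and to the user.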

26 Newspaper Subscription. User: “Today’s news?” projo.com: “Who are you? Do you have a subscription?” User: “It’s Bond. James Bond. I can tell you, but then I’ll have to kill you...”

27 Newspaper Subscription. User: “Today’s news?” projo.com: “Show me your subscription.” User: “Subscription #007.” 87% of US population is uniquely identifiable by zip code, DOB and gender [Sweeney]

28 Newspaper Subscription. User: “Today’s news?” projo.com: “Prove that you are authorized.” User: “Here is a zero-knowledge proof.”

29 Newspaper Subscription. User: “Today’s news?” projo.com: “Prove that you are authorized.” User: “Here is a zero-knowledge proof.” Anonymous credentials: a protocol where I can convince you that I am authorized without revealing any identifying information. [Chaum85]

30 How do I log in? Let me count the ways. With anonymous credentials. –Cons: not super intuitive, not human-doable (need a device to remember the credentials) –Pros: secure – your device would need to be hacked before your identity can be stolen; privacy-preserving

31 How do I log in? Let me count the ways. Crash course in cryptography, part 2: –How do anonymous credentials work?

32 How do I log in? Let me count the ways. Crash course in cryptography, part 2: –How do anonymous credentials work? –Underlying building block: zero-knowledge proofs

33 How do I log in? Let me count the ways. Crash course in cryptography, part 2: –How do anonymous credentials work? –Underlying building block: zero-knowledge proofs –Can anonymous credentials work in practice?

34 How do I log in? Let me count the ways. Crash course in cryptography, part 2: –How do anonymous credentials work? –Underlying building block: zero-knowledge proofs –Can anonymous credentials work in practice? –Can I use anonymous credentials?

36 Can you 3-color a graph? 1. Each vertex colored red, green or blue 2. No monochromatic edges

46 Is every graph 3-colorable?

49 No...

50 Zero-knowledge proof of 3-colorability

51 Let me convince you that it’s 3-colorable! Zero-knowledge proof of 3-colorability

55 Please step out.

56 Zero-knowledge proof of 3-colorability

58 Please come back in, and check one edge.

59 Zero-knowledge proof of 3-colorability

60 Do you want to check another edge? Zero-knowledge proof of 3-colorability

62 Please step out.

63 Zero-knowledge proof of 3-colorability

68 If we repeat 100 times and you never catch me lying, you’ll be convinced! [GMW86] Zero-knowledge proof of 3-colorability

69 Prover → Verifier: “encrypted” colors for each vertex. Verifier → Prover: I challenge edge (u,v). Prover → Verifier: “decryption” of the colors for u,v. Prover convinces Verifier that the graph is 3-colorable. Verifier learned nothing about the solution.
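The commit, challenge, open exchange from slide 69, as an added example that is not part of the original slides. It assumes a salted SHA-256 hash commitment in place of the slide's “encrypted” colors; the function names and the sample graph are constructed for illustration.

```python
import hashlib, hmac, secrets

COLORS = ("red", "green", "blue")
rng = secrets.SystemRandom()

def commit(color):
    """Hash commitment (assumed stand-in for the slide's "encrypted" color)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + color.encode()).digest(), nonce

def prover_commit(coloring):
    """Randomly rename the three colors, then commit to every vertex."""
    rename = dict(zip(COLORS, rng.sample(COLORS, 3)))
    commitments, openings = {}, {}
    for vertex, color in coloring.items():
        shown = rename[color]          # fresh renaming hides the real coloring
        commitments[vertex], nonce = commit(shown)
        openings[vertex] = (shown, nonce)
    return commitments, openings

def verifier_check(commitments, edge, revealed):
    """Accept iff both openings match their commitments and the colors differ."""
    for vertex in edge:
        color, nonce = revealed[vertex]
        if color not in COLORS:
            return False
        digest = hashlib.sha256(nonce + color.encode()).digest()
        if not hmac.compare_digest(digest, commitments[vertex]):
            return False
    u, v = edge
    return revealed[u][0] != revealed[v][0]

def run_protocol(edges, coloring, rounds=100):
    """True if the verifier never catches the prover lying in `rounds` rounds."""
    for _ in range(rounds):
        commitments, openings = prover_commit(coloring)   # verifier "steps out"
        edge = rng.choice(edges)                          # verifier's challenge
        revealed = {vertex: openings[vertex] for vertex in edge}
        if not verifier_check(commitments, edge, revealed):
            return False
    return True

# Constructed sample: a 5-cycle with a valid coloring and an invalid one.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]
GOOD = {0: "red", 1: "green", 2: "red", 3: "green", 4: "blue"}
BAD = {**GOOD, 4: "green"}             # edge (3, 4) becomes monochromatic
```

With one bad edge out of five, a cheating prover survives a single round with probability 4/5, so it survives 100 rounds with probability (4/5)^100, about 2×10^-10.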

70 ZK Proofs for Other Things Prover convinces Verifier that the statement is true. Verifier learned nothing about the solution. Theorem: Everything provable is provable in zero-knowledge. [GMR85,GMW86,BGGHKMR88]

71 How do I log in? Let me count the ways. Crash course in cryptography: –How do anonymous credentials work? –Underlying building block: zero-knowledge proofs ✔ –Can anonymous credentials work in practice? –Can I use anonymous credentials?

72 How do anonymous credentials work? [L99,CL01,L02,CL02,CL04,BCKL08,…,CL50] Verifier: “Prove that you are an employee of Brown University.” Anonymous user: “Here is a zero-knowledge proof that I know a SK, a PK, and a certificate such that (1) SK corresponds to PK (2) Certificate is from Brown University, certifying that the PK corresponds to an employee.” And there is more! You can also obtain credentials anonymously.

73 Can this work in practice? Efficiency: comparable to certificate-based non-anonymous authentication.

74 Can this work in practice? Efficiency: comparable to certificate-based non-anonymous authentication. The #1 concern: but with anonymous credentials, how will we know if something goes wrong?

75 Can this work in practice? Efficiency: comparable to certificate-based non-anonymous authentication. The #1 concern: but with anonymous credentials, how will we know if something goes wrong? –What if users share their credentials in an unauthorized way? Can address this with more cool crypto! –What if we need to revoke anonymous credentials? More cool crypto!

76 Can this work in practice? Efficiency: comparable to certificate-based non-anonymous authentication. The #1 concern: but with anonymous credentials, how will we know if something goes wrong? –Main takeaway: everything you can do non-anonymously, you can do anonymously.

77 Can I use anonymous credentials?

78 Can I use anonymous credentials? –No… but maybe…

79 Can I use anonymous credentials? You can download and play with existing implementations. –http://www.zurich.ibm.com/idemix/ –http://research.microsoft.com/en-us/projects/u-prove/

80 Can I use anonymous credentials? You can download and play with existing implementations. –http://www.zurich.ibm.com/idemix/ –http://research.microsoft.com/en-us/projects/u-prove/ You can tell everyone about it. –Why would they care? Last year’s European Court of Justice ruling may have something to do with it.

81 Can I use anonymous credentials? You can download and play with existing implementations. –http://www.zurich.ibm.com/idemix/ –http://research.microsoft.com/en-us/projects/u-prove/ You can tell everyone about it. –Why would they care? Last year’s European Court of Justice ruling may have something to do with it. You can take CS 151 and do research in cryptography with me!

82 But I have a device in my pocket right now! How do I log in? Let me count the ways. With anonymous credentials. –Cons: not super intuitive, not human-doable (need a device to remember the credentials) –Pros: secure – your device would need to be hacked before your identity can be stolen; privacy-preserving But it makes perfect sense to me now!

85 Taking charge of your personal data Anonymous authorization is just a small piece of the puzzle. Other pieces: –Protecting databases containing sensitive information –Private web browsing –Secure communication –… A lot of work to do!

