A Self-Certified and Sybil-Free Framework for Secure Digital Identity Domain Buildup


WISTP’08 © LAM2008

15/05/2008

Christer Andersson (Karlstad Univ., Sweden), Markulf Kohlweiss (KU Leuven, Belgium), Leonardo Martucci (Karlstad Univ., Sweden), Andriy Panchenko (RWTH Aachen, Germany)

What is this presentation about?

• framework for setting groups with privacy requirements
  • pseudonyms and zero-knowledge proofs
  • can be deployed for different applications
  • for aiding admission control schemes
  • suitable (also) for distributed environments

• the problem addressed in this presentation: assuming an initial Sybil-free set, how to build privacy-friendly subsets?

* this paper extends the paper “Self-Certified Sybil-Free Pseudonyms” – ACM WiSec’08

Defining Identity Domains

• set of identifiers used for a given context or application

[Figure: identifiers forming an Identity Domain used for a given application]

Applications and Identity Domains

• networked environments with need for cooperation
  • Reputation Systems
  • e-Voting
  • Anonymous Communication Systems
  • Chat rooms / Forums
  • …

• applications that require identity domains

Example: Sets and e-Voting

• a set of voters: A
• a subset that votes: A ∩ B
• next election: A ∩ C
• next election: A ∩ D

[Figure: sets A, B, C and D]

Privacy-friendly e-Voting

• a set of voters: A
• a subset that votes: A ∩ B
• next election: A ∩ C
• next election: A ∩ D

[Figure: sets A, B, C and D]

The Sybil Attack

“a small number of network nodes counterfeiting multiple identities so to compromise a disproportionate share of the system”

• originally applied for P2P networks, but fits well in the context of any decentralized application

an identity authority is needed to provide identifiers

Sybil Attack and the e-Vote

• a set of voters: A
• a subset that votes: A ∩ B
• next election: A ∩ C
• next election: A ∩ D

[Figure: sets A, B, C and D]

The Problem (part 1)

How to build identity domains with anonymous users?
• while protecting against Sybil Attacks
• while providing unlinkability between multiple appearances

[Figure: sets A and B, and the subset A ∩ B]

The Problem (part 2)

How to build identity domains with anonymous users?
• while protecting against Sybil Attacks
• while providing unlinkability between multiple spawns

[Figure: sets A, B, C and D, and the subsets A ∩ B, A ∩ C, A ∩ D]

The Initial Assumption

• the original set is Sybil-free
  • application / context dependent

[Figure: identifiers forming the Initial Identity Set, used for one or more applications; TTP (honest)]

Refining the Problem

• assuming an initial Sybil-free identity set, how to build privacy-friendly subsets (identity domains)?
  • and still keep the Sybil-free properties

[Figure: sets A and B, and the subset A ∩ B]

Possible Scenarios and Solutions

• if TTP is always available
  • the trivial solution

• if TTP is NOT available (not at all times)
  • self-certified and Sybil-free framework

The Trivial Solution with a TTP

• if a TTP is always available

[Figure: TTP; labels: authenticate, anonymous credential]

The Problem Addressed by the Paper

• assuming an initial Sybil-free group, how to achieve privacy?
  • without the continuous involvement of a TTP
  • and still keep the Sybil-free properties

[Figure: TTP; sets A and B, and the subset A ∩ B]

Applications and Identity Domains

• networked environments with need for cooperation
  • Reputation Systems
  • e-Voting
  • Anonymous Communication Systems
  • Chat rooms / Forums, etc.

• applications that require identity domains
  • Sybil-free identities
  • Privacy requirements
  • Independence from a TTP

The Paper Contribution

• Self-Certified Sybil-Free Framework
  • Self-Certified: no need for continuous involvement of a TTP
  • Sybil-Free: enables detection of Sybil identities in a group

Attacker Model

• Attacker Goals
  • attackers seeking to deploy a Sybil attack in an identity domain
  • attackers seeking to identify relationships between pseudonyms

• Attacker Strength
  • can eavesdrop all network communications

• Attacker Limitation
  • the TTP is honest, i.e. has at most 1 initial identity (initial Sybil-free set)

Solution Overview

• from the initial Sybil-free set, we propagate the Sybil-freeness to n-identity domains

[Figure: sets A, B, C and D, and the subsets A ∩ B, A ∩ C, A ∩ D]

Assumptions and Construction

• Assumption:
  • every user U has a membership certificate certU obtained from TTP (bootstrap), i.e. the initial assumption
  • each identity domain has a unique identifier ctx

• Construction
  • variation of Camenisch et al. periodically spendable e-token*

* Camenisch et al. How to Win the Clone Wars: Efficient Periodic n-Times Anonymous Authentication. In: ACM CCS 2006

Solution Overview (detailed)

• for each identity set ctx
  • generate a fresh public-key pk(U, ctx)

• membership certificate is used to get:
  • self-certified pseudonym
  • pseudonyms certificate

• detection of multiple pk(U, ctx) (Sybil node detection)
  • obtain the user permanent pkU

[Figure: identity domain ctx with keys pk(U, ctx), pk’(U, ctx), pk’’(U, ctx)]

Protocols and Operation Phases

• Enrollment Phase
  • IKg outputs issuer I key pair (pkI, skI)
  • UKg outputs user’s key pair (pkU, skU)
  • Obtain ↔ Issue outputs membership certificate certU; I keeps track of pkU and revocation inform

• membership certificate is an e-token dispenser that will be used to generate the pseudonyms (and the transcripts)

Creating an Identity Domain

• Any node can set new Identity Domains
  • identity domains may have a validity time (included in ctx)
  • the ctx name of an Identity Domain must be unique
  • 2 domains with the same ctx are understood as the same domain

• attackers can try to reuse a ctx to identify honest users

• Requirements regarding ctx use
  • users never turn their clock back
  • users keep a list with all non-expired identity domains
  • users never join expired domains

Protocols and Operation Phases

• Identity Domain Buildup and Use Phase
  • Sign generates pseudo-random pseudonyms P(U, ctx) and pseudonyms certificates cert(U, ctx)
  • Verify verifies P(U, ctx) and cert(U, ctx) correctness
  • Identify given 2 cert(U, ctx) generated by the same user for a same ctx, but 2 different (pk(U, ctx), pk’(U, ctx)), computes pkU + Revoke
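The duplicate detection described under "Solution Overview (detailed)" and by Sign and Identify above, as an added Python example that is not code from the paper or the slides: it follows the double-spending equations of the Camenisch et al. e-token scheme the slides cite, in a toy group, with the issuer's signature and all zero-knowledge proofs omitted. The names `enroll`, `prf` and `h`, the dictionary layout, the group parameters and the choice to derive the challenge from a hash of pk(U, ctx) are assumptions made for the illustration.

```python
import hashlib

# Toy group (constructed): smallest safe prime p = 2q + 1 with q > 2**31.
# Far too small for real use; it only makes the algebra concrete.
def _is_prime(n):
    return n > 3 and all(n % d for d in range(2, int(n ** 0.5) + 1))

Q = next(q for q in range(2**31 + 1, 2**32, 2) if _is_prime(q) and _is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4  # G = 2^2 generates the subgroup of prime order Q

def h(*parts):
    """Hash labels to an exponent in Z_Q."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prf(key, ctx):
    """Dodis-Yampolskiy style PRF g^(1/(key + H(ctx))), as in the cited e-token scheme."""
    return pow(G, pow((key + h("ctx", ctx)) % Q, -1, Q), P)

def enroll(sk, s, t):
    """Hypothetical stand-in for certU: dispenser secrets plus pkU = g^sk (no issuer signature)."""
    return {"sk": sk, "s": s, "t": t, "pk": pow(G, sk, P)}

def sign(cert, ctx, pk_ctx):
    """Build P(U, ctx) and the tag that binds pkU to the fresh key pk(U, ctx)."""
    r = h("key", pk_ctx)  # assumption: the challenge is a hash of pk(U, ctx)
    tag = cert["pk"] * pow(prf(cert["t"], ctx), r, P) % P
    return {"ctx": ctx, "P": prf(cert["s"], ctx), "pk_ctx": pk_ctx, "r": r, "T": tag}

def identify(c1, c2):
    """Return pkU when c1 and c2 are one user's certificates for the same ctx
    under two different pk(U, ctx); otherwise return None."""
    if (c1["ctx"], c1["P"]) != (c2["ctx"], c2["P"]) or c1["r"] == c2["r"]:
        return None
    # T1^r2 / T2^r1 = pkU^(r2 - r1); strip the exponent with its inverse mod Q.
    ratio = pow(c1["T"], c2["r"], P) * pow(pow(c2["T"], c1["r"], P), -1, P) % P
    return pow(ratio, pow((c2["r"] - c1["r"]) % Q, -1, Q), P)

if __name__ == "__main__":
    alice = enroll(sk=1234567, s=7654321, t=1122334)  # constructed secrets
    first = sign(alice, "election-2008", "pk-one")
    second = sign(alice, "election-2008", "pk-two")  # second key, same domain
    print("same pseudonym:", first["P"] == second["P"])
    print("recovered pkU matches:", identify(first, second) == alice["pk"])
```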

Security Analysis

• Sybil-Proof Property
  • 1 user can have at most 1 pseudonym per set
  • users can check the uniqueness of all other participants

• Unlinkability Property
  • strong unlinkability properties between pseudonyms generated for different identity domains

• Membership Certificate Sharing/Theft

• Corrupt Identity Domain Issuers (or ctx issuers)

Summary

• Self-Certified Sybil-Free Framework
  • privacy-preserving identifiers: unlinkable pseudonyms in different sets
  • detection of Sybil identities
  • no continuous involvement of a TTP

• Applications:
  • networked environments with need for cooperation (especially when a TTP is not available at all times)

Acknowledgments

www.prime-project.eu

www.fidis.net
