WISTP’08©LAM2008
15/05/2008
A Self-Certified and Sybil-Free Framework for Secure Digital Identity Domain Buildup
Christer Andersson (Karlstad Univ., Sweden), Markulf Kohlweiss (KU Leuven, Belgium)
Leonardo Martucci (Karlstad Univ., Sweden), Andriy Panchenko (RWTH Aachen, Germany)
What is this presentation about?
• framework for setting groups with privacy requirements
• pseudonyms and zero-knowledge proofs
• can be deployed for different applications
• for aiding admission control schemes
• suitable (also) for distributed environments
• the problem addressed in this presentation: assuming an initial Sybil-free set, how to build privacy-friendly subsets?
* this paper extends the paper “Self-Certified Sybil-Free Pseudonyms” – ACM WiSec’08
Defining Identity Domains
• set of identifiers used for a given context or application
[Figure: identifiers grouped into an Identity Domain, used for a given application]
Applications and Identity Domains
• networked environments with need for cooperation
  • Reputation Systems
  • e-Voting
  • Anonymous Communication Systems
  • Chat rooms / Forums
  • …
• applications that require identity domains
Example: Sets and e-Voting
• a set of voters:
• a subset that votes:
• next election:
• next election:
[Figure: set A with subsets B, C and D; B ∩ A, C ∩ A, D ∩ A]
Privacy-friendly e-Voting
• a set of voters:
• a subset that votes:
• next election:
• next election:
[Figure: set A with subsets B, C and D; B ∩ A, C ∩ A, D ∩ A]
The Sybil Attack
“a small number of network nodes counterfeiting multiple identities so to compromise a disproportionate share of the system”
• originally applied for P2P networks, but fits well in the context of any decentralized application
an identity authority is needed to provide identifiers
Sybil Attack and the e-Vote
• a set of voters:
• a subset that votes:
• next election:
• next election:
[Figure: set A with subsets B, C and D; B ∩ A, C ∩ A, D ∩ A]
The Problem (part 1)
How to build identity domains with anonymous users?
• while protecting against Sybil Attacks
• while providing unlinkability between multiple appearances
[Figure: sets A and B; B ∩ A]
The Problem (part 2)
How to build identity domains with anonymous users?
• while protecting against Sybil Attacks
• while providing unlinkability between multiple spawns
[Figure: sets A, B, C and D; B ∩ A, C ∩ A, D ∩ A]
The Initial Assumption
• the original set is Sybil-free
  • application / context dependent
[Figure: identifiers; Initial Identity Set, used for one or more applications; TTP (honest)]
Refining the Problem
• assuming an initial Sybil-free identity set, how to build privacy-friendly subsets (identity domains) and still keep the Sybil-free properties?
[Figure: set A with subset B; B ∩ A]
Possible Scenarios and Solutions
• if TTP is always available
  • the trivial solution
• if TTP is NOT available (not at all times)
  • self-certified and Sybil-free framework
The Trivial Solution with a TTP
• if a TTP is always available
[Figure: TTP; labels "authenticate" and "anonymous credential"]
The Problem Addressed by the Paper
• assuming an initial Sybil-free group, how to achieve privacy?
  • without the continuous involvement of a TTP
  • and still keep the Sybil-free properties
[Figure: TTP; set A with subset B; B ∩ A]
Applications and Identity Domains
• networked environments with need for cooperation
  • Reputation Systems
  • e-Voting
  • Anonymous Communication Systems
  • Chat rooms / Forums, etc.
• applications that require identity domains
  • Sybil-free identities
  • Privacy requirements
  • Independence from a TTP
The Paper Contribution
• Self-Certified Sybil-Free Framework
  • Self-Certified: no need of a continuous involvement of a TTP
  • Sybil-Free: enables detection of Sybil identities in a group
Attacker Model
• Attacker Goals
  • attackers seeking to deploy a Sybil attack in an identity domain
  • attackers seeking to identify relationships between pseudonyms
• Attacker Strength
  • can eavesdrop all network communications
• Attacker Limitation
  • the TTP is honest, i.e. has at most 1 initial identity (initial Sybil-free set)
Solution Overview
• from the initial Sybil-free set, we propagate the Sybil-freeness to n-identity domains
[Figure: sets A, B, C and D; B ∩ A, C ∩ A, D ∩ A]
Assumptions and Construction
• Assumption:
  • every user U has a membership certificate cert_U obtained from TTP (bootstrap), i.e. the initial assumption
  • each identity domain has a unique identifier ctx
• Construction
  • variation of Camenisch et al. periodically spendable e-token*
[Figure: ctx]
*Camenisch et al. How to Win the Clone Wars: efficient periodic n-times anonymous authentication. In: ACM CCS 2006
Solution Overview (detailed)
• for each identity set ctx, generate a fresh public key pk(U, ctx)
• membership certificate is used to get:
  • self-certified pseudonym
  • pseudonym certificate
• detection of multiple pk(U, ctx) (Sybil node detection)
  • obtain the user's permanent pk_U
[Figure: ctx; pk(U, ctx), pk’(U, ctx), pk’’(U, ctx)]
Protocols and Operation Phases
• Enrollment Phase
  • IKg outputs issuer I key pair (pk_I, sk_I)
  • UKg outputs user’s key pair (pk_U, sk_U)
  • Obtain / Issue outputs membership certificate cert_U; I keeps track of pk_U and revocation information
• membership certificate is an e-token dispenser that will be used to generate the pseudonyms (and the transcripts)
Creation of an Identity Domain
• Any node can set new Identity Domains
  • identity domains may have a validity time (included in ctx)
  • the ctx name of an Identity Domain must be unique
    • 2 domains with the same ctx are understood as the same domain
• attackers can try to reuse a ctx to identify honest users
• Requirements regarding ctx use
  • users never turn their clock back
  • users keep a list with all non-expired identity domains
  • users never join expired domains
Protocols and Operation Phases
• Identity Domain Buildup and Use Phase
  • Sign generates pseudo-random pseudonyms P(U, ctx) and pseudonym certificates cert(U, ctx)
  • Verify verifies P(U, ctx) and cert(U, ctx) correctness
  • Identify given 2 cert(U, ctx) generated by the same user for the same ctx, but 2 different (pk(U, ctx), pk’(U, ctx)), computes pk_U; + Revoke
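Added example (not from the slides or the paper): a toy model of Sign and Identify using the double-spending equation of e-token schemes in the style of Camenisch et al., T = pk_U · F^r, assuming r is a hash of the fresh key pk(U, ctx). HMAC-SHA256 stands in for the scheme's pseudo-random function, the zero-knowledge proofs that Verify would check are omitted, and the group parameters Q, P, G and all function names are assumptions.

```python
import hashlib, hmac, secrets

Q = 2**127 - 1   # prime order of the toy group (a Mersenne prime)
# Smallest P = k*Q + 1 passing a base-2 Fermat test; G = 2^k then has order Q.
P = next(k * Q + 1 for k in range(2, 10**6, 2)
         if pow(2, k * Q, k * Q + 1) == 1 and pow(2, k, k * Q + 1) != 1)
G = pow(2, (P - 1) // Q, P)

def prf(seed, msg):
    """HMAC-SHA256 as a stand-in PRF, reduced to an exponent mod Q."""
    return int.from_bytes(hmac.new(seed, msg, hashlib.sha256).digest(), "big") % Q

def ukg():
    """UKg: user key pair (pk_U, sk_U) with pk_U = G^sk_U."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def sign(sk_u, seed, ctx, pk_ctx):
    """Toy Sign: pseudonym P(U, ctx) plus a tag T bound to the fresh key pk(U, ctx)."""
    pseudonym = pow(G, prf(seed, b"P" + ctx), P)   # identical for every run in ctx
    r = prf(b"R", str(pk_ctx).encode())            # public hash of pk(U, ctx)
    tag = pow(G, (sk_u + prf(seed, b"T" + ctx) * r) % Q, P)   # T = pk_U * F^r
    return pseudonym, r, tag

def identify(cert_a, cert_b):
    """Return pk_U if both certs share a pseudonym but carry different r, else None."""
    (p_a, r_a, t_a), (p_b, r_b, t_b) = cert_a, cert_b
    if p_a != p_b or r_a == r_b:
        return None                                # different user/ctx, or same cert
    # t_b^r_a / t_a^r_b = pk_U^(r_a - r_b); the F terms cancel.
    num = pow(t_b, r_a, P) * pow(t_a, (-r_b) % Q, P) % P
    return pow(num, pow((r_a - r_b) % Q, Q - 2, Q), P)   # invert exponent mod prime Q
```

A second certificate for the same ctx repeats the pseudonym, which is what lets other participants spot the Sybil identity, and the two tags together reveal the permanent pk_U.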
Security Analysis
• Sybil-Proof Property
  • 1 user can have at most 1 pseudonym per set
  • users can check the uniqueness of all other participants
• Unlinkability Property
  • strong unlinkability properties between pseudonyms generated for different identity domains
• Membership Certificate Sharing/Theft
• Corrupt Identity Domain Issuers (or ctx issuers)
Summary
• Self-Certified Sybil-Free Framework
  • privacy-preserving identifiers
    • unlinkable pseudonyms in different sets
  • detection of Sybil identities
  • no continuous involvement of a TTP
• Applications:
  • networked environments with need for cooperation (especially when a TTP is not available at all times)
Acknowledgments
www.prime-project.eu
www.fidis.net