Integrating Anonymous Credentials with eIDs for Privacy-respecting Online Authentication
Ronny Bjones, Ioannis Krontiris, Pascal Paillier, Kai Rannenberg
10 October 2012
Annual Privacy Forum - Limassol, Cyprus
Ioannis Krontiris, Goethe University Frankfurt
Overview
• Example of German eID
• Privacy problems
• Privacy-ABCs to the rescue
• Integration to the German eID system
• Privacy-ABCs on Smart Cards
eIDs in Europe
• A number of eIDs and qualified electronic signatures (QES) already exist
– e-Government services
– Healthcare services
– Financial services
– Online shopping
The German e-ID system
Notice & Selective Disclosure
Security and Privacy Problems
• eID server knows all user transactions
The eID server traces and links all communications and transactions of each user.
• eID server knows all customers of the service provider
The eID server learns all customers trying to access a specific service.
• User impersonation
Insiders can copy or alter a user's credentials and impersonate the user to services.
• Availability
Denial-of-service attacks against the eID server impact all applications using the service.
Moving Ahead
“As such, privacy-enhanced PKI technologies have significant potential to enhance existing eID card privacy functions. Although these technologies have been available for a long time, there has not been much adoption in mainstream applications and eID card implementations”
• the available technologies based on Privacy-ABCs use different terminology for their features and even different cryptographic mechanisms to realize them
• the performance of Privacy-ABCs on smart cards (like eIDs) was poor and did not allow practical deployment
• Privacy-ABCs are very complex and hard to understand for non-specialists
• Scheduled duration: November 2010 – October 2014
• Funding: The ABC4Trust project receives research funding from the European Union's Seventh Framework Programme under grant agreement n° 257782 as part of the “ICT Trust and Security Research” theme.