Anonymous Credentials and e-Cash Jan Camenisch Principle Researcher; TL Cryptography & Privacy IBM Research – Zurich @JanCamenisch ibm.biz/jancamenisch Facts 33% of cyber crimes, including identity theft, take less time than to make a cup of tea. Facts 10 Years ago, your identity information on the black market was worth $150. Today…. Facts $15'000'000'000 cost of identity theft worldwide (2015) Attackers hide easily in the vast of cyberspace ﾩ Houston, we have a problem! The Problem is This: Computers Never Forget # Data is stored by default # Data mining gets ever better # Apps built to use & generate (too much) data # New (ways of) businesses using personal data # Humans forget most things too quickly # Paper collects dust in drawers # But that’s how we design and build applications! Where's all my data? The ways of data are hard to understand # Devices, operating systems, & apps are getting more complex and intertwined # Mashups, Ad networks # Machines virtual and realtime configured # Not visible to users, and experts # Data processing changes constantly → No control over data and far too easy to loose them IoT makes this even worse! The problem is this… Learnings from Snowden – Take Aways NSA collects massive amounts of data Not by breaking encryption schemes! But by openness & insecurity of systems, infiltration, ... # However, Snowden had limited access to docs (no crypt-analysis reports) Many things doable by ordinary hackers or somewhat sophisticated crooks # CA compromise # Stealing data at rest # Extortion, system manipulations,.. Some things of course require large budget and organization # FPGA, ASICS # Deliberate weakening of infrastructure (e.g., PRG standards) – btw, a very bad idea! You have no privacy, get over it ! vs Security # Huge security problem! # Millions of hacked passwords (100'000 followers $115 - 2013) # Stolen credit card number ($5 - 2013) # Stolen identity ($150 - 2005, $15 - 2009, $5 – 2013) # Lots of not reported issues (industrial espionage, stock manipulation, … # Data is the new money – so we better protect it # and we have not event discussed social issues such as democracy etc 11 So it seems beach hurt is rather put on Venus... Security & Privacy is not a lost cause! We need paradigm shift: build stuff for the moon rather than the sandy beach! Security & Privacy is not a lost cause! That means: # Use only minimal data necessary # Encrypt every bit – and keep it like that # Attach usage policies to each bit Good news: Cryptography allows for that! Cryptography to the Aid! Mix Networks Oblivious Transfer Searchable Encryption Onion Routing Confirmer signatures Anonymous Credentials OT with Access Control Group signatures Pseudonym Systems e-voting Priced OT Blind signatures Private information retrieval Secret Handshakes Homomorphic Encryption Legal side of privacy Laws and regulations – History Notion of privacy has changes throughout history (Curtains, shades, etc) Code of fair information practices (1973) # Notice/Awareness # Choice/Consent # Access/Participation # Integrity/Security # Enforcement/Redress Laws and regulations – History Many laws follow the same principles # US Privacy Act 1974 # OECD Guidelines 1980 # EU data protection directive 1995 # General Data Protection Regulation (GDPR) 2018 But: Often only own citizens are protected! # See, e.g., US laws Laws are always lagging behind technology, often difficult to capture OECD Privacy Principles # Collection Limitation There should be limits to the collection of personal data and any such data obtained by lawful and fair means, and where appropriate, with the knowledge or consent of the data subject. # Data Quality Personal data should be relevant to the purposes for which they are to be used, and, to the extend necessary for those purposes, should be accurate, complete and kept up-to-date. # Purpose Specification The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes. OECD Privacy Principles # Use Limitation Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified under the preceding purpose specification principle # except with the consent of the data subject, or # by the authority of law. # Security Safeguards Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure. # Accountability A data controller should be accountable for complying with measures that give effect to the principles stated above. OECD Privacy Principles # Openness There should be a general policy of openness about developments, practices and policies with respect to personal data. # Individual Participation An individual should have the right: # to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; # to have communicated to him, data relating to him # within a reasonable time, # at a charge, if any, that is not excessive, # in a reasonable manner, and Individual Participation in a form that is readily intelligible to him; # to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and # to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended. Privacy laws & regulations vary widely throughout the world Laws# European Throughout Data Protection the World Directive # privacy = fundamental human right # requires all European Union countries to adopt similar comprehensive privacy laws # revision in process (higher fines are foreseen) # US sets on self-regulation, some sector-specific laws, with relatively minimal protections # Constitutional law governs the rights of individuals wrt the government # Tort (Schadenersatz) law governs disputes between private individuals or other private persons # Federal Trade Commission (FTC) deals with consumer protection # HIPAA (Health Insurance Portability and Accountability Act, 1996) # COPPA (Children’s Online Privacy Protection Act, 1998) # GLB (Gramm-Leach-Bliley-Act, 1999) → over 7,000 State Legislations & Enforcement activity/Class Actions # Australia: Privacy Act 1988, Amendment 2012 # Notify users about collection; Notice if data are sent overseas, stronger access rights In most countries, fines are minimal. More information http://www.informationshield.com/intprivacylaws.html 535The breaches Worst Data during Breaches 2011 that ofinvolve 2011 30.4 million sensitive records (2013: 601 breaches recorded, involving 55 million records) # Sony – after over a dozen data breaches Sony faces class action lawsuits over its failure to protect over 100 million user records. # Epsilon – 60 million customer emails addresses # Sutter Physicians Services – stolen desktop contained 3.3 million patients’ medical details including name, address, phone number, email address & health insurance plan. # Tricare and SAIC – backup tapes were stolen from the car of a Tricare employee; led to a $4.9 billion lawsuit being filed. Privacy Rights Clearinghouse (PRC) (https://www.privacyrights.org/top-data-breach-list-2011) And the trend continues :-( → Importance of strict privacy & security policies (incl. data retention) → Avoid “breaches” simply by properly encrypting sensitive data or, better, using privacy enhancing technologies... Business Case for Privacy # Business case always depends on specific example – no solution that fits all # The bad news: data is money – so every one wants it # Big data, sensors, etc. # Marketing # No data is easier to protect than lots of data # e.g., losing credit card number # Privacy is part of security # identity theft # getting access to and manipulating systems, etc. # Laws are an important driver (like security in other areas, e.g. cars) 24 Back to Rocket Science Privacy & Security by design.... July 4, 2017 Jan Camenisch - CySeP 2017 - Summer School - Stockholm © 2017 IBM Corporation Privacy by design.... @ Communication layer # TOR, JAP, etc @ Authentication layer # privacy-preserving attribute-based credentials @ Application layer # eVoting, ePolls, .... # all apps should be done as “privacy by design” Cryptography at the network layer Anonymous communication e.g., mix networks, onion routing (TOR), DC-nets Bandwidth suffers Physical layer notoriously hard to protect 27 Authentication without identification – An example of “rocket science” What is an identity? work language skills marital status public salary authority phone number name credit card number birth date address hobbies shopping insurance blood group nick name health status leisure health care 29 Identities – Identity Management ■ ID: set of attributes shared w/ someone – attributes are not static: user & party can add ■ ID Management: two things to make ID useful – authentication means – means to transport attributes between parties ■ Control attributes with policies: – define requested data – define allowed usage (audience) ■ Privacy by design – minimal amount of data → Privacy-preserving attribute-based credentials 30 Identities Authentication and attribute transfer 31 July 4, 2017 Jan Camenisch - Summer School Trento © 2017 IBM Corporation Alice wants to watch a movie at Mplex I wish to see Alice in Wonderland Alice Movie Streaming Service Alice wants to watch a movie at Mplex I need proof of: - subscription - be older than 12 Alice Movie