TRANSCRIPT
Anonymous Authentication: A privacy-enabled eSurvey use case
Olivier Potonniée, Bart Bombay, Carole Bayle
September 2013
A case for privacy
Many web services ask for personal details that go beyond their strict need
• Users do not know what this information will be used for
• People get spammed, tracked, profiled
• Web services incur liability risk of data breach for data that they don't even need
Imagine if
• Only the minimum personal information is disclosed
• The user is aware of and consents to this information disclosure
• The identity of the user may not even need to be disclosed!
• The web service reduces cost and risk by only retaining the minimum information
Sample application: eSurvey
Demonstrate how an end user can prove his eligibility to an eService without disclosing all of his personal data:
• Providing strong evidence to the Service Provider that the user fulfills the access criteria
• While disclosing only the minimum personal information
  • The user can be anonymous
  • The user can present a selected set of trusted attributes
• Based on user consent
• And ensuring that the Service Provider and Identity Provider cannot track back to the end user's real identity, even if they collude
Key properties: Selective Disclosure, Anonymous Authentication, Explicit Consent, No Traceability
eSurvey Demo Actors
• End user (attributes: Age, City, Country)
• Identity Provider: authenticates the User
• Trusted Anonymous Identity Provider (Issuer): issues a trusted anonymous credential
• eSurvey Service Provider (Verifier): verifies the trusted anonymous credential
Credential Issuance
• The User has a privacy card
• The User connects to the Trusted and Anonymous Identity Provider to activate her privacy card
• The User first has to authenticate to an Identity Provider to validate her personal data
• The Trusted and Anonymous Identity Provider gets the User's consent to load the personal attributes onto the Privacy Card (Age and Residence City & Country)
• The User's personal attributes (Age and Residence City & Country) are signed and loaded onto the Privacy Card. No additional personal information is loaded
• The card generates a key pair for this given credential (not shared with the issuer)
[Diagram: numbered message flow between the Identity Provider, the Trusted and Anonymous Identity Provider and the Privacy Card; the card is labelled Trusted and Untraceable and holds Age, City and Country]
eSurvey Participation
• The User has a privacy card storing her personal attributes
• The User connects to the eSurvey portal and selects the eSurvey in which she wants to participate
• The eSurvey shows the personal attributes it needs (Age and Residence Country); the User agrees to disclose them
• The User votes. The Privacy Card generates a signed token including only the requested personal attributes (Age and Residence Country) plus the vote
• The Service Provider verifies that the credential is emitted by a trusted issuer, that the required criteria are met (Age over 18 and resident of Utopia), and that the User did not already vote
User remains anonymous during the whole process
[Diagram: numbered exchange between the Privacy Card and the Service Provider, with callouts Explicit consent and Selective Disclosure; card attributes Age, City, Country]
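The participation step above, as an added Go example that is not code from the original presentation: the Service Provider's verification of a card token. It assumes a hash-based selective-disclosure scheme (the issuer signs salted per-attribute digests, the card reveals only the consented salt and value pairs) and the names Token, Digest, CredBytes and Verify are this example's own; the blinding that keeps the card's key from the issuer, as the slides require, is not modelled.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"slices"
	"strconv"
)
// Assumed scheme (not the demo's own): the issuer signs only digests H(salt|name|value), so the card can later reveal any subset by showing salt and value.
func Digest(salt, name, value string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(salt+"|"+name+"|"+value)))
}
type Token struct {
	Digests   []string             // every attribute digest, as signed by the issuer
	IssuerSig []byte               // issuer signature over CredBytes(Digests)
	Disclosed map[string][2]string // name -> {salt, value}, only the consented attributes
	Vote      string
	CardPub   ed25519.PublicKey // random per-credential key generated on the card
	CardSig   []byte            // card signature over SignedBytes()
}
// fmt sorts map keys and %q quotes strings, so both encodings are deterministic.
func CredBytes(digests []string) []byte { return []byte(fmt.Sprintf("%q", digests)) }
func (t Token) SignedBytes() []byte {
	return []byte(fmt.Sprintf("%q|%q|%q|%x", t.Digests, t.Disclosed, t.Vote, t.CardPub))
}
// Verify runs the Service Provider checks from the slide: trusted issuer, disclosed values match
// the signed digests, valid card signature, age over 18 (read as 18+), Utopia, one vote per key.
func Verify(issuer ed25519.PublicKey, voted map[string]bool, t Token) error {
	if !ed25519.Verify(issuer, CredBytes(t.Digests), t.IssuerSig) ||
		!ed25519.Verify(t.CardPub, t.SignedBytes(), t.CardSig) {
		return errors.New("untrusted issuer or invalid card signature")
	}
	for n, sv := range t.Disclosed { // a forged or altered attribute has no matching digest
		if !slices.Contains(t.Digests, Digest(sv[0], n, sv[1])) {
			return errors.New("disclosed attribute not covered by credential: " + n)
		}
	}
	age, err := strconv.Atoi(t.Disclosed["age"][1])
	if err != nil || age < 18 || t.Disclosed["country"][1] != "Utopia" {
		return errors.New("access criteria not met")
	}
	pk := fmt.Sprintf("%x", t.CardPub) // the card key, not an identity, is the uniqueness handle
	if voted[pk] {
		return errors.New("this card already voted")
	}
	voted[pk] = true
	return nil
}
```

The card builds a Token with only the requested attributes and signs SignedBytes() with its per-credential key; the double-vote check keys on that public key alone, so the Service Provider never needs an identity.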
Sum up: Key Privacy Principles
• Anonymous Authentication: the card credential does not contain the end user identity. Thanks to the privacy token public key, the service provider can ensure the uniqueness of the vote
• Selective Disclosure: only the required personal information is provided to the Service Provider
• Explicit Consent: each time personal data is used, the end user's consent is requested (either to retrieve or to store her personal data)
• No Traceability: the random public key generated by the card is never shared with the Trusted and Anonymous IdP, giving cryptographic protection against collusion of issuer and SP
Online Authentication
Thank you