
Introduction: Privacy and Identity

B. Jacobs and M. Koning
Institute for Computing and Information Sciences – Digital Security
Radboud University
Spring 2018

Page 1 of 50 Jacobs & Koning Spring 2018 Introduction

Outline

Organisation of this course

Identification and authentication

Identity management

A crash course on IRMA

Basic terminology

The Laws of Identity

Currently we are here: Organisation of this course

About this course I

- Third year course, 3ec, for cyber security bachelor
  • also with some people from outside
- This is a bit like a master course
  • less rigid, requiring more own initiative
- For instance: assignments will be given each week; it is up to you to do them
  • they are not evaluated/marked
  • but they help you to prepare for the paper that you have to write, see later.
- Course website: http://www.ru.nl/ds/education/courses/privacy-identity-2018/
  • relevant information will appear there, not in Blackboard


About this course II: “privacy and identity”

- Privacy is a multidisciplinary area: mix of law, ethics, management, computer science
- Identity will be as in Identity Management (IdM)
  • IdM is usually seen as part of ‘computer security’
  • focus here on attribute-based IdM
- The course will give an overview of several topics
  • it is not covering everything
  • selection may also depend on interests of the teachers and on current societal discussions
  • relevance mostly for computer scientists, not focussed on law or philosophy
- Main topics: basic concepts/vocabulary in IdM, privacy engineering, tracking, privacy enhancing technologies
  • Great relevance with coming-into-force in May 2018 of GDPR = General Data Protection Regulation

About this course III: goals

- Understanding ICT-technology in a broader context
  • Computer scientists are architects, not just of the technical world, but also of the social world
- Developing sensitivity for the impact of identity-related design choices
  • e.g. in the design of a national identity management infrastructure
  • or in a health record system
  • or in almost any app
- This requires intellectual curiosity and openness to non-technical issues
  • like in the (later) “law for Computer Scientists” course
  • it provides an interface to talk to people outside CS
- It requires a certain level of patience before the subtleties of the field sink in.

About this course IV: organisation

- Eight weekly lectures, Tue. 10:30, Feb. 6 – March 27.
  • two teachers: B. Jacobs and M. Koning
  • one assistant: A. Krasnova
  • locations may change, due to unexpected high number of students (± 110); check study guide
- Your presence at lectures is compulsory
  • presence will be registered via IRMA, starting next week
  • presence is required at 5 of the 6 remaining lectures, at least
- NO weekly “exercise meetings”
  • you can ignore these entries in the prospectus (studiegids)
  • there will be weekly assignments with pointers to articles in the literature
  • you are expected to read these articles yourself
- Also: NO written exam

About this course V: examination

- Instead of a written exam: everyone should write a structured essay (paper) on a relevant topic
  • the writing must be in English
  • you should select a topic yourself, with some guidance
- The writing proceeds in two phases
  • phase 1 contains outline and structure, via a form that you will receive
  • phase 2 is the paper itself, of about 2500 words
  • details will follow, also about hand-in deadlines


Currently we are here: Identification and authentication

Recall basic terminology

Computer Security is about regulating access to (digital) assets

- In this course the focus is on regulating access of humans
- It involves the three basic steps:
  • identification: who are you? / what are your attributes?
  • authentication: how do you prove this?
    - the proof itself is sometimes called a credential
  • authorisation: what are you allowed to do?

Identification has many forms

- Identification may be based on, for instance:
  • identifying numbers/descriptions/identifiers, like a registration number (passport nr., BSN), email, phone nr., bank account nr.
  • biometry: physical characteristics or deeply ingrained behaviour or skills that identify a person
  • pseudonyms: meaningless numbers, linked to some
  • attributes: personal properties which may be:
    - non-identifying like “student”, “older than 18”, “female”
    - identifying like for the above identifiers
  • anonymous ephemeral descriptions, or random ephemeral numbers
- The form of authentication must correspond to the form of identification at hand

Real-world and virtual-world authentication

- In daily life we rely on context for many forms of (implicit) authentication
  • uniforms / places / behaviour / etc
- In the online world such contexts are either lacking, or easy to manipulate (fake e-banking site)

“On the internet nobody knows you’re a dog”
(Peter Steiner, New Yorker, 1993)


Correction
In the age of profiling this anonymity suggestion is completely outdated!

Human to computer authentication

The three basic human-to-computer authentication mechanisms are based on:
(1) something you have, like a (physical) key, or card
    Risk? theft, copying
(2) something you know, like a password or PIN
    Risk? eavesdropping (shoulder-surfing), brute-force trials, forgetting (how secure is the recovery procedure?), social engineering, multiple use, fake login screens (use wrong password first!)
(3) something you are, i.e. biometrics, like fingerprints or iris
    Risk? imitation (non-replaceability), multiple use

More about passwords

It is common wisdom that at least a 64 bit string is needed to be secure against password guessing. These 64 bits amount to:
- 11 characters, randomly chosen
- 16 characters, computer generated but pronounceable
- 32 characters, user-chosen
With modern brute force and rule-based techniques, passwords can be broken easily. A well-known system to do so is Crack.

Heuristics
Reasonably good passwords come from longer phrases, e.g. as first letters of the words in a sentence: they are relatively easy to remember, and reasonably arbitrary (with much entropy). It is then still wise to filter on bad passwords.

An alternative is to use one-time passwords, distributed via an independent channel (e.g. via a generator, via GSM or TAN-lists).
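The three lengths on the slide all follow from one rule: reach a 64-bit entropy budget with whatever each character contributes. The Go program below is an added example, not from the slides or the course. It computes those lengths (the 62-symbol alphanumeric alphabet for the random case and the 4 and 2 bits per character for the pronounceable and user-chosen cases are this example's assumptions, chosen because they reproduce the slide's figures), builds a password from the first letters of a sentence as the heuristic suggests, and implements the "filter on bad passwords" step with a normalisation that also catches the "passwd1" / "passwd-2018" style variations a later slide mentions. The length and character-class rules in the filter are likewise this example's own choices.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// bitsPerChar is the entropy contributed by one character drawn uniformly
// at random from an alphabet of the given size.
func bitsPerChar(alphabetSize int) float64 {
	return math.Log2(float64(alphabetSize))
}

// charsNeeded is the password length required to reach targetBits of entropy
// when every character contributes perChar bits.
func charsNeeded(targetBits, perChar float64) int {
	return int(math.Ceil(targetBits / perChar))
}

// passphraseInitials builds a password from the first letter of each word of
// a sentence, the heuristic the slide recommends.
func passphraseInitials(sentence string) string {
	var b strings.Builder
	for _, word := range strings.Fields(sentence) {
		b.WriteRune([]rune(word)[0])
	}
	return b.String()
}

// normalize lowercases a candidate and strips trailing digits and punctuation,
// so that "password1" and "password-2018" collapse to the base word "password".
func normalize(pw string) string {
	return strings.TrimRightFunc(strings.ToLower(pw), func(r rune) bool {
		return !unicode.IsLetter(r)
	})
}

// rejectReason filters bad passwords: it returns "" when pw is acceptable and
// otherwise the reason for rejection. The minimum length of 12 and the
// two-character-class rule are assumptions of this example, not of the slides.
func rejectReason(pw string, blocklist map[string]bool) string {
	if len([]rune(pw)) < 12 {
		return "too short"
	}
	if blocklist[normalize(pw)] {
		return "variation of a blocklisted password"
	}
	classes := 0
	for _, isClass := range []func(rune) bool{unicode.IsLower, unicode.IsUpper, unicode.IsDigit, unicode.IsPunct} {
		if strings.IndexFunc(pw, isClass) >= 0 {
			classes++
		}
	}
	if classes < 2 {
		return "single character class"
	}
	return ""
}

func main() {
	// The slide's three lengths follow from three per-character budgets
	// (the pronounceable and user-chosen budgets are assumed values).
	fmt.Println("random alphanumeric:", charsNeeded(64, bitsPerChar(62)), "chars")
	fmt.Println("pronounceable (~4 bits/char):", charsNeeded(64, 4), "chars")
	fmt.Println("user-chosen (~2 bits/char):", charsNeeded(64, 2), "chars")

	blocklist := map[string]bool{"password": true, "welcome": true} // constructed
	candidates := []string{
		"password-2018",
		passphraseInitials("the quick brown fox jumps over the lazy dog"),
		"Tq8fj!otldX2",
	}
	for _, pw := range candidates {
		fmt.Printf("%-16q -> %q\n", pw, rejectReason(pw, blocklist))
	}
}
```

The point of normalize is that a blocklist only helps if it is applied after the user's favourite escape tricks have been undone; checking the literal string would accept "password-2018" while rejecting "password".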

Password change policies

Does it make sense to force users to change their passwords periodically (say every 3 months)?
- Pro: compromised passwords are usable for only a relatively short amount of time
- Against: lots of things:
  • the cause of a password compromise (if any) is ignored, and may be re-exploited
  • users get annoyed, and use escape techniques:
    - insecure variations: passwd1, passwd-2018 etc.
    - writing passwords down (so that they become ‘something you have’)
  • more helpdesk calls, because people immediately forget their latest version
  • sometimes requests to change passwords are sent by mail, with login link!! Ever heard of phishing? (This happened @RU)


Password recovery

What to do when a user forgets his/her password? This happens frequently. Hence recovery procedures should not be too complicated (or expensive). What to do?

Some options:
- self service password reset, by supplying answers to previously set security questions, like “where was your mother born?” “what’s your first pet’s name?” etc.
  Often, answers can be obtained by social engineering, phishing or simple research (recall the Sarah Palin mailbox incident in 2008)
- Provide a new password via a different channel
  • face-to-face transfer is best, but not always practical
  • ING bank provides new password via SMS (recall: GSM (esp. SMS) is now broken)
- force re-registration (like DigiD does in NL)

Biometrics: intro

Biometrics refers to the use of physical characteristics or deeply ingrained behaviour or skills to identify a person.
- Physical characteristics: facial features, fingerprints, iris, voice, DNA, and the shape of hands or even ears.
- Behaviour or skill: handwritten signature, but also someone’s gait, or the rhythm in which someone types on a keyboard.

Different types of biometrics have important differences in:
- accuracy (percentage of false matches/non-matches)
- how easy they are to fake
- which population groups they discriminate against
- how much information they reveal about us, and how sensitive this information is (e.g. your DNA may reveal health risks of interest to insurance companies)

Biometrics: intentional or unintentional

Important difference between types of biometrics:
- necessarily intentional and conscious production, like with signature (except under extreme coercion)
- possibly unintentional production: people leave copies of their fingerprints and samples of their DNA wherever they go.
  • With the increased use of surveillance cameras we also leave our facial image and gait in many places. This is what enables such biometrics to be used in law enforcement
  • It also makes fingerprint information more valuable to the owner, and to potential attackers, as fake fingerprints could be planted at a crime scene.

Biometric systems in operation

A biometric system works in several steps
(1) its sensors capture a presented biometric
(2) this input signal is then processed to extract features from it
(3) these features are compared to previously recorded and stored biometric information
(4) it is decided if there is a match or not
Ideally, not the raw biometric information is stored, but a template with crucial info about features extracted from the raw data

Fingerprint example
- raw information: image of the fingerprint (stored e.g. in e-passport)
- template: so-called minutiae, bifurcations and endpoints of ridges, which most fingerprint recognition systems use
Storing such templates goes some way towards preventing abuse, assuming that fingerprints cannot be reconstructed from the templates.


Biometrics for verification or identification

Biometrics can be used in two completely separate ways:
- Verification: a person is matched with one particular stored biometric (template), e.g. the fingerprint on his e-passport, to check that someone has a certain claimed identity
  Operational examples:
  • unlock (login to) your smart phone — and also confirmations
  • automatic border passage
  Which types of biometry are used? Where are the templates stored?
- Identification: a person is matched with a large collection of stored biometrics, for example to see if he occurs in a database of known criminals, or has not already applied for a passport under a different name
  (Clearly, this is more error-prone than one-to-one matches, since in one-to-many matches errors accumulate)

e-Passport example in NL

- Originally proposed for verification only (against look-alike fraud)
- function creep happened in the form of central storage of all biometrics: now usable for identification and law enforcement
- in 2011 these central storage plans were abandoned again
  • official reason: technique not ready
  • opposition in parliament: privacy concerns, fear of data loss
  • no convincing use cases, except creepy ones

DNA example in NL

- In 2012 similar plans emerged to store DNA of all citizens in NL in order to find criminals more easily
  • in the wake of the solving of the Marianne Vaatstra murder
  • most likely this is not allowed by law (ECHR): authorities are only allowed to collect data on suspects
- What else is the problem with this?
  • Remember that in a state of law there should be a balance of power between citizens and the authorities!
  • Also remember the historical experience that authorities may become unfriendly
  • And imagine the privacy-disaster if such a DNA database gets compromised, by hacking or mismanagement
- There are two DNA databases in NL (operated by NFI)
  (1) for missing persons
  (2) for suspected and convicted people of serious crime (typically with punishment ≥ 4 years)

Biometric systems are not perfect

- False match: the system reports a match when in fact the stored biometric comes from someone else
  Example: innocent person barred from boarding a plane
- False non-match: the system reports that the two don’t match, even though both are from the same person
  Example: Bin Laden gets on board

Note on terminology
False matches are often called false accepts, and false non-matches false rejects. This can be confusing: if a database of biometrics is used to check that known terrorists do not enter the country, then a false non-match leads to a false accept (into the country), not a false reject


Biometrics performance

- Exact rates of false (non-)matches depend on the type of biometry used and the particulars of the system (e.g. verification or identification).
- There is a trade-off between the false match and non-match rates: by tuning the threshold that decides what counts as a match, one of the two rates can be decreased, but only at the expense of an increase in the other.

Tuning the system for a good balance
- what is the purpose: do you prefer a higher false non-match rate or a higher false match rate?
- who controls the tuning: guards with a no-entry list hate false matches because of the hassle (angry customers). Hence they minimise false matches, leading possibly to a greater risk of false non-matches (terrorist entering the building)
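To make the four steps of a biometric system and the threshold trade-off concrete, here is an added Go simulation (not from the slides or the course). A template is a unit-length feature vector rather than the raw capture, matching is cosine similarity, and a seeded generator produces constructed genuine presentations (the enrolled capture plus sensor noise) and impostor presentations (unrelated random captures). Running it at several thresholds shows the false match rate fall and the false non-match rate rise as the threshold is tightened. The feature dimension, noise level and resulting score distributions are this example's own choices, not measurements of any real system.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Template is the stored abstraction of a biometric: a unit-length feature
// vector, not the raw capture (compare the minutiae template of a fingerprint).
type Template []float64

// extract is step (2): turn a raw capture into a template by normalising the
// feature vector to unit length.
func extract(raw []float64) Template {
	var norm float64
	for _, v := range raw {
		norm += v * v
	}
	norm = math.Sqrt(norm)
	t := make(Template, len(raw))
	for i, v := range raw {
		t[i] = v / norm
	}
	return t
}

// similarity is step (3): compare a fresh template with the stored one.
// Cosine similarity of unit vectors lies in [-1, 1]; 1 means identical.
func similarity(a, b Template) float64 {
	var dot float64
	for i := range a {
		dot += a[i] * b[i]
	}
	return dot
}

// decide is step (4): declare a match when the score reaches the threshold.
func decide(score, threshold float64) bool { return score >= threshold }

// Rates are the two error rates of a biometric system at one threshold.
type Rates struct{ FMR, FNMR float64 }

func randomVec(rng *rand.Rand, dims int) []float64 {
	v := make([]float64, dims)
	for i := range v {
		v[i] = rng.NormFloat64()
	}
	return v
}

// simulate enrols one template and then runs n genuine and n impostor
// presentations (step (1), constructed data from a seeded generator): genuine
// captures are the enrolled capture plus sensor noise, impostors are unrelated
// random captures. It returns the false match and false non-match rates.
func simulate(threshold float64, n int, seed int64) Rates {
	rng := rand.New(rand.NewSource(seed))
	const dims = 16
	enrolledRaw := randomVec(rng, dims)
	enrolled := extract(enrolledRaw)
	falseMatches, falseNonMatches := 0, 0
	for i := 0; i < n; i++ {
		genuine := make([]float64, dims)
		for j := range genuine {
			genuine[j] = enrolledRaw[j] + 0.4*rng.NormFloat64()
		}
		if !decide(similarity(enrolled, extract(genuine)), threshold) {
			falseNonMatches++
		}
		if decide(similarity(enrolled, extract(randomVec(rng, dims))), threshold) {
			falseMatches++
		}
	}
	return Rates{float64(falseMatches) / float64(n), float64(falseNonMatches) / float64(n)}
}

func main() {
	// A stricter threshold lowers the false match rate and raises the false
	// non-match rate; which side to favour depends on who bears the cost.
	for _, th := range []float64{0.3, 0.5, 0.7, 0.9} {
		r := simulate(th, 2000, 1)
		fmt.Printf("threshold %.1f: FMR %.4f  FNMR %.4f\n", th, r.FMR, r.FNMR)
	}
}
```

Because the same seed produces the same scores at every threshold, the two rates move monotonically in opposite directions as the threshold changes, which is the trade-off the slide describes. In a no-entry-list deployment the same numbers read the other way round: a false non-match there is a false accept into the building, the terminology trap of the earlier slide.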

Biometrics performance studies

NL passport fingerprint study (2005, 15,000 participants)
- At enrollment phase, 3.2% of fingerprints could not be recorded
  • 1.9% impossible to record two fingerprints
  • 1.3% only possible to record one
- In verification phase, in 4.3% one finger could not be verified; in 2.9% neither finger

Fingerprints from NL passports are never used!! Why are they still there?

US-VISIT study (2004, 6,000,000 in database)
- false match rate of 0.31% (1 in 300 hassle for innocent travellers)
- changing operational parameters:
  • false match rate reduced to 0.08%
  • false non-match rate rises to 4% to 5%

Biometrics usage

For identification: useful, with error margins
- basis for usage in surveillance systems

For authentication: problematic, since it assumes that:
- only you are the source of fresh biometric measurements
- freshness of such measurements can be recognised
- you provide input to these fresh measurements intentionally and consciously

For non-repudiation: unsuitable, same spoofing problems
- biometrics not suitable as signatures in payment systems

How about biometrics for access to secure facilities?
- only rarely used type of biometrics, like hand-palm or iris
- spoofing/transfer is more difficult

Privacy issues in biometrics

(1) biometric measurements may contain much more information than is strictly needed for identification
    • e.g. DNA contains your genetic build up (and of subsequent generations)
    • also claimed for eyes, by irisscopists
(2) when improperly stored (as original measurements and not as abstract templates) and protected, biometrics may actually increase the risk of identity fraud
(3) biometric information may be used for tracing people, either openly, for instance via public security cameras, or covertly


Biometrics, conclusions

- biometrics are often proposed as solution to the security problems associated with passwords
- however, they are problematic themselves (highly overrated)
  • always the same, in every application
  • not replaceable (after compromise)
- entangled error rates associated with false (non-)matches
  • errors accumulate in one-to-many comparisons
- really useful only for local usage, on one’s own device

Currently we are here: Identity management

What is Identity Management (IdM)?

Identity Management is about organising access of humans to computer systems

Aspects of IdM
- Identification / Authentication / Authorisation
- Personalisation, service adjustment to individual preferences
- Provisioning, i.e. automatic propagation of changes in identity data, esp. enroll, update, suspend, restore, remove

- IdM has become an area in itself — as part of computer security
- the issues and complexities are non-trivial: imagine you have to design IdM for an international company like Microsoft
  • with all its employees and contractors,
  • and customers and users (non-paying, like for outlook webmail)

Advantages & disadvantages of IdM

Advantages of IdM
- centralisation of control, administration and policy
- ease for users
- structuring of roles and responsibilities within organisations
- cost reduction

Concerns in IdM
- possible reliability reduction, via single point of failure;
- linking of activities, harming privacy.


Examples of IdM systems
- Kerberos, one of the first standards
- OpenId, a modern authentication standard using OAuth
- DigiD, operated by NL government
- iDIN, operated jointly by NL banks
- Eduroam, operated by universities worldwide for Wifi access
- Facebook Connect / Google+ login
- . . .
- IRMA, attribute-based authentication, from Nijmegen

Some characteristics
- Some of these, like Eduroam, are federated, connecting IdM from different organisations
- The architectures and information flows are highly relevant:
  • for privacy: who gets to see what?
  • for commercial reasons: who can charge for what?
  • for (societal) control: who decides about what?

Currently we are here: A crash course on IRMA

IRMA Demo: reveal only relevant attributes

Essentials:
- attributes instead of identities
- collected by user him/herself
- attributes are reliable (digitally signed by source)
- decentralised architecture: attributes only on user's own phone
- IRMA is free & open source

IRMA history, in two phases

- 2008 – now: scientific research project at Radboud University
  • active research line on attribute-based authentication
  • 3 PhD theses so far, postdocs too, many publications
  • financial support from: NLnet, Translink, BZK, NWO, KPN
  • prototype implementations on:
    - smart card — at first, but no longer supported
    - smart phone — for Android only
- 2016 – now: technology deployment via non-profit foundation
  • https://privacybydesign.foundation set up in fall 2016
  • foundation runs infrastructure, and issues attributes
  • e.g. from: iDIN (banks), SURFconext (academia), BIG (health)
  • both Android and iOS ap﻿ps, with common code-base in Go
  • attribute verification pilots are emerging
  • attribute-based signatures will be added


Example identity services

Public      Private          Non-profit
DigiD       Facebook login   SURFconext
iDensys     iDIN             IRMA

Centralised versus decentralised, schematically

Centralised: everything goes via the Identity Provider (think iDIN)

[Diagram: boxes for the Identity Provider, the User and several Verifiers; arrows labelled 1 (User – Verifier), 2 “authenticate” (User – Identity Provider) and 3 “prove” (Identity Provider – Verifier), repeated for every Verifier]

Decentralised: everything goes via the User (think IRMA)

[Diagram: boxes for the Identity Provider, the User and several Verifiers; arrows labelled 1 “issue” (Identity Provider – User), 2 “prove” (User – Verifier) and 3 “prove” (User – another Verifier); the Identity Provider is not involved in any proof]

Relevant players in the identity platform IRMA

- User: the individual who collects attributes locally and discloses them selectively
  • attributes are all bound to a single secret key of the User
- Issuer: a (trusted) party that issues attributes to Users
  • the User authenticates to the Issuer first, before issuing
  • the Issuer digitally signs the issued attributes & expiry date
  • (in IRMA, connected attributes are combined in a “credential”)
- Verifier or Relying Party: an organisation that accepts attributes from Users as part of its authorisation process for transactions
  • Verifiers check Issuer signatures and expiry dates
  • they also perform a zero knowledge proof with the User
- The Foundation: the Privacy by Design foundation that develops IRMA software, runs the infrastructure, and also issues attributes
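As an added example (not the IRMA code base and not its Idemix cryptography), the following Go program plays out the decentralised flow of the diagram above with the three players of this slide: the Issuer signs a credential, the User keeps it on the phone and discloses only selected attributes directly to a Verifier, and the Verifier checks the Issuer signature, the expiry date, the binding to the User's key and the disclosed values. Attribute values are hidden behind salted hash commitments, so selective disclosure works and hidden attributes stay hidden. The User's persistent public key inside the credential, however, is a correlation handle that makes disclosures linkable across Verifiers; removing it while keeping the binding is exactly what IRMA's zero-knowledge proofs do and what this toy does not. The issuer name, attribute names and nonce are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Attribute is one property the Issuer vouches for; a Commitment hides its value as H(salt, name, value).
type Attribute struct{ Name, Value string }
type Commitment struct{ Name string; Hash []byte }

// Credential: commitments to the attributes, an expiry date (unix seconds) and the User's
// public key (holder binding), all signed by the Issuer. Sig is empty in the bytes being signed.
type Credential struct{ Issuer string; HolderPub ed25519.PublicKey; Expiry int64; Commitments []Commitment; Sig []byte }

func (c Credential) signingBytes() []byte { c.Sig = nil; b, _ := json.Marshal(c); return b }

func commit(salt []byte, a Attribute) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), a.Name+"\x00"+a.Value...))
	return h[:]
}

// Issue is the Issuer's step (the User's prior authentication to the Issuer is out of
// scope here). The salts travel to the User together with the credential.
func Issue(issuer string, issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, attrs []Attribute, expiry time.Time) (Credential, [][]byte, error) {
	cred := Credential{Issuer: issuer, HolderPub: holderPub, Expiry: expiry.Unix()}
	salts := make([][]byte, len(attrs))
	for i, a := range attrs {
		salts[i] = make([]byte, 16)
		if _, err := rand.Read(salts[i]); err != nil {
			return Credential{}, nil, err
		}
		cred.Commitments = append(cred.Commitments, Commitment{a.Name, commit(salts[i], a)})
	}
	cred.Sig = ed25519.Sign(issuerPriv, cred.signingBytes())
	return cred, salts, nil
}

// Wallet is the User's phone: one secret key plus credential, values and salts; nothing in it
// goes to a central party. A Revealed entry opens one commitment; a Disclosure goes to a Verifier.
type Wallet struct{ Priv ed25519.PrivateKey; Cred Credential; Attrs []Attribute; Salts [][]byte }
type Revealed struct{ Name, Value string; Salt []byte }
type Disclosure struct{ Cred Credential; Revealed []Revealed; Nonce, HolderSig []byte }

// holderMessage is what the User signs: the credential hash plus the Verifier's fresh nonce.
func holderMessage(c Credential, nonce []byte) []byte {
	h := sha256.Sum256(c.signingBytes())
	return append(h[:], nonce...)
}

// Disclose is the User's step: reveal only the named attributes and prove possession of
// the bound key by signing the Verifier's nonce (freshness, so a disclosure cannot be replayed).
func (w *Wallet) Disclose(names []string, nonce []byte) (Disclosure, error) {
	d := Disclosure{Cred: w.Cred, Nonce: nonce, HolderSig: ed25519.Sign(w.Priv, holderMessage(w.Cred, nonce))}
	for _, n := range names {
		i := 0
		for i < len(w.Attrs) && w.Attrs[i].Name != n {
			i++
		}
		if i == len(w.Attrs) {
			return Disclosure{}, fmt.Errorf("no attribute %q in wallet", n)
		}
		d.Revealed = append(d.Revealed, Revealed{n, w.Attrs[i].Value, w.Salts[i]})
	}
	return d, nil
}

// Verify is the Verifier's step: Issuer signature, expiry date, holder binding, and that each
// revealed value opens a commitment in the signed credential. Hidden attributes stay hidden.
func Verify(d Disclosure, issuerPub ed25519.PublicKey, now time.Time) (map[string]string, error) {
	switch {
	case !ed25519.Verify(issuerPub, d.Cred.signingBytes(), d.Cred.Sig):
		return nil, fmt.Errorf("issuer signature invalid")
	case now.Unix() >= d.Cred.Expiry:
		return nil, fmt.Errorf("credential expired")
	case !ed25519.Verify(d.Cred.HolderPub, holderMessage(d.Cred, d.Nonce), d.HolderSig):
		return nil, fmt.Errorf("holder binding failed")
	}
	out := map[string]string{}
	for _, r := range d.Revealed {
		opened := false
		for _, c := range d.Cred.Commitments {
			opened = opened || (c.Name == r.Name && bytes.Equal(c.Hash, commit(r.Salt, Attribute{r.Name, r.Value})))
		}
		if !opened {
			return nil, fmt.Errorf("attribute %q does not open a commitment", r.Name)
		}
		out[r.Name] = r.Value
	}
	return out, nil
}

func main() { // constructed demo run: issue three attributes, disclose one
	ipub, ipriv, _ := ed25519.GenerateKey(nil)
	upub, upriv, _ := ed25519.GenerateKey(nil)
	attrs := []Attribute{{"over18", "yes"}, {"student", "yes"}, {"name", "Alice Example"}}
	cred, salts, _ := Issue("example-issuer", ipriv, upub, attrs, time.Now().Add(24*time.Hour))
	d, _ := (&Wallet{upriv, cred, attrs, salts}).Disclose([]string{"over18"}, []byte("constructed-nonce"))
	fmt.Println(Verify(d, ipub, time.Now())) // map[over18:yes] <nil>
}
```

Note what the Verifier never receives: the values of the undisclosed attributes, only their commitments. Note also what it does receive on every visit: the same HolderPub, which is why a real attribute-based system replaces the plain signature in Disclose with a zero-knowledge proof of the secret key.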

IRMA assignment

(1) Install the IRMA app on your phone — available for Android & iOS
    • registration requires an email address that you control
    • choose a 5-digit PIN; remember it carefully, it cannot be changed
(2) Obtain iDIN and SURFconext credentials
    • iDIN via your Dutch bank account login (if you don’t have a Dutch bank account, you can also use Facebook)
    • SURFconext via your Radboud login
    (Needed from the second week onwards to register your presence)
(3) Read IRMA documentation to understand how it works, see
    • https://privacybydesign.foundation/irma-explanation/
    • to go deep: https://github.com/privacybydesign
    • or look at the privacy policy: https://privacybydesign.foundation/privacy-policy-en/


Currently we are here: Basic terminology

Relevant terms

Next we discuss basic terms like:
- attributes — sometimes called claims
- (partial) identities
- anonymity and pseudonymity
- (un)linkability
- reputation and accountability

This discussion is loosely based on:
- Andreas Pfitzmann, Marit Hansen: A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management
- See https://dud.inf.tu-dresden.de/literatur/Anon_Terminology_v0.34.pdf

Attributes

Attributes are properties of people with some level of stability.
- Examples: given name, family name, address, date-of-birth, email address, phone number, nationality, etc.
  • attributes are typically “small” pieces of information
  • they are distinguished from larger “records” and “dossiers”
- An attribute can be:
  • (uniquely) identifying, like a student number — in a context
  • non-identifying, like gender, or “older than 18”
- Attributes have a certain validity period, after which they expire
  • Example: “younger than 15”
- Basic ideas in attribute-based IdM:
  • authorisation can be done based on attributes
  • different attributes are shown in different contexts: contextual authentication
  • selection of attributes should be minimal, for privacy protection

Identities

Definition
The (complete) identity of a person is the set of all attributes that hold for that person — at a particular point in time.

Definition
A partial identity or persona is a subset of attributes that uniquely identify a person — at a point in time, in a certain context

An essential part of privacy is keeping information in context, see later
- this involves formalising partial identities in IdM
- attribute-based IdM can do that


Reputation and accountability

A reputation is a set of opinions about a person that is based on the person’s past actions
- digitally a reputation often takes the form of a rating or score
- reputations are used to formalise trust in the “sharing economy” and on many platforms (like eBay or Uber)

Accountability is the acknowledgment and assumption of responsibility for one’s actions, taking blame or liability
- it is most often applied to Users: did you really do that?
- it applies to Verifiers too: did you really check “older than 18”?
- and to Issuers: were you sure when you issued “older than 18”?

A basic IdM matrix

Attribute                   Reputation   Accountability                   Privacy
Identifying attribute       +            for the User                     –
Pseudonym*                  +            if linkable to a User            if not linkable
Non-identifying attribute   –            for Verifiers, not for Users     +
Anonymity (no attributes)   –            –                                +

* A pseudonym is a meaningless attribute, whose value is unique per User

Currently we are here: The Laws of Identity

Background

- In 2005, Kim Cameron, an architect from Microsoft, published a paper The Laws of Identity
  • See http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf
- It’s a relatively old article, but it is not outdated! Its setting:
  • the internet has been designed without “identity” in mind
  • this hampers many applications & has led to ad hoc solutions
  • many of them are abused, leading to limited trust and missed opportunities
  • there is no single solution, since “identity is related to context”
- Seven laws of identity are introduced
  • “law” not legally but scientifically: hypothesis about the world
  • “claims” are used, subtly related to “attributes”
  • quote: “attributes” are the things expressed in claims
  • claims have to be “evaluated” or “verified” by a relying party


Laws of Identity I

User Control and Consent
"Technical identity systems must only reveal information identifying a user with the user's consent."

Additional quoted explanation:
- "Earning this trust requires a holistic commitment. The system must be designed to put the user in control — of what digital identities are used, and what information is released."
- "The system must also protect the user against deception, verifying the identity of any parties who ask for information."


Laws of Identity II

Minimal Disclosure for a Constrained Use
"The solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution."

In GDPR terminology: data minimisation (Art. 5(1)(c)) and purpose limitation (Art. 5(1)(b)).


Laws of Identity III

Justifiable Parties
"Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship."

This requires minimising the number of participants in each transaction; compare the decentralised (IRMA) and centralised (iDIN) architectures, where in the centralised case the central party sees every transaction without having a necessary place in it.


Laws of Identity IV

Directed Identity
"A universal identity system must support both 'omni-directional' identifiers for use by public entities and 'unidirectional' identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles."

- "omni-directional" means visible to everyone and persistent, like the URL (and certificate) of a website
- "unidirectional" means one-on-one and ephemeral (short-lived, to prevent linkability)
  • Google / Facebook / ... have you log in with the same identifier everywhere, which hands every relying party the same correlation handle
  • IRMA uses blindable credentials, which look different on each occasion but remain valid under blinding
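The difference between a correlation handle and a unidirectional identifier, and the "linkable to a User" column of the IdM matrix above, can be made concrete with pairwise pseudonyms. The following is an added example, not code from the slides and not how IRMA works (IRMA's blindable Idemix credentials achieve unlinkability cryptographically at the User's side); it uses the simpler technique of a keyed HMAC per (Verifier, User) pair, as in OpenID Connect "pairwise" subject identifiers. All users, verifiers and the key are constructed for the example.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional, Set

# Constructed sample data for this example (not from the slides): one identity
# provider (IdP) handing out identifiers for three Users to two Verifiers.
USERS = {"alice": "user-0001", "bob": "user-0002", "carol": "user-0003"}
VERIFIERS = ("webshop.example", "forum.example")

# Hypothetical key held only by the IdP. Possessing it is what makes a pseudonym
# "linkable to a User" (accountability); Verifiers never see it.
IDP_SECRET = b"constructed-example-key-do-not-reuse"


def omnidirectional_id(user_id: str, verifier: str) -> str:
    """Omni-directional identifier: the same value for every Verifier.

    The `verifier` argument is ignored on purpose; this is the
    'log in with the same identifier everywhere' pattern.
    """
    return user_id


def unidirectional_id(user_id: str, verifier: str) -> str:
    """Unidirectional (pairwise) pseudonym for one User at one Verifier.

    HMAC-SHA256 keyed with the IdP secret over (verifier, user). Stable for a
    given Verifier, so the User can build reputation there, but an unrelated
    string at every other Verifier, and not invertible without the key.
    """
    msg = verifier.encode() + b"\x00" + user_id.encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()


def build_tables(id_func: Callable[[str, str], str]) -> Dict[str, Set[str]]:
    """What each Verifier ends up storing: the identifier it received per User."""
    return {v: {id_func(uid, v) for uid in USERS.values()} for v in VERIFIERS}


def correlate(table_a: Set[str], table_b: Set[str]) -> Set[str]:
    """Linkage attack: two Verifiers pool their tables and join on identifier."""
    return table_a & table_b


def idp_resolve(verifier: str, pseudonym: str) -> Optional[str]:
    """Accountability path: only the IdP, holding the key, can map a pseudonym
    presented at `verifier` back to a User, by recomputing over its user list."""
    for name, uid in USERS.items():
        if hmac.compare_digest(unidirectional_id(uid, verifier), pseudonym):
            return name
    return None


if __name__ == "__main__":
    for label, f in (("omni-directional", omnidirectional_id),
                     ("unidirectional", unidirectional_id)):
        tables = build_tables(f)
        linked = correlate(tables["webshop.example"], tables["forum.example"])
        print(f"{label}: {len(linked)} of {len(USERS)} users linkable across verifiers")
    nym = unidirectional_id(USERS["bob"], "forum.example")
    print("forum pseudonym", nym[:16], "... resolves at the IdP to", idp_resolve("forum.example", nym))
```

Running it shows all three users linkable across the two verifiers with the global identifier and none with the pairwise pseudonym, while the IdP can still resolve a forum pseudonym to "bob" when accountability demands it. The caveat a practitioner should note: in this construction the IdP computes the pseudonym at every login, so it learns which User visits which Verifier; that is exactly the unjustified central party of Law III, and it is the reason IRMA moves the blinding to the User's own device instead.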


Laws of Identity V

Pluralism of Operators and Technologies
"A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers."

Additional quoted explanation:
- "A universal system must embrace differentiation, while recognizing that each of us is simultaneously — in different contexts — a citizen, an employee, a customer, a virtual persona."

Identity management is highly sensitive to historical and cultural differences, which can be accommodated by using attributes instead of identities.


Laws of Identity VI

Human Integration
"The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks."

This calls for easy-to-understand and uniform interfaces for users.


Laws of Identity VII

Consistent Experience Across Contexts
"The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies."

Additional quoted explanation:
- "To make this possible, we must 'thingify' digital identities – make them into 'things' the user can see on the desktop, add and delete, select and share."
- "As users, we need to see our various identities as part of an integrated world which none the less respects our need for independent contexts."


Assignment: laws for Self-Sovereign Identity

In recent years Cameron's laws of identity have been reformulated by Christopher Allen as laws for self-sovereign identity.
- Read this e.g. at http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html
- Investigate what the differences are between these laws for self-sovereignty and Cameron's laws
- Investigate to what extent IRMA satisfies the laws of self-sovereign identity
- Often the story of self-sovereign identity is coupled with blockchain technology
  • for instance for uPort or Sovrin
  • think about whether this combination is necessary
