
D11.1: Collection of Topics and Clusters of Mobility and Identity – Towards a Taxonomy of Mobility and Identity



Privacy by credential-based Identity Management

Privacy-enhancing technologies ensure anonymity by preventing an attacker from tracing the user and identifying him. Linkability based on communication data can be prevented by using anonymity mechanisms such as a mix network (Chaum, D., 1981). In order to prevent linkability on the application layer, David Chaum proposed an identity management system with unlinkable credentials (Chaum, D., 1985). In the following, we focus on credential-based identity management systems.

Identity Management Systems

We categorise today’s identity management systems according to their use of credentials. The first kind of identity management system uses credentials on partial identities. A partial identity (Clauß, S. and Köhntopp, M., 2001) represents a role of a user in a specific situation. It consists of a pseudonym and the user’s attributes. Examples are iManager (Jendricke, U. and Gerd tom Markotten, D., 2000) and Microsoft InfoCard (Microsoft Corporation, 2005). A CA certifies the association between a partial identity of a user and one of his pseudonyms by a credential according to X.509. All pseudonyms and credentials of a user depend on his private key. A CA has to be a Trusted Third Party (TTP) with respect to non-linkability. Additionally, the transactions of a user are linkable if he uses the same credential in different transactions. A user can prevent attackers from tracing him by using a credential for one partial identity only once.


Identity management systems using credentials for browser-based attribute exchange differ from systems using credentials on partial identities in that a trusted third party, called the identity provider, manages the attributes of a user, including his pseudonyms, on his behalf. This trusted third party (TTP) issues credentials for proving the identity of a user towards service providers. Thus the TTP acts as an anonymity proxy: on one side, the user is identifiable and traceable by the TTP, whereas on the other side this user appears under a pseudonym. The secret of a user is his password for his account at the TTP. Examples are Liberty Alliance (Liberty Alliance Project, 2005), Shibboleth (Erdos, M. and Cantor, S., 2002) and IBM BBAE (Pfitzmann, B. and Waidner, M., 2003). Another browser-based attribute exchange protocol is Microsoft .NET Passport (Microsoft Corporation, 2003). This system does not protect its users against undesired identification and profiling: according to the Microsoft .NET Passport review guide (Microsoft Corporation, 2003), every user has a global identifier and each service may obtain every attribute of a user.


Identity management systems of the third kind realise anonymous credentials. Stefan Brands (Brands, S., 2000) as well as Jan Camenisch and Anna Lysyanskaya (Camenisch, J. and Lysyanskaya, A., 2001) have developed protocols for anonymous credentials. The latter protocols are implemented by IBM idemix (Camenisch, J. and Herreweghen, E.V., 2002). A user is able to show a credential without revealing any identifying attributes; this is done using zero-knowledge proofs. A credential can be shown under different pseudonyms so that these transactions appear to be independent. Even the CA cannot recognise a user who shows a credential issued by this CA under a different pseudonym. Furthermore, a user can decide which attributes of a credential are revealed in a proof. From the service providers’ view, idemix supports accountability, so that the identity of a user can be revealed by a third party under certain conditions. In order to prevent users from sharing their credentials, idemix binds all pseudonyms and credentials of a user to his secret key and uses one of two non-transferability mechanisms: PKI-based non-transferability and all-or-nothing transferability.

Delegation of Rights and Identity Management Systems

Identity management systems with anonymous credentials and those with credentials for browser-based attribute exchange support non-linkability by controlling the disclosure of personal data, the latter only under the condition that the involved TTP is trusted with respect to privacy. Identity management systems are not suitable to protect personal data once they have been revealed. This is exactly the case when sharing credentials.


Concerning browser-based attribute exchange, Liberty Alliance Phase 2 considers in its specification (Liberty Alliance Project, 2005) an approach for delegation of rights. But this approach contradicts their trust model with respect to privacy. They assume the delegatee to be the attacker, and a TTP hides the identity of the user by encrypting it with the public key of the end service provider. This end service provider is thereby able to decrypt it and identify the user. Contrary to this trust model, the specification (Liberty Alliance Project, 2005) assumes that every service provider wants to share its profiles about its users.


Concerning anonymous credentials, idemix assumes that the cryptographic key on which all credentials are based is kept secret. Sharing this secret key with a delegatee would violate this assumption. Such a delegatee is able to link the transactions of a user with other service providers by revealing the user’s identity. Additionally, the user would lose control of his credentials, since the delegatee would be able to impersonate him and thereby use all of his credentials. The delegatee is able to obtain credentials and establish pseudonyms for his own purposes but on behalf of the user.
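As an added illustration (not code from this deliverable or from idemix), the following Python script models the two properties relied on in the description of anonymous credentials above and in this paragraph: pseudonyms that are all bound to one master secret yet cannot be linked to each other, shown to a verifier with a zero-knowledge proof of ownership, and the consequence of handing that master secret to a delegatee. It uses Pedersen-style pseudonyms nym = g^sk * h^r over a toy 64-bit safe-prime group and a Fiat-Shamir proof of knowledge of (sk, r) bound to a transaction context; the group size, the hash-derived second generator and the context strings are assumptions made for the demo and are far below production parameters. A real anonymous-credential scheme additionally carries the CA's signature on the user's attributes, which is omitted here.

```python
"""Toy pseudonyms bound to a master secret, with a zero-knowledge proof of ownership.
Added illustration for this section; not idemix code. Parameters are for demo only."""
import hashlib
import random
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Group:
    p: int  # safe prime, p = 2q + 1
    q: int  # prime order of the subgroup we work in
    g: int  # generator of the order-q subgroup
    h: int  # second generator whose discrete log w.r.t. g is unknown (hash-derived)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic, good enough for a demo)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64, seed: int = 2024) -> Group:
    """Build a toy safe-prime group (assumption: 64 bits is for illustration only;
    a deployment would use standardised 2048-bit or elliptic-curve groups)."""
    rng = random.Random(seed)  # deterministic parameters so the demo is repeatable
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = pow(2, 2, p)  # squaring lands in the order-q subgroup of quadratic residues
    h_seed = int.from_bytes(hashlib.sha256(b"toy second generator").digest(), "big")
    h = pow(h_seed % p, 2, p)  # "nothing up my sleeve" second generator
    assert g not in (0, 1) and h not in (0, 1)
    return Group(p, q, g, h)


def new_pseudonym(G: Group, sk: int) -> Tuple[int, int]:
    """Pseudonym = g^sk * h^r, a Pedersen commitment to the master secret sk.
    Fresh randomness r makes each pseudonym look unrelated to the others."""
    r = secrets.randbelow(G.q)
    return (pow(G.g, sk, G.p) * pow(G.h, r, G.p)) % G.p, r


def _challenge(G: Group, nym: int, commitment: int, context: bytes) -> int:
    """Fiat-Shamir challenge over the public values and the transaction context."""
    data = b"|".join(str(x).encode() for x in (G.p, G.g, G.h, nym, commitment))
    return int.from_bytes(hashlib.sha256(data + b"|" + context).digest(), "big") % G.q


def prove_ownership(G: Group, nym: int, sk: int, r: int, context: bytes) -> Dict[str, int]:
    """Prove knowledge of (sk, r) with nym = g^sk h^r without revealing either."""
    a, b = secrets.randbelow(G.q), secrets.randbelow(G.q)
    commitment = (pow(G.g, a, G.p) * pow(G.h, b, G.p)) % G.p
    c = _challenge(G, nym, commitment, context)
    return {"t": commitment, "s1": (a + c * sk) % G.q, "s2": (b + c * r) % G.q}


def verify_ownership(G: Group, nym: int, proof: Dict[str, int], context: bytes) -> bool:
    """Check g^s1 * h^s2 == t * nym^c for the challenge recomputed from context."""
    c = _challenge(G, nym, proof["t"], context)
    lhs = (pow(G.g, proof["s1"], G.p) * pow(G.h, proof["s2"], G.p)) % G.p
    rhs = (proof["t"] * pow(nym, c, G.p)) % G.p
    return lhs == rhs


def demo() -> Dict[str, bool]:
    """Constructed scenario: one user, two transactions, one delegatee holding sk."""
    G = make_group()
    sk = secrets.randbelow(G.q)  # the user's master secret
    nym1, r1 = new_pseudonym(G, sk)
    nym2, r2 = new_pseudonym(G, sk)
    ctx_a, ctx_b = b"shop-A:order-17", b"shop-B:order-3"  # constructed contexts
    proof1 = prove_ownership(G, nym1, sk, r1, ctx_a)
    proof2 = prove_ownership(G, nym2, sk, r2, ctx_b)
    # A delegatee who was handed sk can mint pseudonyms and proofs like the user.
    nym3, r3 = new_pseudonym(G, sk)
    proof3 = prove_ownership(G, nym3, sk, r3, b"delegatee:any-service")
    return {
        "pseudonyms_differ": len({nym1, nym2, nym3}) == 3,
        "user_proofs_verify": verify_ownership(G, nym1, proof1, ctx_a)
        and verify_ownership(G, nym2, proof2, ctx_b),
        "replay_in_other_context_fails": not verify_ownership(G, nym1, proof1, b"shop-A:order-18"),
        "delegatee_with_secret_verifies": verify_ownership(G, nym3, proof3, b"delegatee:any-service"),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() returns four checks: the three pseudonyms differ, the user's proofs verify in their own transaction contexts, a proof replayed under another context fails, and a delegatee who holds sk produces pseudonyms and proofs that verify exactly as the user's do. The last result is the impersonation problem described in the paragraph above and the reason why handing over the master secret cannot serve as a delegation mechanism.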


Consequently, if a user delegates credentials to untrustworthy delegatees, he will have no privacy at all. A privacy-preserving delegation mechanism should introduce an alternative to sharing the user’s secret and ensure that delegated credentials are used according to the security interests of this user. We will use idemix and protect delegated, anonymous credentials from misuse and from being traced back to the user by an access control mechanism that focuses on the identified privacy criteria.


fidis-wp11-del11.1.mobility_and_identity_03.sxw
Denis Royer 45 / 58