Abstract
Authentication is a prerequisite for proper access control to many e-services. Often, it is carried out by identifying the user, while generally, verification of certified attributes would suffice. Even worse, this kind of authentication makes all the user’s transactions linkable and discloses an excessive amount of personal information, and thus erodes the user’s privacy. This is in clear contradiction to the data minimization principle put forth in the European data protection legislation.
In this paper, we present data-minimizing mobile authentication, which is a kind of attribute-based authentication through the use of anonymous credentials, thereby revealing substantially less personal information about the user. We describe two typical scenarios, design an architecture, and discuss a prototype implemented on a smart phone which minimizes the disclosure of personal data in a user-to-terminal authentication setting. The prototype uses the Identity Mixer anonymous credential system (Idemix) and realizes short-range communication between the smart phone and the terminal using visual channels over which QR codes are exchanged. Furthermore, the security has been improved and unauthorized sharing of credentials prevented by storing the credentials’ secret key in a secure element hosted by the mobile phone. Our measurements show that the use of smart phones for data-minimizing authentication can be an actual “game changer” for a broad deployment of anonymous credential systems.
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Bichsel, P., Camenisch, J., De Decker, B., Lapon, J., Naessens, V., Sommer, D. (2012). Data-Minimizing Authentication Goes Mobile. In: De Decker, B., Chadwick, D.W. (eds) Communications and Multimedia Security. CMS 2012. Lecture Notes in Computer Science, vol 7394. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32805-3_5
DOI: https://doi.org/10.1007/978-3-642-32805-3_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32804-6
Online ISBN: 978-3-642-32805-3
eBook Packages: Computer Science, Computer Science (R0)