Security and trust are core research issues for the further development of the Information Society and for 10 years have played, and continue to play, an integral part in the European Union's Framework Programmes (FPs) for R&D. EU-supported collaborative research projects in trust and security bring together multi-partner stakeholders from industry (technology and service providers, system integrators and end-users), academic and research laboratories working in several interdisciplinary research fields. Sometimes, ...
Complex cryptographic protocols are often designed from simple cryptographic primitives, such as signature schemes, encryption schemes, verifiable random functions, and zero-knowledge proofs, by bridging between them with commitments to some of their inputs and outputs. Unfortunately, the known universally composable (UC) functionalities for commitments and the cryptographic primitives mentioned above do not allow such constructions of higher-level protocols as hybrid protocols. Therefore, protocol designers typically resort to primitives with property-based definitions, often resulting in complex monolithic security proofs that are prone to mistakes and hard to verify. We address this gap by presenting a UC functionality for non-interactive commitments that enables modular constructions of complex protocols within the UC framework. We also show how the new functionality can be used to construct hybrid protocols that combine different UC functionalities and use commitments to ensure that the same inputs are provided to different functionalities. We further provide UC functionalities for attribute tokens and revocation that can be used as building blocks together with our UC commitments. As an example of building a complex system from these new UC building blocks, we provide a construction (a hybrid protocol) of anonymous attribute tokens with revocation. Unlike existing accumulator-based schemes, our scheme allows one to accumulate several revocation lists into a single commitment value and to hide the revocation status of a user from other users and verifiers.
Abstract. Fingerprinting schemes enable a merchant to identify the buyer of an illegally distributed digital good by providing each buyer with a slightly different version. Asymmetric fingerprinting schemes further prevent the merchant from framing a buyer by making the fingerprinted version known to the buyer only. In addition, an anonymous fingerprinting scheme allows the buyer to purchase goods without revealing her identity to the merchant. However, as soon as the merchant finds a sold version that has been (illegally) distributed, he is able to retrieve a buyer's identity and take her to court. This paper proposes a new and more efficient anonymous fingerprinting scheme that uses group signature schemes as a building block. A byproduct of independent interest is an asymmetric fingerprinting scheme that allows so-called two-party trials, which has not been achieved so far.
Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society - WPES '13, 2013
Many Internet users today use an electronic social network service (SNS) to share data with their friends. Most SNSs let users restrict access to their shared data, e.g., to particular groups of friends, or to users satisfying other criteria based on their attributes or relationships. Usually, however, such access control restrictions can only be applied to resources hosted on the SNS itself. In this paper, we present protocols to enable SNS users to protect access to resources that are hosted on external service providers (SPs). Our mechanisms preserve the users' privacy in the sense that (1) the SP does not learn the SNS-identities of users that share or access the resource, nor does it learn anything about the access policy that protects it, (2) the SNS does not obtain any information about the resource, and in particular, does not obtain a link to it, and (3) the SP cannot change the policy set by the owner of the resource, or test the policy on users who never requested access to the resource. We give formal definitions of these security requirements and present a cryptographic protocol based on group signatures that provably fulfills them. We also discuss to what extent our requirements can be fulfilled using the standard OAuth authorization protocol while making only minor changes to the SNS infrastructure.
IFIP International Federation for Information Processing, 2006
Digital credentials and certificates can easily be shared and copied. For instance, if a user possesses a credential that allows her to access some service, she can easily share it with her friends and thereby let them use the service as well. While with non-anonymous credentials this sharing can to some extent be detected by the fact that some credentials get used too often, such detection is not possible with anonymous credentials. Furthermore, the honest user is also at risk of identity theft: malicious software such as viruses and worms or phishing attacks can without too much difficulty steal her credentials. One solution to the problem is to use tamper-resistant hardware tokens to which a credential is bound such that a credential can only be used in connection with the token. Although this approach is sometimes taken for isolated high security applications, it is not used widely because of the organizational overhead to distribute such tokens. Moreover, such tokens are usually very application specific and hence cannot be used with different applications (from different service providers). Recently, however, manufacturers have started to embed into computers a tamper-resistant piece of hardware, called a trusted platform module (TPM), as specified by the Trusted Computing Group. In this paper we show that this module can in fact be used to secure anonymous as well as non-anonymous credentials. We provide a mechanism to ensure that credentials can only be used with the TPM they were issued to. We then extend our solution to one that allows the use of credentials not only with the TPM they were issued to but also with other TPMs of the same user. Finally, we show how to secure a full-fledged anonymous credential system.
Proceedings of the 9th ACM conference on Computer and communications security - CCS '02, 2002
Anonymous credential systems [8, 9, 12, 24] allow anonymous yet authenticated and accountable transactions between users and service providers. As such, they represent a powerful technique for protecting users' privacy when conducting Internet transactions. ...
Proceedings of the 7th ACM workshop on Digital identity management - DIM '11, 2011
We use the Internet for shopping, staying in contact with friends, paying our bills, and declaring our taxes -- for almost everything. Thereby we emit a lot of sensitive information that is exchanged, processed, and stored at many different places. Sometimes we release our information voluntarily and consciously but quite often also unconsciously and unnoticed. In any case, once released, we cannot possibly control the dispersal of this information, let alone remain aware where the information about us is stored and processed. However, the press reports daily on incidents where sensitive information has been lost, stolen, or misused -- often even information originally collected by large and reputable organizations. This situation puts our privacy and security at risk. Fortunately, there exist a fair number of privacy-enhancing technologies which can help in minimizing the amount of information that needs to be revealed in transactions, on the one hand, and in limiting the information's dispersal, on the other hand. Examples are the privacy-enhancing technologies developed by the PrimeLife project. PrimeLife was a three year project funded by the European Commission and involved about 50 participants from 15 academic, industrial and public organizations. PrimeLife's goals were threefold: first, to make the existing research results and technologies available and usable, second, to fill the gaps between research prototypes and the requirements of practical applications, and third, to invent and develop new solutions to the privacy issues raised by the recent Internet applications such as social networks, cloud storage, and wikis. In this talk we will present and discuss a number of results from the PrimeLife project.
These include, for instance, the social network Clique (clique.primelife.eu), where users can easily determine the audience of their postings, a concept that has found its way into Google+, and our tool Scramble!, which ensures by encryption that indeed only the intended audience is able to decrypt a user's posting. We will further review PrimeLife's efforts to make privacy-enhancing technologies available and finally briefly discuss its successor ABC4Trust, which will conduct two pilots with the privacy-preserving credential technologies Identity Mixer and U-Prove. For more information we refer to the books by PrimeLife and its predecessor PRIME summarizing their results [1,2] and to their respective websites www.primelife.eu and www.prime-project.eu. Information on the ABC4Trust project is found at www.abc4trust.eu.
The concept of group signatures was introduced by Chaum et al. at Eurocrypt '91. It allows a member of a group to sign messages anonymously on behalf of the group. In case of a later dispute a designated group manager can revoke the anonymity and identify the originator of a signature. In this paper we propose a new efficient group signature scheme. Furthermore we ...
We conduct an increasing part of our daily transactions electronically and thereby we leave an eternal electronic trail of personal data. We are almost never able to see what data about us we imprint, where it is processed or where it is stored. Indeed, controlling the dispersal of our data and protecting our privacy has become virtually impossible. In this talk we will investigate the extent to which tools from cryptography and other technical means can help us to regain control of our data and to preserve our privacy. To this end, we will review the most important of the practical cryptographic mechanisms and discuss how they could be applied. In a second part, we will report on the readiness of the industry to indeed employ such technologies and on how governments address the current erosion of privacy.
Abstract. The Trusted Computing Group (TCG) specified two protocols that allow a trusted hardware device to remotely convince a communication partner that it is indeed a trusted hardware device. In turn, this enables two communication partners to establish that the other end is ...
Proceedings of the second ACM workshop on Digital identity management - DIM '06, 2006
User centricity is a significant concept in federated identity management (FIM), as it provides for stronger user control and privacy. However, several notions of user-centricity in the FIM community render its semantics unclear and hamper future research in this area. Therefore, we consider user-centricity abstractly and establish a comprehensive taxonomy encompassing user-control, architecture, and usability aspects of user-centric FIM.
Direct Anonymous Attestation - TCG TPM v1.2 (slide 20, Zurich Research Laboratory). Solution 3: Dealing with rogue TPMs. The TPM also sends Nym = f(DAA-secret) = ζ^(DAA-secret) mod p. If ζ is random, a Nym formed from a published (leaked) DAA secret can still be detected, and the protocol remains anonymous. ...
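The rogue-tagging relation on that slide, carried out in code. This is an added example written for this page, not code from the talk or from the TCG DAA specification: the group (an 11-bit safe prime p = 2q + 1, with ζ living in the order-q subgroup of squares), the SHA-256 hashing of a verifier basename into that subgroup, and the function names are all constructed assumptions, and the secret space is small enough to brute-force, which a real group is not. The real TPM 1.2 DAA protocol also wraps Nym in a zero-knowledge proof that the exponent is the secret certified by the issuer; this example shows only the verifier's rogue check and the two ways of choosing ζ.

```python
"""Rogue-TPM tagging with DAA-style pseudonyms (constructed toy, not TPM code).

The slide reduces rogue detection to one relation: the TPM sends
Nym = zeta^secret mod p. A verifier keeps a rogue list of DAA secrets that have
leaked from broken TPMs and rejects any Nym equal to zeta^f for a listed f.
The verifier never learns an honest TPM's secret, so with a fresh zeta per
session an honest TPM stays anonymous and its Nyms are unlinkable.
"""
import hashlib
import secrets

# Constructed toy group: safe prime P = 2Q + 1. The quadratic residues mod P form
# the order-Q subgroup in which zeta lives. 11-bit numbers keep the arithmetic
# readable; a real deployment uses a group of cryptographic size.
P = 2039
Q = 1019


def _is_prime(n: int) -> bool:
    """Trial division; enough to sanity-check the toy parameters at import."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


assert _is_prime(P) and _is_prime(Q) and P == 2 * Q + 1


def subgroup_element(h: int) -> int:
    """Map an integer into the order-Q subgroup by raising to (P-1)/Q = 2.

    A result of 0 or 1 is rejected: zeta = 1 would make every Nym equal to 1,
    detecting nothing.
    """
    zeta = pow(h % P, (P - 1) // Q, P)
    if zeta in (0, 1):
        raise ValueError("degenerate zeta; pick a different h")
    return zeta


def zeta_from_basename(basename: bytes) -> int:
    """Verifier-chosen zeta: hash a basename into the subgroup (try-and-increment).

    The same basename always yields the same zeta, so one TPM's Nyms are
    linkable by that verifier (pseudonymous mode) but still rogue-checkable.
    """
    for counter in range(256):
        h = int.from_bytes(hashlib.sha256(basename + bytes([counter])).digest(), "big")
        try:
            return subgroup_element(h)
        except ValueError:
            continue
    raise RuntimeError("could not hash basename into the subgroup")


def fresh_zeta() -> int:
    """Session-random zeta: Nyms of the same TPM are unlinkable (anonymous mode)."""
    while True:
        try:
            return subgroup_element(secrets.randbelow(P - 2) + 2)
        except ValueError:
            continue


def nym(zeta: int, daa_secret: int) -> int:
    """What the TPM sends: Nym = zeta^secret mod P. The secret never leaves the TPM."""
    if not 1 <= daa_secret < Q:
        raise ValueError("DAA secret must lie in [1, Q)")
    return pow(zeta, daa_secret, P)


def is_rogue(zeta: int, received_nym: int, rogue_secrets) -> bool:
    """Verifier-side rogue tagging: does Nym match any published (leaked) secret?

    zeta has prime order Q, so zeta^a == zeta^b iff a == b (mod Q): a match
    pins down exactly the leaked secret, and an honest TPM never matches.
    """
    return any(pow(zeta, f, P) == received_nym for f in rogue_secrets)


if __name__ == "__main__":
    rogue_list = [123, 456]          # constructed: secrets extracted from broken TPMs
    honest, broken = 789, 456        # constructed TPM secrets
    z = fresh_zeta()
    print("honest TPM flagged:", is_rogue(z, nym(z, honest), rogue_list))  # False
    print("broken TPM flagged:", is_rogue(z, nym(z, broken), rogue_list))  # True
    z_bsn = zeta_from_basename(b"verifier-A")
    print("linkable under one basename:", nym(z_bsn, honest) == nym(z_bsn, honest))
```

Two properties follow directly from ζ having prime order q. First, ζ^a = ζ^b only when a ≡ b (mod q), so the rogue list produces no false positives against honest secrets. Second, the same secret under two different ζ values gives two different Nyms, which is why a per-session random ζ makes an honest TPM's transactions unlinkable while a basename-derived ζ makes them linkable by that one verifier; the rogue check works identically in both modes.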
Papers by Jan Camenisch