When we think about authentication and more specifically about strong authentication mechanisms based on cryptographic primitives, we first think about techniques generating non-repudiable identity proofs. It seems like the more “secure” an authentication scheme is, the less control the Subject have over its privacy using it. Facing the Security vs Privacy debate, we might be tempted to intuitively (but wrongly) assume that those concepts are diametrically opposed. In this talk, the presenter will introduce some concepts and associated techniques which could be leveraged to provide secure authentication without sacrificing privacy. This talk will first highlight the privacy side effects associated with the classical authentication schemes based on X.509 certificates before having a closer look at selective disclosure, ZKIP, Digital Credential and their implementations in the real world. Application Security Forum 2011 27.10.2011 - Yverdon-les-Bains (Switzerland) Speaker: Simon Blanchet

1. Harmonizing Identity and
Privacy in Digital Identity and
Authentication technologies
Simon Blanchet
Information Security & Risk Team Leader - Application Security
{Undisclosed} Private Bank

2. Who Am I?
Simon Blanchet, CISSP
11+ years in Information System Security Security
Security / Cryptographic Software Developer
Information Security Professional (Application /
Software Security) in Private Banking
Hooked: Computers, BBSes, “hacking scene”
Computer Science
Passionate about Cryptology (Classical, Applied) &
Software (In)Security
27.10.2011 Application Security Forum - Western Switzerland - 2011 2

3. Who Am I?
Crypto / Security Software Developer
Secure Email Solution (X.509, OpenSSL, MS CAPI, …)
Meta-IDS built on OpenBSD (aggregation, correlation)
Digital Credential initial PoC / SDK
Information Security Professional (Swiss Banking)
Application Security Architect (PKI, AAA, libs (authn, crypto), …)
Smartcard Programming & Integration (PKCS11, APDUS)
Application Security Team Lead – Private Bank
Software Security, ARA, Threat Modeling, Security Testing
27.10.2011 Application Security Forum - Western Switzerland - 2011 3

4. Who Am I?
Fun facts:
Own (too) many books on Cryptology and Brewing
Some of which are signed by the author with dedication
Foodies, Beer aficionado
Urban travelers, love languages
27.10.2011 Application Security Forum - Western Switzerland - 2011 4

5. Agenda
What this talk IS about / What this talk is NOT about
Authentication & Privacy
Identity Meta System (IdP, RP, Subject / Principal, …)
PKI, X.509, Case Study: SSL mutual authentication
Introducing the Laws of Identity
Some issues with current authentication schemes
Introducing Elementary Cryptographic Primitives
Introducing Digital Credential
27.10.2011 Application Security Forum - Western Switzerland - 2011 5

6. What this talk IS about
Digital Identity
Authentication
Digital Privacy in the authentication world
Identity Provider, Relying Parties, Subject
Limitations of current implementations
Elementary cryptographic primitives
RSA, Digital Signature, Discrete Logarithms, ZKIP,
Blind Signature, Selective Disclosure, …
27.10.2011 Application Security Forum - Western Switzerland - 2011 6

7. What this talk is NOT about
Anonymous browsing
MIX networks / Onion Routing
Hiding identity at the network level
Political statement / Privacy evangelism
27.10.2011 Application Security Forum - Western Switzerland - 2011 7

8. Authentication & Privacy
Definition, means, why, conflicting /
diametrically opposed concepts?
Security vs Privacy debate
27.10.2011 Application Security Forum - Western Switzerland - 2011 8

9. Identification & Authentication
Identification
Act or process of identifying somebody or something or of being
identified. So, it’s an act or process of showing who somebody is.
Act of claiming an identity, where an identity is a set of one or
more signs signifying a distinct entity.
Authentication
Act or process of proving something to be valid, genuine or true
about someone’s identity.
Act of verifying that identity, where a verification consists in
establishing, to the satisfaction of the verifier, that the sign
signifies the entity.
27.10.2011 Application Security Forum - Western Switzerland - 2011 9

10. Identification vs Authentication
Identification
Ex: “Hi I’m Simon”, “Hi I’m the owner of this car”
Authentication
Ex: “Hi I’m Simon, here’s my passport”
Something I own Passport
Ex: “Hi I’m Simon, here’s my passport and let me sign
this piece of paper”
Something I own Passport
Something I am My signature
27.10.2011 Application Security Forum - Western Switzerland - 2011 10

11. Authentication (1/2)
Authentication factors
Knowledge Something you know
Ex: Password, Pin code, Passphrase, answer to a special ?
Ownership Something you own
Ex: Security Token, Cell phone, Private Key associated to a cert
Inherence Something you do or are
Ex: Fingerprint, voice, retina (think biometrics)
Multi-factor Authentication
Any combination of more than one of the above…
27.10.2011 Application Security Forum - Western Switzerland - 2011 11

12. Authentication (2/2)
SSL Mutual Authentication
Public Key Digital Signature (more on this later…)
Hardware / Security Token
Shared Secret Key Authentication
OTP based on Shared Secret + Time
OTP based on Shared Secret + Counter
OTP based on Shared Secret + Challenge
The minimum requirement of any token is at least an inherent
unique identity…
OpenID / SAML / …
27.10.2011 Application Security Forum - Western Switzerland - 2011 12

13. Privacy
Ability of a person to control the availability of
information about and exposure of himself or
herself. It is related to being able to function in
society anonymously (including
pseudonymous or blind credential
identification)
27.10.2011 Application Security Forum - Western Switzerland - 2011 13

14. Anonymity / Pseudonymity
Anonymity
No information linking an identifier to its entity
Identity that is not bound or linked to an entity
Obscuring the identity of an entity
Pseudonymity
Pseudonym is a fictitious identifier which is not
immediately associated to an entity
Ex: Pen names, Nicknames, …
Linking & Tracking possible, pseudo revealed: Game Over
27.10.2011 Application Security Forum - Western Switzerland - 2011 14

15. Security vs Privacy
Is this a real dilemma?
Conflicting / diametrically opposed concepts?
We hear a lot about trading your Privacy to
increase your Security in airport security
Full-Body Scanners anyone?
27.10.2011 Application Security Forum - Western Switzerland - 2011 15

16. Security vs Privacy
Post 9/11
How much privacy are you willing to give up for security?
Security or Privacy?
Fundamental dichotomy? NOT really…
Security affects Privacy when it's based on identity
Real question: Liberty versus Control
Quoting Benjamin Franklin:
"Those who would give up essential liberty to purchase a little
temporary safety, deserve neither liberty nor safety."
27.10.2011 Application Security Forum - Western Switzerland - 2011 16

17. Identity Meta System
IdP - Identity Provider
Issues digital identity
Ex: CA for X.509 Digital Certificate
RP - Relying Parties
Requires identity / Trust IdP
Ex: Mutual SSL authn protected web server
S / P – Subject / Principal
Entities about whom claims are made
Ex: Individual owning a cert & its associated private key
27.10.2011 Application Security Forum - Western Switzerland - 2011 17

18. PKI
IdP is the Certification Authority (CA)
Authenticate
Validate CSR
Issue Cert Cryptographic
IdP binding Identity
+ Public Key
Subjec Access Request
RP
t
Certificate + Proof of
Keep Private Key possession private key
Sign(Attrib + Pub Key) CSR
27.10.2011 Application Security Forum - Western Switzerland - 2011 18

19. Case Study
SSL Mutual Authentication
27.10.2011 Application Security Forum - Western Switzerland - 2011 19

20. SSL Mutual Authentication
Common Trusted IdP (CA) between RP & S
CA issues a digital certificate to Subject
Client-side key pair generation
PKCS10 Certificate Signing Request sent to CA
CA authenticate Subject & verify proof of
possession of associated Private Key
CA issues X.509 certificate to Subject
27.10.2011 Application Security Forum - Western Switzerland - 2011 20

21. SSL Mutual Authentication
RP is a Web Server configured to require a
client certificate
SSL “Server Hello” – “Client Certificate Request”
$ openssl s_server -www -key myca_privkey.pem -cert
myca.pem -state -msg -debug -Verify myca.pem
27.10.2011 Application Security Forum - Western Switzerland - 2011 21

22. SSL Mutual Authentication
Copyright IBM Corporation 1999, 2011. All Rights Reserved.
This topic's URL: http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/topic/com.ibm.mq.csqzas.doc/sy10660_.htm
27.10.2011 sy10660_ Application Security Forum - Western Switzerland - 2011 22

23. SSL Mutual Authentication
So the client is only sending his certificate
back to the server or is he?
What else would be needed and why?
Proof of possession of associated private key
A certificate is public by definition …
How to prove to a RP that we own such key?
Someone said “Digital Signature”?
What is really signed here? Why?
27.10.2011 Application Security Forum - Western Switzerland - 2011 23

24. SSL Mutual Authentication
What can be signed?
Who’s providing the material to sign?
The server only?
The client only?
Both? Why?
What can go wrong if not both?
What’s the outcome of all of this?
Server obtain a proof that the Client owns the
private key associated with the cert shown
27.10.2011 Application Security Forum - Western Switzerland - 2011 24

25. Laws of Identity ii.a
27.10.2011 Application Security Forum - Western Switzerland - 2011 25

26. Laws of Identity ii.a
1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts
27.10.2011 Application Security Forum - Western Switzerland - 2011 26

27. Some issues with current
schemes
27.10.2011 Application Security Forum - Western Switzerland - 2011 27

28. Privacy Issues with current schemes
IdP sees the certificates it issues
RP can always track the entity authenticating
RP can store all the certificates presented
Different RPs can exchange & link those
certificates
ALL the attributes contained in the certificate
are disclosed to the RP
CRLs are distributed to all RP
27.10.2011 Application Security Forum - Western Switzerland - 2011 28

29. X.509 SSL Mutal Authn (1/2)
1. User Control and Consent ✗ / ?
By Default: NO under most common OSes
MS CAPI Private Key Security Level
2. Minimal Disclosure for a Constrained Use ✗
ALL attributes embedded in the cert are
disclosed
27.10.2011 Application Security Forum - Western Switzerland - 2011 29

30. Issues with X.509 authn (2/2)
Cert contains direct unique identifiers such as:
Subject Key Identifier ( 2.5.29.14 )
IssuerDN + Serial Number
Common Name*
Cert contains indirect unique identifiers:
Public Key
CA’s Signature
Computed Thumbprint
27.10.2011 Application Security Forum - Western Switzerland - 2011 30

31. Cryptographic Primitives
27.10.2011 Application Security Forum - Western Switzerland - 2011 31

32. Cryptographic Primitives
RSA
Discrete Logarithm Problem (DLP)
Zero-Knowledge Proof (ZKP)
Prover Subject
Verifier RP
Blind Signature
Selective Disclosure
27.10.2011 Application Security Forum - Western Switzerland - 2011 32

33. RSA
P & Q: Large random prime numbers
n = P * Q Modulus common to privkey & pubkey
Compute φ(n) = (p – 1)(q – 1)
Choose an integer e such that 1 < e < φ(n) and
gcd(e,φ(n)) = 1 public key
d = e–1 mod φ(n) private key
Encryption-Decryption / Signature-Validation
ENC/DEC: c = me (mod n), m = cd (mod n)
SIG/VAL: s = hd (mod n), h = se (mod n) h’=h?
27.10.2011 Application Security Forum - Western Switzerland - 2011 33

34. Discrete Logarithm Problem
g and h are elements of a finite cyclic group G then a
solution x of the equation gx = h is called a discrete
logarithm to the base g of h in the group G.
Given g ≠1 and a random h := gx, it is not possible to
find x from computational complexity standpoint.
27.10.2011 Application Security Forum - Western Switzerland - 2011 34

35. Zero Knowledge Proof
For Children… (from Jean-Jacques Quisquater’s paper*)
Repeat until confidence level is reached…
• http://en.wikipedia.org/wiki/Zero-knowledge_proof
27.10.2011 Application Security Forum - Western Switzerland - 2011 35

36. Introducing digital credential
• Issuing protocol Blind Signature
– Subject can (blind) “randomize” its public key
– IdP can still sign without “knowing” the public key
– The resulting IdP signature is also “blinded” from
the IdP perspective
• Showing protocol Selective Disclosure
– Subject can blind, hence selectively disclose only
the attributes he wishes to do to the RP (Verifier)
27.10.2011 Application Security Forum - Western Switzerland - 2011 36

37. Conclusion
Pseudonymity != Anonymity
Security XOR Privacy? NOT Really
Liberty VS Control THE real question
Most current authentication schemes were not built with
“privacy” in mind and currently don’t comply with the “7
Laws of Identity”
Some cryptographic constructs exists to implement
privacy and empower the Subject
Implementations of those constructs already exist
27.10.2011 Application Security Forum - Western Switzerland - 2011 37

38. © flickr.com/horiavarlan
horiavarlan
Questions
Questions ?
27.10.2011 Application Security Forum - Western Switzerland - 2011 38

39. Thank You! / Merci!
Simon Blanchet
simon.blanchet@gmail.com
http://ch.linkedin.com/in/sblanchet
SLIDES A TELECHARGER
PROCHAINEMENT:
http://slideshare.net/ASF-WS
27.10.2011 Application Security Forum - Western Switzerland - 2011 39

40. References (1/2)
i. Microsoft’s Vision for an Identity Metasystem
a. http://www.identityblog.com/stories/2005/10/06/IdentityMetasystem.pdf
ii. The Laws of Identity, Kim Cameron
a. http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf
iii. Rethinking Public Key Infrastructures and Digital Certificates, Stefan Brands
a. http://mitpress.mit.edu/catalog/item/default.asp?sid=DB63048D-0822-4233-8765-
55C534600287&ttype=2&tid=3801
b. http://www.credentica.com/the_mit_pressbook.html
iv. Work of David Chaum & Stefan Brands, School of Computer Science and
Statistics at Trinity College Dublin (Michael Peirce’s homepage)
a. http://ntrg.cs.tcd.ie/mepeirce/Project/chaum.html
b. http://ntrg.cs.tcd.ie/mepeirce/Project/Mlists/brands.html
v. The Id Element
a. http://channel9.msdn.com/Shows/Identity
b. http://channel9.msdn.com/shows/Identity/Deep-Dive-into-U-Prove-Cryptographic-protocols
27.10.2011 Application Security Forum - Western Switzerland - 2011 40

41. References (2/2)
v. 7 Laws of Identity, Ann Cavoukian
a. http://www.ipc.on.ca/images/Resources/up-7laws_whitepaper.pdf
vi. The problem(s) with OpenID, The Identity Corner
a. http://www.untrusted.ca/cache/openid.html
vii. An Overview of an SSL Handshake & How SSL provides authentication,
confidentiality, and integrity
a. http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/advanced/print.jsp?topic=/com.ibm.mq.
csqzas.doc/sy10670_.htm&isSelectedTopicPrint=true
b. http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas
.doc%2Fsy10660_.htm
viii. Links Blog (Identity), Ben Laurie
a. http://www.links.org/?cat=8
ix. U-Prove Crypto SDK V1.1 (Java Edition) - Apache 2.0 open-source
license
a. http://archive.msdn.microsoft.com/uprovesdkjava
x. Random Thoughts on Digital Identity, Digital Identity Glossary
a. http://blog.onghome.com/glossary.htm
27.10.2011 Application Security Forum - Western Switzerland - 2011 41