Privacy Preserving Identity Attribute Verification in Windows CardSpace
- 1. Privacy Preserving Identity Attribute Verification in Windows CardSpace Kevin Steuer Jr Ruchith Fernando Elisa Bertino October 8, 2010
- 3. Identity Manager Identity Selector Relying Party
- 4. Identity Manager ● Information card issuer ● Security Token Service
- 8. XML Descriptor Issued by an identity manager Managed & Self Issued
- 9. Relying Parties/Service Providers ● Specifies the required claims ● Expects an XML token containing the values
- 11. Problems ?
- 12. Identity Manager is trusted in securely storing user's identity attribute values Identity Manager holds the attribute values in plain
- 15. Relying Party → User : Do you have a Social Security Number?
- 16. Just proving that the user does is sufficient!
- 17. No need to give away the SSN to the Relying Party!
- 18. Let the Identity Manager store only a COMMITMENT of the SSN We use the Pedersen commitment
- 19. Pedersen Commitment c=gxhr ●G : Finite cyclic group of large prime order p so that the Computational Diffie-Hellman (CDH) problem is hard in G ● A generator g ∊ G ● x, r ∊ {0, 1, ... , p-1} = Fp
- 20. The user obtains a signed identity attribute value from an identity provider Sets up the commitment with the identity manager
- 21. How is it used with at a Service Provider?
- 22. Zero Knowledge Proof Of Knowledge
- 23. Schnorr protocol 1. U randomly chooses y, s ∊ F*p , and sends V the element d = gyhs ∊ G 2. V picks a random value e ∊ F*p , and sends e as a challenge to U. 3. U sends u = y + ex, v = s + er, both in Fp, to V. u v e 4. V accepts the proof if and only if g h = d c in G.
- 26. <ic:SupportedClaimType Uri="http://veryidx...strongclaims/ssn"> <ic:DisplayTag>Strong Claim SSN</ic:DisplayTag> <ic:Description>Strong Claim ...</ic:Description> </ic:SupportedClaimType> <vi:SupportedStrongClaimValues xmlns:vi="http://veryi..."> <vi:StrongClaimValue Uri="http://veryidx...strongclaims/ssn"> <vi:Commitment>743872676989=</vi:Commitment> <vi:R>329839797987493827983=</vi:R> </vi:StrongClaimValue> </vi:SupportedStrongClaimValues>
- 27. User is prompted to enter the value of the strong claim to carryout the proof
- 28. But ....
- 29. What about the 2nd and 3rd attempts?
- 30. Linkability Consistent attribute values to the relying parties
- 31. The identity selector will prove the same commitment value to the relying party!
- 32. Make sure we don't present the same commitment twice to the relying party!
- 33. Original Commitment : c1 = gxhr Commitment in the token to RP : ci = gc1hri
- 34. Request Security Token Response <wst:RequestSecurityTokenResponse> ... <vi:SupportedStrongClaimValues> <vi:ClaimValue Uri="http://veryidx...strongclaims/xyz"> <vi:Commitment>77666876989=</vi:Commitment> <vi:R>329839797987493827983=</vi:R> </vi:ClaimValue> </vi:SupportedStrongClaimValues> </wst:RequestSecurityTokenResponse> Used by the identity selector to retrieve the new commitment and random values
- 35. Identity Manager : WSO2 Identity Server (IS) Identity Selector : Higgins Relying Party : WSO2 IS Java RP ZKPK implementation : VeryIDX
- 36. Thank You !