The Study Of Security Communication And Computation

Published Date: 02 Nov 2017

In a broad practical sense, cryptography is the study of security communication and computation against malicious adversaries. Traditionally computer communications security deals with security services like confidentiality, integrity and availability. Techniques were designed to attain stealth of communications between conversing parties, and to reduce the possibility that their communications be jammed, intercepted or located and in particular permit conversing parties to stay anonymous or untraceable to each other and to third parties. In highly risk environments, for example in a military context anonymous communications could mask the roles of different communicating entities, their network location or their position in the chain of command. Once such technology is deployed then it would create a rugged effort for an opponent to execute target selection through signal and communications intelligence. On the other hand, anonymous communications can be employed in order to preserve individual’s privacy. In order to protect user’s profile, these primitives can be included in security policies. However at the same time, as the anonymous communication allows a user to mask him to hide his identity, the probability of a user performing an illegitimate action can also be high.

MOTIVATION

Identities may be represented by names, but are usually more complex. An identity may include e-mail ids, driving licenses, passports, social security numbers, social network accounts and taxpayer numbers. These pieces of information are considered identities, since they can uniquely identify individuals. For example, passports are unique per person, in a given country. Moreover, information that is usually considered non-identifying, like gender and education, can become identity too. The combination of few partial identities, like postal address and age, may identify an individual in a given context. Interactions among individuals and organizations are inclined to involve identity information, which creates considerable economic and privacy risks when this information is lost or misused. The cost of identity theft, during 2008, is estimated to be $45 billion in the US [56] and $1.2 billion in the UK [54]. A published survey [55] states that more than 60 percent of Americans are extremely worried about their privacy when shopping online. This represents a significant increase from 47 percent recorded in 2006. Loss and misuse of identities also lead to profiling individuals. When an individual's partial identities are linked together, the private actions can be traced back to that individual. Organizations at which loss or misuse occur are affected as well, since individuals lose trust in these organizations. Protecting individuals' privacy is, therefore, essential for both individuals and organizations.

The threats to one’s privacy over the wire are two-fold [51]: The online actions possibly can be monitored by unauthorized parties who may preserve the information for future access. The personal information can been monitored, logged, and later disclosed even before one can realize and those who compromise the privacy have no concern to warn at any cost. The risk of long-term storage and ultimate disclosure of personal information is sensitive on web. It is technically not so problematic to collect information and store it for long time for years or decades, indexed by one’s name for easy retrieval. Long-term databases threaten individual’s capability to choose what one would like to disclose about his/her past. In recent years advanced techniques were introduced to mine information from the web. This makes it easy to discover and mine personal data about an individual who might not realize its availability on the web. For example, one of the family members might have listed information on their web page without one’s knowledge; search engine technology available today can retrieve one’s information very easily. An individual’s phone number, email id and address are probably listed on the web.

A single query about an individual on internet can compile a huge profile containing extensive personal information from many diverse sources. This progressively becomes a threat since databases containing personal information happen to be electronically traversed and cross linked. The advances in information mining technology and search engines make it easy to collect more databases from the web which becomes an ultimate source for cross linking. For example, information about individual’s address details, personal photos are easily accessible on the Internet. The effect is hazardous: when it is so simple to fabricate a complete profile of an individual, an adversary may take benefit of it, whether for financial gain, vivid entertainment, illicit purposes, or other unauthorized use.

Government body represents the biggest source for individual’s information, and hence is an impending threat to privacy. Government employees have access to the private information of the populace [59], and some employees may abuse the data. There are many instances of abuses by officials [58]: an investigation in 1992 revealed that IRS (Internal Revenue Service’s) staff at one regional office made number of unauthorized queries on taxpayer databases; records of AIDS patients, which was highly confidential were leaked as pointed in. A number of deterrent examples are available. In the context of individuals rating organizations, privacy plays a key role in encouraging individuals to rate. On the other hand, trust management [57] allows individuals to determine the level of trust they should place in an organization. This helps individuals avoid interacting with untrusted organizations; and thus, individuals deprive these organizations from the needed identity information to profile individuals.

Anonymity is a significant form of privacy protection. Anonymity is often used as a means to reach individual’s privacy goals. For instance, if one’s unlisted phone number is available on the internet, but cannot be mapped to one’s identity because of anonymity tools, then this is sufficient to achieve the need for one’s privacy. Achieving this is as effectively as if one had kept the phone number completely secret. "Physical security through anonymity" was the theme of many online applications.

Anonymous social interaction is ethnically accepted in contexts other than internet. For example, some well-known literary writers use pen names; HIV tests are carried out in anonymous labs; police offer anonymity to attract informants for information; the media ensure to guard the anonymity of their confidential sources. All the above examples summarize that, most non-internet technology today permits the ordinary user an access to anonymity. There are good reasons that anonymity was widely appreciated and accepted in society and further took a policy decision to protect and value anonymity off the internet; and that the same interpretation applies to the internet, and therefore we should project to protect online anonymity as well.

PROBLEM STATEMENT

The authentication process adopted today is generally that a user is forced to give personal details to an unknown responder. The details that are provided may allow an attacker to know the user’s personal information, which sometimes may lead to unexpected scenarios. Hence it would be better if there is a provision for a user to authenticate anonymously, without revealing the details. Users are provided with a mechanism to anonymously authenticate themselves with an anonymous credential. Some users try to misbehave by taking advantage of anonymity due to the anonymous nature of the transactions. Hence there is the need to formulate some method to stop misbehavior by such users.

PROPOSED SYSTEM

Anonymous Credential Systems provides a mechanism for the users to authenticate themselves in a privacy enhancing way. As the users can authenticate anonymously without revealing their details, the transactions performed by such a user are inherently anonymous. By taking advantage of their anonymity some users try to misbehave. Hence there is a need to formulate some method to stop and block such users from misbehaving and protect the reputation of the service providers. We introduce a method called BLACTR – Blacklistable Anonymous Credentials with Trust Reputation to revoke misbehaving users with TTP.

SCOPE AND PURPOSE

The work can be implemented over a wide range of disciplines ranging from medical applications to social networking sites, blacklisting anonymous users regardless of their anonymizing network(s) of choice and regardless of application. The purpose of our work is to protect the service providers (responder) from misbehaving users while providing access to non-misbehaving users, blocking the misbehaving user by the service providers, and tracing them with the help of CA and TTP.

THESIS ORGANIZATION

The current Chapter (Chapter 1 - Introduction) is an Introduction Chapter and gives a brief introduction about our problem statement.

Chapter 2 - (Background and Related Work) describes the background information and related work to this research. The chapter surveys the different methods and approaches for anonymous credentials that are available in the literature.

Chapter 3 - (Primitives & Building Blocks) summarizes preliminaries and building blocks for anonymous credentials. The chapter provides an abstract view of the building blocks.

Chapter 4 - (Anonymity as a Security Property) provides the needed definitions and terminology. It presents the required architecture, requirements, properties and other building blocks for anonymous credential system. It gives a framework for designing an anonymous credential system and an overview of the revocation process.

Chapter 5 - (BLACTR) provides a more concrete view of our work. This chapter presents the approach and the required cryptographic support to build an anonymous trust reputation management system to blacklist misbehaving anonymous users.

Chapter 6 - (Experimental Results) describes about the experimental setup and the experimental results carried out.

Chapter 7 - (Discussion of Results) discuss about performance analysis of the experimental results obtained.

Chapter 8 - (Conclusions & Future Work) mentions the conclusions of the present work and possible enhancements of this work; then concludes the thesis.

Bibliography- gives the list of journal, conference papers referred and list of websites visited.

Appendix – gives details of methodologies used in the thesis.

Glossary – mentions definition/ short description about the important keywords.

Contributions to work - Finally we include the list of contributions to the work, listing the number of papers published in journals.

SUMMARY

This chapter has highlighted about motivation, problem statement, scope and purpose of this thesis. Finally it talks about what each chapter focuses on.

CHAPTER 2: BACKGROUND AND RELATED WORK

This chapter highlights on work carried out in the literature.

2.1 RELATED WORK

First, it was Chaum to propose privacy-enhancing cryptographic protocols in which the, amount of personal data disclosed on a network can be minimized. His work [1, 3, and 4] put forward the principles of anonymous credentials and pseudonym systems. These concepts are about issuing a digital signature by some party where the signed message includes information about the user.

Chaum [3] was the first to introduce a scenario with multiple users who manage to transfer credentials from one organization to another while remaining anonymous to the organizations.

Chaum [2] also introduced the concept of blind signatures to be able to protect the privacy of users in applications like electronic payment systems.

Chaum [2] and Brands [7] have proposed two different sets of protocols having the strongest privacy protection of any developed payment system guaranteeing no compromise in the payer’s privacy by the payment procedure against a colluding payee and bank. For this they have used complex cryptographic protocols.

Chaum and Evertse [4] build up a model for pseudonym systems based on RSA. Their solution was based on existence of a third party’s involvement which is semi trusted in all transactions. However, a semi-trusted third party involvement is undesirable.

Damgard [5] constructs a scheme to guard organizations from credential forgery by central authority and malicious users. Their scheme was based on multiparty computations and bit commitments that protect the privacy of the individual. The role of central authority is restricted to ensure that each pseudonym belongs to some legitimate user. The scheme employed general complexity-theoretic primitives like zero-knowledge proofs and one-way functions and hence not applicable for practical use. Moreover, still the protection problem of organizations against colluding users is unresolved.

Chen [6] proposes a scheme based on discrete logarithm where a trusted center has to approve all the pseudonyms. The trusted center does not involve in the credential transfer as the scheme relies on the honest behavior of the trusted center. The scheme was based on discrete-logarithm based blind signatures. Though efficient, this scheme does not address the colluding user’s problem. This scheme carries another drawback that to use one credential multiple times, several signatures are to be obtained by a user from the issuing organization.

Brands [7] provides a certificate system where a user has control over known things about the pseudonym’s attributes. Although a one-show credential system can be inferred from his framework, it does not immediately obtain a credential system with multi-show credentials and may in fact be impossible practically. Another drawback of the system is that the same discrete logarithm group is to be shared by all the users and the certification authorities.

Anna et al [8] gave a formal definition of pseudonym systems in which the trusted center’s involvement is made minimal and further users are recommended not to share their identity with others. A general credential system was proposed by them based on one-way function. They also suggest an efficient and easy to implement practical scheme which is a significant improvement over its predecessors. While this solution captures many desirable properties, in practice it is not usable because their constructions are based on zero-knowledge proofs and one-way functions.

Diaz and Preneel [82] motivate the need for anonymity at the communication layer and describe the potential risks of having traceable communications. They then introduce the legal requirements for data retention that motivate the need for revocability of anonymity upon the request of law enforcement. They describe the main building blocks for anonymous communication and revocation. These building blocks can be combined in order to build a revocable anonymous communication infrastructure that fulfills both privacy and law enforcement requirements.

Serjantov et al [84] provide a rigorous analysis and comparison of several properties of each mix variant, including anonymity, latency, and resistance to blending attacks. They also give intuition and guidelines about which environments and circumstances are most suitable for each mix variant.

Farkas et al [94] studied the problem of anonymity versus accountability in electronic communities. They claim that anonymity often allows people to act without consideration, rudely and can result in serious risks to security. Accountability is required to make entities within the system responsible for their acts. They argue that full anonymity may present a security risk that is unacceptable in certain applications; therefore, anonymity and accountability are both needed. Their main focus of research was to provide accountable anonymity. Based on the general model of an electronic Editorial Board (e-EB) they have developed the concept of Anonymous and Accountable Self-Organizing Communities (A2SOCs).

Diaz et al [91] discusses the issues related to controlled anonymity from a wide perspective. They have selected three applications: controlled anonymous communication systems, controlled anonymous email and controlled anonymous databases. They discuss the anonymity control requirements of these three applications. They describe a set of building blocks that are needed to implement controlled anonymous applications. They present a methodology for designing controlled anonymous applications. They present research results that have advanced the understanding and analysis of anonymous systems.

Patrick P Tsang et al [85] propose the first cryptographic construction that provides anonymous blacklisting, subjective judging simultaneously and eliminates the need to rely on trusted third parties that are capable of revoking the users privacy. They referred their construction as BLAC (Blacklistable Anonymous Credentials).

Man H. Au et al [88] made the first notable effort to extend TTP-free anonymous revocation with subjective blacklisting to more broad behavior-based policies. Their construction BLACR (BLacklistable Anonymous Credentials with Reputation) was designed by extending the approach BLAC, while unlike PEREA [104] does not require identifying misbehaviors within a "revocation window". They showed how various negative or positive scores can be assigned to anonymous sessions across various categories of misbehavior resulting in users being blocked based on their reputation scores. By their results they show that, to support reputation-based anonymous revocation BLACR can indeed be used in practical settings.

Camenisch et al [92] build a system that permits a user to authenticate anonymously for at most n times in a given single time period. A user shows an e-token to authenticate himself to a verifier and further each e-token cannot be reused. A verifier can identify a reused e-token; however anonymity of honest users is preserved who don’t reuse e-tokens. A user can withdraw a dispenser of n e-tokens. The dispenser is automatically refreshed for every time period.

Wright et al [86] surveyed the threats that passive logging attacks pose to anonymous communications. Their previous work analyzed these attacks under limiting assumptions. Their analysis shows that the defense improves anonymity in the static model, where nodes stay in the system, but fails in a dynamic model, in which nodes leave and join.

Brickell et al [79] described the direct anonymous attestation scheme (DAA). Trusted Computing Group adopted this system as the means for remote authentication of a hardware module called, trusted platform module (TPM).

Camenisch and Lysyankaya [67] proposed the first practical solution in which a user is allowed to unlinkably demonstrate possession of a credential multiple number of times with respect to the requirement, without involving the issuing organization. They proposed for the first time, optional anonymity revocation for specific transactions to prevent misuse of anonymity. Their scheme offers separability: cryptographic keys can be chosen by all organizations without depending on each other. Moreover, they suggest a better method called all-or-nothing sharing to prevent users from sharing their credentials with others.

Camenisch and Grob [95] presented an extension to anonymous credential system of Camenisch-Lysyanskaya [67], and they claimed that their scheme is efficient for selective disclosure of attributes. Their system can integrate a large number of discrete binary and finite-set values and encode them as prime numbers, compresses all such attributes into a single attribute base. Their approach boosts the efficiency of all proofs of possession and their method can be better utilized in devices like smart cards and cell phones which have restricted computational capabilities.

Danezis and Sassaman [97] assess the two leading classes of anonymity revocation systems, and pointed out the fundamental flaws in their architecture, failure to guarantee proper anonymity revocation, as well as added weakness for users not targeted for anonymity revocation. They locate the two suggestions for "conditional anonymity" to be a significant departure from the strength and security assurances in traditional, non-backdoor anonymity systems.

Camenisch and Herreweghen [68] depict the design and implementation of idemix (identity mix). The system is based on new high-level primitives and interfaces allowing for easy integration into access control systems. They also discuss about the deployment issues.

Pashalidis and Mitchell [98] identified certain privacy threats that apply to anonymous credential systems. They focused on timing attacks that apply even if the system is cryptographically secure. They provide some simple heuristics that aim to mitigate the exposure to the threats.

Danezis et al [90] set up a message based anonymous remailer protocol with secure single use reply blocks referred as Mixminion. Mix nodes cannot differentiate Mixminion forward messages from reply messages, hence forward and reply messages share the same anonymity set. They add directory servers that let users to find out public keys and performance statistics of participating remailers, and they describe Nym servers that provide long-term pseudonyms using single-use reply blocks as a primitive. Their design integrates link encryption between remailers to provide forward anonymity.

Chase and Lysyankaya [99] formally define the notion of a signature of knowledge. They then extend their definition to allow signatures of knowledge to be nested i.e., a signature of knowledge can itself serve as a witness for a new signature of knowledge. As a consequence, they obtain the first delegatable anonymous credential system, i.e., a system in which one can use one’s anonymous credentials as a secret key for issuing anonymous credentials to others.

Brands [93] provides a technical overview of Digital Credentials. Digital Credentials are the digital equivalent of paper documents, plastic tokens, and other tangible objects issued by trusted parties. At the same time, they are much more powerful than their physical counterparts. For example, individuals can selectively disclose properties of the data fields in their Digital Credentials while hiding any other information. Digital Credentials also provide much greater security. As a result, they can be used to securely implement objects that traditionally are made identifiable in order to deal with certain kinds of fraud.

Groth et al [100] resolve two problems regarding NIZK (Non Interactive Zero Knowledge). It was Groth group who first gave the construction for perfect NIZK argument system for any NP language. They construct the first UC (Universal Composability) secure NIZK argument for any NP language in the presence of a dynamic/adaptive adversary.

Belenkiy et al [101] build an efficient delegatable anonymous credentials system, in which users can delegate their credentials to other users, and prove possession of a credential L levels away from a given authority. The size of the proof (and time to compute it) is O (Lk), where k is the security parameter. They formally define the notion of randomizable non-interactive zero-knowledge proofs, and give the first instance of controlled re-randomization of non-interactive zero-knowledge proofs by a third-party. Their construction uses Groth-Sahai proofs [96].

Claessens et al [80] provide a solution for revocable anonymous access to the Internet. Their solution provides anonymous access to every user; however when appropriate, and only with the help of a trusted party, the anonymity can be revoked to reveal the real identity of a particular user. Their proposed solution provides a high level of anonymity for the ordinary user, while at the same time technically guaranteeing good identifiability of misbehaving users. Although their solution is conceptually suited for all IP-based communication, it is probably more realistic to be deployed for specific services or in specific locations only.

Cramer et al [77] describe and analyze a new digital signature scheme. Their scheme is quite efficient, does not require the signer to maintain any state, and can be proven secure against an adaptive chosen message attack under a reasonable intractability assumption, the so-called strong RSA assumption. Moreover, a hash function can be incorporated into the scheme in such a way that even in the random oracle model it is secure under the standard RSA assumption.

Danezis and Diaz [89] summarize the field of anonymous communications, from its establishment. Key systems presented are categorized based on their underlying principles: semi-trusted relays, mix systems, remailers, onion routing, and systems to provide robust mixing. They also include extensive discussions of the threat models and usage models provided by different schemes, and the trade-offs between the security properties offered and the communication characteristics supported by different systems.

Sassaman et al [83] describe the Pynchon Gate, a practical pseudonymous message retrieval system. Their design uses a simple distributed trust private information retrieval protocol to prevent adversaries from linking recipients to their pseudonyms, even when some of the infrastructure has been compromised. Their approach resists global traffic analysis significantly better than existing deployed pseudonymous email solutions, at the cost of additional bandwidth.

Dingledine et al [87] present Tor (The Onion Routing), a circuit-based low-latency anonymous communication service. This second-generation Onion Routing system addresses limitations in the original design by adding perfect forward secrecy, congestion control, directory servers, integrity checking, configurable exit policies, and a practical design for location-hidden services via rendezvous points. Tor works on the real-world Internet, requires no special privileges or kernel modifications, requires little synchronization or coordination between nodes, and provides a reasonable tradeoff between anonymity, usability, and efficiency.

R. Bhaskar et al [102] discuss the vulnerabilities in anonymous credential systems. They present concern about the existing anonymous credential systems, emphasizing the need for additional debate about the definitions of security requirements for anonymous credential systems. They conclude that a compromise is required, either in the security requirements or in the amount of trust bestowed on the participants, in order to achieve a practical and efficient anonymous credential system.

The Direct Anonymous Attestation scheme (DAA) [79] was complex and requires demanding computations to be performed on a tamper-proof device for example secure smart cards which are typically resource constrained. Michael et al [103] present the first implementation of the simplified Direct Anonymous Attestation protocols suitable for contemporary Java Card smart cards.

Yang et al [105] propose a new and efficient approach for anonymous password authentication. Their approach assumes a different setting where users do not register their passwords to the server; rather, they use passwords to protect their authentication credentials. They present a concrete scheme, and get over a number of challenges in securing password protected credentials against off-line guessing attacks.

Chen and Xu [60] proposed a scheme of anti-collusion anonymous credentials based on any secure public key algorithm. In their scheme, there is no need of a trusted third party to issue the public keys and the secret keys, the scheme takes the advantage of the relation of the public key and the secret key, i.e., it is easy to generate a pair of public key and the corresponding secret key, but hard to deduce the secret key from a particular public key.

Yao and Tamassia [61] introduce a decentralized trust management model called anonymous role-based cascaded delegation. In their model, a delegator can issue authorizations without revealing identity. In order to provide an efficient storage and transmission mechanism for credentials they present a new signature scheme that supports both signer anonymity and signature aggregation. Their scheme makes it especially suitable for ubiquitous computing environments because of compact role signatures, where users may have mobile computing devices with narrow communication bandwidth and small storage units.

Maaser and Ortmann [62] present an approach that allows a fully anonymous use of services. The certificates are signed by a trusted authority that knows the identity and hence the rights and properties of the user, but is not able to track the issued certificates. The certificates are signed in blind, which protects the user’s privacy from the authority. The ownership of a certificate can be proven by the presenter without releasing his identity. This protects the privacy of the user against the service he uses.

Ge and Tate [64] present a new system for anonymous authentication, which allows a user to prove possession of an authenticated credential while not revealing his or her identity. Their system is an extension of an existing group signature scheme, providing additional features drawn from work on traceable signatures and direct anonymous attestation. Their first extension, a property taken from traceable signatures, allows a signer to later "claim" a signature, proving that they are indeed the individual who created this signature. Their second extension, taken from the work on direct anonymous attestation, allows a prover and verifier to agree on the degree of linkability of transactions, ranging from completely non linkable transactions, to being able to link transactions made within a fixed time period (like a day), to completely linkable transactions. Their scheme is proved to be secure under the decisional Diffie-Hellman assumption and the strong RSA assumption.

Ding et al [71] work is motivated by attractive features of group signatures, particularly, their potential to serve as foundation for anonymous credential systems. They re-examined the entire notion of group signatures from a systems perspective and identify two new security requirements: leak-freedom and immediate-revocation, which are crucial for a large class of applications. They then present a new group signature scheme that achieves all identified properties. Their scheme is based on the so-called systems architecture approach. It is more competent than the degree of advanced stage of technology and facilitates easy implementation. Moreover, it reflects the well known separation-of-duty principle. Another benefit of their scheme is the obviated reliance on underlying anonymous communication channels, which are necessary in previous schemes.

Xin and Qiu-liang [72] present a scheme called Abstract-Hidden identity-based signatures (abbreviated as Hidden-IBS) as a variant of the traditional notion of group signature schemes. Compared with group signature schemes, Hidden-IBS is more attractive in the application of identity management systems and anonymous credential systems. They compared their scheme with Kiayias-Zhou scheme and have obtained better results.

Aimeur et al [73] introduce the Anonymous Credentials for E-learning Systems (ACES), a set of protocols to preserve learner’s privacy in E-learning environments. To prevent the misuse of privacy, ACES prevents the possibility of sharing credentials between learners. Although the ACES can be easily adapted to the other privacy and tracking levels, considerations is due to the complexity of the protocol, and the implied overhead with the higher levels of privacy and tracking.

Lixin et al [74] propose a remote anonymous attestation scheme with an improved Privacy CA. The Privacy CA issues an Anonymous Attribute Credential for a Trusted Computing Platform and doesn’t need to be involved in all attestations. The proposed scheme is highly efficient and fulfills the requirements of anonymous credential system very well. At last, they analyze two types of attack and the results show that their scheme is able to resist them.

Critchlow and Zhang [76] present a revocation scheme for an Anonymous Accountable PKI (Public Key Infrastructure) (A2PKI) certificate tree. Their proposed revocation scheme for A2PKI certificate trees enables the certificate holder to revoke a certificate and all down-stream child certificates with a single revocation request message. The protocol provides much needed facilities for A2PKI certificate issuers and holders whilst necessitating minimal changes to the present PKI infrastructure. Furthermore, the integration of A2PKI and ‘classical’ PKI certificate revocation schemes further enhances the accountability of A2PKI certificates.

Zhang and Chen [78] proposed an efficient delegation model based on anonymous credential where a user can prove the possession of valid credentials without interacting with identity providers, and grant delegatee to perform actions on his behalf. Beyond user-centricity, they present a universal identity management model based on the delegation model to unify the relationship-focused and credential focused paradigms. Their model focuses on the privacy-preservation of users through the unlinkability of pseudonyms, data minimization and selective release of personal information. Their model extends WS-Federation with enhanced credentials supporting efficient service composition.

2.2 SUMMARY

In this chapter we studied the related work carried out in the area of anonymous communications, anonymous credential systems and revocation mechanisms.