Anonymous Authorisation in Smart Environments Florian Baumann - - PowerPoint PPT Presentation

anonymous authorisation in smart environments
SMART_READER_LITE
LIVE PREVIEW

Anonymous Authorisation in Smart Environments Florian Baumann - - PowerPoint PPT Presentation

Nov 30, 2022 137 likes •361 views

Anonymous Authorisation in Smart Environments Florian Baumann Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen August 13, 2014 Florian Baumann: Anonymous Authorisation in

slide-1
SLIDE 1

Anonymous Authorisation in Smart Environments

Florian Baumann

Chair for Network Architectures and Services Department for Computer Science Technische Universit¨ at M¨ unchen

August 13, 2014

Florian Baumann: Anonymous Authorisation in Smart Environments 1

slide-2
SLIDE 2

Outline

1

Motivation & Context

2

Research Questions

3

Analysis Requirements Approaches Comparison of the approaches

4

Solution

5

Schedule

Florian Baumann: Anonymous Authorisation in Smart Environments 2

slide-3
SLIDE 3

Motivation & Context

IDEM Customizable and Tenant-aware System for Energy Control Privacy concerns Tracking of individuals Profiling of individuals and their habits, especially with other sensor data Identity of individual often unnecessary to make authorisation decision Prevention of data breaches and abuse (if there is no data, it can’t be breached or abused)

Florian Baumann: Anonymous Authorisation in Smart Environments 3

slide-4
SLIDE 4

Scenario

Administration rents parts of its building to different companies Companies have Employees, who need to use the different services provided Employees have to authorise, to use services (e.g. Meeting Rooms, Cafeteria)

Florian Baumann: Anonymous Authorisation in Smart Environments 4

slide-5
SLIDE 5

Research Questions

Research Questions

What is a suitable solution for secure, yet anonymous authorisation? What properties does the system need for an anonymous authorisation? How does the user interact with the system?

Florian Baumann: Anonymous Authorisation in Smart Environments 5

slide-6
SLIDE 6

Requirements

Requirements

(R1) Non-linkability of authorisations by the same person (R2) Revocation of Anonymity in special cases (e.g. fraud) (R3) Preventing unauthorised Lending (R4) Non-repudiation (R5) Revocation (R6) Limited show Token

Florian Baumann: Anonymous Authorisation in Smart Environments 6

slide-7
SLIDE 7

Approaches

Existing Authorisation Solutions (Shibboleth, OAuth, Kerberos) Building Tokens/Coins

Similar to coin money, Tokens can be only used once User receives Tokens into a digital wallet (Smartcard, Smartphone) Tokens contain a serial number, building remembers which serial numbers have been used

Digital Credentials

Proposed by Stefan Brands in 1993, borrowing heavily from work by David Chaum Similar to X.509 Certificates, as they contain attributes about the holder Allows for selective disclosure of these attributes, through proofs of knowledge

Florian Baumann: Anonymous Authorisation in Smart Environments 7

slide-8
SLIDE 8

Approaches

Existing Authorisation Solutions (Shibboleth, OAuth, Kerberos) Building Tokens/Coins

Similar to coin money, Tokens can be only used once User receives Tokens into a digital wallet (Smartcard, Smartphone) Tokens contain a serial number, building remembers which serial numbers have been used

Digital Credentials

Proposed by Stefan Brands in 1993, borrowing heavily from work by David Chaum Similar to X.509 Certificates, as they contain attributes about the holder Allows for selective disclosure of these attributes, through proofs of knowledge

Florian Baumann: Anonymous Authorisation in Smart Environments 7

slide-9
SLIDE 9

Approaches

Existing Authorisation Solutions (Shibboleth, OAuth, Kerberos) Building Tokens/Coins

Similar to coin money, Tokens can be only used once User receives Tokens into a digital wallet (Smartcard, Smartphone) Tokens contain a serial number, building remembers which serial numbers have been used

Digital Credentials

Proposed by Stefan Brands in 1993, borrowing heavily from work by David Chaum Similar to X.509 Certificates, as they contain attributes about the holder Allows for selective disclosure of these attributes, through proofs of knowledge

Florian Baumann: Anonymous Authorisation in Smart Environments 7

slide-10
SLIDE 10

Comparison

R1 R2 R3 R4 R5 R6 Existing Solutions ✗ ✗

  • Building Coins

  • Digital Credentials
  • (R1)

Non-linkability (R2) Anonymity Revocation (R3) Unauthorised Lending (R4) Non-repudiation (R5) Revocation (R6) Limited show Token Florian Baumann: Anonymous Authorisation in Smart Environments 8

slide-11
SLIDE 11

Digital Credentials

Source: ABC4Trust

Implemented by idemix (IBM) and U-Prove (Mircosoft) Privacy-Preserving Attribute-Based Credential Engine (ABC4Trust) provides interoperability

Florian Baumann: Anonymous Authorisation in Smart Environments 9

slide-12
SLIDE 12

Credential Types

Credential Types

CompanyCred

CompanyID, Name, NotBefore, NotAfter, Revocation Handle

EmployeeCred

UserID, Name, NotBefore, NotAfter, Revocation Handle CompanyID carried over from the CompanyCred

ServiceCred

ServiceID, NotBefore, NotAfter, Revocation Handle UserID, CompanyID carried over from EmployeeCred Flag specifying, if User can pass it on to someone else Bound to same Key as EmployeeCred

Florian Baumann: Anonymous Authorisation in Smart Environments 10

slide-13
SLIDE 13

Credential Types

Credential Types

CompanyCred

CompanyID, Name, NotBefore, NotAfter, Revocation Handle

EmployeeCred

UserID, Name, NotBefore, NotAfter, Revocation Handle CompanyID carried over from the CompanyCred

ServiceCred

ServiceID, NotBefore, NotAfter, Revocation Handle UserID, CompanyID carried over from EmployeeCred Flag specifying, if User can pass it on to someone else Bound to same Key as EmployeeCred

Florian Baumann: Anonymous Authorisation in Smart Environments 10

slide-14
SLIDE 14

Credential Types

Credential Types

CompanyCred

CompanyID, Name, NotBefore, NotAfter, Revocation Handle

EmployeeCred

UserID, Name, NotBefore, NotAfter, Revocation Handle CompanyID carried over from the CompanyCred

ServiceCred

ServiceID, NotBefore, NotAfter, Revocation Handle UserID, CompanyID carried over from EmployeeCred Flag specifying, if User can pass it on to someone else Bound to same Key as EmployeeCred

Florian Baumann: Anonymous Authorisation in Smart Environments 10

slide-15
SLIDE 15

Credential Types

Credential Types

CompanyCred

CompanyID, Name, NotBefore, NotAfter, Revocation Handle

EmployeeCred

UserID, Name, NotBefore, NotAfter, Revocation Handle CompanyID carried over from the CompanyCred

ServiceCred

ServiceID, NotBefore, NotAfter, Revocation Handle UserID, CompanyID carried over from EmployeeCred Flag specifying, if User can pass it on to someone else Bound to same Key as EmployeeCred

Florian Baumann: Anonymous Authorisation in Smart Environments 10

slide-16
SLIDE 16

Issuance

Issuance

Administration

Issues CompanyCreds to Companies Issues ServiceCreds to Users, requires EmployeeCred

Companies

Issues EmployeeCreds to Users, requires CompanyCred Issues ServiceCreds to Users, requires EmployeeCred

Florian Baumann: Anonymous Authorisation in Smart Environments 11

slide-17
SLIDE 17

Verification

Verification

User states his CompanyID to Verifier Verifier retrieves the Issuing Public Key of the Company from the Knowledge Base (Trusted Storage) Verifier sends PresentationPolicy to User, stating which types

  • f Credentials and Attributes he wants to see

User chooses an appropriate combination from his Credentials to satisfy the policy Verifier check the received PresentationToken Verifier can store this token for later inspection

Florian Baumann: Anonymous Authorisation in Smart Environments 12

slide-18
SLIDE 18

Revocation

Normal Revocation

Revocation Authority periodically publishes Revocation Info (List of Revocation Handles) User proofs, that the Revocation Handle of its Credential is not in the list of revoked Handles

Revocation of all Credentials issued by a Company

Once a Company leaves the building its Public Key is deleted from the Knowledge Base As a consequence all Credentials issued will not be verifiable anymore

Florian Baumann: Anonymous Authorisation in Smart Environments 13

slide-19
SLIDE 19

Revocation

Normal Revocation

Revocation Authority periodically publishes Revocation Info (List of Revocation Handles) User proofs, that the Revocation Handle of its Credential is not in the list of revoked Handles

Revocation of all Credentials issued by a Company

Once a Company leaves the building its Public Key is deleted from the Knowledge Base As a consequence all Credentials issued will not be verifiable anymore

Florian Baumann: Anonymous Authorisation in Smart Environments 13

slide-20
SLIDE 20

Schedule

July August September October 1 2 3 4 5 6 7 8 9 10 11 12 13 14

Familiarisation Concept This Talk Implementation Testing Thesis Submission Defense

Florian Baumann: Anonymous Authorisation in Smart Environments 14

slide-21
SLIDE 21

Thank you

Thank you for listening. Any Questions?

Florian Baumann: Anonymous Authorisation in Smart Environments 15