Privacy-Preserving Telemonitoring for eHealth Mohamed Layouni , - - PowerPoint PPT Presentation

SLIDE 1

Introduction Settings Requirements Building Blocks Protocol Description Discussion

Privacy-Preserving Telemonitoring for eHealth

Mohamed Layouni⋆, Kristof Verslype†, Mehmet Tahir Sandıkkaya‡, Bart De Decker†, Hans Vangheluwe⋆

⋆ School of Computer Science, McGill University, Canada
† Department of Computer Science, KULeuven, Belgium
‡ Katholieke Hogeschool Sint-Lieven, Gent, Belgium

MSDL 2009 Summer Presentations 27 August 2009 McGill University

SLIDE 2

Motivation

Telemonitoring ≡ monitoring patients' health in their natural environment (home, work, family etc.)

Why is it useful?
- Reduces the burden on public healthcare system
- Helps patients remain active and improves the healing process
- Helps elderly people remain active/independent and avoid nursing homes
- . . .

SLIDE 3

Motivation

But!
- Privacy concerns are still a big obstacle to the adoption of such a system/service
- Patients are skeptical about the way their data is handled
- Patients are also concerned about the dependability/reliability of the system

SLIDE 4

Focus of this work: Information Security and Privacy

We try to answer questions such as:
- Who gets to see the patient's information?
- How is this information stored? retained? processed?
- Can the patient decide what information gets revealed? to whom?
- In case a monitoring device is used, is it possible to control what data this device communicates to the outside world?

SLIDE 5

Outline

1. Introduction
2. Settings
3. Requirements
4. Building Blocks
5. Protocol Description
6. Discussion

SLIDE 6

Overview

[Diagram labels: Doctor, Hospital, Patient, Patient Home, Master Monitoring Device (M)]

Figure: Setting of the Health Telemonitoring System

SLIDE 7

Sample Security and Privacy Requirements

Privacy Requirements
- Selective disclosure
- Patient-centricity
- Pseudonymity
- Conditional deanonymization

Security Requirements
- Confidentiality
- Integrity

SLIDE 8

General Overview

[Diagram labels: Measurement Device 1 ... Measurement Device n, sending SymEnc(D1) ... SymEnc(Dn); Master Monitoring Device (M); Patient-controlled Computer (U); Patient SmartCard (Observer, O); Monitoring Center (Hospital); Sanitized Data; Joint Signing; Encrypted; Signed]

Figure: Health Telemonitoring System – General Overview

Execution sequence : Black, Blue, Red

SLIDE 9

General Overview

Proposed construction based on:
- Wallet-based Anonymous Credentials.
- Perfectly Blinding Commitment Schemes.
- Conventional Symmetric-Key Cryptosystems.

SLIDE 10

Anonymous Credentials

[Diagram labels: Issuer; User; Verifier; Verifiers; Cred; A1,..,An; Show Cred; Prove Pred(A1,...,An); Provide Service; Deposit Showing Transcript]

Figure: Anonymous Credential Issuing, Showing, and Depositing

SLIDE 11

Anonymous Credentials

Properties of Privacy-preserving (Anonymous) Credentials
- Selective disclosure (in the sense of Zero Knowledge)
- Unforgeability (issuing)
- Soundness (no false claims)
- No framing (showing transcript unforgeability)
- Untraceability (showings unlinkable to user's identity)
- Unlinkability (between showings)
- Limited-show unlinkability, untraceability
- . . .

Existing Commercial Implementations
- IBM's IDEMIX (Camenisch and Lysyanskaya)
- Credentica's (now Microsoft) U-Prove (Brands)

SLIDE 12

Wallet-based Anonymous Credentials

[Diagram labels: User SmartCard (Observer, O); User-controlled Computer (U); Verifier/Issuer; Joint Credential Showing / Issuing]

Figure: Wallet-based Anonymous Credential Showing (Wallet-based Issuing is similar)

- Wallet-with-Observer paradigm invented by Chaum and Pedersen [CP92]. Improved by Cramer and Pedersen [CP93], and later by Brands [Br00].
- Properties of wallet-based Anonymous Credentials:
  - Inflow/Outflow prevention
  - Cred showing fraud prevention
  - Two-factor authentication
  - . . .

SLIDE 13

Wallet-based Anonymous Credentials

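Public Info: $(g_i)_{0 \le i \le \ell}$, $h_0 = g_0^{x_0}$, $(g_i^{x_0})_{1 \le i \le \ell}$, $h_0^{x_0}$, $q$, $G_q$, $\mathcal{H}$, $g_O$

Parties and inputs:
- Observer O: $(x, e, cert_{CA}(e))$
- User's computer U: $(x_3, \cdots, x_{\ell-1})$
- Issuer CA: $(x_0, x_{\ell'+1}, \cdots, x_{\ell-1})$

Protocol:

Issuer → U → O: $m_0$, where $m_0 = nonce \| \ldots$

O: $x_1, x_2 \in_R \mathbb{Z}_q$
   $com_1 := g_1^{x_1} g_2^{x_2}$
   $com_1^{x_0} := (g_1^{x_0})^{x_1} (g_2^{x_0})^{x_2}$
   Store $(x_1, x_2)$

O → U: $com_1,\ com_1^{x_0},\ (e, cert_{CA}(e))$, $SPK\{(\alpha_1, \alpha_2, \beta) : com_1 = g_1^{\alpha_1} g_2^{\alpha_2} \wedge e = g_O^{\beta}\}(m_0)$   (this message is denoted $M_1$)

U: $x_\ell \in_R \mathbb{Z}_q$
   $com_2 := g_3^{x_3} \cdots g_{\ell'}^{x_{\ell'}} g_\ell^{x_\ell}$

U → Issuer: $com_2,\ M_1$, $SPK\{(\varepsilon_3, \cdots, \varepsilon_{\ell'}, \varepsilon_\ell) : com_2 = g_3^{\varepsilon_3} \cdots g_{\ell'}^{\varepsilon_{\ell'}} g_\ell^{\varepsilon_\ell} \wedge P(\varepsilon_3, \cdots, \varepsilon_{\ell'}, \varepsilon_\ell) = TRUE\}(m_0, M_1)$

Issuer: $w_0 \in_R \mathbb{Z}_q$
   $a_0 := g_0^{w_0}$
   $b_0 := (com_1 \cdot com_2 \cdot g_{\ell'+1}^{x_{\ell'+1}} \cdots g_{\ell-1}^{x_{\ell-1}} \cdot h_0)^{w_0}$

Issuer → U: $a_0, b_0$

U: $\alpha_1, \alpha_2, \alpha_3 \in_R \mathbb{Z}_q$
   $f := com_1 \cdot com_2 \cdot g_{\ell'+1}^{x_{\ell'+1}} \cdots g_{\ell-1}^{x_{\ell-1}} \cdot h_0$
   $h := f^{\alpha_1}$
   $z = f^{x_0} := com_1^{x_0} \cdot (g_3^{x_0})^{x_3} \cdots (g_{\ell-1}^{x_0})^{x_{\ell-1}} \cdot h_0^{x_0}$
   $z' := z^{\alpha_1}$
   $a'_0 := h_0^{\alpha_2} g_0^{\alpha_3} a_0$
   $b'_0 := (z')^{\alpha_2} h^{\alpha_3} b_0^{\alpha_1}$
   $c'_0 := \mathcal{H}(h, z', a'_0, b'_0)$
   $c_0 := c'_0 + \alpha_2 \bmod q$

U → Issuer: $c_0$

Issuer: $r_0 := c_0 x_0 + w_0$

Issuer → U: $r_0$

U: $r'_0 := r_0 + \alpha_3$
   Accept iff $a'_0 b'_0 = (g_0 h)^{r'_0} (h_0 z')^{-c'_0}$
   Store $h$, $\sigma_{CA}(h) = (z', r'_0, c'_0)$, $com_1$, $\alpha_1$, $(x_3, \cdots, x_\ell)$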

Figure: Wallet-based Anonymous Credential Issuing
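
The blinded issuing exchange above, run end to end as an added example (not code from the presentation). The toy group, the issuer key x0 = 77, the choice ℓ = 5 with ℓ′ = 3 and all helper names are assumptions made for illustration; the SPK proofs and the certificate on e are left out, and the product for z is taken over x_3..x_ℓ so that z equals f^{x0}.

```python
import hashlib, math, secrets

# Toy group, constructed for illustration: p = 2q + 1, G_q = squares mod p.
q = 1019
p = 2 * q + 1
g = [pow(b, 2, p) for b in (2, 3, 5, 7, 11, 13)]   # g_0..g_5 (l = 5, l' = 3)
x0 = 77                                            # issuer secret (constructed)
h0 = pow(g[0], x0, p)
gx = [pow(gi, x0, p) for gi in g]                  # public g_i^{x0}
h0x = pow(h0, x0, p)                               # public h_0^{x0}

def rnd():
    return secrets.randbelow(q - 1) + 1            # nonzero element of Z_q

def H(*v):
    return int.from_bytes(hashlib.sha256(repr(v).encode()).digest(), "big") % q

def prod(bases, exps):
    return math.prod(pow(b, e, p) for b, e in zip(bases, exps)) % p

def issue(x):
    """x = [None, x1..x5]: x1, x2 held by O; x3, x5 by U; x4 set by the issuer."""
    com1, com1x = prod(g[1:3], x[1:3]), prod(gx[1:3], x[1:3])   # observer O
    com2 = prod((g[3], g[5]), (x[3], x[5]))                     # user U
    f = com1 * com2 * pow(g[4], x[4], p) * h0 % p
    w0 = rnd()                                                  # issuer
    a0, b0 = pow(g[0], w0, p), pow(f, w0, p)
    al1, al2, al3 = rnd(), rnd(), rnd()                         # U's blinding factors
    h = pow(f, al1, p)
    z1 = pow(com1x * prod(gx[3:], x[3:]) * h0x % p, al1, p)     # z' = (f^{x0})^{al1}
    a0p = pow(h0, al2, p) * pow(g[0], al3, p) * a0 % p
    b0p = pow(z1, al2, p) * pow(h, al3, p) * pow(b0, al1, p) % p
    c0p = H(h, z1, a0p, b0p)
    c0 = (c0p + al2) % q                       # the only challenge the issuer sees
    r0p = ((c0 * x0 + w0) + al3) % q           # issuer's r0, then blinded with al3
    return {"h": h, "sig": (z1, r0p, c0p), "a0p": a0p, "b0p": b0p, "c0": c0}

def accept(h, sig, a0p, b0p):
    """User's check: a'_0 b'_0 == (g_0 h)^{r'_0} (h_0 z')^{-c'_0}."""
    z1, r0p, c0p = sig
    return a0p * b0p % p == pow(g[0] * h, r0p, p) * pow(h0 * z1, q - c0p, p) % p
```

The issuer only ever handles a0, b0, c0 and r0, none of which appears in the stored pair (h, σCA(h)).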

SLIDE 14

Wallet-based Anonymous Credentials

Issuing Protocol Summary

At the end of the issuing protocol, the pair (O, U) obtains an anonymous credential $(h, \sigma_{CA}(h))$ with attributes $x_1, \cdots, x_\ell$, such that:
- U knows only $x_3, \cdots, x_\ell$.
- O knows only $x_1, x_2$.
- Issuer knows only $x_{\ell'+1}, \cdots, x_{\ell-1}$, where $\ell' \le \ell - 2$.
- O and Issuer do not learn information on $(h, \sigma_{CA}(h))$.

SLIDE 15

Wallet-based Anonymous Credentials

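Public Info: $(g_i)_{0 \le i \le \ell}$, $h_0 = g_0^{x_0}$, $(g_i^{x_0})_{1 \le i \le \ell}$, $h_0^{x_0}$, $q$, $G_q$, $\mathcal{H}$, $g_O$

Parties and inputs:
- Observer O: $(x_1, x_2)$
- U: $(x_3, \cdots, x_\ell, \alpha_1, com_1, h, \sigma_{CA}(h))$
- Verifier

where $\sigma_{CA}(h) = (z', r'_0, c'_0)$ and

$h = (h_0 \cdot \prod_{i=1}^{\ell} g_i^{x_i})^{\alpha_1} = h_0^{\alpha_1} \cdot \prod_{i=1}^{\ell} g_i^{(\alpha_1 x_i)}$

Protocol:

Verifier → U: $m$, where $m := nonce \| \ldots$

O: $w_1, w_2 \in_R \mathbb{Z}_q$
   $a_O := g_1^{w_1} g_2^{w_2}$

O → U: $a_O$

U: $\beta, \gamma_1, \gamma_2, w_0, w_i \in_R \mathbb{Z}_q$, where $i \in [3, \ell]$
   $a_U := h_0^{w_0} \cdot \prod_{i=3}^{\ell} g_i^{w_i}$
   $a := a_O \cdot a_U \cdot com_1^{(\alpha_1 \beta)} g_1^{\gamma_1} g_2^{\gamma_2}$
   $c := \mathcal{H}(h, a, m)$
   $c_O := \alpha_1 (c + \beta)$

U → O: $c_O$

O: $r_{O,1} := w_1 + c_O x_1$
   $r_{O,2} := w_2 + c_O x_2$

O → U: $r_{O,1}, r_{O,2}$

U: $r_1 := r_{O,1} + \gamma_1$
   $r_2 := r_{O,2} + \gamma_2$
   $r_i := w_i + c\,(\alpha_1 x_i)$, where $i \in [3, \ell]$
   $r_0 := w_0 + c\,\alpha_1$

U → Verifier: $h, \sigma_{CA}(h), a, (r_0, \cdots, r_\ell)$

Verifier: $c := \mathcal{H}(h, a, m)$
   accept iff $\sigma_{CA}(h)$ is valid AND $a \stackrel{?}{=} \left( h_0^{r_0} \cdot \prod_{i=1}^{\ell} g_i^{r_i} \right) \cdot h^{-c}$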

Figure: Wallet-based Anonymous Credential Showing
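
The joint showing proof above as an added example (not code from the presentation), with the observer modelled as a separate object that only ever sees c_O. The toy group, x0 = 77, ℓ = 5, the attribute values and all names are assumptions made for illustration; the check that σCA(h) is valid is not included here.

```python
import hashlib, math, secrets

# Toy group, constructed for illustration: p = 2q + 1, G_q = squares mod p.
q = 1019
p = 2 * q + 1
g = [pow(b, 2, p) for b in (2, 3, 5, 7, 11, 13)]   # g_0..g_5 (l = 5)
h0 = pow(g[0], 77, p)                              # h_0 = g_0^{x0}, x0 constructed

def rnd():
    return secrets.randbelow(q)

def H(*v):
    return int.from_bytes(hashlib.sha256(repr(v).encode()).digest(), "big") % q

def prod(bases, exps):
    return math.prod(pow(b, e, p) for b, e in zip(bases, exps)) % p

class Observer:
    """Smart card O: holds x1, x2 and never sees c, h or the final proof."""
    def __init__(self, x1, x2):
        self.x = (x1, x2)
    def commit(self):
        self.w = (rnd(), rnd())
        return prod(g[1:3], self.w)                          # a_O
    def respond(self, cO):
        return [(w + cO * x) % q for w, x in zip(self.w, self.x)]

def show(obs, xs, alpha1, com1, h, m):
    """User U: xs = [x3, x4, x5]; returns (a, [r0..r5]) for nonce m."""
    aO = obs.commit()
    beta, gam1, gam2, w0 = rnd(), rnd(), rnd(), rnd()
    w = [rnd() for _ in xs]
    aU = pow(h0, w0, p) * prod(g[3:], w) % p
    a = aO * aU * pow(com1, alpha1 * beta % q, p) * prod(g[1:3], (gam1, gam2)) % p
    c = H(h, a, m)
    rO1, rO2 = obs.respond(alpha1 * (c + beta) % q)          # c_O blinds c
    r = [(w0 + c * alpha1) % q, (rO1 + gam1) % q, (rO2 + gam2) % q]
    return a, r + [(wi + c * alpha1 * xi) % q for wi, xi in zip(w, xs)]

def verify(h, a, r, m):
    """Verifier: a == (h_0^{r_0} * prod_{i>=1} g_i^{r_i}) * h^{-c}."""
    c = H(h, a, m)
    return a == pow(h0, r[0], p) * prod(g[1:], r[1:]) * pow(h, q - c, p) % p

def demo(m="nonce-1"):
    x, alpha1 = [None, 11, 22, 33, 44, 55], 5                # constructed attributes
    com1 = prod(g[1:3], x[1:3])
    h = pow(h0 * prod(g[1:], x[1:]) % p, alpha1, p)
    return (h,) + show(Observer(x[1], x[2]), x[3:], alpha1, com1, h, m)
```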

SLIDE 16

Wallet-based Anonymous Credentials

Showing Protocol Summary

At the end of the showing protocol, the Verifier is convinced that:
- U holds a valid credential $(h, \sigma_{CA}(h))$.
- U knows the attributes $x_3, \cdots, x_\ell$ (i.e., is the cred owner).
- O approved the showing.

The verifier learns only information willingly disclosed by the pair (O, U).

SLIDE 17

High-level description

[Diagram labels: Master Monitoring Device (M); Patient SmartCard (O), holding x1, x2; Patient-Controlled Computer (U), holding x3,...,xl; Monitoring Center (Hospital); (a) sanitized EHR (sEHR); (b) SPK_Patient(sEHR), "Jointly compute signature SPK"; (c) Enc_Hospital{Sig_M(SPK), sEHR}]

Figure: High-level Protocol Architecture (with two-factor message authentication)

SLIDE 18

Security and Privacy Analysis

- Selective disclosure (Anon Creds)
- Patient-centricity (Wallet-based Signed Proof of Knowledge)
- Pseudonymity & Conditional Deanonymization (Data Sanitization + Anon Cred Sig + Group Signature)
- Defense against covert channels (Wallet-with-Observer Inflow/Outflow Prevention Mechanisms)
- Integrity (Secure Sig Schemes)
- Confidentiality (Secure Encryption)

SLIDE 19

Thank you!
