Sicherheit in Rechnernetzen

1
Anonymity, unobservability, pseudonymity and
identity management requirements for an AmI world
Andreas Pfitzmann Dresden University of
Technology, Department of Computer Science,
D-01062 DresdenPhone 0351/ 463-38277, e-mail
pfitza_at_inf.tu-dresden.de, http//dud.inf.tu-dresde
n.de/
2
Excerpts from Treaty Establishing a Constitution
for Europe
Article I-2 The Union's values The Union is
founded on the values of respect for human
dignity, freedom, democracy, equality, the rule
of law and respect for human rights, including
the rights of persons belonging to minorities. ...
Article I-3 The Union's objectives 2. The Union
shall offer its citizens an area of freedom,
security and justice without internal frontiers,
and an internal market where competition is free
and undistorted.
3
Excerpts from Treaty Establishing a Constitution
for Europe

• Article II-68 Protection of personal data
• Everyone has the right to the protection of
  personal data concerning him or her.
• Such data must be processed fairly for specified
  purposes and on the basis of the consent of the
  person concerned or some other legitimate basis
  laid down by law. Everyone has the right of
  access to data which has been collected
  concerning him or her, and the right to have it
  rectified.

4
Distrust is the basis
Cooperation on the basis of mutual distrust
(e.g. separation of powers, checks and balances)
is the basis of organizing modern societies, not
trust.
5
Threats and corresponding protection goals
for authorized users
1) cannot be detected, but can be
prevented cannot be reversed2)3) cannot be
prevented, but can be detected can be reversed
6
Distrust is the basis, revisited
Cooperation on the basis of mutual distrust
(e.g. separation of powers, checks and balances)
is the basis of organizing modern societies, not
trust. Cf. confidentiality vs. integrity /
availability You cant check whether your trust
has been justified even after the fact vs. you
can check whether your trust has been justified.
7
Transitive propagation of errors and attacks
symbol explanation
computer
program
A used B todesign C
A
C
B
8

Trojan horse
unauthorized disclosure of information
(covert)output channel
unauthorizedmodification of information
write access
write accessnon-terminationresource consumption
Trojan horse
unauthorized withholding of information or
resources
9
Protection against whom ?
Laws and forces of nature - components are
growing old - excess voltage (lightning, EMP) -
voltage loss - flooding (storm tide, break of
water pipe) - change of temperature ...
faulttolerance
Human beings - outsider - user of the system -
operator of the system - service and
maintenance - producer of the system - designer
of the system - producer of the tools to design
and produce - designer of the tools to design
and produce - producer of the tools to design
and produce the tools to design and
produce - designer ...
Trojan horse universal transitive
10
Which protection measures against which attacker ?
protection concerning protection against
to achieve the intended
to prevent the unintended
designer and producer of the tools to design
and produce
intermediate languages and intermediate results,
which are analyzed independently
see above several independent designers
designer of the system
independent analysis of the product
producer of the system
service and maintenance
control as if a new product, see above
restrict physical access, restrict and
log logical access
operator of the system
physical and logical restriction of access
user of the system
protect the system physically and protect data
cryptographically from outsiders
outsiders
11
Multilateral security

• Each party has its particular protection goals.
• Each party can formulate its protection goals.
• Security conflicts are recognized and compromises
  negotiated.
• Each party can enforce its protection goals
  within the agreed compromise.

Security with minimal assumptions about others
12
Protection Goals Sorting
Content
Circumstances
Confidentiality Hiding
Anonymity Unobservability
Prevent the unintended
Integrity
Accountability
Achieve the intended
Reachability Legal Enforceability
Availability
13
Protection Goals Definitions
Confidentiality ensures the confidentiality of
user data when they are transferred. This assures
that nobody apart from the communicants can
discover the content of the communication.
Hiding ensures the confidentiality of the
transfer of confidential user data. This means
that nobody apart from the communicants can
discover the existence of confidential
communication. Anonymity ensures that a user can
use a resource or service without disclosing
his/her identity. Not even the communicants can
discover the identity of each other. Unobservabili
ty ensures that a user can use a resource or
service without others being able to observe that
the resource or service is being used. Parties
not involved in the communication can observe
neither the sending nor the receiving of
messages. Integrity ensures that modifications of
communicated content (including the senders
name, if one is provided) are detected by the
recipient(s). Accountability ensures that sender
and recipients of information cannot successfully
deny having sent or received the information.
This means that communication takes place in a
provable way. Availability ensures that
communicated messages are available when the user
wants to use them. Reachability ensures that a
peer entity (user, machine, etc.) either can or
cannot be contacted depending on user
interests. Legal enforceability ensures that a
user can be held liable to fulfill his/her legal
responsibilities within a reasonable period of
time.
14
Correlations between protection goals
Confidentiality Hiding
Anonymity Unobservability
Integrity
Accountability
Reachability Legal Enforceability
Availability
15
Golden rule
Since tamper-resistance of HW is all but good
and organizations are far from perfect keeping
secrets
Correspondence between organizational and IT
structures
Personal data should be gathered, processed and
stored, if at all, by IT in the hands of the
individual concerned.
16
Superposed sending (DC-network)
D. Chaum 1985 for finite fields A. Pfitzmann 1990
for abelian groups
station 1
M1 3A781
K1?2 2DE92
K1?3 4265B
99B6E
station 2
M2 00000
anonymous access
-K1?2 E327E
4AE41
3A781
M1 M2 M3
K2?3 67CD3
67EE2
station 3
M3 00000
-K1?3 CEAB5
User station
-K2?3 A943D
Pseudo-random bit-stream generator

Modulo- 16-Adder
Anonymity of the sender If stations are connected
by keys the value of which is completely unknown
to the attacker, tapping all lines does not give
him any information about the sender.
17
Protection of the communication relation
MIX-network
D.Chaum 1981 for electronic mail
MIX1 batches, discards repeats,
MIX2 batches, discards repeats,
18
Identity management

• Privacy-enhancing identity management is only
  possible w.r.t. parties which dont get GUIDs
  anyway, by
• the communication network (e.g. network
  addresses)
• the user device (e.g. serial numbers, radio
  signatures),
• or even
• the user him/herself (e.g. by biometrics).

19
Personal identifier
845 authorizes A ___
A notifies 845 ___
845 pays B
B certifies 845 ___
C pays 845
20
Role-relationship pseudonyms and transaction
pseudonyms
762 authorizes A __
A notifies 762 ___
451 pays B
B certifies 451 ___
B certifies 314 ___
C pays 314
21
Pseudonyms Linkability in detail
Distinction between 1. Initial linking between
the pseudonym and its holder 2. Linkability due
to the use of the pseudonym in different contexts
22
Pseudonyms Initial linking to holder
Public pseudonym The linking between pseudonym
and its holder may be publicly know from the very
beginning. Initially non-public pseudonym The
linking between pseudonym and its holder may be
know by certain parties (trustees for identity),
but is not public at least initially. Initially
unlinked pseudonym The linking between pseudonym
and its holder is at least initially not
known to anybody (except the holder).
Phone number with its owner listed in public
directories
Bank account with bank as trustee for
identity,Credit card number ...
Biometric characteristics DNA (as long as no
registers)
23
Pseudonyms Use in different contexts gt partial
order
number of an identity card, social security
number, bank account
pen name, employee identity card number
customer number
contract number
one-time password, TAN
A ? B stands for B enables stronger anonymity
than A
24
Summing up

• Requirements for a multilaterally secure and
  privacy-
• enabling AmI world
• Make sure that others cannot gather unnecessary
  data (just not gathering it is not enough, as
  history tells us).
• Since trust in foreign infrastructures w.r.t.
  confidentiality properties (e.g. privacy) will be
  very limited at best, each human should have
  his/her trusted device(s) to provide for his/her
  security. This device might act in an ambient way
  in the interests of its owner.
• Communication of humans with their
  ICT-environment should be by means of their
  trusted device only.
• Develop trusted devices which have no identifying
  radio signature.
• Minimize sensor abilities w.r.t. sensing foreign
  human beings directly.

25
Terminology and further reading

• http//dud.inf.tu-dresden.de/Anon_Terminology.shtm
  l