Dual Degree Ph.D. Student Research Work on Cryptography
Luís Brandão Presents Paper at the Privacy Enhancing Technologies
We live in a world where digital identity has
become an essential aspect of daily life. At any time, different platforms can
be used to access multiple online services – private and public – and remotely
request and execute actions on behalf of a human user. This scenario raises questions about privacy and
security: what constitutes a secure identification or authentication? When is
anonymity recommendable or acceptable? Which third parties should be able to
track activities of users in online services? Interested in these questions, a
dual degree doctoral student of the CMU Portugal Program, Luís Brandão, has
recently presented a paper at the 15th Privacy Enhancing Technologies
2015), exposing privacy and security problems in two
identification/authentication systems being developed in the United States and
the United Kingdom for nation-scale use by citizens.

Freely available online
via open access, the paper is entitled "Toward Mending Two Nation-Scale Brokered Identification Systems" and results from joint work by four
co-authors. Luís Brandão
is at Faculdade de Ciências da Universidade de Lisboa
(FCUL) and Carnegie Mellon University (CMU). The other co-authors are Nicolas Christin (CMU),
George Danezis (University College London), and an anonymous author.

The paper is about the Connect.Gov and GOV.UK Verify systems, which are
being developed, and are in early stages of deployment, in the US and UK
respectively. These
systems publicly advertise “enabling trusted digital interactions between
people & government” (Connect.Gov) and being “the new way to prove who you are
online so you can use government services safely” (GOV.UK Verify).
However, Luís Brandão explains that “the
paper describes serious privacy and security shortcomings in these systems,
which can be inferred from publicly available information. If these systems
reach the intended operational activity – altogether more than a hundred
million users and a myriad of online services – then the identified
vulnerabilities could be exploited to support undetected mass surveillance. The
paper also proposes repairs to identified problems, describing how certain
cryptographic techniques can be embedded to enable desired privacy and

Luís Brandão’s Ph.D. research is in the area of
cryptography, mainly focused on secure two-party computation (S2PC) – “allowing
two parties to make computations over their combined inputs while retaining
privacy of their inputs and outputs.” “Interestingly, S2PC can be used as a
privacy-enhancing tool to solve a major privacy problem found in the analyzed
systems,” says Luís Brandão, explaining that “on a more personal academic level this research was a direct opportunity
to put in practice technical expertise acquired throughout the Ph.D.”

"The paper describes serious privacy and security shortcomings in these systems, which [...] could be exploited to support undetected mass surveillance [... It] also proposes repairs to identified problems."

CMU Portugal: What is the high-level goal of
the systems being analyzed in this paper?

Luís Brandão [LB]: The systems intend to
provide a more convenient mechanism for citizens to identify and authenticate
online to public-sector services (extendable in the future to private-sector
services). This is done without relying on any kind of national electronic
identity-card. Suppose that a user connected to the Internet would like to
confer some personal details of its social security account online, and also
submit tax declarations online, and access personal records held at an online
account in a hospital … and access 20 or
50 or more online “service providers.” The systems we analyzed intend to allow
each user to choose one (or possibly several) "identity provider(s),"
certified by a trusted (and trustworthy) authority, to help the user identify
and authenticate to any service provider. This avoids the costly process of
initial identity registrations of the user in presence at each service provider
(e.g., to show identification cards in hand and request sending of a password
to a physical address), and does not require the user to maintain specific
credentials (e.g., username, password, hardware token) for each service
provider. One of the main privacy goals is to prevent
the identity providers from tracking users across different service providers,
and vice-versa. While related documentation calls this property
“unlinkability,” our paper characterizes several other types of unlinkability
and shows that these systems fail to achieve most of them, with great risk to

CMU Portugal: The paper talks about brokered-identification systems – what does it
mean and does it bring more flexibility, privacy and/or security to the

LB: A brokered identification system is one where the communication between service
provider and identity provider is brokered (i.e., mediated) by another
party. The systems we looked at propose using a central online entity (a
"hub") as the broker, and leave the user with a mostly passive
participation. Their brokering mechanisms enable hiding the accessed service
providers from the identity provider, but fail, for example, to prevent
linkability by the hub, who becomes able to track users across all service
providers. One main consideration addressed in our paper is how to prevent such
capability, while keeping the hub as a mediator
(a structural constraint of Connect.Gov and GOV.UK Verify) and enabling
auditability and forensics.

"[...] the hub, controlled by the government, can track users across all their authentications, because it sees persistent user pseudonyms in all authentications [...] it even sees (in clear text) additional identifiable attributes of the user [... it] could even impersonate users to access their accounts at service providers."

CMU Portugal: It seems that the analyzed systems – Connect.Gov and GOV.UK Verify –
propose achieving a convenient service and a privacy benefit at the cost of
other problems. In the paper the authors state that these systems, "which
altogether aim at serving more than a hundred million citizens, (…) suffer from
serious privacy and security shortcomings, fail to comply with
privacy-preserving guidelines they are meant to follow, and may actually
degrade user privacy.” What specific problems are you addressing in the paper?

LB: The paper highlights that the identified
vulnerabilities could be exploited as a technical capability for undetected
mass surveillance, if the systems reach the intended nation-scale operational
activity. The identified problems are in sharp opposition to privacy-preserving
guidelines from the public strategies that these systems claim to follow – respectively, the "National Strategy for Trusted
Identities in Cyberspace" (NSTIC) in the US and the "Identity
Assurance Principles" in the UK. The paper alerts that in GOV.UK Verify
and Connect.Gov the hub, controlled by the government, can track users across all
their authentications, because it sees persistent user pseudonyms in all
authentications. Furthermore, it even sees (in clear text) additional
identifiable attributes of the user, e.g., name and contact information,
flowing from identity providers to service providers. Another problem exposed
in the paper is that a hub compromised by an adversary could even impersonate
users to access their accounts at service providers. In the paper we succinctly
describe possible impersonation attacks.

CMU Portugal: Why is it problematic to give
such linkability capability to the hub?

LB: It is
well recognized by the privacy-research community that the ability to link
related events may pose a serious threat to privacy. Valuable private information can be inferred by linking
different events to the same user, and any
privacy breach at any seemingly unimportant service provider may also disclose additional
information linkable to accesses at other more sensitive services. To make the
case worse, the hub also sees directly-identifiable information (e.g., name,
birth-date, social security number, etc.) in some user authentications.

"[...] certain cryptographic techniques can be used to enable desired privacy and security properties [...] The paper recommends that these findings be taken as a contribution in a process that should still better formalize the privacy and security requirements (including a balance with auditability and forensics, as a way to promote better accountability)..."

CMU Portugal: Does the paper propose repairs to the identified vulnerabilities?

LB: The paper describes how certain cryptographic techniques can be used to enable
desired privacy and security properties. The solutions take into account the structural constraint of using a central online entity (the "hub") to mediate all
communications, and the users being passive in most of the authentication
protocol. The paper recommends that these findings be taken as a contribution
in a process that should still better formalize the privacy and security
requirements (including a balance with auditability and forensics, as a way to
promote better accountability) and should still define a solution that fully
integrates all desired properties and includes an unambiguous description made
available for public review.

CMU Portugal: What does this mean for the end-user, the citizen?

LB: An implementation
without adequate repairs means developing a central entity with the capability
to impersonate and track the activities of all end-users across a myriad of
online services. This capability can hypothetically be abused by some entity
(internal or external) that (detectably or undetectably) is able to compromise
the hub. It could (wrongly) seem at first glance that the described issues are
necessary as a tradeoff to achieve the desired operational convenience.
Conversely, this paper shows that upon implementing appropriate repairs it is
possible to achieve resilience against a compromised hub. The paper states that this matter requires further research, formalization and public review. For now it remains unclear if, when or how the analyzed brokered identification systems may evolve in the direction of repairing the identified privacy and security issues that could affect their end-users.
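
The hub's view described in the interview above can be made concrete with a small model of what each party records per authentication. This is an added example, not code from the paper or from either system; the user names, service providers, attribute values, HMAC-based pseudonym and log record shapes are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

IDP_KEY = b"constructed-demo-key"  # assumption: IDP-held secret used for pseudonyms

# Constructed sample authentications: (user, service provider, attributes released)
AUTHS = [
    ("alice", "tax-office", {}),
    ("bob", "tax-office", {}),
    ("alice", "hospital", {"name": "Alice Example"}),
    ("alice", "benefits", {}),
    ("bob", "library", {}),
]

def pseudonym(user):
    """Persistent per-user pseudonym the IDP hands to the hub (assumed form)."""
    return hmac.new(IDP_KEY, user.encode(), hashlib.sha256).hexdigest()[:12]

def run_brokered(auths):
    """Return (idp_log, hub_log): what each party observes per authentication."""
    idp_log, hub_log = [], []
    for user, sp, attrs in auths:
        # The hub relays the request, so the IDP sees the user but not the SP.
        idp_log.append({"user": user})
        # The hub sees the pseudonym, the SP, and the attributes in clear text.
        hub_log.append(
            {"pseudonym": pseudonym(user), "sp": sp, "attrs": dict(attrs)})
    return idp_log, hub_log

def hub_profiles(hub_log):
    """Group the hub's log by pseudonym: the linkage the interview describes."""
    profiles = defaultdict(lambda: {"sps": [], "attrs": {}})
    for entry in hub_log:
        prof = profiles[entry["pseudonym"]]
        prof["sps"].append(entry["sp"])
        prof["attrs"].update(entry["attrs"])  # one identifying attribute labels all
    return dict(profiles)

def idp_sees_sp(idp_log):
    """True if any IDP-side record names a service provider."""
    return any("sp" in rec for rec in idp_log)

if __name__ == "__main__":
    idp_log, hub_log = run_brokered(AUTHS)
    for pseud, prof in hub_profiles(hub_log).items():
        print(pseud, prof["sps"], prof["attrs"])
    print("IDP learns service providers:", idp_sees_sp(idp_log))
```

A plain group-by on the pseudonym is all the hub needs, and the single authentication that carried a name attaches that name to every other entry under the same pseudonym.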