Dual Degree Ph.D. Student Research Work on Cryptography

Luís Brandão Presents Paper at the Privacy Enhancing Technologies Symposium

Luis_B  We live in a world where digital identity has become an essential aspect of daily life. At any time, different platforms can be used to access multiple online services – private and public – and remotely request and execute actions on behalf of a human user. This scenario raises questions about privacy and security: what constitutes a secure identification or authentication? When is anonymity recommendable or acceptable? Which third parties should be able to track activities of users in online services? Interested in these questions, a dual degree doctoral student of the CMU Portugal Program, Luís Brandão, has recently presented a paper at the 15th Privacy Enhancing Technologies Symposium (PETS 2015), exposing privacy and security problems in two identification/authentication systems being developed in the United States and the United Kingdom for nation-scale use by citizens.
Freely available online via open access, the paper is entitled "Toward Mending Two Nation-Scale Brokered Identification Systems" and results from joint work by four co-authors. Luís Brandão is at Faculdade de Ciências da Universidade de Lisboa (FCUL) and Carnegie Mellon University (CMU). The other co-authors are Nicolas Christin (CMU), George Danezis (University College London), and an anonymous author.
  
The paper is about the Connect.Gov and the GOV.UK Verify systems, respectively being developed, and in early stages of deployment, in the US and UK. These systems publicly advertise “enabling trusted digital interactions between people & government” (Connect.Gov) and being “the new way to prove who you are online so you can use government services safely” (GOV.UK Verify). However, Luís Brandão explains that “the paper describes serious privacy and security shortcomings in these systems, which can be inferred from publicly available information. If these systems reach the intended operational activity – altogether more than a hundred million users and a myriad of online services – then the identified vulnerabilities could be exploited to support undetected mass surveillance. The paper also proposes repairs to identified problems, describing how certain cryptographic techniques can be embedded to enable desired privacy and security.”
  
Luís Brandão’s Ph.D. research is in the area of cryptography, mainly focused on secure two-party computation (S2PC) – “allowing two parties to make computations over their combined inputs while retaining privacy of their inputs and outputs.” “Interestingly, S2PC can be used as a privacy-enhancing tool to solve a major privacy problem found in the analyzed systems,” says Luís Brandão, explaining that “on a more personal academic level this research was a direct opportunity to put in practice technical expertise acquired throughout the Ph.D.”

 "The paper describes serious privacy and security shortcomings in these systems, which [...] could be exploited to support undetected mass surveillance [... It] also proposes repairs to identified problems."


 

CMU Portugal:  What is the high-level goal of the systems being analyzed in this paper? 

Luís Brandão [LB]: The systems intend to provide a more convenient mechanism for citizens to identify and authenticate online to public-sector services (extendable in the future to private-sector services). This is done without relying on any kind of national electronic identity-card. Suppose that a user connected to the Internet would like to confer some personal details of its social security account online, and also submit tax declarations online, and access personal records held at an online account in a hospital … and access 20 or 50 or more online “service providers.” The systems we analyzed intend to allow each user to choose one (or possibly several) "identity provider(s)," certified by a trusted (and trustworthy) authority, to help the user identify and authenticate to any service provider. This avoids the costly process of initial identity registrations of the user in presence at each service provider (e.g., to show identification cards in hand and request sending of a password to a physical address), and does not require the user to maintain specific credentials (e.g., username, password, hardware token) for each service provider. One of the main privacy goals is to prevent the identity providers from tracking users across different service providers, and vice-versa. While related documentation calls this property “unlinkability,” our paper characterizes several other types of unlinkability and shows that these systems fail to achieve most of them, with great risk to citizens' privacy.

CMU Portugal: The paper talks about brokered-identification systems – what does it mean and does it bring more flexibility, privacy and/or security to the identification/authentication process? 

LB: A brokered identification system is one where the communication between service provider and identity provider is brokered (i.e., mediated) by another party. The systems we looked at propose using a central online entity (a "hub") as the broker, and leave the user with a mostly passive participation. Their brokering mechanisms enable hiding the accessed service providers from the identity provider, but fail, for example, to prevent linkability by the hub, who becomes able to track users across all service providers. One main consideration addressed in our paper is how to prevent such capability, while keeping the hub as a mediator (a structural constraint of Connect.Gov and GOV.UK Verify) and enabling auditability and forensics.


"[...] the hub, controlled by the government, can track users across all their authentications, because it sees persistent user pseudonyms in all authentications [...] it even sees (in clear text) additional identifiable attributes of the user [... it] could even impersonate users to access their accounts at service providers."


CMU Portugal: It seems that the analyzed systems – Connect.Gov and GOV.UK Verify – propose achieving a convenient service and a privacy benefit at the cost of other problems. In the paper the authors state that these systems, "which altogether aim at serving more than a hundred million citizens, (…) suffer from serious privacy and security shortcomings, fail to comply with privacy-preserving guidelines they are meant to follow, and may actually degrade user privacy.” What specific problems are you addressing in the paper? 

LB: The paper highlights that the identified vulnerabilities could be exploited as a technical capability for undetected mass surveillance, if the systems reach the intended nation-scale operational activity. The identified problems are in sharp opposition to privacy-preserving guidelines from the public strategies that these systems claim to follow – respectively, the "National Strategy for Trusted Identities in Cyberspace" (NSTIC) in the US and the "Identity Assurance Principles" in the UK. The paper alerts that in GOV.UK Verify and Connect.Gov the hub, controlled by the government, can track users across all their authentications, because it sees persistent user pseudonyms in all authentications. Furthermore, it even sees (in clear text) additional identifiable attributes of the user, e.g., name and contact information, flowing from identity providers to service providers. Another problem exposed in the paper is that a hub compromised by an adversary could even impersonate users to access their accounts at service providers. In the paper we succinctly describe possible impersonation attacks.

CMU Portugal: Why is it problematic to give such linkability capability to the hub? 

LB: It is well recognized by the privacy-research community that the ability to link related events may pose a serious threat to privacy. Valuable private information can be inferred by linking different events to the same user, and any privacy breach at any seemingly unimportant service provider may also disclose additional information linkable to accesses at other more sensitive services. To make the case worse, the hub also sees directly-identifiable information (e.g., name, birth-date, social security number, etc.) in some user authentications.


 "[...] certain cryptographic techniques can be used to enable desired privacy and security properties [...] The paper recommends that these findings be taken as a contribution in a process that should still better formalize the privacy and security requirements (including a balance with auditability and forensics, as a way to promote better accountability)..."


 CMU Portugal: Does the paper propose repairs to the identified vulnerabilities? 

LB: The paper describes how certain cryptographic techniques can be used to enable desired privacy and security properties. The solutions take into account the structural constraint of using a central online entity (the "hub") to mediate all communications, and the users being passive in most of the authentication protocol. The paper recommends that these findings be taken as a contribution in a process that should still better formalize the privacy and security requirements (including a balance with auditability and forensics, as a way to promote better accountability) and should still define a solution that fully integrates all desired properties and includes an unambiguous description made available for public review.

CMU Portugal: What does this mean for the end-user, the citizen? 

LB: An implementation without adequate repairs means developing a central entity with the capability to impersonate and track the activities of all end-users across a myriad of online services. This capability can hypothetically be abused by some entity (internal or external) that (detectably or undetectably) is able to compromise the hub. It could (wrongly) seem at first glance that the described issues are necessary as a tradeoff to achieve the desired operational convenience. Conversely, this paper shows that upon implementing appropriate repairs it is possible to achieve resilience against a compromised hub. The paper states that this matter requires further research, formalization and public review. For now it remains unclear if, when or how the analyzed brokered identification systems may evolve in the direction of repairing the identified privacy and security issues that could affect their end-users.

September 2015

 

____
Luis Brandão Presents Paper at Asiacrypt 2013 more