At the European eID Interoperability Concepts and Compliance Conference, ABC4Trust partner IBM Research will be present with a demonstration on Privacy-Preserving Authentication by Attribute-based Credentials. The conference will take place in Biel, Switzerland from May 27th-28th, 2012.
Authentication is an all-embracing mechanism in today’s digital society. Current authentication systems require users to provide more personal data than actually necessary, and offer many attack vectors due to insecure authentication methods such as username/passwords. With Privacy-preserving Attribute-based Credentials, systems that allow for minimizing the data released during authentication do exist. A combination of these technologies with eID solutions could provide the necessary security and trust for all participants while preserving the user’s privacy at the same time. In the current discussion for future electronic IDcards and other means to authenticate online and offline, the growing privacy threats for users are not sufficiently reflected. Therefore, any upcoming European and national eID schemas should help citizens to protect their privacy by providing secure authentication methods with which the user can verify only the relevant attributes but does not need to reveal more than these necessary attributes. Users would be enabled to act under a pseudonym with their real identity unknown to the service provider. However, acknowledging risks for service providers, it should be possible to trace back a so far pseudonymous user under certain previously specified conditions. With Privacy-preserving Attribute-based Credentials, such as IBM’s Identity mixer presented at the conference in Biel or Microsoft’s U-Prove, technology can be a key enabler for privacy preserving eID solutions in the future.
The demonstration in the conference’s exhibition area will show data-minimizing authentication with attribute-based credentials based on the scenario of a teenage chat room, where the chat provider requires authentication with respect to a service-specific privacy-preserving policy. When a user wants to enter the chat room, the implementation determines whether and how the user can fulfil the policy with her credentials. A graphical user interface allows the user to select and verify which personal information she wants to use to fulfil the policy. Prior to sending any information, the user interface also provides her with a detailed summary of which information she is about to release to the service provider. Based on the user's input, the prototype generates a cryptographic presentation token that shows fulfilment of the service provider's policy without revealing any unnecessary information. Finally, this presentation token is sent to the service provider for verification who grants access to the chat accordingly. Our prototype is the first implementation of such far reaching data-minimizing privacy-preserving authentication.
Visitors of the demo will learn that it is possible to perform online authentication in a privacy-preserving manner.
For first information on Privacy-ABCs, the problems they can solve and what the project is about see the ABC4Trust Flyer.
For a description of the demo to be shown in Biel see Bichsel/Preiss, A Comprehensive Framework Enabling Data-Minimizing Authentication, 2011.
Read more on an architecture to make existing systems of Privacy-ABCs interoperable, and the how the processing of personal data can be limited to enhance privacy and legal compliance: D2.1 Architecture for Attribute-based Credential Technologies.