
 

ABC4Trust will be present at the joint event of the Cyber Security Privacy EU Forum 2013 and Trust in the Digital World 2013 in Brussels, April 18th-19th, 2013.

 

ABC4Trust involvement

  • ABC4Trust session, Thursday, April 18th, 16:15.
  • Presentation “Privacy-Enhancing Attribute-Based Credentials and eIDs: Chances, technical Possibilities and legal Prerequisites” as part of the session “Security and Privacy Services in The Horizon”, Friday, April 19th, 14:00.
  • Demonstration of the ABC4Trust university pilot in the demonstration area.

 

The ABC4Trust session

In June 2012 the EU Commission adopted a proposal for a “Regulation of the European Parliament and the Council on electronic identification and trust services for electronic transactions in the internal market” (COM/2012/238/FINAL, hereinafter eIDAS Regulation). The eIDAS Regulation aims to bring trust to electronic transactions in the European market by, inter alia, providing for mutual recognition and acceptance of national eID solutions. To have its national eID solution recognized and accepted in other Member States, the Member State of origin may notify its national eID solution to the Commission. Provided a series of requirements are fulfilled, such notified schemas must be recognized EU-wide. At present, the draft eIDAS Regulation is open for discussion and comments in the European Parliament. A session with expert input and discussions with the high-level audience may positively influence the decisions on details of the Regulation. The eIDAS Regulation causes concerns that it may hinder or even block the further development of privacy-enhancing solutions in the field of electronic identifiers (eIDs). Some of these aspects have been pointed out in the ABC4Trust position paper on the eIDAS Regulation.

The ABC4Trust session on Thursday will focus on the potential of privacy-enhancing attribute-based credentials (Privacy-ABCs) in the field of eIDs. We will start with a quick introduction to the privacy-enhancing features of the solution and to the ABC4Trust project as a whole, followed by a more detailed description of the ABC4Trust architecture. Two different approaches for integrating Privacy-ABCs with eID systems will be discussed, and the benefits of Privacy-ABCs when building privacy-respecting eID systems will be elaborated on. Next, ABC4Trust’s Greek university pilot will be presented, in which smartcards are deployed for secure and anonymous authentication towards a system for evaluating lectures, deployable e.g. for online participation of citizens in local decisions, polls, or surveys. Finally, a data protection-oriented view on the draft eIDAS Regulation will be provided, elaborating on how Privacy-ABCs could enhance future eIDs and showing which adaptations to the current draft eIDAS Regulation might be necessary in order to allow and support such enhancements. The last talk is intended to encourage an open discussion with the participants on these particular topics of the eIDAS Regulation.

The ABC4Trust project and privacy-enhancing Attribute-based Credentials – enabling data protection features for future electronic authentication, by Prof. Kai Rannenberg

The first talk will introduce the ABC4Trust project and then describe the central principles and functionalities of Privacy-ABCs. The audience will learn how, by deploying cryptographic mechanisms, anonymous authentication can be performed in a trustworthy manner and securely bound to one person, e.g. the holder of an eID token. Further, necessary features such as issuance, presentation, and revocation of credentials will be discussed. Provided the user submitted her identity information in an encrypted container at the time of authentication, the optional inspection feature allows an otherwise anonymous user to be identified later under previously fixed conditions, e.g. if that user violated applicable laws.

The ABC4Trust Architecture – making Privacy-ABCs deployable and interoperable, by Dr. Ioannis Krontiris

The goal of the presentation is to show that Privacy-ABCs have become an attractive solution to offer privacy in eID systems. In particular, we will report on the progress being made within the ABC4Trust project in terms of bringing together different Privacy-ABC technologies and building a unified architecture for their interoperation.


Figure: A high level view of the ABC4Trust Architecture

Then, we will discuss some of the privacy and security threats that exist in today’s eID systems, and elaborate on the advantages of using Privacy-ABCs to address these threats. Following that, we will discuss two approaches for integrating Privacy-ABCs with eID systems, taking the German eID system as a case study. In the first approach, we show that by introducing a new entity in the current German eID system, the citizen can get a lot of the advantages of Privacy-ABCs without further modifications. Then, we will concentrate on the possibility of putting Privacy-ABCs directly on smart cards, and we will present new performance results, which demonstrate that it is now feasible for smart cards to support the computations these mechanisms require.

 

Anonymous authentication for polls and surveys with Privacy ABCs – The ABC4Trust university pilot leading the path to more eID features for citizen eParticipation?, by Prof. Yannis Stamatiou

The presentation on the ABC4Trust university pilot is intended to show the results of one of the two pilots in ABC4Trust. The ABC4Trust project addresses the federation and “interchangeability” of technologies that support Privacy-ABCs. For this pilot, the participating students collect a series of credentials to verify that they are eligible to anonymously participate in an evaluation of the quality of a lecture. The pilot, whose operation may be presented during a demo at the CSP EU Forum, comprises the provision of credentials to the students of a Greek university that certifies, using Privacy-ABCs, a number of facts about the students (e.g. registered courses, class attendance information, etc.). Eligible students will be able to anonymously provide feedback on courses and teachers they had during a semester by using the proper credentials stored on their smart cards. The attribute selection feature here allows students to prove information such as their participation in a course without giving away their name or matriculation number stored on the same eID token. The pilot thus also provides a good test bed for other types of polls, petitions, and other means of opinion making. Such features may be interesting to support in national eIDs, enabling citizens to easily participate in local politics, petitions, or other means of direct democracy in governmental and private organisations.

 

The draft eIDAS Regulation and its impact on privacy preserving technologies in the field, namely Privacy-enhancing Attribute-based Credentials, by Harald Zwingelberg

The legal and policy-oriented presentation on the draft eIDAS Regulation will summarize the currently foreseen framework described in chapter two of the draft eIDAS Regulation. European eID experts share the opinion that upcoming eID schemas should support data minimisation by allowing attribute selection and that pseudonymous or anonymous authentication should be possible and enforced on relying parties where necessary (see SSEDIC eID Adoption Survey p. 32 et seq.). However, the current draft of the eIDAS Regulation does not foresee data minimisation, nor does it require foreign services to adhere to the principle of data minimisation even if the national eID of the customer supports such features. Here, further development in the area of eIDs should not be hindered but rather encouraged, in order to raise hope that future versions of eIDs may support privacy-enhancing solutions such as Privacy-ABCs or the already existing solution of the German national eID “neuer Personalausweis”.

Further, the national authentication service, which is mandatory for all notified eID schemas, is likely to be able to profile the behavior of users by learning which services outside their own Member State they have visited. For the authentication services, but also for any other involved entities, clear data protection rules including maximum retention periods for personal data are necessary and need to be incorporated in the eIDAS Regulation. This presentation will provide some potential solutions as a basis for further discussion with the audience.

See also the ABC4Trust web-page dedicated to the eIDAS Regulation here.

Additional information