This section contains general news about the ABC4Trust project.
To keep you updated, we have a RSS Feed containing ABC4Trust News.
ABC4Trust has been listed by the European Commission as an example of a successful EU funded research and innovation in the Societal Challenges areas which already is integrated into commercially viable products, start-ups and services. Read more in the brochure: https://ec.europa.eu/digital-agenda/en/eu-funded-societal-challenges-projects-lab-market
ABC4Trust Clip on Privacy-ABCs
A main part of ABC4Trust's efforts is to explain the problem of linkage and creation of usage patterns when using online services, the functionality and advantages of Privacy-ABCs and how they help the user to protect his or her privacy. Raising the awareness for this issue is not easy as the threat is not obvious.
This basic information is addressed in the video clip ABC4Trust has produced. Furthermore, it explains how Privacy-ABCs come into play. The clip had its premiere at the Summit Event on January 20, 2015.
The idea behind the clip is to explain Privacy-ABCs and the achievements of ABC4Trust in an entertaining but still informative way. The language used is simple and the duration of the clip does not exceed five minutes.
Download (68 MB)
Download (7 MB)
On youtube: https://www.youtube.com/watch?v=utk4EyoaxAk
All rights reserved.
In its latest Deliverable 4.2 – Final Reference Implementation, ABC4Trust describes how to use a demonstration the project developed in order to allow interested parties to actually try out Privacy-ABCs in practice. Embedded in a hotel room booking scenario, you can follow all steps from obtaining a credential, to make use of it and revoke it in the end.
The demonstration is deployed as a virtual machine in iso format. (Download Virtual Machine)
The scenario showcases most of the features provided by reference implementation, namely issuance with key carry-over, verification and revocation of credentials. Inspection and issuance with carry-over attributes are not included in the demonstration, but could be included in a future version. The scenario is based around the case of booking a hotel room. In order to book a room, a user must possess valid passport and credit card credentials; however the user will be forced to reveal neither her identity nor her credit card number. A potential feature to add in a future version of the demonstration would be to make the credit card number in the presentation token inspectable in case of a (late) cancellation. This would allow the hotel to withdraw a fee from the customer if certain criteria are met. Similarly, an additional issuer of student card credentials could be implemented. This could be used to showcase advanced issuance (where the student’s attributes are carried over from his student card to the credit card credential) as well as the verifier having different presentation policies, offering students a discount.
The demonstration consists of the following services:
A Grails application running the webpage for a hotel, acting as the verifier.
A Grails application running the webpage for a bank, acting as the issuer of credit card credentials.
A Grails application running the webpage of governmental agency, acting as the issuer of passport credentials.
A revocation service, able to revoke credit card credentials.
A user service, able to manage credentials, communication with smartcards and perform presentations of credentials.
A user UI service, providing a GUI for the user service.
For further details please read D4.2 - Final Reference Implementation. (Download: PDF)
The official project flyer is available as download now.
On 26th May 2014, the ABC4Trust project published a new press release on the result of its pilots. The press release can be viewed here.
A report on ABC4Trust's workshop "Putting Privacy-ABCs into Practice" can be found here.
Microsoft released updated U-Prove cryptoarchitecture
Already fully compatible with ABC4Trust engine
On December 19, 2013 Microsoft released a public update to its U-Prove Cryptographic Specification V1.1 and open-source C# SDK. This Revision 3 is now interoperable with the ABC4Trust architecture as recently described in "H2.2. ABC4Trust Architecture for Developers".
This smooth integration had also been enabled by the fact, that ABC4Trust had already used a previously unreleased iteration of this release that is now publicly available.
Online services can use the code to protect customer’s data and reduce exposure to liabilities in case of personal data breaches
“Privacy is an integral part of human dignity and personal freedom”, as Vice-President of the European Commission Viviane Reding stressed at a speech regarding the proposal for a Data Protection Regulation. Personal data breaches cause major liability risks and loss of reputation for businesses and may impact the life of the compromised person in a long term. Protection of personal data is served best by taking data protection aspects into account right from the planning phase. The draft for a General Data Protection Regulation demands privacy by design and privacy by default when developing new processes. This is taken into account by the EU-funded project “Attribute-based Credentials for Trust” (ABC4Trust) that is piloting cryptographic solutions to authenticate persons in a privacy-preserving way with selective disclosure of attributes in authentication processes.
Appropriate privacy-enhancing technologies (PET) as developed in the ABC4Trust project allow secure authentication while only revealing the data essential for the requested service and no longer require verifying every detail of a user’s identity. Reducing data in this early state may aid businesses to comply with these principles by avoiding unnecessary data processing, and citizens gain more privacy. To assist online services in implementing such technologies, the ABC4Trust project has published the source code of the first version of its solution.
Electronic identity solutions are based on attributes about a person with the respective attribute value like the person’s name or date of birth. Classic electronic identification does not allow presentation of selected attributes without invalidating the issuer’s signature and thus risking a rejection. Advanced and privacy-preserving solutions support selective disclosure of attributes: the service provider can only learn those pieces of information that are necessary for the given purpose while the signature verifying the correctness of the information remains intact. The privacy-enhancing attribute-based credentials (Privacy-ABCs) deployed in the ABC4Trust project’s pilots support the above-mentioned attribute selection.
The use of Privacy-ABCs has now become accessible for a broader audience, as the ABC4Trust project has released the first iteration of the Attribute-based Credential Engine (ABCE) implementation. The ABCE allows owners and implementers of online services to leverage the potential of Privacy-ABCs to protect customer’s data and reduce exposure to liabilities in case of personal data breaches.
The first iteration of the ABCE consists of a number of core components and a user interface needed to implement a Privacy-ABC system. The release includes source code and documentation on how to setup and integrate the ABCE and can be found on the ABC4Trust website: https://abc4trust.eu/index.php/source. The components deal with issuing, verifying, inspecting, and revoking privacy-preserving attribute-based credentials, as well as handling the required user interaction. ABC4Trust has developed two applications that are currently deployed and being used by users in two pilot trials; one in Söderhamn, Sweden and the other in Patras, Greece.
Building on the basic components fully functioning support for Privacy-ABCs can be implemented in a given system. The ABCE is provided with adapters for storing keys on smart cards and a very generic user interface. Additional customization will be required regarding the storage of keys and credentials along with the user interaction.
All parts of the ABCE are released under the Apache License 2.0 license. However, the cryptographic engines underlying the ABCE are not currently a part of the ABCE, and must be downloaded separately. The cryptographic engines are IBM Identity Mixer (Version 2.4 or later) and Microsoft U-Prove. The U-Prove binary can be downloaded from https://microsoft.com/u-prove. The IBM Identity Mixer can be downloaded from https://abc4trust.eu/idemix.
The Annual Privacy Forum 2014 will take place in Athens on 20th and 21th of May 2014 in course of the Greek Presidency of the Council of the EU. The conference is jointly organized by the European Commission's Directorate General for Communications Networks, Content & Technology (DG CONNECT) and the European Union Agency for and Information Security (ENISA).
Local host for the event is the Systems Security Laboratory (SSL) of the University of Piraeus. The Call for Papers is open.
[Update:] The deadline for proposals has been extended until December 23rd, 2013. Proposed papers should focus on these topics.
- Building privacy by design and by default
- Cryptography for privacy
- Data protection technologies
- Economics of privacy and PETs
- Enhancing privacy in existing systems
- Identity management and privacy
- Location and mobility privacy
- Privacy awareness raising and education
- Privacy and inference control in databases
- Privacy and privacy technologies attacks
- Privacy by policy
- Privacy models
- Privacy-enhanced access control or authentication/certification
- Privacy Friendly Biometrics
- Privacy-friendly payment mechanisms for PETs and other services
- Privacy in Online Social Networks
- Pseudonyms, anonymization, identity management, link ability, and reputation
- Reliability, robustness and abuse prevention in privacy systems
- Traffic analysis
- Transparency enhancing tools
- Usability issues and user interfaces for PETs
The second round of the Patras pilot started on the 4th of November 2013 and will last until mid of February 2014. The participants are 59 volunteers who attend the course “Distributed Systems I” of the Department of Computer Engineering and Informatics, at the University of Patras. They have already obtained their Smart Cards and, according to the pilot scenarios, have received their first attendance unit in the lecture room, on the 4th of November. Their entry to the pilot system is the portal residing in https://ces.cti.gr/Portal/Portal.html The students can, also, download from there a students' manual that describes all the details relevant to their participation in the pilot.
Before the start of the pilot, the students were shown brief introductory slides on the concepts of Privacy-ABCs, the goals of the pilot as well as the use cases. After the end of the slide presentation, the lecturer and CTI members initiated an open discussion related to the concepts of Privacy-ABCs, the objectives of the project and the scenarios of the pilot. Their interest in the pilot as well as the Privacy-ABCs was high and we expect them to give, in the end, a very helpful evaluation of the technology they used.
The proposal for a Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS) is currently under evaluation by the European Parliament. The research project ABC4Trust (Attribute-based Credentials for Trust) is providing its position as input to the legislative process. ABC4Trust considers electronic identification means (eIDs) as an optimal use case for the broad deployment of privacy-enhancing attribute-based credentials (Privacy-ABCs).
The privacy concept of data minimisation is an already legally fixed principle in the Member States and also central to the current draft for a General Data Protection Regulation. A way to enable and enforce data minimisation with technical means is the concept of selective disclosure of attributes. Electronic identity solutions are based on attributes about a person with the respective attribute-value, e.g. name: Johannson, first name: Sven, place of residence: Stockholm, profession: advocate, date of birth: 1975-02-07, etc. Classic identification tokens or certificates do not allow presenting only a selected attribute without invalidating the issuer’s signature. Advanced and privacy-preserving solutions supporting selective disclosure of attributes make it possible to let a service provider only notice those pieces of information that are necessary for the given purpose while the signature verifying the correctness off the information remains intact. Besides the Privacy-ABCs deployed in the ABC4Trust project also the German eID solution supports attribute selection.
ABC4Trust currently evaluates the interoperability and functionality of Privacy-ABCs in two deployment pilots: a school network in Söderhamn, Sweden, and the evaluation of Lectures at the University of Patras, Greece. The first experiences from the pilots show that Privacy-ABCs work with secure smart cards – fulfilling a necessary prerequisite for many Member States to incorporate a technology into their national eID solution.
Consequently the ABC4Trust project considers it necessary that the concept of data minimisation is pointed out more prominent in the eIDAS regulation and welcomes existing proposals from other parties supporting this view. As a minimum Member States must be allowed to notify eID solutions permitting selective disclosure of attributes and other Member States should be hindered to reject a privacy-enhancing solution solely to the fact that not a full set of identifying data is provided but only the necessary information. Member States should be further encouraged to deploy the feature of selective disclosure of attributes in the future.
Finally ABC4Trust suggests making privacy of users and citizen s a central aspect of the regulation. It should be clarified that also the national issuers of eIDs and any services and third parties that may become necessary to make eIDs interoperable also across borders are bound to the European data protection legislation, namely must adhere to the principle of data minimisation and must not, whatsoever, use the data of the citizens or relying parties for tracking or profiling purposes.
Summarizing the above considerations amendments to the eIDAS are necessary in three major aspects:
I. Emphasize the concept of authentication instead of identification
II. Remove barriers for privacy-preserving eID solutions
III. Clarify applicability of data protection requirements also for eID services
More information on this topic from researchers of the ABC4Trust project promoting the deployment of Privacy-ABCs for eID solutions is provided here:
- The ABC4Trust position paper on the draft eIDAS regulation (2 pages).
- Panel participation the conference on eID and Trust services at the European Parliament organized by Amelia Andersdotter, MEP, Jürgen Creutzmann, MEP, and Marielle Gallo, MEP, held April, 10th 2013, (slides of the ABC4Trust presentation).
- Video Interview for a webcast by Amelia Andersdotter, MEP (to come).
- ABC4Trust session at the joint event of the Cyber Security Privacy EU Forum 2013 and Trust in the Digital World 2013 in Brussels, April 18th-19th, 2013.
- The ABC4Trust detailed analysis on the eID section of the eIDAS regulation with proposals for amendments
For further questions please do not hesitate and contact the ABC4Trust project team at ULD.
The ABC4Trust project will be present at the 8th International Conference on Risks and Security of Internet and Systems, CRiSIS 2013 from October 23th-25th, 2013 in La Rochelle, France. The conference is concerned with challenges to the security of Internet applications, networks and systems. It promotes the exchange of the industry, academia and government to combat increasing security and privacy risks.
Hamza Ghani will be presenting two papers of the DEEDS research group at the Technische Universität Darmstadt. The papers “Predictive Vulnerability Scoring in the Context of Insufficient Information Availability”(authors' version) and “Quantitative Assessment of Software Vulnerabilities Based on Economic-Driven Security Metrics” (authors' version) focus on the assessment of vulnerabilities e.g. in terms of prioritizing countermeasures.
On 22nd of January 2013, just a day before the Conference on Privacy and Data Protection (CPDP) ABC4Trust will hold a workshop on privacy and identity management standards, jointly organised with ISO/IEC JTC 1/SC 27 - Security techniques. The workshop will look into relevant standards in ISO and elsewhere, and contextualize this within the policy space, as well as exploring further potential for ABC4Trust technology.
It follows a workshop previously held in Berlin, Germany, this summer, gathering first feedback on the issues involved and is geared to a more international community. Participants from various different stakeholders, including the French DPA (CNIL), Japanese researcher Kazue Sako from NEC and Thomas Roessler from W3C have accepted an invitation to this event, which will be held at the Hanse-Office, the representation of the German federal states of Schleswig-Holstein and Hamburg in Brussels.
Participation is open to all interested parties, for more details see the invitation letter agenda and registration form.
ABC4Trust released today a new heartbeat document H2.1 (download PDF, XML schema) on the architecture that focuses on application developers. In particular, compared to D2.1, this heartbeat removes the details of how the ABCE layer looks internally and gives a simpler and more modular explanation of its functionality. Correspondingly, it presents an updated "external" API that the ABCE layer offers to the application layer, as well as an updated version of the data formats. It also presents some updates in the definition of concepts and features of ABCs. This document takes into account early feedback from the implementation and pilot work packages, and describes the functionality realized by the first reference implementation.
The important differences with deliverable D2.1 are listed below.
- Key binding now replaces and unifies the previous concepts of user binding and device binding. A credential can optionally be bound to at most one secret key. Knowledge of the secret key is required to create a valid presentation token from a key-bound credential and to derive pseudonyms. The secret key could be stored on a trusted device like a smart card, which effectively realizes the previous concept of device binding.
- A list of supported attribute encodings is now included in the document, together with the implications for which predicates can be used in combination with these encodings, and whether the encoded attribute values will be inspectable.
- New issuance data formats and interfaces are introduced to let the user-side ABCE return a description of the newly issued credential, and to let the issuer-side ABCE store the issuance token for future reference, together with all issuer-chosen attribute values of the new credential. In particular, the stored issuance token contains the revocation handle of the issued credential, by means of which the credential can later be revoked so required.
- Human-friendly names for credentials and attributes as well as graphical representations (icons) for credentials have been added to the credential specification. This enables the issuer to pass additional information to the identity selection user interface, so that the user can better understand the different options and so that the issuer can brand its issued credentials with custom images. See Section 4.2.1 for more details.
- Minor XML schema changes to simplify XML parsing in the ABCE.
The next update on the architecture will be in D2.2 which will release the final version. D2.2 will be released in beginning of 2014.