Post on 13-Mar-2020
© 2017 IBM Corporation
IBM Identity Mixer
Privacy-preserving identity management and authentication for Blockchain and beyond
Dr. Maria Dubovitskaya
IBM Research – Zurich
mdu@zurich.ibm.com
Introduction – Deployment – Use Cases – Blockchain – More Features
ICT OPEN, 21 March 2017
Facts
33% of cyber crimes, including identity theft, take less time than making a cup of tea.
10 years ago your personal data on the black market was worth $150. Today….
Houston, we have a problem!
“Buzz Aldrin's footprints are still up there” (Robin Wilton)
Computers don't forget
- Data storage ever cheaper → “store by default”
  - also collateral collection: surveillance cameras, Google Street View with wireless traffic, Apple location history, ...
- Data mining ever better
  - self-training algorithms cleverer than their designers
  - not just trend detection, even prediction, e.g., flu pandemics, ad clicks, purchases, ...
  - what about health insurance, criminal behavior?
- The world as we know it
  - Humans forget most things too quickly
  - Paper collects dust in drawers
- We build apps with the paper-based world in mind :-(
  - if it works it works
  - security too often still an afterthought
  - implementors too often have no crypto education
You have no privacy, get over it .....?!?
… “I have nothing to hide!”
… “The intelligence agencies have all my data anyway”
Huge security problem!
- Millions of hacked passwords (100'000 followers: $115 in 2013)
- Stolen identities ($150 in 2005, $15 in 2009, $5 in 2013)
Difficult to put figures down
- Credit card fraud
- Spam & marketing
- Manipulating stock ratings, etc.
- (Industrial) espionage
We know that 3-letter orgs can do it easily, but they are not the only ones
- however, this is not about homeland security
- and of course there are limits to the degree of protection that one can achieve
Last but not least: data are the new money, so they need to be protected!
We need a paradigm shift & build stuff for the moon rather than the sandy beach!
Privacy is not a lost cause!
IBM Identity Mixer: the paradigm shift for authentication
Alice wants to watch a movie at Movie Streaming Service
Alice
Movie Streaming Service
I wish to see Alice in Wonderland
You need:
- subscription
- be older than 12
Watching the movie with the traditional solution
Alice
Movie Streaming Service
ok, here's
- my eID
- my subscription
Using digital equivalent of paper world, e.g., with X.509 Certificates
Aha, you are
- Alice Doe
- born on Dec 12, 1975
- 7 Waterdrive, CH 8003 Zurich
- Married
- Expires Aug 4, 2018
Mplex Customer
- #1029347
- Premium Subscription
- Expires Jan 13, 2016
...with X.509 Certificates
This is a privacy and security problem!
- identity theft
- discrimination
- profiling, possibly in connection with other services
Watching the movie with the traditional solution
Alice
Movie Streaming Service
With OpenID and similar solutions, e.g., log-in with Facebook
Aha, Alice is watching a 12+ movie
Aha, you are
- Alice@facebook.com
- 12+
Mplex Customer
- #1029347
- Premium Subscription
- Expires Jan 13, 2016
Identity Mixer solves this.
When Alice authenticates to the Movie Streaming Service with Identity Mixer, all the service learns is that Alice
- has a subscription
- is older than 12
and no more!
Users' Keys:
One secret Identity (secret key)
Many Public Pseudonyms (public keys)
Privacy-protecting authentication with Privacy ABCs
Certified attributes from Identity provider
Issuing a credential
Privacy-protecting authentication with Privacy ABCs
Name = Alice Doe
Birth date = April 3, 1997
Privacy-protecting authentication with Privacy ABCs
Alice
I wish to see Alice in Wonderland
You need:
- subscription
- be older than 12
Movie Streaming Service
Concept: presentation policy
Proving identity claims
- but does not send credential
- only minimal disclosure
Privacy-protecting authentication with Privacy ABCs
Alice
Movie Streaming Service
- valid subscription
- eID with age ≥ 12
Proving Identity Claims: Minimal Disclosure
Full credential (verified ID):
- Alice Doe
- Dec 12, 1998
- Hauptstr. 7, Zurich, CH
- single
- Exp. Aug 4, 2018
Minimal disclosure (verified ID):
- Alice Doe
- Age: 12+
- Hauptstr 7, Zurich, CH
- single
- Exp. Valid
Privacy-protecting authentication with Privacy ABCs
Alice
Aha, you are
- older than 12
- have a subscription
Movie Streaming Service
Proving identity claims
- but does not send credential
- only minimal disclosure (checked with the public verification key of the issuer)
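The slides from "Users' Keys" to "Proving identity claims" describe the two mechanisms informally: one secret key behind many public pseudonyms, and a presentation that proves claims about certified attributes without handing over the credential itself. The Python block below is an added example, not Identity Mixer code, and uses textbook Schnorr primitives in a toy 64-bit prime-order group rather than the Camenisch-Lysyanskaya signatures Idemix is built on. It shows a per-service pseudonym `nym_S = g_S^x` with a Fiat-Shamir proof of knowledge of `x` (the same proof with a transaction as context is a signature under that pseudonym, which is why fresh pseudonyms make signatures unlinkable), and selective disclosure of an issuer-signed credential whose attributes are salted hash commitments. One simplification to note: the issuer certifies an `over_12` flag, whereas Idemix proves `age ≥ 12` in zero knowledge over the hidden birth date. The service names, the attribute values and `movie_demo` are all constructed for the example.

```python
"""Toy Privacy-ABC demo (added example, not Identity Mixer code): one secret key behind many
unlinkable pseudonyms (Schnorr PoK) and selective disclosure of issuer-signed salted commitments."""
import hashlib
import secrets

def is_prime(n):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):  # Miller-Rabin, exact for n < 3e23
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(start=1 << 63):  # deterministic search for p = 2q + 1, both prime (toy size)
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q
P, Q = safe_prime_group()

def H(*parts):  # SHA-256 over length-prefixed string forms of the parts, as an int
    data = b"".join(len(s).to_bytes(4, "big") + s for s in (str(p).encode() for p in parts))
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def base_for(label):
    """Hash a label into the order-q subgroup (squaring lands in QR_p)."""
    for ctr in range(256):
        g = pow(H("base", label, ctr) % P, 2, P)
        if g > 1:
            return g
G = base_for("issuer-generator")

def prove_pseudonym(x, service, context):
    """nym = g_S^x plus a Fiat-Shamir Schnorr proof of knowledge of x, bound to context."""
    g = base_for(service)
    nym, r = pow(g, x, P), secrets.randbelow(Q)
    t = pow(g, r, P)
    c = H("pok", service, nym, t, context) % Q
    return nym, (t, (r + c * x) % Q)

def verify_pseudonym(nym, proof, service, context):
    t, s = proof
    if not (1 < nym < P and pow(nym, Q, P) == 1):  # subgroup membership check
        return False
    c = H("pok", service, nym, t, context) % Q
    return pow(base_for(service), s, P) == t * pow(nym, c, P) % P

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def sign(sk, msg):
    """Schnorr signature (R, s) with e = H(R, msg)."""
    R = pow(G, (k := secrets.randbelow(Q - 1) + 1), P)
    return R, (k + (H("sig", R, msg) % Q) * sk) % Q

def verify_sig(pk, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(pk, H("sig", R, msg) % Q, P) % P

def issue_credential(issuer_sk, attributes):
    """Issuer signs one salted commitment per attribute, never the plaintext values."""
    salted = {n: (v, secrets.token_hex(16)) for n, v in attributes.items()}
    com = {n: H("attr", n, v, salt) for n, (v, salt) in salted.items()}
    return {"salted": salted, "commitments": com, "sig": sign(issuer_sk, H("cred", *sorted(com.items())))}

def present(cred, disclose):
    """What the verifier receives: all commitments, the issuer signature, openings only for `disclose`."""
    return {"commitments": cred["commitments"], "sig": cred["sig"],
            "disclosed": {n: cred["salted"][n] for n in disclose}}

def verify_presentation(issuer_pk, pres, policy):
    """Check the issuer signature, then each opened commitment, then the policy values."""
    com = pres["commitments"]
    if not verify_sig(issuer_pk, H("cred", *sorted(com.items())), pres["sig"]):
        return False
    for n, (v, salt) in pres["disclosed"].items():
        if com.get(n) != H("attr", n, v, salt):
            return False
    return all(pres["disclosed"].get(n, (None,))[0] == v for n, v in policy.items())

def movie_demo():
    """Alice: one secret, two unlinkable pseudonyms, one minimal-disclosure login (constructed data)."""
    x, (isk, ipk) = secrets.randbelow(Q - 1) + 1, keygen()
    nyms = {s: prove_pseudonym(x, s, "session-1") for s in ("movie-service", "news-site")}
    cred = issue_credential(isk, {"name": "Alice Doe", "birth_date": "1975-12-12",
                                  "over_12": True, "subscription": "premium"})
    pres = present(cred, ["over_12", "subscription"])  # policy: subscription and age >= 12
    return {"pok_ok": all(verify_pseudonym(n, pr, s, "session-1") for s, (n, pr) in nyms.items()),
            "unlinkable": nyms["movie-service"][0] != nyms["news-site"][0],
            "policy_ok": verify_presentation(ipk, pres, {"over_12": True, "subscription": "premium"}),
            "service_learns": sorted(pres["disclosed"])}
```

Calling `movie_demo()` returns `service_learns == ["over_12", "subscription"]`: the name and birth date stay inside salted commitments the verifier cannot open, and the two pseudonyms are distinct group elements that cannot be tied together without `x`. The hash-commitment shortcut also shows what the real scheme adds: because the same commitment list and issuer signature are sent at every presentation, two presentations of this toy credential are linkable to each other, which is exactly the linkability that Idemix's randomizable signatures avoid.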
So, let's watch a movie!
idemixdemo.mybluemix.net
Identity Mixer Not Only Benefits Consumers
Identity Mixer eliminates the need for retailers and other service providers to collect the data in the first place: less storage cost, less security cost and fewer public apologies.
Identity Mixer as a service
Movie Service Example
Identity Mixer Issuer
Identity Mixer Verifier
Credential Wallet
Issuer as a service
Verifier as a service
Use cases
Age verification
Movie streaming services
Gaming industry
Online gambling platforms
Dating websites
Social benefits for young/old people
Proving 12+, 18+, 21+ without disclosing the exact date of birth – privacy and compliance with age-related legislation
Subscriptions, membership
Patent databases
DNA databases
News/Journals/Magazines
Transportation: tickets, toll roads
Loyalty programs
Who accesses which data at which time can reveal sensitive information about the users (their research strategy, location, habits, etc.)
Healthcare Use Case
Anonymous consultations with specialists
- online chat with a psychologist
- online consultation with IBM Watson
Parties: Insurance, Health portal
Alice gets a health insurance credential
1. Alice proves she has insurance
2. Alice describes symptoms
3. Alice gets a credential that she is allowed to get treatment
4. Alice gets treatment from a physician, hospital, etc.
5. Alice sends the bill to the insurance and proves that she had gotten the necessary permission for the treatment.
Payment Use Case
Credential = bank note
Double spending needs to be prevented/detected
- online or offline modes possible
Money laundering can also be taken care of
Parties and flows: bank, merchant; withdrawal, payment, deposits money
Polls, recommendation platforms
Online polls: applying different restrictions on the poll participants, e.g., location, citizenship
Rating and feedback platforms
- anonymous feedback for a course only from the students who attended it
- wikis
- recommendation platforms
Providing anonymous, but at the same time legitimate, feedback
Idemix & Blockchain
Permissioned Blockchain
Identity Mixer & Blockchain
Signing transactions within Blockchain (in-fabric)
- Unlinkably signing transactions on Blockchain
- Selective disclosure of attributes
- Advanced features: revocation, audit
Signing transactions with X.509
Multiple X.509 certificates
Signing transactions unlinkably with Idemix
Audit
- Only Auditor can track the transactions
- Auditor’s key can be shared between multiple parties to distribute the trust
Revocation
- Certificates can be revoked at any time
- Non-revocation proof is unlinkable
Summary: Identity Mixer
Strong Privacy-Preserving Authentication
- Better than PKI or OpenID
- Protocols are verified by the scientific community, code is open source
- Advanced features: revocation, audit, usage limitation
Easy to use: as a service + mobile app
- Setup issuer/verifier in just a few minutes
- All personal data is stored locally on the user's device
Many use cases and scenarios
- Healthcare, age verification, polls, payments, Blockchain
Blockchain
- Signing transactions within Blockchain
- Identity Management on top of Blockchain
Thank you!
eMail: idemix@zurich.ibm.com
twitter: @IdentityMixer
Links:
- www.zurich.ibm.com/idemix
- idemixdemo.mybluemix.com
- https://github.com/IBM-Bluemix/idemix-issuer-verifier
- console.ng.bluemix.net/catalog/services/ibm-identity-mixer/
- https://www.ted.com/watch/ted-institute/ted-ibm/maria-dubovitskaya-a-personal-data-filter-that-releases-only-whats-needed
- www.abc4trust.eu
- www.futureID.eu
- www.au2eu.eu
- www.PrimeLife.eu
- github.com/p2abcengine & abc4trust.eu/idemix