Re: Unforgeable Blinded Credentials

2006-04-02 Thread Apu Kapadia

I came across the same problem a couple of years ago (and indeed  
iterated through private/public key solutions with a colleague). The  
problem is that you can still give your private key to somebody else.  
There's no real deterrent unless that private key is used for many  
other purposes, thereby discouraging sharing. But if that's the case,  
there's no real anonymity anymore, since the private key is tied to  
the person's identity.

I found that Chameleon Certificates had nice properties. You have a  
master certificate that lists all your attributes. For  
authentication, you generate an unlinkable slave certificate with any  
subset of attributes. You have to possess the master certificate at  
time of use to generate the slave certificate, so you can't pass a  
slave certificate to a friend for later use. Then you just need to  
ensure that the master certificate includes personal details like  
credit card number, SSN, etc. to deter sharing of master  
certificates. Note that the slave certificates won't have this  
information, so this personal information is safe as long as the  
master certificate is not leaked. Since sharing an attribute amounts  
to sharing all your attributes, including personal information, this  
property serves as a good deterrent. Maybe somebody else can comment  
on the technical viability + crypto details of the paper.

P. Persiano and I. Visconti. An Anonymous Credential System and a  
Privacy-Aware PKI. In Information Security
and Privacy, 8th Australasian Conference, ACISP 2003, volume 2727 of  
Lecture Notes in Computer Science. Springer Verlag, 2003. 

Here's the abstract:
 In this paper we present a non-transferable anonymous credential  
system that is based on the concept of a chameleon certificate. A  
chameleon certificate is a special certificate that enjoys two  
interesting properties. Firstly, the owner can choose which  
attributes of the certificate to disclose. Moreover, a chameleon  
certificate is multi-show in the sense that several uses of the same  
chameleon certificate by the same user cannot be linked together.

We adopt the framework of Brands [2] and our construction improves  
the results of Camenisch et al. [5] and Verheul [16] since it allows  
the owner of a certificate to prove general statements on the  
attributes encoded in the certificate and our certificates enjoy the  
multi-show property.


Apu Kapadia, Ph.D.
Research Fellow, Institute for Security Technology Studies (ISTS)
Dartmouth College, Hanover NH 03755, USA

On Apr 1, 2006, at 6:35 AM, Ben Laurie wrote:

It is possible to use blind signatures to produce anonymity-preserving
credentials. The general idea is that, say, British Airways want to
testify that I am a silver BA Executive Club cardholder. First I  
a random number (a nonce), I blind it, then send it to BA. They  
sign it

with their “this guy is a silver member” signing key, I unblind the
signature and then I can show the signed nonce to anyone who wants to
verify that I am silver. All they need to do is check the signature
against BA’s published silver member key. BA cannot link this nonce  

to me because they have never seen it, so they cannot distinguish me
from any other member.

However, anyone I show this proof to can then masquerade as a silver
member, using my signed nonce. So, it occurred to me that an easy  
way to

prevent this is to create a private/public key pair and instead of the
nonce use the hash of the public key. Then to prove my silver status I
have to show that both the hash is signed by BA and that I possess the
corresponding private key (by signing a nonce, say).

It seems to me quite obvious that someone must have thought of this
before - the question is who? Is it IP free?

Obviously this kind of credential could be quite useful in identity
management. Note, though, that this scheme doesn’t give me  
unless I only show each public/private key pair once. What I really  

is a family of unlinkable public/private key pairs that I can somehow
get signed with a single “family” signature (obviously this would need
to be unlinkably transformed for each member of the key family).




The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: security questions

2008-08-06 Thread Apu Kapadia

On Aug 6, 2008, at 12:17 PM, Leichter, Jerry wrote:

For Web sites these days, I generate random strong passwords and keep
them on a keychain on my Mac.  Actually, the keychain gets  

automatically across all my Mac's using .mac/MobileMe (for all their
flaws).  When I do this, I enter random values that I don't even
record for the security questions.  Should something go wrong, I'm
going to end up on the phone with a rep anyway, and they will have
some other method for authenticating me (or, of course, a clever
social-engineering attacker).

An except from my recent blog post:

Now, this topic is not new. Bruce Schneier wrote about it a few years  
ago [2]. Schneier says that he “type[s] a completely random answer,”  
but consider this anecdote: a colleague of mine uses the same  
technique. He called up customer service once, who then asked him,  
“what’s the answer to your security question?” He said, “some random  
numbers.” The response was “okay.” So picking random numbers might be  
less secure than picking a realistic answer? :-)


Apu Kapadia, Ph.D. UIUC 2005
Research Assistant Professor
Department of Computer Science, Dartmouth College, USA

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]