Re: IBM donates new privacy tool to open-source Higgins

2007-02-05 Thread Anne Lynn Wheeler

Anne  Lynn Wheeler wrote: 

from above:

The encrypted credentials would be for one-time use only. The next purchase or 
other transaction will require a new credential. The process is similar to the 
one-time-use credit card numbers that Citigroup card holders can already 
generate on the bank's Web site.

... snip ...

past post: IBM donates new privacy 
tool to open-source Higgins

... so if you had to go to the credential issuing website every time you needed 
a one-time use credential (one-time use is countermeasure to replay attacks 
involve static data credentials) ... what mechanism are you using to 
authenticate yourself to the credential issuing website.

if the mechanism for authentication to the credential issuing website is of 
reasonably strong security ... then why don't you use that mechanism directly 
in the regular transaction ... rather than having to have an intermediary 
credential involved.

this is somewhat the argument used about digital certificates being redundant 
and superfluous in an online environment ... whatever was used to acquire the 
(x.509 identity) digital certificate ... especially a relying-party-only 
digital certificate

to avoid repeatedly spraying personal information all over the world ... just 
use that interaction directly ... and avoid the superfluous and redundant 
digital certificate.

this is the certificateless public key infrastructure operation

in the x9.59 financial standard transaction

or in the similar FAST transaction (for matters other than financial 
transaction authorization) done by FSTC in the 90s

one might claim that this new mechanism is another approach to addressing the enormous privacy exposure represented by the x.509 identity digital certificates from the early 90s ... but my oft repeated claim is that the while credentialing and certificate paradigm is left-over from the offline era. in the online era ... if the relying party either 1) has their own online information and/or 2) has online, realtime access to the responsible authoritative agency or institution ... then credentials and certificates purely represent relics predating online infrastructures. 

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: IBM donates new privacy tool to open-source Higgins

2007-02-04 Thread Hal Finney
John Gilmore forwards:

 IBM donates new privacy tool to open-source
   By  Joris Evers
   Staff Writer, CNET
   Published: January 25, 2007, 9:00 PM PST

 IBM has developed software designed to let people keep personal  
 information secret when doing business online and donated it to the  
 Higgins open-source project.

   The software, called Identity Mixer, was developed by IBM  
 researchers. The idea is that people provide encrypted digital  
 credentials issued by trusted parties like a bank or government agency  
 when transacting online, instead of sharing credit card or other  
 details in plain text, Anthony Nadalin, IBM's chief security architect,  
 said in an interview.

I just wanted to note that the idemix software implements what we
sometimes call Camenisch credentials.  This is a very advanced credential
system based on zero knowledge and group signatures.  The basic idea is
that you get a credential on one pseudonym and can show it on another
pseudonym, unlinkably.  More advanced formulations also allow for
credential revocation.  I don't know the specifics of what this software
implements, and I'm also unclear about the patent status of some of the
more sophisticated aspects, but I'm looking forward to being able to
experiment with this technology.

Hal Finney

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: IBM donates new privacy tool to open-source Higgins

2007-02-03 Thread Anne Lynn Wheeler

John Gilmore wrote:

IBM donates new privacy tool to open-source
  By  Joris Evers
  Staff Writer, CNET
  Published: January 25, 2007, 9:00 PM PST


For example, when making a purchase online, buyers would provide an  
encrypted credential issued by their credit card company instead of  
actual credit card details. The online store can't access the  
credential, but passes it on to the credit card issuer, which can  
verify it and make sure the retailer gets paid.

  This limits the liability that the storefront has, because they don't  
have that credit card information anymore, Nadalin said. All you hear  
about is stores getting hacked.

  Similarly, an agency such as the Department of Motor Vehicles could  
issue an encrypted credential that could be used for age checks, for  
example. A company looking for such a check won't have to know an  
individual's date of birth or other driver's license details; the DMV  
can simply electronically confirm that a person is of age, according to  

this was somewhat the issue with x.509 identity certificates from the early 90s,
they were being overloaded with personal information ... and then the proposal
that everybody should then spray such digital certificates frequently all
over the world. in this period, they were also being touted for use in
electronic driver's licenses, passports, etc.

In the mid-90s, with the realization of the enormous privacy exposures of
such a paradigm ... there was some parties retrenching to relying-party-only
certificates ... basically a record pointer ... which was then used as
reference to the record with the necessary information ... and only the
absolutely necessary information was then divulged.

however, it was trivially possible to demonstrated that the actual
digital certificate was redundant and superfluous ... all that was
necessary was the record pointer, a digital signature ... and the
responsible agency could verify the digital signature with public
key on file ... at the same time they processed the request using
the record pointer.

This was basically the FSTC organizations

model for FAST (financial authenticated secure transaction). The transaction
is mapped into existing ISO 8583 message and uses the existing infrastructure
operations. Rather then divulging age, a FAST (/8583) transaction ... digital
signed by the individual ... could ask whether the person meets some age
criteria, address criteria, etc ... getting YES/NO response ... w/o divulging
any additional information (like actual date of birth). This was modeled
after existing (ISO 8583, debit, credit, etc) financial transaction which 
effectively asks whether the merchant gets paid or not (simply YES/NO


This is also, effectively the X9.59 financial standard

The X9A10 financial standard working group, in the mid-90s was given the
requirement to preserve the integrity of the financial infrastructure for
all retail payments. The transaction is sent with digital signature,
the responsible agency validates the digital signature, examines the
transaction request and then responds YES/NO regarding whether the
merchant gets paid or not.

The other characteristic of X9.59 was that it included a business rule that
X9.59 account numbers couldn't be used in non-X9.59 transaction. That
made the associated account numbers (record pointers) unusable w/o the
accompanying digital signature i.e. random people couldn't generate
random (valid) transactions against the account number/record number.
This had the effect of eliminating a lot of the existing skimming/harvesting

It isn't necessary to have an encrypted credential ... since if it was
purely static data ... and simply presenting such static data exposes
the infrastructure to various kinds of replay attack. In that sense,
the static data can be any recognizable information specific to the
responsible agency handling the transaction. The static data is used
by the responsible party to lookup the actual information (including,
if necessary the public key)  ... and the digital signature on every 
transaction prevents various kinds of replay attacks ... that might be
possible in an infrastructure relying on only static data. If the 
agency is going to lookup something (rather than have it carried around

in large encrypted packet ...) then it becomes immaterial whether the
actual (static data) record locator is encrypted or not.

related post in this thread:  Securing financial transactions a 
high priority for 2007  Securing financial transactions a 
high priority for 2007