Crypto-Book: an architecture for privacy preserving online identities

Through cross-site authentication schemes such as OAuth and OpenID, users increasingly rely on popular social networking sites for their digital identities--but use of these identities brings privacy and tracking risks. We propose Crypto-Book, an extension to existing digital identity infrastructures that offers privacy-preserving, digital identities through the use of public key cryptography and ring signatures. Crypto-Book builds a privacy-preserving cryptographic layer atop existing social network identities, via third-party key servers that convert social network identities into public/private key-pairs on demand. Using linkable ring signatures, these key-pairs along with the public keys of other identities create unique pseudonyms untraceable back to the owner yet can resist anonymous abuse. Our proof-of-concept implementation of Crypto-Book creates public/private key pairs for Facebook users, and includes a private key pickup protocol based on E-mail. We present Black Box, a case study application that uses Crypto-Book for accountable anonymous whistle-blowing. Black Box allows users to sign files deniably using ring signatures, using a list of arbitrary Facebook users -- who need not consent or even be aware of this use -- as an explicit anonymity set.

[1]  Prateek Mittal,et al.  EASiER: encryption-based access control in social networks with efficient revocation , 2011, ASIACCS '11.

[2]  Dakshi Agrawal,et al.  Limits of Anonymity in Open Environments , 2002, Information Hiding.

[3]  George Danezis,et al.  Statistical Disclosure or Intersection Attacks on Anonymity Systems , 2004, Information Hiding.

[4]  Suziah Sulaiman,et al.  Analysis of Open Environment Sign-in Schemes-Privacy Enhanced & Trustworthy Approach , 2011 .

[5]  Ueli Maurer,et al.  Non-interactive Public-Key Cryptography , 1991, EUROCRYPT.

[6]  Evangelos P. Markatos,et al.  SudoWeb: Minimizing Information Disclosure to Third Parties in Single Sign-on Platforms , 2011, ISC.

[7]  Ryu Watanabe,et al.  Account Management Method with Blind Signature Scheme , 2011 .

[8]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[9]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[10]  Saikat Guha,et al.  NOYB: privacy in online social networks , 2008, WOSN '08.

[11]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[12]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[13]  Bryan Ford,et al.  Scalable Anonymous Group Communication in the Anytrust Model , 2012 .

[14]  Toshiya Itoh,et al.  An ID-based cryptosystem based on the discrete logarithm problem , 1989, IEEE J. Sel. Areas Commun..

[15]  Detlef Hühnlein,et al.  Towards Practical Non-interactive Public Key Cryptosystems Using Non-maximal Imaginary Quadratic Orders , 2000, Selected Areas in Cryptography.

[16]  David Wolinsky,et al.  Dissent in Numbers: Making Strong Anonymity Scale , 2012, OSDI.

[17]  Eran Hammer-Lahav,et al.  The OAuth 1.0 Protocol , 2010, RFC.

[18]  Arkajit Dey,et al.  PseudoID: Enhancing Privacy in Federated Login , 2010 .

[19]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[20]  Yael Tauman Kalai,et al.  How to Leak a Secret: Theory and Applications of Ring Signatures , 2001, Essays in Memory of Shimon Even.

[21]  Jean-François Raymond,et al.  Traffic Analysis: Protocols, Attacks, Design Issues, and Open Problems , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[22]  Qi Xie,et al.  FaceCloak: An Architecture for User Privacy on Social Networking Sites , 2009, 2009 International Conference on Computational Science and Engineering.

[23]  Bryan Ford,et al.  Dissent: accountable anonymous group messaging , 2010, CCS '10.

[24]  David Chaum,et al.  Group Signatures , 1991, EUROCRYPT.

[25]  Yvo Desmedt,et al.  Public-Key Systems Based on the Difficulty of Tampering (Is There a Difference Between DES and RSA?) , 1986, CRYPTO.

[26]  David Wolinsky,et al.  Faceless: decentralized anonymous group messaging for online social networks , 2012, SNS '12.

[27]  Elaine Shi,et al.  Opaak: using mobile phones to limit anonymous identities online , 2012, MobiSys '12.

[28]  Shirley M. Radack Updated Digital Signature Standard Approved as Federal Information Processing Standard (FIPS)186-3 | NIST , 2009 .

[29]  Refik Molva,et al.  Safebook: A privacy-preserving online social network leveraging on real-life trust , 2009, IEEE Communications Magazine.

[30]  Hatsukazu Tanaka A Realization Scheme for the Identity-Based Cryptosystem , 1987, CRYPTO.

[31]  Joseph K. Liu,et al.  Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups (Extended Abstract) , 2004, ACISP.

[32]  Nikita Borisov,et al.  FlyByNight: mitigating the privacy risks of social networking , 2008, WPES '08.