
Identity Management through Privacy-Preserving Authentication

Ewa Syta
Ph.D. thesis advised by Bryan Ford
August 11, 2015


Maintaining privacy on the Internet is increasingly difficult in this ever-connected world. In most cases, our online interactions are a highly personalized experience and require some form of identity verification, most commonly logging into an account. Unfortunately, people frequently give away a lot of information while obtaining accounts, reuse usernames and passwords across different services, or link their accounts to take advantage of single sign-on and avoid retyping passwords. This seriously blurs the line between different aspects of one's digital life, specifically the personal and the professional, as services dedicated to personal use (e.g., Facebook, bank accounts) and to professional use (e.g., LinkedIn, a corporate email account) become intertwined.

Identity management, the process of making decisions about online identities or accounts, is inherently linked to authentication, the process of creating and using online identities. However, the link between these two critical concepts is not always clear, both because the terms themselves are poorly understood and because there is no established terminology for describing them. Identity management is further hindered by the lack of privacy-preserving authentication solutions that target specific applications and produce identities appropriate for those applications. Depending on the application, effective solutions for managing identities can differ widely and may require unusual or unexpected properties. In certain cases, allowing users to hide their identity is as valuable as providing unforgeable identities. Nonetheless, currently deployed authentication protocols do not reflect this.

In response, we make the following contributions. We carefully analyze the relationships between authentication, privacy and identity management and discover subtle yet important distinctions between the related concepts. As a result, we propose new terminology in order to clarify and draw distinctions between these critical concepts. We identify two distinct cases of authentication and propose privacy-preserving protocols to implement them. The protocols, PrivateEyes and DAGA, target different applications and produce identities that balance the requirements of their intended applications as well as their clients’ privacy and security needs.

PrivateEyes is an efficient remote biometric identification protocol. It uses unique biometric characteristics in a privacy-preserving fashion for client verification, producing an identity that is suitable for applications requiring a high level of assurance of the client’s real-world identity.

DAGA is a deniable anonymous authentication protocol. It offers four properties that give clients strong security and privacy protection, making it suitable for applications such as whistleblowing or access to sensitive resources: anonymity, proportionality, deniability, and forward anonymity. Anonymity lets a client authenticate as some member of a group without revealing which one; proportionality limits each client to one such authentication per time period. Deniability makes it possible to deny ever having participated in the protocol, while forward anonymity keeps past authentications anonymous even if the client's private key is later compromised.
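The following Python is an added example, not DAGA and not code from the thesis: it implements a small linkable ring signature (a per-period variant of the LSAG construction of Liu, Wei and Wong) to make anonymity and proportionality concrete. Each client holds a discrete-log key pair. To authenticate, it proves that it knows the private key behind one of the group's public keys without saying which, and attaches a linkage tag h_r^x computed from a per-period generator h_r whose discrete log is unknown. The same client produces the same tag throughout a period, so a server can refuse a second authentication, while tags from different periods cannot be linked to each other or to the public key. DAGA reaches these two properties with a different, server-assisted construction and additionally provides deniability and forward anonymity, which this example does not. All names, the 24-bit toy group and the four-member scenario are the example's own assumptions.

```python
"""Toy linkable ring signature (per-period variant of the LSAG scheme of Liu, Wei and
Wong) illustrating anonymity and proportionality.  Added example: not DAGA, not thesis code."""
import hashlib
import secrets

def _is_prime(n: int) -> bool:
    """Trial division; adequate for the toy ~24-bit modulus used below."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, int(n ** 0.5) + 1, 2))

def _safe_prime(start: int) -> int:
    p = start | 1  # first safe prime p = 2q + 1 at or above start
    while not (_is_prime(p) and _is_prime((p - 1) // 2)):
        p += 2
    return p

P = _safe_prime(1 << 24)  # toy modulus (assumption: demo only, far too small for real use)
Q = (P - 1) // 2          # prime order of the quadratic-residue subgroup
G = 4                     # a quadratic residue other than 1, hence a generator of order Q

def _ring(pubkeys: list[int]) -> bytes:
    return b"".join(y.to_bytes(8, "big") for y in pubkeys)

def _challenge(ring: bytes, tag: int, msg: bytes, L: int, R: int) -> int:
    """Fiat-Shamir challenge in Z_Q over ring, tag, message and one commitment pair."""
    data = ring + tag.to_bytes(8, "big") + len(msg).to_bytes(4, "big") + msg
    data += L.to_bytes(8, "big") + R.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def period_generator(period: bytes) -> int:
    """Per-period base h_r: hash into [2, P-2], square into the order-Q subgroup.
    log_G(h_r) is unknown, so a tag h_r^x cannot be matched against G^x."""
    x = 2 + int.from_bytes(hashlib.sha256(b"period|" + period).digest(), "big") % (P - 3)
    return pow(x, 2, P)

def keygen() -> tuple[int, int]:
    """Return (private x, public y = G^x)."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def sign(msg: bytes, period: bytes, pubkeys: list[int], idx: int, x: int):
    """Sign msg as an unnamed member of pubkeys; the signer is pubkeys[idx] with key x.
    Returns (tag, c0, s): tag = h_r^x is the same for every signature this client
    makes in this period and unlinkable to its tags in other periods."""
    n, h, ring = len(pubkeys), period_generator(period), _ring(pubkeys)
    tag = pow(h, x, P)
    c, s = [0] * n, [0] * n
    u = 1 + secrets.randbelow(Q - 1)
    c[(idx + 1) % n] = _challenge(ring, tag, msg, pow(G, u, P), pow(h, u, P))
    for k in range(1, n):  # simulate every other member with a random response
        i = (idx + k) % n
        s[i] = secrets.randbelow(Q)
        L = pow(G, s[i], P) * pow(pubkeys[i], c[i], P) % P
        R = pow(h, s[i], P) * pow(tag, c[i], P) % P
        c[(i + 1) % n] = _challenge(ring, tag, msg, L, R)
    s[idx] = (u - c[idx] * x) % Q  # close the ring with the real secret
    return tag, c[0], s

def verify(msg: bytes, period: bytes, pubkeys: list[int], sig) -> bool:
    """Recompute the challenge chain; it closes iff some member signed with a key x
    matching tag = h_r^x, without revealing which member."""
    tag, c0, s = sig
    if len(s) != len(pubkeys) or not 1 < tag < P:
        return False
    h, ring, c = period_generator(period), _ring(pubkeys), c0
    for y, si in zip(pubkeys, s):
        L = pow(G, si, P) * pow(y, c, P) % P
        R = pow(h, si, P) * pow(tag, c, P) % P
        c = _challenge(ring, tag, msg, L, R)
    return c == c0

class Server:
    """Verifier enforcing proportionality: at most one accepted tag per period."""
    def __init__(self, pubkeys: list[int]):
        self.pubkeys, self.seen = pubkeys, {}

    def authenticate(self, msg: bytes, period: bytes, sig) -> bool:
        if not verify(msg, period, self.pubkeys, sig):
            return False
        tags = self.seen.setdefault(period, set())
        if sig[0] in tags:
            return False  # this member already authenticated in this period
        tags.add(sig[0])
        return True

def demo() -> dict:
    """Constructed scenario: four members; member 1 tries to authenticate twice."""
    keys = [keygen() for _ in range(4)]
    pub = [y for _, y in keys]
    srv = Server(pub)
    a = sign(b"login", b"2015-08", pub, 1, keys[1][0])
    b = sign(b"login", b"2015-08", pub, 1, keys[1][0])  # same member, same period
    c = sign(b"login", b"2015-08", pub, 2, keys[2][0])  # a different member
    d = sign(b"login", b"2015-09", pub, 1, keys[1][0])  # same member, next period
    return {
        "first_accepted": srv.authenticate(b"login", b"2015-08", a),
        "repeat_rejected": not srv.authenticate(b"login", b"2015-08", b),
        "other_member_accepted": srv.authenticate(b"login", b"2015-08", c),
        "next_period_accepted": srv.authenticate(b"login", b"2015-09", d),
        "tags_unlinkable_across_periods": a[0] != d[0],
    }
```

The group is deliberately tiny so the example runs instantly; what matters is the shape of the exchange. The verifier learns that some member of the ring signed and learns the tag, which is exactly the information proportionality needs and nothing more; because h_r changes every period and its discrete log is unknown, neither the server nor anyone who later sees the transcript can connect a tag to a public key or to the same client's tag in another period.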

Ph.D. Thesis: PDF

Topics: Security, Privacy, Anonymity, Identity, Cryptography, Biometrics, Bryan Ford