Digital credential
Digital credentials are the digital equivalent of paper-based credentials. Just as a paper-based credential could be a passport, a driver's license, a membership certificate or some kind of ticket to obtain some service, such as a cinema ticket or a public transport ticket, a digital credential is a proof of qualification, competence, or clearance that is attached to a person. Also, digital credentials prove something about their owner. Both types of credentials may contain personal information such as the person's name, birthplace, birthdate, and/or biometric information such as a picture or a fingerprint.

Because of the still evolving, and sometimes conflicting, terminologies used in the fields of computer science, computer security, and cryptography, the term "digital credential" is used quite confusingly in these fields. Sometimes passwords or other means of authentication are referred to as credentials. In operating system design, credentials are the properties of a process (such as its effective UID) that are used for determining its access rights. On other occasions, certificates and associated key material such as those stored in PKCS #12 and PKCS #15 are referred to as credentials.

Often, however, digital credentials, like digital cash, are associated only with anonymous digital credentials. Such credentials, while still making an assertion about some property, status, or right of their owner, do not reveal the owner's identity. Still, the basic concept of a credential must be kept separate from the question of whether it is anonymous or identified.

Definition

The dictionary defines credential as "evidence of authority, status, rights, entitlement to privileges, or the like, usually in written form". However, in this article, we will be focusing on the digital form.

Real world, digital world analogy

Real world credentials are a diverse social phenomenon, and as such are difficult to define. As with digital signatures, it is misleading to assume a direct correspondence between the real-world and the digital concept. This holds even if defining criteria for credentials in the digital world could be agreed on.

Let us look at the lot of digital signatures. On the one hand, the success of digital signatures as a replacement for paper-based signatures has lagged behind expectations. On the other hand, many unexpected uses of digital signatures were discovered by recent cryptographic research. A related insight that can be learned from digital signatures is that the cryptographic mechanism must not be confused with the overall process that turns a digital signature into something that has more or less the same properties as a paper-based signature. Electronic signatures such as paper signatures sent by fax may have legal meaning, while secure cryptographic signatures may serve completely different purposes. We need to distinguish the algorithm from the process.

Digital cash and digital credentials

Why is it that digital cash is associated with digital credentials, while paper or metal coins are usually not considered to be genuine real world credentials? Money is usually not seen as a qualification that is attached to a specific person. Token money is taken to have a value on its own. We now consider a specific property of digital assets: they are easily copied. Consequently, digital cash protocols have to make an extra effort to avoid the double spending of coins. Remember that credentials are a proof of qualification that is attached to a person. Digital cash uses the following technique. E-coins are given to individuals, who cannot pass them on to others, but can only spend them with merchants. As long as they spend a coin only once, they are anonymous, but should they spend a coin twice, they become identifiable and appropriate actions can be taken by the bank. This binding to an individual is why digital cash and digital credentials share many commonalities. In fact, most implementations of anonymous digital credentials also realise digital cash.
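The "anonymous once, identifiable twice" property can be made concrete with a discrete-log construction in the style of offline e-cash. The following sketch is an added example, not taken from the article: the group parameters are toy values, the bank's blind signature on the coin is omitted, and all function names are hypothetical.

```python
import secrets

# Toy group (assumption): the order-Q subgroup of Z_P*, with P = 2Q + 1.
# These sizes are for illustration only and offer no security.
P, Q = 2039, 1019
G1, G2 = 4, 9  # two squares mod P, so both generate the order-Q subgroup


def withdraw(u):
    """The user with account secret u builds a coin. The bank knows I = G1^u.
    In a real scheme the bank would blindly sign (A, B); that step is omitted."""
    s = secrets.randbelow(Q - 1) + 1                 # nonzero blinding factor
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    identity = pow(G1, u, P)
    A = pow(identity * G2 % P, s, P)                 # (I * G2)^s hides I
    B = pow(G1, x1, P) * pow(G2, x2, P) % P          # one-time commitment
    return {"A": A, "B": B, "u": u, "s": s, "x1": x1, "x2": x2}


def spend(coin, d):
    """Answer the merchant's challenge d with one point on the coin's line."""
    r1 = (d * coin["u"] * coin["s"] + coin["x1"]) % Q
    r2 = (d * coin["s"] + coin["x2"]) % Q
    return (d, r1, r2)


def merchant_accepts(A, B, transcript):
    """Check G1^r1 * G2^r2 == A^d * B without learning u or s."""
    d, r1, r2 = transcript
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(A, d, P) * B % P


def trace_double_spender(t1, t2):
    """Given two transcripts of the same coin, the bank recovers I = G1^u.
    Returns None when the transcripts do not differ (a single spend)."""
    (_, r1, r2), (_, p1, p2) = t1, t2
    denom = (r2 - p2) % Q                            # (d - d') * s
    if denom == 0:
        return None
    u = (r1 - p1) * pow(denom, -1, Q) % Q            # (d - d')*u*s / (d - d')*s
    return pow(G1, u, P)


if __name__ == "__main__":
    coin = withdraw(u=123)                           # constructed account secret
    first, second = spend(coin, 5), spend(coin, 77)  # two merchants' challenges
    print(merchant_accepts(coin["A"], coin["B"], first))
    print(trace_double_spender(first, second) == pow(G1, 123, P))
```

A single transcript gives two equations in four unknowns, so it is consistent with every possible account secret; only the second spend of the same coin fixes the value.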

Anonymous digital credentials

The main idea behind anonymous digital credentials is that users are given cryptographic tokens which allow them to prove statements about themselves and their relationships with public and private organizations anonymously. This is seen as a more privacy-friendly alternative to keeping and using large centralized and linkable user records. Anonymous digital credentials are thus related to privacy and anonymity.
Paper world analogues of personalized, or non-anonymous, credentials are: passports, driving licenses, credit cards, health insurance cards, club membership cards etc. These contain the name of the owner and have some authenticating information such as a signature, PIN or photograph, to stop them being used by anyone other than the rightful owner. Paper world analogues of anonymous credentials are: money, bus and train tickets, and game-arcade tokens. These don't have any personally identifying information and consequently can be transferred between users without the issuers or relying parties being aware of this. Credentials are issued by organizations that ascertain the authenticity of the information which can be provided to verifying entities on demand.

In order to investigate certain privacy-specific properties of credentials, we take a more detailed look at two kinds of 'credentials', physical money and credit cards. Without doubt both of them provide adequate information for doing payment transactions. However, the amount and quality of the information disclosed varies. Money is protected from forgery by its physical properties. Beyond that, only very little information is revealed:
Coins feature an engrained value and the year of coining; in addition bank notes contain a unique serial number in order to provide the traceability required by law enforcement.

On the other hand the use of a credit card, whose main purpose is similar to money, allows for the creation of highly detailed records about the card owner. Credit cards are therefore not privacy protecting. The main privacy advantage of money is that its users can remain anonymous. There are however other security and usability properties that make real world cash popular.

Credentials used in a national identification system are also especially privacy relevant. Such an ID, be it a passport, a driver's license, or some other type of card usually contains essential personal information. In certain situations it may be advantageous to reveal only parts of the information contained on the ID, e.g., some lower limit for the person's age or the fact that the person is capable of driving a car.

Anonymous digital credentials and pseudonyms

The original anonymous credential system proposed by David Chaum is sometimes also referred to as a pseudonym system. This stems from the fact that the credentials of such a system are obtained from and shown to organizations using different pseudonyms which cannot be linked.

The introduction of pseudonyms is a useful extension to anonymity.
Pseudonyms allow users to choose a different name with each organization. While pseudonyms allow organizations to associate users with accounts, organizations cannot determine the real identities of their customers. Nevertheless, using an anonymous credential, certain statements about the relationship of a user with one organization, under a pseudonym, can be proven to another organization that knows the user only under a different pseudonym.

History of anonymous digital credentials

As already mentioned, anonymous credential systems are related to the concept of untraceable or anonymous payments. In this important work, Chaum presents a new cryptographic primitive, blind signature protocols. In such a scheme the signer neither learns the message he signs, nor the signature the recipient obtains for his message. Blind signatures are an important building block of many privacy-sensitive applications, such as anonymous payments, voting, and credentials.
The original idea for an anonymous credential system was derived from blind signatures, but relied on a trusted party for credential transfer, that is, the translation from one pseudonym to another.
The blind signature scheme introduced by Chaum was based on RSA signatures.
Blind signature schemes based on the discrete logarithm problem can also be used for constructing anonymous credential systems.
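The RSA-based blind signature described above can be traced step by step in a few lines. This is an added example, not code from the article or from Chaum's work: it uses textbook RSA without padding, a toy key built from two Mersenne primes, and hypothetical function names.

```python
import hashlib
import secrets
from math import gcd

# Toy signer key (assumption): two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # signer's private exponent


def digest(message: bytes) -> int:
    """Map the message into Z_N (textbook full-domain hash stand-in)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def blind(message: bytes):
    """Recipient: hide the digest m as m * r^E mod N with a random r."""
    m = digest(message)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:            # r must be invertible mod N
            break
    return (m * pow(r, E, N)) % N, r


def sign_blinded(blinded: int) -> int:
    """Signer: an ordinary RSA private-key operation on the blinded value."""
    return pow(blinded, D, N)         # equals m^D * r mod N


def unblind(blind_sig: int, r: int) -> int:
    """Recipient: strip the factor r, leaving the plain signature m^D."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(message: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(message)


def demo():
    msg = b"member of organization X"   # constructed sample message
    blinded, r = blind(msg)
    blind_sig = sign_blinded(blinded)   # everything the signer ever sees
    sig = unblind(blind_sig, r)
    return {
        "valid": verify(msg, sig),
        "signer_saw_message": blinded == digest(msg),
        "signer_saw_signature": blind_sig == sig,
    }


if __name__ == "__main__":
    print(demo())
```

Because r is uniform among the invertible residues, the blinded value is itself uniformly distributed, so the signer cannot later match a presented signature to the signing session that produced it.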

Stefan Brands generalized digital credentials to a great extent with his secret-key certificate based credentials, improving on Chaum's basic blind-signature based system in both the discrete log and strong RSA assumption settings. Brands credentials provide the fullest feature set, the most efficient algorithms by a large margin, and privacy in an unconditional security setting. Brands has tight proofs of security, and compact credential representation and messages. Brands credentials have seen commercial use in DigiCash, the ecafe ESPRIT project, Zero-Knowledge Systems and Credentica. Brands protocols have seen wider security peer-review than the competing systems. Brands credentials are 1 to 2 orders of magnitude more computationally efficient than the comparable alternatives. They also include an efficient observer setting (augmenting security with a low performance smart card without compromising privacy guarantees). They offer many other features missing in competing, less efficient systems, such as the ability to demonstrate boolean formulas in the attributes, to demonstrate ranges in attributes without revealing specific values, and to combine attributes from different credentials and even different issuers, as well as a privacy-preserving blacklist method using an efficient zero-knowledge proof of non-membership in the blacklist.

It is worth mentioning another credential form that adds a new feature to anonymous credentials: multi-show unlinkability. These are the group signature related credentials of Camenisch et al. The introduction of group signatures opened up the possibility of multi-show unlinkable showing protocols.
While blind signatures are highly relevant for electronic cash and one-show credentials, a new cryptographic primitive, called group signature, opened new possibilities for the construction of privacy enhancing protocols. As is observed in their article, group signatures bear a resemblance to Chaum's concept of credential systems.

Using a group signature scheme, the members of a group can sign a message with their respective secret keys. The resulting signature can be verified by everyone who knows the common public key, but the signature does not reveal any information about the signer except that she is a member of the group. Usually there exists another entity called the group manager, who can reveal the exact identity of the signer, and handles the adding of users to and the removal of users from the group, usually by issuing or revoking group membership certificates.
The anonymity, unlinkability, and anonymity revocation provided by group signatures lend themselves to a variety of privacy-sensitive applications like voting, bidding, anonymous payment, and anonymous credentials.

An efficient construction for group signatures was given by Ateniese, Camenisch, Joye, and Tsudik.
The most efficient multi-show unlinkable anonymous credential systems—the latter is essentially a low profile version of idemix—are based on similar ideas. This is particularly true for credential systems that provide efficient means for implementing anonymous multi-show credentials with credential revocation.

Both schemes are based on techniques for doing proofs of knowledge.
Proofs of knowledge relying on the discrete logarithm problem for groups of known order and on the special RSA problem for groups of hidden order form the basis for most of today's group signature and anonymous credential systems. Moreover, direct anonymous attestation, a protocol for authenticating trusted platform modules, is based on the same techniques.

Direct anonymous attestation can be seen as the first commercial application of multi-show anonymous digital credentials, even though in this case credentials are not attached to persons, but to chips and consequently computer platforms.

From an application's point of view, the main advantage of Camenisch et al.'s multi-show unlinkable credentials over the more efficient Brands credentials is the multi-show unlinkable property. However, this property is mainly of practical interest in an off-line setting. Brands credentials provide a mechanism that gives analogous functionality without sacrificing performance: an efficient batch issuing protocol which can simultaneously issue many unlinkable credentials. This mechanism can be combined with a privacy-preserving certificate refresh process (which gives a fresh unlinkable credential with the same attributes as a previously spent credential).

See also

  • Electronic commerce
  • Privacy enhancing technologies
  • Anonymous internet banking
  • Cypherpunks
  • Smart contract
  • Token money
  • Trust negotiation
  • Credentials
  • Direct anonymous attestation

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.