Overview of ISO/IEC 18013-5: Innovations and Vulnerabilities in the mDL Standard

Two weeks ago I gave a talk about the mobile driver’s license
standard at IIW XXXVII, the 37th meeting of the Internet Identity
Workshop, which took place as usual at the Computer History
Museum in Mountain View.

One of the great things about IIW is that the agenda is created each
day. That makes it possible for people interested in the same topic
to merge their sessions. When I announced the session that I wanted
to convene, Andrew Hughes “hijacked my session”, as he said, to
present a progress update on the series of ISO driving license
standards, which was a perfect introduction to the details of part 5
of the series that I discussed in the second half of the session.
Andrew is a member of the committee that wrote ISO/IEC 18013-5, and
other committee members came to the combined session. The notes of
the session, taken by Dan Bachenheimer, will eventually be in the
Book of Proceedings, and can now be found here. My slides were
based in part on an early draft of a chapter of a book on
Foundations of Cryptographic Authentication that I am coauthoring
with Sukhi Chuhan and Veronica Wojnas.

The mDL standard has many interesting innovations and privacy features.

One innovation, explained in slide 26, is the inclusion of
self-asserted (device-signed) and certified (issuer-signed) data
elements in the same credential. One wouldn’t expect to find
self-asserted claims in a driver’s license, and Section 8.3.2.1.2.2
explicitly says that the structure containing the device-signed
elements may be empty. But the mDL standard is in fact a general
purpose standard for mobile credentials, which competes with
verifiable credentials as discussed in this UL white paper.

Both kinds of data elements are retrieved in an encrypted session
established by an ECDH key agreement where both parties use
ephemeral key pairs and therefore neither party is authenticated.
After the session has been established, the mobile device that
carries the credential authenticates as a side-effect of signing the
list of self-asserted data elements requested by the reader, whether
or not it is empty!

Another innovation, explained in slide 28, is a clever use of an
asymmetric key pair to produce a repudiable symmetric signature (an
“ECDH-agreed MAC”), and a third innovation, explained in slide 29,
is a clever adaptation of OpenID Connect to a use case where it
would not seem to be applicable.
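The ECDH-agreed MAC described above, as an added example that is not code from the standard, the slides or the post. It assumes the device uses a key pair whose public key the issuer certified and the reader uses a fresh key pair; the KDF salt, the `EMacKey` label and the payloads are illustrative.

```javascript
// Added example: an ECDH-agreed MAC between a device and a reader (simplified).
const crypto = require('crypto');

function newKeyPair() {
  const kp = crypto.createECDH('prime256v1');
  kp.generateKeys();
  return kp;
}

// MAC key = HKDF(ECDH shared secret). The salt and the 'EMacKey' label are
// illustrative KDF inputs, not a byte-exact rendering of the standard.
function macKey(ownKeyPair, peerPublicKey, transcript) {
  const shared = ownKeyPair.computeSecret(peerPublicKey);
  const salt = crypto.createHash('sha256').update(transcript).digest();
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, 'EMacKey', 32));
}

function tag(ownKeyPair, peerPublicKey, transcript, payload) {
  return crypto.createHmac('sha256', macKey(ownKeyPair, peerPublicKey, transcript))
    .update(payload).digest();
}

function macDemo() {
  const device = newKeyPair();   // assumption: public key certified by the issuer
  const reader = newKeyPair();   // fresh key pair for this session
  const transcript = Buffer.from('constructed session transcript');
  const payload = Buffer.from('{"deviceSigned":{}}'); // empty self-asserted list

  // Device authenticates the (possibly empty) list; the reader recomputes the
  // tag from its own private key and the device's certified public key.
  const deviceTag = tag(device, reader.getPublicKey(), transcript, payload);
  const readerTag = tag(reader, device.getPublicKey(), transcript, payload);
  const verified = crypto.timingSafeEqual(deviceTag, readerTag);

  // Repudiability: the reader holds the same MAC key, so it can compute a valid
  // tag on data the device never sent. The tag proves nothing to a third party.
  const other = Buffer.from('{"deviceSigned":{"constructed":"never sent"}}');
  const readerMade = tag(reader, device.getPublicKey(), transcript, other);
  const readerCanProduce = crypto.timingSafeEqual(
    readerMade, tag(device, reader.getPublicKey(), transcript, other));

  // A party outside the key agreement derives a different key.
  const outsider = newKeyPair();
  const outsiderRejected = !crypto.timingSafeEqual(
    tag(outsider, device.getPublicKey(), transcript, payload), deviceTag);
  return { verified, readerCanProduce, outsiderRejected };
}
```

Unlike a device signature, the tag convinces only the reader that took part in the key agreement, which is what makes it repudiable.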

Privacy features include declaration by the relying party of the
intent to retain some of the data elements, data minimization using
selective disclosure, and proof of age without revealing the
birthdate by means of age attestations.

Selective disclosure is implemented by means of cryptographic
hashing, as explained in slide 11. Full unlinkability (protection
against tracking by collusion of the issuer and the relying parties)
is not provided, but selective disclosure based on hashing combined
with age attestations provides the key benefits of data minimization
and proof of age in a simpler way than anonymous credentials.
Alternative implementations of selective disclosure, based on hash
functions or proofs of knowledge, are described in slides
12-23.
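Selective disclosure by hashing, together with an age attestation, as an added example that is not code from the standard, the slides or the post. JSON stands in for the standard's encoding, and the element names, values and function names are constructed for illustration.

```javascript
// Added example: salted-hash selective disclosure (JSON stands in for the real encoding).
const crypto = require('crypto');

// Digest of one data element over a per-element random salt, its name and value.
function digestItem(item) {
  return crypto.createHash('sha256')
    .update(JSON.stringify([item.salt, item.name, item.value])).digest('hex');
}

// Issuer: salt every element and sign only the list of digests.
function issue(attributes, issuerPrivateKey) {
  const items = Object.entries(attributes).map(([name, value]) =>
    ({ name, value, salt: crypto.randomBytes(16).toString('hex') }));
  const signedObject = JSON.stringify({ digests: items.map(digestItem) });
  const signature = crypto.sign('sha256', Buffer.from(signedObject), issuerPrivateKey);
  return { items, signedObject, signature };
}

// Holder: release only the requested elements plus the signed digest list.
function present(credential, requestedNames) {
  return {
    disclosed: credential.items.filter((i) => requestedNames.includes(i.name)),
    signedObject: credential.signedObject,
    signature: credential.signature,
  };
}

// Verifier: check the issuer signature, then match each disclosed element
// against a signed digest. Returns the accepted claims, or null on any failure.
function verify(presentation, issuerPublicKey) {
  const signed = Buffer.from(presentation.signedObject);
  if (!crypto.verify('sha256', signed, issuerPublicKey, presentation.signature)) return null;
  const digests = new Set(JSON.parse(presentation.signedObject).digests);
  const claims = {};
  for (const item of presentation.disclosed) {
    if (!digests.has(digestItem(item))) return null;
    claims[item.name] = item.value;
  }
  return claims;
}

// Constructed sample credential; element names and values are made up.
function disclosureDemo() {
  const issuer = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const credential = issue(
    { family_name: 'Doe', birth_date: '1990-01-01', age_over_21: true }, issuer.privateKey);
  const shown = present(credential, ['age_over_21']);
  const accepted = verify(shown, issuer.publicKey);
  const altered = { ...shown, disclosed: [{ ...shown.disclosed[0], value: false }] };
  return { accepted, alteredResult: verify(altered, issuer.publicKey) };
}
```

The verifier learns the age attestation without the birthdate, but the same signed digest list and signature appear in every presentation, which is why colluding issuers and relying parties can still link them.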

On the other hand, the mDL standard also has privacy drawbacks and
vulnerabilities to unauthorized access and man-in-the-middle
attacks. The vulnerabilities are discussed in slides 30-39, with an
example of a man-in-the-middle attack shown in slide 37. They are
also discussed in Section 13.1.9 of
the book chapter, along with
proposed mitigations in the current or future versions of the
standard. Privacy is discussed in slides 40-42 and in Section
13.1.10 of the book chapter.

The vulnerabilities and the privacy drawbacks have two independent
root causes.


A Brief Overview of Cryptographic Authentication with a Discussion of Three Hot Topics

Updated August 8 2023

I have just revamped the cryptographic authentication page of the
Pomcor site to reflect two major changes that are happening in
internet identity and authentication:

  1. It is now clear that traditional MFA is vulnerable to MITM
    phishing attacks and cryptographic authentication is the solution.
    But the technology that the industry has bet on as a
    replacement, FIDO authentication, faces user experience (UX)
    challenges that have been impeding adoption.
  2. Governments are trying to issue digital credentials usable instead
    of physical credentials, and some are experimenting with
    verifiable credentials and self-sovereign identifiers. But a UL
    white paper has noted that the ISO/IEC 18013-5 standard, although
    entitled “Mobile driving licence (mDL) application”, can be used
    to define any kind of credential and is in direct competition with
    verifiable credentials. And the arguably most successful
    government app in the world, the Diia app of Ukraine, described in
    a presentation to the Canadian CIO Strategy Council shown in this
    YouTube video, uses neither verifiable credentials nor the ISO/IEC
    18013-5 standard.

The revamped page includes a definition of the term cryptographic
authentication that manages to encompass authentication with
key pairs, public key certificates, anonymous credentials, symmetric key
credentials and verifiable credentials. It also includes a
classification of cryptographic credentials and authentication
methods, a recapitulation of the benefits and challenges of
cryptographic authentication, and a discussion of three hot topics:

  1. How to use cryptographic authentication to actually provide
    effective protection against MITM phishing attacks,
  2. How to let the user authenticate on multiple devices, and
  3. How to combine the cryptographic factor with additional factors
    for protection against theft of the device that carries the
    credential.

Airport Security in the Age of COVID-19

As the travel restrictions imposed to control the coronavirus pandemic are beginning to be relaxed in some parts of the world, it is time to start rethinking airport security in the age of COVID-19. Even if an effective vaccine is found for COVID-19, it will be out of the question to go back to long lines at security checkpoints and boarding gates, and the manual checking of identity documents and boarding passes.

In a provisional patent application that I coauthored with Karen Lewison before the pandemic and have now published, we proposed an automated method of verifying the identity of travelers that could be used in the post-pandemic world to speed up the security check and the boarding process, and to eliminate the face-to-face interaction with a security officer at the checkpoint and a flight attendant at the boarding gate. The method takes advantage of the high accuracy achieved by today’s deep neural networks for face recognition, while overcoming the privacy concerns raised by the collection and storage of facial images.

Here is a summary of the method.


A New Tool Against the Surge of Application Fraud

This blog post has been coauthored with Karen Lewison

In recent posts we have been concerned with online credit card fraud
and how to fight it using cardholder authentication. In this post we
are concerned with another kind of financial fraud, known as
application fraud or new account fraud. Both kinds of fraud have been
rising after the introduction of chip cards, for reasons mentioned by
Elizabeth Lasher in her article The Surge of Application Fraud:


“Due to the high volume of data breaches, Social Security numbers,
mailing addresses, passwords, health history, even the name of our
first pet is all for sale on the Dark Web. When you combine this
phenomenon with the economic pressure applied on fraudsters to find a
new cash cow after chip and signature plugged a gap in card-present
fraud in the US, there is a perfect storm.”

The term “application fraud” refers to the creation of a
financial account, such as a bank account or a mortgage account, with
the intention to commit fraud. Application fraud can be first-party
fraud, where the account is opened under the fraudster’s own identity,
or third-party fraud, where the fraudster uses a stolen identity.
Here we are primarily concerned with the latter.


Will Cardholder Authentication Ever Come to the US?

This blog post has been coauthored with Karen Lewison

You may have heard that the EU is struggling to implement the Strong
Customer Authentication (SCA) requirements of Payment Services
Directive 2 (PSD2). The directive was issued four years ago,
Regulatory Technical Standards (RTS) followed two years later, and
the SCA requirements went into effect on September 14. But on
October 16 the European Banking Authority (EBA) had to postpone
enforcement until December 31, 2020, due to pushback from the
National Competent Authorities (NCAs) of the EU member countries.
In an opinion announcing the postponement, the EBA cited as a reason
for the pushback the fact that 3-D Secure 2 (3DS2) is not ready.

The problems that the EBA is having with the SCA requirements have
more to do with the bureaucratic formulation of the requirements in
PSD2, than with the technical difficulty of providing strong security.
We will discuss this in another post, but first we want to ask here
whether cardholder authentication will ever come to the US.


An Omission-Tolerant Cryptographic Checksum

This is part 1 of a series on omission-tolerant integrity
protection and related topics.
A technical report on the topic is available
on this site and
in the IACR ePrint Archive.

Broadly speaking, an omission-tolerant cryptographic checksum
is a checksum on data that does not change when items are removed from
the data but makes it infeasible for an adversary to modify the data
in other ways without invalidating the checksum.

We discovered the concept of omission-tolerant integrity protection
while working on rich credentials. A rich credential includes
subject attributes and verification data stored in a typed hash
tree. We noted in an interim
report that the root label of the tree could be viewed as an
“omission-tolerant cryptographic checksum”. Prof. Phil
Windley, who read the report, told us that he had not seen the concept
before, and asked if we had invented it. We then added a section on
typed hash trees and omission-tolerant integrity protection to the
final report.

We’ve now written a new technical report that discusses
omission-tolerant checksums and omission-tolerant integrity
protection in a broader context than rich credentials. The main
contributions of the new paper are a formal definition of
omission-tolerant integrity protection, a method of computing an
omission-tolerant checksum on a bit-string encoding of a set of
key-value pairs, and a formal proof of security in an asymptotic
security setting that uses the system parameterization concept
introduced by Boneh and Shoup in their online book.

I have not said much in this blog about omission-tolerant integrity
protection, and there is a lot to say: how an omission-tolerant
checksum can be used to implement selective disclosure of subject
attributes in public key certificates; how public key certificates
with selective disclosure could easily provide security and privacy
for client authentication in TLS; what’s special about Boneh and
Shoup’s system parameterization concept and how we use it in our
definitions and proofs; how a typed hash tree can provide
omission-tolerant integrity protection whereas a Merkle tree cannot;
and a number of narrower but no less interesting topics. This is
the first of a series of posts on these topics.

Pomcor Contributes Biometrics Chapter to HCI and Cybersecurity Handbook

Karen Lewison and I have contributed the chapter on Biometrics to
the book Human-Computer Interaction and Cybersecurity Handbook,
published by Taylor & Francis in the CRC Press series on Human
Factors and Ergonomics. The editor of the paper, Abbas Moallem, has
received the SJSU 2018 Author and Artist Award for the book.

Biometrics is a very complex topic because there are many biometric
modalities, and different modalities use different technologies that
require different scientific backgrounds for in-depth understanding.
The chapter focuses on biometric verification and packs a lot of
knowledge in only 20 pages, which it organizes by identifying general
concepts, matching paradigms and security architectures before diving
into the details of fingerprint, iris, face and speaker verification,
briefly surveying other modalities, and discussing several methods of
combining modalities in biometric fusion. It emphasizes presentation
attacks and mitigation methods that can be used in what will always be
an arms race between impersonators and verifiers, and discusses the
security and privacy implications of biometric technologies.

Feedback or questions about the chapter would be very welcome as
comments on this post.

New Conference to Address the Human Aspects of Cybersecurity and Cryptography

Human factors are an essential aspect of cybersecurity. Take for
example credit card payments on the web. A protocol for reducing
fraud by authenticating the cardholder, 3-D Secure, was introduced by
VISA in 1999 and adopted by other payment networks, but has seen
limited deployment because of poor usability. Now 3-D Secure 2.0
attempts to reduce friction by asking the merchant to share
privacy-sensitive customer information with the bank and giving up
on cardholder authentication for transactions deemed low-risk based
on that data. A protocol with better usability would provide better
security without impinging on cardholder privacy.

But human factors are not limited to the usability of
cybersecurity defenses. In biometric authentication, human factors
are the very essence of the defense. Human factors are also of the
essence in cybersecurity attacks such as phishing and social
engineering attacks, and play a role in enabling or spreading attacks
that exploit technical vulnerabilities.

The 1st International Conference on HCI for Cybersecurity, Privacy
and Trust (HCI-CPT) recognizes the multifaceted role played by human
factors in cybersecurity, and intends to promote research that views
Human-Computer Interaction (HCI) as “a fundamental pillar
for designing more secure systems”. A call for participation
can be found here.


Storing Cryptographic Keys in Persistent Browser Storage

Update (March 5, 2025): This post, and the presentation at ICMC 2017,
show how to use a browser as a credential wallet for same-device
presentation. Section 12.4 in Chapter 12 of a book I’m writing with
Sukhi Chuhan and Veronica Wojnas shows how it can also be used for
cross-device presentation, and how a WebView component of a native app
can be combined with a native code component to further support
proximity presentation over Bluetooth or NFC.


This blog post is a companion to a presentation made at the
2017 International Cryptographic Module Conference
and refers to the presentation
slides, revised after the
conference. Karen Lewison is a co-author of the presentation and of
this blog post.

Slide 2: Key storage in web clients

Most Web applications today use TLS, thus relying on cryptography to
provide a secure channel between client and server, and to
authenticate the server to the client by means of a cryptographic
credential, consisting of a TLS server certificate and its
associated private key. But other uses of cryptography by Web
applications are still rare. Client authentication still relies
primarily on traditional username-and-password, one-time passwords,
proof of possession of a mobile phone, biometrics, or combinations of
two or more of such authentication factors. Web payments still rely
on a credit card number being considered a secret. Encrypted
messaging is on the rise, but is not Web-based.

A major obstacle to broader use of cryptography by Web applications is
the problem of where to store cryptographic keys on the client side.

What kind of “encrypted fingerprint template” is used by MasterCard?

In a press release, MasterCard announced yesterday an EMV payment card that
features a fingerprint reader. The release said that two trials have
been recently concluded in South Africa and, after additional trials,
a full roll out is expected this year.

In the United States, EMV chip cards are used without a PIN. The
fingerprint reader is no doubt intended to fill that security gap.
But any use of biometrics raises privacy concerns. Perhaps to address
such concerns, the press release stated that a fingerprint template
stored in the card is “encrypted”.

That’s puzzling. If the template is encrypted, what key is used to
decrypt it before use?
