Protocols and systems for privacy preserving protection of digital identity

Abhilasha Bhargav-Spantzel, Purdue University

Abstract

To support emerging online activities within the digital information infrastructure, such as commerce, healthcare, entertainment and scientific collaboration, it is increasingly important to verify and protect the digital identity of the individuals involved. Identity management systems manage the digital identity life cycle of individuals which includes issuance, usage and revocation of digital identifiers. Identity management systems have improved the management of identity information and user convenience; however they do not provide specific solutions to address protection of identity from threats such as identity theft and privacy violation. One major shortcoming of current approaches is the lack of strong verification techniques for issuance and usage of digital identifiers. In the absence of verification mechanisms, digital identifiers can be misused to commit identity theft. Another shortcoming is the inability of individuals to disclose minimal data while satisfying strong identity verification requirements. The extraneous data collected can potentially be aggregated or used in a manner that would lead to violation of an individual's privacy. Finally, current identity management systems do not consider biometric and history-based identifiers. Such identifiers are increasingly becoming an integral part of an individual's identity. Such types of identity data also need to be used with other digital identifiers and protected against misuse. In this thesis we introduce a number of techniques that address the above problems. Our approach is based on the concept of privacy preserving multi-factor identity verification. The technique consists of verifying multiple identifier claims of an individual, without revealing extraneous identity information. A distinguishing feature of our approach is that we employ identity protection and verification techniques in all stages of the identity life cycle. We also enhance our approach with the use of biometric and history-based identifiers. In particular we provide the following key contributions: (1) A new cryptographic primitive referred to as aggregate proof of knowledge to achieve privacy preserving multi-factor verification. This primitive uses aggregate signatures on commitments that are then used for aggregate zero-knowledge proof of knowledge (ZKPK) protocols. Our cryptographic scheme is better in terms of the performance, flexibility and storage requirements than existing efficient ZKPK techniques that may be used to prove, under zero-knowledge, the knowledge of multiple secrets. (2) Algorithms to generate biometric keys reliably from an individual's biometric images. These keys are used to create biometric commitments that are subsequently used to perform multi-factor identity verification using ZKPK. Several factors, including various traditional identity attributes, can thus be used in conjunction with one or more biometrics of the individual. We also ensure security and privacy of the biometric data and show how the biometric key is not revealed even if all the data, including cryptographic secrets, stored at the client machine are compromised. (3) A series of protocols for the establishment and management of an individual's transaction history-based identifiers encoded as receipts from e-commerce transactions. These receipt protocols satisfy the security and privacy requirements related to the management of the electronic receipts. We also demonstrate how the users receipt protocols can be employed in the context of mobile phones. In particular we provide techniques to manage the portable identity information on such devices, and use them at physical locations of the service providers.

Degree

Ph.D.

Advisors

Bertino, Purdue University.

Subject Area

Computer science

Off-Campus Purdue Users:
To access this dissertation, please log in to our
proxy server
.

Share

COinS