Since all anonymous credentials and pseudonyms of a customer are based on his secret key kU, a delegation of anonymous credentials also implicitly means the transmission of kU. The transmission of anonymous credentials is explicitly not supported by IBM idemix. Two mechanisms are in fact used which should prevent a delegation of credentials: a PKI-based and an all-or-nothing non-transferability of credentials (Camenisch and Lysyanskaya, 2001).
For PKI-based non-transferability, the customer’s secret key kU is linked to his private key skU. For this, a certification authority outside the idemix-PKI certifies the external public key of customer U. Furthermore, the customer deposits the pertaining private key skU in encrypted form with the certification authority, which then publishes it. This encryption is made with the symmetric key kU. If the customer transmits his secret key kU, he therefore also transmits his private key skU with it: each person in possession of the symmetric key kU can decrypt the published private key skU of customer U.
With all-or-nothing non-transferability of anonymous credentials, all credentials and pseudonyms of a customer in an idemix-PKI are transmitted if the customer transmits his secret key kU. The all-or-nothing non-transferability of credentials is based on the use of the secret key kU for every generation of a pseudonym and on the publication of all pseudonyms, credentials and the pertaining test values. In order to use these, only the knowledge of the secret key kU is missing. If customer U transmits it, his proxy can use all of the customer’s pseudonyms and credentials without restriction.
Figure 5.19 shows the use of IBM idemix for a business process with a proxy. Steps one to four proceed analogously to the use of IBM idemix in a single-stage business process. In step five, however, the customer must transmit his secret key kU together with the requested data, in the form of an anonymous credential, to his proxy so that the proxy can use this anonymous credential in the eighth step towards the target service provider. The transmission of the secret key kU is based on the all-or-nothing non-transferability attribute of the IBM idemix system.
Figure 5.19 Use of IBM idemix on multi-stage business processes with the use of the all-or-nothing non-transferability of anonymous credentials.
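The two non-transferability mechanisms and the step-five delegation above can be modelled in a few lines. The following is an added illustration, not code from the FIDIS deliverable or from IBM idemix: the real system uses discrete-logarithm commitments and zero-knowledge proofs, whereas here kU is assumed to be a byte string, pseudonyms are modelled as deterministic MACs of kU, and the deposit of skU uses a toy hash-based keystream standing in for the symmetric encryption under kU.

```python
import hashlib
import hmac

# Simplified model: kU is a byte string; every derived value is a MAC over kU.
def kdf(k_u: bytes, label: bytes) -> bytes:
    return hmac.new(k_u, label, hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy keystream cipher standing in for the symmetric encryption under kU.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# PKI-based non-transferability: skU is deposited encrypted under kU and published.
def deposit_private_key(k_u: bytes, sk_u: bytes) -> bytes:
    return xor_stream(kdf(k_u, b"deposit-skU"), sk_u)

def recover_private_key(k_u: bytes, published_ciphertext: bytes) -> bytes:
    # Anyone holding kU can decrypt the published deposit.
    return xor_stream(kdf(k_u, b"deposit-skU"), published_ciphertext)

# All-or-nothing non-transferability: every pseudonym is derived from kU and published.
def pseudonym(k_u: bytes, organisation: bytes) -> str:
    return kdf(k_u, b"pseudonym:" + organisation).hex()

def can_use_pseudonym(k_u: bytes, organisation: bytes, published: str) -> bool:
    # Proving ownership of a published pseudonym needs nothing beyond kU.
    return hmac.compare_digest(pseudonym(k_u, organisation), published)

def delegation_consequences(k_u: bytes, sk_u: bytes, organisations: list, proxy_key: bytes) -> dict:
    """Publish the deposit and all pseudonyms, then check what a holder of proxy_key can do."""
    published_deposit = deposit_private_key(k_u, sk_u)
    registry = {org: pseudonym(k_u, org) for org in organisations}
    return {
        "proxy_recovers_skU": recover_private_key(proxy_key, published_deposit) == sk_u,
        "proxy_uses_all_pseudonyms": all(
            can_use_pseudonym(proxy_key, org, nym) for org, nym in registry.items()
        ),
    }

if __name__ == "__main__":
    # Constructed sample values, not real keys.
    k_u, sk_u = b"constructed-kU-of-customer-U", b"constructed-external-private-key-skU"
    orgs = [b"bank", b"shop", b"target-service-provider"]
    print(delegation_consequences(k_u, sk_u, orgs, proxy_key=k_u))      # step five: kU handed over
    print(delegation_consequences(k_u, sk_u, orgs, proxy_key=b"other"))  # no kU, nothing usable
```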
Security Properties of IBM idemix
IBM idemix is primarily an anonymous credential system that has in fact been integrated into an identity management system (Camenisch, Shelat, Sommer, Fischer-Hübner, Hansen, Krasemann, Lacoste, Leenes and Tseng, 2005). Since IBM idemix is nevertheless independent of an identity management system, the security properties of the credential system are analysed in the following. Secure data storage and a situation-dependent release of personal data are not part of the system but can be added by an identity management system. The security properties of IBM idemix for access to personal data are as follows:
Unlinkability of transactions: Through the use of pseudonyms and of the zero-knowledge proofs used for the verification of anonymous credentials, the various transactions of a customer U cannot be traced back to him without further information.
Authentication without showing identifying data: The IBM idemix anonymous credential system uses zero-knowledge proofs for the issuance and verification of anonymous credentials and pseudonyms. The connection between the credentials and pseudonyms and the secret key kU of customer U remains concealed, without giving up the accountability of his transactions to him. This anonymity can be extended to the certified personal data of a customer, so that an attribute, but not its concrete value, is verified during authentication. As a result, no identifying data about customer U accrues during his authentication, and undesirable identification and profile formation are therefore avoided.
Non-repudiation of customer’s transactions: Through the linking of anonymous credentials and pseudonyms to the secret key kU of the customer and its application in the protocols of IBM idemix, accountability of the transactions to the owner of kU, i.e. the customer, is guaranteed.
Revoking customer’s anonymity in case of fraud: The extension of the basic system by a de-anonymisation provider makes it possible to lift a customer’s anonymity in the case of fraud. The provider, however, either discloses the anonymity only for transactions on a certain anonymous credential or for all transactions on all the anonymous credentials of a customer. Without additional information, i.e. the protocol notes, lifting is not possible. The customer must in fact trust the de-anonymisation provider to disclose the customer’s anonymity only in the case of a verifiable breach of the agreed conditions on the customer’s part.
Controlled usage of personal data is not considered by IBM idemix. Both mechanisms for non-transferability of anonymous credentials in fact prevent a delegation. If IBM idemix is nevertheless used for the transmission of personal data in the form of an anonymous credential to a proxy, the customer loses control over the usage of all of his certified data and pseudonyms.
Conclusion
With the IBM idemix anonymous credential system, a customer can use services anonymously and at the same time verify certain attributes or data of his person with anonymous credentials. No identifying data about the customer becomes known through authentication with an anonymous credential, provided that the service does not require it. On the other hand, his anonymity can be revoked by a certain service provider under previously agreed conditions. This service provider cannot, however, link all of the customer’s transactions if the revocation of anonymity only applies to a certain anonymous credential.
IBM idemix therefore fulfils the criteria for the protection of privacy concerning access to personal data, with the exception of secure storage of data and the situation-dependent release of personal data. These criteria are not considered by IBM idemix. Privacy is, however, not protected with regard to the use of transmitted personal data. The protocol specification of IBM idemix in fact provides two mechanisms which should prevent a delegation of anonymous credentials and which, when used in multi-stage business processes, result in the customer losing control over his identity. Under these assumptions, the customer must trust his proxy when using IBM idemix, since with the delegation of the secret key kU the customer delegates his identity, i.e. the entirety of his credentials and pseudonyms, and his proxy can use these without restriction.