
Identity & Profile Management - The Right Way -

Dr. Stefan Brands. Presented to: June 11, 2002. Credentica Inc.: incorporated January 2002, based in Canada. What we do: building an Identity & Profile Management system that removes fundamental security, privacy, and usability barriers.


Presentation Transcript


  1. Identity & Profile Management - The Right Way - Dr. Stefan Brands Presented to: June 11, 2002

  2. Credentica Inc. • Incorporated January 2002, based in Canada • What we do: building an Identity & Profile Management system that removes fundamental security, privacy, and usability barriers • Who we are: seasoned cryptographers, developers and security experts - lots of experience in designing secure systems

  3. Market Trends • Steep acceleration of Digital Identity & Profile information bartering • Digital ID spanning many administrative domains • [Figure labels: Early Market, Chasm, “Bowling Alley”, “Tornado”, Main Street; Private networks, Extranets, Internet, Web Services, Wireless internet, Ad-Hoc Networking; sensitivity; Trust & Collaboration; Suspicion & Competition; t]

  4. Identity & Profile Management • Problem: Privacy intrusions (systematic identification, no control over data usage, linkability, conflicts with privacy laws, etc.) • “Nearly 70% of consumers cite privacy concerns as one reason that could make them stop using e-government services.” — Gartner survey (May 2001) • “meeting data protection standards is a key component [of e-government]. In the area of on-line authentication and identification in particular there is still much work to be done. [...] enhancing privacy should be a Government objective.” — UK Information Commissioner Annual report (June 2001)

  5. Identity & Profile Management • Problem: Inadequate security (system abuse, identity theft, data propagation, etc.) • “The lack of trustworthy security services is a major obstacle to the use of information technology in private, in business as well as in public services.” — European Parliament, Directorate General for Research (March 2001) • “Identification and authentication are becoming more important with the move towards e-government and the rising incidence of identity fraud.” — U.K. Cabinet Office, Performance and Innovation Unit, “Privacy and data-sharing: The way forward for public services” (April 2002)

  6. Identity & Profile Management • Problem: Heavy dependence on real-time connection to central servers • “A single authentication server / service equals a single point of failure.” — Information Security Magazine (September 1998) • 54% of respondents were extremely concerned with the possibility of government employees misusing their personal information, and 64% were extremely concerned about the risk of hackers breaking into government computers. — Hart-Teeter, “E-GOVERNMENT: To Connect, Protect, and Serve Us” (November 2001)

  7. Identity & Profile Management • Problem: Lending, copying, discarding of credentials (access rights, attributes, profile) • GAO (US General Accounting Office) found that at the Department of Veterans Affairs, many employees were sharing passwords: “These types of weaknesses make the financial transaction data and personal information on veteran medical records and benefits stored on these systems vulnerable to misuse, improper disclosure and destruction”, GAO said. — Government Executive Magazine (September 1998) • “…a device like a card is likely to disappear if the carrying person does not feel that its presentation will be of benefit to him.” — European Committee For Standardization, “Health Informatics” (1998)

  8. Privacy Dangers of traditional PKI

  9. Lessons Learned • Real world solutions must address security, privacy, and usability for all parties • PKI & digital signatures not designed to offer multi-party security & privacy • Solution must be built into architecture • Policies & legislation must surround a multi-party secure architecture, not replace it

  10. Credentica’s Identity & Profile Management Platform • Name: “Credential Management Platform” • Multi-party secure (holistic solution) • Any mix of local & central profile data • Platform independence (PCs, mobile phones, Bluetooth devices, 8-bit chipcards, etc.) • Privacy slider: Identification & Pseudonymity & Role-Based & Anonymity & Selective Disclosure • Security “slider”: Trust-only & Passwords & Kerberos & X.509 & Digital Credentials

  11. Credential Management Platform

  12. Digital Credentials • Inherit all the strengths of PKI & digital signatures, but avoid their weaknesses • Protocols described in open literature (350-page MIT Press book & 31 publications) • Scrutinized by world's top cryptographers (Shamir, Rivest, Schnorr, …) • Unanimous acclaim from security, legal, and privacy experts worldwide

  13. Digital Credentials

  14. Properties of Digital Credentials • Privacy: • Untraceable & unlinkable authentication • Selective disclosure of attributes • Private reissuing & updating of credentials • Security: • Information separation between instances • Limited-show credentials • Lending/discarding protection • Chip-card integration • Flexibility: • Online/offline clearing for regulated credentials • Selective records • Server-assisted protocols • Integration with X.509-based PKI • Multi-purpose credentials

  15. Selective Disclosure

  16. Fraud Detection

  17. Additional Information Contact Information: • Credentica Inc. 3710 St-Laurent Blvd, Suite #1 Montreal, Québec Canada H2X 2V4 • Tel/fax: (514) 985-4111 • E-mail: brands@credentica.com Further Reading: • http://www.credentica.com/technology/book.html • http://www.ercim.org/publication/Ercim_News/enw49/brands.html • http://www.credentica.com/technology/overview.pdf
