Authentication is a prerequisite for proper access control to many e-services. Often, it is carried out by identifying the user, while generally, verification of certified attributes would suffice. Even worse, this kind of authentication makes all the user's transactions linkable and discloses an excessive amount of personal information, and thus erodes the user's privacy. This is in clear contradiction to the data minimization principle put forth in the European data protection legislation. In this paper, we present data-minimizing mobile authentication, which is a kind of attribute-based authentication through the use of anonymous credentials, thereby revealing substantially less personal information about the user. We describe two typical scenarios, design an architecture, and discuss a prototype implemented on a smart phone which minimizes the disclosure of personal data in a user-to-terminal authentication setting. The prototype uses the Identity Mixer anonymous credential system (Idemix) and realizes short-range communication between the smart phone and the terminal using visual channels over which QR codes are exchanged. Furthermore, the security has been improved and unauthorized sharing of credentials has been prevented by storing the credentials' secret key in a secure element hosted by the mobile phone. Our measurements show that the use of smart phones for data-minimizing authentication can be an actual "game changer" for a broad deployment of anonymous credential systems.