Private Authentication

Author

  • Martín Abadi
Abstract

Frequently, communication between two principals reveals their identities and presence to third parties. These privacy breaches can occur even if security protocols are in use; indeed, they may even be caused by security protocols. However, with some care, security protocols can provide authentication for principals that wish to communicate while protecting them from monitoring by third parties. This paper discusses the problem of private authentication and presents two protocols for private authentication of mobile principals. In particular, our protocols allow two mobile principals to communicate when they meet at a location if they wish to do so, without the danger of tracking by third parties. The protocols do not make the (dubious) assumption that the principals share a long-term secret or that they get help from an infrastructure of ubiquitous on-line authorities.

This work was started at Bell Labs Research, Lucent Technologies, and at InterTrust’s Strategic Technologies and Architectural Research Laboratory, and is partly supported by the National Science Foundation under Grant CCR-0208800.

1 Privacy, authenticity, and mobility

Although privacy may coexist with communication, it often does not, and there is an intrinsic tension between them. Often, effective communication between two principals requires that they reveal their identities to each other. Still, they may wish to reveal nothing to others. Third parties should not be able to infer the identities of the two principals, and to monitor their movements and their communication patterns. For better or for worse, they often can. In particular, a mobile principal may advertise its presence at a location in order to discover and to communicate with certain other principals at the location, thus revealing its presence also to third parties.

Authentication protocols may help in addressing these privacy breaches, as follows. When a principal A wishes to communicate with a principal B, and is willing to disclose its identity and presence to B but not to other principals, A might demand that B prove its identity before revealing anything. An authentication protocol can provide this proof. It can also serve to establish a secure channel for subsequent communication between A and B.

However, authentication protocols are not an immediate solution, and they can in fact be part of the problem. Privacy is not one of the explicit goals of common authentication protocols. These protocols often send names and credentials in cleartext, allowing any eavesdropper to see them. An eavesdropper may also learn substantial information from encrypted packets, even without knowing the corresponding decryption keys; for example, the packets may contain key identifiers that link them to other packets and to certain principals. Furthermore, in the course of authentication, a principal may reveal its identity to its interlocutor before knowing the interlocutor’s identity with certainty. If A and B wish to communicate but each wants to protect its identity from third parties, who should reveal and prove theirs first?

This last difficulty is more significant in peer-to-peer communication than in client-server communication, although the desire for privacy appears in both settings.

  • In client-server systems, the identity of servers is seldom protected. However, the identity of clients is not too hard to protect, and this is often deemed worthwhile. For example, in the SSL protocol [14], a client can first establish an “anonymous” connection, then authenticate with the protection of this connection, communicating its identity only in encrypted form. An eavesdropper can still obtain some addressing information, but this information may be of limited value if the client resides behind a firewall and a proxy. (Similarly, the Skeme protocol [19] provides support for protecting the identity of the initiator A of a protocol session, but not the identity of the interlocutor B.)
  • The symmetry of peer-to-peer communication makes it less plausible that one of the parties in an exchange would be willing to volunteer its identity first. Privacy may nevertheless be attractive. In particular, mobile principals may want to communicate with nearby peers without allowing others to monitor them (cf. Bluetooth [7] and its weaknesses [18]).

Thus, privacy seems more problematic and potentially more interesting in the fluid setting of mobile, peer-to-peer communication.

This paper gives a definition of a privacy property (informally). This property implies that each principal may reveal and prove its identity to certain other principals, and hide it from the rest. The definition applies even if all parties are peers and have such privacy requirements. Standard authentication protocols do not satisfy the privacy property. However, we show two protocols that do, and undoubtedly there are others (to the extent that informally described protocols can satisfy informally defined properties).

In our protocols, a session between two principals A and B consists of messages encrypted under public keys and under session keys in such a way that only A and B discover each other’s identity. The protocols differ from standard protocols by the absence of cleartext identity information. More subtly, they rely on some mild but non-trivial assumptions on the underlying cryptographic primitives. One of the protocols also includes a subtle “decoy” message in order to thwart certain active attacks.

Our protocols do not assume that the principals A and B have a long-term shared secret. Neither do they require an infrastructure of on-line trusted third parties, or suppose that the world is organized into domains and that each principal has a home domain. In this respect, the protocols contrast with previous ones for related purposes (see for example [4, 6, 23, 30] and section 5). Because of their weak infrastructure needs, the protocols are consistent with ad hoc networking.

As an example, consider a mobile principal A that communicates with others when they are in the same (physical or virtual) location. In order to establish connections, A might constantly broadcast “hello, I am A, does anyone want to talk?”. An eavesdropper could then detect A’s presence at a particular location. An eavesdropper could even monitor A’s movements without much difficulty, given sensors at sufficiently many locations. Our protocols are applicable in this scenario, and are in fact designed with this scenario in mind. Suppose that two principals A and B arrive anonymously at a location. Although A and B may know of each other in advance, they need not have a long-term shared key. Furthermore, neither may be certain a priori that the other one is present at this location. If they wish to communicate with one another, our protocols will enable them to do it, without the danger of being monitored by others.

The next section defines and discusses the privacy property sketched above. Section 3 presents the assumptions on which our protocols rely. Section 4 develops the two protocols and some optimizations and extensions. Section 5 discusses some related problems and related work (including, in particular, work on message untraceability). Section 6 concludes.

This paper does not include a formal analysis for the protocols presented. However, formalizing the protocols is mostly a routine exercise (for example, using the spi calculus [1] or the inductive method [25]). Reasoning about their authenticity and secrecy properties, although harder, is also fairly routine by now. More challenging is defining a compelling formal specification of the privacy property. Such a specification should account for any “out-of-band” knowledge of attackers, of the kind discussed in section 3. In this respect, placing private authentication in the concrete context of a system may be helpful. We regard these as interesting subjects for further work. Recently, several researchers who read drafts of this paper (Vitaly Shmatikov and Dominic Hughes, Hubert Comon and Véronique Cortier, and Cédric Fournet) have made progress on these subjects. Their ideas should be applicable to other systems with privacy goals, beyond the protocols of this paper.
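The introduction contrasts a cleartext "hello, I am A" broadcast, encrypted packets that still carry linkable key identifiers, and an exchange with no cleartext identity information at all. The following symbolic (Dolev-Yao style) model is an added illustration of what a passive eavesdropper can extract in each case; it is not the paper's protocol and not the author's code. The three message traces, their "hello"/"ack" shapes and the nonces nA and nB are assumptions made for this example only, and "encryption under pk(B)" is modelled as an opaque term that only the holder of sk(B) can open.

```python
"""Symbolic eavesdropper model for the privacy property discussed above.

Constructed illustration (not the paper's protocol, not the author's code):
messages are Dolev-Yao style terms, and an observer's knowledge is closed
under splitting pairs and decrypting ciphertexts whose private key it holds.
The traces below are assumptions made for this example only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    """Ciphertext of `body` under the public key named `key`, e.g. "pk(B)"."""
    key: str
    body: tuple


def pk(p: str) -> str:
    return f"pk({p})"


def sk(p: str) -> str:
    return f"sk({p})"


def derive(knowledge) -> set:
    """Close a set of terms under analysis: every component of a known pair
    becomes known, and a ciphertext is opened once its private key is known."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if isinstance(term, tuple):
                new = [t for t in term if t not in known]
            elif isinstance(term, Enc):
                owner = term.key[len("pk("):-1]  # "pk(B)" -> "B"
                can_open = sk(owner) in known and term.body not in known
                new = [term.body] if can_open else []
            else:
                new = []  # atoms (names, nonces, keys) have no components
            if new:
                known.update(new)
                changed = True
    return known


def visible_identities(trace, held_secret_keys, principals=("A", "B")):
    """Identity-linked atoms (a principal's name or its public key) that an
    observer holding `held_secret_keys` can extract from the captured `trace`."""
    known = derive(set(trace) | set(held_secret_keys))
    return [m for p in principals for m in (p, pk(p)) if m in known]


# Constructed traces: A wants to reach B; the eavesdropper E holds only sk(E).
NAIVE_TRACE = [("hello", "A")]  # cleartext self-advertisement

# Identities are encrypted, but each packet carries its key identifier in clear.
KEYID_TRACE = [
    (pk("B"), Enc(pk("B"), ("hello", "A", "nA"))),
    (pk("A"), Enc(pk("A"), ("ack", "B", "nA", "nB"))),
]

# No cleartext identity information: only the holder of sk(B) can open the
# first message and only the holder of sk(A) can open the second.
PRIVATE_TRACE = [
    Enc(pk("B"), ("hello", "A", "nA")),
    Enc(pk("A"), ("ack", "B", "nA", "nB")),
]

if __name__ == "__main__":
    for name, trace in [("naive", NAIVE_TRACE), ("key-id", KEYID_TRACE),
                        ("private", PRIVATE_TRACE)]:
        print(f"{name:8} eavesdropper E sees: {visible_identities(trace, {sk('E')})}")
    print("private  interlocutor B sees:", visible_identities(PRIVATE_TRACE, {sk("B")}))
    print("private  initiator A sees:   ", visible_identities(PRIVATE_TRACE, {sk("A")}))
```

Running the script shows the three situations the text describes: the naive broadcast hands A's name to every listener, the key-identifier variant hides the names but still lets the eavesdropper link the session to pk(A) and pk(B), and the fully encrypted exchange yields nothing to E while B (holding sk(B)) learns A and A (holding sk(A)) learns B. The model is deliberately passive: it says nothing about the active attacks that the paper's "decoy" message is meant to thwart, nor about the out-of-band attacker knowledge that the text notes a real specification must account for.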


Journal title:
  • Theor. Comput. Sci.

Volume 322  Issue 

Pages  -

Publication date 2002