Privacy preservation mechanisms in identity management with application to loT

Abstract

The main objective is devising, designing and implementing secure, usable and privacy-preserving digital identity management solutions for both individuals and devices, applying them to address real-world challenges. To achieve this goal, it has been divided into several specific objectives: - Analyse state of art identity management solutions and their main limitations. - Design, develop and evaluate cryptographic solutions devoted to privacy preservation, particularly related to attribute-based credentials. - Specify novel methods and frameworks for enabling efficient, usable and comprehensive identity management based on attribute-based credentials. - Integrate developed solutions with emerging specifications and technologies such as distributed ledger technologies or verifiable credentials, evaluating the bidirectional impact. - Study, design and implement the extension of privacy-preserving identity management notions to IoT environments covering devices' complete lifecycle according to specific challenges such as heterogeneity or resource constraints. - Validate the developed solutions over different use cases and real scenarios, demonstrating their practicality. Methodology and Results The iterative and incremental methodology of this thesis has been guided by its objectives. In each cycle, we carried out an analysis of the state of the art and the design, implementation and evaluation of technical solutions. In addition, the results have been continuously validated in use cases of practical relevance, particularly in the context of three European Horizon 2020 projects: OLYMPUS, CyberSec4Europe y ERATOSTHENES. In the development of the thesis, multiple technologies have been studied and applied. Among them, p-ABCs stand out, especially the Pointcheval-Sanders multi-signature scheme. Within this thesis, we work on creating systems by employing and enhancing p-ABCs with distributed issuance, establishing links to relevant identity and trust frameworks, and ensuring interoperability and efficient application to IoT scenarios. Another relevant technology because of its decentralisation features has been Distributed Ledger Technologies (DLT), as a supporting tool for the identity ecosystem trust framework. Similarly, specifications linked to self-sovereign identity, such as W3C's Verifiable Credentials, have been part of the focus due to their impact on current digital identity trends. The integration of p-ABCs in such specifications has been one of the results of the thesis, serving both to improve the existing landscape within their application and to tackle the issues of interoperability of previous p-ABC systems. Finally, other technologies such as Manufacturer Usage Description (MUD) files have played a complementary role to the identity techniques investigated. This has led to multiple results published in four main compendium publications. They have been developed within the framework of the identified challenges and gaps in the literature after exhaustive analysis according to Objective 1. As part of the outcomes, we have proposed and evaluated various advances on privacy-preserving cryptographic systems, particularly in the field of distributed privacy-preserving Attribute-Based Credentials, fulfilling Objective 2. Furthermore, in line with Objectives 3 and 4, the developed solutions have been integrated with emerging technologies such as DLTs or Verifiable Credentials, achieving comprehensive authentication and authorisation solutions in the scope of zero-trust architectures and Self-Sovereign Identity. These developments have been extended to cover the needs of IoT environments, such as efficiency or adaptability to the heterogeneous characteristics of IoT contexts, achieving privacy-preserving identity management solutions encompassing devices lifecycle as outlined in Objective 5. Lastly, the practicality of these applications has been validated through various real-world use cases in the context of three H2020 European projects, realizing Objective 6. Conclusions The main conclusions obtained can be summarised as follows: - Distributed privacy-preserving Attribute-Based Credentials (dp-ABC) have been applied to address identity management in an efficient and usable way while mitigating the single point of failure issue of the issuer. - The use of dp-ABC enables privacy, security and functionality notions inherent to ecosystems based on zero-trust authorisation. - The leveraged presentation process of p-ABCs based on linking commitments and commit-and-prove techniques enables modular extensibility retaining formal guarantees of security and privacy. - Particularly, this was demonstrated as a mechanism to efficiently achieve key advanced p-ABC features for contemporary identity use cases, namely inspection, pseudonyms, revocation and range proofs. - The concept of Biometric-Bound Attribute-Based Credentials (bb-ABC), which enables non-transferability through biometrics without dedicated devices per-user, has been formalized through the definition of variants of the traditional p-ABC security properties: correctness, soundness and unlinkability. - The practical relevance of bb-ABC was demonstrated through two complementary constructions and their instantiation with concrete primitives, whose efficiency was showcased through micro-benchmarks. - The applicability of dp-ABC in relevant use cases, particularly IoT environments, was improved through their effective integration into the W3C Verifiable Credential specification. - A framework for flexible, comprehensive and privacy-preserving identity management of IoT devices throughout their lifecycle is crucial, and has been achieved with dp-ABCs as a key enabler. - The developed solutions were successfully applied to solve challenges in multiple relevant use cases, showcasing their relevance in the current identity landscape.