U-Prove Offers Security while Protecting Privacy
Microsoft has open sourced U-Prove CTP, a cryptographic solution technology used for performing authentication without disclosing personal information about the user. The CTP contains U-Prove Cryptographic Specification V1.0, a C# and a Java reference implementation of the specification, extensions for WIF, AD FS 2 and CardSpace 2, plus a number of whitepapers explaining the technology.
Current security solutions are based on disclosing some information about the person benefiting from related secure services. Besides, many websites tend to discover as much information as possible about their users in order to improve their business model for greater efficiency and benefits. U-Prove technology intends to offer a higher level security and disclosing only the information the user wants to. This can be compared to anonymous activities, such as buying a product from a vending machine by simply inserting a coin, or anonymous voting.
The U-Prove technology was initially developed by Stefan Brands at Credentica, and became more known to the public after the release of the first SDK in 2007. The technology, including underlying patents, was acquired by Microsoft in 2008 and it was included in Windows Identity Foundation. Microsoft has recently released Microsoft U-Prove CTP, a cryptographic technology consisting of:
- U-Prove Cryptographic Specification V1.0, under Open Specification Promise license
- C# SDK and a Java SDK implementing the specification and released under BSD open source license
- U-Prove CTP White Paper
- U-Prove Technology Overview
- U-Prove Technology Integration into the Identity Metasystem V1.0
- Windows Identity Foundation Extension – an “extension to WIF that provides the ability to build a custom Security Token Service (STS) for U-Prove token issuance (for identity providers), and the ability to verify U-Prove token presentations (for relying parties)”
- Active Directory Federation Services 2.0 - a U-Prove enabled version of AD FS 2.0 that has the ability to issue an information card supporting U-Prove
- Windows CardSpace 2.0 - a U-Prove enabled version of Windows CardSpace 2.0
The U-Prove technology is built around the concept of a U-Prove token, a binary string containing cryptographically protected information known as attributes. There are three parties involved in using the U-Prove token: Issuer – an entity issuing the token, Prover – the user who needs a token, and Verifier – the third party interested in authenticating the user. The Issuer communicates with the Prover through the Issuance Protocol while the Prover communicates with the Verifier through the Presentation Protocol as shown in the following figure:
When the Prover wants a token, he contacts the Issuer through the Issuance Protocol presenting his attributes in a cryptic form. This is different from standard security tokens used today because the Prover can obtain a token without disclosing all his attributes to the Issuer:
In order for a Prover to retrieve a U-Prove token from an Issuer, the two parties must engage in an instance of the U-Prove issuance protocol. This is a cryptographic protocol that takes as its inputs, among others, any attributes to be encoded into the token. The innovative features of the U-Prove technology derive from the cryptographic design of the issuance protocol, which is based on advances in modern cryptography. For the purposes of this overview it suffices to know that the Issuer’s signature is not a conventional RSA or DSA signature, and that issuance is a 3-leg interactive protocol enabling the Prover to hide certain token elements from the Issuer.
The Issuer may use various means to authenticate the Prover including accessing information contained in U-Prove tokens generated by other Issuers. The Issuer will protect the token by signing it and by including a public key known only to the Prover:
- Each issued U-Prove token contains an unforgeable digital signature of its Issuer on the entire contents, created by the Issuer by applying its private key. The Issuer’s signature U-Prove serves as its authenticity mark on the U-Prove token; it enables anyone to verify that the U-Prove token was issued by the Issuer and that its contents have not been altered.
- Replay attack prevention: Each issued U-Prove token also contains a token-specific public key that is known only to the Prover. The Prover randomly generates it during the issuance protocol, together with a corresponding private key for the U-Prove token. In contrast to the token’s public key, this private key is not part of the U-Prove token; the Prover never discloses it when using the U-Prove token. In the next section we will explain how this prevents Verifiers from replaying presented U-Prove tokens.
After obtaining a token, the Prover will use it in relation with a Verifier to establish a trusted relationship between the two via the Presentation Protocol:
To present a U-Prove token to a Verifier, the Prover and the Verifier engage in an instance of the U-Prove presentation protocol. In addition to providing the token attributes (or, as we will see in Section 4.3, only a subset of the attributes), the Issuer’s signature, and the Prover’s token-specific public key, the Prover also sends along a response to the Verifier. To compute this response the Prover applies the private key for the U-Prove token to a presentation challenge of the Verifier. This presentation challenge must include a nonce, that is, a unique number that is never reused; a large random number will do, as will a timestamp or a counter appended to a unique Verifier identifier.
We refer to the Prover-computed response as the presentation proof; it is a cryptographic proof of possession of the private key corresponding to the presented U-Prove token. It proves that the private key has been applied to the presentation challenge but the private key itself remains secret; this security guarantee holds even if all Verifiers and the Issuer collude, examine arbitrarily many presentation proofs created with the same U-Prove token, and deviate from the issuance and the presentation protocols. As a result, Verifiers cannot replay the U-Prove tokens presented to them.
There are several security features related to using U-Prove tokens: Untraceability, Unlinkability, Revocability, Reusability, and others. One of the interesting ones is Selective Disclosure, the ability to include encrypted attributes in the token, information that is not disclosed even to the Issuer unless the Prover wants to.
According to Microsoft, U-Prove can be used in virtually any communication and transaction system, examples being: “digital rights management, electronic voting, electronic payment instruments, electronic health records, electronic postage, online auctions, public transport ticketing, road-toll pricing, loyalty schemes, and e-gaming.” It can also be applied to “non-human entities, such as computer processes, software applications, hardware devices, and so forth”. U-Prove facilitates sharing information via untrusted parties enabling “the design of new applications with no physical-world analogy; one example area of interest is cloud computing services that can perform limited operations on integrity-protected input data from different sources.”
Additional information on U-Prove: U-Prove Home Page, Announcing Microsoft’s U-Prove Community Technical Preview (CTP) and Deep Dive into U-Prove Cryptographic Protocols, two Channel 9 interviews with Stefan Brands, U-Prove CTP: a Developers’ Perspective.
Roy Rapoport Aug 28, 2014