A Privacy-Preserving Campus Access Control System
楊皓丞、許育銘、黃文彥
唐浩、薛佳哲
Problem Description
- COVID-19 resulted in a strict campus access control system in NTU
- Debate on privacy vs. epidemic prevention
- Goal: propose a scheme involving the school, personnel, and CDC that satisfies both privacy and epidemic prevention requirements
Threat Model & Security Properties
[Diagram: Current scheme. Labels: personnel, send data, school, record, database holding (ID, time, building) entries, confirmed diagnosis, find patient's footprints and contacts]
Threat Model & Security Properties
[Diagram: Current scheme - possible attacks. Labels: personnel, send data, school, record, database holding (ID, time, building) entries, confirmed diagnosis, find patient's footprints and contacts. Attack labels: visitor, fake identity; external attacker, read]
Threat Model & Security Properties
[Diagram: Proposed scheme. Labels: personnel, authenticate, school, record, database holding (time, building, \(\sigma\)) entries, confirmed diagnosis, send data, CDC, verify, find patient's footprints and contacts]
Threat Model & Security Properties
[Diagram: Proposed scheme - threat model & security properties. Labels: personnel, authenticate, school, record, database holding (time, building, \(\sigma\)) entries, confirmed diagnosis, send data, CDC, verify, find patient's footprints and contacts. Threat labels: external attacker, read; visitor, fake identity]
Security properties shown in the diagram:
- Anonymity
- Unlinkability
- Traceability
- Authentication
Proposed Scheme
- We want an anonymous authentication protocol
- Authentication: school can verify whether a person is a legitimate member of personnel
- Anonymous: school doesn't know a person's exact identity when authenticating
- In case of confirmed diagnosis, a more authorized unit (CDC) can de-anonymize the records
- Patient and the contacts will not be able to enter buildings for the next 14 days
- We can apply a group signature scheme
Signature
- Speaking of authentication protocols, we think of the cryptographic primitive digital signature
- Using the signer's public key, the school can verify a valid signature and allow entrance
- But different personnel's signatures have to be verified using different public keys
- No anonymity!
- School only needs to verify the signer belongs to the group of all personnel
Group Signature
- A group of \(n\) people, each has secret key \(\bold{sk_i}\), single group public key \(\bold{gpk}\)
- Verifier uses \(\bold{gpk}\) to verify the signer is one of the \(n\) group members
- A group manager secret key \(\bold{gmsk}\)
- The group manager can use \(\bold{gmsk}\) to reveal the signer's identity
- How can this possibly be achieved?
Zero Knowledge Proof
- A computationally hard problem \(P\)
- The \(n\) secret keys are \(n\) solutions to \(P\)
- Signer proves knowledge of a solution to \(P\) via the signature
- Verifier only knows that signer is one of the \(n\) members, but doesn't know which one
- \(P\) contains the variable \(\bold{gmsk}\)
- Knowing the variable \(\bold{gmsk}\), the group manager can recover signer's identity from the signature
Zero Knowledge Proof
- \(P:\text{find }(A, x)\text{ such that }A^{x + \gamma}=g_1\), where \(\gamma\) is in \(\bold{gmsk}\)
- \(\bold{sk_i}\) contains a solution \((A_i, x_i)\)
- A pairing function \(e\) satisfying \(e(g_1^a,g_2)=e(g_1,g_2^a)\)
- Public key \(\bold{gpk}\) contains \(g_1, g_2, w=g_2^\gamma\)
- Signer proves knowledge of \((A_i, x_i)\) in signature
- Verifier checks \(e(A_i, wg_2^{x_i})=e(g_1,g_2)\)
- Group manager uses \(\gamma\) inside \(\bold{gmsk}\) to recover \(A_i\), hence the identity \(i\) from the signature
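
Why the verifier's check holds for an honestly issued key, written out with the symbols above (a derivation added here, not taken from the slides). It assumes full bilinearity, \(e(u^a, v^b)=e(u,v)^{ab}\), of which the slide states a special case, and uses \(w=g_2^\gamma\) and \(A_i^{x_i+\gamma}=g_1\):

\[
e(A_i,\ w\,g_2^{x_i}) = e(A_i,\ g_2^{\gamma}\,g_2^{x_i}) = e(A_i,\ g_2^{x_i+\gamma}) = e(A_i^{x_i+\gamma},\ g_2) = e(g_1,\ g_2)
\]

The check uses only \(w\) from \(\bold{gpk}\), so the verifier never needs \(\gamma\) itself.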
System Architecture
Every morning (parties in the diagram: CDC, school, database, personnel)
1. send today's revocation list
2. record the revocation list
Note: even with the revocation functionality, the group signature is anonymous and backward unlinkable
System Architecture
When a member of personnel enters a building (parties in the diagram: personnel, school, database, CDC)
1. generate a signature of the message containing building and timestamp
2. send the message with signature
3. verify the signature is valid and the signer is not revoked
4. allow entrance and record to database
System Architecture
When there is a confirmed diagnosis in school (parties in the diagram: personnel, school, database, CDC)
1. notify school of a confirmed diagnosis
2. send records of past 14 days to CDC
3. open the signers' identity to find patient footprint and contacts
4. revoke the patient and contacts for the next 14 days
5. send patient footprint and contacts
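
The confirmed-diagnosis procedure above as a runnable sketch (an added example, not the authors' prototype). The `trace` function, the sample records and the `CDC_OPEN_TABLE` lookup are assumptions made here; the lookup stands in for opening a real group signature with \(\bold{gmsk}\), and contacts follow the same-day, same-building rule.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=14)  # look-back and revocation period from the slides

def trace(records, open_sig, patient, diagnosed_at):
    """CDC side of steps 2-4. `records` are the school's (time, building, sigma)
    rows; `open_sig` is a stand-in for opening a group signature with gmsk."""
    # Step 2: only the past 14 days of records are handed to the CDC.
    recent = [r for r in records if diagnosed_at - WINDOW <= r[0] <= diagnosed_at]
    # Step 3: only the CDC can map each signature back to its signer.
    opened = [(t.date(), b, open_sig(s)) for t, b, s in recent]
    footprint = {(d, b) for d, b, who in opened if who == patient}
    # Contact rule: entered the same building on the same day.
    contacts = {who for d, b, who in opened
                if who != patient and (d, b) in footprint}
    # Step 4: patient and contacts are revoked for the next 14 days.
    revoked_until = {who: diagnosed_at + WINDOW for who in contacts | {patient}}
    return footprint, contacts, revoked_until

# Constructed sample data. Identities exist only in the CDC's table; the
# school's rows carry an opaque sigma, modelled here as a per-entry token.
CDC_OPEN_TABLE = {"s1": "alice", "s2": "bob", "s3": "carol",
                  "s4": "alice", "s5": "dave", "s6": "bob"}
RECORDS = [
    (datetime(2021, 6, 1, 9, 0), "Library", "s1"),    # alice (the patient)
    (datetime(2021, 6, 1, 15, 30), "Library", "s2"),  # bob: same day and building
    (datetime(2021, 6, 1, 10, 0), "Gym", "s3"),       # carol: different building
    (datetime(2021, 5, 10, 9, 0), "Lab", "s4"),       # alice, older than 14 days
    (datetime(2021, 5, 10, 11, 0), "Lab", "s5"),      # dave: overlap is too old
    (datetime(2021, 6, 2, 9, 0), "Library", "s6"),    # bob: different day
]

def demo():
    # Step 1: the school is notified that "alice" has a confirmed diagnosis.
    return trace(RECORDS, CDC_OPEN_TABLE.__getitem__, "alice",
                 datetime(2021, 6, 5, 12, 0))

if __name__ == "__main__":
    footprint, contacts, revoked_until = demo()
    print(sorted(footprint), sorted(contacts), revoked_until)
```

The school's rows never contain an identity; what is returned in step 5 is the footprint and contact set, and the `revoked_until` map is what feeds the next morning's revocation list.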
Analysis
- Security
  - Assumption
    - CDC is trustworthy and protected
    - Link between CDC and school is authenticated
  - All security properties guaranteed by the group signature scheme
- Efficiency
  - We have two schemes; one is more efficient but has no revocation functionality
  - No overhead for CDC when there's no confirmed diagnosis
Experiment Results
| | SGS | VLR |
|---|---|---|
| keygen (30000 users) | 58.539s | 82.342s |
| authentication time (no revoked personnel) | 0.898s | 1.535s |
| authentication time (1000 revoked personnel) | X | 2.585s |
| open (total 3000 records, 900 quarantine records) | 12.818s | 1945s (32 mins) |
Prototype
Discussion & Future Works
- Hardware implementation: where to generate the signatures?
  - ID cards cannot perform calculations
  - Card reader, may need special hardware design
  - Phone, use Bluetooth for communication
- More precise detection of contacts with the patient
  - Contacts are now detected by entrance to the same building on the same day
  - What if we can require personnel to swipe their card when leaving a building too?
Q&A
A Privacy Preserving Campus Access Control System
By Howard Yang