Souha Masmoudi’s thesis defense

October 2022

Souha Masmoudi's thesis defense: “Privacy-preserving malleable technologies for privacy-aware identity management systems”. On December 9, 2022, Souha Masmoudi will defend her thesis entitled “Technologies malléables préservant la vie privée pour des systèmes de gestion des identités respectueux de la vie privée” at Télécom SudParis, 9 Rue Charles Fourier, at 2pm in the Salle des Conseils, Bâtiment Étoile.

With the explosion in the use of digital identities and the emergence of new online services, individuals are increasingly faced with managing multiple identities and attributes to access services and resources. This poses numerous usability challenges. In addition, the field of digital identities is subject to several security and privacy threats, namely identity theft, massive data collection and individual tracking.

The aim of this thesis work is to design new identity management systems that take into account the dimensions of security, privacy and usability.

Three contributions are proposed in this respect.

The first contribution deals with the management of individuals' real identities and associated attributes, in a setting where the individual presents himself under a pseudonym. It gives individuals control over their attributes. An individual receives certified attributes from an identity provider. To minimize the number of attributes revealed to service providers, he selects only those that are necessary and adapts the certificate accordingly. Service providers are then able to verify the authenticity of the attributes provided in pseudonymized sessions. This solution is based on a new malleable signature scheme in which modifications made by individuals are restricted and controlled. Non-associability between transactions of the same individual is satisfied across multiple service providers.

The second contribution concerns a new biometric authentication scheme for identity management systems. This scheme enables the physical access of individuals to be controlled in three stages. The first involves physically visiting an identity provider, who delivers an encrypted, certified biometric template to the individual. Then, with the template stored on his or her smartphone, the individual is able to randomize it to register remotely and anonymously with a service provider. Authentication takes place in the third stage, by physically presenting oneself to the service provider, who compares a new biometric modality captured in real time with the registered one. Thanks to malleable signatures and polymorphic encryption, the proposed scheme prevents the use of false biometric identities, guarantees authentication reliability and safeguards individual privacy, notably anonymity and non-associability between different registration sessions for the same individual.

The third contribution looks at data sharing in identity management systems. In particular, it studies the management of ephemeral attributes of individuals, notably contact information, in the context of a proximity tracking application for e-health systems. Individuals share contact information with people in their vicinity, and receive alerts in the event of contamination risk. This solution is based on a hybrid architecture that includes a centralized server and decentralized proxies. It ensures data consistency and integrity while preventing the injection of false alerts, and safeguards individual privacy by preventing attempts to associate contact information with the same individual and to identify people involved in contact with a confirmed case.

The three proposed solutions were implemented and tested on real hardware to validate their feasibility. Experimental results show acceptable computing times, demonstrating the suitability of these solutions for real-world applications.

The jury was composed of:

  • Maryline Laurent - Thesis Director - Télécom SudParis
  • Nesrine Kaaniche - Thesis Co-supervisor - Télécom SudParis
  • Estelle Cherrier - Rapporteur - ENSICAEN
  • Melek Onen - Rapporteur - EURECOM
  • Benjamin Nguyen - Examiner - INSA Centre Val de Loire
  • Eric Totel - Examiner - Télécom SudParis
  • Olivier Blazy - Examiner - Ecole Polytechnique
  • Sébastien Canard - Examiner - Orange Labs

Souha Masmoudi, PhD student in computer science at the VP-IP Chair.
