On a Possible Privacy Flaw in Direct Anonymous Attestation

Adrian Leung and Chris J. Mitchell

(2007)

Abstract

A possible privacy flaw in the TCG implementation of the Direct Anonymous Attestation (DAA) protocol has recently been discovered by Rudolph. This flaw allows a DAA Issuer to covertly include identifying information within DAA Certificates, enabling a colluding DAA Issuer and one or more verifiers to link and uniquely identify users, compromising user privacy and thereby invalidating the key feature provided by DAA. In this paper we argue that, in typical usage scenarios, the weakness identified by Rudolph is not likely to lead to a feasible attack; specifically we argue that the attack is only likely to be feasible if honest DAA signers and verifiers never check the behaviour of issuers. We also suggest possible ways of avoiding the threat posed by Rudolph's observation.

Information about this Version

This is a Published version
This version's date is: 23/12/2007
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/b6d2b2e3-6812-e832-98b5-948cbf23d81b/1/

Item Type: Monograph (Technical Report)
Title: On a Possible Privacy Flaw in Direct Anonymous Attestation
Authors: Leung, Adrian; Mitchell, Chris J.
Departments: Faculty of Science\Mathematics

Deposited on 28-Jun-2010 in Royal Holloway Research Online. Last modified on 13-Dec-2010.
