-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pseudonyms Generated and Managed by Authority, Communicated to Users #2
Comments
Why is there a need for a central authority to manage peusodnyms anyway ? In a similar protocol DP3T the devices generates it's own randomized pseudonyms. The central authority is only contacted to get pseudonyms of infected people thus get way less information about users. |
I don't want you to believe I support the design of the ROBERT protocol (I don't) but your specific point is addressed in appendix A. (Summary: it is to avoid repetition of the "one contact" attack.) |
@bortzmeyer the "one contact" attack is dismissed by sending random "false positive" |
Thanks @KAepora for raising this issue. In ROBERT scheme v1.0, the server is indeed responsible for generating, storing and communicating pseudonyms. This is done for two main reasons:
About the pseudonymity of users with regard to the server. The server does not store any other identifiers than the one included in the IDTable database (see section 3.2. Application Registration (Server Side)). During the Application Registration and the Exposure Status Request, the app may expose network identifiers that could compromise her real identity. To mitigate this risk, solutions like Mixnet or proxies could be used (as suggested in Section 6, footnote 11). More generally, concerning the “honest but curious” assumption: this is a key assumption for the ROBERT v1.0 design as you noticed. It is not our responsibility, as privacy researchers, to judge whether or not this assumption is valid. This topic could be discussed for hours, clearly. However, when looking at the “avis CNIL sur le projet d’application mobile StopCovid”, we have the feeling this is a reasonable assumption. |
Could you please care to justify this statement, which appears to be laughably absurd if taken at face value?
Incredibly disappointing, but somehow not surprising, to see an appeal to authority used in a scientific discussion by the INRIA Privatics team. |
The statement of the CNIL (n° 2020-056 of May 25th 2020) relies precisely on the assumption that the server cannot know the contact list of an infected user (see point 41). You are responding to our concern that this point has not been adressed by the protocol by saying that CNIL states it's ok? Aren't we in an infinite non-sense loop here? And yes indeed, we do not have hours and days to discuss this, since the app was voted in France and will be deployed within hours, that is why we would like a more scientific and clear answer. |
Hey @PRIVATICS-Inria, still have the feeling this is a reasonable assumption? |
The ROBERT summary document contains the following diagram, showing authorities generating pseudonyms and transmitting them directly to users:
However, Section 1.3 of version 1.0 of the ROBERT specification states that, as a security and privacy requirement, ROBERT mandates the following:
And yet, this assumption is only meant to hold under an honest authority:
Furthermore, Section 2.2 states the following:
In short, all of ROBERT is built on trust from central authorities and the assumption that they will behave honestly and be impervious to third-party compromise. I am unable to determine how this is a strong, or even serious and realistic approach to real user privacy. Could you please justify how this protocol achieves any privacy from authorities, and how the current model of assuming that all authorities are:
...is in any way realistic or something that can be taken seriously as a privacy-preserving protocol? Given the level of trust assurances that you are attributing to authorities, and given that authorities are responsible for generating, storing and communicating all pseudonyms directly to users to their devices, what security property is actually achieved in ROBERT in terms of pseudonymity between authorities and users?
Furthermore, it appears that the trust model for ROBERT is such that the server allocates pseudonyms and is thereafter trusted to never examine the social graph or any network relationship graph for users, ever. How could this possibly be a reasonable assumption for a privacy-preserving protocol?
The text was updated successfully, but these errors were encountered: