2019 | OriginalPaper | Book chapter

GDPR-Compliant Reputation System Based on Self-certifying Domain Signatures

Written by: Mirosław Kutyłowski, Jakub Lemiesz, Marta Słowik, Marcin Słowik, Kamil Kluczniak, Maciej Gebala

Published in: Information Security Practice and Experience

Publisher: Springer International Publishing


Abstract

Creating a distributed reputation system compliant with the GDPR Regulation faces a number of problems. Each record should be protected regarding its integrity and origin, while the record’s author should remain anonymous, as long as there is no justified legal reason to reveal his real identity. Therefore, standard digital signatures cannot be applied to secure the records.
In this paper we propose a Privacy Aware Distributed Reputation Evaluation system, where each subject of evaluation holds its recommendation record. By application of a novel technique of domain signatures we are able to guarantee that (a) integrity of each entry is strongly protected; in particular, the evaluation subject cannot modify it, (b) the author of each entry is anonymous, however all entries of the same author on the same subject appear under the same pseudonym (so the Sybil attacks are repelled), (c) the entries corresponding to the same author but for different evaluation subjects are unlinkable, (d) only registered users can create valid entries, (e) the real identity of the author of an entry can be revealed by relevant authorities by running a multi-party protocol, (f) for each entry one can create a pseudorandom key in a deterministic way.
The first five features correspond directly to the requirements of the GDPR Regulation. In particular, they guard against profiling the users based on the entries created by them.
In order to facilitate practical applications we propose to maintain a pseudorandom sample of all entries concerning a given evaluation subject. We show how to guarantee that the sample is fairly chosen despite the fact that the sample is kept by the evaluation subject. We present a few strategies that make it possible to mimic some important probability distributions for choosing the sample.


Metadata
Title
GDPR-Compliant Reputation System Based on Self-certifying Domain Signatures
Written by
Mirosław Kutyłowski
Jakub Lemiesz
Marta Słowik
Marcin Słowik
Kamil Kluczniak
Maciej Gebala
Copyright year
2019
DOI
https://doi.org/10.1007/978-3-030-34339-2_19