Crypto-Book: an architecture for privacy preserving online identities

Abstract

Through cross-site authentication schemes such as OAuth and OpenID, users increasingly rely on popular social networking sites for their digital identities--but use of these identities brings privacy and tracking risks. We propose Crypto-Book, an extension to existing digital identity infrastructures that offers privacy-preserving, digital identities through the use of public key cryptography and ring signatures. Crypto-Book builds a privacy-preserving cryptographic layer atop existing social network identities, via third-party key servers that convert social network identities into public/private key-pairs on demand. Using linkable ring signatures, these key-pairs along with the public keys of other identities create unique pseudonyms untraceable back to the owner yet can resist anonymous abuse. Our proof-of-concept implementation of Crypto-Book creates public/private key pairs for Facebook users, and includes a private key pickup protocol based on E-mail. We present Black Box, a case study application that uses Crypto-Book for accountable anonymous whistle-blowing. Black Box allows users to sign files deniably using ring signatures, using a list of arbitrary Facebook users -- who need not consent or even be aware of this use -- as an explicit anonymity set.