ISO IEC 27551 pdf – Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication
For each of the roles controlled by the adversary, the adversary may arbitrarily deviate from the protocol specification in attempts to defeat the unlinkability. It is common that after a successful authentication, a session is held between U and RP. The session management ensures that during the session, it is same U that is talking to RP, thus it is linkable within the session. In this document, the notion of unlinkability discussed is between the sessions and not within. Annex A describes each of the unlinkability notions in more detail.
7.3.2 Passive outsider unlinkability (anti-tracking from passive outsiders) An attribute-based authentication protocol is said to achieve passive outsider unlinkability if an adversary that is only allowed to observe the exchanges among U, AP and RP cannot link these observations to U. For example, when Alice, assuming the role of U, authenticates herself to RP via the help of the AP, if the adversary cannot link the run of the protocol to Alice, passive outsider unlinkability is satisfied. Achieving this notion of unlinkability is not considered technically difficult. Usually, passive observations can be neutralised by careful use of encryption throughout the protocol.
7.3.3 Active outsider unlinkability (anti-tracking from active outsiders) Unlike in the passive outsider unlinkability case, the adversary now can intercept the message exchanges among U, AP and RP and can potentially modify them. In other words, the adversary is an entity that remains external to all parties but has read-write access to the contents of the messages exchanged at each stage of the protocol. In particular, the adversary may carry out man-in-the-middle attacks while parties are interacting as per the protocol. The adversary attempts to link a protocol run to U and active outsider unlinkability is satisfied when it is shown that this is not possible. Achieving this notion of active outsider unlinkability is not considered technically difficult. Active outsiders can be neutralized by carefully using the correct combination of existing encryption and authentication throughout the protocol.
7.3.4 RP-U unlinkability (“anonymous visits” to an RP) This is a common notion of user anonymity towards RP. The RP cannot tell whether the user-agent U that arrived at the RP has visited it before. If RP-U unlinkability is not satisfied and RP can link visits made by the same user-agent, then U is not anonymous from the point of view of the RP but is only pseudonymous. RP-U unlinkability is satisfied when an adversary that assumes the role of RP and has also read-write access to all transmissions between U, RP and AP, cannot link U across authentications.
Satisfying RP-U unlinkability guaranties that U is protected by a strong form of anonymity towards RP when performing successive authentications.
7.3.5 AP-U unlinkability In this notion of unlinkability, the AP attempts to tell whether the user-agent U that arrived at the RP has visited it before. If AP-U unlinkability is not satisfied and AP can link visits made by the same user-agent, then U is not anonymous from the point of view of the AP but is only pseudonymous. AP-U unlinkability is satisfied when an adversary that assumes the role of AP and has also read-write access to all transmissions between U, RP and AP, cannot link U across authentications. Satisfying AP-U unlinkability guaranties that U is protected by a strong form of anonymity towards AP when performing successive authentications.
7.3.6 RP+AP-U unlinkability (anti-RP-AP-collusion) In this notion of unlinkability, RP and AP collude, i.e. share all their resources, in an attempt to link authentications performed by the same user-agent. The RP-AP collusion has also read-write access to all transmissions between U, RP and AP. If the authentication protocol protects the user from this kind of attack, RP+AP-U unlinkability is said to be achieved. An attribute-based protocol that satisfies RP+AP-U unlinkability provides the strongest possible form of anonymity for the user, as the user remains anonymous even if the rest of the universe is adversarial.