TRANSCRIPT
A world without PETs
A summary of the presentation given by Stephan Engberg at the conference 'A Fine Balance 2007'
Stephan Engberg, founder and CEO of Priway, has spent the last eight years researching and developing privacy- and security-enabling systems and mechanisms. He opened his presentation by stressing the need for people involved in security and privacy to set aside their previous ways of thinking, as digital integration forces us to rethink.
First he suggested a more operational approach to the definition of terms. Privacy is security from the point of view of a single stakeholder. In a networked economy the design of balances is important because, due to interdependence, security for one stakeholder is an illusion unless it also improves the security of the other stakeholders in case of breach. Trust is the willingness to accept risk in a given context, and as such it is a growing cost element as risk acceptance continues to drop. A root requirement of a PET is that it breaks the assumption of a zero-sum trade-off by enabling value functionality, such as sharing data, without compromising stakeholder security rights and needs in case of failure.
He then argued that there is no reason to accept losses of privacy; on the contrary, individual security and control is the root source of security, innovation and effective societal processes, especially government processes. Security deteriorates because identification concentrates risk, creates interdependence and new data vulnerabilities, and enables identity theft. Command-and-control models for complex economic systems such as government accumulate inefficiencies because they cannot adapt to the sophisticated needs and requirements of end customers. Open-market innovation deteriorates as attention moves from servicing customer needs to profiling in order to maximize marketing communication and short-term sales at the expense of overall value creation. An attacker can easily turn a surveillance system against its own purpose, exemplified by attaching a bomb triggered by automatic face recognition to a surveillance camera. Surveillance is not part of a security system except as a response to a previous, non-invasive mechanism that has detected a non-responding potential threat.
He pointed to government as the critical enabler of privacy and security through its monopoly on the identity structure and its regulation of infrastructure. He presented the basics of National ID 2.0 and a Citizen ID Card, where root identification is used only to create new keys and identifiers adapted to the specific purpose. By maximizing attention to fallback and the correct distribution of controls, we can protect the increasingly vulnerable server systems and databases, the most critical element of critical infrastructure. Identity has to build in security balances even before a new process starts in order to maintain security after the transaction. We can no longer protect data in databases, but we can prevent an attacker, internal or external, deliberate or accidental, from getting access to utilize the data and keys for attacks elsewhere.
A service provider would have better security and access to better data if an attacker cannot launch or scale an attack based on knowledge in the systems. Data can be shared without establishing risks towards the system owner or the end customer, increasing the willingness to share. Most importantly, value-chain attention would be directed towards servicing real and actual customer needs instead of using continuous profiling for control, persuasion or the use of illegitimate force. In other words, even though a specific entity may prefer lock-in, may desire control to further selfish objectives, or may prefer to be in a position of power over a citizen and thus gain a short-term advantage at the expense of longer-term losses, all society interests point towards the values, needs and possibilities of empowering the citizen to pull the value chains for security, efficiency and competitiveness through innovation.
As a simple example to document that this can almost always be done, Stephan Engberg then demonstrated how to maintain security and privacy without the use of trusted third parties, even in a healthcare emergency where the patient is unconscious. It was based on one of the many recent PET breakthroughs: RFIDs with built-in end-user PET that do not leak identifiers, one-time-only mechanisms, and a gradual linkage first to anonymous patient summaries and then to the patient's healthcare file itself. This also provides the basis for securing healthcare as such, since patient controls can be optimized for mutual benefit.
A world without PETs is a world where security, government efficiency and market innovation continue to erode. Data protection cannot compensate for bad security, whereas with good security, data protection and anti-identity-theft are built into the root structures. The PET tools are, or can be made, available, but government controls the demand. Responsible governments cannot afford, or defend, not incorporating PETs as part of critical infrastructure. Research is always needed, but the core problem is that government demand focuses on surveillance and control instead of security and risk mitigation. If the demand side works, research into outstanding issues will follow.
© Priway, Nov 2007, Fine Balance
Slide 1: Fine Balance - A world without PETs
Stephan J. Engberg, Priway
From Central Command & Control to Citizen Empowerment & Dependability
Strategic Advisory Board, EU ICT Security & Dependability Taskforce
www.securitytaskforce.eu
www.hydra.eu.com
www.priway.com
www.rfidsec.com
.. when bureaucrats erode competitiveness, or "why is Europe not making a secure mobile phone?"
Slide 2: Agenda - A world without PETs
1. Basic terms & PET Cases
– Cases: Product RFID, Emergency Care & Citizen-controlled Passports
2. Major problems
– Security, Innovation & government efficiency
3. Disarming the conflict – how deep is the rabbit hole?
– Sustainable principles for Identity & Security – top-down principles
4. Designing for Trustworthiness & Innovation
– Distributed Empowerment – Semantic Resolution
"Without changing our pattern of thought, we will not be able to solve the problems we created with our current patterns of thought." (Albert Einstein)
Slide 3: What is Privacy?
Privacy is security from the point of view of a single stakeholder.
Multi-stakeholder: balance is needed in transactions.
Risk minimisation: purpose specification and revokability.
Application specific: context determines security requirements.
Slide 4: What is Trust?
Trust :: the amount of risk willingly accepted in a given context
Citizens make subjective rational choices: Price / Risk / Loss of control versus Product / Service / Comfort / values
Nobody "wants surveillance" - they want bad guys caught, but nobody likes to be controlled
Slide 5: What is a PET?
A Privacy Enhancing Technology, or PET, is a technology or system enabling citizen security and control that breaks the assumption of zero-sum trade-offs (Freedom vs. Security, Sharing vs. Privacy).
A PET will make Pareto improvements, e.g. facilitate data sharing, value creation or risk mitigation, without creating interdependence and accumulating threats to citizens and systems.
Slide 6: Security/Privacy NOT Zero-sum - Priway Identity Model
Diagram axes: Non-Identified ... Identified; Non-Traceability ... Traceability; Security for Citizen ... Security against Citizen.
Diagram regions: Anonymity (Weak Security), Virtual Identities (Trust Enabling), Identification.
√ Fallback Security √ Privacy & Trust √ Enforcing Rights
√ Mutual Trust √ Crime prevention √ Semantic Id
Slide 7: PET Security for Passive RFID - even in devices without power
Parties: Application, Device (RFID), Reader
Notation: SS = Shared Secret; RSK = Random Key; F, G and H are pseudo-random functions.
Datestamp as nonce: DT (the tag stores DT against replay)
One-time-pad shield: RSK XOR F(DT XOR SS)
Validation: G(RK XOR SS)
Response: H(RSK XOR SS XOR DT)
• In the most secure implementation
– Zero-knowledge random oracle
– The validation response (G) can be 1 bit
• In Silent / Secure modes
– Transfer of EXCLUSIVE control to owner
– Firewall is on (stealth)
– 128-bit shared plus 128-bit session secret
– Attacker cannot learn persistent identifiers
– No need to trust readers
• Implemented with full compatibility with HF - ISO 14443 and ISO 15693 (dual implementation)
• Multiple keys, supporting context-specific id
• Key to security in low-computational devices:
– Even if an extremely powerful attacker could theoretically analyse all possible key combinations through brute force,
– the attacker still needs to test all of them against the tag – RFID is SLOW!!!
– Multiple fallbacks, e.g. change keys
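A runnable model of the reader/tag exchange on this slide, added here as an example; it is not Priway's or RFIDsec's own code. Assumptions: F, G and H are instantiated as HMAC-SHA256 truncated to 128 bits, RK in the validation term denotes RSK, and the 1-bit validation variant is not modelled. The point a defender can check is that a replayed DT is refused, a reader without SS is refused, and every field of an honest transcript is fresh per session, so an eavesdropper sees no persistent identifier.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit fields, matching the slide's 128-bit shared + 128-bit session secret

def prf(label: bytes, x: bytes) -> bytes:
    """F, G, H from the slide. Instantiation is an assumption: HMAC-SHA256 keyed
    by a domain-separating label, truncated to 128 bits."""
    return hmac.new(label, x, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Reader:
    """Reader side. Knows the 16-byte shared secret SS for this tag."""

    def __init__(self, ss: bytes):
        self.ss = ss

    def challenge(self, dt: int):
        """Return (RSK, message) where message = (DT, shield, validation)."""
        rsk = os.urandom(BLOCK)                              # fresh random session key
        dt_b = dt.to_bytes(BLOCK, "big")                      # datestamp used as nonce
        shield = xor(rsk, prf(b"F", xor(dt_b, self.ss)))      # RSK XOR F(DT XOR SS)
        validation = prf(b"G", xor(rsk, self.ss))             # G(RSK XOR SS)
        return rsk, (dt, shield, validation)

    def verify(self, rsk: bytes, dt: int, response: bytes) -> bool:
        dt_b = dt.to_bytes(BLOCK, "big")
        expected = prf(b"H", xor(xor(rsk, self.ss), dt_b))    # H(RSK XOR SS XOR DT)
        return hmac.compare_digest(expected, response)

class Tag:
    """Passive tag side. Stores the last accepted DT to reject replays."""

    def __init__(self, ss: bytes):
        self.ss = ss
        self.last_dt = 0

    def respond(self, dt: int, shield: bytes, validation: bytes):
        if dt <= self.last_dt:
            return None                                       # replayed or stale DT
        dt_b = dt.to_bytes(BLOCK, "big")
        rsk = xor(shield, prf(b"F", xor(dt_b, self.ss)))      # unshield RSK
        if not hmac.compare_digest(prf(b"G", xor(rsk, self.ss)), validation):
            return None                                       # reader does not know SS
        self.last_dt = dt                                     # commit DT only after validation
        return prf(b"H", xor(xor(rsk, self.ss), dt_b))

def run_session(reader: Reader, tag: Tag, dt: int):
    """One interaction; returns (accepted, reader_message, tag_response)."""
    rsk, msg = reader.challenge(dt)
    resp = tag.respond(*msg)
    return (resp is not None and reader.verify(rsk, dt, resp)), msg, resp
```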
Slide 8: Value Chain - RFID 2.0 with PETs
Diagram: Product Manufacturer / Production (Public Mode: Product Id = URL, point of SOA services) -> Point of Sales (Transfer of Control) -> Mobile / Home Usage (Privacy Mode: stealth with exclusive owner control, zero-leak interactions, auto-id with optional authenticity verification) -> Recycling (Privacy Mode: one-time category information, one context).
Available: e.g. RFIDsec – security protocol published
Slide 9: Special Case - One-time-only Healthcare Emergency / disaster
Stepwise RFID-based one-time-only EHR linkage
Actors: unconscious user (RFID with Zeroleak™); medic / ambulance, anywhere in the world; Emergency Care PET Infrastructure Service; domestic connection to healthcare files; local hospital; relatives
1. Request help
2. Firewall wake-up: group key plus one-time specific key
3. One-time-only data-ref (+ auth), decryption key
4. Request profile
5. Emergency profile (anonymous)
6. Establish connection to home & relatives
6a. Inform relatives
7. Establish connection / ID
8. In-transport treatment
Emergency Care Server learns NOTHING – no identifiers, no data
Medic gets anonymous patient profile – not linkable, one-time only
Identifier & key to EHR stored with patient – supports PET EHR!!
Slide 10: RFID can support person Id - Securing RFID in Passports (user control of activation & passport revocation)
Actors: User Device (1st gen: on-card biometrics) holding RFID owner key + data decryption key; Passport (RFID with Zeroleak™, encrypted data segment); Border Control
"Zero-knowledge" protocol:
1. Establish context: present public key, request authentication
2. Activate + temporary session decryption key
3. Session decryption key (to public key)
4. Request data
5. Re-encrypted data
Passport lockdown built-in. No exchange of non-revokable biometrics needed – a VISA can be added as a blinded certificate.
Slide 11: Problem #1 - Security erodes
Diagram nodes: Distrust; More identification; Collection of personal data; More "security"; Growing "risk premium"; More "ab"use of personal data; More crime, identity theft; More and larger security failures.
Pervasive surveillance and abuse of surveillance: "Criminals can do everything government can do"
Business silos; Id as property
Identification credentials, e.g. biometrics spoofing: more identity theft and reverse burden of proof
Non-trustworthy; risk accumulation; failure of critical infrastructure
Root problem: identification creates risk!
Slide 12: Problem #1.1 The Security Gap
Diagram: Central Command & Control; Digital Integration versus Security; Risks; Growing threats & failures damaging trust, requiring COMPENSATION; Increasing threats versus Added protection.
With digital integration risks accumulate: many transactions with small perceived risks accumulate to huge threats.
Slide 13: Problem #1.2 - Living at Gunpoint
CASE: Surveillance Smart Bombs. Assume deployment of:
• A series of small RFID-bombs
• Attached to passive RF-reader
• Located at fashionable locations
• Close to normal RFID-reader
• Triggers updated via FM-radio (radio-update)
• Proximity-triggered by target
Business case – Bombs for hire: highly scalable business model, bombs dispersed in major cities near parliaments. "We will get your man in 10 days."
NEW – Bluetooth or face recognition version, tapping into any camera & advertising sign.
Slide 14: Problem #2 - PETs critical for innovation
Value chain: Manufacturer, Distributor, Retailer, Consumer
Surveillance society (Supply Push): profile marketing; cross-context data collection and use; who "owns" the customer?
versus
PET world (Demand Pull): mass customisation; demand-driven innovation; servicing needs; purpose-specific sharing; value network sourcing
9-9.9 out of 10 new products fail. Customers force focus on actual needs & gradual improvements.
Slide 15: Problem #3 Walled Fortress - PETs critical for efficiency
Firewall, access control (getting weaker). Government focus on centralisation: security but ALSO efficiency eroding!
Government services & private sector suffer increasingly from Planned Economy Syndromes, accumulating inefficiencies. The workforce runs faster but is doing the wrong things wrong.
A Danish analysis suggests that Danish public sector productivity has fallen 25% behind private sector productivity over only 15 years.
WHY? No needs-driven innovation mechanisms to allocate & adapt. No fallback. No drivers.
Slide 16: Fine Balances - why PET?
Diagram axes: Anarchic ... Totalitarian; Market (Liberal) ... Collective (Socialist). Extremes: Fascism, Communism, Fundamentalism, Egocentrism.
Integration is pushing towards the extremes.
Slide 17: Fine Balances
Diagram: the same extremes (Fascism, Communism, Fundamentalism, Egocentrism) with the balances between them: Efficiency & Innovation; Equality driven by needs; Freedom with Accountability; Freedom & Security; Trust & Accountability.
Slide 18: Empowerment & Fallback security - Key to National Id trustworthiness
Diagram: spectrum from Anonymity to Identification, spanning Commerce and Government. Towards anonymity, risks grow: crime/fraud, lack of traces. Towards identification, risks grow: crime/fraud, Id theft etc., interdependence. National ID 2.0 is placed between the two.
Slide 19: Open Metropolis – free flow
Diagram: Citizen with client-side identity management; Portals; Profile & channel management; Optional delegation; Outsourced.
Purpose-specific encryption of key and sensitive data. E.g. a DOCTOR knows more client-side than the server application.
Distribute the data keys client-side. Free to share in context; require consent or action to link across contexts.
The design task is how to structure data, keys and processes.
Slide 20: eGovernment id model
Diagram: identity model with axes Single Id ... Multi-Id and Unstructured ... Structured. Scandinavia: single, structured Id. UK, Germany, US: multi-Id, unstructured. Target: Citizen Demand Pull, trust-focused eGovernment, National Id 2.0. E.g. the UK should move straight to National Id 2.0.
Scandinavian challenge: move from single national Id to context Id.
General challenge: demand-pull effectivisation AND security.
Slide 21: Successful PETs
• Cash
• GPS
• Asymmetric encryption
• Proxies/NAT
• C/O addresses / mailbox
• Bearer tokens/tickets
• Etc.
• Democratic election – the BIGGEST success
Problem: GOVERNMENT is not promoting SECURITY but only surveillance and centralisation. Therefore PETs mostly get deployed in versions empowering the bad guys.
Slide 22: Security Tools available
Available or soon available:
• Anonymous credentials
– Certified profile & attribute data
– E.g. Credentica
• Identity metasystem
– Heterogeneous id environment
– E.g. Microsoft
• Private biometrics & biometric encryption
– Client-side biometrics
– E.g. readers on card
• Anonymisers
– Mixnets / onion routing
– E.g. TOR, ANON
• Hardware-traceability
– Verifiable accountability
– E.g. TCG
"Privacy Highway" inventions:
• Secure RFID with PET
– RFID with privacy control
– Anti-counterfeiting & anti-theft
• Non-linkable digital payment
– Anti-counterfeit, anti-theft
– Anti-laundering, credit, additional
• Citizen Id Cards - anti-identity theft
– Create & manage new ids per context
– Traceable & accountable to Root Id
– Privacy authentication
– Instant revocation
– Id accountability negotiation
• Other
– Receiver-controlled communication
– Indirect means to e.g. control cameras
– GRID context security
Slide 23: Priway Identity Model - PET Roadmap
Diagram axes as on slide 6: Security for Individual ... Security against Citizen; Non-Identified ... Identified; Non-Traceability ... Traceability. Technologies placed on it: Human Recognition, Photo Id, National Id 1.0, Biometrics ID & Surveillance, Revokable Biometrics, National Id 2.0, PGP, Basic Internet, Mixnets, PETs, PETs with anti-crime.
Government block here: the Central Command & Control paradigm fails to recognise needs. Government blocks the market by promoting & buying surveillance.
Slide 24: Strategic Advisory Board on Biometrics -> Citizen control
For instance, biometrics are problematic for use in authentication, as the "secret key" is not secret, revocable or unique: biometrics can be spoofed, victims of identity theft cannot get a new set of biometrics, and using several spoofable biometrics can merely create more "fake security".
Empowerment considerations involve ensuring that the use of biometrics in identity and key management is based on easily and securely revocable keys, such as privacy biometrics (integration of biometric characteristics in mobile tamper-resistant reader devices) or bio-cryptography (integration of biometric characteristics in revocable cryptographic keys), while enabling the use of a plurality of identity schemes. Indeed, empowerment and dependability are not achievable if control is always with someone else and attackers commit identity theft based on faked biometric credentials.
Source: www.securitytaskforce.org - Recommendations, p. 14
Slide 25: User-controlled Biometrics
1. Root Identity
2. Context Identity
3. Identity Recognition
4. Identity Revocation
User control of device & channel management
User-controlled ONLY!!!! On-card biometrics authentication; possible biometric encryption
Government can revoke Root Identity; citizen can revoke context id & devices
On-card biometrics authentication: prevent terrorist dual enrolment; enable witness relocation & police undercover
NEVER collect non-revokable biometrics
Only use to create
Slide 26: Semantic Resolution of Security
Diagram: Enrolment / Authentication; Negative Credentials / Positive Credentials; Dynamic Security Resolution and negotiation towards Application Risk Profile; Accountability; Semantic Identity Virtualisation (www.hydra.eu.com)
Includes dynamic responses to external alerts, e.g. terror threat.
Id negotiated and customised to context; can be recognised / reused.
No need for surveillance until a specific threat does not respond to requests using non-invasive means.
Slide 27: Dynamic Security Escalation
Least invasive means by default. Threat status: Normal, Heightened, Critical.
Escalation ladder, from least to most invasive:
– Local Id (anonymous handle)
– Credential Id (specific credential proofs)
– Trustworthy Id (transaction accountable)
– Trusted Id (trusted party)
– National Id (singular Id)
– Biometric Id & Surveillance (last resort)
Check against negative credentials (each provides proof of NOT being on a fugitive list)
Slide 28: The Security Gap eliminated with Citizen Empowerment
Diagram: Digital Integration; Security; Risks; Increasing threats versus Added protection.
Choices are independent and security is separated from service interests. The model is transparent.
Slide 29: Summation
• The Command & Control paradigm will increasingly fail
– PETs needed for security, innovation & efficiency
– A single national Id is the security PROBLEM, damaging the economy
– PETs have to be supported already in ID cards – Citizen Id
• We need BOTH stronger traceability AND empowerment
– Always use revocable biometrics only - critical
– Purpose-specific Id, open semantic resolution & interoperability
– User devices facilitating trust in Id & key management
• To make effective, innovative & trustworthy balances
– Design as if there is no trust -> Trustworthy
– National Id is only a platform for Context Id -> Free flow of data
– Empower citizens to pull digital value chains -> Drive value
WHY IS EUROPE NOT MAKING A SECURE MOBILE PHONE?
Slide 30: Questions?
"Without changing our pattern of thought, we will not be able to solve the problems we created with our current patterns of thought." (Albert Einstein)
Stephan J. Engberg, Priway
Security in context.. because the alternative is not an option
From Central Command & Control to Citizen Empowerment & Dependability
Use non-invasive mechanisms maintaining post-transaction balances.
Only activate surveillance when a specific threat is detected.