VANISHING DOCUMENTS
IMPACT ON PRIVACY
George B. Dobbs, Chief Architect & Director Shared Services, Knights of Columbus Supreme Council
KNIGHTS OF COLUMBUS
• Fraternal Benefit Society with 1.7M members
• United States, Canada, Latin America, Philippines & Poland
• Membership driven
• Insures its members and their families
• Whole life, Term life, Fixed annuities and Long term care products
• Career Agency System ~1400 agents
• Fortune 997, ~1.5 B Revenue
EPHEMERAL DOCUMENTS
• Give access – but only for a while
  • Owner’s copies are still valid
  • Correspondent not fully trusted
  • Example: shopping a business plan
• Intentional forgetting
  • All copies vanish after an interval
  • Correspondent trusted but lazy
  • Example: frank conversation in email, later to be regretted.
PROVIDE ACCESS ONLY FOR A WHILE
• Encrypt but control key access
  • Correspondent must get key each time (central control), or
  • Key is stored locally for a while for offline use
    • Requires client side container/code that could be attacked.
• Commercial products in the Digital Rights Management category
• Subject to legal or technical attacks on key holder
INTENTIONAL FORGETTING
• Encrypt, but key access is removed after a while
  • No action needed by user
  • No retroactive retrieval by adversary, even from storage such as caches, mail routers or backup tapes
  • No one can access after the interval expires; even the owner has no access to the key
• Research project at U. Washington
• Subject to key capture during the interval
  • Correspondent may copy message during interval
VANISH RESEARCH PROJECT
• University of Washington (Aug 2009)
• Use cases focus on trusted but lazy correspondents
• Splits symmetric key into parts
• Used an open distributed hash table
AVOIDING A CENTRALIZED STORE
• Distributed Hash Tables
  • Used for many P2P applications
  • Academic studies since 2001
  • Unless refreshed, the DHT times out entries
PREPARING A VANISHING DATA OBJECT
• Pick a random symmetric key, K
• Encrypt the user data locally, yielding C
• Pick a seed, L, for pseudo random number generation
• Use L to generate indices in the hash table x1..xn
• Divide the key into pieces k1..kn, where m parts are needed to compute the key, K (Shamir Secret Sharing)
• put(xi, ki) for i = 1 to n
• Destroy the local copy of the key
• Send {C, L} to correspondent
HOW VANISH WORKS
[Figure: Ann runs Vanish Encapsulate(data, timeout). C = EK(data); K is split by Secret Sharing (M of N) into k1, k2, k3 ... kN, and the shares are put into the World-Wide DHT at indices derived from L. The Vanish Data Object VDO = {C, L} is sent to Carla.]
HOW VANISH WORKS
[Figure: Carla runs Vanish Decapsulate(VDO = {C, L}). L regenerates the DHT indices; the surviving shares k1, k3 ... kN are fetched from the World-Wide DHT (a share marked X is no longer available); Secret Sharing (M of N) recovers K, and data = DK(C).]
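The encapsulate/decapsulate flow described on the preparation slide and the two figures above, as an added toy simulation that is not the Vanish project's code: Shamir m-of-n sharing over a prime field, a SHA-256 counter keystream standing in for the symmetric cipher, and an in-memory DHT whose unrefreshed entries time out. All function names, parameters (n = 10, m = 7, ttl) and the cipher are assumptions made for the example; it shows both the normal path and the failure once fewer than m shares survive.

```python
import hashlib, os, random

P = 2**521 - 1  # Mersenne prime for the share field; a 128-bit K lies below it (assumption)

def split_key(K, n, m):
    """Shamir (m of n): random degree m-1 polynomial with constant term K, evaluated at x = 1..n."""
    coeffs = [K] + [random.randrange(P) for _ in range(m - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def recover_key(shares):
    """Lagrange interpolation at x = 0 from any m distinct shares."""
    K = 0
    for xj, yj in shares:
        num = den = 1
        for xi, _ in shares:
            if xi != xj:
                num, den = num * -xi % P, den * (xj - xi) % P
        K = (K + yj * num * pow(den, -1, P)) % P
    return K

def xor_stream(K, data):
    """Toy stream cipher (demo only, not the plug-in's cipher): XOR with a SHA-256 counter keystream."""
    key, out = K.to_bytes(16, "big"), bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def dht_indices(L, n):
    """Derive the DHT indices x1..xn from seed L; sender and receiver both do this."""
    return [hashlib.sha256(L + i.to_bytes(4, "big")).hexdigest() for i in range(n)]

class MockDHT:
    """Stand-in for the world-wide DHT: unrefreshed entries time out after ttl seconds."""
    def __init__(self, ttl): self.ttl, self.store = ttl, {}
    def put(self, x, v, now): self.store[x] = (v, now + self.ttl)
    def get(self, x, now):
        e = self.store.get(x)
        return e[0] if e and now < e[1] else None

def encapsulate(dht, data, now, n=10, m=7):
    """Ann's side: K exists only as shares in the DHT once this returns."""
    K = int.from_bytes(os.urandom(16), "big")      # random symmetric key
    C, L = xor_stream(K, data), os.urandom(16)     # C = EK(data); L seeds the indices
    for x, (_, k) in zip(dht_indices(L, n), split_key(K, n, m)):
        dht.put(x, k, now)                         # put(xi, ki) for i = 1..n
    return {"C": C, "L": L, "n": n, "m": m}        # VDO = {C, L}; local K is dropped

def decapsulate(dht, vdo, now):
    """Carla's side: rebuild K from surviving shares; None once fewer than m remain."""
    idx = dht_indices(vdo["L"], vdo["n"])
    shares = [(i + 1, k) for i, x in enumerate(idx) if (k := dht.get(x, now)) is not None]
    return None if len(shares) < vdo["m"] else xor_stream(recover_key(shares[:vdo["m"]]), vdo["C"])
```

Dropping up to n - m shares still recovers the data; one more missing share, or the timeout passing, leaves only the ciphertext C behind.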
THE FIREFOX PLUG IN
• Implemented as an extension to the GPG plug in
• Entirely client side
• Shows potential for becoming mainstream
ATTACK
• Defeating Vanish (Sep 2009)
• Researchers showed it feasible to infiltrate the open DHT and record all keys
• Originators responded with improvements
  • Use hybrid of open and closed DHT
  • Closed DHT restricts entry of nodes into system
END OF TECHNICAL PART
• Next section scratches at possible issues from an Enterprise point of view
• Please suggest your own thoughts.
ORGANIZATIONAL DILEMMAS
• Let’s suppose the vanish ability becomes mainstream
• What kinds of scenarios can we dream up?
LITIGATION HOLDS
• Legal framework: stop the clock on document destruction
• Clearly this prohibits organizations from originating these documents
• If someone does create a VDO
  • Keys and plaintext gone, but crypto text is evidence that the document existed
• What controls can we envision to prevent their use?
INBOUND COMMUNICATIONS
• VDOs could come from ‘outside’
• Are there business reasons to allow this?
• What about going ‘out’ to visit a VDO?
• Are there cases when a VDO should not be opened?
• Are there cases when it must be opened?
BUSINESS USES
• Probably few legitimate uses for large commercial enterprises.
  • Customer Service
  • Brand Management
  • Public Safety
  • Attorneys under privilege
GOING OUTSIDE TO VIEW
• Go to a website to view a VDO
  • Does that constitute corporate knowledge?
• Company uses social networking site
  • Stay in contact with customers for customer service, say
• Since VDO is mainstream, a user turns it on for ALL communications, thinking that safer
• But for enterprise, it’s a business transaction
• So…. does it need to be ‘imported’ for preservation?
  • Capture the key and ciphertext, or just the plaintext?
LETTING VDOS IN
• Email with a vanishing data object
• Options:
  1. Detect and prevent entry, like spam
  2. Allow in, but prevent acquisition of keys, through network policy.
  3. Allow in, but decode passing through gateway
  4. Allow in with quarantine & special handling
• Is there a duty to preserve it? For e-Discovery?
• Would the court consider the unpacked as equivalent?
  • To prove it is equivalent you’d need the key
FOR SAFETY, MUST OPEN
• Suppose clear text subject line contains a threat: “Bomb active. Defuse instructions enclosed”
• Mail is received but enterprise policies prevent acquisition of key
• This scenario indicates some sort of handling
BRAND BUZZ
• Corporations sometimes watch what is being said about them in public venues
• If social network acts as an amplifier/repeater, and the VDOs time out, say, in 8 hours
  • Watcher scan cycle time would need to be less than the timeout
  • If today a daily scan is adequate, it might need to be every few hours
OUTBOUND COMMUNICATIONS
• Lying to a customer
  • EE or Agent promises something
  • Controllable on internal equipment/email
• Employee sends stolen company info
  • User A with enterprise IP goes to sneaky.com
  • Under the cover of HTTPS writes a VDO with internal information
  • User B, an investor, foreign power etc., reads info
• In order to stop
  • Blacklist sneaky.com
  • Terminate SSL at border
  • Intercept & decode, possibly quarantine
  • Prevent anything that appears further encrypted.
NOT, PERHAPS, JERICHO, BUT
• Millions of consumer computers harnessed to provide some privacy
• Is an example of how the walled garden model of the enterprise may no longer be sufficient
REFERENCES
• Vanish: Self-Destructing Digital Data, http://vanish.cs.washington.edu/
• New Technology to Make Digital Data Self-Destruct, http://www.nytimes.com/2009/07/21/science/21crypto.html
• Distributed Hash Tables, http://en.wikipedia.org/wiki/Distributed_hash_table
• Attack, http://z.cs.utexas.edu/users/osa/unvanish/papers/vanish-broken.pdf
• Vanishing E-mail and Electronically Stored Information: an E-Discovery Hazard, http://www.rlgsc.com/blog/ruminations/vanishing-electronic-data-ediscovery.html