Viewing Privacy as a Security Property

George Danezis

K.U. Leuven, ESAT/COSIC, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium.

[email protected]

July 26, 2006

Perspective and Scope

What is this talk about?
- Explore the relations between notions of ‘privacy’ and ‘traditional security’.
- Key thesis: Privacy is better understood as security!

How do we proceed?
- In two parts: 1) Intro to Privacy 2) Some privacy properties.
- High-level: keep out the very technical details that cloud the overall picture – unless provoked. (Implementation issues, system specific, cryptography, statistics, standards – lots of details.)
- Focus on technology and technology policy in relation to privacy. (There is also law, sociology, political science, and politics.)
- Look at privacy in the context of computer security – tools like security properties, adversary models, security policies, ...
- A clear focus on the real world and its constraints.

Security or Privacy: a caricature of the debate

The terms in which the debate is often framed today.

Privacy (vague definition) important but...
- ... what about abuse and accountability?
- ... difficulties for Law Enforcement?
- ... copyright or libel?
- (... what does a good, honest person have to hide anyway?)

Established wisdom:
- Need for a balance...
- Control/limit dangerous technology (or research).
- Result: Surveillance by design → no privacy (often).

Only possible conclusion: Security is most important!

Security and Privacy in Context

A brief history of security (Needham), and where does privacy fit?

- Early days (Pre-1970s): Security for the Government and Military. Focus on confidentiality properties. Some work on tamper resistance, signal intelligence, ... Keep secrets using computer security (and also an army, the full legal system, advanced research, the police, ...)
- 70s to 90s: Commercial security and security for enterprises. Focus on integrity and authenticity, bank transactions, contracts, audits, signatures. Using computer security (and an army of managers, accountants, technicians, lawyers ...)
- 90s to today: Security for households, citizens, civil society. Most computers get networked, and everyone starts having their security worries. BUT limited budget, and no army of any type... The era of Privacy Concerns.

Privacy is Security (I)

But let's go further – beyond just ‘balance’:
- Privacy properties and technologies are there to satisfy valid security needs.
- Definition of privacy I prefer: Informational self-determination – Giving out less information, gaining more control over one’s informational environment.
- Examples: freedom from surveillance and profiling, flexibility to access and use content and services, freedom from compulsion, ...
- Small(ish) entities: no serious means to gain assurance (no expertise, no budget.)

Question: who are the small entities?
- Households and individual citizens.
- NGOs, Societies, ...
- Small companies with no tech department?
- Small(ish) governments? (Greek illegal wiretapping...)

Privacy is Security (II)

Like all security, privacy must be technologically supported:

- Privacy/security needs cannot just be satisfied with good intentions.
- Laws are necessary but not sufficient to protect privacy/security. Think of a bridge, or top secret documents...
- Technology must provide assurances where possible – procedures and audits where it is not.
- Hence the development of Privacy Enhancing Technologies.

One more twist: we all use the same infrastructure!
- Despite varying capabilities infrastructure is shared!
- Telecommunications, operating systems, search engines, on-line shops, software, ...
- Denying security to some, means denying it to all! (ex: crypto, DRM)

Where next?

Present some interesting privacy/security properties:

- A critical look at the standard security properties, and how they can be fortified for privacy.
- Some new concepts that are antithetical to current security practices. (Non-repudiation vs. plausible deniability.)
- Why are these useful?

At the beginning there was Authentication

Early work on security focused on authentication (Needham) – the first step before any security policy can be applied.
- Makes sense in a government, commercial or military context.
- But does it make sense when you do not have a closed user group?
- From Authentication to Identity Management (Kim Cameron’s work).

Privacy preserving Authentication mechanisms:
- Private Authentication: to protect against 3rd parties.
- Anonymous Credentials: to protect against all.

Private Authentication

How does authentication traditionally work:
- (Alice) → (Bob): Hi all! I am Alice, and I think you are Bob, and here is some crypto stuff.
- (Bob) → (Alice): Hi Alice, Bob here! ...

Great for flirting on WiFi, not great for privacy.
- Solution: hide from third parties Alice’s identity (Private Authentication.)
- Hiding both Alice and Bob is a bit more tricky (Need public keys, really.)
- Failed authentication should not give out any information about either.
- When both have multiple identities even more tricky.

It is great to see that such an old field has so much life left in it.

Anonymous Credentials

The cinema scenario: you can come in if you have bought a ticket!

- Aim: gain privileges by proving that you have some attributes, according to some authority, without revealing any identity.
- Players: Authority (the box office), Prover (the spectator), Verifier (the ticket checker).
- Distinct from capabilities (Needham): no ID string.

The state of the art:
- Any string or number as an attribute.
- Can prove arbitrary boolean statements on attributes.
- Can prove range statements.
- With double spending controls you have digital cash.

Downside: Heavy crypto and patents. Multishow (IBM), Singleshow (Credentica).

A fresh look at “The Secure Channel”

Commonly deployed security mechanism.

- A success story – what we can do well!
- Widely deployed for messages and streams.
- Examples: PGP, SMIME, SSL, SSH, IPSec, ...

A closer look at the properties:
- Authenticity – we talked about this before.
- Confidentiality – no third party should be able to read it.
- Integrity – no third party should be able to modify it.
- (Non-repudiation) – you should not be able to deny what you said.

Does all this sound right?

Security is whispering into each other’s ear

The secure channel model was good for the military/commercial world:
- Key management can be done safely (remember the armies.)
- Want to archive carefully.
- B2B transactions may need to turn up in court.

What about instant messaging? Keep things Off-The-Record.
- or briefing a journalist, talking on the phone to your lawyer...
- Plausible Deniability (not non-repudiation): No bit-string can be used in court to prove that some action was performed or that you said something (Michael Roe!).
- Forward secrecy: once the communication is securely over, I cannot decrypt it any more. (It is gone, and no amount of pressure will do!)
- Still want Authenticity, Confidentiality and Integrity.
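
An added example, not part of the original slides: one way to keep authenticity and integrity while giving up non-repudiation is to authenticate messages with a MAC under a shared session key instead of a signature. The record format, names and sample messages below are constructed for illustration; note that putting the sender's name inside the MAC input does not create attribution.

```python
import hashlib
import hmac

def tag(key: bytes, sender: str, seq: int, text: str) -> bytes:
    """HMAC over an unambiguous encoding of (sender, sequence number, text)."""
    name = sender.encode()
    data = len(name).to_bytes(2, "big") + name + seq.to_bytes(8, "big") + text.encode()
    return hmac.new(key, data, hashlib.sha256).digest()

def make_record(key: bytes, sender: str, seq: int, text: str) -> tuple:
    """Anyone holding the session key can produce a record for any sender label."""
    return (sender, seq, text, tag(key, sender, seq, text))

def verifies(key: bytes, record: tuple) -> bool:
    sender, seq, text, t = record
    return hmac.compare_digest(t, tag(key, sender, seq, text))

def bob_accepts(key: bytes, record: tuple, last_seq: int) -> bool:
    """Bob's view: labelled as Alice, fresh sequence number, valid tag.
    Bob knows he did not write the record himself, so for him it is
    authentic and unmodified."""
    return record[0] == "alice" and record[1] > last_seq and verifies(key, record)

def third_party_check(key: bytes, transcript: list) -> list:
    """A third party handed the transcript and the key can only learn that
    each record was made by *some* key holder, not which one."""
    return [verifies(key, r) for r in transcript]

def deniability_demo() -> dict:
    # Constructed keys and messages.
    key = hashlib.sha256(b"constructed session key").digest()
    outsider_key = hashlib.sha256(b"constructed outsider key").digest()

    genuine = make_record(key, "alice", 1, "see you at noon")            # written by Alice
    fabricated = make_record(key, "alice", 2, "words Alice never said")  # written by Bob
    injected = make_record(outsider_key, "alice", 3, "from an outsider") # no session key

    return {
        # Authenticity and integrity still hold on the channel itself.
        "bob_accepts_genuine": bob_accepts(key, genuine, last_seq=0),
        "outsider_rejected": not verifies(key, injected),
        # Both records verify identically, so neither is proof against Alice.
        "third_party": third_party_check(key, [genuine, fabricated]),
    }
```

With a digital signature the fabricated record could not have been produced by Bob, which is exactly the non-repudiation property the slide argues against for private conversations.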

Pushing the boundaries of the secure channel: Anonymity

Key questions and properties:

- Should anyone know with whom I am talking? (3rd party anonymity.)
- Should the website I am visiting know who I am? And correlate my visits? (Sender/Initiator anonymity.)
- Should those who want to contact me know who I am/where I am? (Receiver/Server anonymity.)

More generally: freedom from traffic analysis?
- TA can be used to extract information – particularly from streams of data (SSL RFC has a warning.)
- TA can be used for target selection: which laptop to steal? Which house to break in? Which server to attack?
- Location privacy is becoming a problem. Anonymization techniques are useful there too.

Deployed systems: Java Anon Proxy, Tor, Mixminion, Anonymizer.

Compulsion Resistance – (please don’t hurt me!)

Already hinted at forward secrecy / security:

- After some time/steps no one should be able to compromise the security properties.
- Anyone who may come under physical pressure / blackmail would value that.
- An issue for those without armies, security fences and guards.

Other forms of compulsion resistance:
- Steganographic file systems: Under compulsion you can reveal some files, but hide others. (First step: encrypted, fail-safe)
- Safebox folders: you can put data in, but not decrypt it until you are back home. (Photographers / journalists in war zones would love that. No need for public key crypto.)
- Election schemes: you cannot prove how you vote – ‘receipt freeness’.
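
An added example, not part of the original slides: a safebox folder built from symmetric primitives only, which also illustrates the forward secrecy idea from the secure channel discussion. It assumes a one-way key ratchet (the slides do not name a construction) and uses an HMAC-SHA256 counter-mode keystream as a standard-library stand-in for a vetted authenticated cipher; all names and sample data are constructed.

```python
import hashlib
import hmac

# Assumption: a one-way key ratchet is one possible safebox construction;
# the slide does not name one. All names here are hypothetical.

def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a vetted AEAD.
    blocks = (_prf(key, b"ks" + i.to_bytes(8, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under sub-keys derived from a one-time file key."""
    ct = _xor(plaintext, _keystream(_prf(key, b"enc"), len(plaintext)))
    return ct + _prf(_prf(key, b"mac"), ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), ct)):
        raise ValueError("wrong key or modified data")
    return _xor(ct, _keystream(_prf(key, b"enc"), len(ct)))

def advance(key: bytes) -> bytes:
    """One-way step: the next key is easy to compute, the previous one is not."""
    return _prf(key, b"next")

class Safebox:
    """Runs on the travelling device and holds only the current key."""

    def __init__(self, k0: bytes):
        self._key = k0
        self.blobs = []

    def put(self, plaintext: bytes) -> None:
        self.blobs.append(seal(self._key, plaintext))
        # Replace the key. A real device must also wipe the old key from
        # memory and storage, which Python cannot guarantee.
        self._key = advance(self._key)

    def seized_state(self) -> tuple:
        """Everything someone holding the device could obtain."""
        return self._key, list(self.blobs)

def open_at_home(k0: bytes, blobs: list) -> list:
    """The copy of k0 left at home re-derives every file key in order."""
    out, key = [], k0
    for blob in blobs:
        out.append(unseal(key, blob))
        key = advance(key)
    return out

def openable_with(key: bytes, blobs: list) -> int:
    """How many stored blobs a given key opens."""
    count = 0
    for blob in blobs:
        try:
            unseal(key, blob)
            count += 1
        except ValueError:
            pass
    return count

def safebox_demo() -> tuple:
    k0 = hashlib.sha256(b"constructed secret, copy kept at home").digest()
    files = [b"photo-001 (constructed)", b"photo-002 (constructed)", b"notes (constructed)"]
    box = Safebox(k0)
    for f in files:
        box.put(f)
    seized_key, blobs = box.seized_state()
    return openable_with(seized_key, blobs), open_at_home(k0, blobs) == files
```

The key held on the device after the last `put` opens none of the stored files, so the owner has nothing to hand over under pressure; the files become readable only where the initial key was left.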

The Hard Part: Data Sharing

To buy things and get services you need to share data:

- Payments, delivery addresses, system configuration, ...
- Often with more powerful entities, and little choice.
- Once your data is out there, how to protect it? How to control its use?

Data protection regimes:
- EU/Canada/Australia: Data Protection Legislation imposes standards.
- Little enforcement: violations are well funded and technologically supported, enforcement is underfunded and non-technological.
- Technologies to support data protection: automatic audits, Chinese firewall policies, design of privacy friendly architectures, standard protocols. Integration of privacy in the overall s/w process (JC Cannon.)

The new availability: censorship resistance

Presenting privacy as security for the small entities explains its links with Peer-to-Peer computing.
- In pure p2p all nodes can perform all functions – massive resilience: perfect for the weak.
- No a priori centralisation – Only loose coordination.
- Obvious first application: communicate and share information. (The surprise says a lot about system and security design.)
- Popularity due to hostile environment (security/resilience.)

Reputable and marketable applications:
- Efficient and resilient distributed systems (Rowstron – Pastry.)
- Robust and cheap delivery: Bit-Torrent.
- Bridging NATs: Skype – firewall piercing modes of Tor.
- Bypassing port 22 (SSH) restrictions.
- The future: Social Networking / Expert finding...

Abuse Resistance is a PET enabler

Privacy friendly security policies must integrate countermeasures to abuse. Examples:
- Credentials: double spending for coins, private black listing for abusers.
- Bulletin Boards: Social network based reputation, ranking of articles, moderation.
- Peer-to-peer: Sybil attack (John Douceur) resistance.
- Open research area – dependent on application.

The dangers of ‘escrow’ or ‘revocable privacy’:
- Why would you trust the revocation authority?
- Often too abstract.
- Include the revocation process into the security model, and judge its robustness to abuse. Impose technical checks and balances. Demand efficient and automated audits.
- Otherwise ‘just say no’ – too tempting to abuse.

Some Conclusions...

A fresh view of privacy:
- It is time for privacy properties to become first class security properties, and a new set of directions.
- Privacy as information self-determination: control over your information environment – the most valued security property.
- Use tools from security engineering to achieve this (not marketing! But maybe economics, usability...)

Challenges and opportunities:
- Properties would also benefit enterprises, governments and overall strengthen infrastructure.
- In high assurance circles: traffic analysis resistance, location anonymity, compulsion resistance, ... already requirements.
- Data Sharing assurances must be integrated in the process (but so is all security!) Novel technical support badly needed.
- Abuse control: Necessary to find solutions outside the (escrow) box.

... and pointers.

- Any questions?
- Contact me: George [email protected]
- Come to the Privacy Enhancing Technologies Workshop, Ottawa, May-June 2007.
