TRANSCRIPT
You have something to hide
Sandro Etalle
Outline
• Two Episodes
• Privacy in Context
• The Chair
• The Aim
• The Reality Check
• Some Projects (if time allows)
Episode 1: Arnold
www.geenstijl.nl (1)
• "... No, little pissants. .... It even makes us a bit sick. Fortunately we managed to track down the main culprit. Hereby, coward Ixxx xxxx (mirror) (All info), you are caught red-handed! Good luck in the coming days at school, on the street, in the pub and at family parties..."
• "May these guys burn in a burning bramble bush, and far worse."
Episode 2
Topic & Issues
• Topic: Privacy
– Secret data, policy compliance, etc.
• Issues
– Accountability
– Quantitative Privacy Management
Privacy in Context
“if you have nothing to hide you have nothing to fear”
• Skips over the problem by attacking first.
• Is altogether wrong.
The Arguments in Favor
• "huge (security) benefits"
– "Stop terrorism"
• "small privacy loss"
– only few people have access to the data
– (if you have nothing to hide) no-one is going to really look at your record.
“huge (security) benefits”
• Don't want to get into this.
• See the blog of Bruce Schneier.
“small privacy loss (1)”
• "few people have access to the data"
– trained?
– accountable?
• Power balance
"Personal data for 650,000 customers vanishes into thin air"
http://www.theregister.co.uk/2008/01/18/jc_penney_customer_data_lost/
“small privacy loss (2)”
• "(if you have nothing to hide) no-one is going to look at your record."
– clerks are not really overpaid
– Hackers
– Governments
An altogether wrong start
• Experience hath shewn, that even under the best forms of government those entrusted with power have, in time, and by slow operations, perverted it into tyranny. Thomas Jefferson (1743 – 1823)
• “a crime can always be found”
• The mere fact that the data is there, and potentially accessible is a problem.
Indeed
• Definition: “Privacy is the ability to lie about yourself and get away with it”
– Bob Blakley, chief scientist for Security and Privacy at IBM Tivoli Software
• Corollary: “if you have nothing hidden, you have no privacy”.
Two issues
• Private information
– Should be collected/used/etc. moderately
• Misuse should be discovered
– Power balance issue
• Challenges @ TU/e:
– Quantitative Privacy Management
– Accountability
Quantitative Privacy Management
• "privacy is being eroded"
– Measure it!
• Guaranteeing graceful degradation
– Normal in critical infrastructures
– Why not for personal data?
• EHR (electronic health records)?
– (also) an architectural challenge.
Part 2: the security chair
The Security Chair
• Started 1/10/2007
• SEC is financed by CeDICT, the Centre for Dependable ICT Systems, one of the centres of excellence of the 3TU Federation of Technical Universities of the Netherlands.
The Security Group
• Prof. dr. Sandro Etalle
– Trust management & policies for mobile systems
– Protocol verification
– Intrusion detection
– Risk management
• Prof. dr. Bart Jacobs (0.2 FTE)
– Software security
– Cybercrime
• Dr. Jerry den Hartog
– Smartcards, security and formal methods
• Dr. Nicola Zannone
– Access control
• Vacancy
– Embedded systems security
• Dr. Fred Spiessens
– Trust management
• Dr. Lu
– Smartcards, side-channel attacks
• Dr. Vacancy
• PhD students
– Daniel Trivellato: trust management
– Bruno Pontes Soares Rocha: security of mobile devices
– Jing Pan: side-channel attacks
– Gabriel George Popa
– 2/3 more
A technical group working at technical + non-technical problems
EIPSI
Security (computer science) + Coding and Crypto (mathematics) = 30 people by the end of 2008.
The largest technical security group of NL
Teaching
• Kerckhoffs Security Master
– Twente
– Nijmegen
– Eindhoven
Projects
• TAS3: EU IP
– WP leaders
• Poseidon
– ESI, Thales
• S-mobile
– With VU Amsterdam
• PEARL
– Leaders, with RU & TUD
• PinpasJC
– With RU
The research dream in a nutshell
The middle ages of compliance control
• Confidential data
– medical record, RFID data, ...
• Policy enforcement
– Data should not be disclosed to unauthorized users
• How? Nowadays: DRM, access control
– preventive
– No control outside the walls
– One security domain: nothing cross-organizational
• In case of more domains
– Lawyers & auditors
Towards A Posteriori Compliance Control
• Setting: a number of different security domains
– different authorities
– different policies
– different policy enforcement systems
• Goal: policy enforcement
– data should be used & distributed according to policies
• How: by detecting infringements.
The Idea
• Audit Based Compliance Control
– users are responsible.
– auditing authorities detect misuse.
• Does not prevent misuse
– actions can always be executed.
– A posteriori, an authority can ask for justification.
– The user submits a proof that justifies the action.
• Architecture
– Some degree of trustworthiness
Technical Challenges
• Access Control
– Security monitor: should this action be allowed?
• A Posteriori Compliance Control
– Auditor: is this observable indicating an infringement?
• {observables} => decision
• Depends on the architecture
– User: is this policy the right one?
• Authority problem
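As an added illustration of the two previous slides (example code, not part of the original presentation and not the TU/e group's own tools), the toy auditor below implements a posteriori compliance control: actions are only logged, never blocked, and for each observable in the log the auditor asks the actor for a justification, a chain of signed grants running from the data owner to the actor, and checks it against the owner's policy. The principals, keys, record identifier and log are constructed for the example, and HMAC stands in for real signatures.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed demo secrets standing in for each principal's signing key.
KEYS = {"hospital": b"k-hospital", "dr_alice": b"k-alice",
        "nurse_bob": b"k-bob", "eve": b"k-eve"}


def sign(signer, payload):
    """HMAC stands in for a digital signature by `signer`."""
    return hmac.new(KEYS[signer], payload.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Grant:
    """Signed statement: issuer lets grantee do `actions` on `obj` until `valid_until`."""
    issuer: str
    grantee: str
    obj: str
    actions: frozenset
    may_delegate: bool
    valid_until: int
    sig: str = ""

    def payload(self):
        return "|".join([self.issuer, self.grantee, self.obj,
                         ",".join(sorted(self.actions)),
                         str(self.may_delegate), str(self.valid_until)])


def issue(issuer, grantee, obj, actions, may_delegate, valid_until, signer=None):
    """Issue a grant. `signer` defaults to the issuer; a forger passes itself."""
    g = Grant(issuer, grantee, obj, frozenset(actions), may_delegate, valid_until)
    return replace(g, sig=sign(signer or issuer, g.payload()))


@dataclass(frozen=True)
class Observable:
    """One log record. Actions are logged, never blocked (a posteriori control)."""
    time: int
    actor: str
    action: str
    obj: str


OWNERS = {"record:patient-42": "hospital"}  # root authority for each object


def verify_justification(obs, chain):
    """Auditor's decision for one observable, given the actor's submitted proof.

    The proof is a list of grants that must run from the object's owner to the
    actor, each signed by its issuer, each covering the action at the time it
    happened, and each intermediate grant allowing further delegation.
    """
    if not chain:
        return False, "no justification submitted"
    if chain[0].issuer != OWNERS.get(obs.obj):
        return False, "chain does not start at the data owner"
    holder = chain[0].issuer
    for i, g in enumerate(chain):
        if g.issuer not in KEYS or not hmac.compare_digest(g.sig, sign(g.issuer, g.payload())):
            return False, f"bad signature on grant claimed to be from {g.issuer}"
        if g.issuer != holder:
            return False, f"{g.issuer} holds no right to pass on"
        if g.obj != obs.obj or obs.action not in g.actions:
            return False, f"grant from {g.issuer} does not cover {obs.action}"
        if obs.time > g.valid_until:
            return False, f"grant from {g.issuer} had expired at t={obs.time}"
        if i < len(chain) - 1 and not g.may_delegate:
            return False, f"{g.grantee} was not allowed to delegate"
        holder = g.grantee
    if holder != obs.actor:
        return False, f"chain ends at {holder}, not at {obs.actor}"
    return True, "justified"


def audit(log, proofs):
    """The auditor: {observable} => decision, for every entry in the log."""
    return {obs: verify_justification(obs, proofs.get(obs, [])) for obs in log}


def demo():
    """Constructed log: one legitimate access and three infringements."""
    rec = "record:patient-42"
    to_alice = issue("hospital", "dr_alice", rec, {"read", "write"}, True, 100)
    to_bob = issue("dr_alice", "nurse_bob", rec, {"read"}, False, 50)
    forged = issue("hospital", "eve", rec, {"read"}, False, 100, signer="eve")
    log = [Observable(10, "nurse_bob", "read", rec),    # covered by the chain
           Observable(20, "nurse_bob", "write", rec),   # Bob only got "read"
           Observable(30, "eve", "read", rec),          # forged hospital grant
           Observable(60, "nurse_bob", "read", rec)]    # Bob's grant expired at 50
    proofs = {log[0]: [to_alice, to_bob], log[1]: [to_alice, to_bob],
              log[2]: [forged], log[3]: [to_alice, to_bob]}
    return audit(log, proofs)


if __name__ == "__main__":
    for obs, (ok, why) in demo().items():
        verdict = "ok" if ok else "INFRINGEMENT"
        print(f"t={obs.time:3} {obs.actor:9} {obs.action:5} {obs.obj}: {verdict} ({why})")
```

Note what the model does and does not give you: none of the four accesses is prevented, and Eve's forged grant only surfaces because the auditor later re-verifies the signature against the hospital's key. The "authority problem" from the slide is the OWNERS table: the auditor's verdict is only as good as its knowledge of who is the root authority for each object.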
Reality
(diagram: Accountability, Logging, Privacy)
The role trade-off
(diagram: an axis from Privacy to Accountability, with roles placed along it: private citizen, clerk, manager, CEO, head of the army)
Summarizing
• A Posteriori Compliance Control
– Alternative to access control
– Not yet feasible, but this will change
• Salient features
– Notion of observable
– Authority problem
Poseidon
• “radar traces concerning boats in the west side of the theatre may be seen only by officers of ally Y or Z with a special clearance”
PEARL
• Privacy Enhancing security Architecture for RFID Labels
– Specification & enforcement of privacy policies
– Across domains
• STW/Sentinels
– With RUN, Delft, Philips, TNO
Trusted Architecture for Securely Shared Services
Topics: trust management, information protection, workflows, privacy & legal, authentication
Application areas: healthcare, employability
FP7 Integrated Project, 1 Jan 2008 - 31 Dec 2011. 18 partners: KU Leuven, SAP, Oracle, TU/e, ...
S-mobile
• Security of Services on Mobile Systems
– Only games endorsed by ProvacyPreserving.com should access my calendar.
– This applet should not cost me more than 3 EUR per week.
• Matching
• Trust
• STW/Sentinels, with VU, Philips, TNO
PINPAS Java Card: Program Inferred Power-Analysis in Software for Java Card
Trend: security relies on smartcards
– bank & cash cards, SIM, biometric passport
Threat: side-channel attacks
– Passive: timing, power consumption, ...
– Active (fault attacks): power glitch, card tear, ...
Goal: predict and prevent vulnerabilities
– Software simulation (predict)
– Coding guidelines (avoid)
– Program analysis tools (detect)
Initial results:
– Simulation tool, Java Card compliance tests, verification of security properties w.r.t. faults
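To make the "predict by simulation" idea on this slide concrete, here is an added example in Python (not the PINPAS simulation tool, nor any code from the project). The leakage model is deliberately crude: it counts the byte comparisons a PIN check executes, which on a card shows up as execution time and power-trace length. The early-exit check leaks the length of the matching prefix, so an attacker recovers a 4-digit PIN in at most 40 attempts; the constant-time variant executes the same number of operations whatever the secret, and the same attacker learns nothing. The PIN length, the secret "2719" and the digit alphabet are constructed for the example.

```python
"""Toy software simulation of a timing / operation-count side channel."""

PIN_LENGTH = 4  # assumed fixed-length numeric PIN (constructed example)


def naive_pin_check(secret, guess):
    """Early-exit compare. Returns (match, operation count).

    Leak: count = 1 + number of leading digits that match the secret.
    """
    count = 0
    for s, g in zip(secret, guess):
        count += 1
        if s != g:
            return False, count
    return True, count


def constant_time_pin_check(secret, guess):
    """Touches every digit; the operation count is independent of the secret."""
    diff = 0
    count = 0
    for s, g in zip(secret, guess):
        count += 1
        diff |= ord(s) ^ ord(g)   # OR-accumulate differences, no early exit
    return diff == 0, count


def recover_pin(oracle, digits="0123456789", length=PIN_LENGTH):
    """Attacker with access to (match, count) per attempt.

    Per position it keeps the digit that yields the longest trace (ties broken
    by a successful match), so it needs length*10 queries instead of 10**length.
    """
    known = ""
    for pos in range(length):
        pad = "0" * (length - pos - 1)
        # oracle returns (match, count); rank by count first, then by match
        best = max(digits, key=lambda d: tuple(reversed(oracle(known + d + pad))))
        known += best
    return known


def attack(checker, secret="2719"):
    """Run the attack against a checker; returns the PIN the attacker recovers."""
    return recover_pin(lambda guess: checker(secret, guess))


if __name__ == "__main__":
    for name, checker in [("naive", naive_pin_check),
                          ("constant-time", constant_time_pin_check)]:
        print(f"{name:14} check: attacker recovers {attack(checker)!r}")
```

The coding guideline that falls out of the simulation is the usual one: compare secrets without data-dependent control flow. A real card leaks more than an operation count (the Hamming weight of operands, for instance), which is why the project pairs the simulator with program analysis rather than relying on one leakage model.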
Questions?