Cryptographic Enforcement of Segregation of Duty

● “доверяй, но проверяй” – old Russian proverb
  “rely yet verify”
● Thomas Maus
  ◉ thomas.maus alumni.uni-karlsruhe.de
● DeepSec 2015 (17.11.2015)


Introduction

● started with IT 1979 – school experiment
● Computer Science, University of Karlsruhe
  ◉ study + research
  ◉ EISS = European Institute of System Security
● 1993: self-employed IT security consultant
● some representative talks:
  ◉ risk analysis + mgmt (DECUS 2003 + others)
  ◉ eHealth (in)security (21C3+22C3, various others)
  ◉ crypto-analytic password quality measures (various)
  ◉ RFID (in)security (various)
  ◉ Tale Telling Timings (various)


Introduction …

● home-town: Trier
  ◉ situated between Eifel and Hunsrück
  ◉ low population density
    ➜ scarce public transport facilities
● hitchhiking?
  ◉ too dangerous …


Introduction …

● IT supported + secured hitchhiking?
● objectives:
  ◉ anonymity as far as possible
    ◎ at least strong pseudonymity
    ◎ no tracking
  ◉ crime prevention + prosecution
    ◎ mutually verifiable registration status
    ◎ “on-line” transaction registry
    ◎ tracking of missing persons by police + next of kin
  ◉ coordination + matching of travel opportunities and wishes
  ◉ integration into public transport system
    ◎ tickets
    ◎ payment of transport providers


Introduction …

● school administration SW of federal state
  ◉ developed by participants of school experiment
  ◉ i.e. mostly by pupils!
  ◉ chosen by proven computer versatility
  ◉ e.g. successful hacking of school computer ;-)
● challenge:
  ◉ forestall impeachment of pupil programmer's graduation diploma
  ◉ build confidence in correctness → reliance


Introductory Conclusions

● multi-lateral security needed
● multiple security dimensions
  ◉ “classical”: confidentiality + integrity + availability
  ◉ correctness
  ◉ verifiability / auditability
  ◉ separation of duties
  ◉ non-repudiation / proof of volition vs. error
  ◉ privacy
    ◎ transparency + control for subject
    ◎ non-traceability / data minimization
    ◎ robustness against inference and extrapolation
  ◉ …


Example for Illustration: Data Retention

● soft or social Science Fiction
  ◉ “how a technology could transform a society”
  ◉ hard science core = cryptography
    ◎ ¼ century around: public-key cryptography
    ◎ construct of ideas open for debate
  ◉ soft socio-political outer shell
    ◎ fictional stances of society and various personas
    ◎ only for demonstration purposes
    ◎ suspension of disbelief requested


Visualization of Cryptographic Instruments

● asymmetric keys of cyan persona (Alice)
  ◉ private key
  ◉ public key
● asymmetric keys of red persona (Bob)
● usage examples
  ◉ sealed (signed) with red private key
  ◉ encrypted with cyan public key
  ◉ first sealed, then encrypted
  ◉ first encrypted, then sealed
  ◉ typically implicit and invisible: symmetric keys
  ◉ decryption possible by Alice or Bob, with detached seal by Carol


Our fictitious Society: Dramatis Personae

● civil society
  ◉ constitutional democracy
  ◉ politically participating citizens (citoyen)
  ◉ civil rights organisations
● investigative authorities
  ◉ police detectives
  ◉ public prosecutor
● examining magistrate (= Ermittlungsrichter)
● (federal) privacy commissioner
● telecommunication service providers


Dramatis Personae: Civil Society

● ultimate democratic sovereign
  ◉ votes + referenda
  ◉ political parties
  ◉ NGOs
● objectives
  ◉ active political participation
  ◉ protect
    ◎ constitutional democracy
    ◎ fundamental human + civil rights
  ◉ vigilant about
    ◎ panopticon effect
    ◎ correct exercise of office by representatives + officials
  ◉ crime prevention + prosecution


Dramatis Personae: Investigative Authorities

● obligations
  ◉ crime investigation for prevention + prosecution
● conflicting interests
  ◉ fundamental civil rights
    ◎ privacy of correspondence, posts + telecommunications
    ◎ privacy of the home
    ◎ …
● intentions
  ◉ tactical secrecy of investigation
  ◉ earning + keeping public confidence
  ◉ auditability
  ◉ exoneration capabilities
● public prosecutor's keys


Dramatis Personae: Examining Magistrate

● obligations
  ◉ individual decisions within legal framework
  ◉ crime investigation ↔ fundamental rights
● conflicting interests
  ◉ enable optimal crime investigation
  ◉ protect fundamental civil rights
● intentions
  ◉ tactical secrecy of investigation
  ◉ earning + keeping public confidence
  ◉ auditability
  ◉ exoneration capabilities
● examining magistrate's keys


Dramatis Personae: Federal Privacy Commissioner

● obligations
  ◉ formal control of disclosure requests
  ◉ official auditing + statistics + reporting
  ◉ investigation + information in special cases: e.g. medical doctors, lawyers, priests, …
  ◉ official investigation of complaints
  ◉ destruction of own private key in certain cases
● intentions
  ◉ protection of fundamental rights within statutes
  ◉ earning + keeping public confidence
● federal privacy commissioner's keys


Dramatis Personae: Telecommunication Service Providers

● obligations
  ◉ provide legally required data structures to investigation authorities
● intentions
  ◉ compliance
  ◉ minimal involvement
  ◉ exoneration capabilities ➜ rapid erasure of cleartext connection data
● telecommunication provider's keys (pars pro toto)


Manifold Imaginable Socio-Political Decisions

● much flexibility needed within framework!
● creative leeway + areas of decisions
  ◉ initial data for investigation services?
  ◉ keeper of data?
  ◉ sequence of workflows?
  ◉ veto powers?
  ◉ …


Initial Data for Investigation Services

● selection of data to be disclosed
● general data structure
  ◉ “handle” → “opaque protected data”
  ◉ “handle” =
    ◎ information freely available to investigators
    ◎ not perceived as impairing fundamental rights
  ◉ “opaque protected data” =
    ◎ information pertaining to fundamental rights
    ◎ accessible only via safeguarded procedure
      ○ crypto-enforced
      ○ segregation of duty
      ○ review + control
      ○ auditability


Initial Data: The “Handle”

● subset of communication data as selector
● example of inappropriate handles
  ◉ (calling id, precise start time, precise end time)
  ◉ (called id, precise start time, precise end time)
  ☢ correlate time stamps → infer speaking parties
● dilution of precision / obscuration of handles!
  ◉ protection against inference + extrapolation
  ◉ balanced with specificity
● example of diluted handles
  ◉ (calling id, diluted start time, diluted duration)
  ◉ (called id, diluted start time, diluted duration)
  ◉ (diluted location, diluted time period)


e.g.
● per minute
● ⌊5 minutes⌋
● ⌊¼ hours⌋
● …
● depending on time-of-day


e.g.
● per minute
● {<1, <2, <3, <5, <10, <15, …} minutes


e.g.
● cell base station
● precinct
● geo coord ⌊arc minute⌋
● …
● depending on area
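
The dilution rules from the “Handle” slides, as an added example (not code from the talk): it joins calling-side and called-side handles on their time fields and reports the candidate partners per caller, first for precise and then for diluted handles. The call records are constructed and all function names are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample calls: (calling id, called id, start, duration in seconds)
T0 = datetime(2015, 11, 17, 10, 0, 0)
CALLS = [
    ("A", "X", T0 + timedelta(seconds=12), 95),
    ("B", "Y", T0 + timedelta(seconds=47), 130),
    ("C", "Z", T0 + timedelta(seconds=201), 171),
]
DURATION_BOUNDS_MIN = [1, 2, 3, 5, 10, 15]  # the slide's {<1, <2, <3, <5, <10, <15, …}


def dilute_start(ts, minutes=5):
    """Floor a timestamp to a multiple of `minutes` (the slide's ⌊5 minutes⌋)."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def dilute_duration(seconds):
    """Return the first bucket the duration falls below, e.g. 95 s -> '<2'."""
    for bound in DURATION_BOUNDS_MIN:
        if seconds < bound * 60:
            return f"<{bound}"
    return f">={DURATION_BOUNDS_MIN[-1]}"


def precise_handles(call):
    """The inappropriate handles: (id, precise start time, precise end time)."""
    calling, called, start, seconds = call
    end = start + timedelta(seconds=seconds)
    return (calling, start, end), (called, start, end)


def diluted_handles(call):
    """The diluted handles: (id, diluted start time, diluted duration)."""
    calling, called, start, seconds = call
    fields = (dilute_start(start), dilute_duration(seconds))
    return (calling, *fields), (called, *fields)


def candidate_partners(calls, make_handles):
    """Map each calling id to the called ids whose handle has identical time fields.

    A single candidate means the handles alone reveal who spoke to whom.
    """
    handles = [make_handles(call) for call in calls]
    called_by_time = defaultdict(set)
    for _, (called, *fields) in handles:
        called_by_time[tuple(fields)].add(called)
    return {calling: sorted(called_by_time[tuple(fields)])
            for (calling, *fields), _ in handles}
```

With the sample data, caller A keeps a single candidate even after dilution because its duration bucket is unique, which is the kind of residual inference the “balanced with specificity” bullet asks to be checked.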


Initial Data: “Opaque protected Data”

● anonymous + unique?
  ◉ records of identical individual differ always
● pseudonymous?
  ◉ indirection
    ◎ “handle” → “pseudonym”
    ◎ “pseudonym” → “opaque protected data”
  ◉ pre-inspection or pseudonymous investigation
    ◎ pseudonyms in area AND called in time period
    ◎ which pseudonyms communicated often in time frame
    ◎ …
● a continuum anonymous ↔ pseudonymous!


Initial Data: Degrees of Pseudonymity

● scope of pseudonyms
  ◉ specific per location (for location requests)
    ◎ different granularities (≥ location requests)
      ○ country, state, district, postal code, base station, …
  ◉ specific per contact (for contact requests)
    ◎ pseudonyms only constant within conversation pairs
    ◎ … within areas – e.g. Vienna ↔ Graz, Vienna ↔ Salzburg
● durability of pseudonyms
  ◉ pseudonyms change at intervals
  ◉ … change event-driven – e.g. after disclosure
● how? e.g.
  ◉ key = HMAC(Nonce(Interval,Provider), conversation)
  ◉ pseudonym = encrypt(key, Nonce(Subscriber))
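
The two formulas above, as an added example (not code from the talk) of per-contact pseudonyms that change per interval and after a nonce bump. Assumptions of this example: Nonce(Interval,Provider) is derived from a per-provider secret, “conversation” is the sorted pair of party ids, and `encrypt` is a 4-round Feistel network with HMAC rounds standing in for a real block cipher.

```python
import hashlib
import hmac
import secrets


def prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, block):
    """Stand-in 16-byte block cipher: 4-round Feistel network with HMAC rounds."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, prf(key, bytes([i]), right)[:8])
    return left + right


def decrypt(key, block):
    """Inverse of encrypt(): whoever holds the key recovers Nonce(Subscriber)."""
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, prf(key, bytes([i]), left)[:8]), left
    return left + right


class Provider:
    """Hypothetical provider-side pseudonym issuer."""

    def __init__(self, name):
        self.name = name.encode()
        self.secret = secrets.token_bytes(32)   # assumption: per-provider secret
        self.subscriber_nonce = {}              # Nonce(Subscriber)

    def nonce(self, subscriber):
        return self.subscriber_nonce.setdefault(subscriber, secrets.token_bytes(16))

    def bump(self, subscriber):
        """Re-pseudonymisation: a fresh nonce cuts the link to old pseudonyms."""
        self.subscriber_nonce[subscriber] = secrets.token_bytes(16)

    def conversation_key(self, interval, party_a, party_b):
        # Nonce(Interval,Provider), derived from the provider secret (assumption)
        interval_nonce = prf(self.secret, self.name, interval.encode())
        pair = sorted([party_a.encode(), party_b.encode()])
        # key = HMAC(Nonce(Interval,Provider), conversation)
        return prf(interval_nonce, *pair)

    def pseudonym(self, interval, subscriber, peer):
        # pseudonym = encrypt(key, Nonce(Subscriber))
        key = self.conversation_key(interval, subscriber, peer)
        return encrypt(key, self.nonce(subscriber))
```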


Initial Data: Degrees of Pseudonymity

● visibility of pseudonyms
  ◉ investigation services (cleartext)?
  ◉ examining magistrate – opaque for investigators?
  ◉ privacy commissioner?
● different pseudonym-levels per persona
  ◉ e.g. short-lived per contact for investigators
  ◉ long-term absolute for examining magistrate


Initial Data: “Opaque protected Data”

● anonymous?
  ⊕ maximum of non-traceability
  ⊖ lots of disclosure requests + effort + delay
  ⊖ many unnecessary disclosures
● pseudonymous?
  ⊖ less non-traceability (scalable)
  ⊕ fewer, more specific + promising disclosure requests
  ⊕ minimization of disclosures possible
  ⊕ flexible degrees of pseudonymity
  ⊕ investigations more unbiased
  ⊕ high efficiency
● framework accommodates whole continuum


Sketch of Example for Disclosure Procedure

● for sake of simplicity + demonstration: 1 representative workflow outline
● fundamental decisions
  ◉ examining magistrate is gatekeeper of process
    ◎ sequencing + veto powers
  ◉ examining magistrate involves in parallel civil NGOs + federal privacy commissioner
    ◎ parallelizing + distributed veto powers
  ◉ civil NGO decision model variations
    ◎ quorum decisions
    ◎ soft decisions + graded denial


Investigation Phase 1: Investigative Authorities

● free access to all
● select relevant records by handle
● narrow down by pseudonyms
● build disclosure request

handle → pseudonym, ???

investigator's disclosure request
● urgency
● reasons for request
● optional further selection criteria
● set of records to be disclosed
● optional tactical secrecy considerations (what must not or may be disclosed to other parties)


Investigation Phase 2.1: Examining Magistrate

● decrypts + verifies investigator's request
● decrypts every
● selects data records for disclosure

PoV Examining Magistrate
● decision-relevant infos about caller + callee (e.g. medical or law office, emergency service, …)
● more significant pseudonyms (potentially)


Investigation Phase 2.2: Examining Magistrate

● prepares “decision audit record”
  ◉ complete decision grounds (including all facts)
  ◉ complete investigator's disclosure request
● prepares “disclosure decision”
● submits decision …

magistrate's disclosure decision
● urgency
● decision grounds (as far as tactical secrecy permits)
● for all selected records:

decision audit record


Investigation Phase 3.1: Federal Privacy Commissioner

● decrypts + verifies disclosure decision
● decrypts every
● archives decisions for review + verification

PoV Federal Privacy Commissioner
● decision-relevant infos about caller + callee (e.g. medical or law office, emergency service, …)
● more significant pseudonyms (potentially)
● (individual random key per record)


Investigation Phase 3.2: Federal Privacy Commissioner

● purely formal + automated decisions
  ◉ pseudonyms (potentially)
    ◎ narrow selection by investigator's algorithmic criteria
  ◉ decision-relevant infos
    ◎ verify statutory periods and subscriber criteria
    ◎ trigger specific
      ○ audit watch-lists
      ○ notifications to specific institutions
      ○ bumping of subscriber Nonces
● keys of approved selected records
  ◉ actually indexed list of either
    ◎ keys
    ◎ denials with justifications
● statistics for periodic reports


Investigation Phase 4: Delegates of Civil Society

● decrypts + verifies disclosure decision
● decrypts every
● role of delegates?
● many creative possibilities!
  ◉ 1st: as privacy commissioner (but more independent)
    ◎ purely formal + automated decisions of key disclosure
    ◎ own criteria of reporting
  ◉ more later …

PoV Civil Society
● decision-relevant infos about caller + callee (e.g. medical or law office, emergency service, …)
● (individual random key per record)


Investigation Phase 5: Examining Magistrate

● receives + pairs symmetric keys per record

connection / location / subscriber data

⨁ = ??????

clearance of innocent bystanders

● check lock by potential other investigations
● order bumping subscriber's Nonce

order of re-pseudonymisation


Verification Phase 1: Civil Society + Privacy Commissioner

● verification of disclosure requests/decisions
  ◉ after investigation is closed or tried
  ◉ after statutory period
  ◉ individually or jointly by both bodies
  ◉ according to audit watch-lists + random sampling
● “decision audit record” copies of bodies
  ◉ decrypted by examining magistrate
  ◉ content verified via detached seal
  ◉ review of complete procedure
  ◉ discrepancies published + officials impeached
● verification/initiation of re-pseudonymisation


Role Variants of the Delegates of Civil Society

● more freedom: power of disclosure denial
  ◉ imagine whatever-gate scandal scenario
    ◎ disclosure requests for journalist contacts
    ◎ delegates of civil society may require
      ○ concessions of supervising investigation
      ○ guarantees that investigation is unrelated (→ verification phase!)
● e.g. delegates elected for privacy manifestos
  ◉ voting weight according to vote percentages
  ◉ algorithmically defined manifestos (speed of decision!)
  ◉ possible individual consideration of circumstances
● e.g. “examining jurors/assessors”
  ◉ sworn to secrecy
  ◉ part + PoV of examining magistrate


Qualified Majority Control of Powers

● quorum decisions
  ◉ ≥ t “pros” out of N delegates
  ◉ secret-sharing / split-key schemes
    ◎ 2/3 quorum: simple approach
      ○ perfect secrecy < threshold t
      ○ doesn't scale …
    ◎ Shamir: polynomials, perfect secrecy < threshold
    ◎ Blakley: hyperplanes, “leaks” = pros reduce search space
    ◎ …
● modeling political + negotiable decisions?
  ◉ real-life ≠ mathematical “clear+hard” decisions
  ◉ effectively demonstrating reluctance + renitency?
  ◉ stimulating intended behavior?


Sketch for “Soft” Decision Making: Preparation Phase

● k random bits (≥ key size)
● key derivation function
  ◉ with carefully chosen stretching
● ECC: correct erasures
  ◉ intended: quorum q
  ◉ recover < (1-q)·n missing bits
● split secret to parties
  ◉ according to voting weights
  ◉ encrypt with respective public keys
  ◉ propagate within opaque records

[diagram labels: KDF, random bits, ECC(q=75%), ECCed bits, part 1, part 2, … part m]


Sketch for “Soft” Decision Making: Decision Phase

● each delegate withholds
  ◉ nothing at all
  ◉ part of share
  ◉ complete share
● extent of denial
  ◉ < quorum q bits → efficient key recovery
  ◉ > q bits + some margin → list-decoding (polynomial)
  ◉ beyond → brute-force = exponential time …
● fine-tuned effects of graded denial possible
  ◉ showing rising resistance non-detrimentally
  ◉ gradually slowing disclosure, forcing prioritisation
● democratic, decentralized mechanism!

[diagram labels: part 1, part 2, … part m; Civil Rights; part 2, … part m, ✘]
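
The preparation and decision phases as an added example (not code from the talk), which also shows the t-of-N behaviour of the “Qualified Majority” slide: any 6 of 8 symbols recover the key at once, and every symbol withheld beyond that multiplies the search by the field size. Assumptions of this example: a Reed-Solomon-style polynomial code over GF(257) stands in for the ECC, PBKDF2 for the stretched KDF, a check value for trial decryption of the record, and the parameters are constructed.

```python
import hashlib
import hmac
import itertools
import secrets

P = 257        # small prime field keeps the brute-force branch cheap to run
N, K = 8, 6    # n code symbols, k data symbols: quorum q = K/N = 75 %
STRETCH = 200  # KDF iterations; every brute-force guess pays this cost


def interpolate(points, x):
    """Value at x of the polynomial through `points`, over GF(P) (Lagrange)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def derive_key(data):
    """KDF with stretching over the k data symbols."""
    raw = b"".join(symbol.to_bytes(2, "big") for symbol in data)
    return hashlib.pbkdf2_hmac("sha256", raw, b"soft-decision-demo", STRETCH)


def check_value(key):
    """Stand-in for 'this key opens the record' (assumption of this example)."""
    return hmac.new(key, b"check", hashlib.sha256).digest()


def prepare(weights):
    """Preparation phase: random symbols -> KDF -> key, and -> ECC -> parts."""
    assert sum(weights.values()) == N
    data = list(secrets.token_bytes(K))
    base = list(enumerate(data, start=1))           # data symbols sit at x = 1..K
    code = [(x, interpolate(base, x)) for x in range(1, N + 1)]
    parts, pos = {}, 0
    for delegate, weight in weights.items():        # split by voting weight
        parts[delegate] = code[pos:pos + weight]
        pos += weight
    key = derive_key(data)
    return key, check_value(key), parts


def recover(released, check):
    """Decision phase: return (key, guesses tried) from the released symbols."""
    released = list(released)
    lacking = max(0, K - len(released))             # symbols that must be guessed
    held = {x for x, _ in released}
    free = [x for x in range(1, N + 1) if x not in held][:lacking]
    for tries, guess in enumerate(itertools.product(range(P), repeat=lacking), 1):
        points = (released + list(zip(free, guess)))[:K]
        data = [interpolate(points, x) for x in range(1, K + 1)]
        key = derive_key(data)
        if hmac.compare_digest(check_value(key), check):
            return key, tries
    raise ValueError("released symbols are inconsistent with the check value")
```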


Thank You for Your Attention!

● Thomas Maus
  ◉ thomas.maus alumni.uni-karlsruhe.de
● Questions?
● Discussion …