Topics in Computer Security: Introduction: PETs and TETs Simone Fischer-Hübner

Topics in Computer Security: Introduction: PETs and TETs

Simone Fischer-Hübner

Overview

I. Introduction to PrivacyII. Introduction to PETsIII. Transparency Enhancing ToolsIV. Anonymous Communication

Technologies & TORV. Private Information Retrieval

I. Introduction to Privacy:Privacy Dimensions

Informational self-determination

Spatial privacy

Basic Privacy principles (implemented in EU-Directive 95/46/EC)

Legitimisation by law, informed consent (Art. 7 EU Directive)

Data minimisation and avoidance (Art. 6 I c, Art. 7)

Purpose specification and purpose binding (Art. 6 I b)• ”Non-sensitive” data do not exist !

Example for Purpose Misuse

Lidl Video Monitoring Scandal

Basic privacy principles (II)

Transparency, rights of data subjects

Supervision (Art. 28) and Sanctions (Art.24)

Requirement of security mechanisms (Art.17)

EU Directive 2002/58/EC on privacy and electronic communications

Location data other than Traffic data (Art.9): May only be processed when made anonymous, or

with the informed consent of the user/subscriber

Where consent has been obtained, the user/subscriber must still have possibility of temporarily refusing the processing of location data

Privacy Challenges of Emerging Technologies...

Global networks, cookies, webbugs, spyware,...

LBS Ambient Intelligence, RFID Biometrics...

Privacy Risks of Social Networks - Facebook

Intimate personal details about social contacts, personal life, etc.

Not only accessible by ”friends”

The Internet never forgets completely....

Privacy Risks of Social Networks – Facebook (II)

Privacy Risks of Social Networks – Facebook Beacons

II. Introduction to PETsNeed for Privacy-Enhancing Technologies

Law alone is not sufficient for protecting privacy in our Network Society

PETs needed for implementing Law PETs for empowering users to

exercise their rights

Classifications of PETs1. PETs for minimizing/ avoiding personal data (-> Art. 6 I c., e. EU Directive 95/46/EC) (providing Anonymity, Pseudonymity, Unobservability, Unlinkability) At communication level:

• Mix nets• Onion Routing, TOR• DC nets• Crowds

At application level:• Anonymous Ecash• Private Information Retrieval• Anonymous Credentials

2. PETs for the safeguarding of lawful processing (-> Art. 17 EU Directive 95/46/EC)

• P3P• Privacy policy languages• Transparency Enhancing Tools (TETs)

3. Combination of 1 & 2• Privacy-enhanced Identity Management

III. Transparency Enhancing ToolsDirective 95/46/EC - Transparency

Art. 6: personal data must be processed fairly and lawfully Recital No. 38: data subject must be given accurate and full

information Art. 10/11: Controller must provide Information

the identity of the controller / representative the purposes of the processing any further information (recipients, replies obligatory or voluntary,

consequences of failure to reply, existence of the right of access / to rectify the data)

Art. 12 (a): Right of access (get information from controller about e.g. data processing, purpose, recipients, etc.).

Art 12 (b): Right to rectification, blocking deletion. Art. 14: ensure that data subjects are aware of the existence of

the right to object e.g. data processing for direct marketing

Flash Eurobarometer 2003 Survey

37% of companies said they systematically provide data subjects with the identity of the data controller

46% said they always informed data subjects of the purpose for which the data would be used

42% of EU citizens are aware that those collecting personal information are obliged to provide individuals with certain information (such as at least their identity and the purpose of the data collection)

Transparency Enhancing Tools:Example: “Data Track” in PRIME

Advanced search

Transparency: ”Data Track” providing:

User side-DB with user-friendly search function for transaction records (incl. data, pseudonyms, credentials, timestamp, policy)

Online-Functions for exercising rights

Online Functions for Exercising Rights

Problem: Users do not know their privacy rights and do not exercise them

Can Online Functions help to overcome this threshold and raise trust ?

Issues to be addressed at the user side

Authentication for digital identity – not straight forward if pseudonyms were used

Access request should not reveal more than known by service provider

Issues to be addressed by service side Service side automated response

support needed Laws might need to be updated to allow

Online requests (e.g. in Sweden the PUL only provides the right to access data once in a year)

Service side transparency and accountability tools need to be privacy-enhanced

Example: E-Government Transparency Service: MyPage/MinSide

Provides full Transparency, but could also be used as a perfect profiling tool

Accountability vs. Privacy

For transparency of data use/accountability: ”Policy-aware” transaction logs needed, which however contain personal data about users and data subjects

Appropriate protection schems for logs needed (access control, pseudonymisation,...)

IV. Anonymous Communication TechnologiesDefinitions - Anonymity

Anonymity: The state of being not identifiable within a set of subjects (e.g. set of senders or recipients), the anonymity set

Source: Pfitzmann/Hansen

Definitions - Unobservability

Unobservability ensures that a user may use a resource or service without others being able to observe that the resource or service is being used


Definitions - Unlinkability

Unlinkability of two or more items (e.g., subjects, messages, events): Within the system, from the attacker’s

perspective, these items are no more or less related after the attacker’s observation than they were before

Unlinkability of sender and recipient (relationship anonymity): It is untraceable who is communicating with

whom

Definitions - Pseudonymity

Pseudonymity is the use of pseudonyms as IDs

Pseudonymity allows to provide both privacy protection and accountability

Person pseudonym

Rolepseudonym

Relationship pseudonym

Role-relationship pseudonym

Transaction pseudonym

LINKABILITy


Definitions - Pseudonymity (cont.)


Mix-nets (Chaum, 1981)

A2, r1 A3, r2 Bob, r3, msg K3 K2 K1

Mix 1

Mix 2

Mix 3

AliceBob

A3, r2 Bob, r3, msg K3 K2

Bob, r3, msg K3

msg

Ki: public key of Mixi, ri: random number, Ai: address of Mixi

Functionality of a Mix Server (Mixi)

Inp

ut

Mess

age

Mi

Discard repeated messages

Collect messages in batch or pool

Sufficient messages from many senders ?

Change outlook *)

Reorder

Outp

ut

Mess

ag

e M

i+1

to M

ixi+

1

Message DB M I X i

*) decrypts Mi = EKi[Ai+1, ri, Mi+1] with the private key of

Mixi,

ignores random number ri,

obtains address Ai+1 and encrypted Mi+1

Why are random numbers needed ?

If no random number ri is used :

Mixi

E Ki(M, Ai+1 ) M

E Ki (M, Ai+1) = ?

Mixi+1

Address(Mixi+1) = Ai+1

Sender Anonymity with Mix-nets

Sender (Alice) chooses Mix-Sequence Mix1, ….., Mixn, Mixn+1

Mixn+1 = recipient

Ai (i =1..n+1): address of Mixi

Ki (i=1..n+1): public key of Mixi

zi: random bit stringsM: message for recipientMi: message that Mixi will receive

Sender prepares her message:Mn+1 = EKn+1 (M)

Mi = EKi (zi, Ai+1, Mi+1) for i=1…n

and sends M1 to Mix1

Sender Anonymity with Mix-nets (cont.)

Mix

1

Mix

2

Mix

3

Each Mixi decrypts:

EKi(zi, Ai+1, Mi+1) -> Ai+1: address of next Mix

Mi+1: EKi+1(zi+1, Ai+2, Mi+2),

encoded message for Mixi+1

zi: random string, to be discarded

and forwards Mi+1 to Mixi+1

Sender (Alice)

Ek1(z1, A2, M2) Ekn+1(M)

Recipient (Bob)

Recipient Anonymity with Mix- nets

Mix1Mix

2

Mixm

Recipient Bob chooses Mix-Sequence Mix1, ….., Mixm

and creates anonymous return address RA:

Rm+1 = e

Rj = Ekj(cj, Aj+1, Rj+1) for j=1..m

RA = (c0, A1, R1)

e : label of return address

cj: symmetric key, used by Mixj to encode message on the return path

Aj (j =1..m): address of Mixj

kj (j=1..m): public key of Mixj

zj: random bit strings

Recipient Bob sends RA anonymously to Sender Alice:Ekm(zm, Am-1,Ekm-1(…EK1(z1,A0,RA)..)) RA

Bob

Sender Alice

Recipient anonymity with Mix- nets (cont.)

Mix1

Mix2

Mix3

Sender Alice replies:

Each Mixj receives: cj-1(…c0(M)..), Rj,

decrypts: Rj = Ekj(cj, Aj+1, Rj+1) -> (cj, Aj+1, Rj+1),

forwards: cj(cj-1(…c0(M)…)), Rj+1 to Mixj+1

Label e indicates Bob which c0,..,cm he has to use to decrypt M

c0(M), R1

Bob

cm(cm-1(…c0(M)…)),e

Two-Way Anonymous Conversation

Existing Mix-based systems for HTTP (real-time)

Simple Proxies Anonymizer.com ProxyMate.com

Mix-based Systems considering traffic analysis: Onion Routing (Naval Research Center) TOR (Free Haven project) JAP (TU Dresden, ”Mix Cascade”)

Onion Routing Onion = Object with layers of public key encryption to

produce anonymous bi-directional virtual circuit between communication partners and to distribute symmetric keys

Initiator's proxy constructs “forward onion” which encapsulates a route to the responder

(Faster) symmetric encryption for data communication via the circuit

ZY

XU

ZY

X ZY Z

Forward Onion for route W-X-Y-Z:

Each node N receives (PKN = public key of node N): {exp-time, next-hop, Ff, Kf, Fb, Kb, payload} PKN exp-time: expiration time next_hop: next routing node (Ff, Kf) : function / key pair for symmetric encryption of data

moving forward in the virtual circuit (Fb, Kb) : function/key pair for symmetric encryption of data

moving backwards in the virtual circuit payload: another onion (or null for responder´s proxy)

X exp-timex, Y, Ffx, Kfx, Fbx, Kbx

Y exp-timey, Z, Ffy, Kfy, Fby, Kby,

Z exp_timez, NULL, Ffz, Kfz, Fbz, Kbz, PADDING

Onion Routing- Building up virtual circuit

Create command accompanied by Onion: If node receives onion, it peels off one layer, keeps

forward/backward encryption keys, it chooses a virtual circuit (vc) identifier and sends create command+ vc identifier + (rest of) onion to next hop.

It stores the vc identifier it receives and the one that it sent out as a pair.

Until circuit is destroyed -> whenever it receives data on one connection, it sends it off to the other

Forward encryption is applied to data moving in the forward direction, backward encryption is applied in the backward direction

Example: Virtual Circuit with Onion Routing

Send data by the use of send command:Data sent by the initiator is ”pre-encrypted” prepeatedly by his proxy.If W received data sent back by last Z, it applies the inverse of the backward cryptographic operations (outermost first).

Onion Routing - Review Functionality:

Hiding of routing information in connection oriented communication relations

Nested public key encryption for building up virtual circuit

Expiration_time field reduces costs of replay detection

Dummy traffic between Mixes (Onion Routers) Limitations:

First/Last-Hop Attacks by Timing correlations Message length (No. of cells sent over circuit)

TOR (2nd Generation Onion Router)

First Step TOR client obtains a list of TOR nodes from a directory

server Directory servers maintain list of which onion routers are

up, their locations, current keys, exit policies, etc.

Directory server

TOR client

TOR circuit setup Client proxy establishes key + circuit with Onion

Router 1

TOR client

TOR circuit setup Client proxy establishes key + circuit with Onion Router 1

Proxy tunnels through that circuit to extend to Onion Router 2

TOR client proxy

TOR circuit setup Client proxy establishes key + circuit with Onion Router 1 Proxy tunnels through that circuit to extend to Onion Router

2 Etc.

TOR client proxy

TOR circuit setup Client proxy establishes key + circuit with Onion Router 1 Proxy tunnels through that circuit to extend to Onion Router 2 Etc. Client applications connect and communicate over TOR circuit

TOR client proxy


TOR client proxy


TOR client proxy


TOR client proxy


TOR client proxy


TOR client proxy


TOR client proxy

TOR: Building up a two-hop circuit and fetching a web page

Alice Link is TLS-encrypted OR 1

OR 2

Link is TLS-encrypted Web siteUnencrypted

Create c1, E (g

x1)Created c1, g y1, H(K1)Relay c1 {Extend, OR2, E (g

x2)}

Relay c1 {Extended, g y2, H(K2)}

Relay c1 {{Begin <website<:80}}

Relay c1 {{Connected}}

Relay c1 {{Data, HTTP Get...}}

Relay c1 {{Data, (response)}}

Create c2, E (g

x2)Created c2, g y2, H(K2)

Relay c2 {Begin <website<:80}

Relay c2 {Connected}

Relay c2 {Data, HTTP Get...}

Relay c2 {Data, (response)}

(TCP handshake)

HTTP Get...

(response)

Legend:E(x): RSA encryption{X}: AES encryptioncN: a circuit ID

TOR - Review Some improvemnets in comparision with Onion

Routing: Perfect forward secrecy Resistant to replay attacks Many TCP streams can share one circuit Seperation of ”protocol cleaning” from anonymity:

Standard SOCKS proxy interface (instead of having a seperate application proxy for each application)

Content filtering via Privoxy Directory servers Variable exit policies End-to-end integrity checking Hidden services

Still vulnerable to end-to-end timing and size correlations

Private Information Retrieval (PIR)

Privacy for the item of interest: Allows a user to retrieve an item from a

database/news server without revealing which item he is interested in

Application example: patent database

Simple (but expensive) solution: Download all database entries and

make local selection

Enhanced PIR solution – Cooper/Birman 1995

t+1 servers with identical databases (composed of m cells each) are queried

To each database an m-bit vector is sent, where each bit represents a cell in the database. If the bit is 1, the corresponing cell is selected, otherwise not.

If the pth cell should be read, the t+1 query vectors are created acoording to the following scheme:

t query vectors are random bit vectors of length m Create the t+1st vector by exclusive-oring the t random bit

vectors and then flipping the pth bit (in order to read cell p) This will create a set of t+1 bit-vectors that, when exclusive-ored

together, will yield the bit-vector Ip:

0 if j <> pIp[j] =

1 if j= p

0 1 0 0 0 0 0........0p

PIR – Example of Sample Bit-Vectors for t=3, p=1

0 1(=p) 2 3 4 6 m-10 1 1 0 1 0 0

1 1 0 1 1 0 1

1 1 1 1 0 00 1

0 1 0 0 0 0 0

........

........

........

........

0 0 0 0 0 0 0........

7

0

1

0

1

11

Vector

V1

V2

V3

V1

V2 V3

V4

flip

p

0 1 0 0 0 0 0........0V1

V2

V3

pV4

IP=

PIR- Bit-Vector Protocol

][1][

11

iMriV ][

1][2

2

iMriV ][

1][1

1

iMriV

tt

Client Server 1 Server 2 Server t+1

Step 1. Choose V1, V2, ...Vt+1 such that Ip=

V1 V2 V3... Vt+1

Step 2.

Step 3. answer =

121 ... trrr

Communication of bit vectors and responses must be encrypted

...........

PIR - Review Protection goal: Unlinkability of a user and

an item of interest Security: If each of the bits in the t random

bit vectors are set to 1 with probability ½ then an attacker who has access to at most t of the requests/responses associated with the bit-vectors will gain no information about which cell the client is reading

Updates are complex: Changes/Adding new messages must take place simultanously

Repetition

Repetition: Diffie-Hellman Key exchange

Global Public Elements:q: prime number: < q and is a primitive root of q

[If is a primitive root of prime number p, then the numbers: mod p, 2 mod p,…, p-1 mod p are distinct and are a permutation of {1..p-1}.

For any integer b<p, primitive root of prime number p, one can find

unique exponent i (discrete logarithm), such that b= i mod p, 0≤ i ≤ (p-1)

For larger primes, calculating discrete logarithms is considered as practically infeasible ]

Diffie-Hellman Key Exchange

K = XA XB mod q

q: prime number, : primitive root of q

Some Literature Andreas Pfitzmann et al. ”Communication Privacy”, in:

Aquisti et al. (Eds.), Digital Privacy – Theory, Technologies, and Practices, Auerbach Publications, 2008

TOR: Anonymity Online, http://www.torproject.org/ Roger Dingledine, Nick Mathewson, Paul Syverson, TOR:

The Second-Generation Onion Router, Proceedings of the 13th Usenix Security Symposium, August 2004, http://www.torproject.org/svn/trunk/doc/design-paper/tor-design.pdf

David Cooper, Kenneth Birman, ”Preserving Privacy in a Network of Mobile Computers”, Proceedings of the 1995 IEEE Symposium on Security and Privacy, Oakland, May 1995.

Documents

Topics in Computer Security: Introduction: PETs and TETs Simone Fischer-Hübner