4th ETSI Security Workshop January 2009
Copyright © 2009 Intel Corporation. All rights reserved. 1
Incorporating privacy into security standardization
13 January 2009
Claire Vishik, Intel UK
Summary
• Introduction: technology & security trends, security & privacy, standards landscape
• Building privacy friendly standards
• Examples: privacy as a necessary component of accepted security technologies
– Mobile telephony: GSM
– Networks (IPv6)
– Services: authentication, delegation
– Hardware: Trusted Computing
• Conclusions
• Questions & Discussion
Purpose
• Explain that privacy is a complex set of requirements that permeates all aspects of electronic communications, data, and services and is necessary for the acceptance of new technologies
• Touch upon some of the methods used to ensure privacy-friendly features in security & adjacent standards
Introduction
• Technology trends, relationship between privacy & security, relevant standards’ landscape
Some Technology Trends
• Increasing mobility
• Ubiquitous connectivity
• Increasing computing power of diverse devices
• Different levels of security & privacy protection across the various devices & networks involved in the same set of activities
• Global digital economy
Today’s interconnected environment & data exchanges
A very large number of identifiers pass through networks and backend/client systems.
Mobile commerce: transfer of identifiers across heterogeneous networks (diagram)
1. An e-commerce transaction starts on a phone (phone & subscriber IDs)
2. Is transmitted through wireless and wireline networks (wireless IDs in the wireless context; wire IDs in the wireline log)
3. Passes through a WAP gateway (TCP/IP translation)
4. Moves to TCP/IP networks and backend systems (user and system IDs; platform IDs in e-commerce systems)
Massive Standardization Efforts
Many standards are an integral part of today’s computing environment and require security & privacy support.
(Diagram: environment layers: Communications, Services; Content; Internet; Commerce; Internal Business Units; Back-end)
Standards shown: FTP, SSH, Web Services/SOAP, HTTP, AS1, AS2, AS3, SSL/TLS, S/MIME, XML, SAML, Directory, RSS, IPv6/IPv4, Wi-Fi, WiMax, GSM, 3G, 4G, Trusted Computing
Core Technologies & Standards: “Group” Effort
(Table: Goal / Approaches / Standards bodies / Key players)
• Protect client devices
– Approaches: secure OS, virtualization; hardware security & Trusted Computing; “protection” software
– Standards bodies: TCG, OASIS, IETF, UEFI, others
– Key players: OEMs, component & OS vendors, researchers, “protection” tools vendors, ISVs
• Protect back-end systems
– Approaches: OS hardening, virtualization; hardware security; transport encryption; encryption for data at rest
– Standards bodies: W3C, OASIS, TCG, IETF, IEEE
– Key players: hardware, OS, security/encryption, database and integration vendors; researchers
• Protect networks
– Approaches: authentication; firewalls, IDS, extrusion detection systems; increased resilience; response and remediation
– Standards bodies: IETF, OASIS, ETSI, ITU-T
– Key players: network equipment, telecoms, firewall and IDC vendors; CERTs
• Protect users
– Approaches: identity management; strong authentication; training; usability
– Standards bodies: OASIS, Liberty Alliance, IEEE
– Key players: authentication, OS & hardware vendors; OEMs, ISPs, researchers, regulators
• Ensure privacy
– Approaches: anonymity; verification, not identification; strict privacy policies; privacy-friendly design
– Standards bodies: W3C, JTC1
– Key players: all key players, researchers, ISVs, regulators
Definitions; Some Methods Used to Implement Privacy Friendly Features
Privacy/Privacy Enhancing Technologies
• What information is relevant to privacy?
– “any information relating to an identified or identifiable natural person […]; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (EU Directive 95/46/EC, Art. 2 (a)).
• Some privacy-enhancing approaches:
– Anonymity (or pseudonymity): disconnection from PII
– Unlinkability: cannot be easily linked to PII
– Avoidance of re-identification (subjects or their devices cannot be re-identified with the assistance of other datasets)
– Support for confidentiality
• Other privacy requirements:
– Notice & choice
OECD Privacy Guidelines (1980)
• Openness
• Data quality principle
• Purpose specification principle
• Use limitation principle
• Security safeguards principle
• Openness principle
• Individual participation
• Accountability
Privacy, Security, Interoperability & Trust
Establishment
• In trusted environments, more information is disclosed & shared
– Enhanced privacy requirements may apply
• In high security environments, incomplete disclosure may not be permitted
– Privacy requirements may be different
• Interoperability among systems and networks makes it imperative to provide information about networks, devices, and users
– Higher level approaches to privacy are required
Some Methods to Enhance Privacy
• Use of dynamic or pseudonymous identifiers
– GSM & successors, DHCP, IPv6
• Unlink cryptographic keys and credentials, to limit cryptographic associations between identifiers
– TPM 1.2 & ISO/IEC equivalent
• Substitute complete disclosure (identification) with positive verification
– Research projects
• Protect data in transit and at rest
– Wi-Fi, WiMax, secure application protocols, many other examples
Some examples
• DHCP, IPv6 (IETF)
• GSM (ETSI)
• Trusted Computing (TCG)
• Services: SAML (OASIS)
• Pre-standards research: verification versus identification (Prime, PrimeLife; Open TC)
• Data encryption examples are not included as this approach is very common
• These are representative examples; many more are available
DHCP Address: Dynamic/Pseudonymous ID
• Dynamic IP addresses
– Assigned by a DHCP (Dynamic Host Configuration Protocol) server; change according to policy
– Same structure as static IP addresses
• Implementation weakness: in many situations, DHCP addresses do not have to be actively re-leased
– A DHCP address may last as long as the device (PC or router) remains on
• In this case, DHCP provides limited privacy protection
IPv6 Privacy: Dynamic Identification
• Privacy extensions for stateless address configuration
– Nodes use stateless auto-configuration to generate addresses combining network prefixes and interface identifiers. Static IDs (e.g. MAC addresses) are substituted with derivations
– Addresses change over time, making it harder to re-identify devices involved in transactions
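The slide describes the mechanism at a high level; the following is an added example (not from the presentation) that carries it through in code. It derives the classic EUI-64 interface identifier from a MAC address, then generates a chain of temporary interface identifiers with the MD5-based procedure of RFC 4941 section 3.2.1 (history value concatenated with the EUI-64 identifier, left 64 bits of the digest become the next identifier with the u/l bit cleared, right 64 bits become the next history value) and combines each with a /64 prefix. The prefix, MAC address and initial history value are constructed sample values; a real stack seeds the history with a random value, and the later RFC 8981 drops the MD5 chain for purely random identifiers.

```python
import hashlib
import ipaddress
import os
from typing import List, Optional, Tuple


def eui64_iid(mac: str) -> bytes:
    """Classic stateless autoconfiguration: a 64-bit interface identifier
    derived from a 48-bit MAC (flip the u/l bit, insert ff:fe in the middle).
    This identifier is static, so it lets anyone re-identify the device."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC with six colon-separated octets")
    octets[0] ^= 0x02  # toggle the universal/local bit
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def next_temporary_iid(history: bytes, eui64: bytes) -> Tuple[bytes, bytes]:
    """RFC 4941 sec. 3.2.1 step: MD5(history || EUI-64 IID).
    Returns (new interface identifier, new history value)."""
    if len(history) != 8 or len(eui64) != 8:
        raise ValueError("history value and interface identifier must be 64 bits each")
    digest = hashlib.md5(history + eui64).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD  # clear the u/l bit so the IID cannot be mistaken for a globally unique one
    return bytes(iid), digest[8:]


def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 network prefix with a 64-bit interface identifier."""
    network = ipaddress.IPv6Network(prefix, strict=True)
    if network.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(network.network_address) | int.from_bytes(iid, "big"))


def temporary_addresses(prefix: str, mac: str, count: int,
                        history: Optional[bytes] = None) -> List[ipaddress.IPv6Address]:
    """Generate `count` successive temporary addresses for one interface.
    A real host would start from a random history value (os.urandom); a fixed
    history is accepted here only to make the sequence reproducible."""
    history = os.urandom(8) if history is None else history
    eui64 = eui64_iid(mac)
    addresses = []
    for _ in range(count):
        iid, history = next_temporary_iid(history, eui64)
        addresses.append(make_address(prefix, iid))
    return addresses


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and an arbitrary MAC.
    sample_prefix, sample_mac = "2001:db8::/64", "00:11:22:33:44:55"
    print("stable address  :", make_address(sample_prefix, eui64_iid(sample_mac)))
    for addr in temporary_addresses(sample_prefix, sample_mac, 3):
        print("temporary       :", addr)
```

Run stand-alone, the script prints the one stable (MAC-derived) address next to three temporary ones; only the latter change over time, which is what defeats re-identification of the device across transactions. Note that the privacy gain is bounded by the prefix: every address still reveals the network the host sits on, so the technique hides the device, not the site.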
Mobile Phone IDs (GSM): Dynamic/Pseudonymous ID
• Equipment
– GSM, e.g., uses a 15-digit International Mobile Equipment Identity (IMEI) number (e.g. 35-209900-176148-1) embedded by the manufacturer
– IMEI is used for processing or blocking phone connections
• Identifies the device only
• Subscriber
– SIM card has an IMSI (International Mobile Subscriber Identifier)
– Used for carrying out subscriber-specific services
• IMSI is also stored in the HLR (Home Location Register) file on the network
• Used for subscriber identification
– The real IMSI is sent as rarely as possible, and is substituted with a randomly generated TMSI (temporary parameter)
• IMEI and IMSI together are used to enable security features in mobile networks
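To make the IMSI/TMSI substitution concrete, here is an added simulation (not part of the presentation, and a toy rather than the real GSM signalling): a constructed visitor-register component allocates a random 32-bit TMSI at attach, reallocates a fresh one at every location update, keeps the IMSI-to-TMSI mapping only on the network side, and records every identifier that would have been sent over the radio path. The IMSI value and the log format are constructed; the point is to show that the permanent identifier appears exactly once, at initial attach, and that this one exposure (plus any later failed TMSI lookup) is the residual privacy gap of the scheme.

```python
import secrets
from typing import Dict, List, Set, Tuple

IMSI_TAG = "IMSI"
TMSI_TAG = "TMSI"


class ToyVisitorRegister:
    """Constructed stand-in for the network-side register that maps
    temporary identities back to the subscriber. The mapping never leaves
    the network; only the TMSI travels over the air after the first attach."""

    def __init__(self) -> None:
        self.tmsi_to_imsi: Dict[str, str] = {}
        self.imsi_to_tmsi: Dict[str, str] = {}
        self._issued: Set[str] = set()  # never reuse a TMSI within this simulation
        # Every identifier that would be observable on the radio path (constructed log).
        self.air_interface_log: List[Tuple[str, str]] = []

    def _allocate_tmsi(self, imsi: str) -> str:
        old = self.imsi_to_tmsi.get(imsi)
        if old is not None:
            del self.tmsi_to_imsi[old]
        while True:
            tmsi = secrets.token_hex(4)  # 32 random bits, as 8 hex digits
            if tmsi not in self._issued:
                break
        self._issued.add(tmsi)
        self.tmsi_to_imsi[tmsi] = imsi
        self.imsi_to_tmsi[imsi] = tmsi
        return tmsi

    def attach(self, imsi: str) -> str:
        """Initial attach: no temporary identity exists yet, so the real IMSI
        has to be sent. This is the one unavoidable exposure."""
        self.air_interface_log.append((IMSI_TAG, imsi))
        return self._allocate_tmsi(imsi)

    def location_update(self, tmsi: str) -> str:
        """Later signalling identifies the subscriber by TMSI only and hands
        back a fresh TMSI, so an observer cannot follow one value for long."""
        imsi = self.tmsi_to_imsi.get(tmsi)
        if imsi is None:
            # Real networks fall back to asking for the IMSI here; that fallback
            # is exactly why the register must keep its mapping reliable.
            raise KeyError("unknown TMSI: subscriber would have to re-identify")
        self.air_interface_log.append((TMSI_TAG, tmsi))
        return self._allocate_tmsi(imsi)


def imsi_exposures(log: List[Tuple[str, str]], imsi: str) -> int:
    """Count how often the permanent identity was visible on the air interface."""
    return sum(1 for tag, value in log if tag == IMSI_TAG and value == imsi)


def run_session(imsi: str, updates: int) -> Tuple[ToyVisitorRegister, List[str]]:
    """Attach once, then perform `updates` location updates; return the register
    and the sequence of TMSIs the handset used."""
    register = ToyVisitorRegister()
    tmsi = register.attach(imsi)
    used = [tmsi]
    for _ in range(updates):
        tmsi = register.location_update(tmsi)
        used.append(tmsi)
    return register, used


if __name__ == "__main__":
    sample_imsi = "262011234567890"  # constructed, not a real subscriber
    reg, tmsis = run_session(sample_imsi, 4)
    for tag, value in reg.air_interface_log:
        print(f"over the air: {tag}={value}")
    print("IMSI exposures:", imsi_exposures(reg.air_interface_log, sample_imsi))
```

Running it prints one IMSI line followed only by TMSI lines, each different from the last. The design lesson for a standard is in `location_update`: the privacy of the scheme rests on the network being able to resolve every TMSI it issued, because the fallback when it cannot is to ask for the permanent identifier again.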
TPM Objects & Key Hierarchy: Unlinking the Keys
(Diagram of the TPM key hierarchy)
• Persistently stored: Endorsement Key; Storage Root Key (owner attributes)
• Dynamically loaded: Migratable Storage Key, Migratable Protected Data, Migratable Signing Key, Non-Migratable Storage Key, Non-Migratable Signing Key, Non-Migratable Protected Data, Attestation ID Key
• No direct or cryptographic association between EK and AIK
SAML: pseudonymous IDs, varying levels of disclosure, encryption of confidential components
• Security Assertion Markup Language
– Authentication, single sign-on
• Privacy friendly features in v2.0
– Support for pseudonyms and pseudonymous identity management
– Metadata supports variable levels of disclosure of trust data
– Components or complete assertions may be encrypted
– Mechanisms permitting providers to communicate privacy policy
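The pseudonym support mentioned above rests on the SAML 2.0 persistent NameID format, which lets an identity provider give each service provider a different opaque identifier for the same user. The following is an added example, not code from the presentation or from any SAML library: a constructed identity provider derives a pairwise pseudonym per (service provider, user) with an HMAC over a secret only it holds, keeps the reverse mapping locally, and emits the `saml:NameID` element. The entity IDs, user name and secret are constructed sample values; a production deployment would also sign and, as the slide notes, may encrypt the assertion, which this example leaves out.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("saml", SAML_NS)


class PseudonymousIdP:
    """Constructed identity provider that issues pairwise pseudonyms.
    Two service providers receive unrelated identifiers for the same user,
    so they cannot link their records without the IdP's cooperation."""

    def __init__(self, entity_id: str, secret: bytes) -> None:
        self.entity_id = entity_id
        self._secret = secret  # never leaves the IdP
        # (sp_entity_id, pseudonym) -> internal user id; stays at the IdP only
        self._index: Dict[Tuple[str, str], str] = {}

    def pseudonym_for(self, user_id: str, sp_entity_id: str) -> str:
        """Stable for a given (user, SP) pair, unlinkable across SPs.
        The NUL separator keeps distinct (sp, user) pairs from colliding."""
        message = f"{sp_entity_id}\0{user_id}".encode("utf-8")
        mac = hmac.new(self._secret, message, hashlib.sha256).digest()
        pseudonym = base64.urlsafe_b64encode(mac[:24]).decode("ascii").rstrip("=")
        self._index[(sp_entity_id, pseudonym)] = user_id
        return pseudonym

    def resolve(self, sp_entity_id: str, pseudonym: str) -> Optional[str]:
        """Only the IdP can map a pseudonym back, and only in the SP's own scope."""
        return self._index.get((sp_entity_id, pseudonym))

    def name_id_element(self, user_id: str, sp_entity_id: str) -> ET.Element:
        """Build the <saml:NameID> that would go into the assertion's Subject."""
        element = ET.Element(f"{{{SAML_NS}}}NameID", {
            "Format": PERSISTENT_FORMAT,
            "NameQualifier": self.entity_id,
            "SPNameQualifier": sp_entity_id,
        })
        element.text = self.pseudonym_for(user_id, sp_entity_id)
        return element


def name_id_xml(idp: PseudonymousIdP, user_id: str, sp_entity_id: str) -> str:
    """Serialize the NameID so the absence of the real user id can be checked."""
    return ET.tostring(idp.name_id_element(user_id, sp_entity_id), encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values.
    idp = PseudonymousIdP("https://idp.example", b"constructed-idp-secret-change-me")
    for sp in ("https://shop.example", "https://mail.example"):
        print(name_id_xml(idp, "alice", sp))
```

The two printed elements carry different identifier values for the same user, and neither contains the user name itself. Keeping the pseudonym derivation keyed (HMAC rather than a plain hash) matters: with an unkeyed hash a service provider that can guess candidate user names could recompute pseudonyms and undo the unlinkability.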
Minimal Disclosure Work: Pre-Standard
• Frequently, it is not important to identify an individual or device, but rather to verify the current status of the authorization
– E.g., ability to use some Internet services (13 or older), ability to access internal networks (authorized device in good standing), attestation request/reply
• Examples:
– Direct Anonymous Attestation protocol in TCG
– Property based attestation work (several institutions)
– Zero-sum & group signature authentication (Prime, PrimeLife)
Conclusions
Main points, future directions
Privacy as a Necessary Part of Security & Other Standards
• Always consider privacy requirements for security-related standards
• Use a variety of available technologies to ensure privacy
• Compensate for older standards lacking privacy protection
• Adopt a comprehensive approach matching today’s computing environment
• Use a combination of approaches to ensure the best coverage for privacy features
(Slide table: Issue vs. Level of Adoption, Common / New; issue listed: weak authentication & ID systems)
Questions?
Thank you!