Topics in Computer Security: Introduction: PETs and TETs
Simone Fischer-Hübner
Overview
I. Introduction to Privacy
II. Introduction to PETs
III. Transparency Enhancing Tools
IV. Anonymous Communication Technologies & TOR
V. Private Information Retrieval
I. Introduction to Privacy: Privacy Dimensions
Informational self-determination
Spatial privacy
Basic privacy principles (implemented in EU Directive 95/46/EC)
Legitimisation by law, informed consent (Art. 7 EU Directive)
Data minimisation and avoidance (Art. 6 I c, Art. 7)
Purpose specification and purpose binding (Art. 6 I b)
• ”Non-sensitive” data do not exist!
Example for Purpose Misuse
Lidl Video Monitoring Scandal
Basic privacy principles (II)
Transparency, rights of data subjects
Supervision (Art. 28) and Sanctions (Art.24)
Requirement of security mechanisms (Art.17)
EU Directive 2002/58/EC on privacy and electronic communications
Location data other than Traffic data (Art.9): May only be processed when made anonymous, or
with the informed consent of the user/subscriber
Where consent has been obtained, the user/subscriber must still have possibility of temporarily refusing the processing of location data
Privacy Challenges of Emerging Technologies...
Global networks, cookies, webbugs, spyware,...
LBS, Ambient Intelligence, RFID, Biometrics, ...
Privacy Risks of Social Networks - Facebook
Intimate personal details about social contacts, personal life, etc.
Not only accessible by ”friends”
The Internet never forgets completely....
Privacy Risks of Social Networks – Facebook (II)
Privacy Risks of Social Networks – Facebook Beacons
II. Introduction to PETs: Need for Privacy-Enhancing Technologies
Law alone is not sufficient for protecting privacy in our Network Society
PETs needed for implementing law
PETs for empowering users to exercise their rights
Classifications of PETs
1. PETs for minimizing/avoiding personal data (-> Art. 6 I c, e EU Directive 95/46/EC), providing Anonymity, Pseudonymity, Unobservability, Unlinkability
At communication level:
• Mix nets
• Onion Routing, TOR
• DC nets
• Crowds
At application level:
• Anonymous Ecash
• Private Information Retrieval
• Anonymous Credentials
2. PETs for the safeguarding of lawful processing (-> Art. 17 EU Directive 95/46/EC)
• P3P
• Privacy policy languages
• Transparency Enhancing Tools (TETs)
3. Combination of 1 & 2
• Privacy-enhanced Identity Management
III. Transparency Enhancing Tools: Directive 95/46/EC - Transparency
Art. 6: personal data must be processed fairly and lawfully
Recital No. 38: data subject must be given accurate and full information
Art. 10/11: Controller must provide information on
• the identity of the controller / representative
• the purposes of the processing
• any further information (recipients, whether replies are obligatory or voluntary, consequences of failure to reply, existence of the right of access / to rectify the data)
Art. 12 (a): Right of access (get information from controller about e.g. data processing, purpose, recipients, etc.)
Art. 12 (b): Right to rectification, blocking, deletion
Art. 14: ensure that data subjects are aware of the existence of the right to object, e.g. to data processing for direct marketing
Flash Eurobarometer 2003 Survey
37% of companies said they systematically provide data subjects with the identity of the data controller
46% said they always informed data subjects of the purpose for which the data would be used
42% of EU citizens are aware that those collecting personal information are obliged to provide individuals with certain information (such as at least their identity and the purpose of the data collection)
Transparency Enhancing Tools: Example: “Data Track” in PRIME
Transparency: ”Data Track” providing:
• User-side DB with user-friendly search function (incl. advanced search) for transaction records (incl. data, pseudonyms, credentials, timestamp, policy)
• Online functions for exercising rights
Online Functions for Exercising Rights
Problem: Users do not know their privacy rights and do not exercise them
Can Online Functions help to overcome this threshold and raise trust ?
Issues to be addressed at the user side:
• Authentication for digital identity – not straightforward if pseudonyms were used
• Access request should not reveal more than known by the service provider
Issues to be addressed by the service side:
• Service side automated response support needed
• Laws might need to be updated to allow online requests (e.g. in Sweden the PUL only provides the right to access data once a year)
• Service side transparency and accountability tools need to be privacy-enhanced
Example: E-Government Transparency Service: MyPage/MinSide
Provides full Transparency, but could also be used as a perfect profiling tool
Accountability vs. Privacy
For transparency of data use/accountability: ”Policy-aware” transaction logs needed, which however contain personal data about users and data subjects
Appropriate protection schemes for logs needed (access control, pseudonymisation, ...)
IV. Anonymous Communication Technologies: Definitions - Anonymity
Anonymity: The state of being not identifiable within a set of subjects (e.g. set of senders or recipients), the anonymity set
Source: Pfitzmann/Hansen
Definitions - Unobservability
Unobservability ensures that a user may use a resource or service without others being able to observe that the resource or service is being used
Source: Pfitzmann/Hansen
Definitions - Unlinkability
Unlinkability of two or more items (e.g., subjects, messages, events): Within the system, from the attacker’s perspective, these items are no more or less related after the attacker’s observation than they were before
Unlinkability of sender and recipient (relationship anonymity): It is untraceable who is communicating with whom
Definitions - Pseudonymity
Pseudonymity is the use of pseudonyms as IDs
Pseudonymity allows to provide both privacy protection and accountability
Types of pseudonyms, listed from highest to lowest linkability:
Person pseudonym
Role pseudonym
Relationship pseudonym
Role-relationship pseudonym
Transaction pseudonym
Source: Pfitzmann/Hansen
Definitions - Pseudonymity (cont.)
Source: Pfitzmann/Hansen
Mix-nets (Chaum, 1981)
Alice sends to Mix 1: EK1(A2, r1, EK2(A3, r2, EK3(Bob, r3, msg)))
Mix 1 forwards to Mix 2 (address A2): EK2(A3, r2, EK3(Bob, r3, msg))
Mix 2 forwards to Mix 3 (address A3): EK3(Bob, r3, msg)
Mix 3 delivers to Bob: msg
Ki: public key of Mixi, ri: random number, Ai: address of Mixi
Functionality of a Mix Server (Mixi)
Input message Mi -> Message DB of Mixi:
1. Discard repeated messages
2. Collect messages in batch or pool
3. Sufficient messages from many senders?
4. Change outlook *)
5. Reorder
-> Output message Mi+1 to Mixi+1
*) decrypts Mi = EKi[Ai+1, ri, Mi+1] with the private key of Mixi, ignores random number ri, obtains address Ai+1 and encrypted Mi+1
Why are random numbers needed?
If no random number ri is used, Mixi receives EKi(M, Ai+1) and outputs M towards Address(Mixi+1) = Ai+1.
An observer who sees the output M and the next-hop address Ai+1, and who knows the public key Ki, can compute EKi(M, Ai+1) himself and compare the result with the inputs of the mix: the matching input and output are linked, so the mix provides no unlinkability. With a fresh random ri inside each layer, the observer cannot recompute the input without guessing ri.
Sender Anonymity with Mix-nets
Sender (Alice) chooses Mix-Sequence Mix1, ….., Mixn, Mixn+1
Mixn+1 = recipient
Ai (i =1..n+1): address of Mixi
Ki (i=1..n+1): public key of Mixi
zi: random bit strings
M: message for recipient
Mi: message that Mixi will receive
Sender prepares her message:
Mn+1 = EKn+1 (M)
Mi = EKi (zi, Ai+1, Mi+1) for i=1…n
and sends M1 to Mix1
Sender Anonymity with Mix-nets (cont.)
Sender (Alice) sends M1 = EK1(z1, A2, M2) to Mix1; the innermost layer Mn+1 = EKn+1(M) reaches the Recipient (Bob).
Each Mixi decrypts EKi(zi, Ai+1, Mi+1) and obtains:
Ai+1: address of next Mix
Mi+1: EKi+1(zi+1, Ai+2, Mi+2), encoded message for Mixi+1
zi: random string, to be discarded
and forwards Mi+1 to Mixi+1
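The layered construction (Mn+1 = EKn+1(M), Mi = EKi(zi, Ai+1, Mi+1)), the "change outlook" step of a mix, and the linking attack that the random strings zi prevent, as an added Python example; this is not code from the original slides. Assumptions of this example: the public-key encryption EKi is replaced by a deterministic keyed XOR stream (a toy that, like textbook RSA, yields the same ciphertext for the same input; unlike RSA the same key serves both directions, and the observer in link_inputs_to_outputs is only given the encryption direction it would have with a real public key), addresses are fixed 8-byte fields, and the names Mix, build_onion, link_inputs_to_outputs and demo are chosen here.

```python
import hashlib
import secrets

ADDR_LEN = 8    # fixed-width address field A_i (encoding chosen for this example)
RAND_LEN = 16   # length of the random string z_i (r_i in the diagram)


def _keystream(key: bytes, n: int) -> bytes:
    """Deterministic keystream derived from a key; it adds no randomness of its own."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def pk_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for E_Ki: deterministic like textbook RSA (same input, same output).
    Toy: the same key is used for encryption and decryption (see lead-in)."""
    return bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))


def pk_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return pk_encrypt(key, ciphertext)  # the XOR stream is its own inverse


class Mix:
    def __init__(self, name: bytes):
        self.addr = name.ljust(ADDR_LEN, b"\0")   # A_i
        self.key = secrets.token_bytes(32)        # stands for the key pair of Mix_i

    def process(self, m_i: bytes):
        """'Change outlook': decrypt M_i = E_Ki(z_i, A_{i+1}, M_{i+1}), discard z_i,
        return the next-hop address and the message to forward."""
        plain = pk_decrypt(self.key, m_i)
        a_next = plain[RAND_LEN:RAND_LEN + ADDR_LEN]
        m_next = plain[RAND_LEN + ADDR_LEN:]
        return a_next, m_next


def build_onion(route, recipient, message: bytes, randomize: bool = True) -> bytes:
    """Sender side: M_{n+1} = E_{K_{n+1}}(M); M_i = E_Ki(z_i, A_{i+1}, M_{i+1}) for i = n..1.
    randomize=False replaces z_i by a fixed all-zero string (the 'no random number' case)."""
    hops = list(route) + [recipient]
    m = pk_encrypt(recipient.key, message)                # M_{n+1}
    for i in range(len(route) - 1, -1, -1):
        z = secrets.token_bytes(RAND_LEN) if randomize else bytes(RAND_LEN)
        m = pk_encrypt(hops[i].key, z + hops[i + 1].addr + m)
    return m                                              # M_1, sent to Mix_1


def link_inputs_to_outputs(mix: Mix, inputs, outputs) -> dict:
    """Passive observer of one mix who knows its (public) key and sees the batch of
    inputs and of outputs (A_{i+1}, M_{i+1}): re-encrypts every output with the
    all-zero z_i and looks for the result among the inputs."""
    linked = {}
    for a_next, m_next in outputs:
        guess = pk_encrypt(mix.key, bytes(RAND_LEN) + a_next + m_next)
        if guess in inputs:
            linked[m_next] = guess
    return linked


def demo(randomize: bool):
    """Three senders share a batch through Mix1..Mix3; the observer watches Mix1.
    Returns the messages Bob received and how many input/output pairs were linked."""
    mixes = [Mix(b"mix1"), Mix(b"mix2"), Mix(b"mix3")]
    bob = Mix(b"bob")                                     # Mix_{n+1} = recipient
    messages = [b"hello from alice", b"hello from carol", b"hello from dave"]
    inputs, outputs, delivered = [], [], []
    for msg in messages:
        m = build_onion(mixes, bob, msg, randomize)
        a_next, m_next = mixes[0].process(m)
        inputs.append(m)
        outputs.append((a_next, m_next))
        for mix in mixes[1:]:
            a_next, m_next = mix.process(m_next)
        assert a_next == bob.addr
        delivered.append(pk_decrypt(bob.key, m_next))
    return delivered, len(link_inputs_to_outputs(mixes[0], inputs, outputs))
```

With randomize=False every input of Mix1 is linked to its output, because the observer can rebuild the input from what leaves the mix; with fresh z_i nothing matches, which is the whole reason the slides put a random string into every layer.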
Recipient Anonymity with Mix-nets
Recipient Bob chooses Mix-Sequence Mix1, ….., Mixm and creates anonymous return address RA:
Rm+1 = e
Rj = Ekj(cj, Aj+1, Rj+1) for j=1..m
RA = (c0, A1, R1)
e: label of return address
cj: symmetric key, used by Mixj to encode message on the return path
Aj (j=1..m): address of Mixj
kj (j=1..m): public key of Mixj
zj: random bit strings
Recipient Bob sends RA anonymously to Sender Alice (as a sender-anonymous message through the Mixes): Ekm(zm, Am-1, Ekm-1(…EK1(z1, A0, RA)…))
Recipient anonymity with Mix-nets (cont.)
Sender Alice replies by sending c0(M), R1 to Mix1
Each Mixj receives: cj-1(…c0(M)…), Rj
decrypts: Rj = Ekj(cj, Aj+1, Rj+1) -> (cj, Aj+1, Rj+1),
forwards: cj(cj-1(…c0(M)…)), Rj+1 to Mixj+1
Bob receives: cm(cm-1(…c0(M)…)), e
Label e indicates to Bob which c0,..,cm he has to use to decrypt M
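The untraceable return address (Rm+1 = e, Rj = Ekj(cj, Aj+1, Rj+1), RA = (c0, A1, R1)) and the reply path on which each Mixj adds its cj layer, as an added Python example that is not part of the original slides. Assumptions: Ekj and the symmetric cj(.) are both represented by a toy XOR stream cipher (self-inverse, so "decrypt" is the same call as "encrypt"); Am+1 is taken to be Bob's own address; field widths and the names Mix, Recipient, send_reply and demo are chosen here.

```python
import hashlib
import secrets

ADDR_LEN, KEY_LEN, LABEL_LEN = 8, 16, 8   # field widths chosen for this example


def _keystream(key: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))[:n]


def xcrypt(key: bytes, data: bytes) -> bytes:
    """Toy XOR cipher (its own inverse): stands in for E_kj / decryption with the mix's
    key pair and for the symmetric c_j(.) encoding on the return path."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class Mix:
    def __init__(self, name: bytes):
        self.addr = name.ljust(ADDR_LEN, b"\0")   # A_j
        self.key = secrets.token_bytes(32)        # stands for the key pair k_j

    def process_reply(self, payload: bytes, r_j: bytes):
        """Decrypt R_j = E_kj(c_j, A_{j+1}, R_{j+1}); return A_{j+1}, c_j(payload), R_{j+1}."""
        plain = xcrypt(self.key, r_j)
        c_j = plain[:KEY_LEN]
        a_next = plain[KEY_LEN:KEY_LEN + ADDR_LEN]
        r_next = plain[KEY_LEN + ADDR_LEN:]
        return a_next, xcrypt(c_j, payload), r_next


class Recipient:
    """Bob: builds return addresses and keeps the keys c_0..c_m under label e."""

    def __init__(self, name: bytes):
        self.addr = name.ljust(ADDR_LEN, b"\0")
        self.labels = {}

    def make_return_address(self, route):
        m = len(route)
        keys = [secrets.token_bytes(KEY_LEN) for _ in range(m + 1)]   # c_0 .. c_m
        label = secrets.token_bytes(LABEL_LEN)                         # e
        self.labels[label] = keys
        next_addr = [mix.addr for mix in route[1:]] + [self.addr]      # A_2 .. A_{m+1}
        r = label                                                      # R_{m+1} = e
        for j in range(m - 1, -1, -1):                                 # route[j] is Mix_{j+1}
            # R_j = E_kj(c_j, A_{j+1}, R_{j+1}) in the slide's 1-based indices
            r = xcrypt(route[j].key, keys[j + 1] + next_addr[j] + r)
        return keys[0], route[0].addr, r                               # RA = (c_0, A_1, R_1)

    def open_reply(self, payload: bytes, label: bytes) -> bytes:
        """Remove c_m first and c_0 last; the label e selects the key set."""
        for c in reversed(self.labels[label]):
            payload = xcrypt(c, payload)
        return payload


def send_reply(message: bytes, ra, mixes_by_addr: dict):
    """Alice sends c_0(M), R_1 to A_1; each mix transforms and forwards; returns what
    arrives at the final address: (A_{m+1}, c_m(...c_0(M)...), e)."""
    c_0, addr, r = ra
    payload = xcrypt(c_0, message)
    while addr in mixes_by_addr:
        addr, payload, r = mixes_by_addr[addr].process_reply(payload, r)
    return addr, payload, r


def demo() -> bytes:
    mixes = [Mix(b"mix1"), Mix(b"mix2"), Mix(b"mix3")]
    bob = Recipient(b"bob")
    ra = bob.make_return_address(mixes)          # Bob would send this to Alice anonymously
    addr, payload, label = send_reply(b"reply from alice", ra, {mx.addr: mx for mx in mixes})
    assert addr == bob.addr
    return bob.open_reply(payload, label)
```

Alice only ever holds (c0, A1, R1): she learns neither Bob's address nor the keys c1..cm, and each mix learns only its own cj and the next hop.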
Two-Way Anonymous Conversation
Existing Mix-based systems for HTTP (real-time)
Simple Proxies: Anonymizer.com, ProxyMate.com
Mix-based Systems considering traffic analysis: Onion Routing (Naval Research Laboratory), TOR (Free Haven project), JAP (TU Dresden, ”Mix Cascade”)
Onion Routing
Onion = Object with layers of public key encryption to produce an anonymous bi-directional virtual circuit between communication partners and to distribute symmetric keys
Initiator's proxy constructs a “forward onion” which encapsulates a route to the responder
(Faster) symmetric encryption for data communication via the circuit
Forward Onion for route W-X-Y-Z:
Each node N receives (PKN = public key of node N):
{exp-time, next-hop, Ff, Kf, Fb, Kb, payload} PKN
exp-time: expiration time
next-hop: next routing node
(Ff, Kf): function / key pair for symmetric encryption of data moving forward in the virtual circuit
(Fb, Kb): function / key pair for symmetric encryption of data moving backwards in the virtual circuit
payload: another onion (or null for the responder's proxy)
The onion W builds is nested as follows (innermost layer last):
{exp-timex, Y, Ffx, Kfx, Fbx, Kbx, {exp-timey, Z, Ffy, Kfy, Fby, Kby, {exp-timez, NULL, Ffz, Kfz, Fbz, Kbz, PADDING} PKZ } PKY } PKX
Onion Routing - Building up virtual circuit
Create command accompanied by Onion: If a node receives an onion, it peels off one layer, keeps the forward/backward encryption keys, chooses a virtual circuit (vc) identifier and sends create command + vc identifier + (rest of) onion to the next hop.
It stores the vc identifier it receives and the one that it sent out as a pair.
Until the circuit is destroyed: whenever it receives data on one connection, it sends it off to the other
Forward encryption is applied to data moving in the forward direction, backward encryption is applied in the backward direction
Example: Virtual Circuit with Onion Routing
Send data by the use of the send command: Data sent by the initiator is ”pre-encrypted” repeatedly by his proxy (one layer per node, the innermost layer for the last node). If W receives data sent back by the last node Z, it applies the inverse of the backward cryptographic operations (outermost first).
Onion Routing - Review
Functionality:
• Hiding of routing information in connection oriented communication relations
• Nested public key encryption for building up the virtual circuit
• Expiration_time field reduces costs of replay detection
• Dummy traffic between Mixes (Onion Routers)
Limitations:
• First/Last-Hop Attacks by timing correlations
• Message length (No. of cells sent over circuit)
TOR (2nd Generation Onion Router)
First Step: TOR client obtains a list of TOR nodes from a directory server
Directory servers maintain a list of which onion routers are up, their locations, current keys, exit policies, etc.
TOR circuit setup:
• Client proxy establishes key + circuit with Onion Router 1
• Proxy tunnels through that circuit to extend to Onion Router 2
• Etc.
• Client applications connect and communicate over the TOR circuit
TOR: Building up a two-hop circuit and fetching a web page
Alice --(link is TLS-encrypted)-- OR 1 --(link is TLS-encrypted)-- OR 2 --(unencrypted)-- Web site
Alice -> OR1: Create c1, E(g^x1)
OR1 -> Alice: Created c1, g^y1, H(K1)
Alice -> OR1: Relay c1 {Extend, OR2, E(g^x2)}
OR1 -> OR2: Create c2, E(g^x2)
OR2 -> OR1: Created c2, g^y2, H(K2)
OR1 -> Alice: Relay c1 {Extended, g^y2, H(K2)}
Alice -> OR1: Relay c1 {{Begin <website>:80}}
OR1 -> OR2: Relay c2 {Begin <website>:80}
OR2 <-> Web site: (TCP handshake)
OR2 -> OR1: Relay c2 {Connected}
OR1 -> Alice: Relay c1 {{Connected}}
Alice -> OR1: Relay c1 {{Data, HTTP Get...}}
OR1 -> OR2: Relay c2 {Data, HTTP Get...}
OR2 -> Web site: HTTP Get...
Web site -> OR2: (response)
OR2 -> OR1: Relay c2 {Data, (response)}
OR1 -> Alice: Relay c1 {{Data, (response)}}
Legend: E(x): RSA encryption; {X}: AES encryption; cN: a circuit ID
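The message sequence of the figure (Create/Created, Extend/Extended tunnelled through the first hop, then Begin/Connected/Data carried inside two layers), as an added Python simulation that is not part of the original slides or of the Tor code base. Assumptions: the Diffie-Hellman group is the toy q = 2^31-1 with primitive root 7 (Tor uses a far larger group), the RSA wrapping E(g^x) of the DH half is omitted, the {X} AES layer is a self-inverse keyed XOR stream, a "RELAY" marker after decryption stands in for Tor's recognized/digest check, TLS on the links is not modelled, and the names OnionRouter, Client, fetch_page, DIRECTORY and WEBSITES are chosen here.

```python
import hashlib
import secrets

Q, G = 2**31 - 1, 7   # toy DH group: Mersenne prime with primitive root 7; Tor uses a far larger group
SEP = b"\x1f"         # field separator inside relay-cell payloads (encoding chosen here)
DIRECTORY = {}        # OR name -> OnionRouter (the directory server's job in this simulation)
WEBSITES = {}         # "host:port" -> handler, the unencrypted link behind the exit


def hk(K: int) -> bytes:           # H(K): hash of the DH secret, also used as the cell key
    return hashlib.sha256(K.to_bytes(8, "big")).digest()


def layer(key: bytes, data: bytes) -> bytes:   # stand-in for the {X} AES layer (self-inverse XOR)
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def cell(*fields: bytes) -> bytes:
    return SEP.join(fields)


class OnionRouter:
    def __init__(self, name: str):
        self.name, self.circuits, self.forwarded = name, {}, []
        DIRECTORY[name] = self

    def create(self, circ_id: int, g_x: int):
        """'Create c, g^x' -> 'Created c, g^y, H(K)' (the RSA wrapping E(g^x) is omitted here)."""
        y = secrets.randbelow(Q - 2) + 1
        K = pow(g_x, y, Q)
        self.circuits[circ_id] = {"key": hk(K), "next": None, "conn": None}
        return pow(G, y, Q), hk(K)

    def relay(self, circ_id: int, payload: bytes) -> bytes:
        """Strip one layer; act on a recognized cell, else pass it on; add the layer back on the reply."""
        circ = self.circuits[circ_id]
        inner = layer(circ["key"], payload)
        f = inner.split(SEP)
        if f[0] != b"RELAY":                      # still encrypted for a later hop (Tor: digest check fails)
            self.forwarded.append(inner)
            nxt, nxt_id = circ["next"]
            return layer(circ["key"], nxt.relay(nxt_id, inner))
        if f[1] == b"Extend":                     # Extend, OR2, g^x2: open the next link ourselves
            target, nxt_id = DIRECTORY[f[2].decode()], secrets.randbelow(2**16)
            g_y2, h2 = target.create(nxt_id, int(f[3]))
            circ["next"] = (target, nxt_id)
            reply = cell(b"RELAY", b"Extended", str(g_y2).encode(), h2.hex().encode())
        elif f[1] == b"Begin":                    # Begin <website>:80: we are the exit
            circ["conn"] = WEBSITES[f[2].decode()]   # lookup stands for the TCP handshake
            reply = cell(b"RELAY", b"Connected")
        elif f[1] == b"Data":
            reply = cell(b"RELAY", b"Data", circ["conn"](f[2]))
        else:
            raise ValueError(f[1])
        return layer(circ["key"], reply)


class Client:
    def __init__(self):
        self.keys, self.entry, self.circ_id = [], None, None

    def build_circuit(self, or1: OnionRouter, or2: OnionRouter):
        x1, x2 = secrets.randbelow(Q - 2) + 1, secrets.randbelow(Q - 2) + 1
        self.entry, self.circ_id = or1, secrets.randbelow(2**16)
        g_y1, h1 = or1.create(self.circ_id, pow(G, x1, Q))         # Create c1 / Created c1
        K1 = pow(g_y1, x1, Q)
        if hk(K1) != h1:
            raise ValueError("H(K1) mismatch")
        self.keys.append(hk(K1))
        f = self.send(cell(b"RELAY", b"Extend", or2.name.encode(), str(pow(G, x2, Q)).encode()))
        K2 = pow(int(f[2]), x2, Q)                                  # only Alice and OR2 know K2
        if hk(K2) != bytes.fromhex(f[3].decode()):
            raise ValueError("H(K2) mismatch")
        self.keys.append(hk(K2))

    def send(self, plain: bytes) -> list:
        """Pre-encrypt with the last hop's key first so OR1's layer is outermost; unwrap replies in reverse."""
        c = plain
        for k in reversed(self.keys):
            c = layer(k, c)
        r = self.entry.relay(self.circ_id, c)
        for k in self.keys:
            r = layer(k, r)
        return r.split(SEP)


def fetch_page():
    """Two-hop circuit Alice -> OR1 -> OR2 -> website, as in the figure."""
    or1, or2 = OnionRouter("OR1"), OnionRouter("OR2")
    WEBSITES["website:80"] = lambda req: b"HTTP/1.0 200 OK\r\n\r\nhello " + req.split()[1]
    alice = Client()
    alice.build_circuit(or1, or2)
    assert alice.send(cell(b"RELAY", b"Begin", b"website:80"))[1] == b"Connected"
    return alice.send(cell(b"RELAY", b"Data", b"GET /index.html HTTP/1.0"))[2], or1, or2
```

OR1 negotiates K1 with Alice but only relays the Extend exchange for K2, so the Begin and Data cells it forwards are still wrapped in OR2's layer and unreadable to it; OR2 sees the request but not who Alice is.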
TOR - Review
Some improvements in comparison with Onion Routing:
• Perfect forward secrecy
• Resistant to replay attacks
• Many TCP streams can share one circuit
• Separation of ”protocol cleaning” from anonymity: standard SOCKS proxy interface (instead of having a separate application proxy for each application); content filtering via Privoxy
• Directory servers
• Variable exit policies
• End-to-end integrity checking
• Hidden services
Still vulnerable to end-to-end timing and size correlations
Private Information Retrieval (PIR)
Privacy for the item of interest: allows a user to retrieve an item from a database/news server without revealing which item he is interested in
Application example: patent database
Simple (but expensive) solution: download all database entries and make the selection locally
Enhanced PIR solution – Cooper/Birman 1995
t+1 servers with identical databases (composed of m cells each) are queried
To each database an m-bit vector is sent, where each bit represents a cell in the database. If the bit is 1, the corresponding cell is selected, otherwise not.
If the pth cell should be read, the t+1 query vectors are created according to the following scheme:
• t query vectors are random bit vectors of length m
• Create the t+1st vector by exclusive-oring the t random bit vectors and then flipping the pth bit (in order to read cell p)
This will create a set of t+1 bit-vectors that, when exclusive-ored together, will yield the bit-vector Ip:
Ip[j] = 1 if j = p, 0 if j <> p
i.e. Ip = 0 0 ... 0 1 0 ... 0 with the single 1 at position p
PIR – Example of Sample Bit-Vectors for t=3, p=1
[Figure: cells 0 .. m-1; three random query vectors V1, V2, V3; V4 = V1 XOR V2 XOR V3 with bit p=1 flipped; V1 XOR V2 XOR V3 XOR V4 = Ip = 0 1 0 0 0 0 0 ........ 0]
PIR - Bit-Vector Protocol
Parties: Client, Server 1, Server 2, ..., Server t+1
Step 1. Client chooses V1, V2, ..., Vt+1 such that Ip = V1 XOR V2 XOR V3 XOR ... XOR Vt+1
Step 2. Client sends Vk to Server k (k = 1..t+1); Server k replies rk = XOR over all i with Vk[i] = 1 of M[i] (the exclusive-or of the cells selected by Vk)
Step 3. Client computes answer = r1 XOR r2 XOR ... XOR rt+1 (= M[p])
Communication of bit vectors and responses must be encrypted
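The three steps of the bit-vector protocol (vector construction, per-server XOR of the selected cells, combination of the replies), as an added Python example that is not part of the original slides. Assumptions: cells are equal-length byte strings, the t+1 replicas are plain Python lists, the 8-cell database is constructed here, and the names make_query_vectors, server_answer, pir_read, coalition_view and demo are chosen here.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_vectors(vectors: list) -> list:
    acc = [0] * len(vectors[0])
    for v in vectors:
        acc = [x ^ y for x, y in zip(acc, v)]
    return acc


def make_query_vectors(m: int, p: int, t: int) -> list:
    """Step 1: t uniformly random m-bit vectors, plus V_{t+1} = (V_1 ^ ... ^ V_t) with bit p
    flipped, so that V_1 ^ ... ^ V_{t+1} = I_p."""
    randoms = [[secrets.randbits(1) for _ in range(m)] for _ in range(t)]
    last = xor_vectors(randoms)
    last[p] ^= 1
    return randoms + [last]


def server_answer(db: list, vector: list) -> bytes:
    """Step 2, server side: r_k = XOR of every cell M[i] with V_k[i] = 1. The server sees only V_k."""
    acc = bytes(len(db[0]))
    for cell_bytes, bit in zip(db, vector):
        if bit:
            acc = xor_bytes(acc, cell_bytes)
    return acc


def pir_read(replicas: list, p: int) -> tuple:
    """Client side over t+1 identical replicas; returns (M[p], the query vectors used)."""
    t, m = len(replicas) - 1, len(replicas[0])
    vectors = make_query_vectors(m, p, t)
    answers = [server_answer(db, v) for db, v in zip(replicas, vectors)]   # one vector per server
    result = bytes(len(replicas[0][0]))
    for r in answers:                                                       # Step 3: r_1 ^ ... ^ r_{t+1}
        result = xor_bytes(result, r)
    return result, vectors


def coalition_view(vectors: list) -> list:
    """What colluding servers learn: the XOR of the vectors they hold. With all t+1 this is I_p;
    with t or fewer it is a uniformly random vector that carries no information about p."""
    return xor_vectors(vectors)


def demo(p: int = 5) -> tuple:
    db = [b"cell%02d" % i for i in range(8)]          # constructed sample: 8 equal-length cells
    replicas = [list(db) for _ in range(4)]           # t + 1 = 4 servers, so t = 3
    result, vectors = pir_read(replicas, p)
    return result, coalition_view(vectors), coalition_view(vectors[:3])
```

Correctness follows from linearity: every cell i enters the combined answer once per server whose vector selects it, so it contributes (V1[i] XOR ... XOR Vt+1[i]) · M[i] = Ip[i] · M[i], and only M[p] survives.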
PIR - Review
Protection goal: Unlinkability of a user and an item of interest
Security: If each of the bits in the t random bit vectors is set to 1 with probability ½, then an attacker who has access to at most t of the requests/responses associated with the bit-vectors will gain no information about which cell the client is reading
Updates are complex: changes/adding new messages must take place simultaneously on all servers
Repetition
Repetition: Diffie-Hellman Key Exchange
Global Public Elements:
q: prime number
α: α < q and α is a primitive root of q
[If α is a primitive root of prime number p, then the numbers α mod p, α^2 mod p, …, α^(p-1) mod p are distinct and are a permutation of {1..p-1}.
For any integer b < p and primitive root α of prime number p, one can find a unique exponent i (discrete logarithm), such that b = α^i mod p, 0 ≤ i ≤ (p-1).
For large primes, calculating discrete logarithms is considered practically infeasible.]
Diffie-Hellman Key Exchange
q: prime number, α: primitive root of q
Alice chooses a secret XA and sends YA = α^XA mod q; Bob chooses a secret XB and sends YB = α^XB mod q
K = YB^XA mod q = YA^XB mod q = α^(XA XB) mod q
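The primitive-root property, the permutation and discrete-logarithm statements in brackets, and the key agreement K = α^(XA XB) mod q, as an added Python example that is not part of the original slides. Assumptions: moduli are small enough for trial-division factoring and brute-force logarithms (the test values q = 23, α = 5 and q = 2^31-1, α = 7 are chosen here; 7 is a primitive root of 2^31-1), and the function names are chosen here.

```python
import secrets


def prime_factors(n: int) -> list:
    """Distinct prime factors by trial division (fine for the small moduli used here)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_primitive_root(a: int, q: int) -> bool:
    """a is a primitive root of prime q iff a^((q-1)/f) != 1 mod q for every prime f dividing q-1."""
    return all(pow(a, (q - 1) // f, q) != 1 for f in prime_factors(q - 1))


def powers_form_permutation(a: int, q: int) -> bool:
    """a mod q, a^2 mod q, ..., a^(q-1) mod q are distinct and cover {1..q-1} (small q only)."""
    return {pow(a, i, q) for i in range(1, q)} == set(range(1, q))


def discrete_log(b: int, a: int, q: int) -> int:
    """Brute-force i with a^i = b mod q: feasible for toy q, infeasible for large q."""
    for i in range(q - 1):
        if pow(a, i, q) == b:
            return i
    raise ValueError("no logarithm")


def diffie_hellman(q: int, a: int) -> tuple:
    """Alice and Bob each pick a secret exponent, exchange a^X mod q in the clear and derive the same K."""
    x_a, x_b = secrets.randbelow(q - 2) + 1, secrets.randbelow(q - 2) + 1
    y_a, y_b = pow(a, x_a, q), pow(a, x_b, q)           # values an eavesdropper sees
    k_alice, k_bob = pow(y_b, x_a, q), pow(y_a, x_b, q)
    return k_alice, k_bob, pow(a, x_a * x_b, q)          # K = a^(XA*XB) mod q
```

The eavesdropper holds q, α, YA and YB; recovering K requires the discrete logarithm of YA or YB, which discrete_log only manages because the moduli here are tiny.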
Some Literature
Andreas Pfitzmann et al., ”Communication Privacy”, in: Acquisti et al. (Eds.), Digital Privacy – Theory, Technologies, and Practices, Auerbach Publications, 2008
TOR: Anonymity Online, http://www.torproject.org/
Roger Dingledine, Nick Mathewson, Paul Syverson, ”TOR: The Second-Generation Onion Router”, Proceedings of the 13th USENIX Security Symposium, August 2004, http://www.torproject.org/svn/trunk/doc/design-paper/tor-design.pdf
David Cooper, Kenneth Birman, ”Preserving Privacy in a Network of Mobile Computers”, Proceedings of the 1995 IEEE Symposium on Security and Privacy, Oakland, May 1995.