View
296
Download
0
Tags:
Embed Size (px)
DESCRIPTION
VERDIKT conference 2012.
Citation preview
Privacy-preserving seamless digitalinfrastructures– why, what, how and when
Kristian Gjøsteen
Department of Mathematical Sciences
VERDIKT conference, April 26, 2012
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
2
Contents
Why?
What?
How?
When?
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
3
Privacy-Preserving Seamless DigitalInfrastructures
Funded by VERDIKT from 2008 to 2011.
One PhD student and one post.doc.
Department of Mathematical Sciences and Department ofTelematics at NTNU.
The cryptography group at Aarhus University, Denmark.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
4
Recent Privacy Compromises— One specific person’s tax return was shown to many.
— Tracking users of a GSM network.— Eavesdropping on a GSM network.— HP stole the phone records of HP board members and
journalists.— Bank employees used celebrity bank account transcripts as
entertainment.— For years, bank employees sold celebrity account transcripts
to the Norwegian gossip magazine Se og Hør.— Deutsche Telecom used their mobile phone network to track
journalists’ movements.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
4
Recent Privacy Compromises— One specific person’s tax return was shown to many.— Tracking users of a GSM network.
— Eavesdropping on a GSM network.— HP stole the phone records of HP board members and
journalists.— Bank employees used celebrity bank account transcripts as
entertainment.— For years, bank employees sold celebrity account transcripts
to the Norwegian gossip magazine Se og Hør.— Deutsche Telecom used their mobile phone network to track
journalists’ movements.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
4
Recent Privacy Compromises— One specific person’s tax return was shown to many.— Tracking users of a GSM network.— Eavesdropping on a GSM network.
— HP stole the phone records of HP board members andjournalists.
— Bank employees used celebrity bank account transcripts asentertainment.
— For years, bank employees sold celebrity account transcriptsto the Norwegian gossip magazine Se og Hør.
— Deutsche Telecom used their mobile phone network to trackjournalists’ movements.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
4
Recent Privacy Compromises— One specific person’s tax return was shown to many.— Tracking users of a GSM network.— Eavesdropping on a GSM network.— HP stole the phone records of HP board members and
journalists.
— Bank employees used celebrity bank account transcripts asentertainment.
— For years, bank employees sold celebrity account transcriptsto the Norwegian gossip magazine Se og Hør.
— Deutsche Telecom used their mobile phone network to trackjournalists’ movements.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
4
Recent Privacy Compromises— One specific person’s tax return was shown to many.— Tracking users of a GSM network.— Eavesdropping on a GSM network.— HP stole the phone records of HP board members and
journalists.— Bank employees used celebrity bank account transcripts as
entertainment.
— For years, bank employees sold celebrity account transcriptsto the Norwegian gossip magazine Se og Hør.
— Deutsche Telecom used their mobile phone network to trackjournalists’ movements.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
4
Recent Privacy Compromises— One specific person’s tax return was shown to many.— Tracking users of a GSM network.— Eavesdropping on a GSM network.— HP stole the phone records of HP board members and
journalists.— Bank employees used celebrity bank account transcripts as
entertainment.— For years, bank employees sold celebrity account transcripts
to the Norwegian gossip magazine Se og Hør.
— Deutsche Telecom used their mobile phone network to trackjournalists’ movements.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
4
Recent Privacy Compromises— One specific person’s tax return was shown to many.— Tracking users of a GSM network.— Eavesdropping on a GSM network.— HP stole the phone records of HP board members and
journalists.— Bank employees used celebrity bank account transcripts as
entertainment.— For years, bank employees sold celebrity account transcripts
to the Norwegian gossip magazine Se og Hør.— Deutsche Telecom used their mobile phone network to track
journalists’ movements.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
5
A Solution?Often, the problem is insecurely stored data. The obvious solutionis to stop storing the data.
Unfortunately, the EU data retention directive says that if the data isgenerated, it must be stored. Storing data securely is expensive.
It would anyway not prevent Deutsche Telecom from attacking theirusers.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
6
SeamlessPeople want privacy.
People are not prepared to pay for privacy.
— How much privacy is achievable without increasing user-visiblecomplexity?
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
7
Preserving PrivacyPrivacy for mobile communication is:— Nobody knows what I am saying.— Nobody knows who I am talking to.— Nobody knows where I am.
Today’s systems efficiently provide little or no privacy.
There are cryptographic schemes that provide almost perfectprivacy, but they are expensive and complicated.
— We need a trade-off.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
8
Fundamental IdeaA fundamental idea in cryptographic research is to distributecomputation and knowledge among several parties.
Done correctly we can tolerate if some – but not all – parties aremalicious.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
9
Anonymous Key AgreementAnonymous key agreement may be a solution.
We have: One or more networks of radio towers, willing to talk tophones near them.
Idea: Every time a user moves, he anonymously agrees on a keywith a new radio tower. Once the key is established, it can be usedfor secure communication.
Note: If the user is communicating while moving, traffic analysisalone will usually allow an attacker to trace the user.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
10
Anonymous Key Agreement ISignatures, group signatures and Diffie-Hellman.
User Networkgx
gy , sign(. . . )
groupsign(. . . )
But: § Group signatures are expensive. § Anyone with a radio canforce the network to do a lot of work. § Where do we send the billfor data usage?
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
11
Today’s Mobile CommunicationsWe have three separate mobile networks in Norway.
We have ∞ virtual operators and resellers.
We can reuse the business model! The GSM networks no longersell network access directly. Instead, they sell capacity to virtualoperators (service providers in our terminology).
— The network provides connectivity.— The service provider sends the bill.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
12
Anonymous Key Agreement IIPublic key encryption.
User Network S. Prov.S, c = {U,n1}ekS c
k , c′ = {N,n1,n2, k}kUSc′
{k ′,n2, . . . }k n2
ok
But: § A malicious service provider can do anything at the time ofkey agreement. § Anyone with a radio can force a service providerto do a lot of work.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
13
Anonymous Key Agreement IIIPublic key encryption and Diffie-Hellman.
User Network S. Prov.S,gx , c = {U,n1}ekS c
k , c′ = {N,n1,n2, k}kUSc′,gy
{n2, . . . }k n2
ok
But: § A malicious service provider can do anything at the time ofkey agreement. § Anyone with a radio can force a service providerto do a lot of work.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
14
Anonymous Key Agreement IVPublic key encryption, Diffie-Hellman and a signature.
User Network S. Prov.S,gx , c = {U,n1}ekS c
k , c′ = {N,n1,n2, k}kUSc′,gy
{n2, . . . }k n2
ok{. . . }skN
But: § Anyone with a radio can force a service provider to do a lotof work.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
15
Anonymous Key Agreement VIdentity tokens, Diffie-Hellman and a signature.
User Network S. Prov.S,T = {U}kS ,g
x T ,n1
c = {T ,N,n1,n2}kUSc
n1
gy , {. . . }skN
{n2, . . . }gxy n2
ok
But: § Identity tokens allow a tracing DoS-attack.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
16
Anonymous Key Agreement VIIdentity tokens.
User Network S. Prov.S,T = {U}kS T ,n1
k , c = {T ,N,n1,n2, k}kUSc
{k ′,n1,n2}k n2
ok
But: § A malicious service provider can do anything at the time ofkey agreement. § Identity tokens allow a tracing DoS-attack.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
17
Anonymous So What?Different key agreement protocols have different securityproperties. What happens when you build upon this base?
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
18
Tomorrow’s NFC Payment SystemsPrivacy for electronic payment is:— Nobody knows where I am spending my money.
Today, electronic payment methods let the bank know where Ispend my money. Merchants can often tell when I make repeatpurchases.
New mobile phones can use near field communication to talk to amerchants’ point-of-sale systems.
— NFC payment systems could be made privacy-preserving,especially if we have a privacy-preserving mobile network.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
19
Anonymous PaymentBlind signatures, privacy-preserving communication and NFC.
UserBank Merchantpay
chrequest(ch, . . . )
issue signature
ch, signature
The merchant doesn’t know who you are, the bank doesn’t knowwhere you shop.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
20
Cryptographic Security ProofsTheoretical work:— We needed an improved model for cryptographic security
proofs.— We have studied one approach to machine-verifiable proofs.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
21
E-valg 2011We have contributed to the design and analysis of thecryptosystem underlying the 2011 trial of internet voting in Norway.
— This is a seamless digital infrastructure just like the previousexamples. It was deployed and worked very well.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures
22
When?— Not gonna happen.
Our work will not change mobile phone networks or paymentinfrastructures. But thanks to our work and E-valg 2011, we knowthat it is possible to do better.
There’s no excuse not to do better for new infrastructures.
www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures