Post on 18-Dec-2015
Negotiated Privacy
CS551/851 Cryptography Applications Bistro
Mike McNett, 30 March 2004
• Stanislaw Jarecki, Pat Lincoln, Vitaly Shmatikov. Negotiated Privacy.
• Dawn Xiaodong Song, David Wagner, Adrian Perrig. Practical Techniques for Searches on Encrypted Data.
• Brent R. Waters, Dirk Balfanz, Glenn Durfee, and D. K. Smetters. Building an Encrypted and Searchable Audit Log.
Is Negotiated Privacy Necessary?
• World Wide Web Consortium (W3C) Platform for Privacy Preferences (P3P) Project (http://www.w3.org/P3P/)
“The Platform for Privacy Preferences Project (P3P), … is emerging as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. … P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see.”
NOTE: 10 February 2004, W3C P3P 1.1 First public Working Draft
Why is it Really Necessary?
“The way to have good and safe government, is not to trust it all to one, but to divide it among the many...[It is] by placing under every one what his own eye may superintend, that all will be done for the best.”
Thomas Jefferson to Joseph Cabell (Feb. 2, 1816)
It’s necessary because Mr. Jefferson said so!
Outline
• Application Areas
• Options for Privacy Management
• What Negotiated Privacy Is
• What Negotiated Privacy Is Not
• Implementation Details
• Limitations
• Conclusion
Application Areas
• Health data (diseases, bio-warfare, epidemics, drug interactions, etc.)
• Banking (money laundering, tax avoidance, etc.)
• National security (terrorist tracking, money transfers, etc.)
• Digital media (copies, access rights, etc.)
• Note: Many applications require
– Security
– Guarantees of privacy
Options for Privacy Management
• Trust the collectors / analysts (people / organizations accessing the data)? IRS, DMV, WalMart
• Trust the users whom the data is about? P3P
• Combination of the above?
– Negotiate what is reportable and what isn’t
What Negotiated Privacy Is
• Provides personal data escrow of private data by the subjects of monitoring
• Pre-negotiated thresholds (with the interested parties)
• Conditional release: meeting a threshold “unlocks” the private data
• Ensures both accuracy and privacy
• Only allows authorized queries (i.e., has a threshold been met?)
What Negotiated Privacy Is Not
• Private Information Retrieval (PIR)
– enforces privacy when data is retrieved
• Digital Cash
– enforces privacy of multiple “digital coins”
– can’t verify that a user has “too many” coins
• Privacy Preserving Datamining
– sanitizes or splits data
– can’t control the conditions for exposing information
• Searching on Encrypted Data
– allows efficient (secure, but not private) searches
– paper by Song, Wagner, Perrig: “Practical Techniques for Searches on Encrypted Data”
Song, Wagner, Perrig
• Several schemes – the last one supports:
– Provable Secrecy (the untrusted server cannot learn anything about the plaintext given only the ciphertext)
– Controlled Searching (the untrusted server cannot search for a word without the user’s authorization)
– Hidden Queries (the user may ask the untrusted server to search for a secret word without revealing the word to the server)
– Query Isolation (the untrusted server learns nothing more than the search result about the plaintext)
• Note – Negotiated Privacy has “Provable Secrecy” and is only slightly related to “Controlled Searching”
Basic Idea (details later)
Example: Database – one record per copied song, per user.
[Figure: User, Analyst (holding a database with User / Artist / Song columns), Service Provider and PKI / Magistrate, with the numbered message flow below.]
1. User → Analyst: escrow the activity (e.g., make one copy of a song)
2. Analyst validates the escrow
3. Analyst → User: issue a receipt, or request disclosure
4. User → Service Provider: report activity $t$
5. If $P(t)$, the user also gives the receipt
6. Service Provider validates and provides the service, or denies the service
Details
• Reference: http://www.math.clemson.edu/faculty/Gao/crypto_mod/node4.html
Details
• Required “tools” / data:
– asymmetric key system: $x$ = private key, $y = g^x$ = public key ($g$ generates $G_q$)
– activity $t$ (plaintext)
– predicate $P(t)$
– $\mathrm{core}(t)$ = the part of the data that determines the value of $P(t)$
– $s$ = fresh random element in $G_q$
– personal data escrow $[t]_x = (\mathit{tag}, c, \mathrm{Enc}_s\{t\}, k)$ where
• $\mathit{tag} = h^x$, where $h = \mathrm{hash}(\mathrm{core}(t))$ hashes deterministically into $G_q$
• $c = s^x$
• $k$ = threshold value
– $\mathrm{Sig}_{K_M}(U, y)$ – the magistrate’s signature binding user $U$ to public key $y$ (protects against a malicious user)
– $\mathrm{Sig}_{K_A}([t]_x)$ – the analyst’s signature on the escrow, i.e. the receipt (protects against a malicious analyst / provider)
Details
[Figure: protocol flow between User, PKI / Magistrate, Analyst (holding the User / Artist / Song database) and Service Provider; the numbered steps are listed below.]
1. User → Magistrate: $g, y$
2. Magistrate verifies that $U$ knows $x$ (e.g., Schnorr authentication)
3. Magistrate → User: $\mathrm{Sig}_{K_M}(U, y)$
4. User generates the escrow $[t]_x$: $\mathit{tag} = h^x$ where $h = \mathrm{hash}(\mathrm{core}(t))$; $s$ = fresh random element in $G_q$; hash $s$ into the keyspace and compute $\mathrm{Enc}_s\{t\}$; $c = s^x$; $k$ = threshold value
5. User → Analyst: $[t]_x$
6. Analyst validates the escrow: checks escrow freshness; if $\mathrm{count}(\mathit{tag}) < k-1$ then issue a receipt, else the user must disclose the other records with the same tag
7. Analyst → User: $\mathrm{Sig}_{K_A}([t]_x)$ (the receipt), or request disclosure
8. User → Service Provider: report activity $t$; if $P(t)$ then also give $s$, $\mathrm{Sig}_{K_A}([t]_x)$, $\mathrm{Sig}_{K_M}(U, y)$ and a proof that $\mathit{tag} = h^x$, $c = s^x$ and $y = g^x$
9. Service Provider: verify the signatures; verify the identity is $U$; verify $t$ matches the activity; verify the reported $k$ is correct for this activity; compute $h = \mathrm{hash}(\mathrm{core}(t))$; verify the proof ($\mathit{tag} = h^x$, $c = s^x$, $y = g^x$)
10. Service Provider: provide the service, or deny the service
More Details
• Disclosure:
– When $\mathrm{count}(\mathit{tag}) \geq k-1$
– Not automatic – A must request U to disclose
– Only disclose escrows with the same relevant tag
– A gives U all relevant escrows for U to open
– U opens each $[t]_x$ by:
• $s = c^{1/x}$
• $t = \mathrm{Dec}_s\{\mathrm{Enc}_s\{t\}\}$
• $h = \mathrm{hash}(\mathrm{core}(t))$
– For each $[t]_x$, U sends to A: $h$, $s$, $\mathrm{Sig}_{K_M}(U, y)$, and a proof that $\mathit{tag} = h^x$, $c = s^x$, and $y = g^x$
• A learns U and $t$
• Lemma 4:
– A will know the number of other reportable activities by U
– Doesn’t leak to A the plaintext of other activities of U
Example: four escrowed copies of the same song by the same user share one tag, so the fourth one crosses a threshold of $k = 4$:
User      Artist          Song
D Evans   Britney Spears  Toxic
D Evans   Britney Spears  Toxic
D Evans   Britney Spears  Toxic
D Evans   Britney Spears  Toxic
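The escrow, threshold-counting and disclosure steps above (steps 4 to 9 of the protocol and the “More Details” opening procedure) as an added, runnable example; this is not code from the Negotiated Privacy paper or this talk. It works in the order-$q$ subgroup $G_q$ of $\mathbb{Z}_p^*$ for a safe prime $p = 2q+1$ and makes several assumptions that the slides leave open: a 64-bit demo group instead of a real one, hashing $\mathrm{core}(t)$ into $G_q$ by squaring a hash, a SHA-256 keystream as $\mathrm{Enc}_s$, and a Chaum-Pedersen style Fiat-Shamir proof standing in for the slide’s “proof that $\mathit{tag} = h^x$, $c = s^x$, $y = g^x$”. The magistrate’s and analyst’s signatures are omitted.

```python
"""Toy Negotiated-Privacy escrow in the order-q subgroup G_q of Z_p^* (p = 2q+1): tag = h^x,
c = s^x, y = g^x; the analyst counts escrows per tag and at the threshold the user opens them
with s = c^(1/x) and proves the three exponents are equal. Added example, not the paper's code:
the 64-bit demo group, hash-to-group rule, SHA-256 keystream for Enc_s and the Fiat-Shamir
equality-of-logs proof are assumptions; the Sig_KM / Sig_KA signatures are omitted."""
import hashlib
import random
import secrets
from collections import defaultdict
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for the 64-bit sizes used here."""
    if n < 41 or n % 2 == 0:
        return n in MR_BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits, seed=1):
    """Deterministic search for p = 2q+1 with p, q prime (demo size, not 2048-bit)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime(64)
G = 4                                   # a square mod p, hence a generator of G_q
NBYTES = (P.bit_length() + 7) // 8

def core(t):                            # core(t): the fields that decide P(t): (user, artist, song)
    return b"|".join(t.split(b"|")[:3])

def hash_to_group(data):                # hash into Z_p^*, then square: the squares form G_q
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 2) + 2, 2, P)

def xor_stream(s, data):                # Enc_s / Dec_s: XOR with a SHA-256 keystream derived from s
    ks = b"".join(hashlib.sha256(s.to_bytes(NBYTES, "big") + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def challenge(*parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def prove_equal_logs(x, bases, images):
    """Chaum-Pedersen style NIZK that images[j] = bases[j]^x for one and the same x."""
    w = secrets.randbelow(Q - 1) + 1
    commits = [pow(b, w, P) for b in bases]
    return commits, (w + challenge(bases, images, commits) * x) % Q

def verify_equal_logs(bases, images, proof):
    commits, z = proof
    e = challenge(bases, images, commits)
    return all(pow(b, z, P) == a * pow(y, e, P) % P for b, y, a in zip(bases, images, commits))

def keygen():                           # user: private x, public y = g^x
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def escrow(x, t, k):
    """[t]_x = (tag, c, Enc_s{t}, k) with tag = h^x, c = s^x and a fresh s in G_q."""
    s = pow(G, secrets.randbelow(Q - 1) + 1, P)
    return {"tag": pow(hash_to_group(core(t)), x, P), "c": pow(s, x, P),
            "ct": xor_stream(s, t), "k": k}

def open_escrow(x, y, esc):
    """Disclosure: s = c^(1/x), t = Dec_s{.}, and proof that tag = h^x, c = s^x, y = g^x."""
    s = pow(esc["c"], pow(x, -1, Q), P)
    t = xor_stream(s, esc["ct"])
    return t, s, prove_equal_logs(x, [hash_to_group(core(t)), s, G], [esc["tag"], esc["c"], y])

def validate(book, y, esc):
    """Analyst step 6: receipt while fewer than k-1 earlier escrows carry this tag, else disclose."""
    book[(y, esc["tag"])].append(esc)
    return "receipt" if len(book[(y, esc["tag"])]) < esc["k"] else "disclose"

def check_opening(y, esc, t, s, proof):
    """Analyst step 9: recompute h = hash(core(t)) and check tag = h^x, c = s^x, y = g^x."""
    return xor_stream(s, t) == esc["ct"] and verify_equal_logs(
        [hash_to_group(core(t)), s, G], [esc["tag"], esc["c"], y], proof)

def run_demo(k=3, copies=4):
    """Escrow `copies` copies of one song under threshold k; return the verdict per copy."""
    (x, y), book, verdicts = keygen(), defaultdict(list), []
    for i in range(copies):
        esc = escrow(x, b"D Evans|Britney Spears|Toxic|copy=%d" % i, k)   # constructed record
        verdict = validate(book, y, esc)
        if verdict == "disclose":                      # open every escrow with this tag
            ok = [check_opening(y, e, *open_escrow(x, y, e)) for e in book[(y, esc["tag"])]]
            verdict = "disclosed:%d/%d" % (sum(ok), len(ok))
        verdicts.append(verdict)
    return verdicts
```

With $k = 3$ the first two copies earn receipts and the third forces the user to open all three escrows; the analyst can only count matching tags until then, and the opening proof ties the disclosed $s$ and $t$ to the public key $y$ that the magistrate certified, so a user cannot substitute another key or another plaintext.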
Limitations
• Social, legal, etc. questions
• Upfront threshold & query negotiations are required
• Query limitations – dynamic queries are difficult (impossible??)
• Can’t do “group” thresholds (since all must have the same tag)
• No automatic disclosure of records (but could go to the magistrate, if necessary)
• U gets an escrow, but decides not to get served
• Can’t completely stop impersonations (use biometrics??)
• Doesn’t stop threats due to collusion among entities
Conclusion
• Good initial move towards supporting reasonable negotiated privacy
• Provides unique functionality for niche applications
• Don’t ask Dave for copies of his music
Outline
• Practical Techniques for Searches on Encrypted Data
• Building an Encrypted and Searchable Audit Log
Goals
• Provable Security – the untrusted server learns nothing about the plaintext given only the ciphertext
• Controlled Searching – the untrusted server cannot perform the search without user authorization
• Hidden Queries – the untrusted server does not know the query
• Query Isolation – the untrusted server does not learn more than the search results
Basic Scheme Encryption
We want to encrypt words $W_1, W_2, \ldots, W_l$, each $n$ bits.
$S_1, S_2, \ldots, S_l$ are pseudorandom values generated using a stream cipher, each $n-m$ bits.
$F$ is the pseudorandom function; the range of $F$ is $m$ bits.
$k_i$ is some secret key (stored on a trusted server).
$T_i = \langle S_i, F_{k_i}(S_i) \rangle$
$C_i = W_i \oplus T_i$
Basic Scheme Search and Decryption
• To search: send $W_i$ and $k_i$ to the untrusted server. For each entry the server computes $T_i = C_i \oplus W_i$ and checks whether $T_i[n-m+1 \ldots n] = F_{k_i}(T_i[1 \ldots n-m])$. If they are equal, then a match occurs and the document is sent to the requester. False positives are possible, but their number can be reduced by increasing $m$.
• To decrypt: determine $S_i$, compute $F_{k_i}(S_i)$, and $W_i = C_i \oplus \langle S_i, F_{k_i}(S_i) \rangle$.
Basic Scheme Issues
Bad:
1: The untrusted server knows the search query.
2: The problem with the basic scheme lies in $k_i$: handing it over gives the untrusted server an opportunity to search for any key word, violating the controlled searching criterion.
Good:
3: At the positions where the untrusted server does not know $k_i$, it learns nothing about the key word.
4: The time to perform the search is linear in the number of key words, so it requires $O(n)$ stream cipher and block cipher operations.
Controlled Searching
To perform controlled searching, we tie the key to the word $W_i$. To do that, we introduce a new pseudorandom function $f: K_F \times \{0,1\}^* \to K_F$, keyed with a secret key $k'$ chosen uniformly at random. Now $k_i = f_{k'}(W_i)$.
To search: the untrusted server is given $W_i$ and $f_{k'}(W_i)$.
• How do we decrypt now?
• The issue of hiding search queries is still unresolved.
Hidden Searches
To allow for hidden searches, we encrypt the word $W_i$: $X_i = E_{k''}(W_i)$ and $C_i = X_i \oplus T_i$, where $T_i = \langle S_i, F_{k_i}(S_i) \rangle$ and $k_i = f_{k'}(X_i)$.
To search: send $E_{k''}(W_i)$ and $k_i = f_{k'}(E_{k''}(W_i))$ to the untrusted server.
• The problem with decryption still remains.
Solving Decryption Problem
To solve the decryption problem, we break $X_i = E_{k''}(W_i)$ into two parts, $X_i = \langle L_i, R_i \rangle$. The first part has $n-m$ bits and the second has $m$ bits. Then, compute the key only as a function of the first part: $k_i = f_{k'}(L_i)$.
Making the above changes does not reduce the security of the scheme, but allows for an easy decryption, because we can find $S_i$, XOR it with the ciphertext to retrieve $L_i$, and compute $k_i = f_{k'}(L_i)$.
To search, send: $X_i = E_{k''}(W_i)$ and $k_i = f_{k'}(L_i)$.
To decrypt: determine $S_i$, compute $L_i = C_i[1 \ldots n-m] \oplus S_i$ and $k_i = f_{k'}(L_i)$; then $X_i = C_i \oplus \langle S_i, F_{k_i}(S_i) \rangle$ and $W_i = E^{-1}_{k''}(X_i)$.
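The final scheme of the last three sections (controlled searching via $k_i = f_{k'}(L_i)$, hidden queries via $X_i = E_{k''}(W_i)$, and decryption from the left half) as an added, runnable example; this is not the paper’s or the talk’s code. It fixes $n = 64$ and $m = 32$ and makes the following substitutions, which are assumptions: HMAC-SHA256 (truncated) plays $F$, $f$ and, in counter mode, the stream cipher that yields $S_i$; a four-round Feistel network with an HMAC round function plays the block cipher $E_{k''}$ (a pseudorandom permutation on 64-bit words); words are padded to fixed length as in the slide’s padding option.

```python
"""Song-Wagner-Perrig final scheme on fixed-length 64-bit words (n = 64, m = 32):
X_i = E_k''(W_i) = <L_i, R_i>, k_i = f_k'(L_i), T_i = <S_i, F_{k_i}(S_i)>, C_i = X_i xor T_i.
Added example, not the paper's code: HMAC-SHA256 stands in for F and f, a 4-round HMAC
Feistel for the block cipher E, and HMAC in counter mode for the stream cipher producing S_i."""
import hashlib
import hmac
import secrets

NB, MB = 8, 4                  # n = 64-bit words, m = 32-bit check part, so S_i is n - m = 32 bits

def prf(key, data, nbytes):    # keyed PRF truncated to nbytes: plays F, f and the stream cipher
    return hmac.new(key, data, hashlib.sha256).digest()[:nbytes]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_enc(key, block):     # E_k'': 4-round Feistel on 32-bit halves with an HMAC round function
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor(l, prf(key, bytes([i]) + r, 4))
    return l + r

def block_dec(key, block):     # inverse of block_enc: the same rounds in reverse order
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = xor(r, prf(key, bytes([i]) + l, 4)), l
    return l + r

def gen_keys():
    """k'' for E, k' for f, and the stream-cipher seed; all three stay with the user."""
    return {"kpp": secrets.token_bytes(16), "kp": secrets.token_bytes(16),
            "stream": secrets.token_bytes(16)}

def to_word(w):                # fixed-length words: pad (or truncate) to n bits
    return w.encode().ljust(NB, b"\0")[:NB]

def stream_block(seed, i):     # S_i: the i-th (n - m)-bit output of the stream cipher
    return prf(seed, i.to_bytes(4, "big"), NB - MB)

def encrypt_words(keys, words):
    """C_i = X_i xor <S_i, F_{k_i}(S_i)> with X_i = E(W_i) = <L_i, R_i> and k_i = f(L_i)."""
    out = []
    for i, w in enumerate(words):
        x = block_enc(keys["kpp"], to_word(w))
        k_i = prf(keys["kp"], x[:NB - MB], 16)
        s = stream_block(keys["stream"], i)
        out.append(xor(x, s + prf(k_i, s, MB)))
    return out

def trapdoor(keys, word):
    """What the user sends to search: X = E(W) and k = f(L); k' and k'' are never revealed."""
    x = block_enc(keys["kpp"], to_word(word))
    return x, prf(keys["kp"], x[:NB - MB], 16)

def server_search(ciphertexts, td):
    """Untrusted server: T = C xor X; match iff the right m bits equal F_k(left n - m bits)."""
    x, k = td
    hits = []
    for i, c in enumerate(ciphertexts):
        t = xor(c, x)
        if prf(k, t[:NB - MB], MB) == t[NB - MB:]:
            hits.append(i)
    return hits

def decrypt_words(keys, ciphertexts):
    """S_i from the seed, L_i = C_i[1..n-m] xor S_i, k_i = f(L_i), X_i = C_i xor T_i, W_i = E^-1(X_i)."""
    words = []
    for i, c in enumerate(ciphertexts):
        s = stream_block(keys["stream"], i)
        k_i = prf(keys["kp"], xor(c[:NB - MB], s), 16)
        x = xor(c, s + prf(k_i, s, MB))
        words.append(block_dec(keys["kpp"], x).rstrip(b"\0").decode())
    return words
```

Note what the server sees: only $X$ and $k_i$ for the word being searched, never $k'$ or $k''$, so it cannot build trapdoors for other words (controlled searching) and cannot invert $X$ to the plaintext word (hidden query). It does learn which positions matched, and with $m = 32$ a false positive occurs with probability about $2^{-32}$ per position.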
Scheme Conclusions
• “Efficient” encryption, decryption and search, taking $O(n)$ block cipher and stream cipher operations
• Provable security with controlled searching, hidden queries, query isolation
• Possible support for composed queries
• Possible support for varied-length words
– Padding with fixed-length blocks
– Variable-length words (store the length)
Reasons to Encrypt Audit Logs
• Log may be stored at a not completely trusted (secure) site
• To prevent tampering with the log
• To restrict access to the log
– Allow access only to certain parts of the log
– Allow only certain entities to access the log
Characteristics of a Secure Audit Log
• Tamper Resistant
– Guarantee that only the authorized entity can create entries and, once created, entries cannot be altered
• Verifiable
– Allow verification that all entries are present and have not been altered
• Searchable with data access control
– Allow the log to be “efficiently” searched only by authorized entities
Notation and Setup
• Audit Escrow Agent – creates $t$ secrets $S_1, S_2, \ldots, S_t$
• Audit Logs – $t$ log servers, server $j$ holding $S_j$
• Investigator
• Audit Records $R_0, R_1, \ldots, R_n$. Each audit record contains:
– $E_k(m)$ – encryption of string $m$ with key $k$
– $H(R_{i-1})$ – hash of the previous record, to prevent tampering
– $c_1, \ldots, c_n$ – information about the key words $w_1, \ldots, w_n$, to be used for searching
– $V$ – verification information ($H(R_i)$)
Symmetric Key Scheme
• $H$ – pseudorandom function keyed with $S$
• $S$ – secret key for this log chosen by the escrow agent
• $\mathit{flag}$ – constant bit string of length $l$
Want: encrypt $m$ with key words $w_1, w_2, \ldots, w_n$
1. Server chooses a random key $k$ and computes $E_k(m)$
2. Server chooses a random string $r$ of fixed length and computes, for each $i$: $a_i = H_S(w_i)$, $b_i = H_{a_i}(r)$, $c_i = b_i \oplus (\mathit{flag} \| k)$
3. Server writes $(E_k(m), r, c_1, c_2, \ldots, c_n)$
Search and Decryption
• To search for all entries with keyword $w$:
– Escrow constructs a search capability for an investigator: $D_w = (H_{S_1}(w), H_{S_2}(w), \ldots, H_{S_t}(w))$, where $H_{S_j}(w)$ is the search capability for log server $j$.
– For each entry in log $j$, the investigator computes $b = H_{H_{S_j}(w)}(r)$ and $\mathit{value} = c_i \oplus b$. If the first $l$ bits match the flag, then extract the key $k$ and decrypt $m$.
– What if we encounter a false positive?
• To decrypt: ???
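The symmetric scheme and its search procedure from the last two sections, plus the $H(R_{i-1})$ chain from the notation slide, as an added, runnable example; this is not the Waters et al. code. Assumptions not fixed by the slides: HMAC-SHA256 plays $H$, the flag is 32 bits, a single log server is shown, and $E_k$ is an authenticated construction (keystream XOR plus an HMAC tag) so that the slide’s open question, a false positive on the flag check, is answered by a failed tag rather than by decrypting to garbage.

```python
"""Symmetric searchable audit log (Waters, Balfanz, Durfee, Smetters): per keyword
a_i = H_S(w_i), b_i = H_{a_i}(r), c_i = b_i xor (flag || k); each record also carries
E_k(m) and H(R_{i-1}). Added example, not the paper's code: HMAC-SHA256 stands in for H,
the 32-bit flag, the authenticated E_k (so a false positive is rejected instead of being
decrypted to garbage) and the single log server are assumptions."""
import hashlib
import hmac
import secrets

FLAG = b"\xab\xcd\xef\x01"             # constant l-bit flag, l = 32
GENESIS = hashlib.sha256(b"genesis").digest()

def H(key, data):                      # pseudorandom function keyed with `key`
    return hmac.new(key, data, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(k, n):
    return b"".join(H(k, b"ks" + i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def enc(k, m):                         # E_k(m): keystream XOR plus an HMAC tag over the ciphertext
    c = xor(m, keystream(k, len(m)))
    return c + H(k, b"mac" + c)[:16]

def dec(k, ct):                        # the plaintext, or None when the tag fails (wrong k)
    c, tag = ct[:-16], ct[-16:]
    if not hmac.compare_digest(H(k, b"mac" + c)[:16], tag):
        return None
    return xor(c, keystream(k, len(c)))

def record_hash(rec):
    return hashlib.sha256(repr(sorted(rec.items())).encode()).digest()

class LogServer:
    def __init__(self, S):
        self.S, self.records, self.head = S, [], GENESIS     # S is chosen by the escrow agent

    def append(self, m, keywords):
        """Steps 1-3 of the symmetric scheme, plus the H(R_{i-1}) link to the previous record."""
        k, r = secrets.token_bytes(16), secrets.token_bytes(16)
        cs = []
        for w in keywords:
            a = H(self.S, w.encode())                      # a_i = H_S(w_i)
            b = H(a, r)                                    # b_i = H_{a_i}(r)
            cs.append(xor(FLAG + k, b))                    # c_i = b_i xor (flag || k)
        rec = {"ct": enc(k, m), "r": r, "c": cs, "prev": self.head}
        self.records.append(rec)
        self.head = record_hash(rec)                       # kept (or published) as V
        return rec

    def verify_chain(self):
        """Verifiable: each prev must hash its predecessor and the chain must end at head."""
        h = GENESIS
        for rec in self.records:
            if rec["prev"] != h:
                return False
            h = record_hash(rec)
        return h == self.head

def capability(S, w):                  # escrow agent -> investigator: d_w = H_S(w) for this log
    return H(S, w.encode())

def search(records, d):
    """Investigator: b = H_d(r), value = c_i xor b; on a flag match extract k and decrypt m."""
    found = []
    for idx, rec in enumerate(records):
        b = H(d, rec["r"])
        for c in rec["c"]:
            value = xor(c, b)
            if value[:len(FLAG)] == FLAG:
                m = dec(value[len(FLAG):], rec["ct"])    # None on a false positive
                if m is not None:
                    found.append((idx, m))
                    break
    return found
```

A capability for one keyword opens only the records carrying that keyword; a capability computed under a different log secret matches nothing, which is the per-server property the slide’s $D_w$ list is built from. The chain check catches an altered record as long as the current head is kept somewhere the log server cannot rewrite.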
Issues and Problems
• flag size and the possibility of false positives
• Capabilities for different key words appear random
• An adversary may be able to learn $S$, which is known to the server
• Updating keys requires a constant connection to the escrow agent, plus a key-management problem with numerous keys, plus high search time
• STORE AS LITTLE SECRET INFORMATION ON THE SERVER AS POSSIBLE
Identity Based Encryption
• Identity Based Encryption allows arbitrary strings to be used as public keys
• Master secret key stored with a trusted escrow agent allows generation of a private key after the public key has been selected
IBE Setup and Key Generation
• Setup: system parameters $(p, q, G_1, G_2, e, P, P_0 = sP, H_1, H_2)$, where
– $G_1, G_2$: two groups of large prime order $q$ ($p$ is the characteristic of the underlying field)
– $P$: an arbitrary generator of $G_1$
– $e: G_1 \times G_1 \to G_2$: “admissible” bilinear map
– $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^n$: two cryptographic hash functions
– $s \in \mathbb{Z}_q^*$: master secret
• Key generation: $d_w = s H_1(w)$ is the private key corresponding to public key $w$
IBE Encryption and Decryption
• Encryption: to encrypt $m \in \{0,1\}^n$ with public key $w$, compute
1) $Q_w = H_1(w)$
2) $g_w = e(Q_w, P_0)$
3) $c = (rP,\; m \oplus H_2(g_w^r))$ for a random $r \in \mathbb{Z}_q^*$
• Decryption: to decrypt $c = (U, V)$ using $d_w$ as the private key, compute $m = V \oplus H_2(e(d_w, U))$
• Note: $m \oplus H_2(g_w^r) = m \oplus H_2(e(H_1(w), sP)^r) = m \oplus H_2(e(sH_1(w), rP)) = m \oplus H_2(e(d_w, rP))$, so $V \oplus H_2(e(d_w, U))$ recovers $m$
Asymmetric Scheme using IBE
• To encrypt: Want: encrypt $m$ with key words $w_1, w_2, \ldots, w_n$
1. Server chooses a random key $k$ and computes $E_k(m)$
2. For each $w_i$, server computes $c_i$ = IBE encryption of $(\mathit{flag} \| k)$ using $w_i$ as the public key
3. Server writes $(E_k(m), c_1, c_2, \ldots, c_n)$
• To search: the investigator gets $d_w$ from the escrow agent to search for $w$. The investigator decrypts each $c_i$ and checks if the first $l$ bits are $\mathit{flag}$. If they are, he extracts $k$ and decrypts $m$.
• To decrypt: ???
Comments on the IBE Scheme
• Note:
• Each server stores only public parameters
• Compromising the server does not allow an attacker to search the data
• An investigator holding $d_w$ cannot get $d_{w'}$
• Possible to separate search and decryption by encrypting the key using some other public key (requires an extra access to the escrow agent for decryption)
• A drawback: tremendous increase in computation time
Scheme Optimizations
• Pairing Reuse: by caching $g_w$ for every $w$, we don’t need to compute the pairing twice, producing considerable speedup for future searches for $w$.
• Indexing: we can group log entries into blocks, reducing the number of key words we need to encrypt. For each key word $w$, we encrypt the entry numbers with the corresponding keys, reducing computation time.
• Randomness Reuse: we can also use one random $r$ for each entry, which would substantially speed up decryption because we only need to calculate one pairing per entry.