Privacy-preserving seamless digital infrastructures - why, what, how and when, Kristian Gjøsteen,...

VERDIKT conference 2012.


Page 1: Privacy-preserving seamless digital infrastructures - why, what, how and when, Kristian Gjøsteen, NTNU

Privacy-preserving seamless digital infrastructures – why, what, how and when

Kristian Gjøsteen

Department of Mathematical Sciences

VERDIKT conference, April 26, 2012

www.ntnu.no Kristian Gjøsteen, Privacy-preserving seamless digital infrastructures

Page 2

Contents

Why?

What?

How?

When?


Page 3

Privacy-Preserving Seamless Digital Infrastructures

Funded by VERDIKT from 2008 to 2011.

One PhD student and one post.doc.

Department of Mathematical Sciences and Department of Telematics at NTNU.

The cryptography group at Aarhus University, Denmark.


Page 4

Recent Privacy Compromises

— One specific person’s tax return was shown to many.
— Tracking users of a GSM network.
— Eavesdropping on a GSM network.
— HP stole the phone records of HP board members and journalists.
— Bank employees used celebrity bank account transcripts as entertainment.
— For years, bank employees sold celebrity account transcripts to the Norwegian gossip magazine Se og Hør.
— Deutsche Telekom used their mobile phone network to track journalists’ movements.



Page 11

A Solution?

Often, the problem is insecurely stored data. The obvious solution is to stop storing the data.

Unfortunately, the EU data retention directive says that if the data is generated, it must be stored. Storing data securely is expensive.

It would anyway not prevent Deutsche Telekom from attacking their users.


Page 12

Seamless

People want privacy.

People are not prepared to pay for privacy.

— How much privacy is achievable without increasing user-visible complexity?


Page 13

Preserving Privacy

Privacy for mobile communication is:

— Nobody knows what I am saying.
— Nobody knows who I am talking to.
— Nobody knows where I am.

Today’s systems efficiently provide little or no privacy.

There are cryptographic schemes that provide almost perfect privacy, but they are expensive and complicated.

— We need a trade-off.


Page 14

Fundamental Idea

A fundamental idea in cryptographic research is to distribute computation and knowledge among several parties.

Done correctly, we can tolerate if some – but not all – parties are malicious.


Page 15

Anonymous Key Agreement

Anonymous key agreement may be a solution.

We have: one or more networks of radio towers, willing to talk to phones near them.

Idea: every time a user moves, he anonymously agrees on a key with a new radio tower. Once the key is established, it can be used for secure communication.

Note: if the user is communicating while moving, traffic analysis alone will usually allow an attacker to trace the user.


Page 16

Anonymous Key Agreement I

Signatures, group signatures and Diffie-Hellman.

Message flow (User, Network):

User → Network: g^x
Network → User: g^y, sign(...)
User → Network: groupsign(...)

But:
— Group signatures are expensive.
— Anyone with a radio can force the network to do a lot of work.
— Where do we send the bill for data usage?


Page 17

Today’s Mobile Communications

We have three separate mobile networks in Norway.

We have ∞ virtual operators and resellers.

We can reuse the business model! The GSM networks no longer sell network access directly. Instead, they sell capacity to virtual operators (service providers in our terminology).

— The network provides connectivity.
— The service provider sends the bill.


Page 18

Anonymous Key Agreement II

Public key encryption.

Message flow (User, Network, Service provider S):

User → Network: S, c = {U, n1}_{ek_S}
Network → S: c
S → Network: k, c′ = {N, n1, n2, k}_{k_US}
Network → User: c′
User → Network: {k′, n2, ...}_k
Network → S: n2
S → Network: ok

But:
— A malicious service provider can do anything at the time of key agreement.
— Anyone with a radio can force a service provider to do a lot of work.


Page 19

Anonymous Key Agreement III

Public key encryption and Diffie-Hellman.

Message flow (User, Network, Service provider S):

User → Network: S, g^x, c = {U, n1}_{ek_S}
Network → S: c
S → Network: k, c′ = {N, n1, n2, k}_{k_US}
Network → User: c′, g^y
User → Network: {n2, ...}_k
Network → S: n2
S → Network: ok

But:
— A malicious service provider can do anything at the time of key agreement.
— Anyone with a radio can force a service provider to do a lot of work.


Page 20

Anonymous Key Agreement IV

Public key encryption, Diffie-Hellman and a signature.

Message flow (User, Network, Service provider S):

User → Network: S, g^x, c = {U, n1}_{ek_S}
Network → S: c
S → Network: k, c′ = {N, n1, n2, k}_{k_US}
Network → User: c′, g^y
User → Network: {n2, ...}_k
Network → S: n2
S → Network: ok
Network → User: {...}_{sk_N}

But:
— Anyone with a radio can force a service provider to do a lot of work.


Page 21

Anonymous Key Agreement V

Identity tokens, Diffie-Hellman and a signature.

Message flow (User, Network, Service provider S):

User → Network: S, T = {U}_{k_S}, g^x
Network → S: T, n1
S → Network: c = {T, N, n1, n2}_{k_US}
Network → User: c
User → Network: n1
Network → User: g^y, {...}_{sk_N}
User → Network: {n2, ...}_{g^{xy}}
Network → S: n2
S → Network: ok

But:
— Identity tokens allow a tracing DoS-attack.


Page 22

Anonymous Key Agreement VI

Identity tokens.

Message flow (User, Network, Service provider S):

User → Network: S, T = {U}_{k_S}
Network → S: T, n1
S → Network: k, c = {T, N, n1, n2, k}_{k_US}
Network → User: c
User → Network: {k′, n1, n2}_k
Network → S: n2
S → Network: ok

But:
— A malicious service provider can do anything at the time of key agreement.
— Identity tokens allow a tracing DoS-attack.
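The following is an added simulation of Anonymous Key Agreement VI, the symmetric-only variant, and is not code from the slides or the project. The encryption {m}_key is stood in for by a toy HMAC-based encrypt-then-MAC, the user/network/provider names and the nonce sizes are constructed, and deriving the final session key from S's k together with the user's k′ is an assumption the slide does not state; note that S chooses k and so knows it, which is the slide's first caveat.

```python
import hmac, hashlib, json, secrets

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def enc(key: bytes, msg: dict) -> bytes:
    """Toy encrypt-then-MAC stand-in for {msg}_key: HMAC keystream plus HMAC tag (not for production)."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ks = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def dec(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("authentication failed")
    ks = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def run_protocol(k_S: bytes, k_US: dict, user="U", net="N", sp="S"):
    """Anonymous Key Agreement VI. k_S: provider's token key; k_US: per-user keys shared with S."""
    T = enc(k_S, {"u": user}).hex()                 # identity token T = {U}_{k_S}, issued earlier by S
    # 1. User -> Network: S, T   (the air interface carries the token, never U itself)
    msg1 = {"sp": sp, "T": T}
    # 2. Network -> S: T, n1
    n1 = secrets.token_hex(16)
    # 3. S decrypts T, picks k and n2, answers k, c = {T, N, n1, n2, k}_{k_US}
    u = dec(k_S, bytes.fromhex(msg1["T"]))["u"]
    k, n2 = secrets.token_bytes(32), secrets.token_hex(16)
    c = enc(k_US[u], {"T": T, "N": net, "n1": n1, "n2": n2, "k": k.hex()})
    # 4. Network -> User: c ; the user only accepts a c bound to its own token and this network
    inner = dec(k_US[user], c)
    if inner["T"] != T or inner["N"] != net:
        raise ValueError("user: c is not for my token / this network")
    k_user, k_prime = bytes.fromhex(inner["k"]), secrets.token_bytes(32)
    # 5. User -> Network: {k', n1, n2}_k ; a correct n1 shows the user could read c
    resp = dec(k, enc(k_user, {"k2": k_prime.hex(), "n1": inner["n1"], "n2": inner["n2"]}))
    if resp["n1"] != n1:
        raise ValueError("network: n1 mismatch")
    # 6. Network -> S: n2 ; 7. S -> Network: ok   (S confirms n2 came back through the user)
    ok = hmac.compare_digest(resp["n2"], n2)
    # Assumed here (not on the slide): both ends derive the session key from S's k and the user's k'
    return _prf(k_user, b"sess", k_prime), _prf(k, b"sess", bytes.fromhex(resp["k2"])), ok
```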


Page 23

Anonymous So What?

Different key agreement protocols have different security properties. What happens when you build upon this base?


Page 24

Tomorrow’s NFC Payment Systems

Privacy for electronic payment is:

— Nobody knows where I am spending my money.

Today, electronic payment methods let the bank know where I spend my money. Merchants can often tell when I make repeat purchases.

New mobile phones can use near field communication to talk to a merchant’s point-of-sale systems.

— NFC payment systems could be made privacy-preserving, especially if we have a privacy-preserving mobile network.


Page 25

Anonymous Payment

Blind signatures, privacy-preserving communication and NFC.

Message flow (User, Bank, Merchant):

Merchant → User: pay, ch
User → Bank: request(ch, ...)
Bank → User: issue signature
User → Merchant: ch, signature

The merchant doesn’t know who you are, the bank doesn’t know where you shop.
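An added worked example of the blind-signature step in the payment flow above; it is not code from the slides or the project. It uses textbook RSA blinding with a constructed, far-too-small bank key and a hashed challenge: the bank signs only the blinded value, so it never sees the merchant's challenge ch, while the merchant can still verify the unblinded signature.

```python
import hashlib, math, secrets

# Constructed toy RSA key for the bank: two known primes, far too small for real use.
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # bank's private exponent

def h(data: bytes) -> int:
    """Hash the merchant's challenge to an integer mod N (full-domain-hash stand-in)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def blind(ch: bytes):
    """User: hide h(ch) behind a random factor r before asking the bank for a signature."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (h(ch) * pow(r, E, N)) % N, r    # (blinded value sent to the bank, r kept secret)

def bank_sign(blinded: int) -> int:
    """Bank: signs what it is given; it learns neither ch nor which merchant issued it."""
    return pow(blinded, D, N)

def unblind(blinded_sig: int, r: int) -> int:
    """User: strip r to obtain an ordinary RSA signature on h(ch)."""
    return (blinded_sig * pow(r, -1, N)) % N

def merchant_verify(ch: bytes, sig: int) -> bool:
    """Merchant: checks the bank's signature on the challenge it issued."""
    return pow(sig, E, N) == h(ch)

def run_payment(ch: bytes):
    """pay/ch -> request(blinded) -> issue signature -> (ch, signature). Returns what the bank saw too."""
    blinded, r = blind(ch)
    sig = unblind(bank_sign(blinded), r)
    return blinded, sig, merchant_verify(ch, sig)
```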


Page 26

Cryptographic Security Proofs

Theoretical work:

— We needed an improved model for cryptographic security proofs.
— We have studied one approach to machine-verifiable proofs.


Page 27

E-valg 2011

We have contributed to the design and analysis of the cryptosystem underlying the 2011 trial of internet voting in Norway.

— This is a seamless digital infrastructure just like the previous examples. It was deployed and worked very well.


Page 28

When?

— Not gonna happen.

Our work will not change mobile phone networks or payment infrastructures. But thanks to our work and E-valg 2011, we know that it is possible to do better.

There’s no excuse not to do better for new infrastructures.
