Posted on 31-Mar-2015

You have something to hide

Sandro Etalle

Outline

• Two Episodes
• Privacy in Context
• The Chair
• The Aim
• The Reality Check
• Some Projects (if time allows)

Episode 1: Arnold

www.geenstijl.nl (1)

• ... No, you little pissers. .... We even get a bit sick of it. Luckily we managed to track down the main culprit. Hereby, coward Ixxx xxxx (mirror) (All info), you've been caught red-handed! Good luck in the coming days at school, on the street, in the pub and at family parties...

• “May these guys burn in a burning bramble bush, and far worse.”

Episode 2

Topic & Issues

• Topic: Privacy
– Secret data, policy compliance etc.

• Issues
– Accountability
– Quantitative Privacy Management

Privacy in Context

“if you have nothing to hide you have nothing to fear”

• Skips over the problem by attacking first.

• Is altogether wrong.

The Arguments in Favor

• “huge (security) benefits”
– “Stop terrorism”

• “small privacy loss”
– only few people have access to the data
– (if you have nothing to hide) no-one is going to really look at your record.

“huge (security) benefits”

• Don’t want to get into this.
• See Blog of Bruce Schneier.

“small privacy loss (1)”

• “few people have access to the data”
– trained?
– accountable?

• Power balance

“Personal data for 650,000 customers vanishes into thin air”

http://www.theregister.co.uk/2008/01/18/jc_penney_customer_data_lost/

“small privacy loss (2)”

• “(if you have nothing to hide) no-one is going to look at your record.”
– clerks are not really overpaid
– Hackers
– Governments

An altogether wrong start

• Experience hath shewn, that even under the best forms of government those entrusted with power have, in time, and by slow operations, perverted it into tyranny. Thomas Jefferson (1743 – 1823)

• “a crime can always be found”

• The mere fact that the data is there, and potentially accessible is a problem.

Indeed

• Definition: “Privacy is the ability to lie about yourself and get away with it”
– Bob Blakley, chief scientist for Security and Privacy at IBM Tivoli Software

• Corollary: “if you have nothing hidden, you have no privacy”.

Two issues

• Private information
– Should be collected/used/etc. moderately

• Misuse should be discovered
– Power balance issue

• Challenges @ TU/e:
– Quantitative Privacy Management
– Accountability

Quantitative Privacy Management

• “privacy is being eroded”
– Measure it!

• Guaranteeing graceful degradation
– Normal in critical infrastructures
– Why not for personal data?

• EHR?
– (also) an architectural challenge.

Part 2: the security chair

The Security Chair

• Started 1/10/2007
• SEC is financed by CeDICT, the Centre for Dependable ICT Systems, one of the centres of excellence of the 3TU Federation of Technical Universities of the Netherlands.

The Security Group

• Prof. dr. Sandro Etalle
– Trust management & policies for mobile systems
– Protocol verification
– Intrusion detection
– Risk Management

• Prof. dr. Bart Jacobs 0.2 FTE
– Software Security
– Cybercrime

• Dr. Jerry den Hartog
– Smartcards, security and formal methods

• Dr. Nicola Zannone
– Access Control

• Vacancy
– Embedded Systems Security

• Dr. Fred Spiessens
– Trust management

• Dr. Lu
– smartcards, side-channel attacks

• Dr. Vacancy

• PhD
– Daniel Trivellato: trust management
– Bruno Pontes Soares Rocha: security of mobile devices
– Jing Pan: side-channel attacks
– Gabriel George Popa
– 2/3 more

A technical group working on technical + non-technical problems

EIPSI

Security (computer science) + Coding and Crypto (mathematics) =

30 people by the end of 2008.
The largest technical security group of NL

Teaching

• Kerckhoffs Security Master
– Twente
– Nijmegen
– Eindhoven

Projects

• TAS3: EU IP
– WP leaders

• Poseidon
– ESI
– Thales

• S-mobile
– With VU Amsterdam

• PEARL
– Leaders, with RU & TUD

• PinpasJC
– With RU

The research dream in a nutshell

The middle ages of compliance control

• Confidential data
– medical record
– RFID data, …

• Policy enforcement
– Data should not be disclosed to unauthorized users

• How? Nowadays: DRM, Access Control
– preventive
– No control outside the walls
– One security domain: no cross-organization

• In case of more domains
– Lawyers & Auditors

Towards A Posteriori Compliance Control

• Setting: a number of different security domains
– different authorities
– different policies
– different policy enforcement systems

• Goal: policy enforcement
– data should be used & distributed according to policies

• How: by detecting infringements.

The Idea

• Audit Based Compliance Control
– users are responsible.
– auditing authorities to detect misuse.

• Does not prevent misuse
– actions can always be executed.
– A posteriori, an authority can ask for justification
– The user submits a proof that justifies the action.

• Architecture
– Some degree of trustworthiness


Technical Challenges

• Access Control:
– Security monitor: should this action be allowed?

• A Posteriori Compliance Control
– Auditor: is this observable indicating an infringement?
  • {observables} => decision
  • Depends on the architecture
– User: is this policy the right one?
  • Authority problem

Reality

[Diagram: Accountability, Logging, Privacy]

The role trade-off

[Diagram: Privacy against Accountability; roles shown: Private Citizen, Clerk, Manager, Head of the Army, CEO]

Summarizing

• A Posteriori Compliance Control
– Alternative to access control
– Not yet feasible, but this will change

• Salient Features
– Notion of observable
– Authority problem

Poseidon

• “radar traces concerning boats in the west side of the theatre may be seen only by officers of ally Y or Z with a special clearance”
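The audit-based scheme of the slides “The Idea” and “Technical Challenges” (every action is executed, the authority later maps observables to a decision and may demand a justification), worked through with a policy shaped like the Poseidon radar-trace sentence above. This is an added illustration, not code from the presentation or from the Poseidon project; the policy model, the clearance levels, the credentials on file and the log lines are all constructed for the example.

```python
"""Toy a posteriori compliance control: log everything, audit later.

Added illustration, not code from the presentation or the Poseidon project.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Clearance levels, ordered (constructed for the example).
CLEARANCE_RANK = {"basic": 0, "special": 1}


@dataclass(frozen=True)
class Policy:
    """'Data under data_prefix may be seen only by officers of an allowed
    ally holding at least required_clearance' (shape of the Poseidon rule)."""
    data_prefix: str
    allowed_allies: FrozenSet[str]
    required_clearance: str


@dataclass(frozen=True)
class Credential:
    """What a user can submit to justify an action a posteriori."""
    ally: str
    clearance: str


@dataclass(frozen=True)
class Observable:
    """What the auditing authority actually sees: who did what to which data."""
    actor: str
    action: str
    data: str


# Policies: the Poseidon sentence for the west side, a looser rule for the east.
POLICIES: Tuple[Policy, ...] = (
    Policy("radar/west/", frozenset({"Y", "Z"}), "special"),
    Policy("radar/east/", frozenset({"X", "Y", "Z"}), "basic"),
)

# Credentials on file (constructed). 'dave' has none.
CREDENTIALS: Dict[str, Credential] = {
    "alice": Credential(ally="Y", clearance="special"),
    "bob":   Credential(ally="X", clearance="special"),   # wrong ally for the west
    "carol": Credential(ally="Z", clearance="basic"),     # right ally, clearance too low
}

# The log: every action was executed, nothing was prevented (constructed).
LOG: Tuple[Observable, ...] = (
    Observable("alice", "view", "radar/west/trace-17"),
    Observable("bob",   "view", "radar/west/trace-18"),
    Observable("carol", "view", "radar/west/trace-19"),
    Observable("bob",   "view", "radar/east/trace-02"),
    Observable("dave",  "view", "radar/west/trace-20"),
    Observable("alice", "view", "weather/today"),         # no policy covers this
)


def applicable_policy(data: str, policies=POLICIES) -> Optional[Policy]:
    """Most specific (longest-prefix) policy covering a data object, if any."""
    matches = [p for p in policies if data.startswith(p.data_prefix)]
    return max(matches, key=lambda p: len(p.data_prefix), default=None)


def justifies(policy: Policy, cred: Credential) -> bool:
    """Does the submitted credential prove the action complied with the policy?"""
    return (cred.ally in policy.allowed_allies
            and CLEARANCE_RANK[cred.clearance] >= CLEARANCE_RANK[policy.required_clearance])


def audit(log=LOG, credentials=CREDENTIALS,
          policies=POLICIES) -> Dict[str, List[Tuple[str, str]]]:
    """The auditor's step: {observables} => decision, one decision per observable.

    'compliant'   : justified, or no policy applies to the data
    'infringement': a justification exists but does not satisfy the policy
    'unjustified' : the actor has nothing on file; the authority must follow up
    """
    verdict: Dict[str, List[Tuple[str, str]]] = {
        "compliant": [], "infringement": [], "unjustified": []}
    for ev in log:
        key = (ev.actor, ev.data)
        policy = applicable_policy(ev.data, policies)
        if policy is None:
            verdict["compliant"].append(key)
            continue
        cred = credentials.get(ev.actor)
        if cred is None:
            verdict["unjustified"].append(key)
        elif justifies(policy, cred):
            verdict["compliant"].append(key)
        else:
            verdict["infringement"].append(key)
    return verdict


if __name__ == "__main__":
    for outcome, events in audit().items():
        print(outcome, events)
```

Two of the slide's points show up directly in the code: nothing in the log was blocked, so detection is the only control, and the decision depends entirely on which policy the auditor considers applicable (here: longest matching prefix, a constructed choice). The slide's “authority problem”, whether that policy is the right one at all, is outside what the auditor can compute.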

PEARL

• Privacy Enhancing security Architecture for RFID Labels
– Specification & enforcement of privacy policies
– Across domains

• STW/Sentinels
– With RUN, Delft
– Philips, TNO

Trusted Architecture for Securely Shared Services

Topics: Trust management, Information Protection, Workflows, Privacy, Legal, Authentication

Application Areas: Healthcare, Employability

FP7 Integrated Project, 1 Jan 2008 - 31 Dec 2011
18 Partners: KU Leuven, SAP, Oracle, TU/e, ...

S-mobile

• Security of Services on Mobile Systems
– Only games endorsed by ProvacyPreserving.com should access my calendar.
– This applet should not cost me more than 3 EUR per week.

• Matching
• Trust

• STW/Sentinels
– with VU, Philips, TNO

PINPAS Java Card
Program Inferred Power-Analysis in Software for Java Card

Trend: Security relies on smartcards
– bank & cash cards, SIM, biometric passport

Threat: side channel attacks
– Passive: timing, power consumption, ...
– Active, fault attacks: power glitch, card tear, ...

Goal: Predict and Prevent vulnerabilities
– Software simulation (predict)
– Coding guidelines (avoid)
– Program analysis tools (detect)

Initial Results:
– Simulation tool, JavaCard compliance tests, verification of security properties w.r.t. faults

Research at: case-studies by:

Questions?