Privacy-Enhancing Technologies & Applications to ehealth. Dr. Anja Lehmann IBM Research Zurich

Size: px

Start display at page:

Download "Privacy-Enhancing Technologies & Applications to ehealth. Dr. Anja Lehmann IBM Research Zurich"

Mervyn Sanders
6 years ago
Views:

1 Privacy-Enhancing Technologies & Applications to ehealth Dr. Anja Lehmann IBM Research Zurich

IBM Research Zurich IBM Research founded in 1945 employees: 3,000 12 research labs on six continents IBM Research Zurich founded in 1956 more than 45 nationalities Nobel Laureates: 4 1986 in Physics

2 IBM Research Zurich IBM Research founded in 1945 employees: 3, research labs on six continents IBM Research Zurich founded in 1956 more than 45 nationalities Nobel Laureates: in Physics by Heinrich Rohrer & Gerd Binnig 1987 in Physics by Alex Müller & Georg Bednorz research areas: Science & Technology Industry and Cloud Solutions Cloud & Computing Infrastructure Cognitive Computing & Computational Sciences Anja Lehmann IBM Research Zurich

3 IBM Research Zurich Cognitive Computing & Computational Sciences next generation cognitive systems and technologies big data, HPC, secure information management computational sciences Security & Privacy group 13 people: researchers, PostDocs, PhD students, software engineers focus: privacy-enhancing technologies, provable security This talk: why does privacy matter? what are the risks/limitations of current technologies? what measures exist to enhance privacy & security? Anja Lehmann IBM Research Zurich

4 Why does privacy matter? storage is becoming increasingly cheaper store by default e.g., intelligence agencies, Google Street View with wireless traffic, Apple location history once data is released, it can no longer be controlled can be copied & distributed different pieces can be linked and profiles be made data mining more efficient not just trend detection, even prediction, e.g., flu pandemics correlation with illegal criteria, e.g., race, religion networks and systems badly protected feature creep, security comes last, if at all security breaches happen almost every day 4 Anja Lehmann IBM Research Zurich

5 Why does privacy matter? it is far too easy to collect & to loose data! what are the risks if personal data is lost? embarrassment, blackmailing, identity theft, discrimination security risk: data must be protected accordingly basic protection techniques: reveal only data that is minimally necessary avoid globally unique personal identifiers strongly protect aquired (personal) data 5 Anja Lehmann IBM Research Zurich

6 avoid globally unique (personal) identifiers & linkability 6 Anja Lehmann IBM Research Zurich

7 Data Exchange how to keep & exchange related data maintained by different entities? Doctor A Health Insurance Doctor B Hospital Pharma Company Welfare Center 7 Anja Lehmann IBM Research Zurich

8 Data Exchange Global Identifier user data is associated with globally unique identifier e.g., insurance ID, social security number Doctor A ID Alice.1210 Bob.0411 Carol.2503 Data Hospital ID Bob.0411 Carol.2503 Dave.1906 Data 8 Anja Lehmann IBM Research Zurich

9 Data Exchange Global Identifier user data is associated with globally unique identifier e.g., insurance ID, social security number different entities can easily share & link related data records Doctor A ID Data Alice.1210 Bob.0411 Record of Bob.0411? Carol.2503 Hospital ID Data Bob.0411 Carol.2503 Dave Anja Lehmann IBM Research Zurich

10 Data Exchange Global Identifier user data is associated with globally unique identifier e.g., insurance ID, social security number different entities can easily share & link related data records Doctor A ID Data Alice.1210 Bob.0411 Record of Bob.0411? Carol simple data exchange no control about data exchange if records are lost, pieces can be linked together data has high-value requires strong protection 10 Anja Lehmann IBM Research Zurich Hospital ID Bob.0411 Carol.2503 Dave.1906 Data

11 Data Exchange Global Identifier user data is associated with globally unique identifier e.g., insurance ID, social security number different entities can easily share & link related data records Doctor A ID Data # # Record of #247495? # random yet global identifiers not much better linkability allows re-identification similar problem: anonymization of data sets e.g., Netflix challenge, credit card transactions + simple data exchange no control about data exchange if records are lost, pieces can be linked together data has high-value requires strong protection 11 Anja Lehmann IBM Research Zurich Hospital ID # # # Data

12 Data Exchange Pseudonyms & Trusted Central Authority central authority derives independent entity-local identifiers from unique identifer user data is associated with (unlinkable) entity-local identifiers aka pseudonyms Doctor A ID Data Central Authority ID ID-A ID-H Hba02 P89dy 912uj Alice.1210 Hba02 7twnG Bob.0411 P89dy ML3m5 Carol uj sd7ab Dave G3wx y2b4m Hospital ID ML3m5 Data sd7ab y2b4m 12 Anja Lehmann IBM Research Zurich

13 Data Exchange Pseudonyms & Trusted Central Authority central authority derives independent entity-local identifiers from unique identifer user data is associated with (unlinkable) entity-local identifiers aka pseudonyms only CA can link & convert pseudonyms central hub for data exchange ID ID-A ID-H Alice.1210 Hba02 7twnG Bob.0411 P89dy ML3m5 Carol uj sd7ab Dave G3wx y2b4m Central Authority Record of P89dy? Record of ML3m5? Doctor A Hospital ID Hba02 P89dy 912uj ID ML3m5 Data Data sd7ab y2b4m 13 Anja Lehmann IBM Research Zurich

14 Data Exchange Pseudonyms & Trusted Central Authority central authority derives independent entity-local identifiers from unique identifer user data is associated with (unlinkable) entity-local identifiers aka pseudonyms only CA can link & convert pseudonyms central hub for data exchange ID ID-A ID-H Alice.1210 Hba02 7twnG Bob.0411 P89dy ML3m5 Carol uj sd7ab Dave G3wx y2b4m Central Authority + control about data exchange Record of P89dy? Record of ML3m5? + if records are lost, pieces cannot be linked together + user can monitor (& control) data flow central authority learns all request & knows all correlations 14 Anja Lehmann IBM Research Zurich Doctor A Hospital ID Hba02 P89dy 912uj ID ML3m5 sd7ab y2b4m Data Data

15 ideally: no party should know the correlation of all pseudonym 15 Anja Lehmann IBM Research Zurich

16 Data Exchange Pseudonyms & Central Authority central authority & entities jointly derive pseudonyms from unique identifers entities do not learn unique identifiers, CA does not learn the pseudonyms user data is associated with pseudonyms Doctor A ID Data Hba02 ID Central Authority P89dy 912uj Alice.1210 Bob.0411 Carol.2503 Dave.1906 Hospital ID Data ML3m5 sd7ab y2b4m 16 Anja Lehmann IBM Research Zurich

17 Data Exchange Pseudonyms & Central Authority central authority & entities jointly derive pseudonyms from unique identifers entities do not learn unique identifiers, CA does not learn the pseudonyms user data is associated with pseudonyms only CA can link & convert identifiers but does so in a blind way ID Alice.1210 Bob.0411 Central Authority Record of P89dy? Record of P89dy? blind conversion Record of P89dy? Record of P89dy? Doctor A Record of P89dy? blind conversion request unblinding conversion response Record of ML3m5? ID Hba02 P89dy 912uj Data Carol.2503 Dave.1906 Hospital ID Data ML3m5 sd7ab y2b4m 17 Anja Lehmann IBM Research Zurich

18 Data Exchange Pseudonyms & Central Authority central authority & entities jointly derive pseudonyms from unique identifers entities do not learn unique identifiers, CA does not learn the pseudonyms user data is associated with pseudonyms only CA can link & convert identifiers but does so in a blind way ID Alice.1210 Bob.0411 Carol.2503 Dave.1906 Central Authority Record of P89dy? Record of P89dy? blind conversion + control about data exchange Record of P89dy? Record of P89dy? + if records are lost, pieces cannot be linked together + central authority does not learn request (can not even tell if requests are for the same user) + central authority can not link data itself 18 Anja Lehmann IBM Research Zurich Doctor A Record of P89dy? blind conversion request unblinding conversion response Record of ML3m5? Hospital ID Hba02 P89dy 912uj ID ML3m5 sd7ab y2b4m Data Data

19 Summary if data contains personal identifying information high value for data thieves privacy risk for users security risk for data holder: data requires strong protection standard pseudonymization doesn't help re-identification via linkability basic protection techniques: reveal only data that is minimally necessary avoid globally unique personal identifiers strongly protect aquired (personal) data 19 Anja Lehmann IBM Research Zurich

20 Summary if data contains personal identifying information high value for data thieves privacy risk for users security risk for data holder: data requires strong protection standard pseudonymization doesn't help re-identification via linkability basic protection techniques: reveal only data that is minimally necessary privacy-enhancing yet strong authentication anonymous/pseudonymous consultations, e.g., online chat with a psychologist online consultation with IBM Watson pilot at swedish school for anonymous consultation avoid globally unique personal identifiers strongly protect aquired (personal) data 20 Anja Lehmann IBM Research Zurich

21 Summary if data contains personal identifying information high value for data thieves privacy risk for users security risk for data holder: data requires strong protection standard pseudonymization doesn't help re-identification via linkability basic protection techniques: reveal only data that is minimally necessary avoid globally unique personal identifiers strongly protect aquired (personal) data privacy-enhancing yet strong authentication anonymous/pseudonymous consultations, e.g., online chat with a psychologist online consultation with IBM Watson pilot at swedish school for anonymous consultation virtual trusted hardware how to secure confidential data on mobile devices challenge: security vs. convenience protection with user password (usually very insecure) & key server(s) jointly derive strong key split-key approach: loosing device loosing data 21 Anja Lehmann IBM Research Zurich

22 privacy-enhancing yet strong authentication or how to reveal only the data that is minimally necessary 22 Anja Lehmann IBM Research Zurich

23 Strong Authentication Motivation I'd like to get some health consultation! Sure, if you have valid insurance. Online Health Service 23 Anja Lehmann IBM Research Zurich

24 Strong Authentication Motivation Name Alice Doe Date of Birth Dec 12, 1998 Address 7 Waterdrive City 8003 Zurich Insurance SWICA Main ID # Expiry Date Jan 4, 2016 digital certificate / credential Alice Online Health Service 24 Anja Lehmann IBM Research Zurich

25 Strong Authentication Motivation Alice Online Health Service digital certificates for strong authentication 25 Anja Lehmann IBM Research Zurich

26 Strong Authentication Motivation This is a privacy and security problem! identity theft profiling discrimination Aha, you are Alice Doe born on Dec 12, Waterdrive CH 8003 Zurich SWICA insured ID # Expires Jan 4, 2016 Alice Online Health Service digital certificates for strong authentication 26 Anja Lehmann IBM Research Zurich

27 Privacy-Enhancing Credentials solve this. When Alice authenticates to the Online Health Service, all the service learns is that Alice and no more. has a valid insurance Sure, if you have valid insurance. Online Health Service 27 Anja Lehmann IBM Research Zurich

Expiry Date Jan 4, 2016 Alice Online Health Service privacy-enhancing

28 Privacy-Enhancing Credentials Name Alice Doe Date of Birth Dec 12, 1998 Address 7 Waterdrive City 8003 Zurich Insurance SWICA Main ID # Expiry Date Jan 4, 2016 Alice Online Health Service privacy-enhancing credential for strong yet privacy-enhancing authentication 28 Anja Lehmann IBM Research Zurich

29 Privacy-Enhancing Credentials privacy-enhancing credentials allow derivation of authentication tokens pseudonymous/anonymous authentication selective attribute disclosure Name Alice Doe Date of Birth Dec 12, 1998 Address 7 Waterdrive City 8003 Zurich Insurance SWICA Main ID # Expiry Date > today Alice valid subscription Online Health Service 29 Anja Lehmann IBM Research Zurich

30 Privacy-Enhancing Credentials privacy-enhancing credentials allow derivation of authentication tokens pseudonymous/anonymous authentication selective attribute disclosure Thanks, you have valid insurance. Alice Online Health Service 30 Anja Lehmann IBM Research Zurich

Privacy-Enhancing Credentials privacy-enhancing credentials allow derivation of authentication tokens pseudonymous/anonymous authentication selective attribute disclosure Name Alice Doe Date of Birth

31 Privacy-Enhancing Credentials privacy-enhancing credentials allow derivation of authentication tokens pseudonymous/anonymous authentication selective attribute disclosure Name Alice Doe Date of Birth Dec 12, 1998 Address 7 Waterdrive City 8003 Zurich Insurance SWICA Main ID # Expiry Date > today =? Alice valid subscription Online Health Service user can derive unlinkable token with different pseudonyms if unlinkability is desired or re-authenticate under already established pseudonym 31 Anja Lehmann IBM Research Zurich

32 Privacy-Enhancing Credentials Use Cases anonymous/pseudonymous consultations with specialists, e.g., online chat with a psychologist online consultation with IBM Watson not just theory: pilot at swedish school for anonymous consultation anonymous access to high-value data bases, e.g., DNA databases who accesses which data at which time can reveal sensitive information about the users (their research strategy, habits, etc.) 32 Anja Lehmann IBM Research Zurich

33 Privacy-Enhancing Credentials & Oblivious Transfer anonymous/pseudonymous consultations with specialists, e.g., online chat with a psychologist online consultation with IBM Watson not just theory: pilot at swedish school for anonymous consultation anonymous access to high-value data bases, e.g., DNA databases who accesses which data at which time can reveal sensitive information about the users (their research strategy, habits, etc.) oblivious data transfer / private information retrieval: user can access data base gets only data he has authorization for data base does not learn who the user is (but is ensured he has acess rights) & what data the user is fetching 33 Anja Lehmann IBM Research Zurich

34 How to protect confidential data? 34 Anja Lehmann IBM Research Zurich

35 Motivation How to store confidential data without assuming trusted user storage? challenge: mobile devices can get lost/stolen 35 Anja Lehmann IBM Research Zurich

36 How to protect sensitive data on a mobile device? user password pwd pwd psswrd123 sensitive data plaintext ciphertext solution? device encrypts data under password-derived key 36 Anja Lehmann IBM Research Zurich

37 How to protect sensitive data on a mobile device? user password pwd pwd psswrd123 sensitive data plaintext ciphertext solution? device encrypts data under password-derived key 37 Anja Lehmann IBM Research Zurich

38 How to protect sensitive data on a mobile device? user password pwd pwd psswrd123 sensitive data plaintext ciphertext solution? device encrypts data under password-derived key 38 Anja Lehmann IBM Research Zurich

39 How to protect sensitive data on a mobile device? solution? device encrypts data under password-derived key device only stores encrypted data, but not the encryption key 39 Anja Lehmann IBM Research Zurich

40 How to protect sensitive data on a mobile device? user password pwd' pwd' psswrd123 ciphertext plaintext solution? device encrypts data under password-derived key device only stores encrypted data, but not the encryption key to decrypt data, reconstruct key from password 40 Anja Lehmann IBM Research Zurich

41 How to protect sensitive data on a mobile device? what happens if device gets lost/stolen? adversary only learns the encrypted data 41 Anja Lehmann IBM Research Zurich

42 How to protect sensitive data on a mobile device? password password123 psswrd123 password password123 psswrd123 what happens if device gets lost/stolen? ciphertext plaintext adversary only learns the encrypted data but he can try to reconstruct key by guessing the password problem: offline attacks (dictionary attack, brute-force) 16-char passwords ~ 1 billion possibilities vs. GPUs test billions/second to get reasonable security, passwords must be long, random values inconvenient to use & hard to memorize 42 Anja Lehmann IBM Research Zurich

43 How to protect sensitive data on a mobile device? challenge: how can we get a strong cryptographic key from a weak password? without having offline attacks if device is lost solution: involve a key server & two-factor authentication towards server 43 Anja Lehmann IBM Research Zurich

44 How to protect sensitive data on a mobile device? user password pwd device secret S server 44 Anja Lehmann IBM Research Zurich

server solution: two-factor authentication based on user

45 How to protect sensitive data on a mobile device? user password pwd pwd device secret S h = Hash(S,pwd) h server solution: two-factor authentication based on user password and device secret pwd 1 pwd 2 45 Anja Lehmann IBM Research Zurich

46 How to protect sensitive data on a mobile device? user password pwd pwd device secret S h = Hash(S,pwd) h, server solution: two-factor authentication based on user password and device secret server chooses & stores random encryption key (i.e., independent of pwd or h!) 46 Anja Lehmann IBM Research Zurich

47 How to protect sensitive data on a mobile device? user password pwd device secret S h, device does not store encryption key or any password-derived data server solution: two-factor authentication based on user password and device secret server chooses & stores random encryption key (i.e., independent of pwd or h!) 47 Anja Lehmann IBM Research Zurich

48 How to protect sensitive data on a mobile device? user password pwd' pwd' device secret S h' = Hash(S,pwd') h' = h? h, server solution: two-factor authentication based on user password and device secret server chooses & stores random encryption key (i.e., independent of pwd or h!) online password verification to retrieve encryption key 48 Anja Lehmann IBM Research Zurich

49 How to protect sensitive data on a mobile device? user password pwd' pwd' device secret S h' = Hash(S,pwd') h' = h? h, server solution: two-factor authentication based on user password and device secret server chooses & stores random encryption key (i.e., independent of pwd or h!) online password verification to retrieve encryption key 49 Anja Lehmann IBM Research Zurich

50 How to protect sensitive data on a mobile device? password password123 psswrd123 device secret S h* = Hash(S,pwd*) h* = h? wrong password h, blocks verification after too many failed attempts server what happens if device gets lost/stolen? adversary must retrieve decryption key from server server will recognize suspicious behaviour and block account offline attacks don't work anymore 50 Anja Lehmann IBM Research Zurich

Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems. Anja Lehmann IBM Research Zurich

Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems Anja Lehmann IBM Research Zurich ROADMAP Anonymous Credentials privacy-preserving (user) authentication Pseudonym Systems privacy-preserving