Privacy in an Electronic World A Lost Cause?

Similar documents
Cryptography for People

IBM Identity Mixer. Introduction Deployment Use Cases Blockchain More Features

Cryptography 4 Privacy

Cryptographic dimensions of Privacy

Forschungsrichtungen in der IT-Sicherheit

Directions in Security Research

Cryptography 4 People

IBM Identity Mixer. Authentication without identification. Introduction Demo Use Cases Features Overview Deployment

Privacy-Enhancing Technologies & Applications to ehealth. Dr. Anja Lehmann IBM Research Zurich

Cryptography 4 People

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

Authentication Technology for a Smart eid Infrastructure.

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Most Common Security Threats (cont.)

Key Protection for Endpoint, Cloud and Data Center

COMPUTING FUNDAMENTALS I

CS 161 Computer Security

HOST Authentication Overview ECE 525

PKI Credentialing Handbook

Personal Cybersecurity

Keeping Important Data Safe and Secure Online. Norm Kaufman

Attacking Your Two-Factor Authentication (PS: Use Two-Factor Authentication)

DIGITAL IDENTITY TRENDS AND NEWS IN CHINA AND SOUTH EAST ASIA

Personal Internet Security Basics. Dan Ficker Twin Cities DrupalCamp 2018

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

PYTHIA SERVICE BY VIRGIL SECURITY WHITE PAPER

CSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018

Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

Security Specification

Meeting FFIEC Meeting Regulations for Online and Mobile Banking

Lecture 3 - Passwords and Authentication

System Structure. Steven M. Bellovin December 14,

FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

CSE 127: Computer Security Cryptography. Kirill Levchenko

Chapter 6 Network and Internet Security and Privacy

Prof. Christos Xenakis

MOBILITY TRANSFORMING THE MOBILE DEVICE FROM A SECURITY LIABILITY INTO A BUSINESS ASSET E-BOOK

Prof. Christos Xenakis

How Secured2 Uses Beyond Encryption Security to Protect Your Data

Authentication. Chapter 2

Google Cloud Platform: Customer Responsibility Matrix. December 2018

User Authentication. Modified By: Dr. Ramzi Saifan

Pass, No Record: An Android Password Manager

Kaspersky Small Office Security 5. Product presentation

Authentication SPRING 2018: GANG WANG. Slides credit: Michelle Mazurek (U-Maryland) and Blase Ur (CMU)

PKI is Alive and Well: The Symantec Managed PKI Service

The Device Has Left the Building

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Identity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation

Lecture 3 - Passwords and Authentication

Product Brief. Circles of Trust.

Cyber Security Basics. Presented by Darrel Karbginsky

Syllabus: The syllabus is broadly structured as follows:

Defeating the Secrets of OTP Apps

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

Is Password InSecurity Inevitable?

Mobile Devices prioritize User Experience

10 Hidden IT Risks That Might Threaten Your Business

User Authentication. Modified By: Dr. Ramzi Saifan

Secret Sharing, Key Escrow

EMBEDDED ENCRYPTION PLATFORM BENEFIT ANALYSIS

Strong Security Elements for IoT Manufacturing

Operating systems and security - Overview

Operating systems and security - Overview

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Direct Anonymous Attestation

Lecture 14 Passwords and Authentication

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Securing Wireless Mobile Devices. Lamaris Davis. East Carolina University 11/15/2013

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

===============================================================================

Deprecating the Password: A Progress Report. Dr. Michael B. Jones Identity Standards Architect, Microsoft May 17, 2018

How NOT To Get Hacked

SEARCH ENGINE OPTIMIZATION ALWAYS, SOMETIMES, NEVER

Outline Key Management CS 239 Computer Security February 9, 2004

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Digital Forensic Science: Ideas, Gaps and the Future. Dr. Joshua I. James

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

Dashlane Security Whitepaper

VMware, SQL Server and Encrypting Private Data Townsend Security

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Security Audit What Why

Introduction to Information Security Dr. Rick Jerz

ANDROID PRIVACY & SECURITY GUIDE ANDROID DEVICE SETTINGS

Security in NFC Readers

About & Beyond PKI. Blockchain and PKI. André Clerc Dipl. Inf.-Ing. FH, CISSP, CAS PM TEMET AG, Zürich. February 9, 2017

Enova X-Wall MX Frequently Asked Questions FAQs Ver. 4

Protect Yourself Against VPN-Based Attacks: Five Do s and Don ts

Network Security and Cryptography. December Sample Exam Marking Scheme

Protocol Integration and Implementation Problems

TPM v.s. Embedded Board. James Y

Phoenix: Rebirth of a Cryptographic Password-Hardening Service

Nigori: Storing Secrets in the Cloud. Ben Laurie

Dashlane Security White Paper July 2018

Modern two-factor authentication: Easy. Affordable. Secure.

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Transcription:

InfoSec 2015 Summer School on Information Security Bilbao Privacy in an Electronic World A Lost Cause? Dr. Jan Camenisch Cryptography & Privacy Principal Research Staff Member Member, IBM Academy of Technology jca@zurich.ibm.com @JanCamenisch ibm.biz/jancamenisch

We all have lots of data, and many are personal 2 2015 Information Security Summer School - Bilbao

use them with different devices, store them anywhere and leave collateral data while doing so to make things worse: it's en vogue to let users manage their data :-( 3 2015 Information Security Summer School - Bilbao

...but how can we protect them????? 4 2015 Information Security Summer School - Bilbao

Houston, we have a problem! ᄅ 5 2015 Information Security Summer School - Bilbao

Houston, we have a problem! ᄅ Buzz Aldrin's footprints are still up there (Robin Wilton) 6 2015 Information Security Summer School - Bilbao

Computers don't forget! Data storage ever cheaper store by default also collateral collection, surveillance cameras, Google Street View with wireless traffic, Apple location history,...! Data mining ever better self-training algorithms cleverer than their designers not just trend detection, even prediction, e.g., flu pandemics, ad clicks, purchases, what about health insurance, criminal behavior?! The world as we know it Humans forget most things too quickly Paper collects dust in drawers We build apps with the paper-based world in mind :-( if it works it works security too often still an afterthought implementors too often have no crypto education 7 2015 Information Security Summer School - Bilbao

Where's all my data? The ways of data are hard to understand! Devices, operating systems, & apps are getting more complex and intertwined Mashups, Ad networks Not visible to users, and experts Data processing changes constantly! And the cloud makes it worse... Processing machines can be moved around w/out borders Far too easy to lose (control over) data and to collect data! 8 2015 Information Security Summer School - Bilbao

You have no privacy, get over it...?!? The NSA has all our data anyway I have nothing to hide!! Huge security problem! Millions of hacked passwords (100'000 followers $115-2013) Stolen identities ($150-2005, $15-2009, $5 2013)! Difficult to put figures down Credit card fraud Spam & marketing Manipulating stock ratings, etc.. (Industrial) espionage! We know secret services can do it easily, but they are not the only ones but this is not about homeland security and there are limits to the degree of protection that one can achieve! last but not least: data are the new money, so they need to be protected! 9 2015 Information Security Summer School - Bilbao

Privacy a lost case? No, but we need paradigm shift & build stuff for the moon rather than the sandy beach! 10 2015 Information Security Summer School - Bilbao

What does that mean?! Apply Data Minimization Privacy & Security by Design Require (users to reveal) only the data that are really needed Do not design with the sandy beach beach in mind! Encrypt every bit Data should never ever be in the clear process it in the encrypted domain still need to manage keys carefully Needs to support switching of cryptographic algorithms symmetric key crypto gets broken at times beware of quantum computers! Attach usage & access control policy to every bit enforce need to know honest but curious probably good enough 11 2015 Information Security Summer School - Bilbao

What does it mean: the electronic gap! Strong security requires strong cryptographic authentication! Humans rarely can remember cryptographic keys let alone compute with them! From Humans to Keys the electronic gap Smart cards, HW tokens: a nuisance! Passwords: are dead?! Biometrics: cannot change them, too easily fooled?? 12 2015 Information Security Summer School - Bilbao

What does that mean? We do have the technology/crypto, but it is hardly used! Deemed too expensive! Too hard to manage all the keys, fear of loosing keys! Protecting data is considered futile! Often required by law, but these are w/out teeth! Debate about legality of encryption V2.0 On the positive side! Importance of security and privacy increasingly recognized! Laws are revised 13 2015 Information Security Summer School - Bilbao

Cryptography to the Aid 14 2015 Information Security Summer School - Bilbao

I. Human Computer Authentication Done Right PW PW correct? Password-based cryptography Off-line vs on-line attacks Solution: distributed password verification Done s.t. no info depends solely on password Must work even for short passwords (mobile) 15 2015 Information Security Summer School - Bilbao

The problem with passwords password salted PW hash correct? correct? correct? correct? correct? correct? correct!!! Passwords are symmetric and get lost too often! Password (hashes) useless against offline attacks Human-memorizable passwords are inherently weak NIST: 16-character passwords have 30 bits of entropy 1 billion possibilities Rig of 25 GPUs tests 350 billion possibilities / second, so 3ms for 16 chars 60% of LinkedIn passwords cracked within 24h! More expensive hash functions provide very little help only increases verification time as well does not work for short passwords such as pins etc! Single-server solutions inherently vulnerable to offline attacks Server / administrator / hacker can always guess & test 16 2015 Information Security Summer School - Bilbao

Solution: distributed password protocols Basic idea: multi-server password verification protocols split password for verification no server alone can test password no piece of information depends on password E= Enc X (p) X 1 E' = Enc X (1/p') E = Enc X (p/p') E' E' p' = p? Dec X (E') = 1? E=Enc X (p) Off-line attacks no longer possible! X 2 On-line attacks detectable and handleable (throttling) 17 2015 Information Security Summer School - Bilbao

Many different protocols [CLN'12,CLLN'14,CEN'15] Extensions: Servers could send key share to user if p=p': password to strong crypto key Many servers Asymmetric setting: user device plus one server (or many server) PW Password verification Password protected decryption of stored data (hard disk etc) Password-protect joint signing... Virtual Smart Card/Security Token 18 2015 Information Security Summer School - Bilbao

II. Data Minimizing Authorization & Authentication w/ ABCs (Public Verification Key) Are you > 12?! Service provider tells user what attribute are required! User transforms credentials into a token with just these attributes! Service provider can verify token w.r.t. issuers' verification keys More on this: www.zurich.ibm.com/idemix and later today 19 2015 Information Security Summer School - Bilbao

III. Protecting our information using keys Encrypt and Authenticate Users (to Users):! Technology available (mostly) Storage (Hard disk encryption, encrypted volumes) Transmission (Email, SSL/Browsers, ) Instant messaging, depends on implementation! But more research is needed PKI/CA problematic (Diginotar) need better approaches Dealing with keys still hard for users need apps & better solutions Backup & syncing between the devices could use the cloud, but that reveals tons of co-lateral information use our own cloud / router 20 2015 Information Security Summer School - Bilbao

III. Protecting our information using keys Encrypt and Authentication Users to Service Providers! Authentication still username & password :-( And still gets broken Alternatives available (c.f. slides before) FIDO Identity Mixer :-)! Encryption (e.g., user documents stored on servers) Mostly out of control of user but solvable with std crypto & key mgmt Often password based (linked to authentication) Encrypt and Authentication Devices (IoT)! The Good: Browser, VPNs,! The Bad: (or rather research topics ;-) Hardly any device to device authentication VPN not flexible enough need to know basis Washing machine does not need access to my music Music player does not need access to my health record 21 2015 Information Security Summer School - Bilbao

IV. Securing the Cloud data f(data) First of all: cloud is (also) a deployment model! Virtual machines! Software as services! Allows for easier composition and deployment of services 22 2015 Information Security Summer School - Bilbao

IV. Securing the Cloud Secure computation in the cloud (and your servers)! Fully homomorphic encryption works only for rather small comp.! Multiparty computation secret share data distributed computation can compile programs! Open research multi-party protocols revisited (honest but curious w/ auditability) key management (protection, distribution, updates) (oblivious) security services (justifiable & minimal TTPs) data f(data) 23 2015 Information Security Summer School - Bilbao

Further Research Needed!! Securing the infrastructure & IoT ad-hoc establishment of secure authentication and communication audit-ability & privacy (where is my information, crime traces) security services, e.g., better CA, oblivious TTPs, anon. routing,!usability HCI Infrastructure (setup, use, changes by end users)! Provably secure protocols Properly modeling protocols (UC, realistic attacks models,...) Verifiable security proofs Retaining efficiency 24 2015 Information Security Summer School - Bilbao

Further Research Needed!! Quantum Computers Lots of new crypto needed still Build apps algorithm agnostic! Towards a secure information society Society gets shaped by quickly changing technology Consequences are hard to grasp yet We must inform and engage in a dialog 25 2015 Information Security Summer School - Bilbao

Conclusion Let engage in some rocket science!! Much of the needed technology exists! need to use them & build apps for the moon! and make apps usable & secure for end users Thank you! jca@zurich.ibm.com @JanCamenisch ibm.biz/jancamenisch 26 2015 Information Security Summer School - Bilbao

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback