Date post: 11-Jun-2020
Page 1

FoMSESS 17

Maritta Heisel

Motivation

Patterns

AORE

ABC PET Pattern

Problem Space

Solution Space

Conclusion

Pattern-based Representation of Privacy Enhancing Technologies as Early Aspects

Rene Meis, Maritta Heisel

University of Duisburg-Essen, Duisburg, Germany

September 7, 2017

1/14

Page 2


Operationalization of Privacy Requirements: Problem Statement

Figure: on the left, the requirements, split into non-functional requirements (privacy, namely security, unlinkability, transparency and intervenability; usability; performance; costs; ...) and functional requirements (data collection, data storage, data processing, data transfer); on the right, Privacy Enhancing Technologies (PETs): encryption, data anonymization, anonymity systems, access control, policy and feedback tools, ...; in between, the requirements engineer facing the three questions below.

Driving questions

1. How to find PETs operationalizing the needed privacy requirements?

2. How to select among different PETs addressing the privacy needs?

3. How to integrate PETs into the functional requirements?

2/14

Page 3


Operationalization of Privacy Requirements: Solution Strategy: PET Patterns

Problem

1. How to find PETs operationalizing the needed privacy requirements?

2. How to select among different PETs addressing the privacy needs?

Solution: PET patterns containing:

• Solution provided by the PET

• Context of applicability

• Problem addressed

• PET's impact on privacy and non-functional requirements

• Application examples

Consumers: Requirements Engineers

Figure: the PET pattern template. Problem space: Name, Motivation, Context, Problem, Forces. Solution space: Solution, Benefits, Liabilities, Examples, Related Patterns.

3/14

Page 4


Operationalization of Privacy Requirements: Solution Strategy: Aspect-Oriented Requirements Engineering

Problem

3. How to integrate PETs into the functional requirements?

Solution: Aspect-Oriented Requirements Engineering

• Privacy requirements are cross-cutting

• PETs can be described independently of the application scenario

• Cross-cutting concerns are extracted in AORE and expressed mostly independently from the functionality they cross-cut

• Join points specify how aspects can be integrated (weaved) into other functionalities

Figure: the functional requirements Data Collection, Data Storage, Data Processing and Data Transfer are cross-cut by the privacy requirements Intervenability, Transparency, Unlinkability and Security.

4/14

Page 5


PET Pattern Example: Attribute-Based Credentials (1)

Problem Space – Motivation, Context and Problem

Name: Attribute-Based Credentials, Privacy-ABCs

Motivation: A cigarette vending machine shall sell cigarettes only to adults, without identifying individuals or linking purchases.

Context/Problem: A machine manages user requests for accessing a specific resource providing a service. Users' requests contain personal information (PI) or at least information about PI. This information needs to be checked for authenticity and legitimacy, while minimal PI is revealed.

Figure: problem diagram with the domains User, Base Machine (Provide Service) and Resource; shared phenomena U!{requestResource} and BM!{provideResource} between User and Base Machine, and BM!{requestService} and R!{provideService} between Base Machine and Resource. Sequence diagram "sd Relevant problem behavior" with the lifelines User, Base Machine and Resource: ref Before behavior; requestResource; provideService; ref After behavior.

(1) based on ABC4Trust deliverables (http://abc4trust.eu)

5/14

Page 6


PET Pattern Example: Attribute-Based Credentials

Problem Space – Privacy Forces

Privacy Forces

Confidentiality: Only proofs that PI has certain properties are needed; the actual PI shall not be disclosed.

Integrity: The provided information shall be authentic and correct.

Anonymity/Data unlinkability: The service provider shall not be able to link the collected data to the user or to data from other interactions.

Collection information: Users shall be informed about the PI that is collected.

6/14

Page 7


PET Pattern Example: Attribute-Based Credentials

Problem Space – General Forces

General Forces

End-user friendliness: needs to be balanced with the degree of privacy protection needed.

Performance: needs to be balanced with the degree of privacy protection needed.

Costs: need to be balanced with the degree of privacy protection needed.

Abuse of PET: It shall not be possible to get access to the service by providing incorrect data.

Revocation: It may be wished to re-identify an individual user in specific cases.

7/14

Page 8


PET Pattern Example: Attribute-Based Credentials

Solution Space – Solution – General Overview and Assumptions

Solution: General Overview

Figure: general overview of the solution, with the domains User, Base Machine, Resource, User Agent, Credentials, Verifier Machine, Issuer, Presentation Policy, Presentation Token, Credential Specification, Issuer Parameters, Issuance Key, Used Presentation Token and Verifier.

Assumptions about User, User Agent, and Issuer

8/14

Page 9


PET Pattern Example: Attribute-Based Credentials

Solution Space – Solution – Aspects

Aspects

1. Provide presentation policy to User Agent

2. Verify received presentation token

3. Store used presentation token

Figure: sequence diagram "sd Verification" with the lifelines Base Machine, User Agent, Credential Specification, Issuer Parameters, Verifier Machine and Presentation Policy. Join points: "Presentation policy received" and "Presentation token received". Messages: fwdRequestResource, verifyRequest, get_presentationPolicies / presentationPolicies, get_credentialSpecification / credentialSpecification, get_issuerParameters / issuerParameters, verificationResult.

9/14

Page 10


PET Pattern Example: Attribute-Based Credentials

Solution Space – Solution – Weaving and Base Problems

Weaving

Figure: sequence diagram "sd Privacy-ABCs' aspects weaved" with the lifelines Base Machine, User Agent, User, Credential Specification, Issuer Parameters, Used Presentation Tokens, Resource, Verifier Machine and Presentation Policy: ref Before behavior; requestResource; ref sd Provide presentation policy; ref sd Verification; ref sd Store used presentation token; an opt fragment; alt [verification successful]: ref After behavior.

Base Problems include the definition of the presentation policy

10/14
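As an added example (not code from the slides or from the ABC4Trust project), the following Go program models the three aspects of the verification sequence and their weaving into the base machine: the base machine hands out the presentation policy, the verifier machine checks a presentation token against the issuer parameters and the policy and records it in the used-token store, and only if verification succeeds does the after behaviour (providing the resource) run. All names (Issue, Present, VerifierMachine, BaseMachine, the attributes name/birth_year/is_adult, the resource "cigarettes") are assumptions constructed for this example. The credential scheme is a deliberately simplified stand-in, not a Privacy-ABC: the issuer signs salted hash commitments to each attribute and the user agent opens only the attributes the policy requires, so the verifier learns the adult flag but never the name or birth year. Unlike a Privacy-ABC, every token from one credential carries the same issuer signature, so tokens are linkable; this is exactly the liability the pattern lists under anonymity/data unlinkability, and it also means a second presentation of the same credential is indistinguishable from a replay here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for a Privacy-ABC (not ABC4Trust's scheme): the Issuer signs salted
// hash commitments to attributes; the User Agent opens only those the policy asks for.
type CredentialSpecification struct{ Attributes []string }  // provided by the Issuer
type IssuerParameters struct{ PublicKey ed25519.PublicKey } // provided by the Issuer
type PresentationPolicy struct{ Require map[string]string }  // defined by the base problem
type Disclosure struct{ Value, Salt string }                 // opens one commitment
type Credential struct {
	Commitments map[string]string     // attribute name -> hex(SHA-256(name|value|salt))
	Signature   []byte                // Issuer signature over all commitments
	Opened      map[string]Disclosure // all attributes at the User Agent; only disclosed ones in a token
}
type PresentationToken = Credential // same shape, but Opened holds only what the policy requires

func commit(name string, d Disclosure) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(name+"|"+d.Value+"|"+d.Salt)))
}

// signedMessage: fmt prints map keys sorted, so Issuer and Verifier hash identical bytes.
func signedMessage(c map[string]string) []byte { return []byte(fmt.Sprint(c)) }

// Issue: the Issuer commits to every attribute of the specification and signs the set.
func Issue(priv ed25519.PrivateKey, spec CredentialSpecification, values map[string]string) (Credential, error) {
	cred := Credential{map[string]string{}, nil, map[string]Disclosure{}}
	for _, name := range spec.Attributes {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, err
		}
		cred.Opened[name] = Disclosure{values[name], fmt.Sprintf("%x", salt)}
		cred.Commitments[name] = commit(name, cred.Opened[name])
	}
	cred.Signature = ed25519.Sign(priv, signedMessage(cred.Commitments))
	return cred, nil
}

// Present: the User Agent opens exactly the attributes named in the policy (minimal PI).
func Present(cred Credential, policy PresentationPolicy) PresentationToken {
	tok := PresentationToken{cred.Commitments, cred.Signature, map[string]Disclosure{}}
	for name := range policy.Require {
		tok.Opened[name] = cred.Opened[name]
	}
	return tok
}

var ErrTokenReused = errors.New("presentation token already used")

// VerifierMachine realises aspects 2 and 3: verify the token, then record it as used.
type VerifierMachine struct{ Params IssuerParameters; Policy PresentationPolicy; Used map[string]bool }

func (vm *VerifierMachine) Verify(tok PresentationToken) error {
	if !ed25519.Verify(vm.Params.PublicKey, signedMessage(tok.Commitments), tok.Signature) {
		return errors.New("issuer signature invalid")
	}
	for name, want := range vm.Policy.Require { // each required attribute must open to the wanted value
		d, ok := tok.Opened[name]
		if !ok || commit(name, d) != tok.Commitments[name] || d.Value != want {
			return fmt.Errorf("policy requirement %s=%s not met by a valid disclosure", name, want)
		}
	}
	id := fmt.Sprintf("%x", sha256.Sum256(append(signedMessage(tok.Commitments), tok.Signature...)))
	if vm.Used[id] { // Used Presentation Tokens store: a token is accepted once only
		return ErrTokenReused
	}
	vm.Used[id] = true
	return nil
}

// BaseMachine: aspect 1 hands out the policy; Verify is woven in before the after behaviour
// (providing the resource), which runs only if verification succeeds.
type BaseMachine struct{ Verifier *VerifierMachine; Resource string }

func (bm *BaseMachine) PresentationPolicy() PresentationPolicy { return bm.Verifier.Policy }

func (bm *BaseMachine) RequestResource(tok PresentationToken) (string, error) {
	if err := bm.Verifier.Verify(tok); err != nil { // ref sd Verification
		return "", err // alt: verification failed, after behaviour skipped
	}
	return bm.Resource, nil // ref After behavior
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	spec := CredentialSpecification{[]string{"name", "birth_year", "is_adult"}} // constructed example
	bm := &BaseMachine{&VerifierMachine{IssuerParameters{pub}, PresentationPolicy{map[string]string{"is_adult": "true"}}, map[string]bool{}}, "cigarettes"}
	cred, _ := Issue(priv, spec, map[string]string{"name": "Alice", "birth_year": "1990", "is_adult": "true"})
	tok := Present(cred, bm.PresentationPolicy())
	fmt.Println(bm.RequestResource(tok)) // cigarettes <nil>
	fmt.Println(bm.RequestResource(tok)) //  presentation token already used
}
```

Running it provides the resource for the first request and returns the reuse error for the second. The same Verify also rejects a credential whose adult flag is "false" (policy check), a token whose disclosed value was altered after issuance (the opened value no longer matches its commitment), and a credential signed by a key other than the one in the issuer parameters; these are the "Abuse of PET" and integrity benefits on the consequences slides, while the inability to name the person behind a misused token is the matching liability.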

Page 11


PET Pattern Example: Attribute-Based Credentials

Solution Space – Privacy Consequences

Privacy Consequences

Confidentiality
  Benefits: Proofs about credentials' properties can be generated.
  Liabilities: The presentation policy has to request only minimal PI.

Integrity
  Benefits: Credentials cannot be modified; presentation tokens can only be created based on credentials.
  Liabilities: Necessary changes of the credentials require a revocation of old credentials.

Anonymity/Data unlinkability
  Benefits: Presentation tokens are not linkable to their user or to other tokens.
  Liabilities: The information contained in the presentation token could allow links to be created.

Collection Information
  Benefits: The presentation policy specifies which PI is collected.
  Liabilities: Verifiers still need to inform about the purpose of PI collection if this is necessary.

11/14

Page 12


PET Pattern Example: Attribute-Based Credentials

Solution Space – General Consequences

General Consequences

End-user friendliness
  Benefits: Positive if an existing ABC infrastructure is used.
  Liabilities: User friendliness strongly depends on the user agent.

Performance
  Benefits: -
  Liabilities: A higher response time is expected.

Costs
  Benefits: Relatively low if an existing ABC infrastructure is used.
  Liabilities: High if an ABC infrastructure of one's own is set up and maintained.

Abuse of PET
  Benefits: Corrupted tokens can be detected, and the issuer guarantees correctness.
  Liabilities: If the software-to-be can be misused, it is hardly possible to identify the malicious user.

Revocation
  Benefits: -
  Liabilities: Revocation is not supported, but extensions including revocation exist.

12/14

Page 13


PET Pattern Example: Attribute-Based Credentials

Solution Space – Examples and Related Patterns

Examples: Instantiation for the cigarette vending machine:

Figure: the general overview instantiated with Customer as User, eID Card as User Agent holding the Credentials, German State as Issuer (with Credential Specification, Issuer Parameters and Issuance Key), Cigarette Vending Machine as Base Machine, Cigarette Dispenser as Resource, Vending Machine Company as Verifier, and the Verifier Machine with its Presentation Policy, Presentation Token and Used Presentation Token.

Related Patterns: Privacy-ABCs with Revocation Authority, Privacy-ABCs with Inspector

13/14

Page 14


Conclusion

Contributions

1. Pattern format for the presentation of PETs. Addressing:

• How to find PETs operationalizing the needed privacy requirements?

• How to select among different PETs addressing the privacy needs?

2. Description of PETs as early aspects. Addressing:

• How to integrate PETs into the functional requirements?

3. PET pattern for Attribute-Based Credentials based on the ABC4Trust project (2)

Future directions

• Creation of a (machine-readable) library of PET patterns

• Adding explicit references to threats that are mitigated by a PET

(2) https://abc4trust.eu

14/14

