FoMSESS 17
Maritta Heisel
Motivation
Patterns
AORE
ABC PETPattern
Problem Space
Solution Space
Conclusion
Pattern-based Representation of Privacy Enhancing Technologies as Early Aspects
Rene Meis, Maritta Heisel
University of Duisburg-Essen, Duisburg, Germany
September 7, 2017
1/14
Operationalization of Privacy Requirements: Problem Statement
[Figure: requirements split into non-functional (Privacy: Security, Unlinkability, Transparency, Intervenability; Usability; Performance; Costs; ...) and functional (Data Collection, Data Storage, Data Processing, Data Transfer); Privacy Enhancing Technologies (PETs): Encryption, Data Anonymization, Anonymity Systems, Access Control, Policy and feedback tools, ...; the Requirements Engineer faces three open questions (1., 2., 3.)]
Driving questions
1. How to find PETs operationalizing the needed privacy requirements?
2. How to select among different PETs addressing the privacy needs?
3. How to integrate PETs into the functional requirements?
Operationalization of Privacy Requirements: Solution Strategy: PET Patterns
Problem
1. How to find PETs operationalizing the needed privacy requirements?
2. How to select among different PETs addressing the privacy needs?
Solution: PET patterns containing:
• Solution provided by the PET
• Context of applicability
• Problem addressed
• PET’s impact on privacy and non-functional requirements
• Application examples
Consumers: Requirements Engineers
[Figure: PET pattern template with the fields Name, Related Patterns, Motivation, Examples, Context, Problem, Solution, Forces, Benefits, Liabilities, divided into Problem Space and Solution Space]
Operationalization of Privacy Requirements: Solution Strategy: Aspect-Oriented Requirements Engineering
Problem
3. How to integrate PETs into the functional requirements?
Solution: Aspect-Oriented Requirements Engineering (AORE)
• Privacy requirements are cross-cutting
• PETs can be described independently of the application scenario
• Cross-cutting concerns are extracted in AORE and expressed mostly independently from the functionality they cross-cut
• Join points specify how aspects can be integrated (weaved) into other functionalities
[Figure: functional requirements Data Collection, Data Storage, Data Processing and Data Transfer cross-cut by the privacy requirements Intervenability, Transparency, Unlinkability and Security]
PET Pattern Example: Attribute-Based Credentials [1]
Problem Space – Motivation, Context and Problem
Name: Attribute-Based Credentials, Privacy-ABCs
Motivation: A cigarette vending machine shall sell cigarettes only to adults, without identifying individuals or linking purchases.
Context/Problem: A machine manages user requests for accessing a specific resource providing a service. Users’ requests contain personal information (PI) or at least information about PI. This information needs to be checked for authenticity and legitimacy, while minimal PI is revealed.
[Figure: problem diagram "Provide Service" with domains User, Base Machine and Resource and the phenomena U!{requestResource}, BM!{provideResource}, BM!{requestService}, R!{provideService}; sequence diagram "sd Relevant problem behavior" between User, Base Machine and Resource: ref Before behavior, requestResource, provideService, ref After behavior]
[1] based on ABC4Trust deliverables (http://abc4trust.eu)
PET Pattern Example: Attribute-Based Credentials. Problem Space – Privacy Forces
Privacy Forces
Confidentiality: Only proofs that PI has certain properties are needed; the actual PI shall not be disclosed.
Integrity: The provided information shall be authentic and correct.
Anonymity/Data unlinkability: The service provider shall not be able to link the collected data to the user or to data from other interactions.
Collection information: Users shall be informed about the PI that is collected.
PET Pattern Example: Attribute-Based Credentials. Problem Space – General Forces
General Forces
End-user friendliness: needs to be balanced with the degree of privacy protection needed.
Performance: needs to be balanced with the degree of privacy protection needed.
Costs: need to be balanced with the degree of privacy protection needed.
Abuse of PET: It shall not be possible to get access to the service by providing incorrect data.
Revocation: It may be wished to re-identify an individual user in specific cases.
PET Pattern Example: Attribute-Based Credentials. Solution Space – Solution – General Overview and Assumptions
Solution: General Overview
[Figure: general overview with the domains User, User Agent, Credentials, Base Machine, Resource, Verifier Machine, Verifier, Issuer, Presentation Policy, Presentation Token, Credential Specification, Issuer Parameters, Issuance Key and Used Presentation Token]
Assumptions about User, User Agent, and Issuer
PET Pattern Example: Attribute-Based Credentials. Solution Space – Solution – Aspects
Aspects:
1. Provide presentation policy to User Agent
2. Verify received presentation token
3. Store used presentation token
[Figure: sequence diagram "sd Verification" between Base Machine, User Agent, Verifier Machine, Presentation Policy, Credential Specification and Issuer Parameters: fwdRequestResource, verifyRequest, get_presentationPolicies / presentationPolicies, get_credentialSpecification / credentialSpecification, get_issuerParameters / issuerParameters, verificationResult; states "Presentation policy received" and "Presentation token received"]
PET Pattern Example: Attribute-Based Credentials. Solution Space – Solution – Weaving and Base Problems
Weaving
[Figure: sequence diagram "sd Privacy-ABCs' aspects weaved" between User, User Agent, Base Machine, Verifier Machine, Presentation Policy, Credential Specification, Issuer Parameters, Used Presentation Tokens and Resource: ref Before behavior, requestResource, ref sd Provide presentation policy, ref sd Verification, opt ref sd Store used presentation token, alt [verification successful] ref After behavior]
Base Problems include the definition of the presentation policy.
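The three aspects and their weaving around the base machine's requestResource join point, as an added Python model that is not part of the slides or of ABC4Trust: PresentationPolicy, PresentationToken, VerifierMachine, weave_privacy_abcs and vending_machine_demo are constructed names, and the token's proof field together with the check_proof hook only stands in for the cryptographic proof verification a real Privacy-ABC library performs.

```python
from dataclasses import dataclass, field

@dataclass
class PresentationPolicy:            # what the verifier asks the User Agent to prove
    credential_spec: str             # accepted credential specification
    issuer: str                      # issuer whose parameters are trusted
    predicates: frozenset            # properties to prove, e.g. {"age>=18"}; no raw PI

@dataclass
class PresentationToken:             # what the User Agent derives from its credentials
    credential_spec: str
    issuer: str
    proven: frozenset                # properties the token proves
    proof: str                       # stands in for the cryptographic proof (opaque here)
    nonce: str                       # freshness value; lets the verifier detect reuse

@dataclass
class VerifierMachine:
    policy: PresentationPolicy
    check_proof: callable            # hook for the ABC library's proof check (assumed)
    used_tokens: set = field(default_factory=set)
    def provide_presentation_policy(self):             # aspect 1
        return self.policy
    def verify(self, token):                           # aspect 2: sd Verification
        p = self.policy
        if (token.credential_spec, token.issuer) != (p.credential_spec, p.issuer):
            return False      # credential specification / issuer parameters not accepted
        if not p.predicates <= token.proven:
            return False      # incorrect data: a required property is not proven
        if token.nonce in self.used_tokens:
            return False      # replayed presentation token
        return self.check_proof(token)
    def store_used_token(self, token):                 # aspect 3
        self.used_tokens.add(token.nonce)

def weave_privacy_abcs(verifier, user_agent, after_behavior):
    def request_resource():                            # the join point of the base machine
        policy = verifier.provide_presentation_policy()  # sd Provide presentation policy
        token = user_agent(policy)                       # User Agent answers the policy
        if not verifier.verify(token):                   # alt [verification successful]
            return "denied"
        verifier.store_used_token(token)                 # opt: sd Store used presentation token
        return after_behavior()                          # ref After behavior
    return request_resource

def vending_machine_demo(proven=frozenset({"age>=18"}), proof="valid", nonce="n1", reuse=False):
    # constructed instantiation: Cigarette Vending Machine, eID Card issued by the German State
    verifier = VerifierMachine(PresentationPolicy("eID Card", "German State", frozenset({"age>=18"})),
                               check_proof=lambda t: t.proof == "valid")  # demo stand-in only
    agent = lambda pol: PresentationToken(pol.credential_spec, pol.issuer, proven, proof, nonce)
    dispense = weave_privacy_abcs(verifier, agent, lambda: "dispensed")
    first = dispense()
    return dispense() if reuse else first
```

The base machine's after behavior only runs when the token proves every predicate the policy asks for, so the machine learns "age>=18" and nothing else about the customer; a second presentation of the same token is refused through the stored used-token nonce.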
PET Pattern Example: Attribute-Based Credentials. Solution Space – Privacy Consequences
Privacy Consequences (Benefits and Liabilities)
Confidentiality
  Benefit: Proofs about credentials’ properties can be generated.
  Liability: The presentation policy has to request only minimal PI.
Integrity
  Benefit: Credentials cannot be modified; presentation tokens can only be created based on credentials.
  Liability: Necessary changes of the credentials require a revocation of old credentials.
Anonymity/Data unlinkability
  Benefit: Presentation tokens are not linkable to their user or to other tokens.
  Liability: The information contained in the presentation token could allow links to be created.
Collection information
  Benefit: The presentation policy specifies which PI is collected.
  Liability: Verifiers still need to inform about the purpose of PI collection if this is necessary.
PET Pattern Example: Attribute-Based Credentials. Solution Space – General Consequences
General Consequences (Benefits and Liabilities)
End-user friendliness
  Benefit: Positive if an existing ABC infrastructure is used.
  Liability: User friendliness strongly depends on the user agent.
Performance
  Benefit: -
  Liability: A higher response time is expected.
Costs
  Benefit: Relatively low if an existing ABC infrastructure is used.
  Liability: High if an own ABC infrastructure is set up and maintained.
Abuse of PET
  Benefit: Corrupted tokens can be detected, and the issuer guarantees correctness.
  Liability: If the software-to-be can be misused, it is hardly possible to identify the malicious user.
Revocation
  Benefit: -
  Liability: Revocation is not supported, but extensions including revocation exist.
PET Pattern Example: Attribute-Based Credentials. Solution Space – Examples and Related Patterns
Examples: Instantiation for the cigarette vending machine:
[Figure: the general overview instantiated with Customer, eID Card, German State, Cigarette Vending Machine, Cigarette Dispenser and Vending Machine Company; Verifier Machine, Presentation Policy, Presentation Token, Credential Specification, Issuer Parameters, Issuance Key, Used Presentation Token and Credentials as in the general overview]
Related Patterns: Privacy-ABCs with Revocation Authority, Privacy-ABCs with Inspector
Conclusion
Contributions
1. Pattern format for the presentation of PETs. Addressing:
• How to find PETs operationalizing the needed privacy requirements?
• How to select among different PETs addressing the privacy needs?
2. Description of PETs as early aspects. Addressing:
• How to integrate PETs into the functional requirements?
3. PET pattern for Attribute-Based Credentials based on the ABC4Trust project [2]
Future directions
• Creation of a (machine-readable) library of PET patterns
• Adding explicit references to threats that are mitigated by a PET
[2] https://abc4trust.eu