Date post: | 21-Dec-2015 |
Category: |
Documents |
View: | 215 times |
Download: | 2 times |
Towards Accountable Management of
Identity and Privacy: Sticky Policies and Enforceable Tracing
ServicesMarco Casassa Mont Siani PearsonPete Bramhall
Trusted Systems LaboratoryHewlett-Packard Labs, Bristol, UK
TrustBus 2003, 2-4 September 2003
Prague, Czech Republic
page 210/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Presentation Outline
• Setting the Context• Scenario• Addressed Problems• Related Work• Our Approach• Discussion• Conclusions
page 310/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Setting the Context
• Digital Identities and Profiles are relevant to enable transactions and interactions on the web, in many contexts: personal, social, business, government, etc.
• Privacy Management is a major issue: involves people, organisations, governments, etc.
• Different reactions by people: ranging from “completely ignoring the privacy issues” to “being so concerned to prevent any web interaction”
page 410/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Scenario: Multiparty Interactions [1]
User
Enterprise Enterprise
Negotiation ofPrivacy Policy
Provision ofIdentity & Profile
Data
Identity/Profile
Disclosure
Multiparty Transaction / Interaction
Policies Enterprise
Data
Services
Services
Services
Similar issues in the e-Commerce, Enterprise, Financial and Government Areas
page 510/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Scenario: Multiparty Interactions [2]
• Little has been done so far to directly involve people (or third parties acting on their behalf) in the management of their privacy
• Users lack control over their personal information after their initial disclosures
• Organisations, as well, lack control over the confidential information they manage on behalf of their customers, once they disclose it to third parties
• It is hard to make organisations accountable
page 610/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Addressed Problems
• Privacy Enforcement
• Accountability of Organizations
• Involvement of People in the Management of their Personal Data
page 710/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Related Work [1]
• Lot of work done to provide Legislative Frameworks for Privacy
• Different legislative approaches: example US vs. EU
• Privacy and Data Protection laws are hard to enforce when personal information spreads across boundaries
• In general users have little understanding or knowledge of privacy laws and their implications
page 810/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Related Work [2]
• W3C approach on Platform for Privacy Preferences (P3P): simple policies, point-to-point interactions. Little control on the fulfilment of these policies (at least, in the current implementations)
• Liberty Alliance and Microsoft Passport: Identity and Privacy Management based on closed web of trust and predefined policies
page 910/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Related Work [3]
• IBM’s work on Enterprise Privacy Authorization Language (EPAL) and related Privacy Framework
• Association of fine-grained Privacy Policies (Sticky Policies) to personal data. Enforcement of Privacy Polices by the Enterprise • Current Open Issues:
- Policy “Stickiness” is not enforceable; - Too much trust in the enterprise; - Leakages of personal data can still happen; - Little user’s involvement.
• The above issues are very hard to address!
page 10
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Our Approach
About a Privacy and Accountability Model encompassing:
• “Sticky” Privacy Policies strongly associated to Identity Information
• Mechanisms for strong (but not impregnable) enforcement of privacy policies
• Mechanisms to increase the Accountability of the involved parties
• Mechanisms to allow people to be more involved in the management of their data (if they want to …)
page 11
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Privacy and Accountability Model
Key aspects: • Confidentiality of Data: obfuscation of confidential data
• Strong Association of Privacy Policies to Confidential Data: - “tamper resistant” policies associated to data.
- “Stickiness” guaranteed at least till the first disclosure.
• Policy Compliance Check and Enforcement: by trusted Tracing & Auditing Authorities (TAAs) and Trusted Platforms + OSs
• Accountability Management: auditing and tracing of disclosures by TAA (used as evidence)
• User Involvement: policy authoring, notification, authorization
page 12
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Privacy and Accountability Model [1]
Tracing and Auditing Authorities (TAAs)
? ?
6
User Enterprise
Multiparty Transaction / Interaction
Policies
Enterprise
Data
Services
Services
Services
Enterprise
Negotiation ofPrivacy Policy1
Obfuscated Data+
Sticky PrivacyPolicies
StickyPolicies
2
Request for Disclosure of Data+
Sticky Privacy Policies+
Credentials
3Checking forIntegrity and
Trustworthiness ofRemote Environment
4
Request for Authorizationor
Notification
5
Decryption Key(if Authorised)
6
7
Obfuscated Data+
Sticky PrivacyPolicies
8
page 13
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Privacy and Accountability Model [2]
• Once confidential data is disclosed it can still be misused …• Risks Mitigation via:
• Audit trail: Audit logs managed by TAAs can be used as Evidence and for Forensic Analysis (logging at least the first disclosure …)
• Trusted Platforms and OSs: - checking for the Integrity of the Receivers’ environment - enforcing part of the Privacy Policies directly at the OS level. Research and Work in Progress …
page 14
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Privacy and Accountability Model: Technical Aspects [1]
• Identifier-based Encryption (IBE)
• Trusted Platforms (TCG was TCPA, etc.)
• Tagged Operating Systems (OSs)
A technical implementation of our Privacy and Accountability Model leverages three key technologies:
page 15
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
What is Identifier-based Encryption (IBE)?
• It is an Emerging Cryptography Technology
• Based on a Three-Player Model: Sender, Receiver, Trust Authority (Trusted Third Party)
• Same Strength of RSA
• Different Approaches: Quadratic Residuosity, Weil Pairing, Tate Pairing …
• SW Library and Technology available at HP Laboratories
page 16
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
IBE Core Properties
• 1st Property: any kind of “string” (or Sequence of Bytes) can be used as an IBE Encryption Key: for example a Role, an e-Mail Address, a Picture, a Disclosure Time, Terms and Conditions,
a Privacy Policy …
• 2nd Property: the generation of IBE Decryption Keys can be postponed in time, even long time after the generation of the correspondent IBE Encryption Key
• 3rd Property: reliance on at least a Trust Authority (Trusted Third Party) for the generation of IBE Decryption Key
page 17
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
IBE Three-Player Model
AliceAlice
Trust Authority
Trust Authority
BobBob
3. Alice chooses an appropriate Encryption
Key. She encrypts the message:
Encrypted message
= {E(msg, N, encryption key)}
32. Alice knows the Trust Authority's published value of Public Detail N It is well known or available from reliable source
2
1. Trust Authority - Generates and protects a Secret - Publishes a Public Detail N
1
4. Alice Sends the encrypted Message to Bob, along with the Encryption Key
4
5. Bob requests the Decryption Key associated to the Encryption Key to the relevant Trust Authority.
5
6. The Trust Authority issues an IBE Decryption Key corresponding to the supplied Encryption Key only if it is happy with Bob’s entitlement to the Decryption Key. It needs the Secret to perform the computation.
6
page 18
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Privacy and Accountability Model: Technical Aspects [2]
A technical implementation of our Privacy and Accountability Model leverages three key Technologies:
• Identifier-based Encryption (IBE)
• Trusted Platforms (TCG was TCPA, etc.)
• Tagged Operating Systems (OSs)
page 19
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Trusted Platforms
• A trusted platform provides hardware mechanisms (TPM) and tools to check for the integrity of computer platforms and their installed software (locally and remotely)
• TCG (was TCPA) and Microsoft NGSCB initiatives: http://www.trustedcomputing.org
http://www.microsoft.com/ngscb • HP and HP Laboratories are directly involved in the TCG
initiative
TPM
page 20
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Privacy and Accountability Model: Technical Aspects [3]
A technical implementation of our Privacy and Accountability Model leverages three key Technologies:
• Identifier-based Encryption (IBE)
• Trusted Platforms (TCG was TCPA, etc.)
• Tagged Operating Systems (OSs)
page 21
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Policy Creation and Translation System
policies created in dflow
compiler
Policy evaluati
on engine
Tagged Data
Flow causing
operationyes, no, more checks
Decision
Control Enforcement
Policy
File in
Internal
Format
• A tagged Operating System (OS) provides mechanisms and tools to associate low level labels to data and directly enforce and manage them at the OS level.
• The “stickiness” of a label to the content, not to the content holder (such as a file), ensures that even when the data is copied around the label follows it as well.
• Labels can be associated (at the OS level) to low level Privacy Policies (rules), directly enforced by the OS. Rules dictate constraints on: copies of data, data transmissions, etc.
• A working prototype is available at HP Laboratories, Bristol.
Tagged Operating Systems
page 22
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Privacy and Accountability Model: Technical Aspects [4]
- (High level) Stickiness of Privacy Policies - User Involvement- Accountability Management- Enforcement of Aspects of Privacy Policy
Addressed Problems
- (Low level) Source of Trust and HW/SW integrity checking
- (Low level) Stickiness of Privacy Policies - Enforcement of Aspects of Privacy Policy
Technologies
Trusted Platforms (TCG …)
Tagged OSs
Our Privacy and Accountability Framework
(IBE, TAAs, etc.)
GAP
GAP
page 23
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
High-level System Architecture
LocalIdentity and ProfileInformation
Browser
Plug-in
Comm.Module
Policy Engine
IBE CryptoModule
CredentialDatabase
IBECryptoModule
Tamper Resistant Storage
Tracing Auditing Module
User siteReceiver Site(s)
Trust Authority(s)[Tracing and Auditing Authorities]
Obfuscated Data Package +
Sticky Privacy Policies
IBE DecryptionKey
Request for IBE Decryption Key:<Disclosure Policies (Sticky Privacy Policies) and credentials>
Notifications andAuthorizations
1
24 3
Disclosure Monitoring/Control
Disclosure Monitoring/Control
Disclosure Monitoring/Control Customers
Database
service
Comm. Module
Policy Engine
Tagged OS + TPM
Tagged OS + TPM
PolicyDeployment
PolicyDeployment
• Based on the IBE Model
• Privacy Policies are represented as “IBE Encryption Keys”
• Confidential data is encrypted with IBE encryption keys
• IBE encryption keys “stick” with the encrypted data (at least till the first de-obfuscation of the data …)
• The “Tracing and Auditing Authority” is an (IBE based) Trust Authority.
• Leveraging Trusted Platforms and Tagged OS for enforcing aspects of Privacy Policies (Work in Progress…)
page 24
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Sticky Privacy Policies
Example of high-level Sticky Policy (XML format):<sticky policy> // disclosure policy – IBE encryption key <attribute> name of the identity or profile attribute </attribute> <Trust Authority> address and location of the Trust Authority </Trust Authority> <owner> //reference name – IBE encryption key <reference name> pseudonym1 </reference name> //encrypted call back address by using user’s reference name <owner’s details> encrypted call back address <owner’s details> </owner> <validity> expiration date </validity> <constraint> X.509_authentication_required </constraint> <constraint> allow_sharing_of_data </constraint> <constraint> // Simple constraint on remote platform required_remote_TCG_trusted_platform </constraint> <action> notify_owner </action> </sticky policy>
Reference to TA(s)
Constraints/Obligations
Platform Constraint
Actions(User Involvement)
IBE encryption keys can define any kind of privacy constraints or terms and conditions tobe deployed and enforced at different levels of abstractions (application/service, OS, platform)
page 25
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Enforcement of Sticky Privacy Policies
TCGTagged OS
TCG
Trust Authority (TA)
TCGTagged OS
TCG
TCGTagged OS
TCG
Enterprise 1
Enterprise 2
Policy Engine
Enforcement viaTrust Authority
Enforcement By Trusted Platforms andTagged OS(Work in Progress)
Personal Data
Sticky
Privacy Policies
Policy Engine
Policy Engine+
page 26
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Policy Enforcement by Trust Authority
• “Soft” policy enforcement: TA still relies on the receiver to take care of the data privacy, once data is disclosed …
• The TA interprets Privacy Policies via a Policy Engine
• The TA makes sure that the Privacy Policies are satisfied before issuing the IBE decryption key
• Multiple TAs can be used, each of them specialised in doing specific checks (easy with IBE-based approach …)
• Users can be notified or asked for authorization, if the Privacy Policies require it (User Involvement)
• Audit of disclosures, at least the first time …
•The TA can leverage TCG and Tagged-OS to make sure that part of the policy enforcement is done upfront …
Enterprise 2
Enterprise 1
Trust Authority (TA)
Privacy
Policies Privacy
Policies
page 27
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Policy Enforcement by Trusted Platforms
• Stronger Enforcement of part of the privacy policies (low level policies)
• TCG integrity checking mechanisms checks for platform trustworthiness along with its SW and HW integrity. Cross boundaries integrity checking on the platforms of the involved parties
• To be effective, a widespread usage of trusted platforms is required. At least all the platforms involved in the task of processing confidential data should be checked. Some of them might not be exposed externally. Too strong requirements for the time being … Limits on the kinds of HW and SW checks …
• Joint usage of Tagged-OS and TCG to create Trust Domains. TCG to check upfront the integrity of the “combined” system. Tagged-OS to enforce privacy policies directly at the OS level: disallow copies data, sending data only to specific IP addresses, etc.
Enterprise 2
Tagged OS
TCGTagged OS
TCG
Enterprise 1
Trust Authority (TAA)
Tagged OS
TCGTagged OS
TCG
Tagged OS
TCGTagged OS
TCG
Privacy
Policies
Research and Work in Progress …
Trust Domain
page 28
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Accountability Management
• Confidential data is encrypted: at least the first time the requestors need to interact with the Tracing and Auditing Authorities (TAAs)
• Auditing and Logging of data disclosures carried on by TAAs (at least the first time)
• Multiple TAAs can be used to mitigate trust issues. Users can run their own TAAs
• Usage of Audit Logs as Evidence and for Forensic Analysis
• Research in progress at HP Labs on tamper-resistant audit systems
Enterprise 2
Enterprise 1
Trust Authorities (TAAs)
Privacy
Policies
Privacy
Policies
page 29
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Discussion
• The usage of “trusted third parties” to mediate interactions and encryption for confidentiality are not new
• The potential added value of our approach consists of: The mechanisms to associate “Sticky” Privacy Policies to confidential data via IBE (lightweight cryptography mechanism); The “active” interaction model we introduced The combined usage of TCG, Tagged OS and Trust Authorities for integrity checking and policy enforcement
• Other cryptography mechanisms could be used but the IBE model fits
very well at the client and server sites
• Open issues: Our policy enforcement is strong, but not impregnable (risks vs. costs?) Adequacy of Trusted Platforms/Tagged OS to be verified Potential complexity of our solution. To be fully prototyped and tested
• Research in progress …
page 30
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Current and Future Work
• IBE technology is available. HP Labs have implemented a fast and optimised version of the IBE cryptography libraries
• We have simple implementations of: - a TA service - add-ins for authoring and management of privacy policies - a policy-based engine
• TPM chips and TCG-based PCs are available on the market
• We have a working prototype of the Tagged OS • We have a working prototype of a non-repudiable, tamper resistant Auditing and Logging System.
• Next steps: testing the suitability of our approach in real contexts …
page 31
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Conclusions
• It is important to protect people’s privacy on the Internet, increase accountability and allow people to be more involved (if they care)
• Despite laws, legislations and technical attempts to solve this problem, at moment there are no solutions to address the whole set of involved issues
• We described our approach to provide a strong but not impregnable enforcement of privacy policies, more accountability and more user involvement
• We presented a technical solution that leverages IBE (sticky policies and auditing services), Tagged-OS (low level sticky policy) and TCG (trust and integrity checking)
• There are open issues: our research is in progress …
page 32
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
Backup Slides
RSA and IBE
Cryptography Models
page 33
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
RSA Model
Secrets p&q
Compute d&eKeep d secret
Compute N = p*q
encrypt
decryptN and d
e and Npublished
page 34
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
IBE Model [1]
Publicdetails
E D
Encrypt Decrypt
Secrets s
Compute publicdetails Compute
Key pairs
page 35
10/06/06 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK يح
IBE Model [2]
Publicdetails
Encrypt Decrypt
Secrets s
Compute publicdetails Generate
Decryption Key
Choose eGet decrypt
Key,e