Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Serv - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Towards Accountable Management of
Identity and Privacy
Sticky Policies and Enforceable Tracing Services
  • Marco Casassa Mont
  • Siani Pearson
  • Pete Bramhall
  • Trusted Systems Laboratory
  • Hewlett-Packard Labs, Bristol, UK
  • TrustBus 2003, 2-4 September 2003
  • Prague, Czech Republic

2
Presentation Outline
  • Setting the Context
  • Scenario
  • Addressed Problems
  • Related Work
  • Our Approach
  • Discussion
  • Conclusions

3
Setting the Context
  • Digital Identities and Profiles are relevant to enable transactions and interactions on the web, in many contexts: personal, social, business, government, etc.
  • Privacy Management is a major issue: it involves people, organisations, governments, etc.
  • Different reactions by people, ranging from completely ignoring the privacy issues to being so concerned as to prevent any web interaction

4
Scenario Multiparty Interactions 1
(Diagram: Multiparty Transaction / Interaction. Labels: User, Services, Enterprise, Policies, Data; Negotiation of Privacy Policy; Provision of Identity/Profile Data; Identity/Profile Disclosure)
Similar issues in the e-Commerce, Enterprise, Financial and Government Areas
5
Scenario Multiparty Interactions 2
  • Little has been done so far to directly involve people (or third parties acting on their behalf) in the management of their privacy
  • Users lack control over their personal information after their initial disclosures
  • Organisations, as well, lack control over the confidential information they manage on behalf of their customers, once they disclose it to third parties
  • It is hard to make organisations accountable

6
Addressed Problems
  • Privacy Enforcement
  • Accountability of Organizations
  • Involvement of People in the Management of their Personal Data

7
Related Work 1
  • A lot of work has been done to provide Legislative Frameworks for Privacy
  • Different legislative approaches, for example US vs. EU
  • Privacy and Data Protection laws are hard to enforce when personal information spreads across boundaries
  • In general users have little understanding or knowledge of privacy laws and their implications

8
Related Work 2
  • W3C approach on Platform for Privacy Preferences (P3P): simple policies, point-to-point interactions. Little control on the fulfilment of these policies (at least, in the current implementations)
  • Liberty Alliance and Microsoft Passport: Identity and Privacy Management based on a closed web of trust and predefined policies

9
Related Work 3
  • IBM's work on Enterprise Privacy Authorization Language (EPAL) and related Privacy Framework
  • Association of fine-grained Privacy Policies (Sticky Policies) to personal data. Enforcement of Privacy Policies by the Enterprise
  • Current Open Issues:
    - Policy Stickiness is not enforceable
    - Too much trust in the enterprise
    - Leakages of personal data can still happen
    - Little user involvement
  • The above issues are very hard to address!

10
Our Approach
  • About a Privacy and Accountability Model encompassing:
  • Sticky Privacy Policies strongly associated to Identity Information
  • Mechanisms for strong (but not impregnable) enforcement of privacy policies
  • Mechanisms to increase the Accountability of the involved parties
  • Mechanisms to allow people to be more involved in the management of their data (if they want to)

11
Privacy and Accountability Model
  • Key aspects:
  • Confidentiality of Data: obfuscation of confidential data
  • Strong Association of Privacy Policies to Confidential Data
    - tamper resistant policies associated to data
    - Stickiness guaranteed at least till the first disclosure
  • Policy Compliance Check and Enforcement by trusted Tracing and Auditing Authorities (TAAs) and Trusted Platforms/OSs
  • Accountability Management: auditing and tracing of disclosures by TAA (used as evidence)
  • User Involvement: policy authoring, notification, authorization

12
Privacy and Accountability Model 1
13
Privacy and Accountability Model 2
  • Once confidential data is disclosed it can still be misused
  • Risk mitigation via:
  • Audit trail: audit logs managed by TAAs can be used as Evidence and for Forensic Analysis (logging at least the first disclosure)
  • Trusted Platforms and OSs:
    - checking for the Integrity of the Receiver's environment
    - enforcing part of the Privacy Policies directly at the OS level. Research and Work in Progress

14
Privacy and Accountability Model
Technical Aspects 1
  • A technical implementation of our Privacy and Accountability Model leverages three key technologies:
  • Identifier-based Encryption (IBE)
  • Trusted Platforms (TCG, formerly TCPA, etc.)
  • Tagged Operating Systems (OSs)

15
What is Identifier-based Encryption (IBE)?
  • It is an emerging cryptography technology
  • Based on a three-player model: Sender, Receiver, Trust Authority (Trusted Third Party)
  • Same strength as RSA
  • Different approaches: Quadratic Residuosity, Weil Pairing, Tate Pairing
  • SW library and technology available at HP Laboratories

16
IBE Core Properties
  • 1st Property: any kind of string (or sequence of bytes) can be used as an IBE Encryption Key, for example a Role, an e-Mail Address, a Picture, a Disclosure Time, Terms and Conditions, a Privacy Policy
  • 2nd Property: the generation of IBE Decryption Keys can be postponed in time, even a long time after the generation of the corresponding IBE Encryption Key
  • 3rd Property: reliance on at least a Trust Authority (Trusted Third Party) for the generation of the IBE Decryption Key

17
IBE Three-Player Model
18
Privacy and Accountability Model
Technical Aspects 2
  • A technical implementation of our Privacy and Accountability Model leverages three key technologies:
  • Identifier-based Encryption (IBE)
  • Trusted Platforms (TCG, formerly TCPA, etc.)
  • Tagged Operating Systems (OSs)

19
Trusted Platforms
  • A trusted platform provides hardware mechanisms (TPM) and tools to check for the integrity of computer platforms and their installed software (locally and remotely)
  • TCG (formerly TCPA) and Microsoft NGSCB initiatives
  • http://www.trustedcomputing.org
  • http://www.microsoft.com/ngscb
  • HP and HP Laboratories are directly involved in the TCG initiative

20
Privacy and Accountability Model
Technical Aspects 3
  • A technical implementation of our Privacy and Accountability Model leverages three key technologies:
  • Identifier-based Encryption (IBE)
  • Trusted Platforms (TCG, formerly TCPA, etc.)
  • Tagged Operating Systems (OSs)

21
Tagged Operating Systems
  • A tagged Operating System (OS) provides mechanisms and tools to associate low level labels to data and directly enforce and manage them at the OS level.
  • The stickiness of a label to the content, not to the content holder (such as a file), ensures that even when the data is copied around the label follows it as well.
  • Labels can be associated (at the OS level) to low level Privacy Policies (rules), directly enforced by the OS. Rules dictate constraints on copies of data, data transmissions, etc.

(Diagram labels: Tagged Data; Flow causing operation; Policy evaluation engine; Policy File in Internal Format; Decision: yes, no, more checks; Control Enforcement)
22
Privacy and Accountability Model
Technical Aspects 4
23
High-level System Architecture
  • Based on the IBE Model
  • Privacy Policies are represented as IBE Encryption Keys
  • Confidential data is encrypted with IBE encryption keys
  • IBE encryption keys stick with the encrypted data (at least till the first de-obfuscation of the data)
  • The Tracing and Auditing Authority is an (IBE based) Trust Authority.
  • Leveraging Trusted Platforms and

24
Sticky Privacy Policies
(Figure: example of a high-level Sticky Policy in XML format, with callouts for: Reference to TA(s); Constraints/Obligations; Platform Constraint; Actions (User Involvement))
IBE encryption keys can define any kind of privacy constraints or terms and conditions to be deployed and enforced at different levels of abstraction (application/service, OS, platform)
25
Enforcement of Sticky Privacy Policies
(Diagram labels: Enterprise 1, Personal Data, Sticky Privacy Policies, Policy Engine; Enterprise 2, Policy Engine; Trust Authority (TA), Policy Engine; Enforcement via Trust Authority; Enforcement By Trusted Platforms and Tagged OS (Work in Progress))
26
Policy Enforcement by Trust Authority
  • Soft policy enforcement: the TA still relies on the receiver to take care of the data privacy, once data is disclosed
  • The TA interprets Privacy Policies via a Policy Engine
  • The TA makes sure that the Privacy Policies are satisfied before issuing the IBE decryption key
  • Multiple TAs can be used, each of them specialised in doing specific checks (easy with the IBE-based approach)
  • Users can be notified or asked for authorization, if the Privacy Policies require it (User Involvement)
  • Audit of disclosures, at least the first time
  • The TA can leverage TCG and Tagged-OS to make sure that part of the policy enforcement is done upfront
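Slides 16, 23 and 26 together describe one mechanism: the sticky policy text is the IBE encryption key, the data is encrypted under it without involving the TA, and the TA extracts the matching decryption key only after checking the policy and logging the disclosure. The Python below is an added illustration, not code from this presentation or from the HP Labs IBE library: it implements that flow with the Cocks quadratic-residuosity IBE (one of the approaches named on slide 15), and the "name=value;..." policy format, the in-memory audit log and the toy Mersenne-prime parameters are assumptions made for the example.

```python
import hashlib, itertools, secrets
# Toy parameters: two Mersenne primes, both 3 mod 4 (Blum primes), used only because
# they are known primes. A real Trust Authority generates fresh secret primes.
P, Q = 2**89 - 1, 2**127 - 1
N = P * Q          # public parameter; P and Q are the TA's master secret
AUDIT_LOG = []     # constructed stand-in for the TAA's tamper-resistant audit trail
def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            result = -result if n % 8 in (3, 5) else result
        a, n = n, a
        result = -result if a % 4 == 3 and n % 4 == 3 else result
        a %= n
    return result if n == 1 else 0

def policy_to_key(policy):
    # 1st property: the sticky policy text is the public key. Hash it to a with Jacobi
    # symbol +1; only N is needed, so the sender never has to contact the TA.
    for ctr in itertools.count():
        a = int.from_bytes(hashlib.sha256(f"{ctr}|{policy}".encode()).digest(), "big") % N
        if a > 1 and jacobi(a, N) == 1:
            return a

def encrypt_bits(bits, policy):
    """Cocks encryption of a '0'/'1' string; each bit becomes a pair (c1, c2)."""
    a, out = policy_to_key(policy), []
    for b in bits:
        m = 1 if b == "1" else -1
        t = secrets.randbelow(N)
        while jacobi(t, N) != m:    # random t whose Jacobi symbol carries the bit
            t = secrets.randbelow(N)
        inv = pow(t, -1, N)
        out.append(((t + a * inv) % N, (t - a * inv) % N))
    return out

def ta_issue_key(policy, context):
    """TA/TAA: issue the key only if the context meets every policy term; log either way."""
    wanted = dict(term.split("=", 1) for term in policy.split(";"))
    ok = all(context.get(k) == v for k, v in wanted.items())
    AUDIT_LOG.append(("disclosed" if ok else "refused", policy, dict(context)))
    return pow(policy_to_key(policy), (N + 5 - P - Q) // 8, N) if ok else None  # r^2 = +/-a

def decrypt_bits(ciphertext, policy, r):
    """Receiver: the policy travels with the data, so a is recomputed from it."""
    a = policy_to_key(policy)
    which = 0 if pow(r, 2, N) == a else 1   # r^2 = a -> use c1, r^2 = -a -> use c2
    return "".join("1" if jacobi(c[which] + 2 * r, N) == 1 else "0" for c in ciphertext)
```

Because the policy string is the public key, an altered policy hashes to a different a, so a key the TA extracts for the altered policy does not decrypt data bound to the original: this is the stickiness the slides rely on.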

(Diagram labels: Enterprise 1, Enterprise 2, Trust Authority (TA))
27
Policy Enforcement by Trusted Platforms
  • Stronger Enforcement of part of the privacy policies (low level policies)
  • TCG integrity checking mechanisms check for platform trustworthiness along with its SW and HW integrity. Cross-boundary integrity checking on the platforms of the involved parties
  • To be effective, a widespread usage of trusted platforms is required. At least all the platforms involved in the task of processing confidential data should be checked. Some of them might not be exposed externally.
    => Too strong requirements for the time being
    => Limits on the kinds of HW and SW checks
  • Joint usage of Tagged-OS and TCG to create Trust Domains. TCG to check upfront the integrity of the combined system. Tagged-OS to enforce privacy policies directly at the OS level

(Diagram labels: Enterprise 1, Trust Domain, Enterprise 2, Trust Authority (TAA))
Research and Work in Progress
28
Accountability Management
  • Confidential data is encrypted: at least the first time, the requestors need to interact with the Tracing and Auditing Authorities (TAAs)
  • Auditing and Logging of data disclosures carried on by TAAs (at least the first time)
  • Multiple TAAs can be used to mitigate trust issues. Users can run their own TAAs
  • Usage of Audit Logs as Evidence and for Forensic Analysis
  • Research in progress at HP Labs on tamper-resistant audit systems

(Diagram labels: Enterprise 1, Enterprise 2, Trust Authorities (TAAs))
29
Discussion
  • The usage of trusted third parties to mediate interactions and of encryption for confidentiality is not new
  • The potential added value of our approach consists of:
    - The mechanisms to associate Sticky Privacy Policies to confidential data via IBE (lightweight cryptography mechanism)
    - The active interaction model we introduced
    - The combined usage of TCG, Tagged OS and Trust Authorities for integrity checking and policy enforcement
  • Other cryptography mechanisms could be used but the IBE model fits very well at the client and server sites
  • Open issues:
    - Our policy enforcement is strong, but not impregnable (risks vs. costs?)
    - Adequacy of Trusted Platforms/Tagged OS to be verified
    - Potential complexity of our solution. To be fully prototyped and tested
  • Research in progress

30
Current and Future Work
  • IBE technology is available. HP Labs have implemented a fast and optimised version of the IBE cryptography libraries
  • We have simple implementations of:
    - a TA service
    - add-ins for authoring and management of privacy policies
    - a policy-based engine
  • TPM chips and TCG-based PCs are available on the market
  • We have a working prototype of the Tagged OS
  • We have a working prototype of a non-repudiable, tamper resistant Auditing and Logging System.
  • Next steps: testing the suitability of our approach in real contexts

31
Conclusions
  • It is important to protect people's privacy on the Internet, increase accountability and allow people to be more involved (if they care)
  • Despite laws, legislation and technical attempts to solve this problem, at the moment there are no solutions that address the whole set of involved issues
  • We described our approach to provide a strong but not impregnable enforcement of privacy policies, more accountability and more user involvement
  • We presented a technical solution that leverages IBE (sticky policies and auditing services), Tagged-OS (low level sticky policy) and TCG (trust and integrity checking)
  • There are open issues: our research is in progress

32
Backup Slides
RSA and IBE Cryptography Models
33
RSA Model
34
IBE Model 1
35
IBE Model 2
36