Title: Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Services

Slide 1: Towards Accountable Management of Identity and Privacy
Sticky Policies and Enforceable Tracing Services
- Marco Casassa Mont
- Siani Pearson
- Pete Bramhall
- Trusted Systems Laboratory, Hewlett-Packard Labs, Bristol, UK
- TrustBus 2003, 2-4 September 2003, Prague, Czech Republic

Slide 2: Presentation Outline
- Setting the Context
- Scenario
- Addressed Problems
- Related Work
- Our Approach
- Discussion
- Conclusions

Slide 3: Setting the Context
- Digital identities and profiles are relevant to enabling transactions and interactions on the web, in many contexts: personal, social, business, government, etc.
- Privacy management is a major issue; it involves people, organisations, governments, etc.
- People react in different ways, ranging from completely ignoring privacy issues to being so concerned that they avoid any web interaction.

Slide 4: Scenario - Multiparty Interactions (1)
[Figure: multiparty transaction / interaction. A user negotiates a privacy policy with an enterprise's services and provides identity/profile data; the enterprise applies its policies to the data and discloses identity/profile data to the services of other enterprises.]
Similar issues arise in the e-commerce, enterprise, financial and government areas.

Slide 5: Scenario - Multiparty Interactions (2)
- Little has been done so far to directly involve people (or third parties acting on their behalf) in the management of their privacy.
- Users lack control over their personal information after their initial disclosures.
- Organisations, as well, lack control over the confidential information they manage on behalf of their customers, once they disclose it to third parties.
- It is hard to make organisations accountable.

Slide 6: Addressed Problems
- Privacy Enforcement
- Accountability of Organizations
- Involvement of People in the Management of their Personal Data

Slide 7: Related Work (1)
- A lot of work has been done to provide legislative frameworks for privacy:
  - Different legislative approaches, for example US vs. EU.
  - Privacy and data protection laws are hard to enforce when personal information spreads across boundaries.
  - In general, users have little understanding or knowledge of privacy laws and their implications.

Slide 8: Related Work (2)
- W3C approach: Platform for Privacy Preferences (P3P). Simple policies, point-to-point interactions. Little control over the fulfilment of these policies (at least in the current implementations).
- Liberty Alliance and Microsoft Passport: identity and privacy management based on a closed web of trust and predefined policies.

Slide 9: Related Work (3)
- IBM's work on the Enterprise Privacy Authorization Language (EPAL) and the related Privacy Framework:
  - Association of fine-grained privacy policies (sticky policies) to personal data. Enforcement of privacy policies by the enterprise.
- Current open issues:
  - Policy stickiness is not enforceable.
  - Too much trust in the enterprise.
  - Leakages of personal data can still happen.
  - Little user involvement.
- The above issues are very hard to address!

Slide 10: Our Approach
- A Privacy and Accountability Model encompassing:
  - Sticky privacy policies strongly associated to identity information.
  - Mechanisms for strong (but not impregnable) enforcement of privacy policies.
  - Mechanisms to increase the accountability of the involved parties.
  - Mechanisms to allow people to be more involved in the management of their data (if they want to).

Slide 11: Privacy and Accountability Model
- Confidentiality of data: obfuscation of confidential data.
- Strong association of privacy policies to confidential data:
  - tamper-resistant policies associated to data;
  - stickiness guaranteed at least until the first disclosure.
- Policy compliance check and enforcement by trusted Tracing and Auditing Authorities (TAAs) and trusted platforms/OSs.
- Accountability management: auditing and tracing of disclosures by the TAA (used as evidence).
- User involvement: policy authoring, notification, authorization.

Slide 12: Privacy and Accountability Model (1)
[Figure: diagram of the model; no text recovered.]

Slide 13: Privacy and Accountability Model (2)
- Once confidential data is disclosed, it can still be misused.
- Risk mitigation via:
  - Audit trail: audit logs managed by TAAs can be used as evidence and for forensic analysis (logging at least the first disclosure).
  - Trusted platforms and OSs:
    - checking the integrity of the receiver's environment;
    - enforcing part of the privacy policies directly at the OS level. Research and work in progress.

Slide 14: Privacy and Accountability Model - Technical Aspects (1)
- A technical implementation of our Privacy and Accountability Model leverages three key technologies:
  - Identifier-based Encryption (IBE)
  - Trusted Platforms (TCG, formerly TCPA, etc.)
  - Tagged Operating Systems (OSs)

Slide 15: What is Identifier-based Encryption (IBE)?
- It is an emerging cryptography technology.
- Based on a three-player model: Sender, Receiver, Trust Authority (Trusted Third Party).
- Same strength as RSA.
- Different approaches: Quadratic Residuosity, Weil Pairing, Tate Pairing.
- SW library and technology available at HP Laboratories.

Slide 16: IBE Core Properties
- 1st property: any kind of string (or sequence of bytes) can be used as an IBE encryption key, for example a role, an e-mail address, a picture, a disclosure time, terms and conditions, a privacy policy.
- 2nd property: the generation of IBE decryption keys can be postponed in time, even a long time after the generation of the corresponding IBE encryption key.
- 3rd property: reliance on at least one Trust Authority (Trusted Third Party) for the generation of the IBE decryption key.

Slide 17: IBE Three-Player Model
[Figure: sender, receiver and trust authority; no text recovered.]

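The three properties and the three-player model, worked through in code. This is an added example, not HP Labs' IBE library or any code from the deck: it implements Cocks' quadratic-residuosity IBE (one of the approaches named on slide 15) in pure Python with toy-sized primes. The Trust Authority holds the factorisation of n and publishes only n; a sender wraps a data key under an arbitrary string (a constructed sticky policy) without ever contacting the TA; the TA extracts the matching decryption key only when asked, as late as it likes; and a policy edited by the receiver yields a key that does not unwrap the data. All names, sizes and the policy string are this example's own assumptions.

```python
"""Cocks' quadratic-residuosity IBE as an added example of the three-player model
(not HP Labs' IBE library). Sender encrypts under any string using only the public
modulus n; the Trust Authority derives the decryption key later, on request.
PRIME_BITS is an assumption chosen for speed, far too small for real use."""
import hashlib
import secrets

PRIME_BITS = 128


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n; returns 1, -1, or 0 when gcd(a, n) > 1."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def blum_prime(bits: int) -> int:
    """Random prime that is 3 mod 4, as Cocks' key extraction requires."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(cand):
            return cand


def hash_to_identity(identifier: str, n: int) -> int:
    """1st property: any string becomes an encryption key, an a with Jacobi(a/n) = 1."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{counter}|{identifier}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if jacobi(a, n) == 1:
            return a
        counter += 1


class TrustAuthority:
    """3rd property: only the holder of the factorisation of n can extract keys."""
    def __init__(self, bits: int = PRIME_BITS):
        self.p = blum_prime(bits)
        self.q = blum_prime(bits)
        while self.q == self.p:
            self.q = blum_prime(bits)
        self.n = self.p * self.q  # the only public parameter

    def extract(self, identifier: str) -> int:
        """2nd property: computed whenever requested, long after encryption."""
        a = hash_to_identity(identifier, self.n)
        return pow(a, (self.n + 5 - self.p - self.q) // 8, self.n)  # r*r is a or -a mod n


def encrypt(message: bytes, identifier: str, n: int) -> list:
    """Bit-by-bit encryption under the identifier; needs only n, never the TA."""
    a = hash_to_identity(identifier, n)
    out = []
    for byte in message:
        for i in range(8):
            target = 1 if (byte >> i) & 1 else -1  # the bit is carried by Jacobi(t/n)
            pair = []
            for sign in (1, -1):  # one ciphertext for r*r == a, one for r*r == -a
                t = secrets.randbelow(n - 2) + 2
                while jacobi(t, n) != target:
                    t = secrets.randbelow(n - 2) + 2
                pair.append((t + sign * a * pow(t, -1, n)) % n)
            out.append(tuple(pair))
    return out


def decrypt(ciphertexts: list, key: int, identifier: str, n: int) -> bytes:
    """Jacobi(c + 2r) recovers Jacobi(t), i.e. the bit, when r matches the identifier."""
    a = hash_to_identity(identifier, n)
    use_first = pow(key, 2, n) == a
    bits = [1 if jacobi(((c[0] if use_first else c[1]) + 2 * key) % n, n) == 1 else 0 for c in ciphertexts]
    return bytes(sum(b << j for j, b in enumerate(bits[i:i + 8])) for i in range(0, len(bits), 8))


def sticky_policy_demo() -> dict:
    """Wrap a data key under a policy; only the exact policy text unlocks it."""
    ta = TrustAuthority()
    policy = "<policy ta='TAA-1' purpose='billing' notify-user='true'/>"  # constructed
    dek = secrets.token_bytes(8)  # stands for the symmetric key protecting the data itself
    wrapped = encrypt(dek, policy, ta.n)
    edited = policy.replace("billing", "marketing")  # receiver tries to weaken the policy
    return {
        "matches": decrypt(wrapped, ta.extract(policy), policy, ta.n) == dek,
        "edited_matches": decrypt(wrapped, ta.extract(edited), edited, ta.n) == dek,
    }
```

`sticky_policy_demo()` returns `{"matches": True, "edited_matches": False}`. Cocks encrypts one bit per ciphertext pair, so in practice it wraps only a symmetric data key and the confidential data is encrypted under that key with an authenticated cipher. What makes the policy sticky is that the policy text is the identity: the TA cannot be asked for a key "for the data", only for a key for a specific policy string, and it checks that string before extracting.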
Slide 18: Privacy and Accountability Model - Technical Aspects (2)
- A technical implementation of our Privacy and Accountability Model leverages three key technologies:
  - Identifier-based Encryption (IBE)
  - Trusted Platforms (TCG, formerly TCPA, etc.)
  - Tagged Operating Systems (OSs)

Slide 19: Trusted Platforms
- A trusted platform provides hardware mechanisms (TPM) and tools to check the integrity of computer platforms and their installed software (locally and remotely).
- TCG (formerly TCPA) and Microsoft NGSCB initiatives:
  - http://www.trustedcomputing.org
  - http://www.microsoft.com/ngscb
- HP and HP Laboratories are directly involved in the TCG initiative.
[Figure: TPM]

Slide 20: Privacy and Accountability Model - Technical Aspects (3)
- A technical implementation of our Privacy and Accountability Model leverages three key technologies:
  - Identifier-based Encryption (IBE)
  - Trusted Platforms (TCG, formerly TCPA, etc.)
  - Tagged Operating Systems (OSs)

Slide 21: Tagged Operating Systems
- A tagged Operating System (OS) provides mechanisms and tools to associate low-level labels to data and to enforce and manage them directly at the OS level.
- The stickiness of a label to the content, not to the content holder (such as a file), ensures that even when the data is copied around, the label follows it.
- Labels can be associated (at the OS level) to low-level privacy policies (rules), directly enforced by the OS.
- Rules dictate constraints on copies of data, data transmissions, etc.
[Figure: tagged data and a policy file in internal format feed a policy evaluation engine; a flow-causing operation triggers a decision (yes, no, more checks) and control enforcement.]

Slide 22: Privacy and Accountability Model - Technical Aspects (4)
[Figure: diagram with two regions labelled GAP; no further text recovered.]

Slide 23: High-level System Architecture
- Based on the IBE model:
  - Privacy policies are represented as IBE encryption keys.
  - Confidential data is encrypted with IBE encryption keys.
  - IBE encryption keys stick with the encrypted data (at least until the first de-obfuscation of the data).
- The Tracing and Auditing Authority is an (IBE-based) Trust Authority.
- Leveraging Trusted Platforms and

Slide 24: Sticky Privacy Policies
[Figure: example of a high-level sticky policy (XML format), with sections for: reference to TA(s); constraints/obligations; platform constraint; actions (user involvement).]
IBE encryption keys can define any kind of privacy constraints or terms and conditions to be deployed and enforced at different levels of abstraction (application/service, OS, platform).

Slide 25: Enforcement of Sticky Privacy Policies
[Figure: Enterprise 1 holds personal data with sticky privacy policies and a policy engine; Enterprise 2 has its own policy engine; enforcement via a Trust Authority (TA) with a policy engine, and enforcement by trusted platforms and tagged OS (work in progress).]

Slide 26: Policy Enforcement by Trust Authority
- Soft policy enforcement: the TA still relies on the receiver to take care of data privacy once the data is disclosed.
- The TA interprets privacy policies via a policy engine.
- The TA makes sure that the privacy policies are satisfied before issuing the IBE decryption key.
- Multiple TAs can be used, each of them specialised in doing specific checks (easy with the IBE-based approach).
- Users can be notified or asked for authorization, if the privacy policies require it (user involvement).
- Audit of disclosures, at least the first time.
- The TA can leverage TCG and Tagged-OS to make sure that part of the policy enforcement is done upfront.
[Figure: Enterprise 1, Enterprise 2 and the Trust Authority (TA).]

Slide 27: Policy Enforcement by Trusted Platforms
- Stronger enforcement of part of the privacy policies (low-level policies).
- TCG integrity checking mechanisms check for platform trustworthiness along with its SW and HW integrity. Cross-boundary integrity checking on the platforms of the involved parties.
- To be effective, widespread usage of trusted platforms is required. At least all the platforms involved in the task of processing confidential data should be checked. Some of them might not be exposed externally.
  - Too strong a requirement for the time being.
  - Limits on the kinds of HW and SW checks.
- Joint usage of Tagged-OS and TCG to create Trust Domains: TCG to check upfront the integrity of the combined system; Tagged-OS to enforce privacy policies directly at the OS level.
[Figure: Enterprise 1 and Enterprise 2 inside a Trust Domain, with a Trust Authority (TAA). Research and work in progress.]

Slide 28: Accountability Management
- Confidential data is encrypted: at least the first time, the requestors need to interact with the Tracing and Auditing Authorities (TAAs).
- Auditing and logging of data disclosures is carried out by TAAs (at least the first time).
- Multiple TAAs can be used to mitigate trust issues. Users can run their own TAAs.
- Usage of audit logs as evidence and for forensic analysis.
- Research in progress at HP Labs on tamper-resistant audit systems.
[Figure: Enterprise 1, Enterprise 2 and Trust Authorities (TAAs).]

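Slides 24, 26 and 28 together describe the TA's job: interpret the sticky policy, check it before issuing the IBE decryption key, involve the user if the policy says so, and log the disclosure. The following is an added example, not the TA service or the auditing system the authors mention: a small Tracing and Auditing Authority in Python with a constructed policy in XML (the deck names the policy sections but no element vocabulary, so the element and attribute names are assumptions), a policy engine that evaluates each constraint, a user-notification hook, and a hash-chained audit log so that an after-the-fact edit of a logged decision is detectable. The IBE extract step is replaced by an HMAC of the exact policy text under the TA's master secret, which keeps the property that an edited policy yields a different key.

```python
"""Added example (not HP Labs code): a minimal Tracing and Auditing Authority that
evaluates a sticky privacy policy, issues the decryption key only when every
constraint holds, notifies the user when the policy asks for it, and records each
decision in a hash-chained audit log. XML vocabulary and request fields are assumed."""
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample policy, following the sections named on slide 24:
# reference to TA(s), constraints/obligations, platform constraint, actions.
SAMPLE_POLICY = """<sticky-policy>
  <trust-authority>TAA-1</trust-authority>
  <constraints>
    <purpose>billing</purpose>
    <not-after>2003-12-31</not-after>
    <recipient-domain>enterprise2.example</recipient-domain>
  </constraints>
  <platform-constraint attested-tcg="true"/>
  <actions notify-user="true" user-authorization="false"/>
</sticky-policy>"""

GENESIS = "0" * 64  # previous-hash value for the first audit entry


def parse_policy(xml_text: str) -> dict:
    """Turn the policy XML into the fields the policy engine checks."""
    root = ET.fromstring(xml_text)
    cons = root.find("constraints")
    return {
        "ta": root.findtext("trust-authority"),
        "purpose": cons.findtext("purpose"),
        "not_after": date.fromisoformat(cons.findtext("not-after")),
        "domain": cons.findtext("recipient-domain"),
        "need_attestation": root.find("platform-constraint").get("attested-tcg") == "true",
        "notify_user": root.find("actions").get("notify-user") == "true",
        "need_user_auth": root.find("actions").get("user-authorization") == "true",
    }


def _entry_hash(prev: str, record: dict) -> str:
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()


class TracingAuditingAuthority:
    def __init__(self, ta_id: str, master_secret: bytes):
        self.ta_id, self.master_secret = ta_id, master_secret
        self.audit_log, self.notifications = [], []

    def derive_key(self, policy_xml: str) -> bytes:
        # Stand-in for IBE key extraction: the key is a function of the exact policy
        # text, so a policy edited by the receiver yields a different, useless key.
        return hmac.new(self.master_secret, policy_xml.encode(), hashlib.sha256).digest()

    def request_key(self, policy_xml: str, req: dict):
        """Policy engine: every check must pass before the key is released."""
        p = parse_policy(policy_xml)
        checks = {
            "right_ta": p["ta"] == self.ta_id,
            "purpose": req["purpose"] == p["purpose"],
            "not_expired": req["date"] <= p["not_after"],
            "domain": req["requester"].endswith("@" + p["domain"]),
            "platform": req["tcg_attested"] or not p["need_attestation"],
            "user_auth": req["user_authorized"] or not p["need_user_auth"],
        }
        granted = all(checks.values())
        if p["notify_user"]:  # user involvement: the data subject learns of every request
            self.notifications.append({"to": req["data_subject"], "from": req["requester"], "granted": granted})
        record = {
            "requester": req["requester"], "purpose": req["purpose"], "date": req["date"].isoformat(),
            "policy_sha256": hashlib.sha256(policy_xml.encode()).hexdigest(),
            "granted": granted, "failed": [k for k, ok in checks.items() if not ok],
        }
        prev = self.audit_log[-1]["hash"] if self.audit_log else GENESIS
        self.audit_log.append({"prev": prev, "record": record, "hash": _entry_hash(prev, record)})
        return self.derive_key(policy_xml) if granted else None

    def verify_audit_log(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for entry in self.audit_log:
            if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    taa = TracingAuditingAuthority("TAA-1", b"constructed-master-secret")
    base = {"data_subject": "alice@example", "requester": "billing@enterprise2.example",
            "purpose": "billing", "date": date(2003, 9, 3), "tcg_attested": True, "user_authorized": False}
    key = taa.request_key(SAMPLE_POLICY, base)
    denied_purpose = taa.request_key(SAMPLE_POLICY, {**base, "purpose": "marketing"})
    denied_platform = taa.request_key(SAMPLE_POLICY, {**base, "tcg_attested": False})
    # Receiver rewrites the policy to permit marketing: the checks pass, but the key differs.
    edited = SAMPLE_POLICY.replace("billing", "marketing")
    edited_key = taa.request_key(edited, {**base, "purpose": "marketing"})
    valid_before = taa.verify_audit_log()
    taa.audit_log[1]["record"]["granted"] = True  # simulate tampering with a logged denial
    return {
        "granted": key is not None, "denied_purpose": denied_purpose is None,
        "denied_platform": denied_platform is None, "edited_key_differs": edited_key != key,
        "failed_checks": taa.audit_log[1]["record"]["failed"], "notifications": len(taa.notifications),
        "log_valid_before": valid_before, "log_valid_after_edit": taa.verify_audit_log(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details carry the slides' argument. The audit record stores a digest of the policy the key was requested under, so a later forensic review can tie each disclosure to the exact policy text; and the edited-policy request is granted by the policy engine yet returns a key that is useless against data wrapped under the original policy, which is the "stickiness guaranteed at least until the first disclosure" of slide 11 expressed in code.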
Slide 29: Discussion
- The usage of trusted third parties to mediate interactions, and of encryption for confidentiality, is not new.
- The potential added value of our approach consists of:
  - the mechanisms to associate sticky privacy policies to confidential data via IBE (a lightweight cryptography mechanism);
  - the active interaction model we introduced;
  - the combined usage of TCG, Tagged OS and Trust Authorities for integrity checking and policy enforcement.
- Other cryptography mechanisms could be used, but the IBE model fits very well at the client and server sites.
- Open issues:
  - Our policy enforcement is strong, but not impregnable (risks vs. costs?).
  - Adequacy of Trusted Platforms/Tagged OS to be verified.
  - Potential complexity of our solution. To be fully prototyped and tested. Research in progress.

Slide 30: Current and Future Work
- IBE technology is available. HP Labs have implemented a fast and optimised version of the IBE cryptography libraries.
- We have simple implementations of:
  - a TA service;
  - add-ins for authoring and management of privacy policies;
  - a policy-based engine.
- TPM chips and TCG-based PCs are available on the market.
- We have a working prototype of the Tagged OS.
- We have a working prototype of a non-repudiable, tamper-resistant Auditing and Logging System.
- Next steps: testing the suitability of our approach in real contexts.

Slide 31: Conclusions
- It is important to protect people's privacy on the Internet, increase accountability and allow people to be more involved (if they care).
- Despite laws, legislation and technical attempts to solve this problem, at the moment there are no solutions that address the whole set of involved issues.
- We described our approach to providing strong but not impregnable enforcement of privacy policies, more accountability and more user involvement.
- We presented a technical solution that leverages IBE (sticky policies and auditing services), Tagged-OS (low-level sticky policy) and TCG (trust and integrity checking).
- There are open issues; our research is in progress.

Slide 32: Backup Slides
RSA and IBE Cryptography Models

Slide 33: RSA Model

Slide 34: IBE Model (1)

Slide 35: IBE Model (2)