Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Serv - PowerPoint PPT Presentation

Loading...

PPT – Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Serv PowerPoint presentation | free to download - id: d4cf-OWQ5N



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Serv

Description:

Tagged Operating Systems (OSs) ... The TA can leverage TCG and Tagged-OS to make sure ... Joint usage of Tagged-OS and TCG to create Trust Domains. ... – PowerPoint PPT presentation

Number of Views:62
Avg rating:3.0/5.0
Slides: 37
Provided by: hpl5
Learn more at: http://www.hpl.hp.com
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Serv


1
Towards Accountable Management of
Identity and Privacy
Sticky Policies and Enforceable Tracing Services
  • Marco Casassa Mont
  • Siani Pearson
  • Pete Bramhall
  • Trusted Systems Laboratory
  • Hewlett-Packard Labs, Bristol, UK
  • TrustBus 2003, 2-4 September 2003
  • Prague, Czech Republic

2
Presentation Outline
  • Setting the Context
  • Scenario
  • Addressed Problems
  • Related Work
  • Our Approach
  • Discussion
  • Conclusions

3
Setting the Context
  • Digital Identities and Profiles are relevant to
  • enable transactions and interactions on the
    web,
  • in many contexts personal, social, business,
  • government, etc.
  • Privacy Management is a major issue involves
    people,
  • organisations, governments, etc.
  • Different reactions by people ranging from
    completely
  • ignoring the privacy issues to being so
    concerned
  • to prevent any web interaction

4
Scenario Multiparty Interactions 1
Multiparty Transaction / Interaction
Services
User
Negotiation of Privacy Policy
Services
Enterprise
Policies
Provision of Identity Profile Data
Data
Identity/ Profile Disclosure
Services
Enterprise
Enterprise
Similar issues in the e-Commerce, Enterprise,
Financial and Government Areas
5
Scenario Multiparty Interactions 2
  • Little has been done so far to directly involve
    people
  • (or third parties acting on their behalf) in
    the
  • management of their privacy
  • Users lack control over their personal
    information
  • after their initial disclosures
  • Organisations, as well, lack control over the
  • confidential information they manage on behalf
    of
  • their customers, once they disclose it to
    third parties
  • It is hard to make organisations accountable

6
Addressed Problems
  • Privacy Enforcement
  • Accountability of Organizations
  • Involvement of People in the Management
  • of their Personal Data

7
Related Work 1
  • Lot of work done to provide
  • Legislative Frameworks for Privacy
  • Different legislative approaches example US vs.
    EU
  • Privacy and Data Protection laws are hard to
    enforce
  • when personal information spreads across
    boundaries
  • In general users have little understanding or
  • knowledge of privacy laws and their
    implications

8
Related Work 2
  • W3C approach on Platform for Privacy Preferences
  • (P3P) simple policies, point-to-point
    interactions. Little
  • control on the fulfilment of these policies
    (at least,
  • in the current implementations)
  • Liberty Alliance and Microsoft Passport
    Identity and
  • Privacy Management based on closed web of
    trust
  • and predefined policies

9
Related Work 3
  • IBMs work on Enterprise Privacy Authorization
    Language
  • (EPAL) and related Privacy Framework
  • Association of fine-grained Privacy Policies
    (Sticky Policies)
  • to personal data. Enforcement of Privacy
    Polices by the Enterprise
  • Current Open Issues
  • - Policy Stickiness is not enforceable
  • - Too much trust in the enterprise
  • - Leakages of personal data can still
    happen
  • - Little users involvement.
  • The above issues are very hard to address!

10
Our Approach
  • About a Privacy and Accountability Model
    encompassing
  • Sticky Privacy Policies strongly associated to
  • Identity Information
  • Mechanisms for strong (but not impregnable)
  • enforcement of privacy policies
  • Mechanisms to increase the Accountability of the
  • involved parties
  • Mechanisms to allow people to be more involved
  • in the management of their data (if they want
    to )

11
Privacy and Accountability Model
  • Key aspects
  • Confidentiality of Data obfuscation of
    confidential data
  • Strong Association of Privacy Policies to
    Confidential Data
  • - tamper resistant policies associated to
    data.
  • - Stickiness guaranteed at least till the first
    disclosure.
  • Policy Compliance Check and Enforcement by
    trusted
  • Tracing Auditing Authorities (TAAs) and
    Trusted Platforms OSs
  • Accountability Management auditing and tracing
    of
  • disclosures by TAA (used as evidence)
  • User Involvement policy authoring,
    notification, authorization

12
Privacy and Accountability Model 1
?
7
13
Privacy and Accountability Model 2
  • Once confidential data is disclosed it can still
    be misused
  • Risks Mitigation via
  • Audit trail
  • Audit logs managed by TAAs can be used as
    Evidence and
  • for Forensic Analysis (logging at least the
    first disclosure )
  • Trusted Platforms and OSs
  • - checking for the Integrity of the Receivers
    environment
  • - enforcing part of the Privacy Policies
    directly at
  • the OS level. Research and Work in Progress

14
Privacy and Accountability Model
Technical Aspects 1
  • A technical implementation of our Privacy and
    Accountability Model leverages three key
    technologies
  • Identifier-based Encryption (IBE)
  • Trusted Platforms (TCG was TCPA, etc.)
  • Tagged Operating Systems (OSs)

15
What is Identifier-based Encryption (IBE)?
  • It is an Emerging Cryptography Technology
  • Based on a Three-Player Model Sender, Receiver,
    Trust Authority (Trusted Third Party)
  • Same Strength of RSA
  • Different Approaches Quadratic Residuosity, Weil
    Pairing, Tate Pairing
  • SW Library and Technology available at HP
    Laboratories

16
IBE Core Properties
  • 1st Property any kind of string (or Sequence
    of Bytes) can be used as an IBE Encryption Key
    for example a Role, an e-Mail Address, a Picture,
    a Disclosure Time, Terms and Conditions,
  • a Privacy Policy
  • 2nd Property the generation of IBE Decryption
    Keys can be postponed in time, even long time
    after the generation of the correspondent IBE
    Encryption Key
  • 3rd Property reliance on at least a Trust
    Authority (Trusted Third Party) for the
    generation of IBE Decryption Key

17
IBE Three-Player Model
18
Privacy and Accountability Model
Technical Aspects 2
  • A technical implementation of our Privacy and
    Accountability Model leverages three key
    Technologies
  • Identifier-based Encryption (IBE)
  • Trusted Platforms (TCG was TCPA, etc.)
  • Tagged Operating Systems (OSs)

19
Trusted Platforms
  • A trusted platform provides hardware mechanisms
    (TPM) and tools to check for the integrity of
    computer platforms and their installed software
    (locally and remotely)
  • TCG (was TCPA) and Microsoft NGSCB initiatives
  • http//www.trustedcomputing.org
  • http//www.microsoft.com/ngscb
  • HP and HP Laboratories are directly involved in
    the TCG initiative

TPM
20
Privacy and Accountability Model
Technical Aspects 3
  • A technical implementation of our Privacy and
    Accountability Model leverages three key
    Technologies
  • Identifier-based Encryption (IBE)
  • Trusted Platforms (TCG was TCPA, etc.)
  • Tagged Operating Systems (OSs)

21
Tagged Operating Systems
  • A tagged Operating System
  • (OS) provides mechanisms and
  • tools to associate low level labels
  • to data and directly enforce and
  • manage them at the OS level.
  • The stickiness of a label to
  • the content, not to the content
  • holder (such as a file), ensures that
  • even when the data is copied
  • around the label follows it as well.
  • Labels can be associated
  • (at the OS level) to low level
  • Privacy Policies (rules),
  • directly enforced by the OS.
  • Rules dictate constraints on copies of
  • data, data transmissions, etc.

Policy File in Internal Format
Control Enforcement
Tagged Data
Decision
Policy evaluation engine
Flow causing operation
yes, no, more checks
22
Privacy and Accountability Model
Technical Aspects 4
GAP
GAP
23
High-level System Architecture
  • Based on the IBE Model
  • Privacy Policies are
  • represented as
  • IBE Encryption Keys
  • Confidential data is
  • encrypted with IBE
  • encryption keys
  • IBE encryption keys
  • stick with the encrypted
  • data (at least till the first
  • de-obfuscation of the data )
  • The Tracing and Auditing
  • Authority is an (IBE based)
  • Trust Authority.
  • Leveraging Trusted Platforms and

24
Sticky Privacy Policies
Example of high-level Sticky Policy (XML format)
Reference to TA(s)
Constraints/ Obligations
Platform Constraint
Actions (User Involvement)
IBE encryption keys can define any kind of
privacy constraints or terms and conditions to be
deployed and enforced at different levels of
abstractions (application/service, OS, platform)
25
Enforcement of Sticky Privacy Policies
Enterprise 1
Personal Data
Policy Engine
Sticky Privacy Policies
Enterprise 2
Enforcement via Trust Authority

Policy Engine
Enforcement By Trusted Platforms and Tagged
OS (Work in Progress)
Policy Engine
Trust Authority (TA)
26
Policy Enforcement by Trust Authority
  • Soft policy enforcement TA still
  • relies on the receiver to take care of the
  • data privacy, once data is disclosed
  • The TA interprets Privacy Policies via a Policy
    Engine
  • The TA makes sure that the Privacy Policies are
    satisfied
  • before issuing the IBE decryption key
  • Multiple TAs can be used, each of them
    specialised in
  • doing specific checks (easy with IBE-based
    approach )
  • Users can be notified or asked for
    authorization, if
  • the Privacy Policies require it (User
    Involvement)
  • Audit of disclosures, at least the first time
  • The TA can leverage TCG and Tagged-OS to make
    sure
  • that part of the policy enforcement is done
    upfront

Enterprise 1
Enterprise 2
Trust Authority (TA)
27
Policy Enforcement by Trusted Platforms
  • Stronger Enforcement of part of the privacy
    policies
  • (low level policies)
  • TCG integrity checking mechanisms checks for
  • platform trustworthiness along with
  • its SW and HW integrity. Cross boundaries
  • integrity checking on the platforms of the
    involved parties
  • To be effective, a widespread usage of
  • trusted platforms is required. At least all
    the
  • platforms involved in the task of processing
  • confidential data should be checked.
  • Some of them might not be exposed externally.
  • ? Too strong requirements for the time being
  • ? Limits on the kinds of HW and SW checks
  • Joint usage of Tagged-OS and TCG to create Trust
    Domains.
  • TCG to check upfront the integrity of the
    combined system.
  • Tagged-OS to enforce privacy policies directly
    at the OS level

Enterprise 1
Trust Domain
Enterprise 2
Trust Authority (TAA)
Research and Work in Progress
28
Accountability Management
  • Confidential data is encrypted
  • at least the first time the requestors
  • need to interact with the Tracing
  • and Auditing Authorities (TAAs)
  • Auditing and Logging of data disclosures
  • carried on by TAAs (at least the first time)
  • Multiple TAAs can be used to mitigate trust
    issues.
  • Users can run their own TAAs
  • Usage of Audit Logs as Evidence and
  • for Forensic Analysis
  • Research in progress at HP Labs on
  • tamper-resistant audit systems

Enterprise 1
Enterprise 2
Trust Authorities (TAAs)
29
Discussion
  • The usage of trusted third parties to mediate
    interactions and encryption
  • for confidentiality are not new
  • The potential added value of our approach
    consists of
  • The mechanisms to associate Sticky Privacy
    Policies to confidential data
  • via IBE (lightweight cryptography
    mechanism)
  • The active interaction model we introduced
  • The combined usage of TCG, Tagged OS and Trust
    Authorities for integrity
  • checking and policy enforcement
  • Other cryptography mechanisms could be used but
    the IBE model fits very well
  • at the client and server sites
  • Open issues
  • Our policy enforcement is strong, but not
    impregnable (risks vs. costs?)
  • Adequacy of Trusted Platforms/Tagged OS to be
    verified
  • Potential complexity of our solution. To be
    fully prototyped and tested
  • Research in progress

30
Current and Future Work
  • IBE technology is available. HP Labs have
    implemented a fast and optimised
  • version of the IBE cryptography libraries
  • We have simple implementations of
  • - a TA service
  • - add-ins for authoring and management of
    privacy policies
  • - a policy-based engine
  • TPM chips and TCG-based PCs are available on the
    market
  • We have a working prototype of the Tagged OS
  • We have a working prototype of a non-repudiable,
    tamper resistant Auditing
  • and Logging System.
  • Next steps testing the suitability of our
    approach in real contexts

31
Conclusions
  • It is important to protect peoples privacy on
    the Internet, increase
  • accountability and allow people to be more
    involved (if they care)
  • Despite laws, legislations and technical
    attempts to solve this problem,
  • at moment there are no solutions to address
    the whole set of involved issues
  • We described our approach to provide a strong
    but not impregnable
  • enforcement of privacy policies, more
    accountability and more user involvement
  • We presented a technical solution that leverages
    IBE (sticky policies and
  • auditing services), Tagged-OS (low level
    sticky policy) and TCG (trust
  • and integrity checking)
  • There are open issues our research is in
    progress

32
Backup Slides
RSA and IBE Cryptography Models
33
RSA Model
34
IBE Model 1
35
IBE Model 2
36
(No Transcript)
About PowerShow.com