17.11.2015 thomas maus
Cryptographic Enforcement of Segregation of Duty
● “доверяй, но проверяй” – old Russian proverb
  “rely yet verify”
● Thomas Maus
  ◉ thomas.maus alumni.uni-karlsruhe.de
● DeepSec 2015

Introduction
● started with IT 1979 – school experiment
● Computer Science, University of Karlsruhe
  ◉ study + research
  ◉ EISS = European Institute of System Security
● 1993: self-employed IT security consultant
● some representative talks:
  ◉ risk analysis + mgmt (DECUS 2003 + others)
  ◉ eHealth (in)security (21C3+22C3, various others)
  ◉ crypto-analytic password quality measures (various)
  ◉ RFID (in)security (various)
  ◉ Tale Telling Timings (various)

Introduction …
● home-town: Trier
  ◉ situated between Eifel and Hunsrück
  ◉ low population density
  ➜ scarce public transport facilities
● hitchhiking?
  ◉ too dangerous …

Introduction …
● IT supported + secured hitchhiking?
● objectives:
  ◉ anonymity as far as possible
    ◎ at least strong pseudonymity
    ◎ no tracking
  ◉ crime prevention + prosecution
    ◎ mutually verifiable registration status
    ◎ “on-line” transaction registry
    ◎ tracking of missing persons by police + next of kin
  ◉ coordination + matching of travel opportunities and wishes
  ◉ integration into public transport system
    ◎ tickets
    ◎ payment of transport providers

Introduction …
● school administration SW of federal state
  ◉ developed by participants of school experiment
  ◉ i.e. mostly by pupils!
  ◉ chosen by proven computer versatility
  ◉ e.g. successful hacking of school computer ;-)
● challenge:
  ◉ forestall impeachment of pupil programmer's graduation diploma
  ◉ build confidence in correctness → reliance

Introductory Conclusions
● multi-lateral security needed
● multiple security dimensions
  ◉ “classical”: confidentiality + integrity + availability
  ◉ correctness
  ◉ verifiability / auditability
  ◉ separation of duties
  ◉ non-repudiation / proof of volition vs. error
  ◉ privacy
    ◎ transparency + control for subject
    ◎ non-traceability / data minimization
    ◎ robustness against inference and extrapolation
  ◉ …

Example for Illustration: Data Retention
● soft or social Science Fiction
  ◉ “how a technology could transform a society”
  ◉ hard science core = cryptography
    ◎ ¼ century around: public-key cryptography
    ◎ construct of ideas open for debate
  ◉ soft socio-political outer shell
    ◎ fictional stances of society and various personas
    ◎ only for demonstration purposes
    ◎ suspension of disbelief requested

Visualization of Cryptographic Instruments
● asymmetric keys of cyan persona (Alice)
  ◉ private key
  ◉ public key
● asymmetric keys of red persona (Bob)
● usage examples
  ◉ sealed (signed) with red private key
  ◉ encrypted with cyan public key
  ◉ first sealed, then encrypted
  ◉ first encrypted, then sealed
  ◉ typically implicit and invisible: symmetric keys
  ◉ decryption possible by Alice or Bob, with detached seal by Carol

Our fictitious Society: Dramatis Personae
● civil society
  ◉ constitutional democracy
  ◉ politically participating citizens (citoyen)
  ◉ civil rights organisations
● investigative authorities
  ◉ police detectives
  ◉ public prosecutor
● examining magistrate (= Ermittlungsrichter)
● (federal) privacy commissioner
● telecommunication service providers

Dramatis Personae: Civil Society
● ultimate democratic sovereign
  ◉ votes + referenda
  ◉ political parties
  ◉ NGOs
● objectives
  ◉ active political participation
  ◉ protect
    ◎ constitutional democracy
    ◎ fundamental human + civil rights
  ◉ vigilant about
    ◎ panopticon effect
    ◎ correct exercise of office by representatives + officials
  ◉ crime prevention + prosecution

Dramatis Personae: Investigative Authorities
● obligations
  ◉ crime investigation for prevention + prosecution
● conflicting interests
  ◉ fundamental civil rights
    ◎ privacy of correspondence, posts + telecommunications
    ◎ privacy of the home
    ◎ …
● intentions
  ◉ tactical secrecy of investigation
  ◉ earning + keeping public confidence
  ◉ auditability
  ◉ exoneration capabilities
● public prosecutor's keys

Dramatis Personae: Examining Magistrate
● obligations
  ◉ individual decisions within legal framework
  ◉ crime investigation ↔ fundamental rights
● conflicting interests
  ◉ enable optimal crime investigation
  ◉ protect fundamental civil rights
● intentions
  ◉ tactical secrecy of investigation
  ◉ earning + keeping public confidence
  ◉ auditability
  ◉ exoneration capabilities
● examining magistrate's keys

Dramatis Personae: Federal Privacy Commissioner
● obligations
  ◉ formal control of disclosure requests
  ◉ official auditing + statistics + reporting
  ◉ investigation + information in special cases: e.g. medical doctors, lawyers, priests, …
  ◉ official investigation of complaints
  ◉ destruction of own private key in certain cases
● intentions
  ◉ protection of fundamental rights within statutes
  ◉ earning + keeping public confidence
● federal privacy commissioner's keys

Dramatis Personae: Telecommunication Service Providers
● obligations
  ◉ provide legally required data structures to investigation authorities
● intentions
  ◉ compliance
  ◉ minimal involvement
  ◉ exoneration capabilities
  ➜ rapid erasure of cleartext connection data
● telecommunication provider's keys (pars pro toto)

Manifold Imaginable Socio-Political Decisions
● much flexibility needed within framework!
● creative leeway + areas of decisions
  ◉ initial data for investigation services?
  ◉ keeper of data?
  ◉ sequence of workflows?
  ◉ veto powers?
  ◉ …

Initial Data for Investigation Services
● selection of data to be disclosed
● general data structure
  ◉ “handle” → “opaque protected data”
  ◉ “handle” =
    ◎ information freely available to investigators
    ◎ not perceived as impairing fundamental rights
  ◉ “opaque protected data” =
    ◎ information pertaining to fundamental rights
    ◎ accessible only via safeguarded procedure
      ○ crypto-enforced
      ○ segregation of duty
      ○ review + control
      ○ auditability

Initial Data: The “Handle”
● subset of communication data as selector
● example of inappropriate handles
  ◉ (calling id, precise start time, precise end time)
  ◉ (called id, precise start time, precise end time)
  ☢ correlate time stamps → infer speaking parties
● dilution of precision / obscuration of handles!
  ◉ protection against inference + extrapolation
  ◉ balanced with specificity
● example of diluted handles
  ◉ (calling id, diluted start time, diluted duration)
  ◉ (called id, diluted start time, diluted duration)
  ◉ (diluted location, diluted time period)
e.g.
● per minute
● ⌊5 minutes⌋
● ⌊¼ hours⌋
● …
● depending on time-of-day
e.g.
● per minute
● {<1, <2, <3, <5, <10, <15, …} minutes
e.g.
● cell base station
● precinct
● geo coord ⌊arc minute⌋
● …
● depending on area
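
The inference risk and the effect of dilution described on the “Handle” slide, as an added example that is not part of the original talk. It joins the two freely readable handle lists on their time part, once with precise times and once with a 5-minute start slot and the duration buckets named above; the function names and the sample calls are constructed for illustration.

```python
from bisect import bisect_right
from collections import Counter

DURATION_EDGES_MIN = [1, 2, 3, 5, 10, 15]  # buckets <1, <2, <3, <5, <10, <15, …

def precise(start, end):
    """Inappropriate handle time part: exact start and end (seconds)."""
    return (start, end)

def diluted(start, end, slot=300):
    """Diluted time part: start floored to a 5-minute slot, duration as bucket index."""
    bucket = bisect_right(DURATION_EDGES_MIN, (end - start) / 60)
    return (start - start % slot, bucket)

def handle_tables(calls, time_part):
    """The two handle lists investigators may read freely."""
    calling = [(a, time_part(s, e)) for a, _, s, e in calls]
    called = [(b, time_part(s, e)) for _, b, s, e in calls]
    return calling, called

def inferred_pairs(calling, called):
    """Join both lists on the time part; a 1:1 match reveals who spoke to whom."""
    freq_calling = Counter(t for _, t in calling)
    freq_called = Counter(t for _, t in called)
    by_time = {t: b for b, t in called}
    return sorted((a, by_time[t]) for a, t in calling
                  if freq_calling[t] == 1 and freq_called.get(t) == 1)

# Constructed sample: (calling id, called id, start, end) in seconds since midnight.
CALLS = [
    ("A", "B", 36010, 36105),
    ("C", "D", 36020, 36130),
    ("E", "F", 36100, 36190),
    ("G", "H", 36150, 36900),  # unusually long call
]
```

With precise times all four pairs are inferred; with diluted handles only the unusually long call stays linkable, which is the balance with specificity the slide refers to.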

Initial Data: “Opaque protected Data”
● anonymous + unique?
  ◉ records of identical individual differ always
● pseudonymous?
  ◉ indirection
    ◎ “handle” → “pseudonym”
    ◎ “pseudonym” → “opaque protected data”
  ◉ pre-inspection or pseudonymous investigation
    ◎ pseudonyms in area AND called in time period
    ◎ which pseudonyms communicated often in time frame
    ◎ …
● a continuum anonymous ↔ pseudonymous!

Initial Data: Degrees of Pseudonymity
● scope of pseudonyms
  ◉ specific per location (for location requests)
    ◎ different granularities (≥ location requests)
      ○ country, state, district, postal code, base station, …
  ◉ specific per contact (for contact requests)
    ◎ pseudonyms only constant within conversation pairs
    ◎ … within areas – e.g. Vienna ↔ Graz, Vienna ↔ Salzburg
● durability of pseudonyms
  ◉ pseudonyms change at intervals
  ◉ … change event-driven – e.g. after disclosure
● how? e.g.
  ◉ key = HMAC(Nonce(Interval,Provider), conversation)
  ◉ pseudonym = encrypt(key, Nonce(Subscriber))
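
The two derivation formulas above, worked through as an added example that is not code from the talk. The slide does not name a cipher, so `encrypt` is a stand-in (a 4-round Feistel permutation built from HMAC-SHA256 over a 32-byte block); the `conversation` encoding, all function names and the sample nonces are assumptions made for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def conversation(a: str, b: str) -> bytes:
    """Order-independent label of a conversation pair (assumed encoding)."""
    return "|".join(sorted((a, b))).encode()

def encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the slide's encrypt(): 4-round Feistel over a 32-byte block."""
    left, right = block[:16], block[16:]
    for i in range(4):
        left, right = right, xor(left, prf(key, bytes([i]) + right)[:16])
    return left + right

def decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:16], block[16:]
    for i in reversed(range(4)):
        left, right = xor(right, prf(key, bytes([i]) + left)[:16]), left
    return left + right

def pseudonym_key(interval_nonce: bytes, a: str, b: str) -> bytes:
    # key = HMAC(Nonce(Interval,Provider), conversation)
    return prf(interval_nonce, conversation(a, b))

def pseudonym(interval_nonce: bytes, subscriber_nonce: bytes, a: str, b: str) -> bytes:
    # pseudonym = encrypt(key, Nonce(Subscriber))
    return encrypt(pseudonym_key(interval_nonce, a, b), subscriber_nonce)

# Constructed sample values; a provider would draw these at random.
INTERVAL = {1: prf(b"provider-demo", b"interval-1"), 2: prf(b"provider-demo", b"interval-2")}
SUBSCRIBER = {"alice": prf(b"provider-demo", b"alice#0")}
ALICE_BUMPED = prf(b"provider-demo", b"alice#1")  # Nonce(Subscriber) after a "bump"
```

The resulting pseudonym is stable only within one conversation pair and one interval, changes when the subscriber's Nonce is bumped, and can be mapped back to Nonce(Subscriber) only by a holder of the interval nonce.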

Initial Data: Degrees of Pseudonymity
● visibility of pseudonyms
  ◉ investigation services (cleartext)?
  ◉ examining magistrate – opaque for investigators?
  ◉ privacy commissioner?
● different pseudonym-levels per persona
  ◉ e.g. short-lived per contact for investigators
  ◉ long-term absolute for examining magistrate

Initial Data: “Opaque protected Data”
● anonymous?
  ⊕ maximum of non-traceability
  ⊖ lots of disclosure requests + effort + delay
  ⊖ many unnecessary disclosures
● pseudonymous?
  ⊖ less non-traceability (scalable)
  ⊕ fewer, more specific + promising disclosure requests
  ⊕ minimization of disclosures possible
  ⊕ flexible degrees of pseudonymity
  ⊕ investigations more unbiased
  ⊕ high efficiency
● framework accommodates whole continuum

Sketch of Example for Disclosure Procedure
● for sake of simplicity + demonstration: 1 representative workflow outline
● fundamental decisions
  ◉ examining magistrate is gatekeeper of process
    ◎ sequencing + veto powers
  ◉ examining magistrate involves in parallel civil NGOs + federal privacy commissioner
    ◎ parallelizing + distributed veto powers
  ◉ civil NGO decision model variations
    ◎ quorum decisions
    ◎ soft decisions + graded denial

Investigation Phase 1: Investigative Authorities
● free access to all
  handle → pseudonym, ???
● select relevant records by handle
● narrow down by pseudonyms
● build disclosure request

investigator's disclosure request
● urgency
● reasons for request
● optional further selection criteria
● set of records to be disclosed
● optional tactical secrecy considerations (what must not or may be disclosed to other parties)

Investigation Phase 2.1: Examining Magistrate
● decrypts + verifies investigator's request
● decrypts every
● selects data records for disclosure

PoV Examining Magistrate
● decision-relevant infos about caller + callee (e.g. medical or law office, emergency service, …)
● more significant pseudonyms (potentially)

Investigation Phase 2.2: Examining Magistrate
● prepares “decision audit record”
  ◉ complete decision grounds (including all facts)
  ◉ complete investigator's disclosure request
● prepares “disclosure decision”
● submits decision …

magistrate's disclosure decision
● urgency
● decision grounds (as far as tactical secrecy permits)
● for all selected records:

decision audit record

Investigation Phase 3.1: Federal Privacy Commissioner
● decrypts + verifies disclosure decision
● decrypts every
● archives decisions for review + verification

PoV Federal Privacy Commissioner
● decision-relevant infos about caller + callee (e.g. medical or law office, emergency service, …)
● more significant pseudonyms (potentially)
● (individual random key per record)

Investigation Phase 3.2: Federal Privacy Commissioner
● purely formal + automated decisions
  ◉ pseudonyms (potentially)
    ◎ narrow selection by investigator's algorithmic criteria
  ◉ decision-relevant infos
    ◎ verify statutory periods and subscriber criteria
    ◎ trigger specific
      ○ audit watch-lists
      ○ notifications to specific institutions
      ○ bumping of subscriber Nonces
● keys of approved selected records
  ◉ actually indexed list of either
    ◎ keys
    ◎ denials with justifications
● statistics for periodic reports

Investigation Phase 4: Delegates of Civil Society
● decrypts + verifies disclosure decision
● decrypts every
● role of delegates?
● many creative possibilities!
  ◉ 1st: as privacy commissioner (but more independent)
    ◎ purely formal + automated decisions of key disclosure
    ◎ own criteria of reporting
  ◉ more later …

PoV Civil Society
● decision-relevant infos about caller + callee (e.g. medical or law office, emergency service, …)
● (individual random key per record)

Investigation Phase 5: Examining Magistrate
● receives + pairs symmetric keys per record
  ◉ connection / location / subscriber data
  ◉ ⨁ = ??????
  ◉ clearance of innocent bystanders
● check lock by potential other investigations
● order bumping subscriber's Nonce
  ◉ order of re-pseudonymisation

Verification Phase 1: Civil Society + Privacy Commissioner
● verification of disclosure requests/decisions
  ◉ after investigation is closed or tried
  ◉ after statutory period
  ◉ individually or jointly by both bodies
  ◉ according to audit watch-lists + random sampling
● “decision audit record” copies of bodies
  ◉ decrypted by examining magistrate
  ◉ content verified via detached seal
  ◉ review of complete procedure
  ◉ discrepancies published + officials impeached
● verification/initiation of re-pseudonymisation

Roles Variants of the Delegates of Civil Society
● more freedom: power of disclosure denial
  ◉ imagine whatever-gate scandal scenario
    ◎ disclosure requests for journalist contacts
    ◎ delegates of civil society may require
      ○ concessions of supervising investigation
      ○ guarantees that investigation is unrelated (→ verification phase!)
● e.g. delegates elected for privacy manifestos
  ◉ voting weight according to vote percentages
  ◉ algorithmically defined manifestos (speed of decision!)
  ◉ possible individual consideration of circumstances
● e.g. “examining jurors/assessors”
  ◉ sworn to secrecy
  ◉ part + PoV of examining magistrate

Qualified Majority Control of Powers
● quorum decisions
  ◉ ≥ t “pros” out of N delegates
  ◉ secret-sharing / split-key schemes
    ◎ 2/3 quorum: simple approach
      ○ perfect secrecy < threshold t
      ○ doesn't scale …
    ◎ Shamir: polynomials, perfect secrecy < threshold
    ◎ Blakley: hyperplanes, “leaks” = pros reduce search space
    ◎ …
● modeling political + negotiable decisions?
  ◉ real-life ≠ mathematical “clear+hard” decisions
  ◉ effectively demonstrating reluctance + renitency?
  ◉ stimulating intended behavior?

Sketch for “Soft” Decision Making: Preparation Phase
● k random bits (≥ key size)
● key derivation function
  ◉ with carefully chosen stretching
● ECC: correct erasures
  ◉ intended: quorum q
  ◉ recover < (1-q)·n missing bits
● split secret to parties
  ◉ according voting weights
  ◉ encrypt with respective public keys
  ◉ propagate within opaque records

[diagram labels: random bits, KDF, ECC(q=75%), ECCed bits, part 1 / part 2 / … / part m]

Sketch for “Soft” Decision Making: Decision Phase
● each delegate withholds
  ◉ nothing at all
  ◉ part of share
  ◉ complete share
● extent of denial
  ◉ < quorum q bits → efficient key recovery
  ◉ > q bits + some margin → list-decoding (polynomial)
  ◉ beyond → brute-force = exponential time …
● fine-tuned effects of graded denial possible
  ◉ showing rising resistance non-detrimentally
  ◉ gradually slowing disclosure, forcing prioritisation
● democratic, decentralized mechanism!

[diagram labels: part 1 / part 2 / … / part m; Civil Rights; part 2 / … / part m, part 1 withheld (✘)]
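
The preparation and decision phases sketched on the two “Soft” Decision Making slides, as an added example that is not code from the talk. The slides name no concrete code or KDF, so this uses an assumed symbol-level erasure code (polynomial evaluation over GF(257)) and PBKDF2; with this code there is no list-decoding middle zone, only efficient recovery at or above the quorum and guessing below it. All names, weights, the sample secret and the check value are constructed.

```python
import hashlib
from itertools import product

P = 257        # symbol field GF(257); the concrete code is an assumption
STRETCH = 500  # KDF iterations: the price of every wrong guess

def lagrange_eval(points, x):
    """Value at x of the polynomial through points [(xi, yi)] over GF(P)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (x - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def kdf(secret):
    return hashlib.pbkdf2_hmac("sha256", bytes(secret), b"demo-salt", STRETCH)

def encode(secret, n):
    """Symbols 1..k carry the secret, k+1..n are redundancy; any k of n suffice."""
    points = list(enumerate(secret, 1))
    return {x: lagrange_eval(points, x) for x in range(1, n + 1)}

def split(code, weights):
    """Give each delegate a run of symbols proportional to its voting weight."""
    xs, total, start, shares = sorted(code), sum(weights.values()), 0, {}
    for name, weight in weights.items():
        count = len(xs) * weight // total
        shares[name] = {x: code[x] for x in xs[start:start + count]}
        start += count
    return shares

def recover(released, n, k, check):
    """Return (key, candidates tried); 1 candidate means the quorum was met."""
    known = sorted(released.items())[:k]
    holes = [x for x in range(1, n + 1) if x not in released][:k - len(known)]
    for tried, guess in enumerate(product(range(P), repeat=len(holes)), 1):
        points = known + list(zip(holes, guess))
        secret = [lagrange_eval(points, x) for x in range(1, k + 1)]
        if max(secret) < 256 and hashlib.sha256(kdf(secret)).digest() == check:
            return kdf(secret), tried
    return None, P ** len(holes)

# Constructed sample: 12 secret symbols, 16 code symbols (q = 75 %), weights 2:1:1.
SECRET = list(hashlib.sha256(b"constructed sample").digest()[:12])
SHARES = split(encode(SECRET, 16), {"A": 2, "B": 1, "C": 1})
CHECK = hashlib.sha256(kdf(SECRET)).digest()  # assumed way to recognise the right key
```

If delegate B withholds its complete share, the remaining 12 symbols still recover the key in one step; every symbol withheld beyond that multiplies the number of stretched KDF evaluations by up to 257, which is the graded slowing the slide describes.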

Thank You for Your Attention!
● Thomas Maus
  ◉ thomas.maus alumni.uni-karlsruhe.de
● Questions?
● Discussion …