Embed Size (px)
Citation preview
Privacy in Online Social Networks
Sonia Jahid
Department of Computer ScienceUniversity of Illinois at Urbana-Champaign
March 10, 2011
www.soniajahid.com
3
• Statistics• Privacy Issues• Research on Online Social Network security and
privacy– flyByNight– Persona– EASiER– NOYB
Outline
4
Facebook Case:• More than 500 million active users• 50% of active users log on to Facebook in any given day• Average user has 130 friends• People spend over 700 billion minutes per month on
Facebook• There are over 900 million objects that people interact
with • Average user is connected to 80 community pages, groups
and events• Average user creates 90 pieces of content each month• More than 30 billion pieces of content shared each
month.
Statistics
[1] [2] [3]
5
• Information leak by the Online Social Network (OSN)– Intentional
• “You’ve Been Poked by University Police”• “More Advertising Issues on Facebook”
– Accidental• “Facebook Revealed Private Email Addresses Last Night”• “Facebook suspends app that permitted peephole”
• Attacks– Spam– Phishing
• Oversharing• Stalking
Privacy Issues
60% users trust their friends18% users trust the provider6% users trust strangers
[4, 5, 6, 7, 8, 9]
6
• Isn’t privacy protected by policies?– Privacy policy changes over time– Confusing!– Leads to unwanted information leak to users!
Privacy Policies
[10]
Research on Privacy in OSN
Today’s Focus
Cryptography
flyByNight: Mitigating the Privacy Risks of Social Networking
Matthew M. Lucas, Nikita BorisovWPES, October 2008
8
9
• A facebook application designed to encrypt and decrypt data with an aim to mitigate privacy risks in social networks.
• Primary goal:– Hide information transferred through the OSN from the provider and the
application server.
• Key idea:– Encrypt sensitive data using JavaScript on the client side and send the
cipher text to intended parties, i.e., facebook friends.– Uses
• El-Gamal encryption• Proxy Cryptography
Overview
10
• Initialization– Client generates Public/Private key pair, password– Client transfers encrypted private key to flyByNight server, and saves in key Database
• Send Data:– Client encrypts private data M with friends’ PK, and tags the encrypted data with friends’ ID, saves
encrypted data in message Database on flyByNight server
• Receive Data:– Client decrypts private key with password, decrypts M with the private key
Architecture
11
• User encrypts the data• User gives the ciphertext to a proxy• User generates a key for the proxy, and for the
friend• Proxy transforms the ciphertext for an intended
party using El-Gamal encryption
One-to-Many Communication
12
• One encryption per recipient• A partial solution
Discussion
Persona: An Online Social Network with User-Defined Privacy
Randy Baden, Adam Bender, Neil Spring, Bobby Bhattacharjee
SIGCOMM 2009
13
14
• A new architecture for OSN that provides privacy– Encryption, Distributed Storage
• Key Idea:– Defines social relationships by attribute-key assignment– Encrypts data once for an attribute policy– Provides confidentiality through various cryptographic
mechanisms– Stores user information in distributed storage– Provides OSN functionality as services
Overview
Cryptography (Background on Attribute-based Encryption)
15
1
Professor OR (RA AND Security)
Professor OR (RA AND Security)
1
• Message1 can be viewed by – Professor OR (RA AND Security)Professor OR (RA AND Security)
Professor OR (RA AND Security)
SKSarah
Attribute: Professor, Architecture
SKSam
Attribute:RA, Networking
1
1
PK
MSKKey Authority
PK
16
• Symmetric Keys (AES) – Data Encryption
• Attribute-based Encryption (CPABE) – Distribute the AES keys for groups– Distribute RSA keys for group identities
• Asymmetric (RSA) keys– Distribute attribute-secret key
• Idea:– Generate Attribute Secret Key for U1:
ASK1
– Encrypt ASK1 with PK1 - EncPK1(ASK1)
– Enc(M, K), ABE(K, policy, APK)
U1:
• Decrypt EncPK1(ASK1) with her RSA private key to get ASK1
• Use ASK1 to get K from ABE(K, policy, APK)
• Use K to get M from Enc(M,K)
Cryptography
friend, neighbor
colleague, neighbor
friend
A.APK
17
• Data storage– Stored/retrieved through get/put– No authentication for get
• Functionalities like wall, profile provided through a multiple reader/writer application– Users register for application– Users add ACL to the application
page– Application page contains
metadata, i.e., references to data
• Encryption/Decryption done at client side using browser extension
Architecture
Storage Service
Application Server(Wall)
Post (data)ref
Post (ref)
authenticate
Alice posts on Bob’s wall
18
• Persona does not support efficient revocation– Have to rekey rest of the group just to revoke one
user from the group
• Though it says distributed storage, physically it is implemented on the same server
Discussion
EASiER: Encryption-based Access Control in Social Networks with Efficient Revocation
Sonia Jahid, Prateek Mittal, and Nikita Borisov
ASIACCS, March 2011 (to appear)
19
20
• An ABE scheme to enhance privacy in OSN with support for efficient revocation
• Supports complete or partial relationship revocation
• Primary Goal:– Support efficient revocation in ABE for OSN for fine-grained access
control
• Key Idea:– Social relationships defined using attribute keys– Introduces a minimally trusted proxy– Rekeys the proxy each time some key is revoked
Overview
21
Architecture
21
(SK1) (SK2) (SK3)
u1 u2 u3
KeyProxy (Revoke u1, u2)
Proxy
Modified CTcomponent
CTcomponent
PK, MK
1 AND Colleague
Neighbor
OR
Friend
22
• Revoked users can not decrypt future data, and even past data assuming they do not store data.
• EASiER efficiently supports the fine-grained access control in existing OSNs
• EASiER can be used in any domain that implements ABE
• EASiER does not support access delegation• The proxy has to forget old key
Discussion
NOYB: Privacy in Online Social Networks
Saikat Guha, Kevin Tang, and Paul Francis
WOSN 2008
23
24
• An architecture where user data is scattered and public, and a collection of other users’ data
• Key Idea:– Encrypt user data such that the ciphertext follows
semantic and statistical properties of legitimate data– Allow the service provider to work on ciphertext
Overview
25
• Uses out of band channel for key management
• User data is divided into atoms
• Atoms of similar type constitute a dictionary
• Atoms are replaced with other atoms from the dictionary
Architecture
(Alice, F, 26) (Bob, M, 30)
(Alice, F) (26) (Bob, M) (30)
(Alice, F, 27) (Bob, M, 26)
(Carol, F, 27)
(Carol, F) (27)
26
• Hiding in the crowd
• Needs character level substitution for unique values, e.g., email addresses
Discussion
27
• Online Social Networks need more privacy aware architecture
• Lot of research work on OSN security and privacy• Privacy aware works include– Cryptography– Programming language-based access control
enforcement– Decentralization of OSN
Conclusion
Online Social Network in Real Life
28
1. Facebook Statistics2. Facebook Statistics, Stats & Facts For 20113. Infographic: Twitter Statistics, Facts & Figures4. EDITORIAL: You've been poked by University police5. More Advertising Issues on Facebook6. Facebook Revealed Private Email Addresses Last Night7. Facebook suspends app that permitted peephole8. Social phishing, T. N. Jagatic, N. A. Johnson, M. Jakobsson9. Imagined
Communities: Awareness, Information Sharing, and Privacy on the Facebook,” Alessandro Acquisti and Ralph Gross. PET, 2006
10. Facebook's Eroding Privacy Policy: A Timeline
References
