Personal Privacy: Limited Disclosure using Cryptographic Techniques

1
Personal Privacy: Limited Disclosure using
Cryptographic Techniques
  • Mark Shaneck
  • Karthikeyan Mahadevan
  • SCLab

2
What is Privacy?
  • Privacy is the expectation that confidential
    personal information disclosed in a private place
    will not be disclosed to third parties, when that
    disclosure would cause either embarrassment or
    emotional distress to a person of reasonable
    sensitivities.
  • Information is interpreted broadly to include
    facts, images (e.g., photographs, videotapes),
    and disparaging opinions.

3
Privacy Invasion: Grocery Store
  • Using a credit card to pay for the groceries
  • The credit card information should be used only
    for the payment
  • What you buy should never be revealed to anyone.
  • This is a bird's-eye view of the problem.
    Although it is not serious, please visit
    http://www.rbs2.com/privacy.htm for more
    interesting problems.

4
A quotation
  • The Home Office caused controversy last year
    when it attempted to allow a long list of public
    authorities to access records of individuals'
    telephone and Internet usage. This
    "communications data" -- phone numbers and e-mail
    addresses contacted, web sites visited, locations
    of mobile phones, etc. -- would have been
    available without any judicial oversight, under
    the Regulation of Investigatory Powers Act 2000
    - London

5
What is Limited Disclosure?
  • California passed a law, SB 27, requiring
    disclosure to consumers of the kinds of
    information companies collect and share about
    them. Takes effect from 2005.
  • As the title suggests, we want to limit disclosure
    of personal information.
  • In other words, I and only I should provide access
    to my personal information.

6
Misuse of Personal Information
  • On average, 49% of victims did not know how their
    information was obtained.
  • Identity Theft
  • 27.3 million Americans have been victims of
    identity theft in the last five years
  • 67% of identity theft victims - more than 6.5
    million victims in the last year - report that
    existing credit card accounts were misused.
  • www.idtheftcenter.com

7
Real Life Examples
  • Almost 10 months after the World Trade Center
    attack, a widow found out that an identity clone
    had been living and working using her husband's
    information.
  • He had died during the attack.
  • A mother keeps receiving collection notices on
    her daughter's credit card accounts.
  • Her daughter died 17 years ago.

http://www.idtheftcenter.org/vg117.shtml
8
Other Scenarios
  • ISP Customer Information
  • Airlines Passenger Information
  • Medical Databases
  • Of course, 'Big Brother' is omnipotent
  • Personal Privacy on the Internet is a myth
    (http://www.epic.org/reports/surfer-beware.html)

9
Privacy Policy
  • Yes, there is enough literature, documents and
    other resources on Privacy Policy
  • But how many of us read the privacy agreements?
    (Has anyone really read EULA?)
  • Policies are really like traffic rules, but we
    still need a cop to enforce them.

10
Privacy
  • KYD's example: AIDS website
  • P3P (Platform for Privacy Preferences)
  • Privacy Tools
  • http://www.epic.org/privacy/tools.html
  • Other resourceful websites
  • Electronic Frontier Foundation: www.eff.org
  • Center for Democracy and Technology: www.cdt.org

11
Security in Databases
  • Designing databases with privacy as a central
    concern: Hippocratic Databases
  • Secure Databases: Executing SQL Queries over
    Encrypted Databases
  • Encrypted Keyword Search
  • There has been a lot of good work done in this area.

12
Why this talk?
  • For our project, we initially decided that we will
    solve one part of the Hippocratic Databases:
    Limited Disclosure
  • There is a solution based on P3P for limited
    disclosure
  • Cryptographic techniques to provide limited
    disclosure are the theme of our project

13
Definitions
  • $K_p = \prod_{i=p}^{P} k_i$ (where $P$ is some system
    parameter - length of storage agreement)
  • Let $h$ be a hash function $h: \{0,1\} \to \{0,1\}$m11
  • $k_0 = k$
  • $k_i = h(k_{i-1})$

14
Limited Disclosure - Setup
  • Chooses $n = pq$ ($p$, $q$ large primes) where $p =
    2x+1$, $q = 2y+1$ ($x$, $y$ large primes)
  • Chooses $e$, $d$ such that $ed \equiv 1 \pmod{\phi(n)}$
  • Chooses $K_p$ odd.
  • A stores $m^{eK_p} \bmod n$ and $K_p$, $n$ with DB

[Diagram: A and DB]
15
Limited Disclosure Scheme
[Diagram: A, B and DB]
  • DB computes $(m^{eK_p})^{rd} \bmod n$
  • B computes $(m^{rK_p})^{(rK_p)^{-1}} \bmod n$
16
What everybody knows
[Diagram: A, B and DB]
  • A: everything, of course: $n$, $p$, $q$, $\phi(n)$, $e$, $d$, $k$, $h$
  • B: $n$, $rd \bmod \phi(n)$, $(rK_p)^{-1} \bmod \phi(n)$
  • DB: $c$, $k$, $n$, $rd \bmod \phi(n)$
17
Limited Disclosure - Key Update
  • Every night, DB computes $(m^{eK_p})^{k_p^{-1}}$
  • A can now give authorization for some time in the
    future by computing the proper $K_p$ and $K_p^{-1}$
  • (A knows that the data will change, and does not
    want to give authorization until after the
    change, but wants to give the authorization token
    now)
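
The Definitions, Setup, Scheme and Key Update slides above, run end to end as an added Python example (not code from the presentation). The toy primes, the SHA-256-based h with its low bit forced to 1, the seed-picking helper and all function names are assumptions; the key update is modelled by A recomputing the ciphertext under the next period's K.

```python
import hashlib
from math import gcd, prod

# Constructed toy parameters (far too small for real use): p = 2x+1, q = 2y+1.
X, Y = 1439, 1481
N, PHI = (2 * X + 1) * (2 * Y + 1), 4 * X * Y   # n = pq, phi(n) = (p-1)(q-1)
E = 65537
D = pow(E, -1, PHI)                              # ed = 1 mod phi(n)
PERIODS = 4                                      # P, length of the storage agreement

def h(k):
    """Chain hash; the low bit is forced to 1 so every k_i is odd (assumption)."""
    digest = hashlib.sha256(k.to_bytes(32, "big")).digest()
    return int.from_bytes(digest[:8], "big") | 1

def chain(seed):
    """[k_0, ..., k_P] with k_0 = seed and k_i = h(k_{i-1})."""
    keys = [seed]
    for _ in range(PERIODS):
        keys.append(h(keys[-1]))
    return keys

def pick_seed():
    """A knows phi(n), so it rejects seeds whose keys are not invertible mod phi(n).
    The (k - 1) test only matters at toy size, where a stale token could work by chance."""
    seed = 3
    while not all(gcd(k, PHI) == 1 and gcd(k - 1, X * Y) == 1 for k in chain(seed)):
        seed += 2
    return seed

def store(m, keys, p):
    return pow(m, E * prod(keys[p:]), N)         # A -> DB: m^(e*K_p), K_p = k_p*...*k_P

def authorize(keys, p, r):
    """A's tokens for period p: rd mod phi(n) for DB, (r*K_p)^-1 mod phi(n) for B."""
    return r * D % PHI, pow(r * prod(keys[p:]), -1, PHI)

def db_answer(c, t_db):
    return pow(c, t_db, N)                       # (m^(e*K_p))^(rd) = m^(r*K_p) mod n

def b_recover(answer, t_b):
    return pow(answer, t_b, N)                   # (m^(r*K_p))^((r*K_p)^-1) = m mod n

def demo(m=42, r=12345):
    keys = chain(pick_seed())
    t_db, t_b = authorize(keys, 1, r)            # authorization for period p = 1
    fresh = b_recover(db_answer(store(m, keys, 1), t_db), t_b)
    stale = b_recover(db_answer(store(m, keys, 2), t_db), t_b)  # after one key update
    return fresh, stale
```

`demo()` returns the pair (value B recovers during the authorized period, value B gets with the same token after one key update); the first equals m and the second does not.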

18
Benefits
  • A is mostly offline (only needed when giving
    authorization, which can be done beforehand)
  • A keeps DB out of the loop when changing access
    control lists
  • Requires no authorization checking from DB. DB
    just responds to all queries with the encrypted
    data.
  • Disables B from checking if cached copy of A's
    data is still valid (after expiration of
    authorization)

19
Lines of Thought
  • We think that e is used only by the owner of the
    data; can we keep this as a secret?
  • Is this scheme secure?
  • Can we use a symmetric key system?

20
Future Work
  • Collaboration attack: can we avoid this?
  • Analyze the protocol for any security breaches
  • If possible provide a Proof of security
  • Tie this with P3P

21
Questions? Suggestions?