17.11.2015 thomas maus
Cryptographic Enforcement of Segregation of Duty
“доверяй, но проверяй”
– old Russian proverb
“rely yet verify”
- Thomas Maus
◉ thomas.maus alumni.uni-karlsruhe.de
- DeepSec 2015
Introduction
◉ study + research
◉ EISS = European Institute of System Security
◉ risk analysis + mgmt (DECUS 2003 + others)
◉ eHealth (in)security (21C3+22C3, various others)
◉ crypto-analytic password quality measures (various)
◉ RFID (in)security (various)
◉ Tale Telling Timings (various)
Introduction …
◉ situated between Eifel and Hunsrück
◉ low population density ➜ scarce public transport facilities
◉ too dangerous …
Introduction …
◉ anonymity as far as possible
  ◎ at least strong pseudonymity
  ◎ no tracking
◉ crime prevention + prosecution
  ◎ mutually verifiable registration status
  ◎ “on-line” transaction registry
  ◎ tracking of missing persons by police + next of kin
◉ coordination + matching of travel opportunities and wishes
◉ integration into public transport system
  ◎ tickets
  ◎ payment of transport providers
Introduction …
◉ developed by participants of school experiment
◉ i.e. mostly by pupils!
◉ chosen by proven computer versatility
◉ e.g. successful hacking of school computer ;-)
◉ forestall impeachment of pupil programmer's graduation diploma
◉ build confidence in correctness → reliance
Introductory Conclusions
◉ “classical”: confidentiality + integrity + availability
◉ correctness
◉ verifiability / auditability
◉ separation of duties
◉ non-repudiation / proof of volition vs. error
◉ privacy
  ◎ transparency + control for subject
  ◎ non-traceability / data minimization
  ◎ robustness against inference and extrapolation
◉ …
Example for Illustration: Data Retention
◉ “how a technology could transform a society”
◉ hard science core = cryptography
  ◎ ¼ century around: public-key cryptography
  ◎ construct of ideas open for debate
◉ soft socio-political outer shell
  ◎ fictional stances of society and various personas
  ◎ suspension of disbelief requested
Visualization of Cryptographic Instruments
◉ private key
◉ public key
◉ sealed (signed) with red private key
◉ encrypted with cyan public key
◉ first sealed, then encrypted
◉ first encrypted, then sealed
◉ typically implicit and invisible: symmetric keys
◉ decryption possible by Alice or Bob, with detached seal by Carol
Our fictitious Society: Dramatis Personae
◉ constitutional democracy
◉ politically participating citizens (citoyen)
◉ civil rights organisations
◉ police detectives
◉ public prosecutor
Dramatis Personae: Civil Society
◉ votes + referenda
◉ political parties
◉ NGOs
◉ active political participation
◉ protect
  ◎ constitutional democracy
  ◎ fundamental human + civil rights
◉ vigilant about
  ◎ panopticon effect
  ◎ correct exercise of office by representatives + officials
◉ crime prevention + prosecution
Dramatis Personae: Investigative Authorities
◉ crime investigation for prevention + prosecution
◉ fundamental civil rights
  ◎ privacy of correspondence, posts + telecommunications
  ◎ privacy of the home
  ◎ …
◉ tactical secrecy of investigation
◉ earning + keeping public confidence
◉ auditability
◉ exoneration capabilities
Dramatis Personae: Examining Magistrate
◉ individual decisions within legal framework
◉ crime investigation ↔ fundamental rights
◉ enable optimal crime investigation
◉ protect fundamental civil rights
◉ tactical secrecy of investigation
◉ earning + keeping public confidence
◉ auditability
◉ exoneration capabilities
Dramatis Personae: Federal Privacy Commissioner
◉ formal control of disclosure requests
◉ official auditing + statistics + reporting
◉ investigation + information in special cases: e.g. medical doctors, lawyers, priests, …
◉ official investigation of complaints
◉ destruction of own private key in certain cases
◉ protection of fundamental rights within statutes
◉ earning + keeping public confidence
Dramatis Personae: Telecommunication Service Providers
◉ provide legally required data structures to investigation authorities
◉ compliance
◉ minimal involvement
◉ exoneration capabilities ➜ rapid erasure of cleartext connection data
(pars pro toto)
Manifold Imaginable Socio-Political Decisions
◉ initial data for investigation services?
◉ keeper of data?
◉ sequence of workflows?
◉ veto powers?
◉ …
Initial Data for Investigation Services
◉ “handle” → “opaque protected data”
◉ “handle” =
  ◎ information freely available to investigators
  ◎ not perceived as impairing fundamental rights
◉ “opaque protected data” =
  ◎ information pertaining to fundamental rights
  ◎ accessible only via safeguarded procedure
    ○ crypto-enforced
    ○ segregation of duty
    ○ review + control
    ○ auditability
Initial Data: The “Handle”
◉ (calling id, precise start time, precise end time)
◉ (called id, precise start time, precise end time)
☢ correlate time stamps → infer speaking parties
◉ protection against inference + extrapolation
◉ balanced with specificity
◉ (calling id, diluted start time, diluted duration)
◉ (called id, diluted start time, diluted duration)
◉ (diluted location, diluted time period)
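Added example (not part of the original slides): how dilution changes the time-stamp correlation named above. The call records are constructed, and rounding down to fixed buckets is an assumed form of dilution, since the slides do not specify one.

```python
from itertools import product

# Constructed sample records, not from the talk: (subscriber id, start s, end s).
CALLING = [("A", 1000, 1185), ("B", 1012, 1130), ("C", 2000, 2400)]
CALLED = [("X", 1000, 1185), ("Y", 1012, 1130), ("Z", 2000, 2400)]


def precise(start, end):
    """Handle carrying precise start and end time."""
    return (start, end)


def diluted(start, end, time_bucket=900, duration_bucket=300):
    """Handle carrying diluted start time and diluted duration.
    Assumption: dilution means rounding down to a fixed bucket size."""
    return (start // time_bucket * time_bucket,
            (end - start) // duration_bucket * duration_bucket)


def candidate_pairs(calling, called, handle):
    """Every (caller, callee) pair whose handles coincide under `handle`."""
    return [(a[0], b[0]) for a, b in product(calling, called)
            if handle(a[1], a[2]) == handle(b[1], b[2])]


def anonymity_sets(calling, called, handle):
    """Number of callees each caller could have been talking to."""
    sizes = {a[0]: 0 for a in calling}
    for caller, _ in candidate_pairs(calling, called, handle):
        sizes[caller] += 1
    return sizes


if __name__ == "__main__":
    for name, handle in (("precise", precise), ("diluted", diluted)):
        print(name, candidate_pairs(CALLING, CALLED, handle),
              anonymity_sets(CALLING, CALLED, handle))
```

Caller C stays uniquely matched because no other call shares its bucket: dilution protects only when enough traffic falls into the same bucket, which is the balance with specificity the slide names.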
Initial Data: “Opaque protected Data”
◉ records of the same individual always differ
◉ indirection
  ◎ “handle” → “pseudonym”
  ◎ “pseudonym” → “opaque protected data”
◉ pre-inspection or pseudonymous investigation
  ◎ pseudonyms in area AND called in time period
  ◎ which pseudonyms communicated often in time frame
  ◎ …
Initial Data: Degrees of Pseudonymity
◉ specific per location (for location requests)
  ◎ different granularities (≥ location requests)
    ○ country, state, district, postal code, base station, …
◉ specific per contact (for contact requests)
  ◎ pseudonyms only constant within conversation pairs
  ◎ … within areas – e.g. Vienna ↔ Graz, Vienna ↔ Salzburg
◉ pseudonyms change at intervals
◉ … change event-driven – e.g. after disclosure
◉ key = HMAC(Nonce(Interval,Provider), conversation)
◉ pseudonym = encrypt(key, Nonce(Subscriber))
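Added example (not part of the original slides): the two formulas above as runnable Python, showing that a pseudonym is constant within one conversation pair and interval and changes otherwise. Assumptions: "conversation" is the unordered pair of subscriber ids, all nonces are random 32-byte values, the function names are illustrative, and encrypt() is replaced by a small HMAC-based Feistel network to stay within the standard library.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def new_nonce() -> bytes:
    """Random 32-byte value, used for Nonce(Interval,Provider) and Nonce(Subscriber)."""
    return secrets.token_bytes(32)


def conversation_key(interval_nonce: bytes, party_a: str, party_b: str) -> bytes:
    """key = HMAC(Nonce(Interval,Provider), conversation).
    Assumption: "conversation" is the unordered pair of subscriber ids."""
    pair = "\x00".join(sorted((party_a, party_b))).encode()
    return prf(interval_nonce, pair)


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # Stand-in for encrypt(): 4-round Feistel network over HMAC-SHA256 on
    # 32-byte blocks. A deployment would use a vetted block cipher instead.
    if len(block) != 32:
        raise ValueError("block must be 32 bytes")
    left, right = block[:16], block[16:]
    for r in rounds:
        mask = prf(key, bytes([r]) + right)[:16]
        left, right = right, bytes(x ^ y for x, y in zip(left, mask))
    return right + left  # final swap: reversed round order inverts the cipher


def pseudonym(key: bytes, subscriber_nonce: bytes) -> bytes:
    """pseudonym = encrypt(key, Nonce(Subscriber))"""
    return _feistel(key, subscriber_nonce, range(4))


def resolve(key: bytes, pseud: bytes) -> bytes:
    """A holder of the key maps a pseudonym back to the subscriber nonce."""
    return _feistel(key, pseud, reversed(range(4)))


if __name__ == "__main__":
    interval, alice = new_nonce(), new_nonce()
    key = conversation_key(interval, "alice", "bob")
    p = pseudonym(key, alice)
    print(p.hex(), resolve(key, p) == alice)
```

Replacing a subscriber's nonce with a fresh one (the "bumping" of subscriber nonces mentioned later in the talk) yields new pseudonyms under every key, which is one way to realise the event-driven change after a disclosure.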
Initial Data: Degrees of Pseudonymity
◉ investigation services (cleartext)?
◉ examining magistrate – opaque for investigators?
◉ privacy commissioner?
◉ e.g. short-lived per contact for investigators
◉ long-term absolute for examining magistrate
Initial Data: “Opaque protected Data”
⊕ maximum of non-traceability
⊖ lots of disclosure requests + effort + delay
⊖ many unnecessary disclosures
⊖ less non-traceability (scalable)
⊕ fewer, more specific + promising disclosure requests
⊕ minimization of disclosures possible
⊕ flexible degrees of pseudonymity
⊕ investigations more unbiased
⊕ high efficiency
Sketch of Example for Disclosure Procedure
1 representative workflow outline
◉ examining magistrate is gatekeeper of process
  ◎ sequencing + veto powers
◉ examining magistrate involves in parallel civil NGOs + federal privacy commissioner
  ◎ parallelizing + distributed veto powers
◉ civil NGO decision model variations
  ◎ quorum decisions
  ◎ soft decisions + graded denial
Investigation Phase 1: Investigative Authorities
handle → pseudonym, ???
investigator's disclosure request
(what must not or may be disclosed to other parties)
Investigation Phase 2.1: Examining Magistrate
PoV Examining Magistrate
(e.g. medical or law office, emergency service, …)
Investigation Phase 2.2: Examining Magistrate
◉ complete decision grounds (including all facts)
◉ complete investigator's disclosure request
magistrate's disclosure decision
decision audit record
Investigation Phase 3.1: Federal Privacy Commissioner
PoV Federal Privacy Commissioner
(e.g. medical or law office, emergency service, …)
Investigation Phase 3.2: Federal Privacy Commissioner
◉ pseudonyms (potentially)
  ◎ narrow selection by investigator's algorithmic criteria
◉ decision-relevant infos
  ◎ verify statutory periods and subscriber criteria
  ◎ trigger specific
    ○ audit watch-lists
    ○ notifications to specific institutions
    ○ bumping of subscriber Nonces
◉ actually indexed list of either
  ◎ keys
  ◎ denials with justifications
Investigation Phase 4: Delegates of Civil Society
◉ 1st: as privacy commissioner (but more independent)
  ◎ purely formal + automated decisions of key disclosure
◉ more later …
PoV Civil Society
(e.g. medical or law office, emergency service, …)
Investigation Phase 5: Examining Magistrate
connection / location / subscriber data
⨁ = ??? ???
clearance of innocent bystanders
Verification Phase 1: Civil Society + Privacy Commissioner
◉ after investigation is closed or tried
◉ after statutory period
◉ individually or jointly by both bodies
◉ according to audit watch-lists + random sampling
◉ decrypted by examining magistrate
◉ content verified via detached seal
◉ review of complete procedure
◉ discrepancies published + officials impeached
decision audit record
Roles Variants of the Delegates of Civil Society
◉ imagine whatever-gate scandal scenario
  ◎ disclosure requests for journalist contacts
  ◎ delegates of civil society may require
    ○ concessions of supervising investigation
    ○ guarantees that investigation is unrelated (→ verification phase!)
◉ voting weight according to vote percentages
◉ algorithmically defined manifestos (speed of decision!)
◉ possible individual consideration of circumstances
◉ sworn to secrecy
◉ part + PoV of examining magistrate
Qualified Majority Control of Powers
◉ ≥ t “pros” out of N delegates
◉ secret-sharing / split-key schemes
  ◎ 2/3 quorum: simple approach
    ○ perfect secrecy < threshold t
    ○ doesn't scale …
  ◎ Shamir: polynomials, perfect secrecy < threshold
  ◎ Blakley: hyperplanes, “leaks” = pros reduce search space
  ◎ …
◉ real-life ≠ mathematical “clear+hard” decisions
◉ effectively demonstrating reluctance + renitency?
◉ stimulating intended behavior?
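Added example (not part of the original slides): Shamir's scheme applied to the "≥ t pros out of N" rule, with the voting weights of the previous slide modelled as several shares per delegate and a 2/3 quorum. Delegate names, weights, the prime field and the function names are assumptions made for the illustration.

```python
import secrets

P = 2**127 - 1  # prime field for the shares (assumption: key fits below P)


def split(secret: int, threshold: int, n_shares: int):
    """Shamir: random polynomial of degree threshold-1 with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def f(x):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        return y

    return [(x, f(x)) for x in range(1, n_shares + 1)]


def combine(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def deal(secret, weights, quorum_num=2, quorum_den=3):
    """One share per unit of voting weight; threshold = ceil(quorum * total)."""
    total = sum(weights.values())
    threshold = -(-total * quorum_num // quorum_den)
    shares = iter(split(secret, threshold, total))
    dealt = {name: [next(shares) for _ in range(w)]
             for name, w in weights.items()}
    return threshold, dealt


def disclose(dealt, pros):
    """Key reconstructed from the shares of the delegates voting "pro"."""
    return combine([share for name in pros for share in dealt[name]])


if __name__ == "__main__":
    weights = {"party_a": 5, "party_b": 4, "ngo_c": 2, "ngo_d": 1}  # constructed
    key = secrets.randbelow(P)
    t, dealt = deal(key, weights)
    print(t, disclose(dealt, ["party_a", "party_b"]) == key,
          disclose(dealt, ["party_a", "ngo_c"]) == key)
```

With fewer than t shares the interpolation yields an unrelated field element, and every candidate key remains equally consistent with the shares seen, which is the "perfect secrecy < threshold" property on the slide.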
Sketch for “Soft” Decision Making: Preparation Phase
◉ with carefully chosen stretching
◉ intended: quorum q
◉ recover < (1-q)·n missing bits
◉ according to voting weights
◉ encrypt with respective public keys
◉ propagate within
[diagram labels: KDF, random bits, ECC(q=75%), ECCed bits, part 1, part 2, …, part m]
Sketch for “Soft” Decision Making: Decision Phase
◉ nothing at all
◉ part of share
◉ complete share
◉ < quorum q bits → efficient key recovery
◉ > q bits+some margin → list-decoding (polynomial)
◉ beyond → brute-force = exponential time …
◉ showing rising resistance non-detrimentally
◉ gradually slowing disclosure, forcing prioritisation
[diagram labels: part 1, part 2, …, part m; part 2, …, part m ✘]
Thank You for Your Attention!
◉ thomas.maus alumni.uni-karlsruhe.de