
Privacy Management for Identity Information: It Is Not Just a Matter of Authorization


Presentation Transcript


  1. Privacy Management for Identity Information: It Is Not Just a Matter of Authorization. Marco Casassa Mont, marco_casassa-mont@hp.com, Trusted Systems Laboratory, Hewlett-Packard Labs, Bristol, UK. TERENA meeting, 20 November 2003, Malaga, Spain.

  2. Presentation Outline
  • Setting the Context
  • Scenario
  • Addressed Problems
  • Related Work
  • Our Approach
  • Discussion
  • Conclusions
  (Slide footer: Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol, UK)

  3. Setting the Context
  • Digital Identities and Profiles are relevant to enable transactions and interactions on the web, in many contexts: personal, social, business, government, etc.
  • Privacy Management is a major issue: it involves people, organisations, governments, etc.
  • People react differently: reactions range from "completely ignoring the privacy issues" to "being so concerned as to avoid any web interaction".

  4. What is Important?
  [Diagram: multiparty transaction / interaction. A user negotiates a privacy policy with services (finance, government and other services), provides identity and profile data, and the enterprises disclose that identity/profile data onward to other enterprises. Key elements: user specification of policies, enforcement, accountability.]

  5. What is Important?
  • Little has been done so far to directly involve people (or third parties acting on their behalf) in the management of their privacy
  • Users lack control over their personal information after their initial disclosures
  • Organisations, as well, lack control over the confidential information they manage on behalf of their customers, once they disclose it to third parties
  • It is hard to make organisations accountable

  6. Key Issues
  • Privacy Enforcement
  • Accountability of Organizations
  • Involvement of People in the Management of their Personal Data

  7. Related Work: Legal Frameworks
  • A lot of work has been done to provide Legislative Frameworks for Privacy: EU Data Protection Laws, US Laws (HIPAA, COPPA, etc.), Safe Harbour, etc. http://www.privacyinternational.org/survey/phr2003/
  • Different legislative approaches: for example US vs. EU
  • Privacy and Data Protection laws are hard to enforce when personal information spreads across boundaries
  • In general users have little understanding or knowledge of privacy laws and their implications

  8. Related Work: W3C P3P, MS Passport, LA
  • W3C approach on Platform for Privacy Preferences (P3P): simple policies, point-to-point interactions. Little control on the fulfilment of these policies (at least, in the current implementations)
  • Liberty Alliance and Microsoft Passport: Identity and Privacy Management mainly based on a closed web of trust and predefined policies
  • Liberty Alliance: ID-WSF/PPEL

  9. Related Work: EPAL
  • IBM's work on Enterprise Privacy Authorization Language (EPAL) and related Privacy Framework
  • Association of fine-grained Privacy Policies (Sticky Policies) to personal data. Enforcement of Privacy Policies by the Enterprise
  [Diagram: the user's Id data and policies are stored in Id and Policy Repositories at the enterprise; a Policy Enforcement component mediates access by the enterprise's services.]

  10. Related Work: EPAL 1.1 Specification http://www.zurich.ibm.com/security/enterprise-privacy/epal/Specification/index.html

  11. Related Work: EPAL – Open Issues
  • The "Stickiness" of policies is not enforceable
  • Too much trust in the enterprise
  • Leakages of personal data can still happen
  • Little user involvement: the association of policies to Identity Information happens at the enterprise site …
  • Complexity
  • Privacy management is not just a matter of Authorization …

  12. Our Approach
  Privacy and Accountability Model encompassing:
  • "Sticky" Privacy Policies strongly associated to Identity Information
  • Mechanisms for strong (but not impregnable) enforcement of privacy policies
  • Mechanisms to increase the Accountability of the involved parties
  • Mechanisms to allow people to be more involved in the management of their data (if they want to …)

  13. Privacy and Accountability Model
  [Diagram: a User and an Enterprise take part in a Transaction; the user's data is held in the Enterprise DB together with its policy P. Elements shown: User Involvement, Enforcement, Tracing and Audit Authority, Transparency, Evidence, Policy Compliance, and the question "Accountable?".]

  14. Privacy and Accountability Model [1]
  [Diagram: multiparty transaction / interaction between a User, several Enterprises (with their Services) and the Tracing and Auditing Authorities (TAAs). Numbered steps, as far as they can be recovered from the slide:
  1. Negotiation of Privacy Policy (user and enterprise; results in Policies / Sticky Policies)
  2. Obfuscated Data + Sticky Privacy Policies (user to enterprise)
  3. Obfuscated Data + Sticky Privacy Policies (passed on from one enterprise to another)
  4. Request for Disclosure of Data + Sticky Privacy Policies + Credentials (enterprise to TAAs)
  5. Decryption Key (if Authorised) (TAAs to enterprise)
  6. Checking for Integrity and Trustworthiness of Remote Environment (at each enterprise's services)
  7. Request for Authorization or Notification (TAAs to user)
  An eighth step is drawn at the enterprise that holds the data; its label is not in the extracted text.]

  15. Privacy and Accountability Model [2]
  • Once confidential data is disclosed it can still be misused …
  • Risk mitigation via:
   - Audit trail: audit logs managed by TAAs can be used as Evidence and for Forensic Analysis (logging at least the first disclosure …)
   - Trusted Platforms and OSs: checking for the Integrity of the Receivers' environment; enforcing part of the Privacy Policies directly at the OS level. Research and Work in Progress …

  16. Privacy and Accountability Model: Technical Aspects [1]
  A technical implementation of our Privacy and Accountability Model leverages three key technologies:
  • Identifier-based Encryption (IBE)
  • Trusted Platforms (TCG, formerly TCPA, etc.)
  • Tagged Operating Systems (OSs)

  17. What is Identifier-based Encryption (IBE)?
  • It is an emerging cryptography technology
  • Based on a Three-Player Model: Sender, Receiver, Trust Authority (Trusted Third Party)
  • Security comparable to RSA: the schemes rest on quadratic residuosity modulo an RSA-type composite or on bilinear pairings
  • Different approaches: Quadratic Residuosity, Weil Pairing, Tate Pairing …
  • SW Library and Technology available at HP Laboratories

  18. IBE Core Properties
  • 1st Property: any kind of "string" (or sequence of bytes) can be used as an IBE Encryption Key: for example a Role, an e-Mail Address, a Picture, a Disclosure Time, Terms and Conditions, a Privacy Policy …
  • 2nd Property: the generation of IBE Decryption Keys can be postponed in time, even a long time after the generation of the corresponding IBE Encryption Key
  • 3rd Property: reliance on at least one Trust Authority (Trusted Third Party) for the generation of the IBE Decryption Key. Because the authority can derive the decryption key for any encryption key, it is a key-escrow point and must be trusted accordingly.

  19. IBE Three-Player Model (Alice, Bob, Trust Authority)
  1. Trust Authority: generates and protects a Secret; publishes a Public Detail N.
  2. Alice knows the Trust Authority's published value of Public Detail N (it is well known or available from a reliable source).
  3. Alice chooses an appropriate Encryption Key. She encrypts the message: Encrypted message = {E(msg, N, encryption key)}
  4. Alice sends the encrypted message to Bob, along with the Encryption Key.
  5. Bob requests the Decryption Key associated to the Encryption Key from the relevant Trust Authority.
  6. The Trust Authority issues an IBE Decryption Key corresponding to the supplied Encryption Key only if it is happy with Bob's entitlement to the Decryption Key. It needs the Secret to perform the computation.

  20. How Does IBE Fit in Our Model?
  [Diagram: the three-player model applied to the privacy scenario. User: chooses the Privacy Policy e as the encryption key, encrypts the Profile message using the TAA's public details and sends the Encrypted Msg to the Enterprise. Enterprise: must satisfy the Policy; asks the TAA for the decryption key for e and then decrypts the Msg. TAA: computes the public details from its Secrets s, enforces the Policy, generates the Decryption Key and audits the request.]
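The three-player exchange of slides 19 and 20, as an added worked example that is not HP Labs' IBE library: a toy implementation of Cocks' quadratic-residuosity IBE (one of the approaches listed on slide 17), in which the "encryption key" is an arbitrary byte string, here the privacy policy, and the Trust Authority only derives the matching decryption key after a policy check. The primes, the policy string, the sample profile and the `policy_satisfied` flag standing in for the TA's policy engine are all assumptions of this example; the Mersenne primes are chosen only to make the example fast and are not secure.

```python
"""Toy Cocks IBE: any string is an encryption key; the TA issues decryption keys later."""
import hashlib
import secrets

# Toy modulus: two Mersenne primes, both congruent to 3 mod 4 as Cocks' scheme
# requires.  Assumption for the example only; a real deployment uses large
# random primes.  These are NOT secure.
P = (1 << 127) - 1
Q = (1 << 89) - 1


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0: returns 1, -1 or 0."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def hash_to_zn(identifier: bytes, n: int) -> int:
    """Map any byte string (the IBE 'encryption key') to a in Z_N with (a/N) = 1."""
    counter = 0
    while True:
        digest = hashlib.sha256(identifier + counter.to_bytes(4, "big")).digest()
        a = int.from_bytes(digest, "big") % n
        if a and jacobi(a, n) == 1:
            return a
        counter += 1


class TrustAuthority:
    """Tracing and Auditing Authority: owns the factorisation, issues decryption keys."""

    def __init__(self, p, q):
        self.p, self.q, self.n = p, q, p * q
        self.audit = []  # every key request is logged, so the first disclosure is traceable

    def public_details(self):
        return self.n

    def extract(self, identifier: bytes, requester: str, policy_satisfied: bool) -> int:
        # policy_satisfied stands in for the TA's policy engine (assumption).
        self.audit.append((requester, identifier, policy_satisfied))
        if not policy_satisfied:
            raise PermissionError("privacy policy not satisfied; no key issued")
        a = hash_to_zn(identifier, self.n)
        # r^2 == a or r^2 == -a (mod N), depending on whether a is a square mod p and q.
        return pow(a, (self.n + 5 - self.p - self.q) // 8, self.n)


def _random_with_jacobi(n, sign):
    while True:
        t = secrets.randbelow(n - 2) + 2
        if jacobi(t, n) == sign:
            return t


def encrypt(n, identifier: bytes, msg: bytes):
    """Encrypt bit by bit under the identifier; each bit becomes a pair (c1, c2)."""
    a = hash_to_zn(identifier, n)
    out = []
    for byte in msg:
        for i in range(7, -1, -1):
            sign = 1 if (byte >> i) & 1 else -1
            t1 = _random_with_jacobi(n, sign)
            t2 = _random_with_jacobi(n, sign)
            c1 = (t1 + a * pow(t1, -1, n)) % n   # decrypts when r^2 == a
            c2 = (t2 - a * pow(t2, -1, n)) % n   # decrypts when r^2 == -a
            out.append((c1, c2))
    return out


def decrypt(n, identifier: bytes, r: int, ciphertext) -> bytes:
    a = hash_to_zn(identifier, n)
    use_c1 = pow(r, 2, n) == a
    bits = []
    for c1, c2 in ciphertext:
        c = c1 if use_c1 else c2
        bits.append(1 if jacobi(c + 2 * r, n) == 1 else 0)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def demo():
    ta = TrustAuthority(P, Q)
    n = ta.public_details()
    policy = b"purpose=billing;retention=30d;ta=taa.example"   # assumed policy string
    profile = b"Alice, DOB 1970-01-01"                         # constructed sample data
    ct = encrypt(n, policy, profile)
    # The enterprise asks the TA for the key; it only gets one if the policy check passes.
    key = ta.extract(policy, "enterprise-1", policy_satisfied=True)
    recovered = decrypt(n, policy, key, ct)
    # A key issued for a different policy string does not open the data.
    wrong_key = ta.extract(b"purpose=marketing", "enterprise-2", policy_satisfied=True)
    garbage = decrypt(n, policy, wrong_key, ct)
    return recovered, garbage, len(ta.audit)
```

The policy string is bound to the ciphertext by construction: changing even one byte of it hashes to a different `a`, so the TA's key for the modified policy is useless against data encrypted under the original. This is the "stickiness" the model relies on, and it holds only up to the first decryption; after that the plaintext is in the enterprise's hands and the audit record is what remains.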

  21. Privacy and Accountability Model: Technical Aspects [2]
  A technical implementation of our Privacy and Accountability Model leverages three key technologies: Identifier-based Encryption (IBE); Trusted Platforms (TCG, formerly TCPA, etc.); Tagged Operating Systems (OSs).

  22. Trusted Platforms
  • A trusted platform provides hardware mechanisms (TPM), protected storage and tools to check for the integrity of computer platforms and their installed software (locally and remotely)
  • TCG (formerly TCPA) and Microsoft NGSCB initiatives: http://www.trustedcomputing.org http://www.microsoft.com/ngscb
  • HP and HP Laboratories are directly involved in the TCG initiative

  23. Trusted Platforms – TCG
  [Diagram: a Server whose Root of Trust measures the BIOS, OS and application loading; a User / ID Issuer can query the platform status.]
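The measurement chain sketched on slide 23, as an added example that is not TCG or HP code: a root of trust measures each component as it loads and folds the measurement into a platform register with the TPM extend rule PCR_new = H(PCR_old || measurement); a remote verifier (the TA of later slides) replays the event log and compares every component against a known-good list. Component images, names and the known-good list are constructed for the example. What this omits, and what a real "Query Status" needs, is the TPM signing the register value with a key bound to the chip; without that signed quote the reported value is just a claim.

```python
import hashlib


def measure(image: bytes) -> bytes:
    """Measurement of a component: hash of its image (assumed SHA-256)."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register commits to the whole ordered history."""
    return hashlib.sha256(pcr + measurement).digest()


def boot(images):
    """Root of trust measuring boot, OS and application loading.
    Returns the final register value and the event log it produced."""
    pcr = bytes(32)
    log = []
    for name, image in images:
        m = measure(image)
        log.append((name, m))
        pcr = extend(pcr, m)
    return pcr, log


def verify_platform(reported_pcr, log, known_good):
    """Verifier side: the log must reproduce the register, and every entry must
    be a component the verifier recognises."""
    pcr = bytes(32)
    for _, m in log:
        pcr = extend(pcr, m)
    if pcr != reported_pcr:
        return False, "event log does not reproduce the reported PCR"
    for name, m in log:
        if known_good.get(name) != m:
            return False, f"unknown or modified component: {name}"
    return True, "platform integrity verified"


def demo():
    # Constructed component images standing in for real firmware/OS/app binaries.
    bios, os_img, app = b"bios-v1", b"os-kernel-2.4", b"policy-engine-1.0"
    known_good = {"bios": measure(bios), "os": measure(os_img), "app": measure(app)}

    good_pcr, good_log = boot([("bios", bios), ("os", os_img), ("app", app)])
    bad_pcr, bad_log = boot([("bios", bios), ("os", b"os-kernel-2.4-rootkit"), ("app", app)])

    honest = verify_platform(good_pcr, good_log, known_good)
    tampered = verify_platform(bad_pcr, bad_log, known_good)      # log shows the bad kernel
    forged = verify_platform(bad_pcr, good_log, known_good)       # clean log, real register
    return honest, tampered, forged
```

The third case is the one that matters: a compromised OS can rewrite its own event log, but it cannot make the clean log replay to the register value the hardware actually accumulated.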

  24. Privacy and Accountability Model: Technical Aspects [3]
  A technical implementation of our Privacy and Accountability Model leverages three key technologies: Identifier-based Encryption (IBE); Trusted Platforms (TCG, formerly TCPA, etc.); Tagged Operating Systems (OSs).

  25. Tagged Operating Systems
  • A tagged Operating System (OS) provides mechanisms and tools to associate low level labels to data and directly enforce and manage them at the OS level.
  • The "stickiness" of a label to the content, not to the content holder (such as a file), ensures that even when the data is copied around the label follows it as well.
  • Labels can be associated (at the OS level) to low level Privacy Policies (rules), directly enforced by the OS. Rules dictate constraints on: copies of data, data transmissions, etc.
  • A working prototype is available at HP Laboratories, Bristol.
  [Diagram, Policy Creation and Translation: system policies are created in dflow and compiled into a Policy File in Internal Format; a Policy Evaluation Engine receives the Tagged Data and the flow-causing operation and returns a Decision (yes, no, more checks) to the Control Enforcement.]

  26. Tagged Operating Systems
  [Diagram: Tagged Data is followed through memory by the Tagged Kernel; a Policy Enforcement Point (PEP) in the kernel function evaluates (Policy, Tag, Operation, Destination). Example policy: internal – allow; external – encrypt with policy.]
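A user-space model of the label semantics on slides 25 and 26, as an added example that is not HP Labs' tagged-OS prototype: labels are attached to the content and propagate through copies, slices and concatenation, and a PEP consults a per-label rule table on every flow-causing operation, returning allow, deny or "encrypt with policy" depending on whether the destination is internal or external. The address range, the rule table and the sample data are assumptions of the example.

```python
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed enterprise address range

# Low-level rules keyed by label; slide 26's example is the "pii" entry.  Assumed.
POLICY = {
    "pii":     {"internal": "allow", "external": "encrypt", "copy": "allow"},
    "no-copy": {"internal": "allow", "external": "deny",    "copy": "deny"},
}


@dataclass(frozen=True)
class Tagged:
    """Bytes that carry their labels; labels follow the content, not the container."""
    content: bytes
    labels: frozenset = frozenset()

    def copy(self):
        return Tagged(self.content, self.labels)

    def slice(self, start, stop):
        return Tagged(self.content[start:stop], self.labels)

    def concat(self, other):
        # Mixing data taints the result with both sides' labels.
        return Tagged(self.content + other.content, self.labels | other.labels)


def decide(operation, data, destination=None):
    """PEP decision for a flow-causing operation on tagged data."""
    if operation == "send":
        kind = "internal" if ipaddress.ip_address(destination) in INTERNAL_NET else "external"
    else:
        kind = operation
    verdicts = {POLICY.get(label, {}).get(kind, "allow") for label in data.labels}
    if "deny" in verdicts:
        return "deny"
    if "encrypt" in verdicts:
        return "encrypt"
    return "allow"


class TaggedKernel:
    """Kernel functions wrapped by the PEP; every decision is recorded."""

    def __init__(self):
        self.audit = []

    def copy(self, data):
        d = decide("copy", data)
        self.audit.append(("copy", sorted(data.labels), d))
        if d == "deny":
            raise PermissionError("copy forbidden by label policy")
        return data.copy()

    def send(self, data, destination):
        d = decide("send", data, destination)
        self.audit.append(("send", destination, sorted(data.labels), d))
        if d == "deny":
            raise PermissionError(f"transmission to {destination} forbidden")
        if d == "encrypt":
            # Real system: wrap with the sticky policy (e.g. IBE) before it leaves.
            return ("encrypted-with-policy", sorted(data.labels), len(data.content))
        return ("plaintext", data.content)


def demo():
    k = TaggedKernel()
    profile = Tagged(b"Alice;DOB=1970-01-01;card=4111", frozenset({"pii"}))  # constructed
    public = Tagged(b"catalogue-v3")
    excerpt = profile.slice(0, 5)                  # label sticks to the substring
    report = public.concat(excerpt)                # label spreads to the mixed result
    internal = k.send(report, "10.1.2.3")[0]
    external = k.send(report, "203.0.113.5")[0]
    locked = Tagged(b"salary", frozenset({"no-copy"}))
    try:
        k.copy(locked)
        copy_blocked = False
    except PermissionError:
        copy_blocked = True
    return excerpt.labels, report.labels, internal, external, copy_blocked
```

Note what the tag does not do: once `send` returns plaintext to an internal peer that is not itself a tagged OS, the label is gone. That is why slide 40 talks about trust domains in which every machine handling the data runs the tagged kernel.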

  27. Privacy and Accountability Model: Technical Aspects [4]
  Technologies and the problems each addresses:
  • Our Privacy and Accountability Framework (IBE, TAAs, etc.): (high level) stickiness of Privacy Policies; User Involvement; Accountability Management; enforcement of aspects of the Privacy Policy
   (GAP)
  • Tagged OSs: (low level) stickiness of Privacy Policies; enforcement of aspects of the Privacy Policy
   (GAP)
  • Trusted Platforms (TCG …): (low level) source of trust and HW/SW integrity checking

  28. Control Flow
  [Diagram: the Enterprise Server (BIOS, Tagged OS, Apps) sends the TAA a Request for the IBE decryption Key together with Context, Id and Purpose (the IBE Encrypt Key is the Privacy Policy). The TAA checks the Policy, checks the Machine Status, records the request in its log and returns the Key. Dataflow Policies are enforced by the Tagged OS on the server; a User ID is associated with the request.]

  29. High-level System Architecture
  • Based on the IBE Model
  • Privacy Policies are represented as "IBE Encryption Keys"
  • Confidential data is encrypted with IBE encryption keys
  • IBE encryption keys "stick" with the encrypted data (at least till the first de-obfuscation of the data …)
  • The "Tracing and Auditing Authority" is an (IBE based) Trust Authority
  • Leveraging Trusted Platforms and Tagged OS for enforcing aspects of Privacy Policies (Work in Progress …)

  30. Sticky Privacy Policies
  Example of a high-level Sticky Policy (XML format). [The XML itself is not in the transcript; the slide marks four parts of it: Reference to TA(s); Constraints / Obligations; Platform Constraint; Actions (User Involvement).]
  IBE encryption keys can define any kind of privacy constraints or terms and conditions to be deployed and enforced at different levels of abstraction (application/service, OS, platform).

  31. Enforcement of Sticky Privacy Policies
  [Diagram: Personal Data with its Sticky Privacy Policies flows from Enterprise 1 to Enterprise 2. Enforcement via the Trust Authority (TA) plus a Policy Engine at each enterprise; enforcement by Trusted Platforms (TCG) and Tagged OS on every machine (Work in Progress).]

  32. Discussion
  • The use of "trusted third parties" to mediate interactions, and of encryption for confidentiality, is not new
  • The potential added value of our approach consists of:
   - the mechanisms to associate "Sticky" Privacy Policies to confidential data via IBE (a lightweight cryptographic mechanism);
   - the "active" interaction model we introduced;
   - the combined usage of TCG, Tagged OS and Trust Authorities for integrity checking and policy enforcement
  • Other cryptographic mechanisms could be used, but the IBE model fits very well at the client and server sites
  • Open issues:
   - our policy enforcement is strong, but not impregnable (risks vs. costs?)
   - adequacy of Trusted Platforms / Tagged OS to be verified
   - potential complexity of our solution; to be fully prototyped and tested
  • Research in progress …

  33. Current and Future Work
  • IBE technology is available. HP Labs have implemented a fast and optimised version of the IBE cryptography libraries
  • We have simple implementations of: a TA service; add-ins for authoring and management of privacy policies; a policy-based engine
  • TPM chips and TCG-based PCs are available on the market
  • We have a working prototype of the Tagged OS
  • We have a working prototype of a non-repudiable, tamper resistant Auditing and Logging System
  • Next steps: testing the suitability of our approach in real contexts …

  34. Conclusions
  • Privacy Languages do not solve the Privacy Management problem
  • Privacy is not just a matter of Authorization
  • Need to focus on Enforcement and Accountability
  • Presented a model for accountable management of private identity data:
   - User gains more control, aided by (their) third party
   - Audit of legitimate requests, shared with the user
   - Checks on enforcement mechanisms, linked to the TAA
   - Enterprise is accountable for use and enforcement; links to policy based enforcement

  35. Backup Slides: RSA and IBE Cryptography Models

  36. RSA Model
  [Diagram: the key owner keeps the secrets p and q, computes N = p*q, computes d and e, keeps d secret and publishes e and N. The sender encrypts Msg with (e, N) to obtain the Encrypted Msg; the owner decrypts with (N, d) to recover Msg.]

  37. IBE Model [1]
  [Diagram: the Trust Authority computes the public details from its secrets s and computes key pairs (E, D). The sender encrypts Msg with E and the public details; the receiver decrypts the Encrypted Msg with D.]

  38. IBE Model [2]
  [Diagram: the sender chooses the encryption key e and encrypts Msg with e and the public details. The receiver gets the decryption key for e from the Trust Authority, which generates it from its secrets s, and decrypts the Encrypted Msg.]

  39. Policy Enforcement by Trust Authority
  • "Soft" policy enforcement: the TA still relies on the receiver to take care of the data privacy, once data is disclosed …
  • The TA interprets Privacy Policies via a Policy Engine
  • The TA makes sure that the Privacy Policies are satisfied before issuing the IBE decryption key
  • Multiple TAs can be used, each of them specialised in doing specific checks (easy with an IBE-based approach …)
  • Users can be notified or asked for authorization, if the Privacy Policies require it (User Involvement)
  • Audit of disclosures, at least the first time …
  • The TA can leverage TCG and Tagged-OS to make sure that part of the policy enforcement is done upfront …
  [Diagram: Enterprise 1 and Enterprise 2, each holding Privacy Policies, and the Trust Authority (TA).]
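The TA-side checks of slide 39 run over a sticky policy with the four parts listed on slide 30, as an added example that is not HP Labs' policy engine: the engine confirms it is a TA the policy names, checks the purpose and requester constraints, requires an attested platform when the policy demands one, involves the user (notification, or an explicit authorization for listed purposes) and writes every decision to a hash-chained audit log. The field names, the policy, the requests and the hash-chain design are all assumptions of the example, since the slide's XML is not in the transcript; the canonical policy bytes are what the user would use as the IBE encryption key.

```python
import hashlib
import json

# Constructed sticky policy; sections follow slide 30, field names are assumed.
POLICY = {
    "trust_authorities": ["taa.example"],
    "constraints": {
        "purpose": ["billing", "fraud-check"],
        "requester": ["enterprise-1.example", "enterprise-2.example"],
    },
    "obligations": {"delete_after_days": 30},
    "platform": {"attested_integrity": True},
    "actions": {"notify_user": True, "user_authorization_for": ["fraud-check"]},
}


def canonical(policy) -> bytes:
    """Canonical policy text; this byte string is what gets used as the IBE encryption key."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Hash-chained log: each entry commits to the previous head, so editing or
    dropping an entry breaks verification (a simple stand-in for a tamper-resistant log)."""

    def __init__(self):
        self.entries = []
        self.head = bytes(32)

    def append(self, record):
        data = json.dumps(record, sort_keys=True).encode()
        self.head = hashlib.sha256(self.head + data).digest()
        self.entries.append((data, self.head))

    def verify(self) -> bool:
        h = bytes(32)
        for data, stored in self.entries:
            h = hashlib.sha256(h + data).digest()
            if h != stored:
                return False
        return True


class PolicyEngine:
    def __init__(self, ta_name, ask_user):
        self.ta_name = ta_name        # which TA this engine speaks for
        self.ask_user = ask_user      # callback: request -> bool (user involvement)
        self.log = AuditLog()
        self.notifications = []

    def evaluate(self, policy, request):
        """Return (issue_key, reasons). The IBE key is only released on True."""
        reasons = []
        if self.ta_name not in policy["trust_authorities"]:
            reasons.append("policy does not name this TA")
        c = policy["constraints"]
        if request["purpose"] not in c["purpose"]:
            reasons.append("purpose not permitted")
        if request["requester"] not in c["requester"]:
            reasons.append("requester not permitted")
        if policy["platform"]["attested_integrity"] and not request["platform_attested"]:
            reasons.append("receiver platform not attested")
        if not reasons and request["purpose"] in policy["actions"]["user_authorization_for"]:
            if not self.ask_user(request):
                reasons.append("user refused authorization")
        decision = "issue-key" if not reasons else "refuse"
        if policy["actions"]["notify_user"]:
            self.notifications.append((request["requester"], request["purpose"], decision))
        self.log.append({"policy": hashlib.sha256(canonical(policy)).hexdigest(),
                         "request": request, "decision": decision, "reasons": reasons})
        return decision == "issue-key", reasons


def demo():
    engine = PolicyEngine("taa.example", ask_user=lambda req: req["purpose"] != "fraud-check")
    base = {"requester": "enterprise-1.example", "platform_attested": True}
    results = [
        engine.evaluate(POLICY, {**base, "purpose": "billing"})[0],                    # issue
        engine.evaluate(POLICY, {**base, "purpose": "marketing"})[0],                  # refuse
        engine.evaluate(POLICY, {**base, "purpose": "fraud-check"})[0],                # user says no
        engine.evaluate(POLICY, {**base, "purpose": "billing", "platform_attested": False})[0],
    ]
    intact = engine.log.verify()
    # Tamper: rewrite the first record while keeping its stored head.
    data, head = engine.log.entries[1]
    engine.log.entries[1] = (data.replace(b'"refuse"', b'"issue-key"'), head)
    return results, intact, engine.log.verify(), len(engine.notifications)
```

Two points the code makes concrete. Refusal reasons are collected rather than short-circuited, so the audit record explains every failed constraint; and the log is append-only by construction, which is the minimum needed before a TAA's logs can serve as evidence as slide 41 proposes.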

  40. Policy Enforcement by Trusted Platforms
  • Stronger enforcement of part of the privacy policies (low level policies)
  • TCG integrity checking mechanisms check for platform trustworthiness along with its SW and HW integrity. Cross-boundary integrity checking on the platforms of the involved parties
  • To be effective, a widespread usage of trusted platforms is required. At least all the platforms involved in the task of processing confidential data should be checked. Some of them might not be exposed externally.
   → Too strong a requirement for the time being …
   → Limits on the kinds of HW and SW checks …
  • Joint usage of Tagged-OS and TCG to create Trust Domains: TCG to check upfront the integrity of the "combined" system; Tagged-OS to enforce privacy policies directly at the OS level (disallow copies of data, send data only to specific IP addresses, etc.)
  [Diagram: Enterprise 1 forms a Trust Domain of machines running Tagged OS on TCG platforms; Enterprise 2 and the Trust Authority (TAA) alongside.] Research and Work in Progress …

  41. Accountability Management
  • Confidential data is encrypted: at least the first time, requestors need to interact with the Tracing and Auditing Authorities (TAAs)
  • Auditing and Logging of data disclosures carried out by TAAs (at least the first time)
  • Multiple TAAs can be used to mitigate trust issues. Users can run their own TAAs
  • Usage of Audit Logs as Evidence and for Forensic Analysis
  • Research in progress at HP Labs on tamper-resistant audit systems
  [Diagram: Enterprise 1 and Enterprise 2, each with Privacy Policies, and the Trust Authorities (TAAs).]
