1 / 17

What TC Can and Can’t Do

What TC Can and Can’t Do. Guarantee that EK is safe Yes because it is stored in and used by hw only No because it can be obtained if someone has physical access but this can be detected by user or remote system (tamper bit is set in TPM) Guarantee that no keys can be compromised

morse
Download Presentation

What TC Can and Can’t Do

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. What TC Can and Can’t Do • Guarantee that EK is safe • Yes because it is stored in and used by hw only • No because it can be obtained if someone has physical access but this can be detected by user or remote system (tamper bit is set in TPM) • Guarantee that no keys can be compromised • No, keys that go to OS and are used by sw can still be compromised • Guarantee that applications cannot be changed or compromised • No, I can only detect compromise by comparing hashes of apps in hw

  2. What TC Can and Can’t Do • Guarantee that no rootkits can reside on the system • No, but we can detect compromise by comparing hashes of OS files in hw • Guarantee that applications cannot interfere with each other • Yes, due to OS separation • Guarantee data safety on disk • Yes, we can encrypt data separately for each virtual system and we can encrypt the whole disk • No, because encryption happens in sw

  3. Privacy

  4. What is Privacy? • Privacy is about PII • It is primarily a policy issue • Privacy is an issue of user education • Make sure users are aware of the potential use of the information they provide • Give the user control • Privacy is a security issue • Security is needed to implement the policy

  5. Security v. Privacy • Sometimes conflicting • Many security technologies depend on identification • Many approaches to privacy depend on hiding one’s identity • Sometimes supportive • Privacy depends on protecting PII (personally identifiable information) • Poor security makes it more difficult to protect such information

  6. Debate on Attribution • How much low level information should be kept to help track down cyber attacks • Such information can be used to breach privacy assurances • How long can such data be kept

  7. Privacy is Not the Only Concern • Business Concerns • Disclosing Information we think of as privacy-related can divulge business plans • Mergers • Product plans • Investigations • Some “private” information is used for authentication • SSN • Credit card numbers

  8. You Are Being Tracked • Location • From IP address • From Cell Phones • From RFID • Interests, Purchase History, Political/Religious Affiliations • From RFID • From transaction details • From network and server traces

  9. You Are Being Tracked • Associates • From network, phone, email records • From location based information • Health Information • From Purchases • From location based information • From web history

  10. Why Should You Care? • Aren’t the only ones that need to be concerned about privacy the ones that are doing things that they shouldn’t? • Consider the following: • Use of information outside original context • Certain information may be omitted • Implications may be mis-represented • Inference of data that is sensitive • Data can be used for manipulation

  11. Aggregation of Data • Consider whether it is safe to release information in aggregate • Such information is presumably no longer personally identifiable • But given partial information, it is sometimes possible to derive other information by combining it with the aggregated data.

  12. Anonymization of Data • Consider whether it is safe to release information that has been stripped of so called personal identifiers • Such information is presumably no longer personally identifiable • What is important is not just anonymity, but linkability • If I can link multiple queries, I might be able to infer the identity of the person issuing the query through one query, at which point, all anonymity is lost

  13. Traffic Analysis • Even when specifics of communication are hidden, the mere knowledge of communication between parties provides useful information to an adversary • E.g. pending mergers or acquisitions • Relationships between entities • Created visibility of the structure of an organizations • Allows some inference about interests

  14. Information for Traffic Analysis • Lists of the web sites you visit • Email logs • Phone records • Perhaps you expose the linkages through web sites like linked in • Consider what information remains in the clear when you design security protocols

  15. Network Trace Sharing • Researchers need network data • To validate their solutions • To mine and understand trends • Sharing network data creates necessary diversity • Enables generalization of results • Creates a lot of privacy concerns • Very few public traffic trace archives(CAIDA, WIDE, LBNL, ITA, PREDICT, CRAWDAD, MIT DARPA)

  16. Sanitization • Remove or obscure (anonymize) sensitive data • Remove packet contents and application headers • Anonymize IP addresses • Positional - anonymize in order of appearance. Inconsistent and lose information about networks • Cryptographic - anonymize by encrypting with a key. Consistent but still lose information about networks. • Prefix-preserving - cryptographic approach is applied to portions of IP separately to preserve network information. • Sanitization loses a lot of data - application headers, contents, IP addresses • This is acceptable for some research but not for all • Sanitized data still has sensitive information

  17. Attack Classes • Passive attacker • Observe publicly released trace • Use some public or private auxiliary information to infer private data • Active attacker • Insert traffic during trace collection • Identify this traffic later in public trace • This creates an auxiliary information channel • Can learn what method was used to obscure private data • Can verify presence or absence of data items with same/similar values in other records • Provider cannot identify injected traffic • Covert channel problem

More Related