210 likes | 350 Views
Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments. Yitao Duan and John Canny UC Berkeley. Outline. Background and motivation Existing solutions Our approach Design principles Enforcing scheme Evaluation Conclusion and future work. Ubiquitous Computing.
E N D
Protecting User Data in Ubiquitous Computing: TowardsTrustworthy Environments Yitao Duan and John Canny UC Berkeley
Outline • Background and motivation • Existing solutions • Our approach • Design principles • Enforcing scheme • Evaluation • Conclusion and future work
Ubiquitous Computing • One consequence of Ubicomp • Way more data about us can be gathered (and used). • This is potentially a great thingfor collaborative algorithms • But, it’s potentially a great problem because...
Issues Addressed • Protection of the user data generated and maintained by the environment • Privacy of individuals who use the env. • Ability of legitimate users to make use of data recorded in the environment • Dealing with high-speed streams of data • Trustworthiness of the environments (in progress)
Challenges • Unfamiliar environments • Dynamic and ad hoc and shared • difficult to determine access rights • No central control • High data rate • must be processed in real-time • Collaborative applications
Existing Solutions • Focus on access control • Based on authentication/authorization model (e.g. RBAC) • Require a piece of running code to actively check permissions • Inadequate for ubicomp • Dynamic, distributed, environment • Protecting agent can be bypassed • Completely ignored the untrusted env issue
Our Approach • Not rely on access control • Make data secure by themselves • In line with philosophy in cryptography: • Obscurity is not security • Assume the adversary has access to the communication
Our Principle – Data Discretion Data discretion:Users should always have access to, and control of (recorded or live) information that would be available to them in “real-world” situations. They should not have direct access in other situations. • Matches “real-world” privacy norms • Consistent with emerging legal principles • Users are involved in decisions regarding data about them – users are in control of their data!
Smart room Testbed • Good example of ubicomp environment • RFID tag reader to establish who’s in the room • 4 cameras to record images • Smartborad to log electronic activity
Enforcing Scheme • Assume all data are stored in files that represent short time intervals • Data file is encrypted with a unique secret key
Enforcing Scheme • The secret keys are encrypted with public keys of the people in the room (determined by the tag reader):
Enforcing Scheme • User who were in the room can recover the keys and access the data while they were in the room
Key Embedding • Conceal who and how many users have access • Key set: fixed-length data structure with slots > max number of users in the room hj1(Fi, K1) <Secret Key>K1 hj2 (Fi, K2) … … < Secret Key>K2 hjn (Fi, Km) < Secret Key>K3 < Secret Key>K4
Master Key Escrow • Every encryption key is also encrypted with a master public key. • The master private key is shared by say, 3 people. Any 2 of the 3 can unlock any of the images, but they have to cooperate.
General Access Structure • Equal access may not be appropriate in some applications • Can realize general access structure • Secret-share the secret key among users • Embed the shares in the key set • An example: AND access • r1, r2, … rm-1 {0, 1}l, rm = r1 r2…rm-1ks
Performance Evaluation • Execution Time includes: Encryption (Triple-DES) + Disk I/O • Platform: PIII 900MHz + Linux 2.4.18 Kernel
What We Have Achieved? • A principle that mimics real-world norms • A scheme to enforce it • “Zero-knowledge”: cancels even the number of users who have access • Efficient to deal with real-time data • Economical to be implemented using commodity hardware • Data sharing made safe • The encryption does not hinder collaboration [Canny 02]
Not Enough • The scheme works if the environment is honest • Unfamiliar environments untrusted environments • How can we be sure the system performs the encryption and does not leak data?
Dealing With Untrusted Env – Data Transparency • Data Transparency: Encrypted data recorded or transmitted by a ubicomp system should be easily observable.Where possible, the data itself should demonstrate compliance with stated principles.
Dealing With Untrusted Env – Data Transparency • Data observable, not comprehensible • Obscurity is not security! • Security and privacy based on cryptography, not access control • Makes it easy to verify systems’ compliance with any stated privacy policy
Towards Trustworthy Environments(In Progress) • Trusted computing framework • Assume most components untrusted • Some devices (from 3rd party) more trusted • Exploit the mutual distrust between them to build trusted system • Verification • ZKP to guarantee access right • The demo that the system does what it is supposed to is a ZKP itself • Bit commitment to minimize leakage