
Vanishing Documents Impact on Privacy


Presentation Transcript


  1. Vanishing Documents: Impact on Privacy
  George B. Dobbs, Chief Architect & Director Shared Services, Knights of Columbus Supreme Council

  2. Knights of Columbus
  • Fraternal Benefit Society with 1.7M members
  • United States, Canada, Latin America, Philippines & Poland
  • Membership driven
  • Insures its members and their families
  • Whole life, term life, fixed annuities and long-term care products
  • Career agency system, ~1400 agents
  • Fortune 997, ~1.5B revenue

  3. Ephemeral Documents
  • Give access, but only for a while
    • Owner's copies are still valid
    • Correspondent not fully trusted
    • Example: shopping a business plan
  • Intentional forgetting
    • All copies vanish after an interval
    • Correspondent trusted but lazy
    • Example: a frank conversation in email, later regretted

  4. Provide access only for a while
  • Encrypt, but control access to the key
  • Correspondent must fetch the key each time (central control), or
  • Key is stored locally for a while for offline use
    • Requires a client-side container/code that could be attacked
  • Commercial products in the Digital Rights Management category
  • Subject to legal or technical attacks on the key holder

  5. Intentional Forgetting
  • Encrypt, but key access is removed after a while
  • No action needed by the user
  • No retroactive retrieval by an adversary
    • Even from storage such as caches, mail routers or backup tapes
  • No one can access after the interval expires
    • Even the owner has no access to the key
  • Research project at U. Washington
  • Subject to key capture during the interval
  • Correspondent may copy the message during the interval

  6. Vanish Research Project
  • University of Washington (Aug 2009)
  • Use cases focus on trusted but lazy correspondents
  • Splits the symmetric key into parts
  • Used an open distributed hash table

  7. Avoiding a centralized store
  • Distributed Hash Tables (DHTs)
  • Used for many P2P applications
  • Academic studies since 2001
  • Unless refreshed, DHT entries time out

  8. Preparing a Vanishing Data Object
  • Pick a random symmetric key, K
  • Encrypt the user data locally, yielding C
  • Pick a seed, L, for pseudo-random number generation
  • Use L to generate indices in the hash table, x1..xn
  • Divide the key into pieces k1..kn, of which any m are enough to compute K (Shamir Secret Sharing)
  • put(xi, ki) for i = 1 to n
  • Destroy the local copy of the key
  • Send {C, L} to the correspondent

  9. How Vanish Works (diagram)
  Encapsulate: Ann calls Encapsulate(data, timeout). Vanish picks K, computes C = E_K(data), splits K by secret sharing (M of N) into k1..kN, stores the shares at random indexes in the world-wide DHT, and sends Carla the Vanish Data Object, VDO = {C, L}.

  10. How Vanish Works (diagram, continued)
  Decapsulate: Carla calls Decapsulate(VDO = {C, L}). Vanish regenerates the random indexes from L, fetches the shares from the world-wide DHT, rebuilds K from any M of the N shares, and computes data = D_K(C). Once enough shares have timed out of the DHT, K can no longer be rebuilt and C stays unreadable.

  11. The Firefox Plug-in
  • Implemented as an extension to the GPG plug-in
  • Entirely client side
  • Shows potential for becoming mainstream

  12. Attack
  • Defeating Vanish (Sep 2009)
  • Researchers showed it was feasible to
    • Infiltrate the open DHT
    • Record all key shares before they time out
  • Originators responded with improvements
    • Use a hybrid of open and closed DHTs
    • A closed DHT restricts the entry of nodes into the system
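The encapsulate/decapsulate procedure of slides 8 to 10 and the recording attack of slide 12, as an added example that is not the Vanish project's code or the presenter's. Everything is a stand-in for illustration: a SHA-256 counter-mode keystream plays the role of E_K/D_K, Shamir sharing runs over the Mersenne prime 2^521 - 1, the DHT indices x1..xn are derived as SHA-256(L || i), and the "world-wide DHT" is an in-memory dictionary with a simulated clock. The SybilDHT class models the attacker's nodes keeping a permanent log of every value stored; the timeout value is constructed.

```python
import hashlib
import secrets

# Added illustration of the Vanish flow and of the "infiltrate the DHT and
# record everything" attack. Not the Vanish project's code: the cipher, the
# field, the index derivation and the DHT below are all stand-ins (assumptions).

P = 2**521 - 1  # Mersenne prime; our choice of field for Shamir secret sharing


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for E_K / D_K: SHA-256 counter-mode
    keystream XORed with the data. Unauthenticated; real code would use AES-GCM."""
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + blk.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[blk * 32:(blk + 1) * 32], ks))
    return bytes(out)


def split_secret(secret: int, n: int, m: int) -> list:
    """Shamir M-of-N: random degree-(m-1) polynomial with f(0)=secret; share i is (i, f(i))."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares) -> int:
    """Lagrange interpolation at x=0; any m distinct shares rebuild the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


class FakeDHT:
    """Stand-in for the world-wide DHT with a simulated clock: entries expire
    unless refreshed, which is exactly the property Vanish relies on."""
    def __init__(self):
        self.store, self.now = {}, 0

    def put(self, index: bytes, value: int, timeout: int):
        self.store[index] = (value, self.now + timeout)

    def get(self, index: bytes):
        item = self.store.get(index)
        return None if item is None or item[1] <= self.now else item[0]

    def advance(self, seconds: int):
        self.now += seconds


class SybilDHT(FakeDHT):
    """Models the Sep 2009 attack: nodes the adversary inserted into the open
    DHT keep a permanent log of every value that was ever stored."""
    def __init__(self):
        super().__init__()
        self.recorded = {}

    def put(self, index, value, timeout):
        self.recorded[index] = value  # the attacker's copy never expires
        super().put(index, value, timeout)


def indices_from_seed(L: bytes, n: int) -> list:
    """x_1..x_n derived from the seed L (assumed derivation: SHA-256(L || i))."""
    return [hashlib.sha256(L + i.to_bytes(4, "big")).digest() for i in range(1, n + 1)]


def encapsulate(dht, data: bytes, timeout: int, n: int = 10, m: int = 7) -> dict:
    K = secrets.token_bytes(32)                    # random symmetric key
    C = xor_stream(K, data)                        # C = E_K(data)
    L = secrets.token_bytes(16)                    # seed for the index generator
    shares = split_secret(int.from_bytes(K, "big"), n, m)
    for x, (_, k) in zip(indices_from_seed(L, n), shares):
        dht.put(x, k, timeout)                     # put(x_i, k_i)
    del K                                          # destroy the local copy of the key
    return {"C": C, "L": L, "n": n, "m": m}        # the VDO sent to the correspondent


def decapsulate(dht, vdo: dict, lookup=None):
    """Rebuild K from whatever shares are still reachable; None if fewer than m.
    `lookup` lets the attacker substitute its recorded log for live DHT gets."""
    lookup = lookup or dht.get
    shares = []
    for i, x in enumerate(indices_from_seed(vdo["L"], vdo["n"]), start=1):
        k = lookup(x)
        if k is not None:
            shares.append((i, k))                  # share i was evaluated at x=i
    if len(shares) < vdo["m"]:
        return None
    K = recover_secret(shares[: vdo["m"]]).to_bytes(32, "big")
    return xor_stream(K, vdo["C"])                 # data = D_K(C)


if __name__ == "__main__":
    dht = SybilDHT()
    vdo = encapsulate(dht, b"frank remark, later regretted", timeout=8 * 3600)
    print(decapsulate(dht, vdo))                   # readable during the interval
    dht.advance(8 * 3600)                          # shares time out of the DHT
    print(decapsulate(dht, vdo))                   # None: owner and correspondent locked out
    print(decapsulate(dht, vdo, lookup=dht.recorded.get))  # attacker's log still yields it
```

Two things the slides state but the code makes concrete: with M of N sharing the VDO survives some DHT churn (here up to N - M = 3 lost shares) but not the timeout, and an adversary who sat inside the DHT during the interval is unaffected by the timeout, since its log never expires. A closed DHT helps only insofar as it keeps such nodes out.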

  13. End of Technical Part
  • The next section touches on possible issues from an enterprise point of view
  • Please suggest your own thoughts

  14. Organizational Dilemmas
  • Let's suppose the vanish ability becomes mainstream
  • What kinds of scenarios can we dream up?

  15. Litigation Holds
  • Legal framework
  • Stops the clock on document destruction
  • Clearly this prohibits organizations from originating these documents
  • If someone does create a VDO
    • Keys and plaintext are gone, but
    • The ciphertext is evidence that the document existed
  • What controls can we envision to prevent their use?

  16. Inbound Communications
  • VDOs could come from 'outside'
  • Are there business reasons to allow this?
  • What about going 'out' to visit a VDO?
  • Are there cases when a VDO should not be opened?
  • Are there cases when it must be opened?

  17. Business Uses
  • Probably few legitimate uses for large commercial enterprises
  • Customer service
  • Brand management
  • Public safety
  • Attorneys under privilege

  18. Going outside to view
  • Go to a website to view a VDO
    • Does that constitute corporate knowledge?
  • Company uses a social networking site
    • To stay in contact with customers, say for customer service
  • Since VDOs are mainstream,
    • A user turns them on for ALL communications, thinking that safer
    • But for the enterprise, it's a business transaction
  • So...
    • Does it need to be 'imported' for preservation?
    • Capture the key and ciphertext, or just the plaintext?

  19. Letting VDOs in
  • Email with a vanishing data object
  • Options:
    • Detect and prevent entry, like spam
    • Allow in, but prevent acquisition of the keys through network policy
    • Allow in, but decode while passing through the gateway
    • Allow in with quarantine & special handling
  • Is there a duty to preserve it?
    • For e-Discovery?
    • Would the court consider the unpacked plaintext equivalent to the original?
    • To prove it is equivalent you'd need the key

  20. For Safety, Must Open
  • Suppose the cleartext subject line contains a threat:
    • "Bomb active. Defuse instructions enclosed"
  • Mail is received, but enterprise policies prevent acquisition of the key
  • This scenario indicates some sort of handling is needed

  21. Brand Buzz
  • Corporations sometimes watch what is being said about them in public venues
  • If the social network acts as an amplifier/repeater, and the VDOs time out in, say, 8 hours
    • The watcher's scan cycle time would need to be less than the timeout
    • If today a daily scan is adequate, it might need to be every few hours

  22. Outbound Communications
  • Lying to a customer
    • Employee or agent promises something
    • Controllable on internal equipment/email
  • Employee sends stolen company info
    • User A, with enterprise IP, goes to sneaky.com
    • Under cover of HTTPS, writes a VDO with internal information
    • User B (an investor, foreign power, etc.) reads the info
  • In order to stop this
    • Blacklist sneaky.com
    • Terminate SSL at the border
    • Intercept & decode, possibly quarantine
    • Prevent anything that appears further encrypted

  23. Not, Perhaps, Jericho, But
  • Millions of consumer computers
  • Harnessed to provide some privacy
  • Is an example of how
    • The walled garden model of the enterprise
    • May no longer be sufficient

  24. References
  • Vanish: Self-Destructing Digital Data, http://vanish.cs.washington.edu/
  • New Technology to Make Digital Data Self-Destruct, http://www.nytimes.com/2009/07/21/science/21crypto.html
  • Distributed Hash Tables, http://en.wikipedia.org/wiki/Distributed_hash_table
  • Attack, http://z.cs.utexas.edu/users/osa/unvanish/papers/vanish-broken.pdf
  • Vanishing E-mail and Electronically Stored Information: an E-Discovery Hazard, http://www.rlgsc.com/blog/ruminations/vanishing-electronic-data-ediscovery.html
