Vanishing Documents: Impact on Privacy George B. Dobbs Chief Architect & Director Shared Services, Knights of Columbus Supreme Council
Knights of Columbus • Fraternal Benefit Society with 1.7M members • United States, Canada, Latin America, Philippines & Poland • Membership driven • Insures its members and their families • Whole life, Term life, Fixed annuities and Long term care products • Career Agency System ~1400 agents • Fortune 997, ~1.5 B Revenue
Ephemeral Documents • Give access – but only for a while • Owner’s copies are still valid • Correspondent not fully trusted • Example: shopping a business plan • Intentional forgetting • All copies vanish after an interval • Correspondent trusted but lazy • Example: frank conversation in email, later to be regretted.
Provide access only for a while • Encrypt, but control access to the key • Correspondent must fetch the key each time (central control) • or • Key is cached locally for a while for offline use • Requires a client-side container/code that can itself be attacked • Commercial products in the Digital Rights Management category • Subject to legal or technical attacks on the key holder
Intentional Forgetting • Encrypt, but key access disappears after a while • No action needed by the user • No retroactive retrieval by an adversary • Even from storage such as caches, mail routers or backup tapes • No one can access the data after the interval expires • Even the owner has no access to the key • Research project at U. Washington • Subject to key capture during the interval • Correspondent may copy the plaintext during the interval
Vanish Research Project • University of Washington (Aug 2009) • Use cases focus on trusted but lazy correspondents • Splits a symmetric key into parts • Stores the parts in an open distributed hash table (the Vuze BitTorrent DHT)
Avoiding a centralized store • Distributed Hash Tables • Used for many P2P applications • Academic studies since 2001 • Unless refreshed, the DHT times out its entries
Preparing a Vanishing Data Object • Pick a random symmetric key, K • Encrypt the user data locally, yielding C • Pick a seed, L, for pseudo-random number generation • Use L to generate indices x1..xn into the hash table • Split K into n pieces k1..kn such that any m of them reconstruct K (Shamir secret sharing) • put(xi, ki) for i = 1..n • Destroy the local copy of K • Send {C, L} to the correspondent
How Vanish Works (diagram) • Ann: Encapsulate(data, timeout) → Vanish Data Object VDO = {C, L} • C = E_K(data); K is split by secret sharing (M of N) into k1..kN and stored in the world-wide DHT at random indexes derived from L • Carla: Decapsulate(VDO = {C, L}) → regenerates the indexes from L, fetches the shares, reconstructs K, data = D_K(C) • After the timeout the shares have expired in the DHT (marked X in the diagram), so K cannot be reconstructed
The Firefox Plug-in • Implemented as an extension to the GPG plug-in (FireGPG) • Entirely client side • Shows potential for becoming mainstream
Attack • Defeating Vanish (Sep 2009) • Researchers showed it was feasible to • Infiltrate the open DHT with many cheap Sybil nodes • Record all key shares before they expire • Originators responded with improvements • Use a hybrid of open and closed DHTs • The closed DHT restricts which nodes may join the system
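The encapsulate/decapsulate procedure from the "Preparing a Vanishing Data Object" slide, and the share-recording attack from the "Attack" slide, as an added example. This is not the Vanish project's code: it runs a toy VDO lifecycle against a single-process simulated DHT with entry timeouts, then shows how a node that copies every put() it sees still recovers K after the honest path has lost it. Assumed values: a 32-byte key, N=20 shares with threshold M=10, a TTL counted in hours, and an HMAC-SHA256 keystream standing in for the real symmetric cipher. All sample data is constructed.

```python
# Added example (not the Vanish project's code): toy VDO lifecycle over a
# simulated DHT plus a recording (Sybil-style) node that defeats it.
# Assumptions: 32-byte key, N=20 / M=10, TTL in hours, HMAC-SHA256 keystream
# instead of a real cipher. Sample messages below are constructed.
import hashlib
import hmac
import random
import secrets

PRIME = 2**521 - 1            # Mersenne prime; field for Shamir sharing
KEY_BYTES = 32                # 256-bit key < PRIME, so it is a valid secret
N_SHARES, THRESHOLD = 20, 10  # assumed N and M


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, m):
    """Shamir M-of-N: n points (i, p(i)) on a random degree-(m-1) polynomial."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x=0 from at least m distinct shares."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for k, (xk, _) in enumerate(shares):
            if k != j:
                num = num * (-xk) % PRIME
                den = den * (xj - xk) % PRIME
        total = (total + yj * num * pow(den, -1, PRIME)) % PRIME
    return total


def _keystream(key, length):
    blocks, ctr = [], 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]


def xor_crypt(key, data):
    """Stand-in for E_K / D_K: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def share_indices(seed, n):
    """Derive the n DHT indices x1..xn from the seed L with a PRNG."""
    rng = random.Random(seed)
    return [rng.getrandbits(160).to_bytes(20, "big").hex() for _ in range(n)]


class SimDHT:
    """Single-process stand-in for the world-wide DHT with entry timeouts."""
    def __init__(self, ttl_hours):
        self.ttl, self.now, self.store = ttl_hours, 0, {}
        self.recording = False   # True once a Sybil node has infiltrated
        self.recorded = {}       # what that node copies from every put()

    def put(self, idx, value):
        self.store[idx] = (value, self.now + self.ttl)
        if self.recording:
            self.recorded[idx] = value

    def get(self, idx):
        value, expires = self.store.get(idx, (None, 0))
        return value if self.now < expires else None   # timed out: gone

    def drop(self, idx):
        self.store.pop(idx, None)   # node churn: a share lost early

    def advance(self, hours):
        self.now += hours


def encapsulate(dht, data):
    """Ann's side: returns the VDO {C, L}; K itself is never sent or kept."""
    key = secrets.token_bytes(KEY_BYTES)
    ciphertext = xor_crypt(key, data)
    seed = secrets.token_bytes(16)
    shares = split_secret(int.from_bytes(key, "big"), N_SHARES, THRESHOLD)
    for idx, share in zip(share_indices(seed, N_SHARES), shares):
        dht.put(idx, share)
    del key                      # destroy the local copy of K
    return ciphertext, seed


def _rebuild(ciphertext, shares):
    if len(shares) < THRESHOLD:
        return None              # fewer than M shares: the VDO has vanished
    key = recover_secret(shares[:THRESHOLD]).to_bytes(KEY_BYTES, "big")
    return xor_crypt(key, ciphertext)


def decapsulate(dht, vdo):
    """Carla's side, honest path: read whatever shares are still live."""
    ciphertext, seed = vdo
    live = [dht.get(i) for i in share_indices(seed, N_SHARES)]
    return _rebuild(ciphertext, [s for s in live if s is not None])


def sybil_recover(dht, vdo):
    """Attacker's path: rebuild K from shares recorded before they expired."""
    ciphertext, seed = vdo
    logged = [dht.recorded.get(i) for i in share_indices(seed, N_SHARES)]
    return _rebuild(ciphertext, [s for s in logged if s is not None])
```

Two things the slides state become visible here: dropping up to N-M shares early (node churn) still leaves the VDO readable, and once the clock passes the TTL the honest reader gets nothing back, but a node that was recording put() traffic during the interval reconstructs K whenever it likes. The closed-DHT mitigation on the slide is about keeping such a node out of the system in the first place; it does nothing about a correspondent who simply saved the plaintext.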
End of Technical Part • The next section scratches at possible issues from an enterprise point of view • Please suggest your own thoughts.
Organizational Dilemmas • Let's suppose the vanish capability becomes mainstream • What kinds of scenarios can we dream up?
Litigation Holds • Legal framework • Stops the clock on document destruction • Clearly this prohibits organizations from originating these documents • If someone does create a VDO • Keys and plaintext are gone, but • The ciphertext is evidence that the document existed • What controls can we envision to prevent their use?
Inbound Communications • VDO’s could come from ‘outside’ • Are there business reasons to allow this? • What about going ‘out’ to visit a VDO? • Are there cases when a VDO should not be opened? • Are there cases when it must be opened?
Business Uses • Probably few legitimate uses for large commercial enterprises • Customer service • Brand management • Public safety • Attorneys under privilege
Going outside to view • Go to a website to view a VDO • Does that constitute corporate knowledge? • Company uses a social networking site • To stay in contact with customers for customer service, say • Since VDOs are mainstream • A user turns them on for ALL communications, thinking that safer • But for the enterprise, it's a business transaction • So… • Does it need to be 'imported' for preservation? • Capture the key and ciphertext, or just the plaintext?
Letting VDOs in • Email with a vanishing data object • Options: • Detect and prevent entry, like spam • Allow in, but prevent acquisition of the keys through network policy • Allow in, but decrypt while passing through the gateway • Allow in with quarantine and special handling • Is there a duty to preserve it? • For e-discovery? • Would the court consider the unpacked plaintext equivalent? • To prove it is equivalent you'd need the key
For Safety, Must Open • Suppose the clear-text subject line contains a threat: • "Bomb active. Defuse instructions enclosed" • Mail is received, but enterprise policy prevents acquisition of the key • This scenario indicates that some sort of handling is needed
Brand Buzz • Corporations sometimes watch what is being said about them in public venues • If a social network acts as an amplifier/repeater, and the VDOs time out in, say, 8 hours • The watcher's scan cycle time would need to be less than the timeout • If today a daily scan is adequate, it might need to be every few hours
Outbound Communications • Lying to a customer • Employee or agent promises something • Controllable on internal equipment/email • Employee sends stolen company information • User A with enterprise IP goes to sneaky.com • Under the cover of HTTPS writes a VDO with internal information • User B (an investor, foreign power, etc.) reads the information • In order to stop this • Blacklist sneaky.com • Terminate SSL at the border • Intercept and decode, possibly quarantine • Prevent anything that appears further encrypted
Not, Perhaps, Jericho, But • Millions of consumer computers • Harnessed to provide some privacy • Is an example of how • The walled garden model of the enterprise • May no longer be sufficient
References • Vanish: Self-Destructing Digital Data, http://vanish.cs.washington.edu/ • New Technology to Make Digital Data Self-Destruct, http://www.nytimes.com/2009/07/21/science/21crypto.html • Distributed Hash Tables, http://en.wikipedia.org/wiki/Distributed_hash_table • Attack: http://z.cs.utexas.edu/users/osa/unvanish/papers/vanish-broken.pdf • Vanishing E-mail and Electronically Stored Information: an E-Discovery Hazard, http://www.rlgsc.com/blog/ruminations/vanishing-electronic-data-ediscovery.html