Mobile Adventure
Privacy - a Taxonomy Proposal
Alf Zugenmaier, DoCoMo Euro-Labs
Security and Protection of Information, Brno, 2007
© 2007 by DoCoMo Communications Laboratories Europe GmbH
What is Security?
• Information Security = CIA + …
  – Confidentiality
  – Integrity
  – Availability
• the “+” depends on the fashion of the day
What is Privacy?
• Discussions about privacy
  – Privacy equal to security? Wired equivalent privacy (WEP), pretty good privacy (PGP)
  – Privacy opposite of security? Authentication vs. authorization
  – Privacy orthogonal to security? All of the above plus: “No spam please!”
• Intention and effect
Agenda
• Information privacy vs information security
• Privacy taxonomy
• Protecting privacy
  – Self protection: anonymity
  – Cooperative approach
• Incentives
• Conclusions
Taxonomy of Privacy
(cartoon caption) “He finally got a corner office but I’m not sure he can handle it.”
A Taxonomy of Privacy
privacy: right to be left alone
  – “push privacy”: freedom from unwanted communication attention, aka spam
  – “pull privacy”: freedom from misappropriation of information
What is Privacy? – Effect
• (Graef) Actions should not have social consequences relative to not intended third parties.
• Right to privacy
  – (invented by Warren/Brandeis) freedom from press exposure
  – (Geuss) not universal, what for?
  – (Simmel) keeps actionable options open
A Taxonomy of Privacy
privacy: right to be left alone
  – “push privacy”: no spam
  – “pull privacy”: misappropriated information
    • confidentiality against 3rd party
    • avoiding misuse by service / resource
3rd Party Confidentiality
• Content
  – communications content
  – data on personal device
• Context
  – sender / receiver anonymity
  – location privacy
  – situation, etc.
Avoiding Misuse by Service / Resource
What is necessary to violate privacy? Information must be
• perceived (may be indirect)
• attributed to entity
• remembered
• interesting, relevant, accessible, processible, and acted upon
Avoiding Misuse by Service / Resource
• Data minimality
– avoids perception
• Anonymity / unlinkability
– no handle for linking
• Oblivion
– no data retention
• Policy
– limited use, data management
(arrow alongside the list: increasing cooperation of communication partners)
Taxonomy of Privacy
privacy: right to be left alone
  – “push privacy”: no spam
  – “pull privacy”: misappropriated information
    • confidentiality against 3rd party
      – confidentiality of content data
      – confidentiality of context data
    • avoiding misuse by service / resource
      – data minimality
      – anonymity
      – oblivion
      – policy
Agenda
• Information privacy vs information security (done)
• Privacy taxonomy (done)
• Protecting privacy
  – Self protection: anonymity
  – Cooperative approach
• Incentives
• Conclusions
Self Protection: Anonymity
• Objective of attacker: discover identity of the user who performed an action
• Identity: set of personally identifying information
• Action: a thing done, taking limited time
Example Anonymity Mechanism: Crowds
(figure: Alice’s encrypted request takes a random path through the crowd to Bob’s server)
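Crowds forwarding as a runnable sketch (an added example, not code from the slides or from the Crowds authors): every jondo flips a biased coin with forwarding probability p_f, and the Reiter/Rubin bound says how large the crowd must be for the sender to remain "probably innocent" against c colluding members. Crowd member names, the seed and p_f = 0.75 are constructed.

```python
import random

def crowds_path(members, initiator, p_f, rng=None):
    """Sequence of jondos a request visits before it leaves for the server.
    The initiator always hands the request to a random member first; every
    later jondo forwards to another random member with probability p_f and
    otherwise submits it to the server (the request stays encrypted hop by hop)."""
    rng = rng or random.Random()
    path = [initiator, rng.choice(members)]
    while rng.random() < p_f:             # biased coin at each jondo
        path.append(rng.choice(members))  # a jondo may pick itself again
    return path

def probable_innocence(n, c, p_f):
    """Reiter/Rubin condition: with n members of which c collude, the sender
    is 'probably innocent' iff p_f > 1/2 and n >= p_f/(p_f - 1/2) * (c + 1)."""
    return p_f > 0.5 and n >= p_f / (p_f - 0.5) * (c + 1)

def mean_path_length(members, p_f, trials, seed=0):
    """Average number of jondos on a path; analytically 2 + p_f/(1 - p_f)."""
    rng = random.Random(seed)
    return sum(len(crowds_path(members, members[0], p_f, rng))
               for _ in range(trials)) / trials

if __name__ == "__main__":
    crowd = ["jondo%d" % i for i in range(10)]          # constructed crowd
    print(" -> ".join(crowds_path(crowd, "jondo0", 0.75, random.Random(1))), "-> server")
    print("mean path length:", mean_path_length(crowd, 0.75, 10000))
    print("probable innocence with 1 colluder:", probable_innocence(len(crowd), 1, 0.75))
```

The longer the path, the less a colluding jondo learns: with p_f = 0.75 the average path has five jondos, yet a crowd of six already suffices against one colluder.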
Mobility Scenario
Problem: How can anonymity be provided for mobile users in a client – server scenario?
(figure: mobile client, Internet gateway and several servers; the user’s action is sent to a server)
User and Terminal Mobility
(figure: same client – gateway – servers scenario; user and terminal both move while the action is performed)
FLASCHE – Idea
(figure: relation between action, user, personal device and device location; the attacker is able to localize the action)
a) identity management
b) user’s mobility
c) device’s mobility
d) FLASCHE
FLASCHE – Removing Device Identification
• MAC IEEE 802.11b
  – random MAC address (cf. Orava et al.)
  – location: BSSID of access points
• IPv6
  – device specific part of address random (as in RFC 3041)
  – location: (sub-)network ID
  – location determination: router solicitation
  – MAC address: Neighbor Solicitation
• UDP / TCP
  – random source port
• DNS
  – no DNS entry of mobile device
• HTTP
  – suppress attributes: FROM, REFERER, etc.
  – SSL encryption possible
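The address-randomization part of this slide as an added example (this is not the FLASCHE implementation): it derives the stable modified-EUI-64 identifier an ordinary IPv6 stack embeds into every address, the RFC 3041 temporary identifier that replaces it, and a locally administered random MAC. The sample MAC and subnet prefixes are constructed.

```python
import hashlib
import ipaddress
import os

def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC: insert ff:fe
    in the middle and flip the u/l bit. Derived from the hardware address,
    it stays constant on every network the device visits, so an observer
    can link the device's actions across networks."""
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]

def random_locally_administered_mac(rand=os.urandom) -> bytes:
    """Random MAC with the locally-administered bit set and the multicast
    bit cleared, so it cannot collide with a vendor-assigned address and
    is never a group address."""
    b = bytearray(rand(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return bytes(b)

def rfc3041_next_iid(history: bytes, eui64_iid: bytes):
    """RFC 3041 section 3.2.1: MD5 over (history || EUI-64 identifier).
    The left 64 bits with the u/l bit cleared become the temporary
    interface identifier; the right 64 bits become the next history
    value. MD5 is the RFC's own choice, not a recommendation here."""
    if len(history) != 8 or len(eui64_iid) != 8:
        raise ValueError("history and identifier must be 64 bits each")
    digest = hashlib.md5(history + eui64_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD            # bit 6 of the first octet (u/l) -> 0 = local
    return bytes(iid), digest[8:]

def temporary_address(prefix64: bytes, iid: bytes) -> str:
    """Textual IPv6 address from a 64-bit subnet prefix and an identifier."""
    return str(ipaddress.IPv6Address(prefix64 + iid))

if __name__ == "__main__":
    mac = bytes.fromhex("0a1b2c3d4e5f")            # constructed sample MAC
    eui = eui64_from_mac(mac)
    home = bytes.fromhex("20010db800010000")       # constructed prefixes
    hotspot = bytes.fromhex("20010db800020000")
    # stable identifier: identical suffix on both networks -> linkable
    print(temporary_address(home, eui), temporary_address(hotspot, eui))
    hist = bytes(8)
    for net in (home, hotspot):                    # fresh identifier per network
        iid, hist = rfc3041_next_iid(hist, eui)
        print(temporary_address(net, iid))
    print(random_locally_administered_mac().hex(":"))
```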
Anonymity not Always Possible
• Quote from insurance company
• Asks for lots of personal information
• Fake data may lead to wrong quote
• What happens with the information after rejecting the offer?
Protection Goal
Control of use of personal data after release, in respect of
• Who has access to personal data
• What can be done with personal data
• What has to be done when using personal data
defined by Privacy Policy
Attacker Model Revisited
Previous model:
• Totally adversarial
• Omnipresent attacker
(figure: only the client is trusted; the insurance company is untrusted)
Attacker Model Revisited
Weakened model:
• Not totally adversarial
• Outsider attackers
• Some co-operation
• Some insider attackers
(figure: client and insurance company trusted, outsiders untrusted)
Problem Statement
• How to ensure data is only given to co-operating entities
• How to ensure adherence to privacy policies
Digital Rights Management!
Digital Rights Management for Enforcement of Privacy Policies
• Digital rights management (DRM) and protection of personal data are mirror images
• Both regulate use of data after release
  – DRM licenses
  – privacy policies
DRM Key Features
• License attached to data
  – defines terms of use
• Encryption / key management
  – prevents attacks on data
• Attestation
  – ensures trusted computing base (TCB)
  – prevents attacks on software
License Description
• XrML license:
  – grant
    • principal
    • right
    • resource
    • condition
  – issuer
    • signature
    • time of issuance
• Privacy policy 5-tuple:
  – role
  – action
  – data type
  – purpose
  – obligation
Example: Obligation
• Obligation: delete all data on terminal after use
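The 5-tuple policy of the previous slide with this slide's obligation, as an added example (not the project's code): a default-deny matcher over role, action, data type and purpose, and a recipient-side terminal that records the obligations of every matching rule and must discharge "delete all data after use" when the action ends. Roles, data types and purposes are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    """One privacy-policy 5-tuple from the slide; '*' matches any value."""
    role: str
    action: str
    data_type: str
    purpose: str
    obligation: Optional[str] = None

@dataclass
class Decision:
    permitted: bool
    obligations: List[str] = field(default_factory=list)

def evaluate(policy, role, action, data_type, purpose) -> Decision:
    """Default deny: permitted only if some rule matches on role, action,
    data type and purpose; the obligations of all matching rules apply."""
    matched = [r for r in policy if all(rv in ("*", v) for rv, v in (
        (r.role, role), (r.action, action), (r.data_type, data_type), (r.purpose, purpose)))]
    return Decision(bool(matched), [r.obligation for r in matched if r.obligation])

class Terminal:
    """Recipient side: keeps released data only as long as the policy
    allows and must discharge 'delete-after-use' when the action ends."""
    def __init__(self):
        self.store, self.pending = {}, set()

    def use(self, policy, role, data_type, purpose, payload) -> Decision:
        d = evaluate(policy, role, "read", data_type, purpose)
        if not d.permitted:
            raise PermissionError(f"{role} may not read {data_type} for {purpose}")
        self.store[data_type] = payload
        self.pending.update(d.obligations)
        return d

    def end_of_use(self) -> bool:
        """Discharge obligations; True when none remain outstanding."""
        if "delete-after-use" in self.pending:     # the slide's example obligation
            self.store.clear()                     # delete all data on the terminal
            self.pending.discard("delete-after-use")
        return not self.pending

if __name__ == "__main__":
    policy = [Rule("underwriter", "read", "health-record", "quote", "delete-after-use"),
              Rule("underwriter", "read", "contact", "quote")]     # constructed policy
    t = Terminal()
    print(t.use(policy, "underwriter", "health-record", "quote", "constructed record"))
    print("discharged:", t.end_of_use(), "store:", t.store)
    print(evaluate(policy, "marketing", "read", "health-record", "campaign"))
```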
Trusted Computing Base (TCB)
(figure: the BSD-Veriexec kernel forms the TCB; on top of it a temporary (RAMdisk) chroot environment, instantiated from a signed environment with or without printer device)
Attesting the Application
• Application hashed on start
• Socket wrapper performs application attestation
(figure: kernel, application and security wrapper; the wrapper does the measurement and the attestation of the application; the communication is TLS protected)
Microsoft IRM
• Microsoft framework for digital rights management
• Used in Outlook and Office
• Uses XrML 1.2
• Software based attestation
• SDK available
Negotiating Privacy Policy
(figure: client and insurance company; steps: privacy policy, verify, encrypt personal data, attach SIL, transmit data and SIL)
Problems with Delegation
(figure: client, insurance company and a known offenders database)
Who decides about delegation to whom and when?
Possible Approach: Privacy Preserving Sandbox
• Attestation of sandbox instead of application
• Sandbox disallows permanent storage
• Only DRM-protected communication
(figure: the application runs inside the sandbox)
Comparison of Approaches
              Veriexec               TPM                          IRM
Enforcement   chaperoning            application                  application or sandbox
Security      kernel + key           hardware + OS                IRM framework
Attestation   kernel + main module   OS + wrapper + application   IRM framework + application / sandbox
Policy        simple                 complex                      complex
Agenda
• Information privacy vs information security (done)
• Privacy taxonomy (done)
• Protecting privacy (done)
  – Self protection: anonymity
  – Cooperative approach
• Incentives
• Conclusions
Incentives
• Security
  – Self protection often possible
  – Own trade-off security vs. convenience
• Privacy
  – Self protection often not possible
  – Reliance on others (goodwill, laws)
Example
Almost 1000 hits for AXIS cameras, almost none with access control (06/2005). UPDATE 05/2007: 12000 hits
Incentives
• Non-adherence to security may breach other persons’ privacy
• Example: webcameras
• Example: TK Maxx credit card database hack (46 million records exposed)
• Feedback loop:
  – Security: direct, operator suffers
  – Privacy: indirect, customers suffer
And it is hard to even get sufficient security awareness!
Interest in Privacy
Push privacy
• Most people affected → high democratic interest
Pull privacy
• Experiment at HP Labs (Huberman et al.)
• Reverse second price auction for personal information
• High value: information that deviates from perceived norm
• Most people don’t deviate from norm → little democratic interest in pull privacy
Translating Privacy for Corporations
Spam → spam
• Productivity wasted sorting incoming mail
Personal data → company data
• Intellectual property
• Copyright and licenses
Requires institutional, legal, organizational, and technical safeguards
Sufficient economic interest
Conclusion
• Information privacy needs the semantic layer
• Limited self protection mechanisms
• Co-operation necessary
• Incentives usually external
FLASCHE – Design
(figure: FLASCHE stack, shown once per virtual network interface: browser and service discovery on top; identity manager, DNS resolver and socket API wrapper in between; socket API, TCP/UDP, … and hardware below; one IP address per interface; a virtual network interface management plane, labelled “location”, alongside)
Protocol
(figure: personal web server on NetBSD with veriexec and its chaperone module; browser in an environment with client certificate; external database)
1. initiate connection (TLS)
2. environment fingerprint verification
3. license (includes client certificate)
4. set up chroot environment
5. HTTPS with browser and client certificate
6. personal data
(7. external communication)
8. delete environment
Securing the TCB
• Introduction of hardware root of trust (Trusted Platform Module, Core Root of Trust for Measurement)
• Extension of TCB during startup
• Measured hash values of software chained and stored in TPM registers
(figure: CRTM / boot block → firmware → OS loader → OS → applications, with the TPM holding the measurements)
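The measurement chain of this slide together with the application attestation of the earlier “Attesting the Application” slide, as an added example (not the project's code): every stage hashes the next and extends a register, and a verifier replays the event log against the quoted register value and a known-good list. The component images and the SHA-1-sized register are constructed choices.

```python
import hashlib

PCR_SIZE = 20   # SHA-1 sized register as in TPM 1.2 (constructed choice)

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || measurement).
    A register can only be accumulated, never overwritten, so its final
    value commits to the whole ordered chain of measurements."""
    return hashlib.sha1(pcr + measurement).digest()

def measured_boot(components):
    """Each stage measures the next one before passing control: the CRTM
    measures the boot block, firmware the OS loader, and so on. Returns
    the resulting PCR and the event log (name, digest) a verifier replays."""
    pcr, log = bytes(PCR_SIZE), []
    for name, image in components:
        digest = hashlib.sha1(image).digest()
        log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, log

def replay_log(log) -> bytes:
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr

def verify_attestation(reported_pcr, log, known_good):
    """Verifier: the log must replay to the (TPM-quoted) PCR, and every
    measured component must equal the known-good digest for its stage."""
    if replay_log(log) != reported_pcr:
        return False, "event log does not replay to reported PCR"
    for name, digest in log:
        if known_good.get(name) != digest:
            return False, "unknown or modified component: " + name
    return True, "ok"

# constructed stand-ins for the real images on the slide's chain
CHAIN = [("CRTM/boot block", b"bootblock-v1"), ("firmware", b"firmware-v1"),
         ("OS loader", b"loader-v1"), ("OS", b"netbsd-veriexec-v1"),
         ("App", b"personal-webserver-v1")]
KNOWN_GOOD = {name: hashlib.sha1(img).digest() for name, img in CHAIN}

if __name__ == "__main__":
    pcr, log = measured_boot(CHAIN)
    print(pcr.hex(), verify_attestation(pcr, log, KNOWN_GOOD))
    modified = CHAIN[:-1] + [("App", b"personal-webserver-v2-unapproved")]
    print(verify_attestation(*measured_boot(modified), KNOWN_GOOD))
```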
Application Manifest
• Recipient application has to match application manifest defined in license
• Extension of TCB: attesting a valid known application to initial TCB via application manifest
• License can specify compatible applications
(figure: the application manifest links the application to the initial TCB, extending it)