Resilience by Usable Security Workshop Usable Security and Privacy Mensch und Computer 2015 University of Stuttgart September 6, 2015 Dr. Sven Wohlgemuth <[email protected]>
Dr. Sven Wohlgemuth
• Diploma in computer science with economics at University of Saarland, Saarbrücken (Prof. B. Pfitzmann) (Key Management – OO Design and Implementation)
• Dr.-Ing. on Privacy with Delegation of Rights at Albert-Ludwigs University Freiburg (Prof. Müller) (Security and usability with identity management, DFG SPP Sicherheit & EU FIDIS)
• JSPS & DAAD postdoctoral fellow on Privacy-compliant Delegation of Personal Data at National Institute of Informatics (NII), Tokyo, Japan (Prof. Echizen) (Content Security Lab)
• Associate professor within Data-Centric Social Systems of Research Organization for Information and Systems and NII, Tokyo, Japan (Prof. Sonehara) (Transparency for ICT Resilience & Japanese-European Institute for Security)
• Senior consultant IT security and project manager at Sirrix AG security technologies (A. Alkassar) (Information flow control for Internet of Things and Cloud Computing)
• Senior researcher entrusted with Coordinator and Community Manager of PersoApp on supporting open source software development of secure and user-friendly Internet applications with the German national ID card funded by BMI at CASED/TU Darmstadt associated with Intel ICRI-SC (Prof. Sadeghi)
The Great East Japan Earthquake

"TEPCO did have a backup for the emergency generators: power supply trucks outfitted with high-voltage dynamos. That afternoon, emergency managers at TEPCO's Tokyo headquarters sent 11 power supply trucks racing toward Fukushima Dai-ichi, 250 km away. They promptly got stuck in traffic. The roads that hadn't been damaged by the earthquake or tsunami were clogged with residents fleeing the disaster sites. [...] It was after midnight when the first power supply trucks began to arrive at the site, creeping along cracked roads."
IEEE Spectrum. 24 Hours at Fukushima. October 31, 2011. http://spectrum.ieee.org/energy/nuclear/24-hours-at-fukushima/0

"Whether blocked or prohibited, the local highly restricted road transport systems have disrupted various rescue and delivery activities in the disaster area."
ITS Japan. March 28, 2011. http://www.its-jp.org/english/its_asia/553/
Agenda
I. Resilience and Secondary Use: Dependencies threaten control; Control by transparency
II. Multilateral Security: Usage control; Privacy-Enhanced AAA(A)
III. Big Data and Privacy: From login to control by transparency; Loss of control
IV. Usable Security: Multilateral secondary use; Byzantine agreement
I. Resilience and Secondary Use

Resilience: Predictive risk management to remain in or return to an equilibrium by IT support in real-time with secondary use of personal information

[Figures: Public-private cooperation: public traffic road map (03/19/2011); Localization at Disney Resort Tokyo (08/02/2011); User generated content on Google Maps (08/02/2011)]
Support by Cyber-Physical Systems

[Figure (N. Sonehara, 2011): Real world: sensor networks in home, building facility, vehicle network, transport system, power grid system, environment monitor, agriculture, etc.; sensing & actuation (control); human state. Cyber world: PAN, wide area network, all-IP network, CPS data platform; collection and sharing of context and data; policy decision support based on information processing; service control.]
Information Usage Model

[Figure: chain data provider → data consumer/provider → data provider/consumer → data consumer; primary use passes d, secondary use passes d, d*]

• Dependencies occur at run-time and threaten information processing
• Problem: Users lose control on their identity
Dependency: Users and IT System

[Figure: bar chart of citations per problem category I to IV (y-axis: citations, 0 to 60)]

75% of identified problems are usability problems with a negative effect on the user's security
• User has to learn the technical concept
• SigG digital signature client Signtrust: "Maloperation" raises a security incident
• 7 Internet user groups in Germany
People with less security expertise (approx. 70%) want to delegate privacy to a TTP
• Responsibility: self-protection or privacy by a TTP
D. Gerd tom Markotten 2004; G. Müller and S. Wohlgemuth 2005; DIVSI 2012
Dependency: Third Party

Case (a): Passive incident; Case (b): Active incident
• Inevitable, not-modelled dependencies during run-time
• For Germany: Indirect attacks on Internet of Things and Cloud Computing
Assumption: Each IT system is secure

[Figure: two copies of the information usage model (data provider → data consumer/provider → data provider/consumer → data consumer, exchanging d and d, d*); in case (b) one data consumer/provider is faulty]

Covert dependencies cannot be decided by a Turing machine (TM), only detected statistically
Loss of control by conceptual dependency on a compromised TTP
K.W. Hamlen, G. Morrisett, and F.B. Schneider 2006; A. Grusho, N. Grebnev, and E. Timonina 2007; BSI 2015
Dependency: Machine Learning

Loss of control on classification
Data analytics as secondary use of personal information: "Faulty" data increases the error rate of machine learning
• Supervised machine learning (e.g. SVM)
• Unsupervised machine learning (e.g. PCA)

[Figure: information usage model (data provider → data consumer/provider → data provider/consumer → data consumer, exchanging d and d, d*) with the learning system as data consumer]
B. Biggio, B. Nelson, and P. Laskov 2012; L. Huang, A.D. Joseph, B. Nelson, B.I. Rubenstein, and J. Tygar 2011
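Added example (not from the slides) showing the point above in code. The classifier is a nearest-centroid rule standing in for the SVM and PCA named on the slide; the training set, the test set and the two mislabelled "faulty" records one data provider injects are constructed for the example. The mean-based centroid is pulled towards the injected points and the error rate on the test set rises from 0 to 3/7; swapping the mean for a coordinate-wise median (a robust aggregation, also my choice, not something the slide prescribes) restores the clean error rate.

```python
"""Training-data poisoning against a nearest-centroid classifier (pure Python)."""
from math import dist
from statistics import mean, median

# Constructed, labelled 2-D training data: two well separated clusters A and B.
CLEAN_TRAIN = [
    ((1.0, 1.0), "A"), ((1.0, 2.0), "A"), ((2.0, 1.0), "A"), ((2.0, 2.0), "A"), ((1.5, 1.5), "A"),
    ((5.0, 5.0), "B"), ((5.0, 6.0), "B"), ((6.0, 5.0), "B"), ((6.0, 6.0), "B"), ((5.5, 5.5), "B"),
]
# Constructed test set; the B points sit on B's side but close to the decision boundary.
TEST = [
    ((1.0, 2.0), "A"), ((2.0, 1.5), "A"), ((0.5, 1.0), "A"),
    ((4.0, 4.0), "B"), ((4.5, 3.5), "B"), ((5.0, 4.6), "B"), ((6.0, 5.5), "B"),
]
# "Faulty" records injected by one data provider: far-off points carrying the wrong label.
POISON = [((15.0, 15.0), "A"), ((16.0, 14.0), "A")]


def fit_centroids(train, robust=False):
    """One centroid per label: coordinate-wise mean, or median when robust=True."""
    aggregate = median if robust else mean
    by_label = {}
    for point, label in train:
        by_label.setdefault(label, []).append(point)
    return {label: tuple(aggregate(axis) for axis in zip(*pts))
            for label, pts in by_label.items()}


def predict(centroids, point):
    """Nearest-centroid decision rule (Euclidean distance)."""
    return min(centroids, key=lambda label: dist(point, centroids[label]))


def error_rate(train, test, robust=False):
    """Fraction of test points the model trained on `train` misclassifies."""
    centroids = fit_centroids(train, robust)
    wrong = sum(predict(centroids, p) != label for p, label in test)
    return wrong / len(test)


if __name__ == "__main__":
    print("clean training data:      ", error_rate(CLEAN_TRAIN, TEST))
    print("with 2 poisoned records:  ", error_rate(CLEAN_TRAIN + POISON, TEST))
    print("poisoned, median centroid:", error_rate(CLEAN_TRAIN + POISON, TEST, robust=True))
```

Two records out of twelve suffice because the mean has no bounded influence: a single far-off point moves the centroid arbitrarily. The median bounds the influence of any minority of the providers, which is why the same poisoned set yields the clean error rate again.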
Dependency: Aggregation

Variety and Volume: Information flow from different sources. Aggregation of anonymized data implies information leakage
Loss of control on confidentiality and classification

[Figure: information usage model with several data providers feeding one data consumer/provider; friendship graph with Bob and David showing an explicit friendship and an implicitly assumed friendship]
L. Sweeney 2002; C. Jernigan and B. Mistree 2007

Example: Google Photos' Classification
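Added example (not from the slides) showing the aggregation problem in code: an "anonymized" medical release with names removed is joined with a second, public source on the quasi-identifiers ZIP code, date of birth and sex, which is the linkage attack described by Sweeney 2002. Both tables are constructed for the example. `k_anonymity` reports the size of the smallest group of records sharing one quasi-identifier combination, and `generalize` coarsens the quasi-identifiers (the particular cells are my choice) until the join no longer yields a unique name.

```python
"""Linkage attack on an "anonymized" release, and a k-anonymity check (pure Python)."""
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed medical release: names removed, quasi-identifiers and diagnosis kept.
MEDICAL = [
    {"zip": "02138", "dob": "1965-07-21", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1965-07-21", "sex": "M", "diagnosis": "influenza"},
    {"zip": "02139", "dob": "1970-01-05", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1970-03-09", "sex": "F", "diagnosis": "diabetes"},
]
# Constructed public register (a voter list) carrying names plus the same quasi-identifiers.
VOTERS = [
    {"name": "Alice", "zip": "02138", "dob": "1965-07-21", "sex": "F"},
    {"name": "Bob",   "zip": "02138", "dob": "1965-07-21", "sex": "M"},
    {"name": "Carol", "zip": "02139", "dob": "1970-01-05", "sex": "F"},
    {"name": "Dan",   "zip": "02139", "dob": "1970-03-09", "sex": "M"},
    {"name": "Eve",   "zip": "02139", "dob": "1970-03-09", "sex": "F"},
]


def qi_key(record, qi=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple both sources share."""
    return tuple(record[attr] for attr in qi)


def link(release, register, qi=QUASI_IDENTIFIERS):
    """Join both sources on the quasi-identifiers; return {release index: [name]} for every
    release record that matches exactly one person, i.e. every re-identified record."""
    index = defaultdict(list)
    for person in register:
        index[qi_key(person, qi)].append(person["name"])
    return {i: index[qi_key(r, qi)]
            for i, r in enumerate(release) if len(index[qi_key(r, qi)]) == 1}


def k_anonymity(release, qi=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one quasi-identifier combination."""
    return min(Counter(qi_key(r, qi) for r in release).values())


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix, birth year only, sex suppressed."""
    return {**record, "zip": record["zip"][:3] + "**", "dob": record["dob"][:4], "sex": "*"}


if __name__ == "__main__":
    print("re-identified:", link(MEDICAL, VOTERS), "k =", k_anonymity(MEDICAL))
    release = [generalize(r) for r in MEDICAL]
    register = [generalize(v) for v in VOTERS]
    print("after generalization:", link(release, register), "k =", k_anonymity(release))
```

Each source on its own looks harmless: the release has no names, the register has no diagnoses. The leakage is produced by the aggregation, and the release's owner has no control over which other sources a data consumer will join it with. k-anonymity only bounds linkage on the chosen quasi-identifiers; any attribute left out of `QUASI_IDENTIFIERS` that a further source shares re-opens the join.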
Control by Transparency

• Recipient: Transparency for accountability and to restore information
• Sender: Encryption to prevent information leakage
Self-protection depends on opposite security interests
C.E. Shannon 1948, 1949; Dolev and Yao 1983

[Figure: information usage model (data provider → data consumer/provider → data provider/consumer → data consumer, exchanging d and d, d*)]
II. Multilateral Security

Combining opposite security interests by an equilibrium setting
• Accountability: Authentic information on information processing
• Unobservability: Non-linkability to impede re-identification
G. Müller, K. Rannenberg and A. Pfitzmann 1996; I. Echizen, G. Müller, R. Sasaki, and A Min Tjoa 2013

[Figure: equilibrium between accountability (traceability of personal information) and unobservability (anonymity, pseudonymity, privacy), with usage control and control by transparency as the two enforcement mechanisms]
Enforcement: AAA(A)

Open Internet standard RFC 2904 AAA Authorization Framework
[Figure: AAA(A) service between data consumers/providers exchanging d, d*: 1: Authentication; 2: Authorization; 3: Accounting; 4: Accountability]
+ Accountability for information exchange via hidden, inevitable dependencies
Privacy-Enhanced Authentication

[Figure: partial identities of one user: on the request "Digital driving licence?" the driving licence (Erika Mustermann, classes ABE, Mornewegstr. 23, D-64293 Darmstadt, Germany); the pseudonym "Hans im Glück" with a motorbike (Harley Davidson, IP address); on the request "Car?" the pseudonym "543ag" with a car (VW Beetle)]

Identity Management: User-controlled disclosure of personal information
• Unobservability by anonymous PKI (partial identities and cryptographic protocols)
• Accountability by all-or-nothing linking to master identity (PKI and cryptographic protocols)
• Revealing identity of cheating users (PKI and cryptographic protocols)
U. Jendricke 2003; A. Pfitzmann and M. Hansen 2010; J. Camenisch et al. 2014
Example: iManager

CeBIT 2003 Scenario: Buying an electronic railway ticket
[Figure: iManager dialog showing the current partial identity, the necessary personal information and the proposed partial identity]
S. Wohlgemuth, U. Jendricke, D. Gerd tom Markotten, F. Dorner, and G. Müller 2003
doIT Software Award 2003 of the German Federal State Baden-Württemberg
Example: German national ID Card

• Biometric authentication (sovereign only)
PKI-based applications of the German national ID card:
• Electronic identity
• Electronic signature
Mutual authentication with option for pseudonymity
BSI TR-03130 Technical Guideline eID-Server

PersoApp: Secure and user-friendly Internet applications
• Verification of certificates by eID server (TTP)
• Open source code at GoogleCode for PC (Java) and Internet of Things (Android OS)
• Identification of IT security vulnerabilities for payment with REWE Group
• With advisory board members: Springer special issue "Security and privacy in business networking"
Privacy-Enhanced Authorization

• Decentralized: Non-linkable delegation of rights on information
• All-or-nothing: Loss of control if delegating credentials

[Figure "Control by Transparency": Systems 1 to 4 (each data provider/consumer, DP/DC) exchanging d and d, d* under a policy; control at the sending system, transparency at the receiving systems]
Privacy-Enhanced Accountability

[Figure: Systems 1 to 4 (DP/DC) exchanging d, d* with transparency at each hop; the provenance record grows along the path (System 2; System 2, System 3; System 2, System 3, System 4; System 2, System 3, System 4, System 3); control remains at the sender]

• Hidden channels: Information leakage and modification
• Accountability: Data provenance on information exchange for audit
Unobservability: Impeding non-authorized re-identification
Accountability and availability: Misuse of d, d* can be detected
Privacy-Enhanced Accounting

[Figure: deduction system with inputs privacy policy and cryptographic key, certificate, revocation, trust statement, …; queries on d, d*, identity and authorization; result: Aut(d, d*)]
Logical statement on authentication of d, d* from the user's view (on a PKI)
Deriving information on accountability
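Added example (not the slides' own deduction system): a small forward-chaining deduction over a user's view of a PKI. The slide names the ingredients (keys, certificates, revocations, trust statements) but no calculus; this block uses the rules of Maurer's PKI model (statements Aut, Trust with levels, Cert, Rec), which is my choice. The view is constructed: the user holds the root CA's authentic key, trusts it to level 2, and the root certifies and recommends a sub-CA that certified the data consumer's key. Removing the certificate (a revocation) or the recommendation makes the consumer's key underivable from the user's view, which is where accounting for d, d* would have to stop.

```python
"""Deriving 'Aut' statements from a user's view of a PKI (Maurer-style rules)."""

# Statement forms, all relative to the user's own view:
#   ("Aut", X)        the user holds an authentic public key of X
#   ("Trust", X, i)   the user trusts X as a certification authority to level i
#   ("Cert", X, Y)    X has issued a certificate for Y's public key
#   ("Rec", X, Y, i)  X recommends Y as a certification authority to level i

# Constructed view: root CA known and trusted to level 2; the root certifies and
# recommends SubCA; SubCA certifies the data consumer the user wants to exchange d, d* with.
VIEW = {
    ("Aut", "RootCA"),
    ("Trust", "RootCA", 2),
    ("Cert", "RootCA", "SubCA"),
    ("Rec", "RootCA", "SubCA", 1),
    ("Cert", "SubCA", "DataConsumer"),
}


def derive(view):
    """Close the view under the two inference rules
         Aut(X), Trust(X, >= 1),   Cert(X, Y)   -> Aut(Y)
         Aut(X), Trust(X, >= i+1), Rec(X, Y, i) -> Trust(Y, i)
    Trust to level i is taken to include every lower level."""
    facts = set(view)
    while True:
        authentic = {s[1] for s in facts if s[0] == "Aut"}
        trust_level = {}
        for s in facts:
            if s[0] == "Trust":
                trust_level[s[1]] = max(trust_level.get(s[1], 0), s[2])
        new = set()
        for s in facts:
            if s[0] == "Cert" and s[1] in authentic and trust_level.get(s[1], 0) >= 1:
                new.add(("Aut", s[2]))
            if s[0] == "Rec" and s[1] in authentic and trust_level.get(s[1], 0) >= s[3] + 1:
                new.add(("Trust", s[2], s[3]))
        if new <= facts:          # fixpoint reached: nothing new is derivable
            return facts
        facts |= new


def authentic(view, name):
    """Query: can the user derive that it holds name's authentic key?"""
    return ("Aut", name) in derive(view)


def revoke(view, statement):
    """Revocation as seen by the user: the certificate or recommendation disappears."""
    return view - {statement}


if __name__ == "__main__":
    print("DataConsumer authentic:", authentic(VIEW, "DataConsumer"))
    without_cert = revoke(VIEW, ("Cert", "SubCA", "DataConsumer"))
    print("after revoking SubCA's certificate:", authentic(without_cert, "DataConsumer"))
    without_rec = revoke(VIEW, ("Rec", "RootCA", "SubCA", 1))
    print("without the root's recommendation:", authentic(without_rec, "DataConsumer"))
```

The derivation is per user: two users with different trust statements derive different Aut sets from the same certificates, which is what "from the user's view" on the slide amounts to. Note the asymmetry the second query exposes: a certificate alone authenticates a key only if the issuer is also trusted as a CA, so a sub-CA that is certified but not recommended contributes nothing.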
III. Big Data and Privacy

[Figure: data provider sends d to a data-centric service, which passes d, d* to a data consumer; authentication on both links; transparency (privacy-enhanced authentication and accountability) towards data provider and data consumer; control (authorization and privacy-enhanced accounting) at the service, which performs authorization, accounting and accountability]
From Login to Control by Transparency

[Figure (own figure based on Radar Networks & Nova Spivack 2007, E. Brynjolfsson and A. McAfee 2011): productivity against amount of data from the PC era (desktop) over Web 1.0 (the World Wide Web), Web 2.0 (the Social Web) and Web 3.0 (the Semantic Web) to Web 4.0 (the Intelligent Web); technologies along the way: file systems, databases, groupware, keyword search, social networking, wiki, tagging, mashups, semantic search, natural language search, reasoning, smart personal agents. Interaction shifts from human-machine to machine-machine; information processing from centralized to ubiquitous P2P (Internet of Things), decentralized P2P (Cloud Computing) and automatic decision support (Cyber-Physical Systems). Security mechanisms on the same axis: one-factor authentication, multi-factor authentication, authorization, accounting, accountability, with increasing entropy of authentication information.]
Data-Centric Service

W. Wahlster & G. Müller. Placing Humans in the Feedback Loop of Social Infrastructures; NII Strategies on Cyber-Physical Systems. 2013

[Figure: data provider sends d to a data-centric service, which passes d, d* to a data consumer; feedback loop of the service: improving attractivity → increasing market share → lock-in → network → economies of scale (G. Müller, T. Eymann, M. Kreutzer 2003); multilateral security diagram (accountability, unobservability, usage control, control by transparency, anonymity, pseudonymity, traceability, personal information, privacy)]

Cartoon: question "Who am I?", answer "You are a dog and your friend sitting close to you is a B/W dog."
Loss of control by asymmetric distribution of information

Example: Privacy Dashboard
Data-Centric Service:
• Transparency on information from the user
• No transparency on secondary use
Privacy-Enhanced Accountability:
• Transparency on data provenance
IV. Usable Security

From loss of control to informational self-determination: Byzantine Agreement on secondary use
[Figure: data provider/consumer, data consumer/provider and data consumer exchanging d*]

Consensus: Control by Sender
• Consensus: Users agree on information
• Authentic information: Consensus by trusted users by correctness & consistency
[Figure: data provider sends d to a data-centric service and d, d* to a data consumer; data consumers/providers exchange d* among themselves]
Impossibility results:
• Asynchronous communication: No consensus possible if one user fails
• Synchronous communication: Tolerance without cryptography: t < n/3 faulty processes (with authentic key exchange: t < n/2)
L. Lamport, R. Shostak, M. Pease 1982; M.J. Fischer, N.A. Lynch, M.S. Paterson 1985; M. Waidner 1991
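Added example (not from the slides): a simulation of the oral-messages algorithm OM(m) of Lamport, Shostak and Pease, the synchronous, signature-free setting behind the t < n/3 bound above. Process 0 is the commander and processes 1 to n-1 the lieutenants; the traitor behaviour (a two-faced commander, lieutenants that relay the opposite value) and the tie-break default RETREAT are my modelling choices. With n = 4 and one traitor the loyal lieutenants agree and follow a loyal commander; with n = 3 and one traitor a loyal lieutenant is driven to the default although the commander said ATTACK, the failure the bound predicts.

```python
"""Oral-messages Byzantine agreement OM(m) (Lamport, Shostak, Pease) in pure Python."""
from collections import Counter

DEFAULT = "RETREAT"   # value a lieutenant falls back to when it sees no majority


def majority(values):
    """Majority of a list of values; ties resolve to DEFAULT."""
    counts = Counter(values).most_common()
    if len(counts) > 1 and counts[0][1] == counts[1][1]:
        return DEFAULT
    return counts[0][0]


def traitor_send(sender, receiver, value):
    """Traitor behaviour (modelling choice): the commander (process 0) is two-faced,
    a traitor lieutenant relays the opposite of what it received."""
    if sender == 0:
        return "ATTACK" if receiver % 2 else "RETREAT"
    return "RETREAT" if value == "ATTACK" else "ATTACK"


def om(m, commander, lieutenants, value, traitors):
    """OM(m): the commander sends `value`; for m > 0 every lieutenant forwards what it got
    to the others via OM(m-1) and decides by majority over its own copy and the forwarded
    ones. Returns {lieutenant: decided value}; traitors' own decisions are meaningless."""
    received = {
        l: traitor_send(commander, l, value) if commander in traitors else value
        for l in lieutenants
    }
    if m == 0:
        return received
    views = {j: [received[j]] for j in lieutenants}
    for i in lieutenants:
        others = [l for l in lieutenants if l != i]
        relayed = om(m - 1, i, others, received[i], traitors)
        for j in others:
            views[j].append(relayed[j])
    return {j: majority(views[j]) for j in lieutenants}


def run(n, m, traitors, value="ATTACK"):
    """Decisions of the loyal lieutenants for n processes (0 = commander) and m rounds."""
    lieutenants = list(range(1, n))
    decisions = om(m, 0, lieutenants, value, set(traitors))
    return {l: decisions[l] for l in lieutenants if l not in traitors}


def interactive_consistency(n, m, traitors, value="ATTACK"):
    """(IC1, IC2): all loyal lieutenants agree; if the commander is loyal, on its value."""
    loyal = run(n, m, traitors, value)
    ic1 = len(set(loyal.values())) == 1
    ic2 = 0 in traitors or all(v == value for v in loyal.values())
    return ic1, ic2


if __name__ == "__main__":
    for n, traitors in ((4, {0}), (4, {3}), (3, {2})):
        print(f"n={n} traitors={traitors}: loyal decisions {run(n, 1, traitors)}, "
              f"IC1/IC2 {interactive_consistency(n, 1, traitors)}")
```

The n = 3 run shows why the bound is information-theoretic: lieutenant 1 sees ATTACK from the commander and RETREAT from lieutenant 2, and that view is identical to the one a two-faced commander would produce against a loyal lieutenant 2. Without signatures no extra rounds resolve the ambiguity; with an authenticated channel and signed messages the forwarded value cannot be altered, which is what relaxes the bound in the second bullet.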
Consensus: Self-Organization

• Consensus on state transitions within a community of distributed, vulnerable users
• Users change role during run-time ("miner" checks transactions and gets a reward)
• Provenance by irreversible, decentralized database with eCoin system
[Figure: data consumers/providers exchanging d* … d*]
S. Nakamoto 2009
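Added example (not from the slides) that serves both the data-provenance point under Privacy-Enhanced Accountability above and this slide's irreversible, decentralized database: an append-only log of d and d* exchanges between the systems of the earlier figure, each entry chained to its predecessor by SHA-256 and sealed by a small proof of work in the style of Nakamoto 2009. The difficulty of 12 leading zero bits, the event fields and the miner being the local process are my choices; the events are constructed. `provenance` answers the audit question of who passed d* to whom, and `verify` reports the first entry whose content or chaining was altered.

```python
"""Hash-chained provenance log with proof of work (Python standard library only)."""
import copy
import hashlib
import json

DIFFICULTY_BITS = 12           # leading zero bits required of every entry hash (example value)
GENESIS = "0" * 64             # "previous hash" of the first entry


def entry_hash(entry):
    """Canonical SHA-256 over the entry's fields (sorted keys, no whitespace)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def meets_difficulty(digest_hex):
    return int(digest_hex, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine(body):
    """Miner role: search a nonce until the entry hash meets the difficulty target."""
    nonce = 0
    while True:
        candidate = {**body, "nonce": nonce}
        digest = entry_hash(candidate)
        if meets_difficulty(digest):
            return {**candidate, "hash": digest}
        nonce += 1


def append(chain, event):
    """Append one information-exchange event; its hash commits to the whole history."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append(mine({"prev": prev, "event": event}))
    return chain


def verify(chain):
    """Return the index of the first inconsistent entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = entry_hash(body)
        if entry["prev"] != prev or digest != entry["hash"] or not meets_difficulty(digest):
            return i
        prev = digest
    return None


def provenance(chain, data_id):
    """Audit view: the ordered (sender, receiver) hops one data item took."""
    return [(e["event"]["from"], e["event"]["to"])
            for e in chain if e["event"]["data"] == data_id]


def tampered(chain, index, field, value):
    """Deep copy of the chain with one event field rewritten and nothing re-mined."""
    altered = copy.deepcopy(chain)
    altered[index]["event"][field] = value
    return altered


# Constructed events following the Privacy-Enhanced Accountability figure.
EVENTS = [
    {"from": "System 2", "to": "System 3", "data": "d", "purpose": "primary use"},
    {"from": "System 3", "to": "System 4", "data": "d*", "purpose": "secondary use"},
    {"from": "System 4", "to": "System 3", "data": "d*", "purpose": "secondary use"},
]


def build_chain(events=EVENTS):
    chain = []
    for event in events:
        append(chain, event)
    return chain


if __name__ == "__main__":
    log = build_chain()
    print("intact:", verify(log) is None, "| d* path:", provenance(log, "d*"))
    print("first bad entry after rewriting entry 1:", verify(tampered(log, 1, "to", "System 5")))
```

A single keeper of this log can still rewrite an entry and re-mine every later one; the local check only detects an alteration it was not party to. Nakamoto's scheme makes rewriting costly because many miners extend the chain in parallel and the longest valid chain wins, so a rewrite has to outpace the honest work, which is the decentralized part the slide refers to and which this single-process example does not reproduce.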
Decentralized Usage Control

• Secondary use of symmetric distribution of personal security information
[Figure: Privacy-Enhanced Authorization, Privacy-Enhanced Accountability and Privacy-Enhanced Accounting (A A A) on top of the trust anchor]
• Trust anchor: Registered, non-linkable eID (Privacy-Enhanced Authentication)

• Acceptable authentic information decreases the individual risk of loss of control
• User control on identity is threatened by the use of privacy-enhanced security
• Unilateral use leads to loss of control (non-usable security)
• Multilateral control by secondary use of personal security information (re-use)
• Decentralized usage control supports usable security by decreasing individual risk
V. Conclusion

Usable security is informational self-determination and supports resilience
[Figure: equilibrium between accountability (traceability, personal information) and unobservability (anonymity, pseudonymity, privacy), enforced by decentralized usage control and control by transparency]