a world without pets - · pdf filea world without pets a summary of the presentation given by...

A world without PETs

A summary of the presentation given by Stephan Engberg at the conference 'A Fine Balance 2007'

Stephan Engberg, founder and CEO of Priway has spent the last eight years researching and developing privacy and security enabling systems and mechanisms. He started his presentation by stressing the need for people involved in security and privacy to set aside their previous ways of thinking as digital integration forces us to rethink.

First he suggested a more operational approach to definition of terms. Privacy is security from the point of view of a single stakeholder. In a networked economy, the design of balances are important as - due to interdependence - security of one stakeholder is an illusion unless it also improves security of other stakeholders in cases of breach. Trust is willingness to accept risk in a certain context and as such a growing cost element as risk acceptance continue to drop. A root requirement of a PET is that it breaks the assumption of a zero-sum trade-off by enabling value functionality such as sharing data without compromising on stakeholder security rights and needs in cases of failure.

He then suggested there is no reason to accept losses of privacy – on the contrary individual security and control is the root source of security, innovation and effective society processes – especially government processes. Security deteriorates because identification concentrates risks, creates interdependence and new data vulnerabilities and identity theft. Command controlled models for complex economic systems such as government accumulates inefficiencies as it cannot adapt to the sophisticated needs and requirements of end-customers. Open market innovation deteriorates as attention moves from servicing customer needs to profiling to maximize marketing communication and short-term sales on the expense of overall value creation. An attacker can easily turn a surveillance system into an attack on its purpose exemplified by attaching a bomb triggered by automatic face recognition to a surveillance camera. Surveillance is not part of a security system except as an response to a previous non-invasive mechanisms which have detected a non-responding potential threat.

He pointed towards Government as the critical enabler of privacy and security through the monopoly on the identity structure and regulation of infrastructure. He presented the basics of National ID 2.0 and a Citizen ID Card where root identification is only used to create new keys and identifiers adapted to the specific purpose. By maximizing attention to fall back and the correct distribution of controls, can we protect the increasingly more vulnerable server systems and data bases – as the most critical element of critical infrastructure. Identity has to build in security balances even before a new process even starts in order to maintain security after the transaction. We can no longer protect data in databases, but we can prevent an attacker – internal or external, deliberate or accidental – getting access to utilize the data and keys for attacks elsewhere.

A service provider would have better security and access to better data if an attacker cannot launch or scale an attack based on knowledge in the systems. Data can be shared without establishing risks towards the system owner or end-customer increasing willingness to share. And most importantly value chain attention would be directed towards servicing real and actual customer needs instead of using the continuous profiling for control, persuasion or the use of illegitimate force. In other words, even though a specific entity may prefer lock-in, may desire to control to further selfish objectives or may prefer to be in a position of power over a citizen and such gain a short term gain on the expense of longer term losses – all society interests points

towards the values, needs and possibilities to empower the citizen to pull the value chains for security, efficiency and competitiveness through innovation.

As a simple example to document this is almost always be done, Stephan Engberg, then demonstrated how to maintain security and privacy without the use of trusted third parties even in a Healthcare Emergency situation where the patient is unconscious. It was based on one the many recent PET breakthroughs in the form of RFIDs with built-in end user PET that does not leak identifiers, one-time-only mechanisms and a gradual linkage to first anonymous patient summaries and then gradually to the patient health care file itself. This also provide the basis to securing Healthcare as such as patient controls can be optimized for mutual benefit.

A world without PETs is a world where security, government efficiency and market innovation continue to erode. Data protection cannot compensate for bad security and with good security, data protection and anti-identity theft is build into the root structures. The PET tools are or can be made available, but Government controls the demand. Responsible governments cannot afford or defend not to incorporate PETs as part of critical infrastructure. Research is always needed, but the core problem is the government demand to focus on surveillance and control instead of security and risk mitigation. If the demand-side works, research in outstanding issues will follow.

1

© Priway, Nov, 2007Fine Balance

1

Fine Balance - A world without PETs

Stephan J. EngbergPriway

From Central Command & Control toCitizen Empowerment & Dependability

Strategic Advisory BoardEU ICT Security &

Dependability Taskforcewww.securitytaskforce.euwww.hydra.eu.com

www.priway.com

www.rfidsec.com

.. when bureaucrats erode competitivenessor “why Europe is not making a secure mobile phone?”


2

Agenda - A world without PETs

1. Basic terms & PET Cases

– Cases: Product RFID, Emergency Care & Citizen-controlled Passports

2. Major problems

– Security, Innovation & government efficiency

3. Disarming the conflict – how deep is the rabbit hole?

– Sustainable principles for Identity & Security – top-down principles

4. Designing for Trustworthiness & Innovation

– Distributed Empowerment – Semantic Resolution

Without changing our pattern of thought, we will not be able to solve the problems we created with our current patterns of thought.Albert Einstein

2


3

What is Privacy?

Privacy is security from the point of view of a single stakeholder

Multi-stakeholderBalance is needed

in transactions.

Risk MinimisationPurpose specification

and revokability.

Application Specific

Context determine Security requirements.


4

What is Trust?

the amount of Risk willingly acceptedin a given context

Trust ::

Citizens make subjective rational choices

Price / RiskLoss of control

Product / ServiceComfort / values

Nobody ”wants surveillance” - they want bad guys caught, butnobody likes to be controlled

3


5

What is a PET?

A Privacy Enhancing technology or PET

is a technology or system

enabling citizen security and control

that breaks the assumption of zero-sum trade-offs

Freedom vs. Security, Sharing vs. Privacy

A PET will make Pareto improvements

E.g. facilitate data sharing.

value creation or mitigate risks

without creating interdependance

and accumulating threats

to citizens and systems


6

Security/Privacy NOT Zero-sumPriway Identity Model

Security forCitizen

Security againstCitizen

Weak Security

Virtual

Identities(Trust Enabling)‏

Identification

Tracea

billity

Anonymity

Non-Identified

Non-T

race

abill

ity

Identified

√ Fallback Security√ Privacy & Trust√ Enforcing Rights

√ Mutual Trust√ Crime prevention√ Semantic Id

4


7

Application DeviceRFIDReader

Even in devices without power PET Security for Passive RFID

Store DTagainst replaySS Shared Secret

Datestamp as nonce : DT One-time-pad shield : RSK XOR F(DT XOR SS) ‏‏ ‏‏Validation : G(RK XOR SS) ‏‏ ‏‏

Response : H(RSK XOR SS XOR DT) ‏‏ ‏‏

SS Shared SecretRSK Random Key

F, G and H Pseudo-random functions

• In most secure implementation

– Zeroknowledge Random Oracle

– Validation response – G - can be 1 bit

• In Silent / Secure Modes

– Transfer of EXCLUSIVE control to owner

– Firewall is on (stealth)‏

– 128 bit shared plus 128 bit session secret

– Attacker cannot learn persistent identifiers

– No need to trust readers

• Implemented to full compatibility with HF - ISO 14443 and ISO 15693 – dual implementation

• Multiple keys, support context-specific id

• Key to security in low-computational devices:

– Even if an extremely powerful attacker could

theoretically analyse all possible key

combinations through brute force

– Attacker still need to test all – RFID SLOW !!!

– Multiple fallbacks, e.g. change keys


8

Value Chain - RFID 2.0 with PETs

Value

Chain

PointOf Sales

Product

ManufacturerProduction

Public Mode

Point of SOA ServicesProduct Id = URL

Privacy ModePrivacy Mode

One-timeCategory Information

Recycling

Zero-leak interactions

Mobile /

Home Usage

Auto-Id with optionalauthenticity verification

Stealth with exclusiveOwner Control

One context

Available: E.g. RFIDsec – security protocol published

Transfer ofControl

5


9

Special Case - One-time-onlyHealthcare Emergency / disaster

Stepwise RFID-based one-time-only EHR linkage

Unconscious userRFID with Zeroleak™

Medic / AmbulanceAnywhere in the

world

Emergency Care PET Infrastructure

Service

Domestic connection to

Healthcare files

Local Hospital

2. Firewall wake-upGroup key plus one-time specific key

3.One-time-onlyData-ref (+ auth) Decryption key

1. Request help

4. Request Profile

6. Establish connection to home & relatives

7. Establish connection / ID

5. Emergency profile (anonymous)‏8. In transport

treatment

Relatives

6a. InformRelatives

Emergency Care Server learns NOTHING – no identifers no data

Mediq get anonymous patient profile – not linkable, one-time only

Identifier & Key to EHR stored with patient – Supports PET EHR !!


10

RFID can support person IdSecuring RFID in Passports

(User control of activation & passport revocation)‏

User Device 1st GenOn-card biometrics

“Zero-knowledge” protocolRFID Owner key + Data Decryption

key

Border ControlPassport

RFID with Zeroleak™Encrypted data segment4. Request Data

3. Session decryption key(to public key)‏

2. Activate + temporarysession decryption key

1. Establish ContextPresent Public keyRequest Authentication

5. Re-encrypted Data

Passport lockdown built-inNo exchange of

non-revokable biometrics

needed – VISA can be added as blinded certificate

6


11

Distrust

More identification

Collection ofPersonal Data

More ”Security”

Growing ”Risk Premium”

More ”ab”useof personal data

More CrimeIdentity Theft

More and largerSecurity Failures

Pervasive surveillanceAnd abuse of surveillance“Criminals can do everythinggovernment can do”

BusinessSilosId asProperty

Identification CredentialsE.g. biometrics spoofing.More Identity Theft andReverse burden of proof

Non-trustworthy

Risk accumulation

Failure of Critical

infrastructure

Root problemIdentificationcreate risk !

Problem # 1 - Security erode


12

Problem # 1.1 The Security Gap

Central Command & Control

Digital Integration

Security

Risks

Growing Threats & failuresDamaging Trust

Requiring COMPENSATION

Increasing threats

Added protection

With digital integration risks accumulate

Many transactions with small perceived

risks accumulate to huge threats

7


13

Problem #1.2 - Living at Gunpoint

CASE: Surveillance Smart Bombs

Assume deployment of

Radio-update

• A series of small RFID-bombs• Attached to passive RF-reader• Located at fashionable locations• Close to normal RFID-reader• Triggers updated via FM-radio• Proximity-triggered by target

Busines case – Bombs for hireHighly scalable business model, bombs dispersed in majorCities near parliaments. We will get your man in 10 days.

NEW – Bluetooth or Face Recognition versiontapping into any camera & advertising sign.


14

Problem # 2

PETs critical for innovation

Consumer

Distributor

Manufacturer

Retailer

Supply Push

Profile marketing

Cross-context data

Collection and use

Who ”own” customer?

Demand Pull

Mass customisation

Demand-driven innovation

versus

Servicing Needs

Purpose-specific sharing

Value network sourcing

9-9.9 out of 10

new products fail

Customer force focus

on actual needs

& gradual improvements

PET worldSurveillance societý

8


15

Problem #3 Walled Fortress

PETs critical for efficiency

Firewall, Access Control (getting weaker)‏

Government focus on Centralisation

Security But ALSO EfficiencyEroding !

Government services & private sector suffer increasingly from

Planned Economy Syndroms accumulating inefficiencies.

Workforce run faster but are doing the wrong things wrong.

A danish analysis suggest that danish public sector productivity has fallen 25% behind private sector productivity over only 15 years

WHY? No needs-driven innovation mechanisms to allocate & adapt

No fallback

No drivers


16

Fine Balances - why PET?

Anarchic

Totalitarian

Market

(Liberal)‏Collective

(Socialist)‏

Fascism Communism

FundamentalismEgocentrism

Integration is pushing

towards the extremes

9


17

Fine Balances

Efficiency& Innovation

EqualityDriven by needs

Fascism Communism

FundamentalismEgocentrism

Freedom withAccountability

Freedom& Security

Trust &Accountability


18

Empowerment & Fallback security Key to National Id trustworthiness

Anonymity Identification

Risks growCrime/fraudId Theft etc.

Interdependance

National ID 2.0

CommerceGovernment

Risks grow Crime/fraudLack of traces

10


19

Open Metropolis – free flow

Profile & Channel Mgt

Citizen

Portals

Client-sideIdentity Mgt

Optional Delegation

Outsourced

��

Purpose-specific encryption of key and sensitive data

E.g. DOCTOR know client-side more than server application

Distribute the data keys Client-side

Free to share in contextRequire consent or action to link across

The design task is how to structure data, keys and processes.


20

eGovernment id model

Identitymodel

E.g. UK should

Move straight to

National Id 2.0

Citizen Demand Pull

Trust-focused

eGovernment

Single Id

Unstructured

Scandinavia

Structured

Scandinavian Challenge: Move from Single National Id

To Context id

UK, Germany

US

Multi-Id

General Challenge:Damand Pull Effectivisation

AND security

11


21

Successfull PETs

• Cash

• GPS

• Asymmetric encryption

• Proxies/NAT

• C/O addresses / mailbox

• Bearer tokens/tickets

Etc.

• Democratic election – BIGGEST Success

Problem:

GOVERNMENT is not promoting

SECURITY but only surveillance

and centralisation.

Therefore PETs mostly get

deployed in versions empowering

the bad guys


22

Security Tools available

Available or soon available• Anonymous Credentials

– Certified profile & attribute data

– E.g. Credentica

• Identity metasystem

– Heterogeneous id environment

– E.g. Microsoft

• Private Biometrics & Biometric encryption

– Client-side Biometrics

– E.g. readers on card

• Anonymisers

– Mixnets / onion routing

– E.g. TOR, ANON

• Hardware-traceability

– Verifiable accountability

– E.g. TCG

”Privacy Highway” inventions • Secure RFID with PET

– RFID with privacy control

– Anti-counterfeiting & Anti-theft

• Non-linkable Digital Payment

– Anti-counterfeit, Anti-theft,

– Anti-laundering, Credit, additional

• Citizen Id Cards - Anti-Identity Theft

– Create & manage new ids to context

– Traceable & accountable to Root Id

– Privacy Authentication

– Instant revocation

– Id Accountability negotiation

• Other

– Receiver-controlled Communication

– Indirect means to e.g. control Cameras

– GRID Context Security

12


23

Priway Identity ModelPET Roadmap

Security forIndividual

Security againstCitizen

Tracea

billity

Non-IdentifiedNon

-Tra

ceab

illity

Identified

HumanRecognition

Photo Id National Id 1.0

Biometrics ID & Surveillance

Revokable

Biometrics

National Id2.0

PGP

HumanRecognition

Basic Internet

Mixnets

PETs

with anti-crime

PETs

Government block here

Central Command &

Control Paradigm fail

to recognice needs

Government block

market by promoting

& buying surveillance


24

Strategi Advisory Boardon Biometrics -> Citizen control

For instance biometrics is problematic for use for authentication as the ”secret key” is not secret, revocable or unique – biometrics can be spoofed and victims of identity theft cannot get a new set of biometrics, and using several spoofable biometrics can merely create more ”fake security”.

Empowerment considerations involve ensuring that the use of biometrics is Identity

and key management is based on easily and securely revocable keys such as privacy biometrics (integration of biometrics characteristics in mobile tamper-resistant reader-devices) or bio-cryptography (integration of biometrics characteristics in revocable cryptography keys) while enabling the use of a plurality of identity schemes. Indeed, Empowerment and dependability are not achievable if control is always with someone else and attacks commit identity theft based on faking biometric credentials.

Source: www.securitytaskforce.org - Recommendations, p. 14

13


25

User-controlled Biometrics

1. Root Identity

2. Context Identity

3. Identity Recognition

4. Identity Revocation

User control of Device & Channel Management

User-controlled ONLY !!!! On-card Biometrics authenticationPossible Biometric Encryption

Government can revoke Root IdentityCitizen can revoke context id & devices

On-card Biometrics authentication

Prevent terrorist dual enrolment

Enable Vitness relocation & police Undercover

NEVER collect non-revokable biometrics

Only use to create


26

Semantic Resolution of Security

EnrolmentAuthentication

Negative CredentialsPositive Credentials

DynamicSecurity Resolution

and negotiation towards

Application Risk Profile

AccountabilitySemanticIdentity

Virtualisation

www.hydra.eu.com

Incl dynamic reponses to external alertsE.g terrorthreat

Id negotiated and customised to contextCan be recognised / reused

No need for surveillance until specific

threat do not respond to requests using

Non-invasive means

14


27

Dynamic Security Escalation

Least invasive means by default

Normal Heightened Critical

Biometric Id & Surveillance(last resort) ‏

National Id(Singular Id)‏

Trusted Id(Trusted party)‏

Trustworthy Id(Transaction Accountable)‏

Credential Id(specific credential proofs) ‏

Local Id(anonymous handle)‏

Check against Negative credentials(each provide proof NOT on a fugitive-list) ‏

Threat Status


28

The Security Gap eliminated

with Citizen Empowerment

Digital IntegrationIntegration

Security

Risks

Increasing threats

Added protection

Choices are independentand security is separated from service interests.Model is transparent.

15


29

Summation

• The Command & Control Paradigm will increasingly fail

– PETs needed for security, innovation & efficiency

– Single national Id is the security PROBLEM damaging economy

– PETs has to be supported already in ID Cards – Citizen Id

• We need BOTH stronger traceability AND empowerment

– Always use revocable biometrics only - critical

– Purpose-specific Id, Open Semantic resolution & interoperability

– User devices facilitating trust in Id & key management

• To make effective, innovative & trustworthy Balances

– Design as if there is no trust -> Trustworthy

– National Id is only a platform for Context Id -> Free Flow Data

– Empower Citizens to pull Digital Value Chains -> Drive value

WHY IS EUROPE NOT MAKING A SECURE MOBILE PHONE?


30

Questions?

Without changing our pattern of thought, we will not be able to solve the problems we created with our current patterns of thought.Albert Einstein

Stephan J. EngbergPriway

Security in context.. because the alternative is not an option

From Central Command & Control toCitizen Empowerment & Dependability

Use non-invasive mechanisms maintaining post-transaction balances.

Only activate Surveillance when a specific threat is detected

a world without pets - · pdf filea world without pets a summary of the presentation given by...

Documents