Transcript of a PowerPoint presentation.
Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments
Yitao Duan and John Canny
UC Berkeley
Outline
• Background and motivation
• Existing solutions
• Our approach
  – Design principles
  – Enforcing scheme
  – Evaluation
• Conclusion and future work
Ubiquitous Computing
• One consequence of Ubicomp
  – Way more data about us can be gathered (and used).
  – This is potentially a great thing for collaborative algorithms
• But, it’s potentially a great problem because...
Issues Addressed
• Protection of the user data generated and maintained by the environment
• Privacy of individuals who use the environment
• Ability of legitimate users to make use of data recorded in the environment
• Dealing with high-speed streams of data
• Trustworthiness of the environments (in progress)
Challenges
• Unfamiliar environments
• Dynamic, ad hoc and shared
  – difficult to determine access rights
• No central control
• High data rate – must be processed in real-time
• Collaborative applications
Existing Solutions
• Focus on access control
• Based on an authentication/authorization model (e.g. RBAC)
• Require a piece of running code to actively check permissions
• Inadequate for ubicomp
  – Dynamic, distributed environment
  – Protecting agent can be bypassed
  – Completely ignore the untrusted environment issue
Our Approach
• Does not rely on access control
• Makes data secure by themselves
• In line with the philosophy of cryptography:
  – Obscurity is not security
  – Assume the adversary has access to the communication
Our Principle – Data Discretion
Data discretion: Users should always have access to, and control of (recorded or live) information that would be available to them in “real-world” situations. They should not have direct access in other situations.
• Matches “real-world” privacy norms
• Consistent with emerging legal principles
• Users are involved in decisions regarding data about them – users are in control of their data!
Smart Room Testbed
• Good example of a ubicomp environment
• RFID tag reader to establish who's in the room
• 4 cameras to record images
• Smartboard to log electronic activity
Enforcing Scheme
• Assume all data are stored in files that represent short time intervals
• Each data file is encrypted with a unique secret key
• The secret keys are encrypted with the public keys of the people in the room (determined by the tag reader)
• Users who were in the room can recover the keys and access the data recorded while they were in the room
Key Embedding
• Conceal who and how many users have access
• Key set: fixed-length data structure with slots > max number of users in the room
• (Figure) Key set entries <Secret Key>K1, <Secret Key>K2, <Secret Key>K3, <Secret Key>K4: the file's secret key encrypted under each present user's key K1 … K4, stored at the slot positions hj1(Fi, K1), hj2(Fi, K2), … hjn(Fi, Km)
Master Key Escrow
• Every encryption key is also encrypted with a master public key.
• The master private key is shared by, say, 3 people. Any 2 of the 3 can unlock any of the images, but they have to cooperate.
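Added example, not from the slides: a 2-of-3 threshold split of the master private key using Shamir secret sharing over a prime field (the slides do not name the sharing method; this is one standard choice that gives exactly the "any 2 of 3, but they must cooperate" property). The master key is assumed to be 16 bytes and is treated as an integer.

```python
import secrets

P = 2**255 - 19   # prime field for the shares; any 16-byte master key is far below it (constructed)
KEY_LEN = 16      # assumed byte length of the master private key

def split_2_of_3(master_key):
    """Shamir 2-of-3: a random line f(x) = s + a*x over GF(P) through the secret s at x = 0;
    the three escrow holders receive the points f(1), f(2), f(3)."""
    s = int.from_bytes(master_key, "big")
    a = secrets.randbelow(P)
    return [(x, (s + a * x) % P) for x in (1, 2, 3)]

def recover(two_shares):
    """Any two distinct points fix the line; Lagrange interpolation at x = 0 gives s back."""
    (x1, y1), (x2, y2) = two_shares
    s = (y1 * x2 - y2 * x1) * pow((x2 - x1) % P, -1, P) % P
    return s.to_bytes(KEY_LEN, "big")

def consistent_with(one_share, candidate_secret):
    """One point alone is consistent with every candidate secret: for any s there is a slope
    a = (y - s)/x producing the same point, so a single holder learns nothing about the key."""
    x, y = one_share
    a = (y - candidate_secret) * pow(x, -1, P) % P
    return (candidate_secret + a * x) % P == y
```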
General Access Structure
• Equal access may not be appropriate in some applications
• Can realize a general access structure
  – Secret-share the secret key among users
  – Embed the shares in the key set
• An example: AND access
  – $r_1, r_2, \ldots, r_{m-1} \in \{0,1\}^l$, $r_m = r_1 \oplus r_2 \oplus \cdots \oplus r_{m-1} \oplus k_s$
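Added example, not from the slides: a Python sketch of the fixed-length key set from the Key Embedding slide combined with the XOR-based AND access structure above. It assumes a key set of 8 slots and 16-byte keys, and stands in for encryption under each user's public key with an HMAC keystream keyed by a per-user secret plus a short recognition tag so a user can find their own slot (a simplification; the scheme itself uses public-key encryption).

```python
import hashlib, hmac, secrets
from functools import reduce

SLOTS = 8      # fixed key-set length, larger than the max number of people in the room (constructed)
KEY_LEN = 16   # l/8: byte length of the file key ks and of every share (constructed)
TAG_LEN = 4    # recognition tag appended to each wrapped share (assumption, see lead-in)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def and_shares(ks, m):
    """AND access: r_1..r_{m-1} random, r_m = r_1 xor ... xor r_{m-1} xor ks, so all m are needed."""
    shares = [secrets.token_bytes(len(ks)) for _ in range(m - 1)]
    return shares + [reduce(xor, shares, ks)]

def slot(file_id, user_key, j):
    """h_j(F_i, K): slot position derived from the file id and the user's key; j is the probe number."""
    d = hashlib.sha256(b"slot" + file_id + user_key + bytes([j])).digest()
    return int.from_bytes(d[:4], "big") % SLOTS

def wrap(user_key, file_id, share):
    # Stand-in for public-key encryption to the user: HMAC keystream plus a tag that lets the
    # user tell their own slot from random filler (assumption, not the scheme's own primitive).
    pad = hmac.new(user_key, b"pad" + file_id, "sha256").digest()[:len(share)]
    tag = hmac.new(user_key, b"tag" + file_id + share, "sha256").digest()[:TAG_LEN]
    return xor(share, pad) + tag

def unwrap(user_key, file_id, entry):
    body, tag = entry[:-TAG_LEN], entry[-TAG_LEN:]
    share = xor(body, hmac.new(user_key, b"pad" + file_id, "sha256").digest()[:len(body)])
    want = hmac.new(user_key, b"tag" + file_id + share, "sha256").digest()[:TAG_LEN]
    return share if hmac.compare_digest(tag, want) else None

def build_key_set(file_id, ks, user_keys):
    """Every slot holds random bytes, so the set reveals neither who nor how many users have access."""
    keyset = [secrets.token_bytes(KEY_LEN + TAG_LEN) for _ in range(SLOTS)]
    used = set()
    for uk, r in zip(user_keys, and_shares(ks, len(user_keys))):
        j = 0
        while slot(file_id, uk, j) in used:   # probe past slots already taken by other users
            j += 1
        used.add(slot(file_id, uk, j))
        keyset[slot(file_id, uk, j)] = wrap(uk, file_id, r)
    return keyset

def recover_key(keyset, file_id, user_keys):
    """Each user probes their own positions; the file key emerges only if every AND member contributes."""
    shares = []
    for uk in user_keys:
        found = [s for j in range(4 * SLOTS) if (s := unwrap(uk, file_id, keyset[slot(file_id, uk, j)]))]
        shares.append(found[0] if found else None)
    return None if None in shares else reduce(xor, shares)
```

A user who was not in the room finds no slot that unwraps, and a strict subset of the AND group combines to a value unrelated to ks.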
Performance Evaluation
• System Throughput (figure): throughput (MBps, 0 to 2.5) against file size (KB, 1 to 10000, log scale)
• Execution time includes: Encryption (Triple-DES) + Disk I/O
• Platform: PIII 900MHz + Linux 2.4.18 Kernel
What Have We Achieved?
• A principle that mimics real-world norms
• A scheme to enforce it
  – “Zero-knowledge”: conceals even the number of users who have access
  – Efficient enough to deal with real-time data
  – Economical to implement on commodity hardware
• Data sharing made safe
  – The encryption does not hinder collaboration [Canny 02]
Not Enough
• The scheme works if the environment is honest
• Unfamiliar environments are untrusted environments
• How can we be sure the system performs the encryption and does not leak data?
Dealing With Untrusted Env – Data Transparency
• Data Transparency: Encrypted data recorded or transmitted by a ubicomp system should be easily observable. Where possible, the data itself should demonstrate compliance with stated principles.
• Data observable, not comprehensible
  – Obscurity is not security!
• Security and privacy based on cryptography, not access control
• Makes it easy to verify systems’ compliance with any stated privacy policy
Towards Trustworthy Environments (In Progress)
• Trusted computing framework
  – Assume most components untrusted
  – Some devices (from 3rd party) more trusted
  – Exploit the mutual distrust between them to build a trusted system
• Verification
  – ZKP to guarantee access rights
  – The demonstration that the system does what it is supposed to is itself a ZKP
  – Bit commitment to minimize leakage