Towards Privacy, Security & Trust in ICT Services

Jovan Golić

Open PST AL Workshop, Trento, Nov. 2014

Cyber Security

• Cyber security can generally be considered as information/data security in cyberspace
• In practice, it is related to offensive and defensive techniques, used respectively for performing attacks or defences
• Defensive techniques can be attack-based (e.g. anti-malware signature-based techniques or security patches against SW vulnerabilities) or generic (e.g. anomaly-based/behaviour-based techniques); the latter are more effective against unknown attacks and less effective against known attacks
• Techniques include traffic or event monitoring, data analytics, attack detection and prevention (gateways, firewalls, IDS/IPS), tracking, tracing, incident management & emergency response, information sharing (SOCs and CERTs), security policies, and risk management
• Attacks can aim at DoS/DDoS, fraud, malfunctioning, physical damage (cyber-physical systems), defamation, data theft, terrorism, cyberwar; they appear to evolve exponentially!
• Current situation and trends are unsatisfactory!
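The slide's claim about the two families of defence (attack-based techniques catch what they know, generic ones catch what is unusual) can be seen directly on a small request log. The block below is an added illustration, not code from the presentation: the log, the signature list and the z-score threshold are all constructed for the example.

```python
"""Attack-based (signature) versus generic (anomaly-based) detection, side by side.
Added illustration, not code from the presentation. The request log, the signature
list and the threshold are constructed for the example."""
import re
from collections import Counter
from statistics import mean, pstdev


# Constructed web-server request log: (source address, request path).
# Five ordinary clients, one source sending a single *known* attack request, and one
# source running a *novel* scan that matches no signature but is very noisy.
def build_events():
    events = []
    for host in range(1, 6):
        events += [(f"10.0.0.{host}", p) for p in ("/index.html", "/about", "/login")]
    events.append(("10.0.0.66", "/../../etc/passwd"))                      # known traversal
    events += [("10.0.0.99", f"/cgi-bin/tool{i}.cgi") for i in range(40)]  # unknown scanner
    return events


EVENTS = build_events()

# Attack-based defence: a list of known indicators. It fires only on what it knows.
SIGNATURES = [re.compile(r"\.\./"), re.compile(r"/etc/passwd"), re.compile(r"(?i)union\s+select")]


def signature_hits(events):
    return [(src, path) for src, path in events if any(s.search(path) for s in SIGNATURES)]


# Generic defence: model the 'normal' request volume per source and flag statistical outliers.
def anomaly_hits(events, z_threshold=2.0):
    counts = Counter(src for src, _ in events)
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    if sigma == 0:
        return []
    return [src for src, c in counts.items() if (c - mu) / sigma > z_threshold]


def compare(events=EVENTS):
    """Which sources each approach catches; the two blind spots are complementary."""
    sig = {src for src, _ in signature_hits(events)}
    ano = set(anomaly_hits(events))
    return {"signature_only": sorted(sig - ano), "anomaly_only": sorted(ano - sig), "both": sorted(sig & ano)}
```

On this log the single known traversal request is caught only by the signature (its volume is unremarkable), while the scanner using unknown paths is caught only by the volume anomaly; a production deployment layers both and tunes the threshold against a baseline of genuine traffic, since the anomaly rule will also fire on a legitimately busy client.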

Data Security

• Data integrity – data received/retrieved in original form
  • via secret tag for detection of unauthorized changes
• Data confidentiality – data intelligible only to desired entities
  • via secret reversible transformation of data
• Data availability – data available on request
  • via redundancy, dynamic testing, recovery
• Entity authentication and identification – of entities (e.g., persons, organizations, things) creating, sending, receiving, or retrieving data
  • via verification of real-world physical/logical attributes and time of communication, authentication protocols
• Security is relative to attacks – types, objectives, impact, scale
• Security is relative to attackers – skills, sophistication, resources
• Security has a cost – widespread usage reduces the costs and enables security-by-design
• Security as a business opportunity rather than an obstacle
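The first three goals on this slide map onto three concrete mechanisms: a secret tag (MAC) for integrity, a keyed reversible transformation for confidentiality, and replicas for availability. The block below is an added example and not the presentation's code; it derives its keystream from SHAKE256 only so that it runs on the standard library (a deployed system would use a vetted AEAD such as AES-GCM), and the stored record and master key are constructed.

```python
"""Integrity tag, confidentiality transform and redundancy for the three data goals on
this slide. Added illustration, not the presentation's code. The keystream comes from
SHAKE256 (standard library) only to show the 'secret reversible transformation' idea;
a real system would use a vetted AEAD such as AES-GCM. The stored record is constructed."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    # Separate keys for the two mechanisms, derived from one master key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # XOF output is a function of key and nonce, so XOR-ing it twice restores the data.
    return hashlib.shake_256(enc_key + nonce).digest(n)


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality then integrity (encrypt-then-MAC): nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # the 'secret tag'
    return nonce + ct + tag


def unprotect(key: bytes, blob: bytes):
    """Original data, or None when the tag shows an unauthorized change."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class RedundantStore:
    """Availability through redundancy: each object is written as several independently
    protected replicas, and a read returns the first replica whose tag still verifies."""

    def __init__(self, key: bytes, replicas: int = 3):
        self.key, self.replicas, self.copies = key, replicas, {}

    def put(self, name: str, data: bytes) -> None:
        self.copies[name] = [protect(self.key, data) for _ in range(self.replicas)]

    def get(self, name: str):
        for blob in self.copies.get(name, []):
            data = unprotect(self.key, blob)
            if data is not None:
                return data
        return None   # every replica damaged: data unavailable

    def damage(self, name: str, index: int, offset: int = 0) -> None:
        """Simulate corruption: flip one bit inside the ciphertext of one replica."""
        blob = bytearray(self.copies[name][index])
        blob[NONCE_LEN + offset] ^= 0x01
        self.copies[name][index] = bytes(blob)


def demo():
    key = os.urandom(32)
    store = RedundantStore(key, replicas=3)
    record = b"meter 4711: 1234.5 kWh"   # constructed sensitive record
    store.put("r1", record)
    store.damage("r1", 0)                # one replica corrupted: still available
    first = store.get("r1")
    store.damage("r1", 1)
    store.damage("r1", 2)                # all replicas corrupted: unavailable
    return first, store.get("r1")
```

The tag is checked before any decryption is attempted, so a corrupted or forged replica is never interpreted as data, and the comparison is constant-time so that the check itself does not leak the tag.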

Data Privacy - 1

• Data privacy is about the security of personal data and of any sensitive data regarding citizens, private or public companies, institutions, and organizations (e.g., IoT data, industrial secrets)
• Data privacy is also about the user’s control of sensitive data according to the minimality principle
• Minimality principle: Sensitive data should be controlled by the user during the whole lifecycle and disclosed to the lowest possible extent for a minimum period of time only to entities and for purposes authorized by the user. Ideally, this principle should guide the balance between data disclosure and usability. Rarely applied in practice.
• One reason is massive user profiling by online service providers, since user data has market value. Another reason is the surveillance and lawful interception by government agencies and law enforcement authorities to help detect and monitor social threats, and detect, track, and investigate criminal or terrorist activities.
• Alert: Massive user profiling becomes massive citizen profiling if identity attributes are associated with user profiles

Data Privacy - 2

• Protect data privacy against insider attacks: traceable system administrator interventions, integrity of logs and audit trails, strong authentication, shared access & control, separation of duties
• Privacy paradigm shift:
  • Enforce the minimality principle
  • Support data privacy by practical advanced cryptographic techniques, including privacy-preserving data mining and profiling, secure multiparty computation, practical homomorphic encryption, secret sharing, threshold cryptography, anonymization, anonymity protocols, anonymous credentials, attribute-based encryption, format- and syntax-preserving encryption, searchable encryption, end-to-end encryption, and SW obfuscation, in addition to traditional techniques
  • Address accountability by techniques for revocable anonymity
• Protection of sensitive data requires privacy-aware security platforms and mechanisms in both software and hardware
• N.B. Data protection laws depend on physical location of data!
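The first bullet's insider-attack controls (traceable administrator interventions, integrity of audit trails, separation of duties) fit together in one structure: a hash chain fixes the order of entries, and a MAC under a key that only a separate audit service holds stops an administrator from rewriting the chain. The block below is an added example, not the presentation's code; the administrators, actions and the audit key are constructed.

```python
"""Tamper-evident audit trail for administrator interventions: a hash chain keeps entries
in order, and an HMAC under a key held by a separate audit service (separation of duties)
stops an administrator from simply recomputing the chain. Added illustration, not the
presentation's code; the entries and the key are constructed."""
import hashlib
import hmac
import json

FIELDS = ("seq", "t", "admin", "action", "target")
ANCHOR = b"\x00" * 32


def _link(prev: bytes, body: dict) -> bytes:
    # Canonical encoding of the logged fields only, chained to the previous link.
    canonical = json.dumps({k: body[k] for k in FIELDS}, sort_keys=True).encode()
    return hashlib.sha256(prev + canonical).digest()


class AuditTrail:
    def __init__(self, audit_key: bytes):
        self.audit_key = audit_key   # known to the audit service only, not to the admins
        self.entries, self.prev = [], ANCHOR

    def append(self, t: int, admin: str, action: str, target: str) -> dict:
        body = {"seq": len(self.entries), "t": t, "admin": admin, "action": action, "target": target}
        link = _link(self.prev, body)
        entry = {**body, "link": link.hex(),
                 "mac": hmac.new(self.audit_key, link, hashlib.sha256).hexdigest()}
        self.entries.append(entry)
        self.prev = link
        return entry


def verify_trail(audit_key: bytes, entries):
    """Index of the first entry that breaks the chain or its MAC, or None if intact."""
    prev = ANCHOR
    for i, e in enumerate(entries):
        link = _link(prev, e)
        mac = hmac.new(audit_key, link, hashlib.sha256).hexdigest()
        if e["seq"] != i or e["link"] != link.hex() or not hmac.compare_digest(mac, e["mac"]):
            return i
        prev = link
    return None


def demo():
    key = b"audit-service-key-constructed-32"
    trail = AuditTrail(key)
    trail.append(1000, "alice", "read", "customer_db")
    trail.append(1010, "bob", "export", "customer_db")
    trail.append(1020, "alice", "grant", "role:dba")
    intact = verify_trail(key, trail.entries)
    edited = [dict(e) for e in trail.entries]
    edited[1]["action"] = "read"                       # an entry is downplayed afterwards
    deleted = [trail.entries[0], trail.entries[2]]     # or removed entirely
    return intact, verify_trail(key, edited), verify_trail(key, deleted)
```

Editing or removing an entry is detected at its index. Dropping the newest entries is the one change this structure alone cannot see, so the latest link should also be published somewhere the administrators cannot alter (a SOC, a write-once medium), which is what the slide's "shared access & control" item amounts to.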

Digital Trust

• Level of confidence that a product or service or process in the digital world is functioning accordingly – relative, conditional, time dependent
• Has a subjective component and an objective component, which can be called trustworthiness
• Best practices and reputation are fundamental
• The problem is that data security is complex, relative, conditional, difficult to verify
• Trust + Distrust + Uncertainty = 1
• Increase trust directly or by decreasing distrust or uncertainty
• Factors: policies and agreements, liability, reputation, best practices, assurance levels, technical and technological assurance, transparency, verifiability, auditing, cost-effective certification, information sharing, awareness, knowledge

EIT ICT Labs Action Line for Privacy, Security & Trust

• Mission: Support users and businesses in protecting their digital assets and transactions, promoting robust and safe products and services that realize data privacy and security
• Privacy: Security & User’s Control of sensitive data
• Minimality principle: Disclose sensitive data to a minimum extent
• Misconception 1: Address cyber security by counteracting attacks and SOCs/CERTs only
• Misconception 2: Cyber security is possible without privacy
• Strategy: Address cyber security and privacy proactively, by deploying trustworthy and transparent innovative technologies bridging the gaps between available techniques and practice; promote the «security & privacy by design» paradigm; raise social awareness
• Priorities 2014-2016:
  • Privacy-aware federated ID management & strong authentication
  • Data privacy in online/mobile applications, services & communications
  • Protection against malicious software & intrusion detection/prevention on computing devices, especially on mobile platforms

Software Security

• Standardized cryptographic algorithms and protocols used for data security are subject to public scrutiny and trustworthy
• Many proprietary ones turned out to be weak after being exposed
• Software products (operating systems, middleware, applications) are frequently proprietary and obfuscated; trustworthiness w.r.t. data security is then not well anchored
• SW and SW updates can be authenticated/certified by digital signatures issued by using trusted public keys
• Reduce SW vulnerabilities by applying security by design: develop SW by using static and/or dynamic formal methods
• In particular, apply formal methods for analyzing the isolation and other security properties of hypervisor SW supporting virtual machines, essential for cloud services
• Untrusted applications can be separated from the trusted ones by using a trusted execution environment or virtualization
• Detection of malicious applications and intrusions on end-point devices, especially mobile, is not sufficiently effective!
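The bullet on authenticating SW updates by digital signatures under trusted public keys has two halves that are easy to get wrong separately: the signature must verify, and the verifying key must be one the client already trusts. The block below is an added example and not the presentation's code; to stay inside the standard library it uses a Lamport hash-based one-time signature instead of Ed25519 or RSA-PSS (which a real updater would use), and the update image and vendor keys are constructed.

```python
"""Authenticating a software update against a pinned vendor public key before installing it.
Added illustration, not the presentation's code. To stay inside the standard library it uses
a Lamport hash-based one-time signature; a production updater would use Ed25519 or RSA-PSS,
but the trust structure (trusted key pinned at install time, verify before install) is the
same. The update image is constructed."""
import hashlib
import os

BITS = 256


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random preimages; public key: their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(message: bytes):
    d = int.from_bytes(H(message), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def sign(sk, message: bytes):
    # Reveal one preimage per message-hash bit. A Lamport private key signs ONE message only.
    return [sk[i][b] for i, b in enumerate(_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    if len(signature) != BITS:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(signature, _bits(message))))


def fingerprint(pk) -> str:
    return H(b"".join(a + b for a, b in pk)).hex()


class Updater:
    """Client side: the vendor key fingerprint is pinned when the software is first installed."""

    def __init__(self, pinned_fingerprint: str):
        self.pinned, self.installed = pinned_fingerprint, None

    def install(self, image: bytes, signature, signer_pk) -> bool:
        if fingerprint(signer_pk) != self.pinned:    # signed, but not by the trusted vendor
            return False
        if not verify(signer_pk, image, signature):  # image altered after signing
            return False
        self.installed = image
        return True


def demo():
    vendor_sk, vendor_pk = keygen()
    updater = Updater(fingerprint(vendor_pk))
    image = b"firmware v2.0 (constructed)"
    sig = sign(vendor_sk, image)
    ok = updater.install(image, sig, vendor_pk)
    altered = updater.install(image + b"\x90", sig, vendor_pk)   # one extra byte
    other_sk, other_pk = keygen()
    impostor = updater.install(image, sign(other_sk, image), other_pk)
    return ok, altered, impostor
```

The pinned fingerprint is the trust anchor: a valid signature from an unknown key is rejected just as a bad signature is. Because a Lamport key is one-time, each release would need a fresh key pair (hash-based schemes such as XMSS tie many such keys into a Merkle tree for exactly this reason).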

Hardware Security

• An ICT system can be secure on the SW level, but insecure on the HW level
• Strong HW platforms and architectures (including self-checking circuits) are important, especially w.r.t. sophisticated attackers
• Transparent and auditable HW fabrication facilities are preferable, but difficult to implement
• HW devices connected to the cloud (IoT), such as smart meters and various sensors, especially if they generate sensitive data, need to be strongly authenticated/identified by using cryptographic keys and/or chip templates such as Physical Unclonable Functions (PUFs)
• Such devices had better run on an open or standardized OS guided by the simplicity and security principles
• Secure key generation & management (HSM, secure element)
• Usage of HW security tokens (HST) for strong user-to-HST-to-cloud authentication; the same HST for multiple keys
• HW/SW implementations of cryptographic algorithms and protocols running on sensitive data should be resistant to side-channel attacks
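The slide asks for strong authentication of cloud-connected devices such as smart meters by cryptographic keys. The block below is an added example of a challenge-response exchange with both sides' messages; it is not the presentation's code, and device IDs, keys and the meter reading are constructed. The device key is assumed to sit in a secure element (or be derived from a PUF); only where the key comes from would change.

```python
"""Challenge-response authentication of an IoT device (say, a smart meter) to its cloud back end
with a per-device key, showing both sides' messages. Added illustration, not the presentation's
code; device IDs, keys and the meter reading are constructed. The device key is assumed to live
in a secure element or to be derived from a PUF; only its storage would differ."""
import hashlib
import hmac
import os


def _tag(key: bytes, device_id: str, challenge: bytes, payload: bytes) -> bytes:
    # Length-prefixed fields so that no two (id, challenge, payload) triples share an encoding.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (device_id.encode(), challenge, payload))
    return hmac.new(key, msg, hashlib.sha256).digest()


class Device:
    def __init__(self, device_id: str, key: bytes):
        self.id, self._key = device_id, key      # key never leaves the device

    def respond(self, challenge: bytes, payload: bytes) -> dict:
        # Message 2 (device -> cloud): id, echoed challenge, data and the proof of key possession.
        return {"id": self.id, "challenge": challenge, "payload": payload,
                "tag": _tag(self._key, self.id, challenge, payload)}


class Cloud:
    def __init__(self, registry: dict):
        self.registry = registry        # device id -> key, provisioned at manufacturing
        self.pending = {}               # outstanding single-use challenges

    def challenge(self, device_id: str) -> bytes:
        # Message 1 (cloud -> device): a fresh random nonce; freshness defeats replay.
        nonce = os.urandom(16)
        self.pending[device_id] = nonce
        return nonce

    def verify(self, msg: dict) -> bool:
        key = self.registry.get(msg["id"])
        expected_nonce = self.pending.pop(msg["id"], None)   # consumed whether or not it verifies
        if key is None or expected_nonce is None or expected_nonce != msg["challenge"]:
            return False
        expected = _tag(key, msg["id"], msg["challenge"], msg["payload"])
        return hmac.compare_digest(expected, msg["tag"])     # constant-time: no timing leak


def demo():
    key = os.urandom(32)
    cloud = Cloud({"meter-4711": key})
    meter = Device("meter-4711", key)
    reading = b"reading=1234.5kWh"
    genuine = cloud.verify(meter.respond(cloud.challenge("meter-4711"), reading))
    # Replay: the same message presented again after its nonce was consumed.
    msg = meter.respond(cloud.challenge("meter-4711"), reading)
    first, replayed = cloud.verify(msg), cloud.verify(msg)
    # A device claiming the same id without the key cannot produce a valid tag.
    clone = Device("meter-4711", os.urandom(32))
    forged = cloud.verify(clone.respond(cloud.challenge("meter-4711"), reading))
    return genuine, first, replayed, forged
```

The tag binds the device identity, the fresh challenge and the reading together, so a recorded response cannot be reused for a later challenge or a different reading, and `hmac.compare_digest` is the software side of the slide's last bullet: the verification must not leak through its timing.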

Business Opportunities

• ICT business at risk: The worldwide ICT security technology and services market is growing more than 11% annually, to reach €92 billion in 2017. By 2020, it is estimated that €440 billion of the added value is at risk if the leveraged data are not appropriately protected.
• Significant market opportunities: Market share of European companies in industry solutions for data security and privacy (≈16.5%) is lagging behind their global ICT market share (≈25%).
• This is possibly due to fragmented national regulations and government control, as cyber security and privacy are considered to be matters of national security and safety. European technology solutions in this area potentially have a comparative advantage with respect to trustworthiness.
• In the post-Snowden era, enterprises, institutions, and organizations hesitate to send their sensitive data to the cloud. This implies that the business opportunities for deploying innovative solutions offering higher assurance for data privacy are significant.

Applications

• User profiling for personalized services, targeted advertising
• Social networks
• E-commerce and e-payment
• E-government and e-signatures
• E-voting, e-polls, and e-democracy
• E-health and wellbeing
• Smart spaces, smart cities & communities
• Cyber-physical systems
• Connected vehicles, mobility
• Smart energy
• Cloud computing and storage
• Personal data management
• Intellectual property licensing
• Internet of things
• Big data analytics

Priority 1: Privacy-aware Federated ID Management & Strong Authentication

• Widely adopted and deployed innovative solutions for secure and privacy-aware federated e-authentication and e-identification of physical or logical entities (e.g., persons, organizations, things, services) via online or wireless communications will create:
  • a basis for more secure, authentic and trustworthy products and services, cross-nationally and nationally
  • a springboard for trusted personal data management
  • more trust among people and organizations in Europe without violating the privacy of users as citizens!
• Build on existing cross-border projects and initiatives, e.g., STORK, ABC4Trust, FutureID, GBA, OneAPI, EEMA, Kantara, FIDO; ID federation requires trust frameworks
• N.B. Single sign-on and federated e-ID facilitate user or citizen profiling via linking!

E-Identification Tokens - Proposal

• Digital ID or e-ID is a digital description of the identity ID
• Physical identifiers in ID need to be verified physically by trusted ID provider; may include biometric/chip templates
• ID credential is a piece of information needed for verifying ID in real time remotely, by an e-authentication protocol: includes ID and keys (PINs/passwords, cryptographic keys) for remote authentication; needs to be stored securely in a HW e-ID token (USB key, secure element in mobile device such as SIM-card)
• e-ID token contains:
  • Biometric template and PIN for local 2-factor user authentication
  • Multiplicity of digital IDs containing (minimal) sets of user attributes
  • Multiplicity of locally randomly generated cryptographic keys (preferably private/public key pairs) for strong remote authentication
  • Multiplicity of public-key certificates binding IDs to public keys and issued by trusted ID provider; can be derived from original public-key certificates issued by CAs (e.g., government), by extracting the attributes and renewing the private/public key pairs
• For unlinkability, use anonymous attribute-based credentials
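The previous slide's warning that federated e-ID facilitates profiling via linking, and this slide's proposal of multiple minimal digital IDs, can be shown on one small identity provider: a single global identifier lets two services join their records, pairwise pseudonyms do not, and a derived claim ("over 18") discloses less than the raw attribute. The block below is an added example for both slides, not the presentation's code; the identity provider, users, services, attributes and the reference year 2014 are constructed. Pairwise identifiers of this kind exist in OpenID Connect and SAML; anonymous attribute-based credentials (the slide's last bullet) go further by letting the user prove attributes without the identity provider observing each login.

```python
"""Why single sign-on enables profiling by linking, and two privacy-by-design counter-measures:
pairwise pseudonyms per service provider and minimal (derived) attribute disclosure. Added
illustration, not the presentation's code; the identity provider, users, services, attributes
and the reference year 2014 are constructed."""
import hashlib
import hmac

REFERENCE_YEAR = 2014   # constructed 'today' for the age check


def derive_claims(attributes: dict, requested) -> dict:
    """Disclose only what the service asked for, and prefer derived facts to raw attributes."""
    out = {}
    for claim in requested:
        if claim == "over_18":                      # predicate instead of the birth year
            out[claim] = REFERENCE_YEAR - attributes["birth_year"] >= 18
        elif claim in attributes:
            out[claim] = attributes[claim]
        else:
            raise KeyError(f"unknown claim {claim}")
    return out


class IdentityProvider:
    def __init__(self, pairwise_secret: bytes):
        self._secret, self.users = pairwise_secret, {}

    def enrol(self, uid: str, attributes: dict) -> None:
        self.users[uid] = attributes

    def assertion(self, uid: str, service: str, requested, pairwise: bool = True) -> dict:
        if pairwise:
            # Stable for the (user, service) pair, unrelated between services.
            sub = hmac.new(self._secret, f"{uid}|{service}".encode(), hashlib.sha256).hexdigest()[:32]
        else:
            sub = uid   # one global identifier: every service sees the same 'sub'
        return {"sub": sub, "aud": service, **derive_claims(self.users[uid], requested)}


def can_link(assertion_a: dict, assertion_b: dict) -> bool:
    """Two colluding services try to join their records on the identifier they received."""
    return assertion_a["sub"] == assertion_b["sub"]


def demo():
    idp = IdentityProvider(pairwise_secret=b"idp-pairwise-secret-constructed")
    idp.enrol("u123", {"name": "A. Citizen", "birth_year": 1990, "city": "Trento"})
    shop, news = "shop.example", "news.example"
    g1 = idp.assertion("u123", shop, ["over_18"], pairwise=False)
    g2 = idp.assertion("u123", news, ["city"], pairwise=False)
    p1 = idp.assertion("u123", shop, ["over_18"])
    p2 = idp.assertion("u123", news, ["city"])
    p1_again = idp.assertion("u123", shop, ["over_18"])
    return can_link(g1, g2), can_link(p1, p2), p1["sub"] == p1_again["sub"], p1
```

Note that the identity provider itself still sees every login in this design; that residual linkability at the provider is what the slide's anonymous attribute-based credentials remove.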

Priority 2: Data Privacy in Online or Mobile Applications, Services & Communications

• Data privacy essentially means that the user controls usage of related sensitive data during its whole life cycle, with the minimality principle guiding the balance with usability
• Not only personal data, but also industrial secrets!
• Privacy = security & control of sensitive data
• Data are easy to copy
• Support by legislation or regulation is necessary, but is difficult to correctly implement in practice
• Current practice is unsatisfactory, especially for ordinary people and with respect to sophisticated adversaries!
• Paradigm promoted: support data privacy by validated technical & technological means wherever practically possible, in addition to transparent, human-understandable, and machine-readable privacy policies

Privacy in Cloud Services

• Use local storage and computation for sensitive data wherever possible
• Take into account the fact that data protection laws depend on physical location of data
• Protect sensitive data against insider attacks
• Verify security properties of hypervisor for virtualization
• Use distributed databases and servers, with secret sharing and secure multiparty computation
• Encrypt sensitive data at rest by standard and advanced cryptographic techniques (attribute-based and searchable encryption, format/syntax-preserving encryption)
• Apply practical homomorphic encryption for performing operations on encrypted sensitive data
• Use trusted HSMs for storing cryptographic keys and performing operations over sensitive data
• Use cost-effective certification & auditing procedures
• Apply virtual monitoring and intrusion detection/prevention

Priority 3: Protection against Malware & Intrusion Detection/Prevention on (Mobile) Computing Devices

• Privacy-preserving intrusion detection & prevention and protection against malicious software (malware) on end-point computing devices (e.g., smartphone, tablet, PC) is an aspect of cyber security and privacy of ever increasing importance, especially in mobile scenarios
• Smart mobile devices typically contain both personal data and sensitive business-related data
• Malicious or potentially dangerous apps for mobile devices rapidly multiply and evolve
• Existing solutions are partial and fragmented and do not appear to be sufficiently effective, especially with respect to sophisticated attackers and on mobile platforms
• Apply behavior-based malware detection, kernel integrity checks, sandboxing, virtualization, combined client-server apps inspection, anti-fraud monitoring
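Of the measures in the last bullet, a kernel integrity check is the most mechanical: measure the protected objects, compare against a trusted baseline, and report what changed. The block below is an added example, not the presentation's code; the "files" are constructed byte strings standing in for kernel modules and binaries, and the baseline is sealed with an HMAC under a key the checked device does not hold, so that malware which alters a module cannot quietly re-baseline it as well.

```python
"""Baseline integrity check of protected objects (kernel modules, system binaries) against a
trusted snapshot. Added illustration, not the presentation's code; the objects are constructed
byte strings, and the baseline is sealed with an HMAC under a key held off the device."""
import hashlib
import hmac
import json


def snapshot(objects: dict) -> dict:
    """name -> SHA-256 of content (the 'measurement' of each object)."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in objects.items()}


def seal_baseline(objects: dict, seal_key: bytes) -> dict:
    digests = snapshot(objects)
    canonical = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "seal": hmac.new(seal_key, canonical, hashlib.sha256).hexdigest()}


def check(baseline: dict, objects: dict, seal_key: bytes) -> dict:
    """Report deviations; raises if the baseline itself no longer carries a valid seal."""
    canonical = json.dumps(baseline["digests"], sort_keys=True).encode()
    expected_seal = hmac.new(seal_key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_seal, baseline["seal"]):
        raise ValueError("baseline seal invalid: reference digests cannot be trusted")
    expected, current = baseline["digests"], snapshot(objects)
    return {
        "modified": sorted(n for n in expected if n in current and current[n] != expected[n]),
        "missing": sorted(n for n in expected if n not in current),
        "unexpected": sorted(n for n in current if n not in expected),
    }


def demo():
    seal_key = b"verifier-key-held-off-device-constructed"
    clean = {"kernel/net.ko": b"net driver v1", "kernel/fs.ko": b"fs driver v1", "bin/login": b"login v3"}
    baseline = seal_baseline(clean, seal_key)
    infected = dict(clean)
    infected["kernel/net.ko"] = b"net driver v1 + hook"   # modified module
    infected["kernel/extra.ko"] = b"unlisted module"      # module not in the baseline
    del infected["bin/login"]                              # binary removed
    report = check(baseline, infected, seal_key)
    # Malware re-baselines the altered system but cannot produce the seal.
    forged = {"digests": snapshot(infected), "seal": baseline["seal"]}
    try:
        check(forged, infected, seal_key)
        seal_accepted = True
    except ValueError:
        seal_accepted = False
    return report, seal_accepted
```

A check of this kind is only as trustworthy as the code that runs it: executed inside an already compromised kernel it can be lied to, which is why the Hardware Security slide's secure elements and trusted execution environments are where the measurement should be rooted and the seal key should be kept.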