
Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments





Presentation Transcript


  1. Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan and John Canny UC Berkeley

  2. Outline • Background and motivation • Existing solutions • Our approach • Design principles • Enforcing scheme • Evaluation • Conclusion and future work

  3. Ubiquitous Computing • One consequence of Ubicomp • Way more data about us can be gathered (and used). • This is potentially a great thing for collaborative algorithms • But it’s potentially a great problem because...

  4. Issues Addressed • Protection of the user data generated and maintained by the environment • Privacy of individuals who use the env. • Ability of legitimate users to make use of data recorded in the environment • Dealing with high-speed streams of data • Trustworthiness of the environments (in progress)

  5. Challenges • Unfamiliar environments • Dynamic and ad hoc and shared • difficult to determine access rights • No central control • High data rate • must be processed in real-time • Collaborative applications

  6. Existing Solutions • Focus on access control • Based on an authentication/authorization model (e.g. RBAC) • Require a piece of running code to actively check permissions • Inadequate for ubicomp • Dynamic, distributed environment • The protecting agent can be bypassed • Completely ignore the untrusted-environment issue

  7. Our Approach • Does not rely on access control • Makes the data secure by itself • In line with the philosophy of cryptography: • Obscurity is not security • Assume the adversary has access to the communication

  8. Our Principle – Data Discretion Data discretion: Users should always have access to, and control of, (recorded or live) information that would be available to them in “real-world” situations. They should not have direct access in other situations. • Matches “real-world” privacy norms • Consistent with emerging legal principles • Users are involved in decisions regarding data about them – users are in control of their data!

  9. Smart Room Testbed • Good example of a ubicomp environment • RFID tag reader to establish who’s in the room • 4 cameras to record images • Smartboard to log electronic activity

  10. Enforcing Scheme • Assume all data are stored in files that represent short time intervals • Data file is encrypted with a unique secret key

  11. Enforcing Scheme • The secret keys are encrypted with public keys of the people in the room (determined by the tag reader):

  12. Enforcing Scheme • Users who were in the room can recover the keys and access the data recorded while they were in the room

  13. Key Embedding • Conceal who and how many users have access • Key set: fixed-length data structure with slots > max number of users in the room • [Figure: key-set slots; the slot selected by h_{j1}(F_i, K_1) holds ⟨Secret Key⟩_{K_1}, the slot selected by h_{j2}(F_i, K_2) holds ⟨Secret Key⟩_{K_2}, …, the slot selected by h_{jn}(F_i, K_m) holds ⟨Secret Key⟩_{K_m}]
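The key-set construction of slides 10 to 13, as an added example that is not the authors' code: a fixed number of slots, each pre-filled with random bytes, into which each present user's wrapped copy of the file key is placed at a slot chosen by hashing the file id with that user's key. A SHA-256 keystream keyed by a per-user secret stands in for encryption under the user's public key, and linear probing on slot collisions is an assumption, since the slides do not say how collisions are handled.

```python
import hashlib
import os

SLOTS = 16      # fixed slot count, larger than the most users expected in the room
KEY_LEN = 24    # Triple-DES key length, the cipher used in the evaluation
TAG_LEN = 4     # check bytes appended so a user can tell which slot is theirs

def _stream(user_key, file_id, n):
    # ASSUMPTION: a SHA-256 keystream keyed by the user's secret stands in for
    # encryption under the user's public key (the slides use public-key encryption).
    return hashlib.sha256(b"wrap|" + user_key + b"|" + file_id).digest()[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def slot_index(user_key, file_id):
    # h_j(F_i, K_j): hashing the file id with the user's key chooses the slot.
    h = hashlib.sha256(b"slot|" + user_key + b"|" + file_id).digest()
    return int.from_bytes(h[:4], "big") % SLOTS

def _wrap(user_key, file_id, file_key):
    tag = hashlib.sha256(file_key).digest()[:TAG_LEN]
    plain = file_key + tag
    return _xor(plain, _stream(user_key, file_id, len(plain)))

def build_key_set(file_id, present_users, file_key):
    # Every slot starts as random filler of the same length as a wrapped key, so
    # the key set looks identical no matter who, or how many people, were present.
    # ASSUMPTION: slot collisions are resolved by linear probing.
    if len(present_users) > SLOTS:
        raise ValueError("more users than slots")
    slots = [os.urandom(KEY_LEN + TAG_LEN) for _ in range(SLOTS)]
    used = set()
    for user_key in present_users:
        i = slot_index(user_key, file_id)
        while i in used:
            i = (i + 1) % SLOTS
        used.add(i)
        slots[i] = _wrap(user_key, file_id, file_key)
    return slots

def recover_key(user_key, file_id, slots):
    # A user unwraps from their hashed slot onward and keeps the first candidate
    # whose check bytes match; someone who was not in the room finds nothing.
    i = slot_index(user_key, file_id)
    for _ in range(SLOTS):
        cand = _xor(slots[i], _stream(user_key, file_id, len(slots[i])))
        key, tag = cand[:KEY_LEN], cand[KEY_LEN:]
        if hashlib.sha256(key).digest()[:TAG_LEN] == tag:
            return key
        i = (i + 1) % SLOTS
    return None
```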

  14. Master Key Escrow • Every encryption key is also encrypted with a master public key. • The master private key is shared by, say, 3 people. Any 2 of the 3 can unlock any of the images, but they have to cooperate.

  15. General Access Structure • Equal access may not be appropriate in some applications • Can realize a general access structure • Secret-share the secret key among users • Embed the shares in the key set • An example: AND access • r_1, r_2, …, r_{m-1} ∈ {0,1}^l, r_m = r_1 ⊕ r_2 ⊕ … ⊕ r_{m-1} ⊕ k_s
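Secret-sharing the key for the master-key escrow of slide 14 and the AND access structure of slide 15, as an added example (not the authors' code) that treats keys as integers: XOR shares in which every one of the m users is needed, and a 2-of-3 threshold split. Shamir sharing over a prime field is assumed for the threshold case; the slides do not name the scheme.

```python
import secrets

def xor_and_shares(k_s, m, l=64):
    # AND access (slide 15): r_1 .. r_{m-1} are random l-bit strings and
    # r_m = r_1 xor ... xor r_{m-1} xor k_s, so all m shares are needed.
    shares = [secrets.randbits(l) for _ in range(m - 1)]
    r_m = k_s
    for r in shares:
        r_m ^= r
    return shares + [r_m]

def xor_and_recover(shares):
    # XOR of all m shares gives k_s back; any proper subset is uniformly random.
    acc = 0
    for r in shares:
        acc ^= r
    return acc

# Threshold escrow (slide 14): the master private key is held by 3 people and
# any 2 of them can recover it. ASSUMPTION: Shamir sharing over GF(P); the
# slides do not name a scheme. P must exceed the secret (fine for 64-bit keys).
P = 2**127 - 1

def shamir_split(secret, t, n):
    # Random polynomial of degree t-1 with the secret as constant term;
    # share i is the point (i, f(i)), evaluated with Horner's rule.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    def f(x):
        y = 0
        for c in reversed(coeffs):
            y = (y * x + c) % P
        return y
    return [(x, f(x)) for x in range(1, n + 1)]

def shamir_recover(shares):
    # Lagrange interpolation at x = 0 from exactly t shares.
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret
```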

  16. Performance Evaluation • Execution Time includes: Encryption (Triple-DES) + Disk I/O • Platform: PIII 900MHz + Linux 2.4.18 Kernel

  17. What Have We Achieved? • A principle that mimics real-world norms • A scheme to enforce it • “Zero-knowledge”: conceals even the number of users who have access • Efficient enough to deal with real-time data • Economical to implement on commodity hardware • Data sharing made safe • The encryption does not hinder collaboration [Canny 02]

  18. Not Enough • The scheme works if the environment is honest • Unfamiliar environments → untrusted environments • How can we be sure the system performs the encryption and does not leak data?

  19. Dealing With Untrusted Env – Data Transparency • Data Transparency: Encrypted data recorded or transmitted by a ubicomp system should be easily observable. Where possible, the data itself should demonstrate compliance with stated principles.

  20. Dealing With Untrusted Env – Data Transparency • Data observable, not comprehensible • Obscurity is not security! • Security and privacy based on cryptography, not access control • Makes it easy to verify systems’ compliance with any stated privacy policy

  21. Towards Trustworthy Environments (In Progress) • Trusted computing framework • Assume most components are untrusted • Some devices (from a 3rd party) are more trusted • Exploit the mutual distrust between them to build a trusted system • Verification • ZKP to guarantee access rights • The demonstration that the system does what it is supposed to do is itself a ZKP • Bit commitment to minimize leakage
