Resilience by Usable Security

Resilience by Usable Security
Workshop(Usable Security(and Privacy
Mensch(und(Computer(2015
University(of Stuttgart
September(6,(2015
Dr.(Sven(Wohlgemuth
<wohlgemuth@acm.org>

Dr.$Sven$Wohlgemuth
Dr.$Sven$Wohlgemuth Resilience$by$Usable$Security 2
• Diploma(in$computer$science$with$economics$at$University$of$Saarland,$Saarbrücken
(Prof.$B.$Pfitzmann)$(Key$Management$– OO$Design$and Implementation)
• Dr.+Ing. on$Privacy$with$Delegation$of$Rights$at$AlbertLLudwigs University$Freiburg,$(Prof.$
Müller)$(Security$and$usability$with$identity$management,$DFG$SPP$Sicherheit &$EU$FIDIS)
• JSPS(&(DAAD(postdoctoral(fellow(on$PrivacyLcompliant$Delegation$of$Personal$Data$at$
National$Institute$of$Informatics$(NII), Tokyo,$Japan$(Prof.$Echizen)$(Content$Security$Lab)
• Associate(professor(within DataLCentric$Social$Systems$of$Research$Organization$for$
Information$and$Systems$and$NII,$Tokyo,$Japan$(Prof.$Sonehara)$(Transparency for ICT$
Resilience &$JapaneseLEuropean$Institute$for Security)
• Senior(consultant(IT(security(and(project(manager at$Sirrix AG$security$technologies
(A.$Alkassar)$(Information$flow control for$Internet$of$Things$and$Cloud$Computing)
• Senior(researcher entrusted$with$Coordinator$and$Community$Manager$of$PersoApp on$
supporting$open$source$software$development$of$secure$and$userLfriendly$Internet$
applications$with$the$German$national$ID$card$funded$by$BMI$at$CASED/TU$Darmstadt$
associated$with$Intel$ICRILSC$(Prof.$Sadeghi)$

Dr.(Sven(Wohlgemuth Resilience(by(Usable(Security 3
“TEPCO(did(have(a(backup(for(the(emergency(generators:(power(supply(trucks(outfitted(
with(highTvoltage(dynamos.(That(afternoon,(emergency(managers(at(TEPCO's(Tokyo(
headquarters(sent(11(power(supply(trucks(racing(toward(Fukushima(DaiTichi,(250(km(away.(
They(promptly(got(stuck(in(traffic.(The(roads(that(hadn't(been(damaged(by(the(earthquake(
or(tsunami(were(clogged(with(residents(fleeing(the(disaster(sites.([...](It(was(after(midnight(
when(the(first(power(supply(trucks(began(to(arrive(at(the(site,(creeping(along(cracked(roads.”(
IEEE#Spectrum.#24#Hours#of#Fukushima.#October#31,#2011
http://spectrum.ieee.org/energy/nuclear/24DhoursDatDfukushima/0
“Whether(blocked(or(prohibited,(the(local(
highly(restricted(road(transport(systems(have(
disrupted(various(rescue(and(delivery(
activities(in(the(disaster(area.”
ITS#Japan.#March#28,#2011
http://www.itsDjp.org/english/its_asia/553/
The2Great2East2Japan2Earthquake

Agenda
I. Resilienceand Secondary Use
• Dependencies threatencontrol
• Control(bytransparency
II. Multilateral(Security
• Usage control
• PrivacyTEnhanced(AAA(A)
III. Big(Data(and Privacy
• From login to control bytransparency
• Loss(ofcontrol
IV. Usable Security
• Multilateral(secondaryuse
• Byzantine agreement

I.#Resilience and Secondary Use
Resilience:)Predictive risk management to remain in$or return to an$equilibrium
by IT)support in)real4time)with secondary use of personal)information
Public>private$cooperation:$
Public$traffic road map
(03/19/2011)
Localization at$Disney$Resort$
Tokyo$(08/02/2011)
User$generated content on$
Google$Maps (08/02/2011)

Support2by CyberDPhysical Systems
PAN
Wide(Area(Network
ALLTIP(Network
Cyber2World
CPS(data(platform
Real2World
Sensor(
networks
in
Home(
Building(facility
Vehicle(NW
Policy(decision(support(
based(on(information(
processing
Power(Grid(system,
Environment(monitor,
Agriculture,(etc.
Sensing(&(
Actuation((control)
Service(
control
Transport(System
human(state
Collection(
and(sharing(
of(context(
and(data
N.#Sonehara,# 2011

d,#d*
Information2Usage Model
......
Dr.(Sven(Wohlgemuth Resilience by Usable Security 7
d
Data(provider
/consumer
Data(consumer
Data(consumer
/provider
Data(provider
Secondary(usePrimary(use
• Dependencies(occur(at(runTtime(and(threaten(information(processing

d, d*
Information Usage Model
............
Dr. Sven Wohlgemuth Resilience by Usable Security 8
• Problem: Users lose control on their identity
d
Data provider
/consumer
Data consumer
Data consumer
/provider
Data provider
d, d*
Secondary usePrimary use
• Dependencies occur at run‐time and threaten information processing
Data providerData provider
Data consumer
/provider
Data consumer Data provider

Dependency:2Users2and IT2System
10
48
42
20
0
10
20
30
40
50
60
Problem1Category1I Problem1Category1II Problem1Category1III Problem1Category1IV
Citations
75%(of identified problems are
usability problems with negative(effect
on(user‘s security
• User(has(to(learn(technical(concept
• SigG(digital(signature(client(Signtrust:(
“Maloperation”(raises(security(incident
• 7(Internet(user(groups(in(Germany
People(with less security expertise
(approx.(70%)(want to delegate
privacy to TTP
• Responsibility:(
selfTprotection(or(privacy(by(a(TTP
D.#Gerd# tom Markotten 2004;#G.#Müller#and S.#Wohlgemuth# 2005;#DIVSI#2012

Dependency: Third Party
Case (a): Passive incident Case (b): Active incident
• Inevitable, not‐modelled dependencies during run‐time
K.W. Hamlen, G. Morrisett, and F.B. Schneider 2006; A. Grusho, N. Grebnev, and E. Timonina 2007; BSI 2015
• For Germany: Indirect attacks on Internet of Things and Cloud Computing
Assumption: Each IT system is secure
d, d*
d
Data provider
/consumer
Data consumer
Data consumer
/provider
Data provider
Data consumer
/provder
Data provider
/consumer
d, d*
d
Data provider
/consumer
Data consumer
Data consumer
/provider
Data provider
Data consumer
/provder
Data provider
/consumer
faulty
d, d*
Impossible to TM‐decide on covert dependencies, but statistically
Loss of control by conceptual dependency of
compromised TTP

Dependency:2Machine Learning
Loss(of(control(on(classification
Data(analytics(as(secondary(use(of(personal(information
“Faulty”(data(increases(error(rate(of(machine(learning
Supervised machine learning
(z.B.(SVM)
Unsupervised machine learning
(z.B.(PCA)
d,#d*
......
d
Data%provider
/consumer
Data%consumer
Data%consumer
/provider
Data%provider
d,#d* d,#d*Data%provider
/consumer
Data%consumer
/provider
Data%consumer Data%provider
B.#Biggio,# B.#Nelson,# and# P.#Laskov 2012;#L.#Huang,# A.D.#Joseph,# B.#Nelson,# B.I.#Rubenstein,# and#J.#Tygar 2011

Variety(and(Volume:(Information(flow(from(different(sources
Aggregation(of(anonymized(data(implies(information(leakage
Loss(of(control(on(confidentiality(and(classification
......
d
Data%provider
/consumer
Data%consumer
Data%consumer
/provider
Data%provider
d,#d*Data%provider
/consumer
Dependency:2Aggregation
Bob David
Explicit/friendship
Implicitly assumed friendship
L. Sweeney 2002
C. Jernigan and B. Mistree, 2007

Example:2Google2Photos‘2Classification
Dr.(Sven(Wohlgemuth 13

Control2by2Transparency
• Recipient:(Transparency(for(accountability(and(to(restore(information
• Sender:(Encryption(to(prevent(information(leakage
Self+protection(depends(on(opposite(security(interests
C.E.#Shannon# #1948,# 1949;#Dolev# and# Yao##1983
......
d
Data%provider
/consumer
Data%consumer
Data%consumer
/provider
Data%provider
d,#d*Data%provider
/consumer

Control2by2Transparency
• Recipient:(Transparency(for(accountability(and(to(restore(information
• Sender:(Encryption(to(prevent(information(leakage
Self+protection(depends(on(opposite(security(interests
C.E.#Shannon# #1948,# 1949;#Dolev# and# Yao##1983

Agenda
• Usage control
• Loss(ofcontrol
IV. Usable Security

II.2Multilateral2Security
Combining opposite security interests by an(equilibrium setting
• Accountability:(Authentic(information(on(information(processing
• Unobservability:(NonTlinkability to(impede(reTidentification
G.#Müller,# K.#Rannenberg and A.#Pfitzmann 1996;#I.#Echizen,# G.#Müller,# R.#Sasaki,#and A#Min#Tjoa,# 2013
Accountability
Unobservability
Anonymity
Pseudonymity
Traceability Personal(
information
Privacy

II.2Multilateral2Security
Combining opposite security interests by an(equilibrium setting
• Accountability:(Authentic(information(on(information(processing
• Unobservability:(NonTlinkability to(impede(reTidentification
G.#Müller,# K.#Rannenberg and A.#Pfitzmann 1996;#I.#Echizen,# G.#Müller,# R.#Sasaki,#and A#Min#Tjoa,# 2013
Accountability
Unobservability
Usage(control
Control(by(
transparency
Anonymity
Pseudonymity
Traceability
Personal(
information
Personal(
information
Privacy
Privacy

Enforcement:2AAA(A)
Data(consumer/
provider
Data(consumer/
provider
Data(consumer/
provider
1:(Authentication
AAA(A)
service
Open(Internet(standard RFC(2904(AAA(Authorization Framework
d,#d*
2:(Authorization
3:(Accounting
+(Accountability for information exchange via(hidden,(inevitable dependencies
4:(Accountabilityd,#d*
d,#d*

PrivacyDEnhanced2Authentication
Digital( driving(licence?
Dig.(driving
licence
Car?
Car
Erika
Mustermann
543ag
Driving
licence
Erika1Mustermann
Classes:1ABE
Mornewegstr,123
D<642931Darmstadt
Germany
Motorbike
Hans1im1Glück
Harley1Davidson
IP:
Car
543ag
VW1Beetle
Identity(Management:(User+controlled disclosure of personal(information
• Unobservability by anonymousPKI((Partial(identities and cryptographic protocols)
• Accountability by allTorTnothing linking to master identity (PKI(and cryptograpic protocols)
• Revealing(identity(of(cheating(users((PKI(and(cryptographic(protocols)
U.#Jendricke 2003;#A.#Pfitzmann# and M.#Hansen#2010;# J.#Camenisch et#al.#2014

Example:2iManager
CeBIT(2003(Scenario:(Buying an(electronic(railway ticket
Current partial(identity Necessary personal
information
Proposed partial(identity
S.#Wohlgemuth,# U.#Jendricke,# D.#Gerd# tom Markotten,# F.#Dorner,# and G.#Müller# 2003
doITTSoftware(Award(2003(of(German(Federal(State(BadenTWürttemberg

Example:)German)national)ID)Card
• Biometric)authentication)(souvereign)only)
PKI$based*applications*of*German*national*ID*card:
• Electronic*identity
• Electronic)signature
Mutual*authentication*with*option*for*pseudonymity
BSI)TR:03130)Technical)Guideline)eID:Server
Dr.)Sven)Wohlgemuth Resilience)by)Usable)Security 22
PersoApp:*Secure*and*user$friendly*Internet*applications
• Verification)of)certificates)by)eID server)(TTP)
• Open)source)code)at)GoogleCode for)PC)(Java))and)Internet)of)Things)(Android)OS)
• Identification)of)IT)security)vulnerabilities)for)payment)with)REWE)Group
• With)advisory)board)members:)Springer)special)issue)“Security)and)
privacy)in)business)networking”

PrivacyDEnhanced2Authorization
• Decentralized:(NonTlinkable(delegation(of(rights(on(information
• All+or+nothing:(Loss(of control if delegating credentials
Control(by(
Transparency
Control Transparency
Transparency
System(1
DP/DC
System(3
DP/DC
System(2
DP/DC
d,#d* d,# d,#d*
Policy
d
Control
System(4
DP/DC
d,#d*
d,#d*
Policy

PrivacyDEnhanced2Accountability
Transparency
Transparency
Transparency
System 1
DP/DC
System 3
DP/DC
System 2
DP/DC
d, d*
System 4
DP/DC
d, d*
d, d*
System 2
d, d*
System 2
System 3
d, d*
System 2
System 3
System 4
d, d*
System 2
System 3
System 4
System 3
Control
• Hidden(channels:(Information(leakage and modification
• Accountability:(Data(provenance on(information exchange for audit
Impeding nonTauthorized
reTidentification
Unobservability
Misuse(of(d,#d* can(be(detected
Accountability and availability

Privacy‐Enhanced Accounting
Deduction system
Privacy policy
Query: d, d*
Query: identity
Query:
authorization
Result:
Autd,d*
Cryptographic key, certificate, revocation, trust statement, …
…
Logical statement on authentication of d, d* from user‘s view (on a PKI)
Deriving information on
accountability

Agenda
• Usage control
• Loss(ofcontrol
IV. Usable Security

III.2Big2Data2and Privacy
Data(provider
DataTcentric
service
d
Authentication Authentication
Data(consumer
d,#d*
Authorization,(Accounting,(Accountability
Transparency
(PrivacyTenhanced
Authentication(and
Accountability)
Transparency
(PrivacyTenhanced
Authentication(and
Accountability)
Control
(Authorization and
PrivacyTenhanced
Accounting)

Keyword search
File systems
Groupware Databases
Social networking Wiki
Semantic search
Tagging
Reasoning
Smart personal agents
Natural language search
Mashups
Productivity
Amount(of(data
PC Era
Web 1.0
Web 2.0
Web 3.0
Web 4.0
Desktop
The World Wide Web
The Social Web
The Semantic Web
The Intelligent Web
Own#figure# based#on#Radar# Networks# &#Nova# Spivack 2007,# E.#Brynjolfsson and# A.#McAfee#2011.
From Login2to Control2by Transparency
Human-machine interaction
Machine-machine interaction
Centralized information processing
Ubiquitous P2P information
processing
(Internet of Things)
Decentralized P2P information
processing
(Cloud Computing)
... with automatic
decision support
(Cyber-Physical
Systems)

Productivity
Amount(of(data
PC Era
Web 1.0
Web 2.0
Web 3.0
Web 4.0
Desktop
The World Wide Web
The Social Web
The Semantic Web
The Intelligent Web
processing
processing
(Cloud Computing)
... with automatic
decision support
(Cyber-Physical
Systems)

Productivity
Amount.of.data
PC Era
Web 1.0
Web 2.0
Web 3.0
Web 4.0
Desktop
The World Wide Web
The Social Web
The Semantic Web
The Intelligent Web
processing
processing
(Cloud Computing)
... with automatic
decision support
(Cyber-Physical
Systems)
Own$figure$ based$on$Radar$ Networks$ &$Nova$ Spivack 2007,$ E.$Brynjolfsson and$ A.$McAfee$2011.
Accounting
Accountability
One-factor
authentication
Multi-factor
authentication
Authorization
Increasing$entropy$
of$auth.information
From Login)to Control)by Transparency

Productivity
Amount(of(data
PC Era
Web 1.0
Web 2.0
Web 3.0
Web 4.0
Desktop
The World Wide Web
The Social Web
The Semantic Web
The Intelligent Web
processing
processing
(Cloud Computing)
... with automatic
decision support
(Cyber-Physical
Systems)
Accounting
Accountability
One-factor
authentication
Multi-factor
authentication
Authorization
Increasing(entropy(
of(auth.information

W.#Wahlster&#G.#Müller.#Placing#Humans#in#the#Feedback#Loop#of#Social#Infrastructures;#NII#
Strategies#on#CyberEPhysical#Systems.#2013
Data$Centric Service
Data$provide
Data=centric
service
d
Data$consumer
d,#d*
Improving$attractivity
Increasing$market$share
Lock=in
Network
Economies$of$scale
G.#Müller,#T.#Eymann,#M.#Kreutzer,#2003
Accountability
Unobservability
Usage2control
Control2by2
transparency
Anonymity
Pseudonymity
Traceability Personal3
information
Privacy

W.#Wahlster &#G.#Müller.#Placing# Humand in#the#Feedback#Loop# of#Social# Infrastructures;#
NII#Strategies# on#CyberDPhysical# Systems.#2013
DataDCentric Service
Data(provide
DataTcentric
service
d
Data(consumer
d,#d*
Improving(attractivity
Increasing(market(share
LockTin
Network
Economies(of(scale
Müller,# Eymann,# Kreutzer,# 2003
Who(am(I?
You are a(dog and your
friend sitting close to
you is a(B/W(dog.
Loss(of control by asymmetric distribution of information
Accountability
Unobservability
Usage2control
Control2by2
transparency
Anonymity
Pseudonymity
Traceability Personal3
information
Privacy

Example:2Privacy2Dashboard
Privacy+Enhanced(
Accountability
• No transparency on(secondary
use
Data+Centric Service
• Transparency(on(information(from(user(
• Transparency on(data
provenance

Agenda
• Usage control
• Loss(ofcontrol
IV. Usable Security
• Byzantine Agreement

IV.$Usable Security
From loss of control
To informational self-determination:0Byzantine Agreement0on0secondary use
Data$provider/
consumer
Data$consumer/
provider
Data$consumer/
consumer
d*
d*
d*
Dr.-Sven-Wohlgemuth Resilience-by-Usable-Security 36
Data$provider
Data,centric
service
d
Data$consumer
d,#d*

Consensus:(Control(by(Sender
Data$consumer/
provider
• Consensus:(Users$agree$on$information
• Authentic(information:(Consensus$by$trusted$users$by$correctness$&$consistency
Data$consumer/
provider
Data$provider
d*
L.%Lamport,%R.%Shostak,%M.%Pease 1982;%M.J.%Fischer,%N.A.%Lynch,%M.S.%Paterson%1985;%M.%Waidner 1991
d*
d*
d*
• Asynchronous(communication: No$consensus$possible,$if$one$user$fails
• Synchronous communication:$Tolerance without cryptography:$t$<$n/3$
faulty processes (with authentic key exchange:$t$<$n/2)
Impossibility results:

Consensus:2SelfDOrganization
• Consensus(on(state transitions within community of distributed,(vulnerable(users
Data(consumer/
provider
Data(consumer/
provider
Data(consumer/
provider
d* … d*
d*
• Users(change(role(during(runTtime((“miner“(checks transactions and gets reward )
S.#Nakamoto 2009
• Provenance by irreversible,(decentralized database with eCoin system

Decentralized Usage Control
• Secondary use of symmetric distribution of personal(security information
PrivacyTEnhanced(
Authorization
… … …
PrivacyTEnhanced
Accountability
PrivacyTEnhanced
Accounting
A A A
• Trust(anchor:(Registered,(nonTlinkableeID (PrivacyTEnhanced(Authentication)
• Acceptable authentic information decreases individual(risk on(loss of control

• UserTcontrol on(identity is threatened by use of privacyTenhanced security
• Unilateral(use leads to loss on(control (nonTusable security)
• Multilateral(control(by(secondary(use(of(personal(security(information((reTuse)
• Decentralized(usage(control(supports(usable(security(by(decreasing(individual(risk
V.2Conclusion
Usable(security(is(informational(self+determination(and(supports(resilience
Accountability
Unobservability
Decentralized4
usage4control
Control4by4
transparency
Anonymity
Pseudonymity
Traceability
Personal3
information
Personal3
information
Privacy
Privacy

Resilience by Usable Security

Recommended

Recommended

More Related Content

Similar to Resilience by Usable Security

Similar to Resilience by Usable Security (20)

More from Sven Wohlgemuth

More from Sven Wohlgemuth (20)

Recently uploaded

Recently uploaded (20)

Resilience by Usable Security