Resilience by Usable Security

Resilience by Usable Security
Workshop Usable Security and Privacy, Mensch und Computer 2015, University of Stuttgart, September 6, 2015
Dr. Sven Wohlgemuth

Dr. Sven Wohlgemuth
• Diploma in computer science with economics at University of Saarland, Saarbrücken (Prof. B. Pfitzmann) (Key Management: OO Design and Implementation)
• Dr.-Ing. on Privacy with Delegation of Rights at Albert-Ludwigs University Freiburg (Prof. Müller) (Security and usability with identity management, DFG SPP Sicherheit & EU FIDIS)
• JSPS & DAAD postdoctoral fellow on Privacy-compliant Delegation of Personal Data at National Institute of Informatics (NII), Tokyo, Japan (Prof. Echizen) (Content Security Lab)
• Associate professor within Data-Centric Social Systems of Research Organization for Information and Systems and NII, Tokyo, Japan (Prof. Sonehara) (Transparency for ICT Resilience & Japanese-European Institute for Security)
• Senior consultant IT security and project manager at Sirrix AG security technologies (A. Alkassar) (Information flow control for Internet of Things and Cloud Computing)
• Senior researcher entrusted with Coordinator and Community Manager of PersoApp on supporting open source software development of secure and user-friendly Internet applications with the German national ID card, funded by BMI at CASED/TU Darmstadt associated with Intel ICRI-SC (Prof. Sadeghi)

Dr. Sven Wohlgemuth
Resilience by Usable Security

The Great East Japan Earthquake
“Whether blocked or prohibited, the local highly restricted road transport systems have disrupted various rescue and delivery activities in the disaster area.”
ITS Japan, March 28, 2011, http://www.its-jp.org/english/its_asia/553/
“TEPCO did have a backup for the emergency generators: power supply trucks outfitted with high-voltage dynamos. That afternoon, emergency managers at TEPCO's Tokyo headquarters sent 11 power supply trucks racing toward Fukushima Dai-ichi, 250 km away. They promptly got stuck in traffic. The roads that hadn't been damaged by the earthquake or tsunami were clogged with residents fleeing the disaster sites. [...] It was after midnight when the first power supply trucks began to arrive at the site, creeping along cracked roads.”
IEEE Spectrum, 24 Hours of Fukushima, October 31, 2011, http://spectrum.ieee.org/energy/nuclear/24-hours-at-fukushima/0


Agenda
I. Resilience and Secondary Use
• Dependencies threaten control
• Control by transparency
II. Multilateral Security
• Usage control
• Privacy-Enhanced AAA(A)
III. Big Data and Privacy
• From login to control by transparency
• Loss of control
IV. Usable Security
• Multilateral secondary use
• Byzantine agreement


I. Resilience and Secondary Use
Resilience: Predictive risk management to remain in or return to an equilibrium by IT support in real-time with secondary use of personal information
Public-private cooperation (figures):
• Public traffic road map (03/19/2011)
• Localization at Disney Resort Tokyo (08/02/2011)
• User generated content on Google Maps (08/02/2011)

Support by Cyber-Physical Systems
[Figure (N. Sonehara, 2011): Cyber World: policy decision support based on information processing, CPS data platform. Real World: service control for Transport System, Vehicle NW, Building facility, Home; Sensor networks in Sensing & Actuation (control): Power Grid system, Environment monitor, Agriculture, etc.; collection and sharing of context and data over ALL-IP Network, Wide Area Network, PAN, human state]

Information Usage Model
[Figure: Primary use: Data provider passes d to Data consumer. Secondary use: Data provider/consumer passes d, d* on to further Data consumer/provider parties, ...]
• Dependencies occur at run-time and threaten information processing
• Problem: Users lose control on their identity

Dependency: Users and IT System
• User has to learn technical concept
• 7 Internet user groups in Germany
• SigG digital signature client Signtrust: “Maloperation” raises security incident
• Responsibility: self-protection or privacy by a TTP
[Bar chart: Citations per problem category; Problem Category I: 48, II: 42, III: 20, IV: 10]
75% of identified problems are usability problems with negative effect on user's security
People with less security expertise (approx. 70%) want to delegate privacy to TTP
D. Gerd tom Markotten 2004; G. Müller and S. Wohlgemuth 2005; DIVSI 2012

Dependency: Third Party
Assumption: Each IT system is secure
[Figure: chains of Data provider, Data provider/consumer, Data consumer/provider and Data consumer exchanging d and d, d*; in case (a), passive incident, and case (b), active incident, a compromised TTP passes on faulty d, d*]
Loss of control by conceptual dependency of compromised TTP
• Inevitable, not-modelled dependencies during run-time
• For Germany: Indirect attacks on Internet of Things and Cloud Computing
• Impossible to TM-decide on covert dependencies, but statistically
K.W. Hamlen, G. Morrisett, and F.B. Schneider 2006; A. Grusho, N. Grebnev, and E. Timonina 2007; BSI 2015

Dependency: Machine Learning
[Figure: Data provider, Data provider/consumer, Data consumer/provider and Data consumer exchanging d and d, d*]
Data analytics as secondary use of personal information
“Faulty” data increases error rate of machine learning
• Supervised machine learning (e.g. SVM)
• Unsupervised machine learning (e.g. PCA)
B. Biggio, B. Nelson, and P. Laskov 2012; L. Huang, A.D. Joseph, B. Nelson, B.I. Rubinstein, and J. Tygar 2011
Loss of control on classification

Dependency: Aggregation
[Figure: Data provider, Data provider/consumer, Data consumer/provider and Data consumer exchanging d and d, d*; social graph with explicit friendship (Bob) and implicitly assumed friendship (David)]
Variety and Volume: Information flow from different sources
Aggregation of anonymized data implies information leakage
L. Sweeney 2002; C. Jernigan and B. Mistree 2007
Loss of control on confidentiality and classification
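The leakage behind Sweeney's result, as an added example that is not part of the slides: a release stripped of names is joined with a public register on the quasi-identifiers both share, and a k-anonymity check shows why it works. All records, names and field names are constructed for this illustration; the example goes one step beyond the slide by also showing generalization as the publisher's mitigation.

```python
"""Re-identification by aggregating an 'anonymized' release with a public register
(after L. Sweeney 2002) and the k-anonymity check that detects the exposure.
All data below is constructed sample data; field names are assumptions."""
from collections import Counter, defaultdict

QUASI_IDS = ("zip", "birthdate", "sex")  # attributes shared by both sources

# Constructed "de-identified" health release: names removed, diagnosis kept.
HEALTH_RELEASE = [
    {"zip": "02138", "birthdate": "1965-07-21", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birthdate": "1965-02-02", "sex": "F", "diagnosis": "flu"},
    {"zip": "02139", "birthdate": "1971-01-03", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02141", "birthdate": "1971-09-14", "sex": "M", "diagnosis": "none"},
]
# Constructed public register (a voter list, say) carrying the same quasi-identifiers.
PUBLIC_REGISTER = [
    {"name": "A. Example", "zip": "02139", "birthdate": "1971-01-03", "sex": "M"},
    {"name": "B. Example", "zip": "02138", "birthdate": "1965-07-21", "sex": "F"},
    {"name": "C. Example", "zip": "02150", "birthdate": "1990-05-05", "sex": "F"},
    {"name": "D. Example", "zip": "02141", "birthdate": "1971-09-14", "sex": "M"},
]

def qid(row):
    return tuple(row[k] for k in QUASI_IDS)

def k_anonymity(release):
    """Size of the smallest quasi-identifier class; k == 1 means some record is unique."""
    return min(Counter(qid(r) for r in release).values())

def link(release, register):
    """Map register names to the diagnosis of the single released record whose
    quasi-identifiers match: the information the aggregation leaks."""
    classes = defaultdict(list)
    for r in release:
        classes[qid(r)].append(r)
    return {p["name"]: classes[qid(p)][0]["diagnosis"]
            for p in register if len(classes.get(qid(p), [])) == 1}

def generalize(rows, zip_digits=3):
    """Mitigation: coarsen ZIP to a prefix and birthdate to the year so that
    records fall into larger classes; apply the same rule to the register to
    confirm that no unique match remains."""
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        g["birthdate"] = r["birthdate"][:4]
        out.append(g)
    return out
```

Before release the publisher runs `k_anonymity` on the release and `link` against whatever public registers share its quasi-identifiers; only a release whose generalized form gives k > 1 and an empty linkage result leaves no unique match.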

Example: Google Photos' Classification
[Image-only slide]

Control by Transparency
• Recipient: Transparency for accountability and to restore information
• Sender: Encryption to prevent information leakage
[Figure: Data provider, Data provider/consumer, Data consumer/provider and Data consumer exchanging d and d, d*]
C.E. Shannon 1948, 1949; Dolev and Yao 1983
Self-protection depends on opposite security interests


II. Multilateral Security
Combining opposite security interests by an equilibrium setting
• Accountability: Authentic information on information processing
• Unobservability: Non-linkability to impede re-identification
[Figure: Accountability: Traceability, Personal information; Privacy: Pseudonymity, Unobservability, Anonymity; with Control by transparency and Usage control as the two mechanisms]
G. Müller, K. Rannenberg and A. Pfitzmann 1996; I. Echizen, G. Müller, R. Sasaki, and A Min Tjoa 2013

Enforcement: AAA(A)
Open Internet standard RFC 2904 AAA Authorization Framework + Accountability for information exchange via hidden, inevitable dependencies
1: Authentication, 2: Authorization, 3: Accounting, 4: Accountability
[Figure: Data consumer/provider parties exchanging d, d* via an AAA(A) service]

Privacy-Enhanced Authentication
[Figure: Driving licence: Erika Mustermann, Classes: ABE, Mornewegstr, 123 D