Thursday, February 24, 2011

Privacy preserving cryptographic protocols

This weeks read was about privacy preserving cryptographic protocols.

The common definition of privacy in the cryptographic community limits the information that is leaked by the distributed computation to be the information that can be learned from the designated output of the computation (Benny Pinkas, HP Labs).

This chapter discusses differing protocol frameworks used to achieve this privacy. In Acquisti el al’s:Digital Privacy their definition is a computational function of outputs that are distributed among different participants during online collaboration.

The chapter notes a couple of platforms are in place today that have the goal to provide a privacy-preserving protocol for any possible function:
Secure Multiparty Computation (SMC)
Secure Function Evaluation (SFE)
and goes on to say that it may seem like an impossible task, but general results show that any function that is computable in polynomial time can be computed with polynomial communication.

The chapter goes on to discuss how privacy preserving cryptographic protocols can be applied to differing situations:
Database querying
Distributed voting
Bidding and auctions
Data mining

The Data mining or data warehousing kind of caught my attention because I had to write a white paper on it when it first appeared on the IT table. It was suppose to be the way of the future for storing and locating data quickly and easily. At that time privacy issues were not looked at closely as systems were not as integrated as they are today. Data mining and warehousing fell into the privacy conundrum with the advancements in technology and the widely integrated system structure in place today. It is interesting to see how this is handled by SMC and SFE to provide privacy security.
A couple of approaches were mentioned: Sanitizing Data before making it available and the use of technologies mentioned in the chapter, benchmarking and forecasting, contract negotiations, and rational selfish participants along with the introduction by Lindel-Pinkas method where two parties build a decision tree without either party learning anything about the other.

Monday, February 21, 2011

EM835 Weekly Reading This week from Acquisti et al, Digital Privacy

Uncircumventable Enforcement of privacy via cryptographic Obfuscation

What is it
Obfuscation, in general, describes a practice that is used to intentionally make something more difficult to understand. In a programming context, it means to make code harder to understand or read, generally for privacy or security purposes. A tool called an obfuscatoris sometimes used to convert a straight-forward program into one that works the same way but is much harder to understand.

Basically it is hiding information in plain sight inside computer code or digital data
(or as Bruce Lee might say)The art of hiding without hiding

Brief History
1976 –Diffieand Hellman produced paper on public key cryptology introducing the first public known public key cryptosystem
Gates open letter to hobbyists leads to the first use of obfuscation for copy protection and digital rights management
1986 –Malware’s use of obfuscation is introduced:
Viral Legerdemain -first piece of malware that attempted to conceal its existence
Cascade virus -first piece of malware to use encryption to scramble its contents
Oligomorphism1990 -could change static decryptors
Polymorphism1991 -a method of radically changing how malware conceals itself,
The Mutation Engine 1992 -first ever polymorphic toolkit to enabled neophyte virus
programmers to link their code to an MtE-generated polymorphic object and extend a
normal non-obfuscated virus into a highly polymorphic one
2001 –Study of cryptic obfuscation began:
Virtual black box security which guarantees no other feasible way to access stored passwords


Security in the beginning was weak and easily broken then came Cryptographic Obfuscation
which was a Stronger security; better than DRM

Digital Rights Management
Most commonly used for protecting data from unauthorized usage but has dismal track

Recreational use - International Obfuscated C Code Contests

Obfuscation to Digital PrivacyUsages ;
Protecting Database privacy via Digital Rights Management (DRM), but is weak, easily
broken, okay for blocking a casual hacker
Can introduce serious security vulnerabilities
Cryptographic obfuscation
Providing technological support
As a Virtual Black Box
Real strength –guarantees no other feasible way to access a stored password
But still can be reversed engineered

Obfuscation for Access Control
Provides Point Function Obfuscation: a function that produces a special output from a single
input which may be thought of as a key or password
ex: Password hashing procedure -UNIX

Obfuscation for Group PrivacyPrivacy be enforced by allowing a record to be retrievable only if user can name it precisely
Group Privacy Policy has tradeoffs between Privacy and Utility
More research needed to look into using Heuristic methods to improve efficiency

Wednesday, February 2, 2011

EM835 reading Beautiful Security - Chapter 6

I had an interesting read this week in the book Beautiful Security by Andy Oram and John Viega. The chapter I had to read and discuss was on Securing Online Advertising. It bought out some interesting and frightful information.
Users are the most direct for online advertising attacks with Malvertisements, malware, and exploit-laden banner ads.
Ex. Free Ringtones, or quizzes like, Do you know whose lips these are? These seem harmless, but can hold malware that can be installed onto your computer to collect personal information.
Advertisers themselves are victims by being overcharged by ad networks. Then using them as a doorway to your computer as they instill different cost rate schemes to the advertisers like:
CPM – Cost Per Thousand Impressions
CPC – Cost Per Click
CPA – Cost per Action
What can be done to stop this?
· Be aware of what you are about to click on. Ads that offer something too good to be true are great hiding places for malware insertion programs.
· Federal Trade Commission (FTC) and European Consumer Commissioner have been tracking down, uncovering, and handing out fines to those who create and use this form of advertising.