Monday, February 21, 2011

EM835 Weekly Reading: this week from Acquisti et al., Digital Privacy

Uncircumventable Enforcement of Privacy via Cryptographic Obfuscation

What is it
Obfuscation, in general, describes a practice that is used to intentionally make something more difficult to understand. In a programming context, it means making code harder to understand or read, generally for privacy or security purposes. A tool called an obfuscator is sometimes used to convert a straightforward program into one that works the same way but is much harder to understand.

Basically, it is hiding information in plain sight inside computer code or digital data
(or, as Bruce Lee might say, the art of hiding without hiding)

Brief History
1976 – Diffie and Hellman produced a paper on public key cryptology introducing the first publicly known public key cryptosystem
Gates' open letter to hobbyists leads to the first use of obfuscation for copy protection and digital rights management
1986 – Malware's use of obfuscation is introduced:
Viral Legerdemain - first piece of malware that attempted to conceal its existence
Cascade virus - first piece of malware to use encryption to scramble its contents
Oligomorphism 1990 - could change static decryptors
Polymorphism 1991 - a method of radically changing how malware conceals itself
The Mutation Engine 1992 - first ever polymorphic toolkit, which enabled neophyte virus programmers to link their code to an MtE-generated polymorphic object and extend a normal non-obfuscated virus into a highly polymorphic one
2001 – Study of cryptic obfuscation began:
Virtual black box security, which guarantees no other feasible way to access stored passwords

Applications

Security in the beginning was weak and easily broken; then came cryptographic obfuscation, which was stronger security, better than DRM

Digital Rights Management
Most commonly used for protecting data from unauthorized usage, but has a dismal track record

Recreational use - International Obfuscated C Code Contests

Obfuscation to Digital Privacy Usages:
Protecting database privacy via Digital Rights Management (DRM), but it is weak, easily broken, okay for blocking a casual hacker
Can introduce serious security vulnerabilities
Cryptographic obfuscation
Providing technological support
As a Virtual Black Box
Real strength – guarantees no other feasible way to access a stored password
But still can be reverse engineered

Obfuscation for Access Control
Provides point function obfuscation: a function that produces a special output from a single input, which may be thought of as a key or password
ex: Password hashing procedure - UNIX

Obfuscation for Group Privacy
Privacy can be enforced by allowing a record to be retrievable only if the user can name it precisely
Group Privacy Policy has tradeoffs between Privacy and Utility
More research needed to look into using Heuristic methods to improve efficiency
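
As an added example (not code from the reading), here are the two ideas above in Python: a UNIX-style password hash used as an obfuscated point function, and a table whose records can be retrieved only by naming them precisely. The salted PBKDF2 hash, the iteration count, the (salt, tag, masked value) row layout and the sample records are all assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 20_000  # illustrative work factor (assumption), not a recommendation


def _derive(salt: bytes, name: str, length: int) -> bytes:
    # Salted, deliberately slow hash of the exact input string.
    return hashlib.pbkdf2_hmac("sha256", name.encode(), salt, ITERATIONS, length)


def obfuscate_point(secret: str) -> tuple[bytes, bytes]:
    """Point function as stored data: (salt, tag). The secret itself is not kept."""
    salt = os.urandom(16)
    return salt, _derive(salt, secret, 32)


def check_point(obf: tuple[bytes, bytes], guess: str) -> bool:
    salt, tag = obf
    return hmac.compare_digest(tag, _derive(salt, guess, 32))


def obfuscate_db(records: dict[str, str]) -> list[tuple[bytes, bytes, bytes]]:
    """Turn each (name, value) into (salt, tag, masked value); names are dropped."""
    rows = []
    for name, value in records.items():
        data, salt = value.encode(), os.urandom(16)
        stream = _derive(salt, name, 32 + len(data))
        masked = bytes(a ^ b for a, b in zip(data, stream[32:]))
        rows.append((salt, stream[:32], masked))
    return rows


def lookup(rows: list[tuple[bytes, bytes, bytes]], name: str) -> str | None:
    """Linear scan: a value is unmasked only if `name` matches a row exactly."""
    for salt, tag, masked in rows:
        stream = _derive(salt, name, 32 + len(masked))
        if hmac.compare_digest(tag, stream[:32]):
            return bytes(a ^ b for a, b in zip(masked, stream[32:])).decode()
    return None


# Constructed sample records, not data from the reading.
SAMPLE = {
    "Jane Q. Public|1970-01-31": "blood type O-",
    "John Doe|1982-11-05": "allergy: penicillin",
}
```

Lookup costs one slow hash per row, and a name that is easy to guess can still be found by enumeration, which is the privacy versus utility and efficiency tradeoff noted above.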
