Securing our privacy and security online
Cryptographic protocols form the backbone of our online activity, ensuring the privacy and security of our communications, financial transactions, and civic engagement such as voting. Yet the prevalence of individuals connecting to these networks through inadequately secured or compromised devices makes maintaining this security infrastructure a challenge. The SPOOC project, funded by the European Research Council, set out to build theoretical frameworks and practical tools that can validate the security and privacy of online exchanges, even when carried out on untrusted platforms. “Our aim is to secure communications, through the internet, mobile phones – any kind of digital communications,” explains project coordinator Steve Kremer, a researcher at the French National Institute for Research in Digital Science and Technology. “We want to guarantee confidentiality and ensure that when you go online, you are connecting to the correct website and really speaking to the person you intend to speak to.”
Swiss elections
A key step to proving the privacy and security of online communications, says Kremer, is the idea of ‘program equivalence’. This describes a property whereby two programs appear to operate in the same way to an outside observer. Kremer leverages this notion of program equivalence so that online communications are indistinguishable in a similar way in order to model privacy and anonymity. “If we intercept two communications, we should not be able to know if they are coming from the same phone, or coming from two different phones,” he adds. Designing software that can analyse two programs to see if they are equivalent was a central part of the SPOOC project. This work has since been applied in Switzerland in the context of online elections, where operators are required to provide security proofs of their system. Another element of the SPOOC project was to develop tools that could ensure the security, privacy and transparency of protocols that manage voting online. “There are still many things not completely solved,” notes Kremer. “But modern protocols can now guarantee privacy and transparency even if the server collecting votes is dishonest or compromised.” Unfortunately, he points out, high stakes elections present a target worth developing dedicated malware for, making it much harder to guarantee their security. “As soon as you make something digital, it’s very easy to scale up attacks,” says Kremer. “And one thing computers are good at is doing the same thing very quickly and very often.”
Multifactor authentication
The final aspect of the project focussed on partially insecure devices. Typically, organisations use two-factor authentication to ensure online transactions are genuine, putting a human into the loop. The SPOOC project carried out a complete analysis of this system, considering thousands of adversarial scenarios to quantify exactly the limits of two-factor authentication. “I’m happy with what we achieved,” remarks Kremer, adding that there is still a lot of work to do to make this tool more efficient. Kremer and his team have since secured funding from the French National Research Agency to further develop their validation tools. “We plan to make these tools faster and more applicable to real-world protocols,” he concludes. “We’re trying now to put all this theory we’ve developed into practice and develop more fruits from this tree.”
Keywords
SPOOC, cryptographic, automated, security, proofs, protocols, mobile, phones, communications
