Cryptographic Techniques for Reconciling Utility with Privacy in Computer Systems

* Summary of project objectives.

The RECUP project dealt with the inherent antagonism between utility and privacy in the access of computer services and the processing of digital data. To illustrate the problem we tackled consider the following scenario. There are two parties, say Alice and Bob, and Bob wishes to obtain a certain service from Alice. Prior to delivering the service, Alice wants to make sure that Bob is eligible for receiving service. Alice will challenge Bob to present a set of credentials that attest to this fact. Bob may counter challenge to authenticate his status with a different set of credentials. When the negotiation produces a set of credentials that both Alice and Bob agree on, Bob will present them and Alice will deliver the service requested, assuming the credentials are valid.

The above general scenario is ubiquitous in the way services are delivered and data are accessed and processed in information systems. Some concrete examples that instantiate the above process in everyday activities, include the case when Bob accesses his bank account online with Alice playing the role of the Bank’s server or when Bob checks out a company laptop to work from home and wishes to access sensitive company information.

The problem in the above setting arises from the mutual mistrust between Alice and Bob. Indeed, Alice runs the risk of delivering sensitive data or granting access to a restricted service to a party claiming to be Bob but is instead an impersonator that has acquired a set of Bob’s credentials unlawfully. Similarly Bob runs the risk of authenticating himself to Alice that is either impersonated or turned malicious and her purpose is to steal Bob’s credentials or record the usage of Bob with the service and use it in some way against his interests. The above mistrust applies even to the setting when Alice and Bob themselves are not malicious as the channel they use to communicate may be subverted (e.g. it may allow for a "man-in-the-middle" attack).

In line with the above, the fundamental objective of RECUP was to provide cryptographic solutions for the above setting. The major challenge is that due to mistrust, Alice and Bob have a conflict of interest. Bob's interests are in maintaining the full utility and functionality of the service while maximizing his privacy, i.e. revealing as little as possible to the system regarding his identity and the way he is using the service. In constrast to that, Alice's interests are in ensuring proper authentication and compliance to usage agreement so she prefers to know as much as possible regarding Bob and the way he is utilizing the service delivered.

* Conclusions

We engaged in the development of security models and new encryption and authentication protocols that offer fine-grain privacy-preserving controls. The cryptographic techniques that we focused can be used to provide much more effective key-management methods than a simplistic "all-or-nothing" approach. According to our research plan we focused on diverse authentication and encryption privacy-preserving operations such as aggregation of private data in distributed systems and distributed authentication with multiple servers. We performed experiments and validated our performance claims.

We developed new formal models and protocols for various operations including encryption and authentication. Our formal modeling focused on all basic cryptographic operations in the setting of an attacker that tampers with the internal state of the primitive. We studied and developed algorithms that achieve "at-most once" semantics, i.e. they restrict the number of times a certain abstract operation is to be performed by a set of entities that operates distributedly in the presence of an adversary that can schedule their actions adversarially. We studied the problem of privacy-preserving aggregation of distributed data. To enable a privacy-preserving operation we developed a technique called Secure In-network processing of Exact SUM queries (SIES). SIES is particularly lightweight (it relies on inexpensive hash operations and modular additions/multiplications), and features small bandwidth consumption. We performed experiments and implemented instantiations of our basic primitive.

We developed a new distributed password-based authenticated key exchange protocol. This was the first round-optimal scheme, requiring just one message from user to server, and from server to user, and that works in the password-only setting where users do not have access to an authenticated public key. Our single-round protocol works for arbitrary number of servers and security thresholds and has no public-key infrastructure requirements for any party (clients or servers) and no requirement for inter-server communication. This result paves the way for providing very efficient password protected services of various types for users that are highly mobile and employ a variety of devices.

* Socio-economic impacts

An information management system that incorporates the techniques developed will have no need for leak-prone cleartext databases of sensitive information and it will be capable of recovering effectively from key exposure incidents. Furthermore, such a system will provide some data control even after disclosure so that compliance to usage agreements and conformance to proper access policies can be enforced and maintained. The project served as a bridge between theoretical cryptographic investigations and applied computer security practices with respect to access control, data management and data flow control. The results of the proposed research activity were widely disseminated and the developed cryptographic technology has been made available for public use. With the completion of the project a technology transfer effort is underway and the password-based authenticated key exchange protocol that was developed in collaboration with IBM research and University of California is currently considered for integration to related products and services.