CORDIS - EU research results

Confidentiality-preserving Security Assurance

Periodic Reporting for period 4 - CASCAde (Confidentiality-preserving Security Assurance)

Reporting period: 2022-05-01 to 2023-05-31

CASCAde aims to create a new generation of security assurance, that is, a verifiable statement of security properties. It investigates to what extent one can certify an interconnected, dynamically changing system in such a way that one can prove its security properties without disclosing sensitive information about the system's blueprint. For example, tenants of a shared infrastructure might expect the provider of that infrastructure to give them assurances that their own resources are separated from those of other tenants. At the same time, the provider and other tenants have an interest in keeping data about the make-up of the infrastructure as a whole and of tenants' sub-systems confidential.

This is important for society because shared hosting and computing platforms are more and more common, while their security assurances can currently not yet be verified in confidence. In fact, we believe that usable confidentiality-preserving security assurance will trigger a paradigm shift in security and dependability.

The project aims at developing cryptographic tools to certify topologies and graph data structures. It seeks to bind topology certifications to the bare metal of the underlying computer systems, such that the guarantees given are assured for the actual computers in question. It aims at developing methods for certifying large-scale dynamically changing systems to keep up with the ever-expanding infrastructures. Furthermore, CASCAde investigates in an evidence-based fashion how human users relate to complex security assurance and privacy systems as proposed by us and what supports users in trusting such systems.

Specifically, to evaluate the overall hypothesis, CASCAde set out to answer the following sub-hypotheses:
1. New cryptographic techniques for graph signatures and proof systems can be developed.
2. We can achieve soundness that holds for graph signatures as well as the represented systems.
3. Graph signatures and topology certification scale to large-scale systems.
4. The topology certification can accommodate rapidly changing and evolving systems.
5. Confidentiality-preserving security assurance is usable by users and will increase human trust in the overall system.
6. Confidentiality-preserving security assurance can offer new approaches to architectural design of dependable and secure systems.

They translate into multiple objectives:
1. Cryptography -- to develop primitives to certify and prove properties of graphs.
2. Soundness -- to bind graph signatures to underlying system configurations.
3. Scale and Change -- to perform well in large-scale dynamically changing systems.
4. Usability -- to be trustworthy and usable by end users.
5. Architecture -- to establish an architecture for next-generation security assurance.
6. Prototypes -- to pilot the technique in realistic application scenarios.

Initially, CASCAde created a new efficient attribute-based credential scheme, that is, a cryptographic tool to prove to verifiers that a user has certain attributes while keeping sensitive information confidential. We shaped this scheme so that it encodes data in a way conducive to representing complex data efficiently and flexibly. Thereby, this scheme laid the foundation for a new elliptic-curve digital signature scheme that is capable of efficiently certifying complex graph data structures. This scheme comes with a range of procedures to convince another party, a verifier, that certain parts of a graph are connected to one another or that they are isolated from one another, that is, that no connection is possible. Thereby, we have created the foundations to certify the topology of an infrastructure. We have developed an extensible and flexible open-source cryptographic library for graph signatures called GSL, a reusable component to build more complex certification and security assurance systems.

We investigated how different hardware-based attestation systems operate, so-called Trusted Platform Modules (TPMs). These modules come with a capability to attest their status in a privacy-preserving fashion, so-called Direct Anonymous Attestation. In this area, we established cryptographic protocols and a topology attestation system, called Topographia, which enables the certification and proof of topologies in zero-knowledge, while binding these endeavours to the presence of the TPMs. This approach offers verifiers the guarantee that the actual system has not been changed to deviate from its certification.

We have laid the foundations for usable security and perceived trustworthiness in the project. We started this investigation from a consideration of the overall state of play of user studies in cyber security, hence considering first how the field fares in offering us strong and unshakable foundations in evidence-based methods. In this endeavor, we found a number of weaknesses, ranging from how statistical inferences are supported, through how sound the statistical reporting is and problems in statistical power and publication bias, to the strength of evidence. Ultimately, these investigations taught us what to rely on and what requirements to impose on our own empirical investigations. We further offered guidance to the community on how to pursue socio-technical studies with the end in mind, that is, how to plan for authoritative results.

We pursued a multi-pronged approach, researching how to measure privacy concern most validly and reliably with high fidelity, or how different factors such as emotions impact a user's intention to protect privacy. Finally, we created a comprehensive statistical model to show how multiple factors interplay when it comes to trustworthiness and technology acceptance of privacy technologies, using the example of attribute-based credential schemes. This last step lays the foundations to investigate trustworthiness of confidentiality-preserving security assurance as well as other privacy-enhancing technologies.

We created a novel attribute-based credential system which is especially efficient and expressive in its logical proofs over attributes. This system is founded on an area of cryptography called bilinear maps on elliptic curves. While earlier works along similar lines had restrictions in how user attributes could be represented, our new approach is more versatile.

We created a new digital signature scheme on graph data structures. Whereas earlier proposals had severe restrictions on elements of a graph needing to come from a fixed dictionary, we now unshackled the scheme from such constraints. Instead, the vertices and edges of the graph can be associated freely with multiple free-form labels.

We established the first system for graph-signature-based topology attestation bound to trusted hardware. It enables the certification of, for example, virtualized infrastructures, and the zero-knowledge proof of security properties to verifiers.

In usable security, we offered the first large-scale systematic analysis of the privacy concern scale IUIPC, showing some appreciable weaknesses that could undermine empirical work in privacy research. Based on a large user study with a UK-representative sampled cohort, we created the first latent-variable statistical model on perceived trustworthiness and technology acceptance of attribute-based credential systems, which in turn lays the foundations for other such models in the field.

[Figure: CASCAde work packages and deliverables on graph signature software]