Skip to main content

Confidentiality-preserving Security Assurance

Periodic Reporting for period 2 - CASCAde (Confidentiality-preserving Security Assurance)

Reporting period: 2019-05-01 to 2020-10-31

CASCAde aims to create a new generation of security assurance, that is, a verifiable statement of security properties. It investigates to what extent one can certify an interconnected dynamically changing system in such a way that one can prove its security properties without disclosing sensitive information about the system's blueprint. For example, tenants of a shared infrastructure might expect of the provider of that infrastructure that they receive assurances that their own resources are separated from other tenants. At the same time, the provider and other tenants have an interest that data of the make-up of the infrastructure as a whole and of tenants’ sub-systems stay confidential.

This is important for society because shared hosting and computing platforms are more and more common, while their security assurances can currently not yet be verified in confidence. In fact, we believe that usable confidentiality-preserving security assurance will trigger a paradigm shift in security and dependability.

The project aims at developing cryptographic tools to certify topologies and graph data structures. It seeks to bind topology certifications to the bare metal of the underlying computer systems, such that the guarantees given are assured for the actual computers in question. It aims at developing methods for certifying large-scale dynamically changing systems to keep up with the ever-expanding infrastructures. Furthermore, CASCAde investigates in an evidence-based fashion how human users relate to complex security assurance and privacy systems as proposed by us and what supports users in trusting such systems.

Specifically, CASCAde set out to answer the following hypotheses:
To evaluate the overall hypothesis, we need to answer specific sub-hypotheses:
1. New cryptographic techniques for graph signatures and proof systems can be developed.
2. We can achieve soundness that holds for graph signatures as well as the represented systems
3. Graph signatures and topology certification scale to large-scale systems
4. The topology certification can accommodate rapidly changing and evolving systems.
5. Confidentiality-preserving security assurance is usable by users and will increase human trust in the overall system
6. Confidentiality-preserving security assurance can offer new approaches to architectural design of dependable and secure system.

They translate into multiple objectives:
1. Cryptography -- to develop primitives to certify and proof properties of graphs.
2. Soundness -- to bind graph signatures to underlying system configurations.
3. Scale and Change -- to perform well in large-scale dynamically changing systems.
4. Usability -- to be trustworthy and usable by end users.
5. Architecture -- to establish an architecture for next-generation security assurance.
6. Prototypes -- to pilot the technique in realistic application scenarios.
Initially, CASCAde focused on creating a new efficient attribute-based credential scheme, that is, a cryptographic tool to prove to verifiers that a user has certain attributes while keeping sensitive information confidential. We shaped this scheme such that it encodes data in a way conducive to representing complex data in an efficient and flexible manner. Thereby, this scheme lays the foundation for a new digital signature scheme that is capable of certifying complex graph data structures. Our investigation continued into creating such a novel digital signature scheme that operates on graph. This comes with a range of procedures to convince another, a verifier, that certain parts of a graph are connected to each other or that they are isolated from each other, that is, there is no connection possible. Thereby, we have created the foundations to certify the topology of an infrastructure, already. We have designed these systems to be especially efficient, such that they can certify systems with thousands of components. Hence, they lay the foundations for great scalability while offering a very expressive solution. We have realized a cryptographic computer library to this effect, a reusable component to build bigger certification and assurance systems. Our tools, thereby, allow providers to prove to verifying users, for instance, that the users’ sub-systems are isolated from others. As another example, they could be used to show that systems are replicated over different countries, to offer assurances that the users’ data are safe in case of natural disaster.

We investigated how different hardware-based attestation systems operate, so called Trusted Platform Modules, short TPMs. These modules come with a capability to attest their status in a privacy-preserving fashion, so called Direct Anonymous Attestation. Here, we considered how the cryptographic protocols on these tamper-proof hardware modules, present in many computers, could gel with our methods to attest the properties of a certified topology.

We have further laid the foundations for the usable security and perceived trustworthiness in the project. We started this investigation from a consideration of the overall state-of-play of user studies in cyber security, hence considering first how the field fares in offering us strong and unshakable foundations in evidence-based methods. In this endeavor, we found a number of weaknesses from how statistical inferences are supported, over how sound the statistical reporting is, to problems in statistical power and publication bias. Ultimately, these investigations taught us what to rely on and what requirements to impose on our own empirical investigations.
From there, we pursued a multi-pronged approach researching how to best measure privacy concern with high fidelity or how different factors such as emotions impact a user’s intention to protect privacy. Finally, we created a complex statistical model to show how multiple factors interplay when it comes to trustworthiness and technology acceptance of privacy technologies, with the example of attribute-based credential schemes. This last step lays the foundations to investigate trustworthiness of confidentiality preserving security assurance.
So far, we created a novel attribute-based credential system which is especially efficient and expressive in its logical proofs over its attributes. This system is founded on an area of cryptography called bilinear maps on elliptic curves. While earlier works along similar lines had some restrictions in how user attributes could be represented, our approach is more versatile. As part of this line of work, we have also created new security requirements for such systems that aim at unifying and strengthening the assurance for such systems.

We created a new digital signature scheme on graph data structures. Whereas an earlier proposal along similar lines had severe restrictions on elements of a graph needing to come from a fixed dictionary, we now unshackled the scheme from such restrictions. Instead, the vertices and edges of the graph can be freely associated with multiple free-form labels. For this kind of a system, we have developed a extensible and flexible cryptographic library.

As key advances over the state of the art of usable security we offered the first large-scale systematic analysis of the privacy concern scale IUIPC, showing some appreciable weaknesses that could undermine empirical work in privacy. Based on a large user-study with a UK-representatively sampled cohort, we created the first latent variable statistical model on perceived trustworthiness and technology acceptance of attribute-based credential systems.