Personal Privacy: Limited Disclosure using Cryptographic Techniques Mark Shaneck Karthikeyan Mahadevan SCLab.


What is Privacy?
Privacy is the expectation that confidential personal information disclosed in a private place will not be disclosed to third parties, when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities. Information is interpreted broadly to include facts, images (e.g., photographs, videotapes), and disparaging opinions.

Privacy Invasion – Grocery Store
Using a credit card to pay for the groceries
The credit card information should be used only for the payment
What you buy should never be revealed to anyone
This is a bird's-eye view of the problem. Although not serious, please visit for more interesting problems

A quotation
"The Home Office caused controversy last year when it attempted to allow a long list of public authorities to access records of individuals' telephone and Internet usage. This 'communications data' -- phone numbers and addresses contacted, web sites visited, locations of mobile phones, etc. -- would have been available without any judicial oversight, under the Regulation of Investigatory Powers Act 2000"
- London

What is Limited Disclosure?
California passed a law, SB 27, requiring disclosure to consumers of the kinds of information companies collect and share about them. [Takes effect from 2005]
As the title suggests, we want to limit disclosure of personal information
In other words: I, and only I, should provide access to my personal information

Misuse of Personal Information
On average, 49% of victims did not know how their information was obtained
Identity Theft
27.3 million Americans have been victims of identity theft in the last five years
67% of identity theft victims (more than 6.5 million victims in the last year) report that existing credit card accounts were misused

Real Life Examples
Almost 10 months after the World Trade Center attack, a widow found out that an identity clone had been living and working using her husband's information. He had died during the attack.
A mother keeps receiving collection notices on her daughter's credit card accounts. Her daughter died 17 years ago.

Other Scenarios
ISP customer information
Airlines – passenger information
Medical databases
Of course, "Big Brother" is omnipotent
Personal privacy on the Internet is a myth (beware.html)

Privacy Policy
Yes, there is enough literature, documents and other resources on privacy policy
But how many of us read the privacy agreements? (Has anyone really read a EULA?)
Policies are really like traffic rules, but we still need a cop to enforce them

Privacy…
KYD's example: AIDS website
P3P (Platform for Privacy Preferences)
Privacy tools
Other resourceful websites: Electronic Frontier Foundation, Center for Democracy and Technology

Security in Databases
Designing databases with privacy as a central concern – Hippocratic Databases
Secure databases – executing SQL queries over encrypted databases
Encrypted keyword search
There has been a lot of good work done in this area

Why this talk?
For our project we initially decided that we would solve one part of the Hippocratic Databases problem – Limited Disclosure
There is a solution based on P3P for limited disclosure
Cryptographic techniques to provide limited disclosure are the theme of our project

Definitions
$K_p = \prod_{i=p}^{P} k_i$ (where $P$ is a system parameter: the length of the storage agreement)
Let $h$ be a hash function $h: \{0,1\}^* \to \{0,1\}^m\{1\}$ (its output always ends in a 1 bit, so it is odd)
$k_0 = k$, $k_i = h(k_{i-1})$

Limited Disclosure - Setup
A:
Chooses $n = pq$ ($p, q$ large primes) where $p = 2x+1$, $q = 2y+1$ ($x, y$ large primes)
Chooses $e, d$ such that $ed \equiv 1 \pmod{\varphi(n)}$
Chooses $K_p$ odd
A stores $m^{eK_P} \bmod n$ and $K_p$, $n$ with DB

Limited Disclosure Scheme
A → B: $rd \bmod \varphi(n)$, $(rK_p)^{-1} \bmod \varphi(n)$
B → DB: $rd \bmod \varphi(n)$
DB computes $(m^{eK_p})^{rd} \bmod n$, which equals $m^{rK_p} \bmod n$ since $ed \equiv 1 \pmod{\varphi(n)}$
DB → B: $m^{rK_p} \bmod n$
B computes $(m^{rK_p})^{(rK_p)^{-1}} \bmod n$, recovering $m$

What everybody knows
A: everything, of course: $n, p, q, \varphi(n), e, d, k, h$
DB: $c, k, n, rd \bmod \varphi(n)$
B: $n$, $rd \bmod \varphi(n)$, $(rK_p)^{-1} \bmod \varphi(n)$

Limited Disclosure - Key Update
Every night, DB computes $(m^{eK_p})^{k_{p-1}}$, which is $m^{eK_{p-1}}$ since $K_{p-1} = k_{p-1} K_p$
A can now give authorization for some time in the future by computing the proper $K_p$ and $K_p^{-1}$
(A knows that the data will change and does not want to give authorization until after the change, but wants to hand out the authorization token now)
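The setup, the authorization exchange and the nightly key update, carried through end to end as an added example (not the authors' code). It assumes constructed toy-sized safe primes, SHA-256 truncated to 64 bits as $h$, a 30-day agreement, and a constructed message, chain seed and blinding value $r$; re-hashing a $k_i$ that shares a factor with $\varphi(n)$ is a safeguard the slides do not spell out.

```python
import hashlib
from math import gcd, prod
P_PRIME, Q_PRIME = 1019, 1187        # p = 2*509+1, q = 2*593+1: safe primes (constructed, toy-sized)
N, PHI = P_PRIME * Q_PRIME, (P_PRIME - 1) * (Q_PRIME - 1)   # n and phi(n) = 4xy
P_MAX, M_BITS = 30, 64               # P: storage-agreement length in days; hash output width in bits

def h(x):
    """h: {0,1}* -> {0,1}^m{1}: SHA-256 truncated to 64 bits with the low bit forced to 1 (odd)."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return (int.from_bytes(digest, "big") % (1 << M_BITS)) | 1

def hash_chain(k0):
    """k_0 = k, k_i = h(k_{i-1}); returns [k_0, ..., k_P]. K_p is then prod(chain[p:])."""
    chain = [k0]
    for _ in range(P_MAX):
        nxt = h(chain[-1])
        while gcd(nxt, PHI) != 1:    # at toy sizes an odd k_i may still share x or y with phi(n);
            nxt = h(nxt)             # the slides leave this implicit, so we re-hash (assumption)
        chain.append(nxt)
    return chain

def owner_setup(m, k0, e=65537):
    """A: picks d with ed = 1 mod phi(n), derives the chain, stores c = m^(e K_P) mod n with DB."""
    d, chain = pow(e, -1, PHI), hash_chain(k0)
    return d, chain, pow(m, e * prod(chain[P_MAX:]), N)

def db_nightly_update(c, chain, p):
    """DB, each night: (m^(e K_p))^(k_{p-1}) = m^(e K_{p-1}); the day index p counts down."""
    return pow(c, chain[p - 1], N)

def owner_authorize(d, chain, p, r):
    """A -> B: token (rd mod phi(n), (r K_p)^-1 mod phi(n)), valid for day p only."""
    return r * d % PHI, pow(r * prod(chain[p:]), -1, PHI)

def db_respond(c, rd):
    return pow(c, rd, N)             # DB -> B: (m^(e K_p))^(rd) = m^(r K_p) mod n, no access check
def reader_recover(blinded, inv):
    return pow(blinded, inv, N)      # B: (m^(r K_p))^((r K_p)^-1) = m mod n

def demo(nights=3):
    """Returns (m, what B recovers on the authorized day p, what B gets one night later)."""
    m, k0, r = 424242, 0x9E3779B97F4A7C15, 123457   # constructed message, chain seed, blinding r
    d, chain, c = owner_setup(m, k0)
    for day in range(P_MAX, P_MAX - nights, -1):     # DB re-keys the stored ciphertext nightly
        c = db_nightly_update(c, chain, day)
    p = P_MAX - nights                               # today's index after `nights` updates
    rd, inv = owner_authorize(d, chain, p, r)
    today = reader_recover(db_respond(c, rd), inv)
    stale = reader_recover(db_respond(db_nightly_update(c, chain, p), rd), inv)
    return m, today, stale
```

The third value returned by demo() shows the expiry property from the Benefits slide: once DB has applied the next nightly update, the same token no longer yields m.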

Benefits
A is mostly offline (only needed when giving authorization, which can be done beforehand)
A keeps DB out of the loop when changing "access control lists"
Requires no authorization checking from DB: DB just responds to all queries with the encrypted data
Prevents B from checking whether a cached copy of A's data is still valid (after expiration of authorization)

Lines of Thought
We think that e is used only by the owner of the data; can we keep it secret?
Is this scheme secure?
Can we use a symmetric-key system?

Future Work
Collaboration attack – can we avoid this?
Analyze the protocol for any security breaches
If possible, provide a "proof of security"
Tie this in with P3P

Questions? Suggestions?