Presentation is loading. Please wait.

Presentation is loading. Please wait.

Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University.

Similar presentations


Presentation on theme: "Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University."— Presentation transcript:

1 Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University of Washington

2 Internet Tracking is Pervasive 2 Alice Bob Tracker User1: UW, CSE, Route to [Alice’s home] User2: SIGCOMM, Hacking, Depression Trackers link user activities to form large user profiles SIGCOMM 2013

3 Implications of Tracking for Users Pros: 3 Cons: Lack of Privacy Personalization Better Security Revenue for Service SIGCOMM 2013

4 Threat Model: Trackers Correlate Unwanted Traffic 4 Alice Bob Tracker User1: UW, CSE, Route to [Alice’s home] User2: SIGCOMM, Hacking, Depression SIGCOMM 2013

5 Goal: Give Users Control over How They are Tracked 5 Alice Bob Tracker User1: UW, CSE User2: Route to [Alice’s home] User3: SIGCOMM, Hacking User4: Depression SIGCOMM 2013

6 Implications of Giving Users Control Pros: 6 Cons: Lack of Privacy Personalization Better Security Revenue for Service SIGCOMM 2013

7 Current Defenses Provide Insufficient Control Current Defenses – Application Layer: Third-party cookie blocking, DoNotTrack – Network Layer: Tor, Proxies Limitations – Coarse-grained – Not cross-layer 7SIGCOMM 2013

8 Outline Motivation / Background Approach: Cross-Layer Pseudonyms System Design – Application-Layer – Network-Layer Implementation and Evaluation Conclusion 8SIGCOMM 2013

9 Trackers Link User Requests Important identifiers for Web tracking: – Application info. (cookie, JS localstorage, Flash) – IP Address 9 Multiple requests are linkable by remote trackers, if they share the same identifiers. Req. 1 (128.208.7.x), header: cookie(…) Req. 2 (128.208.7.x), header: cookie(…) User Tracker SIGCOMM 2013

10 Approach: Pseudonym Abstraction Pseudonym = A set of all identifying features that persist across an activity Allow a user to manage a large number of unlinkable pseudonyms – User can choose which ones are used for which operations. 10 Pseudonym1 IP1 Cookie1 Pseudonym2 IP2 Cookie2 Alice Tracker Medical information Location-related (Alice’s home) SIGCOMM 2013

11 How We Want to Use Pseudonyms 11 Application IP1 Policy Engine Alice OS IP Tracker Pseudonym1 IP1 Cookie1 IP Pseudonym2 IP2 Cookie2 DHCP Routers SIGCOMM 2013 2. Network-Layer Design 1. Application-Layer Design Medical Location

12 Application-Layer Design Application needs to assign different pseudonyms into different activities. – How to use pseudonyms depends on user and application. – APIs are provided to define policies. Policy in Web browsing: a function of the request information and the state of the browser. – Window ID, tab ID, request ID, URL, whether request is going to the first-party, etc. 12SIGCOMM 2013

13 Sample Pseudonym Policies for the Web SIGCOMM 201313 Default: P1 = P2 = P3 Per-Request: P1 != P2 != P3 Per-First Party: P1 = P2 != P3 Article on Politics facebook.com news.com facebook.com P2 P1 P3

14 Sample Pseudonym Policies for the Web SIGCOMM 201314 Default: P1 = P2 = P3 Per-Request: P1 != P2 != P3 Per-First Party: P1 = P2 != P3 Article on Politics facebook.com news.com facebook.com P2 P1 P3

15 Sample Pseudonym Policies for the Web SIGCOMM 201315 Default: P1 = P2 = P3 Per-Request: P1 != P2 != P3 Per-First Party: P1 = P2 != P3 Facebook cannot know the user’s visit to news.com Article on Politics facebook.com news.com facebook.com P2 P1 P3

16 Pseudonyms in Action 16 Application IP1 Policy Engine Alice OS IP Tracker Pseudonym1 IP1 Cookie1 IP Pseudonym2 IP2 Cookie2 DHCP Routers SIGCOMM 2013 2. Network-Layer Design

17 Network-Layer Design Consideration 1.Many IP addresses for an end-host 2.Proper mixing 3.Efficient routing 4.Easy revocation 5.Support for small networks 17SIGCOMM 2013

18 Network-Layer Design Consideration 1.Many IP addresses for an end-host 2.Proper mixing 3.Efficient routing 4.Easy revocation 5.Support for small networks 18SIGCOMM 2013

19 1) IPv6 Allows Many IPs per Host IPv6 Address 128bits 19 Small networks get /64 address space (1.8e19) SIGCOMM 2013

20 2, 3) Symmetric Encryption for Mixing and Routing 20SIGCOMM 2013 Network Prefix To route the packet “within” the network To route the packet “to” the network Networks can use this part as they want IPv6 Address 128bits

21 2, 3) Symmetric Encryption for Mixing and Routing 128bits Network Prefix 21 SubnetHost Pseudonym Network PrefixEncrypted ID EncryptDecrypt Use symmetric-key encryption End-hosts know only encrypted IP addresses Router uses the base addresses to forward packets – By longest-prefix matching with subnet::host, thus, the size of routing table does not change. Base Encrypted SIGCOMM 2013

22 Routing Example 22 Internet ISP ( Prefix :: … ) Prefix Encrypted ID Sub::Host::Pseudo SIGCOMM 2013

23 Outline Motivation / Background Approach: Cross-Layer Pseudonyms System Design – Application-Layer – Network-Layer Implementation and Evaluation Conclusion 23SIGCOMM 2013

24 IPv6 Internet Prototype Implementation 24 Web Browser Policy Engine Alice Web Server IP1 OS IP IPv6 Tunnel Broker Extension Gateway /64 network IP SIGCOMM 2013 function extreme_policy(request, browser) { return request.requestID; }

25 Evaluation Is the policy framework expressive enough? How many pseudonyms are required? Do policies effectively preserve privacy? Are that many pseudonyms feasible? How much overhead in OS and router? SIGCOMM 201325

26 Pseudonym Policy is Expressive 26 NameDescription TrivialEvery request uses the same pseudonym ExtremeEvery request uses different pseudonym Per tab [1]Request from each tab uses different pseudonym Per 1 st -party [2]Based on the connected page (1 st -party)’s domain Time-based [3]Change pseudonym every 10 minutes We could implement all the protection mechanisms from the related work in a cross-layer manner. SIGCOMM 2013 More examples in the paper: Per browsing session, 3 rd -party blocking [1] CookiePie Extension, [2] Milk, Walls et al. HotSec 2012, [3] Tor

27 Privacy Preservation over Policies 27SIGCOMM 2013 10 bits

28 Privacy Preservation over Policies 28SIGCOMM 2013

29 Conclusion Pseudonym abstraction: user control over unlinkable identities. – Provided new network addressing and routing mechanisms that exploit the ample IPv6 address space. – Enabled various policies with expressive policy framework. – Prototyped with an extension for web browser to show the feasibility 29SIGCOMM 2013


Download ppt "Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University."

Similar presentations


Ads by Google