Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Privacy Prof. Ravi Sandhu Executive Director and Endowed Chair March 8, 2013 © Ravi Sandhu World-Leading Research.

Published byLea Newbury Modified over 10 years ago

Similar presentations

Presentation on theme: "1 Privacy Prof. Ravi Sandhu Executive Director and Endowed Chair March 8, 2013 © Ravi Sandhu World-Leading Research."— Presentation transcript:

1 1 Privacy Prof. Ravi Sandhu Executive Director and Endowed Chair March 8, 2013 ravi.sandhu@utsa.edu www.profsandhu.com © Ravi Sandhu World-Leading Research with Real-World Impact! CS 6393 Lecture 7

2 © Ravi Sandhu 2 World-Leading Research with Real-World Impact! Privacy versus Security PrivacySecurity I think this is wrong

3 © Ravi Sandhu 3 World-Leading Research with Real-World Impact! Privacy versus Security Security Privacy My preferred view

4 © Ravi Sandhu 4 World-Leading Research with Real-World Impact! Privacy versus Security Privacy Security But I could be persuaded to take this view

5 © Ravi Sandhu 5 World-Leading Research with Real-World Impact! Security Objectives INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure USAGE purpose

6 © Ravi Sandhu 6 World-Leading Research with Real-World Impact! Security Objectives INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure USAGE purpose Privacy includes limits on collection and retention Privacy includes recourse to correct and consequently recourse to access Privacy includes rights to see who has accessed your privacy sensitive information

7  Your nation state  Other nation states  Employer  Service provider  Friends  Family  Enemies  Media  Criminals  … © Ravi Sandhu 7 World-Leading Research with Real-World Impact! Attackers aka Adversaries

8  Overall fragmented and slow to catch up with rapid technological change  Privacy in the workplace is sharply limited  Some US laws  FCRA (Fair Credit Reporting Act), 1970, enforced by FTC  FERPA (Family Educational Rights and Privacy Act), 1974  IRS Disclosure Laws, 1976  VPPA (Video Privacy Protection Act, 1988  HIPAA (Health Insurance Portability and Accountability Act), 1996  A failed standard  P3P (Platform for Privacy Preferences) from W3C © Ravi Sandhu 8 World-Leading Research with Real-World Impact! Laws, Regulations and Standards

9 © Ravi Sandhu 9 World-Leading Research with Real-World Impact! Identity as Attributes

10 © Ravi Sandhu 10 World-Leading Research with Real-World Impact! X.509 PKI: Identity Centric, Off-Line VERSION SERIAL NUMBER SIGNATURE ALGORITHM ISSUER VALIDITY SUBJECT SUBJECT PUBLIC KEY INFO SIGNATURE VERSION SERIAL NUMBER SIGNATURE ALGORITHM ISSUER VALIDITY HOLDER PUBLIC KEY INFO ATTRIBUTES SIGNATURE Identity Certificate Attribute Certificate

11  Privacy friendly  Certificate issuer is not involved and therefore not aware when a user receives service from a relying party UNLESS  Certificate revocation needs to be verified in real-time  Privacy unfriendly  Identity is central  Attributes strongly linked through identity  Attributes pre-packaged into certificates © Ravi Sandhu 11 World-Leading Research with Real-World Impact! X.509 Characteristics

12 © Ravi Sandhu 12 World-Leading Research with Real-World Impact! Microsoft SSO (1990’s) Knows which relying parties are being accessed Decides which attributes to release to which relying party

13 © Ravi Sandhu 13 World-Leading Research with Real-World Impact! Microsoft Infocard Identity Ecosystem (2000’s) Identity Provider knows when security tokens are requested BUT does not necessarily know specific relying party User decides which attributes to release to which relying party

14  Single private key  Multiple unlinkable public keys, generated by the user from the single private key  “A credential issued to one public key can be (repeatedly) transformed into a credential that’s valid on another public key of the same user. Moreover, the transformed credential can contain a selected subset of the attributes in the original credential.”  “Transformed credentials are unlinkable. That is, for two transformed credentials with disjoint sets of revealed attributes, you can’t tell whether they originated from the same credential or different credentials.”  “Instead of revealing attribute values, users can choose to merely reveal that some predicate over the attributes holds.”  “Private credentials also let users provide attributes in verifiably encrypted form to the relying party, so that they’re available only to a dedicated trusted third party.” © Ravi Sandhu 14 World-Leading Research with Real-World Impact! Private Credentials

15 1.An application should be designed so that only the minimal amount of (personal) information gets revealed to each party that is necessary for the party to perform its task. 2.Users need to be able to understand and control the usage of the information they have released. 3.All information related to users must be encrypted, both at rest and in transit. © Ravi Sandhu 15 World-Leading Research with Real-World Impact! Camenisch’s Privacy Principles

16 1.The first type of mechanism is concerned with providing privacy at the network layer, to ensure that communication channels can be established without revealing identifying information such as IP addresses. 2.Once such communication has been established, the second type of mechanism comes into play. They allow users to reveal only information that is necessary for the task at hand. 3.The third category are mechanisms that implement special purpose applications. © Ravi Sandhu 16 World-Leading Research with Real-World Impact! Camenisch’s Mechanism Hierarchy

17 © Ravi Sandhu 17 World-Leading Research with Real-World Impact! 3 Media Items

Download ppt "1 Privacy Prof. Ravi Sandhu Executive Director and Endowed Chair March 8, 2013 © Ravi Sandhu World-Leading Research."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
© 2006 Ravi Sandhu www.list.gmu.edu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,

© 2006 Ravi Sandhu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]

Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]
Confidentiality and Privacy Controls

Confidentiality and Privacy Controls
1 The Challenge of Data and Application Security and Privacy (DASPY): Are We Up to It? Ravi Sandhu Executive Director and Endowed Professor February 21,

1 The Challenge of Data and Application Security and Privacy (DASPY): Are We Up to It? Ravi Sandhu Executive Director and Endowed Professor February 21,
Secure Communication Architectures.

Secure Communication Architectures.
Privacy: Accountability and Enforceability Jamie Yoo April 11, 2006 CPSC 457: Sensitive Information in a Wired World.

Privacy: Accountability and Enforceability Jamie Yoo April 11, 2006 CPSC 457: Sensitive Information in a Wired World.
1 Federated Identity and Single-Sign On Prof. Ravi Sandhu Executive Director and Endowed Chair February 15, 2013

1 Federated Identity and Single-Sign On Prof. Ravi Sandhu Executive Director and Endowed Chair February 15, 2013
1 Grand Challenges in Data Usage Control Prof. Ravi Sandhu Executive Director and Endowed Chair

1 Grand Challenges in Data Usage Control Prof. Ravi Sandhu Executive Director and Endowed Chair
1 Privacy in Microdata Release Prof. Ravi Sandhu Executive Director and Endowed Chair March 22, 2013 © Ravi Sandhu.

1 Privacy in Microdata Release Prof. Ravi Sandhu Executive Director and Endowed Chair March 22, © Ravi Sandhu.
1 The Science, Engineering, and Business of Cyber Security Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair.

1 The Science, Engineering, and Business of Cyber Security Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair.
1 Privacy Preserving Data Publishing Prof. Ravi Sandhu Executive Director and Endowed Chair March 29, 2013 © Ravi.

1 Privacy Preserving Data Publishing Prof. Ravi Sandhu Executive Director and Endowed Chair March 29, © Ravi.
1 Plenary Panel on Cloud Security and Privacy: What is new and What needs to be done? Ravi Sandhu Executive Director and Endowed Professor December 2010.

1 Plenary Panel on Cloud Security and Privacy: What is new and What needs to be done? Ravi Sandhu Executive Director and Endowed Professor December 2010.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
1 Privacy and Access Control: How are These Two Concepts Related? Prof. Ravi Sandhu Executive Director and Endowed Chair SACMAT Panel June 3, 2015

1 Privacy and Access Control: How are These Two Concepts Related? Prof. Ravi Sandhu Executive Director and Endowed Chair SACMAT Panel June 3, 2015
Copyright © 2015 Pearson Education, Inc. Confidentiality and Privacy Controls Chapter 9 9-1.

Copyright © 2015 Pearson Education, Inc. Confidentiality and Privacy Controls Chapter
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Similar presentations

Ads by Google