Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy-Preserving Data Sharing Michael Siegenthaler Ken Birman Cornell University.

Published byThomasine Ross Modified over 9 years ago

Similar presentations

Presentation on theme: "Privacy-Preserving Data Sharing Michael Siegenthaler Ken Birman Cornell University."— Presentation transcript:

1 Privacy-Preserving Data Sharing Michael Siegenthaler Ken Birman Cornell University

2 Introduction Today, personal data is typically stored electronically But systems at distinct organizations have no way to communicate with each other ID

3 SSNName… 123-45-6789Alice 111-22-3333Bob PatientIDName… X1234John X7890Bob SSNName… 12-34-5555Cathy 111-22-3333Robert General Hospital Acme Food and Drug Special Treatment Clinic, Inc. Legacy databases System Model (Each stored at at a data owner)

4 Example Query Drug interaction check at pharmacy –A pharmacist is dispensing a drug, doesn’t know what else the patient may be taking –Patient’s medical record is stored at primary care provider and various specialists Is it safe for the patient to take this drug?

5 Guarantees Data privacy –E.g. pharmacist receives yes/no answer, not the underlying data Query privacy –E.g. hospital does not learn which drug is currently being dispensed Anonymous communication –E.g. hospital and pharmacy do not learn each other’s identities

6 Anonymous Communication Onion skin routing –Providers P i –Encryption function E –Public keys K Pi Example: –Reference to patient 34 at Provider 2 routed through provider Provider 1

7 Requirements “Locate” remote records –Translate a real-world identifier (name, SSN, DOB...) into a data handle, an onion skin route that can be used to communicate with the providers where the data owners Execute the desired query –Use data handles to perform a privacy-preserving query

8 Global Search Mechanism Search for user with SSN 343-56-7878 Hierarchy of provider groups –Each group has a designated contact who tracks its membership

9 Bloom Filters SSN 1 = 987-65-4321 hash 1 (SSN 1 ) = 2 hash 2 (SSN 1 ) = 4 hash 3 (SSN 1 ) = 8 000000000000 01234567891011 1 1 1 M = 12 K = 3 SSN 2 = 112-33-4455 hash 1 (SSN 2 ) = 3 hash 2 (SSN 2 ) = 10 hash 3 (SSN 2 ) = 8 1 1 1 SSN 3 = 444-88-2222 hash 1 (SSN 3 ) = 4 hash 2 (SSN 3 ) = 3 hash 3 (SSN 3 ) = 8 ? ? ? 111 SSN 3 = 444-88-2222 hash 1 (SSN 3 ) = 4 hash 2 (SSN 3 ) = 3 hash 3 (SSN 3 ) = 8 ? ? ? 0 1 1 Insert SSN 1 Does a record for SSN 3 exist? No! Insert SSN 2 Yes. (false positive!)

10 Using False Positives

11 Adjust Bloom filter parameters for desired trade-off between privacy and performance

12 General HospitalAcme Food and Drug Random Intermediary Query Execution Prescription record with name/address stripped Record access request Yes/no answer Drug interaction query All messages are sent anonymously using a MIX The hospital does not learn the nature of the query The pharmacy does not learn which other drugs the patient is taking The random intermediary cannot do anything nefarious with the data it has received, since that data is out of context Example: A pharmacy checking for drug interactions

13 SELECT EXISTS ( SELECT * FROM conflicts CROSS JOIN nonces INNER JOIN remote(drug_history) ON nonces.nonce = drug_history.nonce WHERE conflicts.drug = drug_history.drug ); query_table drugnonce A____Ω(34) A____Ω(56) B____Ω(34) B____Ω(56) Query to find drug interactions Query formulated at the pharmacy: nonces nonce Ω(34) Ω(56) conflicts drug A____ B____

14 mix_host Split query: data gathering drug_history noncedrug 34A____ SEND ( SELECT nonce,drug FROM drug_history WHERE drug_history.nonce = Ω(34) ); Query sent to the data owner(s):

15 SELECT EXISTS ( SELECT * FROM query_table INNER JOIN drug_history ON query_table.nonce = drug_history.nonce WHERE conflicts.drug = drug_history.drug ); Split query: joining Query executed at the third-party MIX host: result exists 1 drug_history noncedrug 34A____ query_table drugnonce A____Ω(34) A____Ω(56) B____Ω(34) B____Ω(56)

16 Pharmacy mix_host_1 (on hospital’s behalf) mix_host_2 (on other pharmacy’s behalf) Answering the query (no conflict here) YES Is there a conflict? result exists 1 result exists 0 (conflict found)

17 Conclusion and Future Work Selective sharing of personal information across distributed databases –Data privacy –Query privacy –Anonymous communication Working on: how to enforce a policy on which data may be revealed to whom Also: how to prevent data mining attacks?

Download ppt "Privacy-Preserving Data Sharing Michael Siegenthaler Ken Birman Cornell University."

Similar presentations

Interactive lesson about operating system

Interactive lesson about operating system
Directory and Trust Services (D&TS) Define an Abstract Model Purpose: Document a common terminology that the group can use between the various tracks Identify.

Directory and Trust Services (D&TS) Define an Abstract Model Purpose: Document a common terminology that the group can use between the various tracks Identify.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
+ HEALTH INSURANCE: UNDERSTANDING YOUR COVERAGE Navigator Name Blank County Extension UGA Health Navigators.

+ HEALTH INSURANCE: UNDERSTANDING YOUR COVERAGE Navigator Name Blank County Extension UGA Health Navigators.
CS3771 Today: deadlock detection and election algorithms  Previous class Event ordering in distributed systems Various approaches for Mutual Exclusion.

CS3771 Today: deadlock detection and election algorithms  Previous class Event ordering in distributed systems Various approaches for Mutual Exclusion.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.

David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Peer-to-Peer Distributed Search. Peer-to-Peer Networks A pure peer-to-peer network is a collection of nodes or peers that: 1.Are autonomous: participants.

Peer-to-Peer Distributed Search. Peer-to-Peer Networks A pure peer-to-peer network is a collection of nodes or peers that: 1.Are autonomous: participants.
GEPIR What is it? How does it work? Welcome! This is a short introduction to the Global Electronic Party Information Registry – GEPIR for short.

GEPIR What is it? How does it work? Welcome! This is a short introduction to the Global Electronic Party Information Registry – GEPIR for short.
EUropean Best Information through Regional Outcomes in Diabetes Privacy and Disease Registries Technical Aspects Peter Beck JOANNEUM RESEARCH, Austria.

EUropean Best Information through Regional Outcomes in Diabetes Privacy and Disease Registries Technical Aspects Peter Beck JOANNEUM RESEARCH, Austria.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
Vault: A Secure Binding Service Guor-Huar Lu, Changho Choi, Zhi-Li Zhang University of Minnesota.

Vault: A Secure Binding Service Guor-Huar Lu, Changho Choi, Zhi-Li Zhang University of Minnesota.
Responder Anonymity and Anonymous Peer-to-Peer File Sharing. by Vincent Scarlata, Brian Levine and Clay Shields Presentation by Saravanan.

Responder Anonymity and Anonymous Peer-to-Peer File Sharing. by Vincent Scarlata, Brian Levine and Clay Shields Presentation by Saravanan.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Gnutella, Freenet and Peer to Peer Networks By Norman Eng Steven Hnatko George Papadopoulos.

Gnutella, Freenet and Peer to Peer Networks By Norman Eng Steven Hnatko George Papadopoulos.
Tcl Agent : A flexible and secure mobile-agent system Paper by Robert S. Gray Dartmouth College Presented by Vipul Sawhney University of Pennsylvania.

Tcl Agent : A flexible and secure mobile-agent system Paper by Robert S. Gray Dartmouth College Presented by Vipul Sawhney University of Pennsylvania.

Similar presentations

Ads by Google