Slide 1: Vanishing Documents: Impact on Privacy
George B. Dobbs, Chief Architect & Director Shared Services, Knights of Columbus Supreme Council
Slide 2: Knights of Columbus
- Fraternal Benefit Society with 1.7M members
- United States, Canada, Latin America, Philippines & Poland
- Membership driven
- Insures its members and their families: whole life, term life, fixed annuities and long term care products
- Career Agency System, ~1400 agents
- Fortune 997, ~1.5 B revenue
Slide 3: Ephemeral Documents
- Give access, but only for a while
  - Owner's copies are still valid
  - Correspondent not fully trusted
  - Example: shopping a business plan
- Intentional forgetting
  - All copies vanish after an interval
  - Correspondent trusted but lazy
  - Example: frank conversation in email, later to be regretted
Slide 4: Provide Access Only for a While
- Encrypt but control key access
- Correspondent must get the key each time (central control), or the key is stored locally for a while for offline use
- Requires client side container/code that could be attacked
- Commercial products in the Digital Rights Management category
- Subject to legal or technical attacks on the key holder
Slide 5: Intentional Forgetting
- Encrypt, but key access is removed after a while
- No action needed by user
- No retroactive retrieval by an adversary, even from storage such as caches, mail routers or backup tapes
- No one can access after the interval expires; even the owner has no access to the key
- Research project at U. Washington
- Subject to key capture during the interval
- Correspondent may copy the message during the interval
Slide 6: Vanish Research Project
- University of Washington (Aug 2009)
- Use cases focus on trusted but lazy correspondents
- Splits the symmetric key into parts
- Used an open distributed hash table
Slide 7: Avoiding a Centralized Store
- Distributed Hash Tables
- Used for many P2P applications
- Academic studies since 2001
- Unless refreshed, the DHT times out entries
Slide 8: Preparing a Vanishing Data Object
- Pick a random symmetric key, K
- Encrypt the user data locally, yielding C
- Pick a seed, L, for pseudo random number generation
- Use L to generate indices in the hash table x_1..x_n
- Divide the key into pieces k_1..k_n where m parts are needed to compute the key, K (Shamir Secret Sharing)
- put(x_i, k_i) for i = 1 to n
- Destroy the local copy of the key
- Send {C, L} to the correspondent
Slide 9: How Vanish Works
[Diagram: Ann runs Vanish Encapsulate(data, timeout). C = E_K(data); K is split by Secret Sharing (M of N) into k_1, k_2, k_3 ... k_N, which are stored at random indexes in the World-Wide DHT. The Vanish Data Object VDO = {C, L} is sent to Carla.]
Slide 10: How Vanish Works (continued)
[Diagram: Carla runs Vanish Decapsulate(VDO = {C, L}). L regenerates the random indexes, the shares k_1, k_3 ... k_N still present are fetched from the World-Wide DHT (k_2 is shown separately, marked X), Secret Sharing (M of N) recovers K, and data = D_K(C).]
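As an added illustration of the encapsulate/decapsulate flow on slides 8 to 10 (example code, not the Vanish project's own; Python, with a simulated expiring DHT, a toy SHA-256 keystream standing in for the real symmetric cipher, and constructed parameters N=10 shares, M=7 needed):

```python
import hashlib, math, random, secrets

PRIME = 2**127 - 1   # field for Shamir shares (assumption: any prime larger than K works)
N, M = 10, 7         # constructed parameters: N shares stored in the DHT, M needed to rebuild K

def split_key(k, n, m):
    # Shamir secret sharing: random degree m-1 polynomial f with f(0) = k; share i is (i, f(i))
    coeffs = [k] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(i, sum(c * pow(i, j, PRIME) for j, c in enumerate(coeffs)) % PRIME) for i in range(1, n + 1)]

def recover_key(shares):
    # Lagrange interpolation at x = 0 over GF(PRIME); any M shares with distinct x suffice
    k = 0
    for xi, yi in shares:
        others = [xj for xj, _ in shares if xj != xi]
        num = math.prod(-xj for xj in others) % PRIME
        den = math.prod(xi - xj for xj in others) % PRIME
        k = (k + yi * num * pow(den, -1, PRIME)) % PRIME
    return k

def xor_cipher(key, data):
    # toy stand-in for E_K / D_K: SHA-256 counter-mode keystream XOR (not the real cipher)
    stream = b"".join(hashlib.sha256(key.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class DHT:
    # simulated world-wide DHT: an entry silently expires `timeout` seconds after put()
    def __init__(self, timeout): self.store, self.timeout = {}, timeout
    def put(self, idx, val, now): self.store[idx] = (val, now + self.timeout)
    def get(self, idx, now):
        entry = self.store.get(idx)
        return entry[0] if entry and now < entry[1] else None

def indices(L, n):
    # the n DHT indices x_1..x_n are derived from seed L, so only L needs to travel with C
    return random.Random(L).sample(range(2**32), n)

def encapsulate(data, dht, now):
    K = secrets.randbelow(PRIME)                          # random symmetric key
    C, L = xor_cipher(K, data), secrets.randbits(64)      # ciphertext and PRNG seed
    for x, share in zip(indices(L, N), split_key(K, N, M)):
        dht.put(x, share, now)                            # put(x_i, k_i)
    return (C, L)                                         # K is dropped here: VDO = {C, L}

def decapsulate(vdo, dht, now):
    C, L = vdo
    shares = [s for x in indices(L, N) if (s := dht.get(x, now)) is not None]
    # fewer than M shares still live in the DHT means the data has vanished, even for Ann
    return None if len(shares) < M else xor_cipher(recover_key(shares[:M]), C)
```

Up to N-M shares may be lost or expire early and K still comes back; once the DHT timeout passes, neither Carla nor Ann can recover it.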
Slide 11: The Firefox Plug-in
- Implemented as an extension to the GPG plug-in
- Entirely client side
- Shows potential for becoming mainstream
Slide 12: Attack
- Defeating Vanish (Sep 2009)
- Researchers showed it feasible to infiltrate the open DHT and record all keys
- Originators responded with improvements: use a hybrid of open and closed DHT; the closed DHT restricts entry of nodes into the system
Slide 13: End of Technical Part
- Next section scratches at possible issues from an Enterprise point of view
- Please suggest your own thoughts.
Slide 14: Organizational Dilemmas
- Let's suppose the vanish ability becomes mainstream
- What kinds of scenarios can we dream up?
Slide 15: Litigation Holds
- Legal framework: stop the clock on document destruction
- Clearly this prohibits organizations from originating these documents
- If someone does create a VDO: keys and plaintext are gone, but the ciphertext is evidence that the document existed
- What controls can we envision to prevent their use?
Slide 16: Inbound Communications
- VDOs could come from 'outside'
- Are there business reasons to allow this?
- What about going 'out' to visit a VDO?
- Are there cases when a VDO should not be opened?
- Are there cases when it must be opened?
Slide 17: Business Uses
- Probably few legitimate uses for large commercial enterprises
- Customer Service
- Brand Management
- Public Safety
- Attorneys under privilege
Slide 18: Going Outside to View
- Go to a website to view a VDO: does that constitute corporate knowledge?
- Company uses a social networking site to stay in contact with customers, for customer service, say
- Since VDO is mainstream, a user turns it on for ALL communications, thinking that safer
- But for the enterprise, it's a business transaction
- So.... does it need to be 'imported' for preservation? Capture the key and ciphertext, or just the plaintext?
Slide 19: Letting VDOs In
- Email with a vanishing data object. Options:
  1. Detect and prevent entry, like spam
  2. Allow in, but prevent acquisition of keys, through network policy
  3. Allow in, but decode passing through the gateway
  4. Allow in with quarantine & special handling
- Is there a duty to preserve it? For e-Discovery?
- Would the court consider the unpacked as equivalent? To prove it is equivalent you'd need the key
Slide 20: For Safety, Must Open
- Suppose the clear text subject line contains a threat: "Bomb active. Defuse instructions enclosed"
- Mail is received but enterprise policies prevent acquisition of the key
- This scenario indicates some sort of handling
Slide 21: Brand Buzz
- Corporations sometimes watch what is being said about them in public venues
- If the social network acts as an amplifier/repeater, and the VDOs time out in, say, 8 hours, the watcher's scan cycle time would need to be less than the timeout
- If today a daily scan is adequate, it might need to be every few hours
Slide 22: Outbound Communications
- Lying to a customer: an EE or Agent promises something; controllable on internal equipment/email
- Employee sends stolen company info: User A with enterprise IP goes to sneaky.com; under the cover of HTTPS writes a VDO with internal information; User B (an investor, foreign power etc.) reads the info
- In order to stop it: blacklist sneaky.com; terminate SSL at the border; intercept & decode, possibly quarantine; prevent anything that appears further encrypted
Slide 23: Not, Perhaps, Jericho, But
- Millions of consumer computers harnessed to provide some privacy
- Is an example of how the walled garden model of the enterprise may no longer be sufficient
Slide 24: References
- Vanish: Self-Destructing Digital Data, http://vanish.cs.washington.edu/
- New Technology to Make Digital Data Self-Destruct, http://www.nytimes.com/2009/07/21/science/21crypto.html
- Distributed Hash Tables, http://en.wikipedia.org/wiki/Distributed_hash_table
- Attack: http://z.cs.utexas.edu/users/osa/unvanish/papers/vanish-broken.pdf
- Vanishing E-mail and Electronically Stored Information: an E-Discovery Hazard, http://www.rlgsc.com/blog/ruminations/vanishing-electronic-data-ediscovery.html