Enabling Data Confidentiality with Public Blockchains

Blockchain technology is apt to facilitate the automation of multi-party cooperations among various players in a decentralized setting, especially in cases where trust among participants is limited. Transactions are stored in a ledger, a replica of which is retained by every node of the blockchain network. The operations saved thereby are thus publicly accessible. While this aspect enhances transparency, reliability, and persistence, it hinders the utilization of public blockchains for process automation as it violates typical confidentiality requirements in corporate settings. To overcome this issue, we propose our approach named Multi-Authority Approach to Transaction Systems for Interoperating Applications (MARTSIA). Based on Multi-Authority Attribute-Based Encryption (MA-ABE), MARTSIA enables read-access control over shared data at the level of message parts. User-defined policies determine whether an actor can interpret the publicly stored information or not, depending on the actor's attributes declared by a consortium of certifiers. Still, all nodes in the blockchain network can attest to the publication of the (encrypted) data. We provide a formal analysis of the security guarantees of MARTSIA, and illustrate the proof-of-concept implementation over multiple blockchain platforms. To demonstrate its interoperability, we showcase its usage in ensemble with a state-of-the-art blockchain-based engine for multi-party process execution, and three real-world decentralized applications in the context of NFT markets, supply chain, and retail.Comment: arXiv admin note: substantial text overlap with arXiv:2303.1797

Privacy Enhancing Technologies for solving the privacy-personalization paradox : taxonomy and survey

Personal data are often collected and processed in a decentralized fashion, within different contexts. For instance, with the emergence of distributed applications, several providers are usually correlating their records, and providing personalized services to their clients. Collected data include geographical and indoor positions of users, their movement patterns as well as sensor-acquired data that may reveal users’ physical conditions, habits and interests. Consequently, this may lead to undesired consequences such as unsolicited advertisement and even to discrimination and stalking. To mitigate privacy threats, several techniques emerged, referred to as Privacy Enhancing Technologies, PETs for short. On one hand, the increasing pressure on service providers to protect users’ privacy resulted in PETs being adopted. One the other hand, service providers have built their business model on personalized services, e.g. targeted ads and news. The objective of the paper is then to identify which of the PETs have the potential to satisfy both usually divergent - economical and ethical - purposes. This paper identifies a taxonomy classifying eight categories of PETs into three groups, and for better clarity, it considers three categories of personalized services. After defining and presenting the main features of PETs with illustrative examples, the paper points out which PETs best fit each personalized service category. Then, it discusses some of the inter-disciplinary privacy challenges that may slow down the adoption of these techniques, namely: technical, social, legal and economic concerns. Finally, it provides recommendations and highlights several research directions

Privacy in the Smart City - Applications, Technologies, Challenges and Solutions

Many modern cities strive to integrate information technology into every aspect of city life to create so-called smart cities. Smart cities rely on a large number of application areas and technologies to realize complex interactions between citizens, third parties, and city departments. This overwhelming complexity is one reason why holistic privacy protection only rarely enters the picture. A lack of privacy can result in discrimination and social sorting, creating a fundamentally unequal society. To prevent this, we believe that a better understanding of smart cities and their privacy implications is needed. We therefore systematize the application areas, enabling technologies, privacy types, attackers and data sources for the attacks, giving structure to the fuzzy term “smart city”. Based on our taxonomies, we describe existing privacy-enhancing technologies, review the state of the art in real cities around the world, and discuss promising future research directions. Our survey can serve as a reference guide, contributing to the development of privacy-friendly smart cities

Towards assessing information privacy in microblogging online social networks. The IPAM framework

Les xarxes socials en línia incorporen diferents formes de comunicació interactiva com serveis de microblogs, compartició de fitxers multimèdia o xarxes de contactes professionals. En els últims anys han augmentat els escàndols públics en relació amb pràctiques qüestionables de la indústria de les xarxes socials pel que fa a la privacitat. Així, doncs, cal una avaluació efectiva i eficient del nivell de privacitat en les xarxes socials en línia. El focus de la present tesi és la construcció d'un esquema (IPAM) per a identificar i avaluar el nivell de privacitat proporcionat per les xarxes socials en línia, en particular per als serveis de microblogs. L'objectiu d'IPAM és ajudar els usuaris a identificar els riscos relacionats amb les seves dades. L'esquema també permet comparar el nivell de protecció de la privacitat entre diferents sistemes analitzats, de manera que pugui ser també utilitzat per proveïdors de servei i desenvolupadors per a provar i avaluar els seus sistemes i si les tècniques de privacitat usades són eficaces i suficients.Las redes sociales en línea incorporan diferentes formas de comunicación interactiva como servicios de microblogueo, compartición de ficheros multimedia o redes de contactos profesionales. En los últimos años han aumentado los escándalos públicos relacionados con prácticas cuestionables de la industria de las redes sociales en relación con la privacidad. Así pues, es necesaria una evaluación efectiva y eficiente del nivel de privacidad en las redes sociales en línea. El foco de la presente tesis es la construcción de un esquema (IPAM) para identificar y evaluar el nivel de privacidad proporcionado por las redes sociales en línea, en particular para los servicios de microblogueo. El objetivo de IPAM es ayudar a los usuarios a identificar los riesgos relacionados con sus datos. El esquema también permite comparar el nivel de protección de la privacidad entre diferentes sistemas analizados, de modo que pueda ser también utilizado por proveedores de servicio y desarrolladores para probar y evaluar sus sistemas y si las técnicas de privacidad usadas son eficaces y suficientes.Online social networks (OSNs) incorporate different forms of interactive communication, including microblogging services, multimedia sharing and business networking, among others. In recent years there has been an increase in the number of privacy-related public scandals involving questionable data handling practices in OSNs. This situation calls for an effective and efficient evaluation of the privacy level provided by such services. In this thesis, we take initial steps towards developing an information privacy assessment framework (IPAM framework) to compute privacy scores for online social networks in general, and microblogging OSNs in particular. The aim of the proposed framework is to help users identify personal data-related risks and how their privacy is protected when using one OSN or another. The IPAM framework also allows for a comparison between different systems' privacy protection level. This gives system providers, not only an idea of how they are positioned in the market vis-à-vis their competitors, but also recommendations on how to enhance their services

Privacy engineering for social networks

In this dissertation, I enumerate several privacy problems in online social networks (OSNs) and describe a system called Footlights that addresses them. Footlights is a platform for distributed social applications that allows users to control the sharing of private information. It is designed to compete with the performance of today's centralised OSNs, but it does not trust centralised infrastructure to enforce security properties. Based on several socio-technical scenarios, I extract concrete technical problems to be solved and show how the existing research literature does not solve them. Addressing these problems fully would fundamentally change users' interactions with OSNs, providing real control over online sharing. I also demonstrate that today's OSNs do not provide this control: both user data and the social graph are vulnerable to practical privacy attacks. Footlights' storage substrate provides private, scalable, sharable storage using untrusted servers. Under realistic assumptions, the direct cost of operating this storage system is less than one US dollar per user-year. It is the foundation for a practical shared filesystem, a perfectly unobservable communications channel and a distributed application platform. The Footlights application platform allows third-party developers to write social applications without direct access to users' private data. Applications run in a confined environment with a private-by-default security model: applications can only access user information with explicit user consent. I demonstrate that practical applications can be written on this platform. The security of Footlights user data is based on public-key cryptography, but users are able to log in to the system without carrying a private key on a hardware token. Instead, users authenticate to a set of authentication agents using a weak secret such as a user-chosen password or randomly-assigned 4-digit number. The protocol is designed to be secure even in the face of malicious authentication agents.This work was supported by the Rothermere Foundation and the Natural Sciences and Engineering Research Council of Canada (NSERC)

Privacy-preserving spatiotemporal multicast for mobile information services

Mobile devices have become essential for accessing information services anywhere at any time. While the so-called geographic multicast (geocast) has been considered in detail in existing research, it only focuses on delivering messages to all mobile devices that are currently residing within a certain geographic area. This thesis extends this notion by introducing a Spatiotemporal Multicast (STM), which can informally be described as a "geocast into the past". Instead of addressing users based on their current locations, this concept relates to the challenge of sending a message to all devices that have resided within a geographic area at a certain time in the past. While a wide variety of applications can be envisioned for this concept, it presents several challenges to be solved. In order to deliver messages to all past visitors of a certain location, an STM service would have to fully track all user movements at all times. However, collecting this kind of information is not desirable considering the underlying privacy implications, i.e., users may not wish to be identified by the sender of a message as this can disclose sensitive personal information. Consequently, this thesis aims to provide a privacy-preserving notion of STM. In order to realize such a service, this work first presents a detailed overview of possible applications. Based on those, functional, non-functional, as well as security and privacy objectives are proposed. These objectives provide the foundation for an in-depth literature review of potential mechanisms for realizing an STM service. Among the suggested options, the most promising relies on Rendezvous Points (RPs) for datagram delivery. In simple terms, RPs represent "anonymous mailboxes" that are responsible for certain spatiotemporal regions. Messages are deposited at RPs so that users can retrieve them later on. Protecting the privacy of users then translates to obfuscating the responsibilities of RPs for specific spatiotemporal regions. This work proposes two realizations: CSTM, which relies on cryptographic hashing, and OSTM, which considers the use of order-preserving encryption in a CAN overlay. Both approaches are evaluated and compared in detail with respect to the given objectives. While OSTM yields superior performance-related properties, CSTM provides an increased ability of protecting the privacy of users.Mobilgeräte bilden heute die Grundlage allgegenwärtiger Informationsdienste. Während der sogenannte geografische Multicast (Geocast) hier bereits ausführlich erforscht worden ist, so bezieht sich dieser nur auf Geräte, welche sich aktuell innerhalb einer geografischen Zielregion befinden. Diese Arbeit erweitert dieses Konzept durch einen räumlich-zeitlichen Multicast, welcher sich informell als "Geocast in die Vergangenheit" beschreiben lässt. Dabei wird die Zustellung einer Nachricht an alle Nutzer betrachtet, die sich in der Vergangenheit an einem bestimmten Ort aufgehalten haben. Während eine Vielzahl von Anwendungen für dieses Konzept denkbar ist, so ergeben sich hier mehrere Herausforderungen. Um Nachrichten an ehemalige Besucher eines Ortes senden zu können, müsste ein räumlich-zeitlicher Multicast-Dienst die Bewegungen aller Nutzer vollständig erfassen. Aus Gründen des Datenschutzes ist das zentralisierte Sammeln solch sensibler personenbezogener Daten jedoch nicht wünschenswert. Diese Arbeit befasst sich daher insbesondere mit dem Schutz der Privatsphäre von Nutzern eines solchen Dienstes. Zur Entwicklung eines räumlich-zeitlichen Multicast-Dienstes erörtert diese Arbeit zunächst mögliche Anwendungen. Darauf aufbauend werden funktionale, nicht-funktionale, sowie Sicherheits- und Privatsphäre-relevante Anforderungen definiert. Diese bilden die Grundlage einer umfangreichen Literaturrecherche relevanter Realisierungstechniken. Der vielversprechendste Ansatz basiert hierbei auf der Hinterlegung von Nachrichten in sogenannten Rendezvous Points. Vereinfacht betrachtet stellen diese "anonyme Briefkästen" für bestimmte räumlich-zeitliche Regionen dar. Nachrichten werden in diesen so hinterlegt, dass legitime Empfänger sie dort später abholen können. Der Schutz der Nutzer-Privatsphäre entspricht dann der Verschleierung der Zuständigkeiten von Rendezvous Points für verschiedene räumlich-zeitliche Regionen. Diese Arbeit schlägt zwei Ansätze vor: CSTM, welches kryptografische Hashfunktionen nutzt, sowie OSTM, welches ordnungserhaltende Verschlüsselung in einem CAN Overlay einsetzt. Beide Optionen werden detailliert analytisch sowie empirisch bezüglich ihrer Diensteigenschaften untersucht und verglichen. Dabei zeigt sich, dass OSTM vorteilhaftere Leistungseigenschaften besitzt, während CSTM einen besseren Schutz der Nutzer-Privatsphäre bietet

Identity Management and Authorization Infrastructure in Secure Mobile Access to Electronic Health Records

We live in an age of the mobile paradigm of anytime/anywhere access, as the mobile device is the most ubiquitous device that people now hold. Due to their portability, availability, easy of use, communication, access and sharing of information within various domains and areas of our daily lives, the acceptance and adoption of these devices is still growing. However, due to their potential and raising numbers, mobile devices are a growing target for attackers and, like other technologies, mobile applications are still vulnerable. Health information systems are composed with tools and software to collect, manage, analyze and process medical information (such as electronic health records and personal health records). Therefore, such systems can empower the performance and maintenance of health services, promoting availability, readability, accessibility and data sharing of vital information about a patients overall medical history, between geographic fragmented health services. Quick access to information presents a great importance in the health sector, as it accelerates work processes, resulting in better time utilization. Additionally, it may increase the quality of care. However health information systems store and manage highly sensitive data, which raises serious concerns regarding patients privacy and safety, and may explain the still increasing number of malicious incidents reports within the health domain. Data related to health information systems are highly sensitive and subject to severe legal and regulatory restrictions, that aim to protect the individual rights and privacy of patients. Along side with these legislations, security requirements must be analyzed and measures implemented. Within the necessary security requirements to access health data, secure authentication, identity management and access control are essential to provide adequate means to protect data from unauthorized accesses. However, besides the use of simple authentication models, traditional access control models are commonly based on predefined access policies and roles, and are inflexible. This results in uniform access control decisions through people, different type of devices, environments and situational conditions, and across enterprises, location and time. Although already existent models allow to ensure the needs of the health care systems, they still lack components for dynamicity and privacy protection, which leads to not have desire levels of security and to the patient not to have a full and easy control of his privacy. Within this master thesis, after a deep research and review of the stat of art, was published a novel dynamic access control model, Socio-Technical Risk-Adaptable Access Control modEl (SoTRAACE), which can model the inherent differences and security requirements that are present in this thesis. To do this, SoTRAACE aggregates attributes from various domains to help performing a risk assessment at the moment of the request. The assessment of the risk factors identified in this work is based in a Delphi Study. A set of security experts from various domains were selected, to classify the impact in the risk assessment of each attribute that SoTRAACE aggregates. SoTRAACE was integrated in an architecture with requirements well-founded, and based in the best recommendations and standards (OWASP, NIST 800-53, NIST 800-57), as well based in deep review of the state-of-art. The architecture is further targeted with the essential security analysis and the threat model. As proof of concept, the proposed access control model was implemented within the user-centric architecture, with two mobile prototypes for several types of accesses by patients and healthcare professionals, as well the web servers that handles the access requests, authentication and identity management. The proof of concept shows that the model works as expected, with transparency, assuring privacy and data control to the user without impact for user experience and interaction. It is clear that the model can be extended to other industry domains, and new levels of risks or attributes can be added because it is modular. The architecture also works as expected, assuring secure authentication with multifactor, and secure data share/access based in SoTRAACE decisions. The communication channel that SoTRAACE uses was also protected with a digital certificate. At last, the architecture was tested within different Android versions, tested with static and dynamic analysis and with tests with security tools. Future work includes the integration of health data standards and evaluating the proposed system by collecting users’ opinion after releasing the system to real world.Hoje em dia vivemos em um paradigma móvel de acesso em qualquer lugar/hora, sendo que os dispositivos móveis são a tecnologia mais presente no dia a dia da sociedade. Devido à sua portabilidade, disponibilidade, fácil manuseamento, poder de comunicação, acesso e partilha de informação referentes a várias áreas e domínios das nossas vidas, a aceitação e integração destes dispositivos é cada vez maior. No entanto, devido ao seu potencial e aumento do número de utilizadores, os dispositivos móveis são cada vez mais alvos de ataques, e tal como outras tecnologias, aplicações móveis continuam a ser vulneráveis. Sistemas de informação de saúde são compostos por ferramentas e softwares que permitem recolher, administrar, analisar e processar informação médica (tais como documentos de saúde eletrónicos). Portanto, tais sistemas podem potencializar a performance e a manutenção dos serviços de saúde, promovendo assim a disponibilidade, acessibilidade e a partilha de dados vitais referentes ao registro médico geral dos pacientes, entre serviços e instituições que estão geograficamente fragmentadas. O rápido acesso a informações médicas apresenta uma grande importância para o setor da saúde, dado que acelera os processos de trabalho, resultando assim numa melhor eficiência na utilização do tempo e recursos. Consequentemente haverá uma melhor qualidade de tratamento. Porém os sistemas de informação de saúde armazenam e manuseiam dados bastantes sensíveis, o que levanta sérias preocupações referentes à privacidade e segurança do paciente. Assim se explica o aumento de incidentes maliciosos dentro do domínio da saúde. Os dados de saúde são altamente sensíveis e são sujeitos a severas leis e restrições regulamentares, que pretendem assegurar a proteção dos direitos e privacidade dos pacientes, salvaguardando os seus dados de saúde. Juntamente com estas legislações, requerimentos de segurança devem ser analisados e medidas implementadas. Dentro dos requerimentos necessários para aceder aos dados de saúde, uma autenticação segura, gestão de identidade e controlos de acesso são essenciais para fornecer meios adequados para a proteção de dados contra acessos não autorizados. No entanto, além do uso de modelos simples de autenticação, os modelos tradicionais de controlo de acesso são normalmente baseados em políticas de acesso e cargos pré-definidos, e são inflexíveis. Isto resulta em decisões de controlo de acesso uniformes para diferentes pessoas, tipos de dispositivo, ambientes e condições situacionais, empresas, localizações e diferentes alturas no tempo. Apesar dos modelos existentes permitirem assegurar algumas necessidades dos sistemas de saúde, ainda há escassez de componentes para accesso dinâmico e proteção de privacidade , o que resultam em níveis de segurança não satisfatórios e em o paciente não ter controlo directo e total sobre a sua privacidade e documentos de saúde. Dentro desta tese de mestrado, depois da investigação e revisão intensiva do estado da arte, foi publicado um modelo inovador de controlo de acesso, chamado SoTRAACE, que molda as diferenças de acesso inerentes e requerimentos de segurança presentes nesta tese. Para isto, o SoTRAACE agrega atributos de vários ambientes e domínios que ajudam a executar uma avaliação de riscos, no momento em que os dados são requisitados. A avaliação dos fatores de risco identificados neste trabalho são baseados num estudo de Delphi. Um conjunto de peritos de segurança de vários domínios industriais foram selecionados, para classificar o impacto de cada atributo que o SoTRAACE agrega. O SoTRAACE foi integrado numa arquitectura para acesso a dados médicos, com requerimentos bem fundados, baseados nas melhores normas e recomendações (OWASP, NIST 800-53, NIST 800-57), e em revisões intensivas do estado da arte. Esta arquitectura é posteriormente alvo de uma análise de segurança e modelos de ataque. Como prova deste conceito, o modelo de controlo de acesso proposto é implementado juntamente com uma arquitetura focada no utilizador, com dois protótipos para aplicações móveis, que providênciam vários tipos de acesso de pacientes e profissionais de saúde. A arquitetura é constituída também por servidores web que tratam da gestão de dados, controlo de acesso e autenticação e gestão de identidade. O resultado final mostra que o modelo funciona como esperado, com transparência, assegurando a privacidade e o controlo de dados para o utilizador, sem ter impacto na sua interação e experiência. Consequentemente este modelo pode-se extender para outros setores industriais, e novos níveis de risco ou atributos podem ser adicionados a este mesmo, por ser modular. A arquitetura também funciona como esperado, assegurando uma autenticação segura com multi-fator, acesso e partilha de dados segura baseado em decisões do SoTRAACE. O canal de comunicação que o SoTRAACE usa foi também protegido com um certificado digital. A arquitectura foi testada em diferentes versões de Android, e foi alvo de análise estática, dinâmica e testes com ferramentas de segurança. Para trabalho futuro está planeado a integração de normas de dados de saúde e a avaliação do sistema proposto, através da recolha de opiniões de utilizadores no mundo real

Security in Internet of Things: networked smart objects.

Internet of Things (IoT) is an innovative paradigm approaching both industries and humans every-day life. It refers to the networked interconnection of every-day objects, which are equipped with ubiquitous intelligence. It not only aims at increasing the ubiquity of the Internet, but also at leading towards a highly distributed network of devices communicating with human beings as well as with other devices. Thanks to rapid advances in underlying technologies, IoT is opening valuable opportunities for a large number of novel applications, that promise to improve the quality of humans lives, facilitating the exchange of services. In this scenario, security represents a crucial aspect to be addressed, due to the high level of heterogeneity of the involved devices and to the sensibility of the managed information. Moreover, a system architecture should be established, before the IoT is fully operable in an efficient, scalable and interoperable manner. The main goal of this PhD thesis concerns the design and the implementation of a secure and distributed middleware platform tailored to IoT application domains. The effectiveness of the proposed solution is evaluated by means of a prototype and real case studies

Data Spaces

This open access book aims to educate data space designers to understand what is required to create a successful data space. It explores cutting-edge theory, technologies, methodologies, and best practices for data spaces for both industrial and personal data and provides the reader with a basis for understanding the design, deployment, and future directions of data spaces. The book captures the early lessons and experience in creating data spaces. It arranges these contributions into three parts covering design, deployment, and future directions respectively. The first part explores the design space of data spaces. The single chapters detail the organisational design for data spaces, data platforms, data governance federated learning, personal data sharing, data marketplaces, and hybrid artificial intelligence for data spaces. The second part describes the use of data spaces within real-world deployments. Its chapters are co-authored with industry experts and include case studies of data spaces in sectors including industry 4.0, food safety, FinTech, health care, and energy. The third and final part details future directions for data spaces, including challenges and opportunities for common European data spaces and privacy-preserving techniques for trustworthy data sharing. The book is of interest to two primary audiences: first, researchers interested in data management and data sharing, and second, practitioners and industry experts engaged in data-driven systems where the sharing and exchange of data within an ecosystem are critical