Privacy Enhancing Protocols using Pairing Based Cryptography
This thesis presents privacy-enhanced cryptographic constructions,
consisting of formal definitions, algorithms and motivating
applications. The contributions are a step towards the development of
cryptosystems which, from the design phase, incorporate privacy as a
primary goal. Privacy offers individuals a form of protection over
personal and other sensitive data, and has been the subject of much
study in recent years.
Our constructions are based on a special type of algebraic group called
bilinear groups. We present existing cryptographic constructions which
use bilinear pairings, namely Identity-Based Encryption (IBE). We define
a desirable property of digital signatures, blindness, and present new
IBE constructions which incorporate this property.
Blindness is a desirable feature from a privacy perspective as it allows
an individual to obscure elements such as personal details in the data
it presents to a third party. In IBE, blinding focuses on obscuring
elements of the identity string which an individual presents to the key
generation centre. This protects an individual's privacy in a direct
manner by allowing her to blind sensitive elements of the identity
string and also prevents a key generation centre from subsequently
producing decryption keys using her full identity string. Using blinding
techniques, the key generation centre does not learn the full identity
string.
In this thesis, we study selected provably-secure cryptographic
constructions. Our contribution is to reconsider the design of such
constructions with a view to incorporating privacy. We present the new,
privacy-enhanced cryptographic protocols using these constructions as
primitives. We refine useful existing security notions and present
feasible security definitions and proofs for these constructions.
Towards an auditable cryptographic access control to high-value sensitive data
We discuss the challenge of achieving auditable key management for cryptographic access control to high-value sensitive data. In such settings it is important to be able to audit the key management process, and in particular to be able to provide verifiable proofs of key generation. Auditable key management has several possible use cases in both the civilian and military worlds. In particular, new regulations for the protection of sensitive personal data, such as GDPR, introduce strict requirements for the handling of personal data and apply a very restrictive definition of what can be considered personal data. Cryptographic access control for personal data has the potential to become extremely important for preserving industry's ability to innovate while protecting the subject's privacy, especially in the context of widely deployed modern monitoring, tracking and profiling capabilities used by both governmental institutions and high-tech companies. However, in general, encrypted data is still considered personal under GDPR and therefore cannot be, e.g., stored or processed in a public cloud or distributed ledger. In our work we propose an identity-based cryptographic framework that ensures confidentiality, availability and integrity of data while potentially remaining compliant with the GDPR framework.
Anonymity and Software Agents: An Interdisciplinary Challenge
Public Key Encryption with Keyword Search from Lattices in Multiuser Environments
A public key encryption scheme with keyword search capabilities is proposed using lattices for applications in multiuser environments. The proposed scheme enables a cloud server to check whether any given encrypted data contains certain keywords specified by multiple users, but the server learns neither the keywords specified by the users nor the contents of the encrypted data, which provides data privacy as well as privacy for user queries in multiuser environments. It can be proven secure under the standard learning with errors assumption in the random oracle model.
Secure Remote Storage of Logs with Search Capabilities
Master's dissertation in Informatics Engineering.
Alongside the use of cloud-based services, infrastructure and storage, the use of application logs
in business-critical applications is a standard practice nowadays. Such application logs must be stored
in an accessible manner in order to be used whenever needed. The debugging of these applications is a
common situation where such access is required. Frequently, part of the information contained in log
records is sensitive.
This work proposes a new approach to storing critical logs in cloud-based storage, resorting to
searchable encryption, inverted indexing and hash chaining techniques to achieve, in a unified way, the
needed privacy, integrity and authenticity while maintaining server-side searching capabilities for the logs'
owner.
The designed search algorithm enables conjunctive keyword queries plus a fine-grained search
supported by field searching and nested queries, which are essential in the referred use case. To the
best of our knowledge, the proposed solution is also the first to introduce a query language that enables
complex conjunctive keyword queries and a fine-grained search backed by field searching and subqueries.
The generation of application logs and their later querying are central to the operation of any
business or company. These logs can be used for eventual audit actions, since
they establish a baseline of the operations performed. They also serve the purpose of identifying
errors, facilitating debugging and diagnosing performance bottlenecks. Typically, most
of the information contained in these logs is considered sensitive.
When these logs are stored in-house, considerations related to anonymisation,
confidentiality and integrity are generally disregarded. However, with the advent of cloud
platforms and the migration of both applications and their logs to these ecosystems, remote,
secure and confidential logging processes emerge as a new challenge. Additionally, regulation
such as the GDPR requires institutions and companies to guarantee the secure storage of data.
The most common way to guarantee confidentiality is to use cryptographic techniques
to encrypt all of the data before transferring it to the remote server. If
search capabilities are needed, the simplest approach is to transfer all the encrypted data
to the client side, which decrypts it and searches over the decrypted data.
Although this approach guarantees the confidentiality and privacy of the data, it quickly becomes
impractical with the normal growth of log records. Additionally, this approach does not make
use of the full potential the cloud has to offer.
Based on this subject, this thesis proposes the development of a solution for storing
operational logs confidentially, with integrity and authenticity, making use of the storage
and computation capabilities of cloud platforms. Additionally, the ability to search over
the data is kept. That search is performed server-side directly over the encrypted data, without
the server ever having access to unencrypted data.
Pudding: Private User Discovery in Anonymity Networks
Anonymity networks allow messaging with metadata privacy, providing better
privacy than popular encrypted messaging applications. However, contacting a
user on an anonymity network currently requires knowing their public key or
similar high-entropy information, as these systems lack a privacy-preserving
mechanism for contacting a user via a short, human-readable username. Previous
research suggests that this is a barrier to widespread adoption.
In this paper we propose Pudding, a novel private user discovery protocol
that allows a user to be contacted on an anonymity network knowing only their
email address. Our protocol hides contact relationships between users, prevents
impersonation, and conceals which usernames are registered on the network.
Pudding is Byzantine fault tolerant, remaining available and secure as long as
less than one third of servers are crashed, unavailable, or malicious. It can
be deployed on Loopix and Nym without changes to the underlying anonymity
network protocol, and it supports mobile devices with intermittent network
connectivity. We demonstrate the practicality of Pudding with a prototype using
the Nym anonymity network. We also formally define the security and privacy
goals of our protocol and conduct a thorough analysis to assess its compliance
with these definitions.
Comment: Accepted at the IEEE Symposium on Security and Privacy (S&P) 202
Improved Data Confidentiality of Audit Trail Data in Multi-Tenant Cloud
Cloud computing is the delivery of services rather than a product, and among the different cloud deployment models, the public cloud provides improved scalability and cost reduction compared to the others. Security and privacy of data is one of the key factors in transitioning to the cloud. Typically, cloud providers have a demilitarized zone protecting the data center along with a reverse proxy setup. The reverse proxy gateway acts as the initial access point and provides additional capabilities such as load balancing, caching, and security monitoring that captures events and syslogs related to the hosts residing in the cloud. The audit-trail logs captured by the reverse proxy server comprise important information related to all the tenants. While PKI infrastructure works in the cloud scenario, it becomes cumbersome from a manageability point of view and lacks flexibility in providing controlled access to data. In this paper we evaluate the risks associated with the security and privacy of audit logs produced by a reverse proxy server. We provide a two-phase approach for sharing the audit logs with users that allows fine-grained access. We also evaluate certain Identity-Based and Attribute-Based Encryption schemes and provide a detailed analysis of their performance.