Privacy-Preserving Attribution and Provenance
UC San Diego & University of Washington
Alex C. Snoeren & Yoshi Kohno, PIs
Stefan Savage, Amin Vahdat, Geoff Voelker (UCSD)
Privacy-respecting forensics
Privacy: No extra information to “bad guys”.
Attributable / trackable: Can track the “bad guys” with special “properties”
Violate privacy: “Bad guys” can “track” the “good guys” without intended “special properties”
Avoid attribution / tracking: “Bad guys” can circumvent “tracking”
Evidence-based security research
Pursue a two-pronged research agenda:
Long-term “clean slate” architectural design, grounded in
Principled work on today’s concrete security environment
Obvious analogy to the medical field:
Ongoing, fundamental research into biological processes
Continuously developing treatments for prevalent disease
Each independent process informs and guides the other
A vision for a future Internet
[Figure: two axes, “Strong anonymity” and “Strong forensics”; labels “We are here” and “Can we get here and here simultaneously?”]
What we have today
Each hop and destination might:
Inspect/influence payload
Fingerprint OS
Fingerprint application
Fingerprint physical device
Ad hoc: a skilled attacker can easily fool it, yet the average user still loses privacy
Attributable: Trusted third party can attribute physical origin of every single packet
Verifiable: Every hop and destination can verify that the trusted third party can attribute origin
Anonymous: Unauthorized parties cannot attribute physical origin of packets
What we want
Our System: Clue
Dual Pentium 3.4 GHz, 4 GB RAM; Dual Pentium 3 GHz, 1 GB RAM
CSI/FBI Computer Crime and Security Survey: laptop and mobile device theft is a prevalent and expensive problem: $30k per incident
10% of laptops are lost or stolen in first year
97% of lost or stolen laptops never recovered
Lost/stolen Internet devices
Privacy-respecting recovery
Goal: Recover locations of lost or stolen devices
Timeline:
Owner possession (not lost nor stolen)
Lost or stolen but unmodified
State erased or reset
Machine destroyed
Recoverability: Loss or flea market thief
Location privacy: Tracking service, thief, outsider
[Figure: device posts (I_Ki(T), E_Ki(LocationInfo)) to the lookup service; owner looks up I_Ki(T)]
Adeona
Forward secure PRG to evolve keys over time
Use shared key to compute indices as well as encrypt data
Use DHT to prevent traffic profiling
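The three Adeona bullets above, worked through as an added example (not Adeona's own code): a simplified forward-secure key evolution by hashing, an HMAC-derived index tag I_Ki(T), and a toy stream cipher for E_Ki(LocationInfo), with a Python dict standing in for the DHT. The hash-chain construction, the "key"/"seed" labels and the record format are assumptions for illustration, not the project's actual scheme.

```python
import hashlib
import hmac

# Assumed construction (illustrative, not Adeona's): epoch i holds a seed s_i;
# K_i = H("key" || s_i) and s_{i+1} = H("seed" || s_i). Once the device
# discards s_i, a captured device state yields only keys for later epochs.

def evolve(seed: bytes) -> tuple:
    """Return (K_i, s_{i+1}) for the current seed s_i."""
    key = hashlib.sha256(b"key" + seed).digest()
    next_seed = hashlib.sha256(b"seed" + seed).digest()
    return key, next_seed

def index_tag(key: bytes, epoch: int) -> bytes:
    """I_Ki(T): the DHT lookup index; pseudorandom without K_i, so the
    tracking service cannot link two epochs of the same device."""
    return hmac.new(key, b"index" + epoch.to_bytes(8, "big"), "sha256").digest()

def encrypt(key: bytes, data: bytes) -> bytes:
    """E_Ki(LocationInfo): toy XOR stream cipher with an HMAC keystream.
    (XOR means decryption is the same call; a real deployment would also
    pad records to a fixed size so lengths leak nothing.)"""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, b"enc" + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(data, stream))

class Device:
    """Client side: each epoch derives K_i, stores (I_Ki(T), E_Ki(loc)), wipes s_i."""
    def __init__(self, seed: bytes, dht: dict):
        self.seed, self.dht, self.epoch = seed, dht, 0

    def report(self, location: bytes) -> None:
        key, self.seed = evolve(self.seed)   # old seed is gone after this line
        self.dht[index_tag(key, self.epoch)] = encrypt(key, location)
        self.epoch += 1

def owner_recover(initial_seed: bytes, dht: dict, epochs: int) -> list:
    """Owner keeps s_0 offline, replays the evolution, and pulls its records."""
    found, seed = [], initial_seed
    for t in range(epochs):
        key, seed = evolve(seed)
        blob = dht.get(index_tag(key, t))
        if blob is not None:
            found.append(encrypt(key, blob))   # decrypt == encrypt for XOR stream
    return found
```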
Our goal: Determine feasibility of putting privacy-respecting attribution into the network
But lots of issues, including: Who should be the trusted third party?
The Internet is multi-national
Remember the Clipper Chip? Intel’s Processor Serial Number?
Politics and technology