Vanishing Documents Impact on Privacy

Description: PowerPoint presentation, 24 slides. George B. Dobbs, Chief Architect & Director Shared Services, Knights of Columbus Supreme Council. Knights of Columbus: Fraternal Benefit Society with 1.7M members in the United States, Canada, Latin America, Philippines & Poland; membership driven.

Transcript of Vanishing Documents Impact on Privacy

Page 1: Vanishing Documents Impact on Privacy

VANISHING DOCUMENTS: IMPACT ON PRIVACY

George B. Dobbs, Chief Architect & Director Shared Services, Knights of Columbus Supreme Council

Page 2: Vanishing Documents Impact on Privacy

KNIGHTS OF COLUMBUS
• Fraternal Benefit Society with 1.7M members
• United States, Canada, Latin America, Philippines & Poland
• Membership driven
• Insures its members and their families
  • Whole life, Term life, Fixed annuities and Long term care products
• Career Agency System, ~1400 agents
• Fortune 997, ~1.5 B Revenue

Page 3: Vanishing Documents Impact on Privacy

EPHEMERAL DOCUMENTS
• Give access – but only for a while
  • Owner’s copies are still valid
  • Correspondent not fully trusted
  • Example: shopping a business plan
• Intentional forgetting
  • All copies vanish after an interval
  • Correspondent trusted but lazy
  • Example: frank conversation in email, later to be regretted.

Page 4: Vanishing Documents Impact on Privacy

PROVIDE ACCESS ONLY FOR A WHILE
• Encrypt but control key access
  • Correspondent must get the key each time (central control), or
  • Key is stored locally for a while for offline use
    • Requires client side container/code that could be attacked.
• Commercial products in the Digital Rights Management category
• Subject to legal or technical attacks on the key holder

Page 5: Vanishing Documents Impact on Privacy

INTENTIONAL FORGETTING
• Encrypt, but key access is removed after a while
  • No action needed by user
  • No retroactive retrieval by adversary, even from storage such as caches, mail routers or backup tapes
  • No one can access after the interval expires; even the owner has no access to the key
• Research project at U. Washington
• Subject to key capture during the interval
  • Correspondent may copy the message during the interval

Page 6: Vanishing Documents Impact on Privacy

VANISH RESEARCH PROJECT
• University of Washington (Aug 2009)
• Use cases focus on trusted but lazy correspondents
• Splits symmetric key into parts
• Used an open distributed hash table

Page 7: Vanishing Documents Impact on Privacy

AVOIDING A CENTRALIZED STORE
• Distributed Hash Tables
  • Used for many P2P applications
  • Academic studies since 2001
  • Unless refreshed, the DHT times out entries

Page 8: Vanishing Documents Impact on Privacy

PREPARING A VANISHING DATA OBJECT
• Pick a random symmetric key, K
• Encrypt the user data locally, yielding C
• Pick a seed, L, for pseudo random number generation
• Use L to generate indices in the hash table x1..xn
• Divide the key into pieces k1..kn where m parts are needed to compute the key, K (Shamir Secret Sharing)
• put(xi, ki) for i = 1 to n
• Destroy the local copy of the key
• Send {C, L} to the correspondent

Page 9: Vanishing Documents Impact on Privacy

HOW VANISH WORKS

[Figure: encapsulation. Ann runs Vanish Encapsulate(data, timeout): C = EK(data); Secret Sharing (M of N) splits K into k1, k2, k3 ... kN, which are stored in the World-Wide DHT at indices derived from L; the Vanish Data Object VDO = {C, L} goes to Carla.]

Page 10: Vanishing Documents Impact on Privacy

HOW VANISH WORKS

[Figure: decapsulation. Carla runs Vanish Decapsulate(VDO = {C, L}): L regenerates the indices, shares k1, k2, k3 ... kN are fetched from the World-Wide DHT (one share is marked with an X), Secret Sharing (M of N) rebuilds K, and data = DK(C). Ann's side, Encapsulate(data, timeout) with C = EK(data), is shown for comparison.]
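Added worked example (not the Vanish project's own code) that walks through the procedure on the "Preparing a vanishing data object" slide and the encapsulate/decapsulate diagrams above, using a toy in-memory DHT whose entries time out unless refreshed, Shamir secret sharing over a prime field, and PRNG-derived indices from the seed L. The SHA-256 counter keystream standing in for the symmetric cipher, the field prime P, the tick-based clock and the M = 3 of N = 5 split are assumptions of this example.

```python
import hashlib, random, secrets

P = 2**127 - 1   # prime field for Shamir shares; the 120-bit key K lies below it
M, N = 3, 5      # M of N shares are needed to rebuild K

def keystream_xor(key, data):  # stand-in cipher: SHA-256 counter keystream, not Vanish's own
    kb, ks = key.to_bytes(16, "big"), bytearray()
    for i in range(0, len(data), 32):
        ks += hashlib.sha256(kb + i.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def shamir_split(secret, rng):  # random degree-(M-1) polynomial, f(0) = secret, at x = 1..N
    coeffs = [secret] + [rng.randrange(P) for _ in range(M - 1)]
    return [(x, sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P) for x in range(1, N + 1)]

def shamir_join(shares):  # Lagrange interpolation at x = 0 over M distinct shares
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

class DHT:  # toy DHT: an entry expires ttl ticks after its put unless refreshed
    def __init__(self, ttl): self.ttl, self.now, self.store = ttl, 0, {}
    def put(self, idx, val): self.store[idx] = (val, self.now + self.ttl)
    def get(self, idx):
        val, expiry = self.store.get(idx, (None, 0))
        return val if expiry > self.now else None
    def tick(self, t=1): self.now += t

def indices(L, n):  # seed L deterministically yields the DHT indices x1..xn
    r = random.Random(L)
    return [r.getrandbits(64) for _ in range(n)]

def encapsulate(dht, data):
    K, L = secrets.randbits(120), secrets.randbits(64)   # random key and index seed
    C = keystream_xor(K, data)                           # encrypt locally
    for x, share in zip(indices(L, N), shamir_split(K, secrets.SystemRandom())):
        dht.put(x, share)                                # put(xi, ki)
    del K                                                # destroy the local key copy
    return C, L                                          # VDO = {C, L}

def decapsulate(dht, vdo):  # None once fewer than M shares are still live
    C, L = vdo
    shares = [s for s in (dht.get(x) for x in indices(L, N)) if s is not None]
    return None if len(shares) < M else keystream_xor(shamir_join(shares[:M]), C)
```

Anyone holding only {C, L} after the DHT has expired the shares gets None, which is the "no retroactive retrieval" property; during the interval the same {C, L} still decrypts, which is the window in which the key can be captured.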

Page 11: Vanishing Documents Impact on Privacy

THE FIREFOX PLUG IN
• Implemented as an extension to the GPG plug in
• Entirely client side
• Shows potential for becoming mainstream

Page 12: Vanishing Documents Impact on Privacy

ATTACK
• Defeating Vanish (Sep 2009)
• Researchers showed it feasible to infiltrate the open DHT and record all keys
• Originators responded with improvements
  • Use a hybrid of open and closed DHT
  • Closed DHT restricts entry of nodes into the system

Page 13: Vanishing Documents Impact on Privacy

END OF TECHNICAL PART
• Next section scratches at possible issues from an Enterprise point of view
• Please suggest your own thoughts.

Page 14: Vanishing Documents Impact on Privacy

ORGANIZATIONAL DILEMMAS
• Let’s suppose the vanish ability becomes mainstream
• What kinds of scenarios can we dream up?

Page 15: Vanishing Documents Impact on Privacy

LITIGATION HOLDS
• Legal framework
  • Stop the clock on document destruction
• Clearly this prohibits organizations from originating these documents
• If someone does create a VDO
  • Keys and plaintext gone, but
  • Crypto text is evidence that the document existed
• What controls can we envision to prevent their use?

Page 16: Vanishing Documents Impact on Privacy

INBOUND COMMUNICATIONS
• VDOs could come from ‘outside’
• Are there business reasons to allow this?
• What about going ‘out’ to visit a VDO?
• Are there cases when a VDO should not be opened?
• Are there cases when it must be opened?

Page 17: Vanishing Documents Impact on Privacy

BUSINESS USES
• Probably few legitimate uses for large commercial enterprises.
  • Customer Service
  • Brand Management
  • Public Safety
  • Attorneys under privilege

Page 18: Vanishing Documents Impact on Privacy

GOING OUTSIDE TO VIEW
• Go to a website to view a VDO
  • Does that constitute corporate knowledge?
• Company uses a social networking site
  • Stay in contact with customers for customer service, say
  • Since VDO is mainstream, a user turns it on for ALL communications, thinking that safer
  • But for the enterprise, it’s a business transaction
• So…. Does it need to be ‘imported’ for preservation?
  • Capture the key and ciphertext, or just the plaintext?

Page 19: Vanishing Documents Impact on Privacy

LETTING VDOS IN
• Email with a vanishing data object
• Options:
  1. Detect and prevent entry, like spam
  2. Allow in, but prevent acquisition of keys, through network policy.
  3. Allow in, but decode passing through gateway
  4. Allow in with quarantine & special handling
• Is there a duty to preserve it? For e-Discovery?
• Would the court consider the unpacked as equivalent?
  • To prove it is equivalent you’d need the key

Page 20: Vanishing Documents Impact on Privacy

FOR SAFETY, MUST OPEN
• Suppose the clear text subject line contains a threat: “Bomb active. Defuse instructions enclosed”
• Mail is received but enterprise policies prevent acquisition of the key
• This scenario indicates some sort of handling

Page 21: Vanishing Documents Impact on Privacy

BRAND BUZZ
• Corporations sometimes watch what is being said about them in public venues
• If the social network acts as an amplifier/repeater, and the VDOs time out in, say, 8 hours
  • Watcher scan cycle time would need to be less than the timeout
  • If today a daily scan is adequate, it might need to be every few hours

Page 22: Vanishing Documents Impact on Privacy

OUTBOUND COMMUNICATIONS
• Lying to a customer
  • EE or Agent promises something
  • Controllable on internal equipment/email
• Employee sends stolen company info
  • User A with enterprise IP goes to sneaky.com
  • Under the cover of HTTPS writes a VDO with internal information
  • User B, an investor, foreign power etc., reads the info
• In order to stop
  • Blacklist sneaky.com
  • Terminate SSL at border
  • Intercept & decode, possibly quarantine
  • Prevent anything that appears further encrypted.

Page 23: Vanishing Documents Impact on Privacy

NOT, PERHAPS, JERICHO, BUT
• Millions of consumer computers harnessed to provide some privacy
• Is an example of how the walled garden model of the enterprise may no longer be sufficient

Page 24: Vanishing Documents Impact on Privacy

REFERENCES
• Vanish: Self-Destructing Digital Data, http://vanish.cs.washington.edu/
• New Technology to Make Digital Data Self-Destruct, http://www.nytimes.com/2009/07/21/science/21crypto.html
• Distributed Hash Tables, http://en.wikipedia.org/wiki/Distributed_hash_table
• Attack, http://z.cs.utexas.edu/users/osa/unvanish/papers/vanish-broken.pdf
• Vanishing E-mail and Electronically Stored Information: an E-Discovery Hazard, http://www.rlgsc.com/blog/ruminations/vanishing-electronic-data-ediscovery.html