
Privacy and Computer Science (ECI 2015) Day 1 - Introduction

why cryptography is not enough

F. Prost [email protected]

Ecole Normale Supérieure de Lyon

July 2015

F. Prost [email protected] (Ecole Normale Supérieure de Lyon) Privacy and Computer Science (ECI 2015) Day 1 - Introduction why cryptography is not enough July 2015 1 / 48


The Fall of Men and IT


Virtualization

Reality, virtual world and their interactions.

=⇒ problems linked to hypostatic union, schism between the Oriental Orthodox Church and the rest of Christendom...

Very complex philosophical problem having huge repercussions: e.g. the world map.


Security: a Counter-Intuitive Science

Si vis pacem, para bellum. (Security in IT is very different from security in civil engineering.)

“Strategy: The Logic of War and Peace” (E.N. Luttwak).

=⇒ Greek wiretapping scandal (2006).

It is against the nature of the engineer’s mind: Programming Satan’s Computer [Anderson and Needham, 1995]!

System complexity is the Achilles’ heel: e.g. passwords on mobile phones (with gyroscope sensors)...

Every security solution is a trade-off.


Potter vs Hacker: Harry’s War

Who

Tool      Magic wand            Computer, Internet

Method    Magic formula         Credit card number

Power     Experience/Mastery    Bank account

Vector    Goblin, dwarf         UPS/FedEx employee, Drones?

I.T. is literally like magic: it possesses all its features


A Scientific Approach to Privacy and IT

It is not magic, it is computer science (and communications)!

On top of that, privacy issues embrace almost every aspect of computer science, from the deep theory to the smallest technical/material details.

The aim of the course is to give a broad overview of the scientific aspects of privacy in computer science.
=⇒ It is an entry point to the subject.

Some basic definitions are still active objects of research: defining “Privacy” properly is not trivial.


Course’s Roadmap

1 Cryptography is not enough. Hard limits.

2 Privacy/Identity from a traditional cryptographic point of view. (Cryptography)

3 Non-interference and programming. (Programming Languages)

4 Zero-Knowledge proofs. (Mathematics)

5 Formal Approaches. (Logics)


Cryptography is not Enough

Plan

1 Cryptography is not Enough
    Enigma Cryptanalysis
    Naive Anonymization Just doesn’t Work

2 Information Theory Cryptology: [Shannon, 1949]
    Information theoretic studies of cryptosystems
    Entropy of passwords

3 Conclusion


Cryptography is not Enough: you can run but you can’t hide

The dreamt world of mathematicians vs. the harsh reality.

Implementation details do matter.

Usage protocol does matter.

Psychology does matter.

System complexity does matter.

Sheer luck can matter...

=⇒ Empirical proof: Snowden’s revelations about NSA’s practices...


Enigma Cryptanalysis

Real-life, extreme example of the difficulty of information security during WWII. Historians estimate the effect as shortening the war by 1 to 2 years (literally millions of lives).

First mechanization of cryptanalysis: shift from linguistics to mathematics. First use of computers!

A. Turing, father of computer science, heavily involved.

Exemplary in the multiple ways used to break the “unbreakable”.

=⇒ Think outside the box!


Enigma Machine


Permutations with Rotors Schematically

[Figure: rotor wiring schematic, with letters A to F on one side wired to letters A to F on the other]


Enigma Schematically

[Figure: Enigma wiring schematic on the letters A to F]


Protocol for the Use of Enigma

Book of keys:

Date  Rotor      Initialization  Plugboard
12    I II III   REZ             FD IZ LP MN TA SY
13    II V I     KXU             AN GZ ID LW MF UY
14    IV II III  WGT             ET IL MO NS WH BQ
15    II I V     AQR             UI YS AN MJ VB EH
...   ...        ...             ...

A key gives the initial configuration of the machine.

Once the machine was set, the operator sent three letters in order to initiate a session key (to avoid repetitions). This group of three letters was repeated twice.


Some Numbers on Enigma

Each rotor is a permutation on 26 letters: $26^3 = 17576$

3 among 5 rotors: $5!/(3!\,2!) = 10$

Plugboard, 6 wires: $\prod_{k=0}^{5} \frac{(26-2k)!}{2 \times (26-4k)!} = 72282089880000$

Number of Enigma settings: $76 \times 10^{18}$

Age of the universe in seconds: $4.3 \times 10^{17}$

Enigma's strength is due to the combination of a mechanism that avoids repetitions (rotors) and a huge key space (plugboard).

Even with a copy of the machine it is intractable.


Enigma Weaknesses

Internal weaknesses (algorithm weakness):

Only involutive substitutions are implemented: from $26! \simeq 403 \times 10^{24}$ to $533 \times 10^{12}$ (that is a $7.5 \times 10^{11}$ reduction!!).

Because of the reflector, a letter can never be encoded by itself.
=⇒ Sometimes, to test communication lines, the Germans sent large texts made only of “T’s”.
=⇒ crib technique developed by Turing.

External weaknesses (protocol use):

The Germans forbade the use of the same rotor at the same place on two consecutive days.

Repetition of the session key at the start of the message.

Some messages had a predictable structure: typically the Luftwaffe's meteorological messages of 6:00 am.

Operator’s bias: always the same three settings (surname of his fiancée...)


Marian Rejewski: First Attempts

Through espionage, the French had a copy of the Enigma machine, which was given to the Poles (30’s).

Marian Rejewski was a young Polish mathematician who found a way to exploit the protocol weakness of the Germans (repetition of the session key).

=⇒ The first and fourth letters of a message encode the same letter.

Using all the messages sent in one day, it is easy to construct a corresponding alphabet like:

First Letter  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Fourth Letter XFEARBSLHQIGCVDZWKMNJUOYTP

This table is independent of the plugboard.


Rejewski’s cycles

Given a corresponding alphabet, one can factor it into cycles.

For instance, in

First Letter  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Fourth Letter XFEARBSLHQIGCVDZWKMNJUOYTP

one can make the cycles

A → X → Y → T → N → V → U → J → Q → W → O → D → A
B → F → B
C → E → R → K → I → H → L → G → S → M → C
P → Z → P

It turns out that this decomposition in cycles is unique with relation to the original setting of the rotors (like DNA code for it).

=⇒ Just make a big book with all combinations! ($26^3 \times 10$)

It is not over: plugboard? (Easy to crack by hand. Can you find out how?)
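The cycle factoring above, as an added example that is not part of the original slides: it decomposes the slide's First/Fourth table and shows that passing the table through a plugboard changes the letters but leaves the cycle lengths untouched, which is what makes a catalogue indexed by cycle lengths usable. The plugboard pairs in `SAMPLE_PLUGS` are constructed for illustration, and the plugboard is modelled as a letter swap applied before and after the rotor permutation.

```python
import string

ALPHABET = string.ascii_uppercase

# Table from the slide: first letter of the indicator on top, fourth letter below.
FIRST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
FOURTH = "XFEARBSLHQIGCVDZWKMNJUOYTP"

# Constructed plugboard wiring (assumption, not from the slides).
SAMPLE_PLUGS = [("A", "M"), ("B", "Q"), ("T", "Z"), ("E", "X"), ("K", "P"), ("D", "L")]


def table_to_perm(first, fourth):
    """Turn the two rows of the table into a permutation of A-Z."""
    if sorted(first) != list(ALPHABET) or sorted(fourth) != list(ALPHABET):
        raise ValueError("each row must contain every letter exactly once")
    return dict(zip(first, fourth))


def cycles(perm):
    """Factor a permutation into disjoint cycles, each starting at its smallest letter."""
    seen, result = set(), []
    for start in ALPHABET:
        if start in seen:
            continue
        cycle, letter = [], start
        while letter not in seen:
            seen.add(letter)
            cycle.append(letter)
            letter = perm[letter]
        result.append("".join(cycle))
    return result


def cycle_type(perm):
    """Cycle lengths, longest first: the fingerprint looked up in the catalogue."""
    return sorted((len(c) for c in cycles(perm)), reverse=True)


def plugboard(pairs):
    """Build the plugboard swap; every letter may be plugged at most once."""
    swap = {c: c for c in ALPHABET}
    for a, b in pairs:
        if a == b or swap[a] != a or swap[b] != b:
            raise ValueError(f"letter plugged twice in pair {a}{b}")
        swap[a], swap[b] = b, a
    return swap


def through_plugboard(perm, swap):
    """Table an eavesdropper would observe with the plugboard in place: S o perm o S."""
    return {x: swap[perm[swap[x]]] for x in ALPHABET}


if __name__ == "__main__":
    perm = table_to_perm(FIRST, FOURTH)
    plugged = through_plugboard(perm, plugboard(SAMPLE_PLUGS))
    print("slide table    :", cycles(perm), cycle_type(perm))
    print("with plugboard :", cycles(plugged), cycle_type(plugged))
```
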


Cryptanalysis Automated: A. Turing at Bletchley Park

In May 1937 the Germans changed their protocols and Rejewski’s attack was no longer possible.

Turing noted a similarity between messages: clear text attack. Famous example: wetter in the messages of the meteorological site. Called “cribs”, these known fragments can lead to an attack.

Suppose you know that the message starts with:

WETTERUEBERSICHTNULLSECHSNULLNULL

Consider the cyphertext:

W E T T E R U E B E R S I C H T
E R G H W T S S K J F E G L A W

There is a cycle $W \xrightarrow{0} E \xrightarrow{1} R \xrightarrow{4} T \xrightarrow{16} W$
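The two crib properties used above, as an added example that is not part of the original slides: the reflector rule (no letter encodes to itself) rules out crib placements, and the plaintext/cyphertext pairs form a graph whose closed loops are what the bombe is wired to test. It goes slightly beyond the slide by listing every loop in the 16-letter alignment; positions are counted from 0, left to right, and the function names are this example's own.

```python
from collections import defaultdict

# Crib and cyphertext rows as printed on the slide (first 16 letters).
CRIB = "WETTERUEBERSICHT"
CIPHERTEXT = "ERGHWTSSKJFEGLAW"


def crib_offsets(crib, ciphertext):
    """Offsets where the crib may sit: no crib letter lines up with itself."""
    offsets = []
    for off in range(len(ciphertext) - len(crib) + 1):
        window = ciphertext[off:off + len(crib)]
        if all(p != c for p, c in zip(crib, window)):
            offsets.append(off)
    return offsets


def build_menu(crib, window):
    """Graph of letter pairs: an edge plain<->cipher labelled with its position."""
    if len(crib) != len(window):
        raise ValueError("crib and cyphertext window must have the same length")
    menu = defaultdict(list)
    for pos, (p, c) in enumerate(zip(crib, window)):
        if p == c:
            raise ValueError(f"position {pos}: a letter cannot encode to itself")
        menu[p].append((c, pos))
        menu[c].append((p, pos))
    return dict(menu)


def find_loops(crib, window, start=None):
    """Closed loops in the menu as (letters, positions); through `start` if given."""
    menu = build_menu(crib, window)
    found = {}  # keyed by the set of positions used, so each loop is kept once

    def walk(origin, letter, path, used):
        for nxt, pos in menu[letter]:
            if pos in used:
                continue  # each position (one Enigma step) is used at most once
            if nxt == origin:
                found.setdefault(frozenset(used + [pos]),
                                 ("".join(path) + origin, tuple(used + [pos])))
            elif nxt not in path:
                walk(origin, nxt, path + [nxt], used + [pos])

    for origin in ([start] if start else sorted(menu)):
        if origin in menu:
            walk(origin, origin, [origin], [])
    return sorted(found.values(), key=lambda loop: sorted(loop[1]))


if __name__ == "__main__":
    print("placements of WETTER:", crib_offsets("WETTER", CIPHERTEXT))
    for letters, positions in find_loops(CRIB, CIPHERTEXT, start="W"):
        print(" -> ".join(letters), "at positions", positions)
```
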


Cryptanalysis Bombe (schema)

How can those cycles be discovered automatically?

We can try to work on 4 machines in parallel. By linking them together and setting them correctly, following the crib, we can close an electrical circuit.


Turing’s Cryptanalysis Bombe


Information War

War actions were carried out to make the Germans communicate.

=⇒ indeed, the Allies knew how geographic data were encoded (standard espionage).

The Allies knew where the U-boats were; they could have destroyed them all at once... but the Germans would have switched their cryptosystems. How to use the information?


Conclusion

The mathematics of the cryptosystem is just one parameter among others:

espionage,
protocol applications,
practical implementations,
sheer luck,
...

No such thing as coincidence...


Cryptography is not Enough Naive Anonymization Just doesn’t Work

Plan

1 Cryptography is not Enough
    Enigma Cryptanalysis
    Naive Anonymization Just doesn’t Work

2 Information Theory Cryptology: [Shannon, 1949]
    Information theoretic studies of cryptosystems
    Entropy of passwords

3 Conclusion


Practical Case of de-Anonymization: Netflix

Striking results [Narayanan and Shmatikov, 2009].

Netflix publishes a subset of its customer data: the aim is to produce useful suggestions for movies in pay per view.

Users    Movies/Marks          Movies/marks hidden
456789   87/4, 998/2, 687/4    954/2, 486/4
654953   45/3, 743/3, 486/4    687/3, 45/4
...

Data are simply anonymized by changing the real name to a random number.

Results: 99% of correct de-anonymization for more than 8 marks (84% if one forgets about the date when the mark was set, if non-mainstream movies are seen).
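A release-side check of the effect described above, as an added example that is not part of the original slides: before publishing pseudonymized marks, count how often a handful of known (movie, mark) pairs is consistent with exactly one pseudonym. The records in `RELEASE` are constructed (movies 1 to 3 stand for mainstream titles, 10 to 14 for niche ones), and the `tolerance` parameter is this example's way of modelling imprecise knowledge of a mark.

```python
from fractions import Fraction
from itertools import combinations

# Constructed release: pseudonym -> {movie id: mark}. Not real data.
RELEASE = {
    "u1": {1: 5, 2: 4, 3: 3, 10: 2},
    "u2": {1: 5, 2: 4, 3: 3, 11: 5},
    "u3": {1: 5, 2: 3, 12: 4},
    "u4": {1: 4, 2: 4, 3: 3, 13: 1},
    "u5": {1: 5, 2: 4, 14: 3},
}


def candidates(release, known, tolerance=0):
    """Pseudonyms whose record agrees with every known (movie, mark) pair."""
    return sorted(
        user for user, marks in release.items()
        if all(movie in marks and abs(marks[movie] - mark) <= tolerance
               for movie, mark in known.items())
    )


def unique_fraction(release, m, tolerance=0):
    """Share of all m-mark subsets of a record that single out one pseudonym."""
    total = unique = 0
    for marks in release.values():
        for subset in combinations(sorted(marks.items()), m):
            total += 1
            if len(candidates(release, dict(subset), tolerance)) == 1:
                unique += 1
    return Fraction(unique, total) if total else Fraction(0)


def smallest_crowd(release, m, tolerance=0):
    """Smallest candidate set over all m-mark subsets (1 means someone is exposed)."""
    sizes = [
        len(candidates(release, dict(subset), tolerance))
        for marks in release.values()
        for subset in combinations(sorted(marks.items()), m)
    ]
    return min(sizes) if sizes else 0


if __name__ == "__main__":
    for m in (1, 2, 3):
        print(f"{m} known mark(s): {unique_fraction(RELEASE, m)} of subsets are unique")
    print("1 mark known only to within +/-1:", unique_fraction(RELEASE, 1, tolerance=1))
```

On this constructed data the unique share grows with each additional known mark, and the niche titles keep identifying their viewers even when the mark is only known approximately.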


Social Data Anonymization: Dimensions and Principles

A more down-to-earth problem than non-interference:

Partial knowledge of the graph by the opponent.
Active attacker (embedding fake subgraphs to re-identify them).
Objects of interest vary from one data set to another.

Hence three important points to consider:
1 Background Knowledge: What does the opponent know? Model of the opponent.
2 Privacy: what is attacked?
3 Usage: How is the data going to be analyzed?

=⇒ Anonymizing techniques


Social Data Anonymization: Techniques

Two families:

Clustering: group together edges and nodes.
k-anonymity (and l-diversity): there should be at least k-1 other candidates with similar features.

Let us focus on the k-anonymity approach: the problem amounts to creating $G'$ such that $G' = G_1 \oplus G_2 \oplus \dots \oplus G_k$, where the $G_i$ are isomorphic graphs.

It is NP-hard to find graph transformations minimizing the editing distance between a graph and a k-isomorphic graph.

One attempt: select 1/k of the nodes randomly, create k clones, link the clones together, e.g. with categorical graph transformation approaches.


Information Theory Cryptology: [Shannon, 1949]


IT and Privacy: Art or Science?

Computer science: art or science? “The Art of Computer Programming”, D.E. Knuth.

Basic issue in privacy: how do you study the strength of a cryptosystem?

Computational security.
Provable security.
Unconditional security.

Which attacks are considered?

Cyphertext only?
Plaintext attack?
Partial plaintext?
etc.


Information Theory 101

First things first: What is information?

=⇒ ultimately it can be seen as the way to reduce uncertainty.

Pioneering work of C.E. Shannon:

“A Mathematical Theory of Communication”, The Bell System Technical Journal, vol. 27, 1948.
“Communication Theory of Secrecy Systems”, The Bell System Technical Journal, vol. 28, 1949.

It is a study of probability theory. More precisely, of how a probability distribution is affected by some hypotheses.


Discrete Probabilities

Discrete random variable: $X$

Probability distribution: $P$ s.t. $\sum_{i \in I} \Pr_P[X = x_i] = 1$

Joint Probability: $\Pr_{P,Q}[X = x, Y = y]$

Conditional Probability: $\Pr_{P,Q}[X = x \mid Y = y]$

$$\Pr_{P,Q}[x, y] = \Pr_{P,Q}[x \mid y]\,\Pr_Q[y] = \Pr_{Q,P}[y \mid x]\,\Pr_P[x]$$

Theorem (Bayes' theorem)

if $\Pr_P[y] > 0$ then

$$\Pr_{P,Q}[x \mid y] = \frac{\Pr_P[x]\,\Pr_{Q,P}[y \mid x]}{\Pr_Q[y]}$$

Information Theory Cryptology: [Shannon, 1949] Information theoretic studies of cryptosystems

Plan

1 Cryptography is not Enough
Enigma Cryptanalysis
Naive Anonymization Just doesn't Work

2 Information Theory Cryptology: [Shannon, 1949]
Information theoretic studies of cryptosystems
Entropy of passwords

3 Conclusion

Perfect Secrecy

How to prove unconditional strength for a cryptosystem?

Formal definition of a cryptosystem:

Definition (cryptosystem)

$(T, C, K, E, \Delta)$ with:

$T$: clear Texts.

$C$: Cyphers.

$K$: Keys.

$\forall k \in K$ there is $e_k \in E$ and $d_k \in \Delta$ such that

$$e_k : T \to C \qquad d_k : C \to T$$

and $\forall x \in T$, one has $d_k(e_k(x)) = x$

Secrecy and Probabilities

Plaintext: $X$ following $P$.

Key: $K$ following equiprobable distribution.

Since usually the key is chosen before encryption it is fair to assume $K$ and $X$ are independent random variables.

The probability of cyphertexts can be computed from $K$ and $X$:

$$C(K) = \{ e_K(x) \mid x \in T \}$$

$$\Pr_P[\mathbf{Y} = y] = \sum_{\{K \mid y \in C(K)\}} \Pr_K[\mathbf{K} = K]\,\Pr_P[\mathbf{x} = d_K(y)]$$

$$\Pr_P[\mathbf{y} = y \mid \mathbf{x} = x] = \sum_{\{K \mid x = d_K(y)\}} \Pr_K[\mathbf{K} = K]$$

By Bayes' theorem

$$\Pr_P[\mathbf{x} = x \mid \mathbf{y} = y] = \frac{\Pr_P[\mathbf{x} = x] \times \sum_{\{K \mid x = d_K(y)\}} \Pr_K[\mathbf{K} = K]}{\sum_{\{K \mid y \in C(K)\}} \Pr_K[\mathbf{K} = K]\,\Pr_P[\mathbf{x} = d_K(y)]}$$

Defining Perfect Secrecy

Definition (Perfect Secrecy)

A cryptosystem has perfect secrecy if:

$$\Pr[x \mid y] = \Pr[x]$$

In other words, if the a posteriori probability that the plaintext is $x$, given the cypher $y$, is identical to the a priori probability that the plaintext is $x$.

One-time pad can be proven to achieve perfect secrecy.

Shannon's perfect secrecy theorem: The cryptosystem has perfect secrecy if and only if

each key is used with equal probability $1/|K|$

for every plaintext $x$ and ciphertext $y$, there is a unique key $k$ such that $e_k(x) = y$.

Entropy

What if the key is used for more than one encryption?

Entropy is a mathematical measure of information or uncertainty.
=⇒ computed as a function of the probability distribution.

Suppose $X$ following $P$: what is learnt through experiments following $P$?
=⇒ This is the entropy of $X$: $H(X)$

Imagine a mind game: guess a word while its letters are given one by one.

Entropy definition

Definition (Entropy)

Let $X$ follow $P$, then

$$H(X) = -\sum_{x \in X} \Pr_P[X = x] \log_2(\Pr_P[X = x])$$

The log is undefined for 0, but the limit is 0... so it is ok in the sum.

The choice of the base of the log is arbitrary.

Many applications to cryptosystems, e.g.:

Theorem

Consider the cryptosystem $(T, C, K, E, \Delta)$:

$$H(K \mid C) = H(K) + H(P) - H(C)$$
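The Bayes computation from the "Secrecy and Probabilities" slide, the definition of perfect secrecy and the theorem above can all be checked exhaustively on a toy cryptosystem. This is an added example, not part of the lecture: the shift cipher on Z_3, the plaintext distribution and all function names are constructed here.

```python
from fractions import Fraction
from itertools import product
from math import log2

N = 3                                    # constructed toy system on Z_3
PRIOR = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}  # plaintext law P


def enc(k, x):
    """e_k(x) = x + k mod N (shift cipher); d_k(y) = y - k mod N."""
    return (x + k) % N


def uniform_keys(keys):
    """Equiprobable key distribution over the given key set."""
    return {k: Fraction(1, len(keys)) for k in keys}


FULL_KEYS = uniform_keys([0, 1, 2])      # exactly one key for every pair (x, y)
WEAK_KEYS = uniform_keys([0, 1])         # key 2 is never used


def joint_key_cipher(key_dist, prior=PRIOR):
    """Pr[K = k, Y = y] = Pr[K = k] Pr[X = d_k(y)], K and X being independent."""
    joint = {}
    for (k, pk), (x, px) in product(key_dist.items(), prior.items()):
        joint[(k, enc(k, x))] = pk * px  # e_k is injective, so no collisions
    return joint


def cipher_dist(key_dist, prior=PRIOR):
    """Pr[Y = y]: the joint law summed over the keys."""
    dist = {}
    for (_, y), p in joint_key_cipher(key_dist, prior).items():
        dist[y] = dist.get(y, 0) + p
    return dist


def posterior(key_dist, prior=PRIOR):
    """Pr[X = x | Y = y] by Bayes' theorem, for every y with Pr[Y = y] > 0."""
    post = {}
    for y, py in cipher_dist(key_dist, prior).items():
        for x, px in prior.items():
            y_given_x = sum(pk for k, pk in key_dist.items() if enc(k, x) == y)
            post[(x, y)] = px * y_given_x / py
    return post


def has_perfect_secrecy(key_dist, prior=PRIOR):
    """Definition: the posterior equals the prior for every (x, y)."""
    return all(p == prior[x] for (x, _), p in posterior(key_dist, prior).items())


def shannon_conditions(key_dist):
    """Shannon's criterion: equiprobable keys and a unique key per (x, y)."""
    equiprobable = len(set(key_dist.values())) == 1
    unique = all(sum(enc(k, x) == y for k in key_dist) == 1
                 for x, y in product(range(N), repeat=2))
    return equiprobable and unique


def entropy(dist):
    """H = -sum p log2 p over the outcomes with p > 0."""
    return -sum(float(p) * log2(float(p)) for p in dist.values() if p > 0)


def key_equivocation(key_dist, prior=PRIOR):
    """H(K | C) from its definition: -sum Pr[k, y] log2 Pr[k | y]."""
    joint = joint_key_cipher(key_dist, prior)
    pr_y = cipher_dist(key_dist, prior)
    return -sum(float(p) * log2(float(p / pr_y[y])) for (_, y), p in joint.items())


def theorem_rhs(key_dist, prior=PRIOR):
    """H(K) + H(P) - H(C), the right-hand side of the theorem."""
    return entropy(key_dist) + entropy(prior) - entropy(cipher_dist(key_dist, prior))


if __name__ == "__main__":
    for name, keys in (("full key set", FULL_KEYS), ("weak key set", WEAK_KEYS)):
        print(name, has_perfect_secrecy(keys), shannon_conditions(keys),
              round(key_equivocation(keys), 4), round(theorem_rhs(keys), 4))
```

With the weak key set, observing y = 0 rules out plaintext 1 entirely and raises the probability of plaintext 0 from 1/2 to 3/4, which is exactly the leak that perfect secrecy forbids.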

Information Theory Cryptology: [Shannon, 1949] Entropy of passwords

How to Choose a Password?

By far the most used technology of access control.

Problems linked to the number of passwords to manage (reuse?).

A lot of advice is available on how to build a “secure” password.

Information theory can help us to scientifically assess whether a password is good.
=⇒ The problem is to find a password that is not too short, but not too long and difficult to remember.

In real life:

Building of a dictionary by a scan of the hard drive (50% success rate).

Using a password manager is a good compromise.

Brute Force Attack and the Age of the Universe

The problem is reduced to the exhaustive search.

If you enumerate the possible passwords it amounts to checking integers.

Suppose you can check $10^{15}$ passwords per second.

Suppose that Google or the NSA can devote 1000 computers to the search: $10^{18}$ passwords per second. We have the following timetable:

| size in bits | execution time |
|---|---|
| 56 | less than 1 sec |
| 64 | 18 sec |
| 128 | $1{,}07 \times 10^{13}$ years |
| 256 | $3{,}65 \times 10^{51}$ years |
| 512 | $4{,}25 \times 10^{128}$ years |

For your information, the age of the universe is estimated at $13{,}7 \times 10^{9}$ years.

Landauer’s Principle

What if the NSA has a super computer that is really, really fast?

It has to follow the laws of physics: the minimal energy expenditure at temperature $T$ is given by

$$\Delta E \geq kT \log(2)$$

where $k = 1.38 \times 10^{-23}$ J/K

To enumerate all integers on 128 bits requires $10^{18} \simeq 30$ gigaWatts/year, which is equivalent to 267 teraWatts/hour, roughly half the electrical power in France.

There is not enough energy in the visible space to enumerate all integers on 256 bits.

=⇒ More than a hundred bits of entropy is overkill.

Measuring the Strength of a Password

The idea is to measure the entropy associated to a password.

Under an equiprobable probability distribution, in a set of size $n$ the entropy of an element picked is $\log(n)$.

With $N$ symbols and a password of length $L$, there are $N^L$ possible passwords, hence $\log(N^L) = L \log(N)$

| Symbols | Entropy per symbol |
|---|---|
| 0-9 | 3,32 |
| 0-9+’A’-’F’ | 4 |
| ’a’-’z’ | 4,7 |
| 0-9+’a’-’z’ | 5,1 |
| ’A’-’Z’+’a’-’z’ | 5,7 |
| 0-9+’a’-’z’+’A’-’Z’ | 5,9 |
| ASCII writable | 6,56 |

Spanish dictionary size 100000, hence 16 entropy bits per word.
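The figures on the brute-force, Landauer and password-strength slides can be recomputed and turned into a small password-policy check. This is an added example, not code from the lecture; the 300 K temperature and the skewed word-choice model are assumptions constructed here to show how far the L log(N) figure drops once choices are not equiprobable.

```python
import math

GUESSES_PER_SECOND = 10**18            # slide's figure: 1000 machines at 10^15 each
SECONDS_PER_YEAR = 365.25 * 24 * 3600
BOLTZMANN_J_PER_K = 1.38e-23           # k as given on the Landauer slide
ASSUMED_TEMPERATURE_K = 300.0          # assumption: the slides give no temperature

# Alphabet sizes for the rows of the "entropy per symbol" table.
ALPHABET_SIZES = {
    "0-9": 10,
    "0-9+A-F": 16,
    "a-z": 26,
    "0-9+a-z": 36,
    "A-Z+a-z": 52,
    "0-9+a-z+A-Z": 62,
    "ASCII writable": 95,
}
DICTIONARY_WORDS = 100_000             # the slide's dictionary size


def uniform_entropy_bits(alphabet_size, length=1):
    """L * log2(N): valid only if every symbol is drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def shannon_entropy_bits(probabilities):
    """H = -sum p log2 p, with the 0 log 0 terms dropped (their limit is 0)."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def min_length(alphabet_size, target_bits):
    """Shortest uniform-random password reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def exhaustive_search_seconds(bits, rate=GUESSES_PER_SECOND):
    """Time to enumerate all 2^bits candidates at the given guess rate."""
    return 2**bits / rate


def landauer_joules(bits, temperature=ASSUMED_TEMPERATURE_K):
    """Lower bound of kT ln 2 per step, times 2^bits steps."""
    return 2**bits * BOLTZMANN_J_PER_K * temperature * math.log(2)


def skewed_word_choice(common=1_000, share=0.5, words=DICTIONARY_WORDS):
    """Constructed habit model: `share` of the picks land in `common` favourite
    words, the rest are uniform over the whole dictionary."""
    p_other = (1 - share) / words
    p_common = share / common + p_other
    return [p_common] * common + [p_other] * (words - common)


def assess(alphabet_size, length):
    """Entropy, exhaustive-search time and Landauer bound for one policy."""
    bits = uniform_entropy_bits(alphabet_size, length)
    return {
        "bits": bits,
        "years": exhaustive_search_seconds(bits) / SECONDS_PER_YEAR,
        "joules": landauer_joules(bits),
    }


if __name__ == "__main__":
    for name, size in ALPHABET_SIZES.items():
        print(f"{name:15s} {uniform_entropy_bits(size):5.2f} bits/symbol, "
              f"{min_length(size, 100):2d} symbols for 100 bits")
    print("8 lowercase letters:", assess(26, 8))
    print("uniform word: %.2f bits, skewed word: %.2f bits" % (
        uniform_entropy_bits(DICTIONARY_WORDS),
        shannon_entropy_bits(skewed_word_choice())))
```

The table on the slide truncates rather than rounds, so `log2(36) = 5.17` appears there as 5,1 and `log2(100000) = 16.6` as 16.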

Conclusion

Privacy is complicated:

Philosophically/Conceptually.

Concretely.

Technologically.

Scientifically.

Security requires a proper mindset that is usually not the one developed in the usual curriculum.

Information theory is just one side of the story: how does it help to write a “safe” program?

Bibliography I

Anderson, R. J. and Needham, R. M. (1995). Programming satan’s computer. In Computer Science Today: Recent Trends and Developments, pages 426–440. Springer.

Anderson, R. (2008). Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley.

Narayanan, A. and Shmatikov, V. (2009). De-anonymizing social networks. In 30th IEEE Symposium on Security and Privacy (S&P 2009), 17-20 May 2009, Oakland, California, USA, pages 173–187.

Bibliography II

Schneier, B. (1996). Applied Cryptography: Protocols, Algorithms, and Source Code in C. Wiley.

Shannon, C. (1948). A mathematical theory of communication. Bell System Technical Journal, 27:379–423, 623–656.

Shannon, C. (1949). Communication theory of secrecy systems. Bell System Technical Journal, 28:656–715.

Singh, S. (2000). The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Anchor.

Bibliography III

Stinson, D. (2005). Cryptography Theory and Practice. Chapman and Hall/CRC, third edition.
