security and privacy in social networks812449/...social networks have seen a dramatic growth during...
TRANSCRIPT
Social Networks and Privacy
OLEKSANDR BODRIAGOV
Licentiate ThesisStockholm, Sweden, 2015
TRITA-CSC-A 2015:07ISSN-1653-5723ISBN 978-91-7595-571-1
KTH Royal Institute of TechnologySchool of Computer Science and Communications
Department of Theoretical Computer ScienceSE-100 44 Stockholm
SWEDEN
Akademisk avhandling som med tillstand av Kungl Tekniska hogskolan framlagges till offentliggranskning for avlaggande av teknologie licentiatexamen i datalogi den 09 juni, 2015 i sal E2Lindstedsvagen 3, Kungliga Tekniska Hogskolan, Stockholm.
c© Oleksandr Bodriagov, January 13, 2015
Tryck: Universitetsservice US AB
Abstract
Centralized online social networks pose a threat to their users’ privacy as social networkproviders have unlimited access to users’ data. Decentralized social networks address thisproblem by getting rid of the provider and giving control to the users themselves, meaningthat only the end-users themselves should be able to control access of other parties to theirdata. While there have been several proposals and advances in the development of privacy-preserving decentralized social networks, the goal of secure, efficient, and available socialnetwork in a decentralized setting has not been fully achieved.
This thesis contributes to the research in the field of security for social networks withfocus on decentralized social networks. It studies encryption-based access control and man-agement of cryptographic keys/credentials (required for this access control) via user accountswith password-based login in decentralized social networks.
First, this thesis explores the requirements of encryption for decentralized social networksand proposes a list of criteria for evaluation that is then used to assess existing encryption-based access control systems. We find that all of them provide confidentiality guarantees(of the content itself), while privacy (of information about the content or access policies)is either not addressed at all or it is addressed at the expense of system’s performance andflexibility.
We highlight the potential of two classes of privacy preserving schemes in the decen-tralized online social network (DOSN) context: broadcast encryption schemes with hiddenaccess structures and predicate encryption (PE) schemes, and propose to use them. Both ofthese classes contain schemes that exhibit desirable properties and better fulfill the criteria.
Second, the thesis analyses predicate encryption and adapts it to the DOSN context asit is too expensive to use out of the box. We propose a univariate polynomial constructionfor access policies in PE that drastically increases performance of the scheme but leaks somepart of the access policy to users with access rights. We utilize Bloom filters as a meansof decreasing decryption time and indicate objects that can be decrypted by a particularuser. The thesis demonstrates that adapted scheme shows good performance and thus userexperience by making a newsfeed assembly experiment.
Third, the thesis presents a solution to the problem of management of cryptographic keysfor authentication and communication between users in decentralized online social networks.We propose a password-based login procedure for the peer-to-peer (P2P) setting that allowsa user who passes authentication to recover a set of cryptographic keys required for theapplication. In addition to password logins, we also present supporting protocols to providefunctionality related to password logins, such as remembered logins, password change, andrecovery of the forgotten password. The combination of these protocols allows emulatingpassword logins in centralized systems. The results of performance evaluation indicate thattime required for logging in operation is within acceptable bounds.
3
Sammanfattning
Centraliserade sociala online natverk utgor ett hot mot anvandarnas integritet. Detta eftersomleverantorer av sociala natverkstjanster har obegransad tillgang till anvandarnas information.Decentraliserade sociala natverk loser integritetsproblemet genom att eliminera leverantoreroch ge anvandarna kontroll over deras data. Inneborden av detta ar att anvandarna sjalva farbestamma vem som far tillgang till deras data. Aven om det finns flera forslag och vissa framstegi utvecklingen avseende integritetsbevarande decentraliserade sociala natverk, har malet omsakra, effektiva, och tillgangliga sociala natverk i en decentraliserad miljo inte uppnatts fullt ut.
Denna avhandling bidrar till forskning inom sakerhet avseende sociala natverk med fokus padecentraliserade sociala natverk. Avhandlingen inriktas pa krypteringsbaserad atkomstkontrolloch hantering av kryptografiska nycklar (som kravs for denna atkomstkontroll) med hjalp avanvandarkonton med losenordsbaserad inloggning i decentraliserade sociala natverk.
Forst undersoker denna avhandling krav pa kryptering for decentraliserade sociala natverkoch foreslar utvarderingskriterier. Dessa utvarderingskriterier anvands sedan for bedomningav befintliga krypteringsbaserade system for atkomstkontroll. Var utredning visar att samtligagaranterar sekretess av sjalva innehallet. Integritet av information om innehallet eller atkomstprinciperar dock inte skyddat alls, alternativt skyddade pa bekostnad av systemets prestanda och flexi-bilitet.
Vi lyfter fram potentialen i tva klasser av integritetsbevarande system i DOSN samman-hang: broadcast-krypteringssystem med dolda tillgangsstrukturer och predikat krypteringssys-tem; vi foreslar anvandning av dessa system. Bada dessa klasser innehaller system som uppvisaronskvarda egenskaper och uppfyller kriterier pa ett battre satt.
For det andra analyserar avhandlingen predikat kryptering och anpassar denna till DOSNsammanhang, eftersom det ar for dyrt att anvanda som det ar. Vi foreslar en ”univariate poly-nomial construction” for atkomstprinciper i predikat kryptering som drastiskt okar systemetsprestanda, men lacker nagon del av atkomstprincipen till anvandare med atkomstrattigheter. Vianvander Bloom-filter for att minska dekrypteringstiden och indikera objekt som kan dekrypterasav en viss anvandare. Genom att gora ett experiment med nyhetsflodessammansattning visasatt det anpassade systemet ger goda resultat och darmed anvandarupplevelse.
For det tredje presenterar avhandlingen en losning pa problemet avseende hanteringen avkryptografiska nycklar for autentisering och kommunikation mellan anvandare i decentraliseradesociala online natverk. Vi foreslar en losenordsbaserad inloggningsprocedur for peer-to-peer(P2P) miljon, som gor att anvandaren som passerar autentisering far atervinna en uppsattningkryptografiska nycklar som kravs for applikationen. Forutom losenordsinloggning presenterar viocksa stodprotokoll for att ge relaterat funktionalitet, sasom inloggning med lagrade losenord,losenordsbyte, och aterstallning av bortglomda losenord. Kombinationen av dessa protokolltillater simulera losenordsinloggning i centraliserade system. Prestandautvarderingen visar atttiden som kravs for inloggning ar inom acceptabla granser.
Acknowledgements
It took me a few years to write this thesis, and I must say that it was not the easiest task inmy life. It required a lot of time, dedication, and concentration. I would like to express mygratitude to all people that helped me on this way.
First and foremost, I would like to thank my adviser Sonja Buchegger for her help, support,invaluable advices, and guidance. She was the one who taught me how to do research in astructured way. Her simple and elegant guidelines, like a rule of thumb for writing introductionin papers, have been very useful to me in various situations beyond academic context.
Second, I would like to thank my colleagues from our small but quite efficient research group:Gunnar Kreitz, Benjamin Greschbach, and Guillermo Rodrıguez-Cano. I really enjoyed workingwith you all!
I would also like to express my gratitude to Siavash Soleimanifard, Oliver Schwarz, andPedro de Carvalho Gomes for sharing their thoughts and comments whenever I asked them.Thanks to Dilian Gurov for his counsel on writing this thesis.
I am thankful to all members of the theoretical computer science group at KTH for makingthis group a very friendly place to work in. Special thanks to Benjamin Greschbach, GuillermoRodrıguez-Cano, Oliver Schwarz, Pedro de Carvalho Gomes, and Siavash Soleimanifard formany fun and interesting conversations.
Last but not least, a big thanks to my friends at NGO “Unga Ukrainare i Sverige”: Max,Vira, Ola, Kostya, Oksana, Alyona, Sergii, Tetiana, and Roman. You all are great people, andI am grateful for your support, company, and for the fantastic and unforgettable experience wehave had.
Oleksandr Bodriagov,Stockholm, January 2015.
Table of Contents
Table of Contents 7
List of Figures 9
List of Tables 9
1 Introduction 11
1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2 Motivation and related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.3 Research methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4 Thesis contribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.5 Conclusions and Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2 Errata for included publications 23
Bibliography 25
3 Encryption for Peer-to-Peer Social Networks 29
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.2 Essential criteria for the P2P encryption systems . . . . . . . . . . . . . . . . . . 31
3.3 Existing P2P OSN Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.4 Evaluation of existing encryption schemes based on our criteria . . . . . . . . . . 34
3.5 Broadcast Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.6 Predicate Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.7 Comparison and Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.8 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
4 Access Control in Decentralized Online Social Networks: Applying a Policy-Hiding Cryptographic Scheme and Evaluating Its Performance 47
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
4.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.3 Predicate Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.4 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
5 Passwords in Peer-to-Peer 61
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
5.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
7
5.3 System Overview and Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . 635.4 Password-based P2P Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645.5 Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695.6 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735.7 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755.8 Conclusions and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
8
List of Figures
4.1 PE scheme performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554.2 News feed assembly time for 300 profiles . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.1 Overview of the system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655.2 Storage structure and login procedure . . . . . . . . . . . . . . . . . . . . . . . . . . 665.3 Login latency CDF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
List of Tables
3.1 Comparison of encryption systems of P2P social networks . . . . . . . . . . . . . . . 42
5.1 Protocol Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655.2 Recovery Protocol Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705.3 Latencies of protocols, in milliseconds. . . . . . . . . . . . . . . . . . . . . . . . . . . 77
9
Chapter 1
Introduction
Technological advances of mankind made mass communication and information sharing possible.By the end of the 19th century invasion of an individual’s privacy due to electrical telegraph,photography, and newspapers first occurred. In 1890 L. Brandeis and S.Warren published anarticle called ”The Right to Privacy” [1]. It was one of the first to advocate a right to privacyand its protection via legislative means. It became clear that privacy had to be protected.
Nowadays, with the emergence of social media, additional risks to an individual’s privacyhave appeared. Nevertheless, information technology gives us necessary mechanisms to protectour privacy, we do not have to rely solely on the legislative privacy protection. This thesiscontributes to the research in the field of social media security and is aimed at protectingprivacy in social networks via technological means.
1.1 Background
Social networks have seen a dramatic growth during the past decade. For users, the benefitsprovided by the services outweighed any risks to privacy imposed by usage of these services.The privacy concerns and awareness did not stop users from revealing large amounts of personalinformation [2, 3]. In fact, in 2005, the majority of users opted to use default privacy settings,which were quite loose [4]. This combined with security flaws existing in these services [5]created a favorable environment for collecting of private data not only by the service provider,but also by various third parties.
Gradually, the awareness of privacy risks among users increased. According to [6], in 2009the majority of surveyed Facebook users were already using much stricter access policies. Fur-thermore, users started actively defending their privacy. Changes, introduced by the socialnetwork provider, that users considered as a potential threat to their privacy were met withprotests [5].
While security patches and additional privacy mechanisms developed by social networkproviders gave users the impression that they were in control of their data, in reality it hasalways been a social network service provider (SNP) that has had full control. For example,Facebook’s Terms of Services (TOS) [7] up till November 2013 stated that it gets ”perpetual,non-exclusive, transferable, fully paid, worldwide” license to any content user posts and that itcan use it for commercial or advertising purposes. Google’s TOS [8] up till March 2012 statedthat the company had perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licenseto user content and that it could make this content available to other companies, organizationsor individuals for the provision of syndicated services. Other services like Twitter, Instagram,and Linkedin have TOS [9] that gives them similar rights to the user content. While Google’scurrent TOS [10] are much more modest and state that ”The rights you grant in this license are
11
for the limited purpose of operating, promoting, and improving our Services, and to develop newones.”, Facebook according to its current TOS [11] still retains: ”non-exclusive, transferable,sub-licensable, royalty-free, worldwide license to use any IP content that you post”.
Even if the policy states that it is a user who owns the information, de facto it is SNP whois the real owner of the information. SNPs have the right to change TOS at any moment andthey can introduce any changes to the service they wish (e.g. Facebook that unveiled privacychanges in 2009 [12]), and only a massive public protest can stop it. A user who is not happywith a service has mainly two options: either quitting the service or following its terms. Theuser cannot easily switch to another provider, especially if the majority of his friends still usesthe old provider. Users are locked in the system, and consequently they have less means toinfluence SNPs. Providers take advantage of this situation and set the rules as they like. Theuser, in some sense, has no control over his/her information after it is posted. According to [5],in 2007, Privacy International listed Facebook among companies with ”severe privacy threats”because of data mining, transfer of data to third parties, etc. The recent study [13] has shownthat half of the users that leave Facebook do this because of the privacy concerns.
Since locking gives providers bigger revenues and better control over the users, they have noincentives to switch to an open inter provider communication. The business model of SNPs isbased on data aggregation, data mining, and targeted advertisements as the main end product.According to Facebook’s annual report 2013 [14], more than 90 percent of all revenues comesfrom advertising.
The research community realized the importance of privacy in social networks and came upwith a number of proposals to tackle the privacy problem. Some researchers concentrated onanonymization techniques for mitigating a privacy threat associated with sharing of social data(e.g. a social network graph) with third parties. Social network APIs like Facebook API andOpenSocial API developed by Google allowed third-party applications to access a social graphand personal data of a user [15]. To anonymize data Felt et. al. [15] proposed to transformall user IDs in query responses, effectively prohibiting an application to access actual user IDs.However, according to Zhou et.al. [16], having some information about the connections of auser and the relationship between these connections, it was possible to reidentify the user inthe social network graph. Therefore they proposed an anonymization technique that modifiesthe graph [16].
The aforementioned solutions protected only against malicious third parties. Besides, theirimplementation depended on the good will of SNPs. Researchers realized that SNP itself posed athreat and proposed to take control of the user data from SNPs by creating overlay systems thatused online social network service as a communication medium or(and) as a storage. FlyByNight[17] is a third-party Facebook application that uses Facebook servers as a middle-ware for allinteraction between FlyByNight servers and end users. All messages are stored in encryptedform on the specially dedicated FlyByNight server.
FaceCloak [18] allows users to hide any chosen piece of information from the SNP by storing itin encrypted form on a third-party server. When a user wants to post some hidden information,fake information is sent to SNP, while real information is sent to the third-party server. Fakeinformation is used to find out the identifier of the real information on the third-party server.
NOYB [19] hides real information from the SNP by using pseudorandom blocks of informa-tion (that look like real data to the SNP) and substituting real data with these blocks, thusthe SNP operates on the fake data. The system works as a substitution cipher. All data ispartitioned into chunks which are indexed and then substituted by the chunks of encrypteddata. The chunks for substitution are picked from the dictionary. The index of the real datachunk is encrypted and the ciphered index is used to choose the chunk for substitution.
These overlay solutions were not self-contained. They were entirely dependent on the good
12
will of the social network provider, which could stop the ”parasitic” services at any moment.Besides, these solutions have completely neglected the financial side of the problem connectedwith creating an altruistic provider of the ”privacy-enhancing service”.
Other researchers focused on the problem of locking of users. Lockr [20] decouples stored so-cial information from functionality, thus allowing users to be registered to different SNPs whilemaintaining a social connection. Lockr can operate both in a centralized and in a decentralizedmode. In the centralized mode the SNP is responsible for the access control enforcement anddata storage. SNPs do not store users’ social networks, only personal information. The storeddata is unencrypted. SNPs continue to serve user data as well as host third-party social appli-cations. In the decentralized mode, information is stored by the user himself, and the user isresponsible for access control.
1.2 Motivation and related work
Giving the full control to the end-user would be a solution to the privacy problem, meaningthat only the end-user himself should be able to control access of other parties to his data. Anunauthorized party should not have any technical means to access the end-user’s data.
Full data control
There are several approaches to achieve full control over one’s data:
• hosting user’s data on a constantly available paid server
• personal server for each user
• personal virtual machine in a paid cloud
• personal mobile devices with Internet connectivity acting as servers
• decentralized network
The first approach is to host users’ data on a constantly available server to achieve the samelevel of service and interactivity that is provided by online social networks (OSNs). However,this kind of service provided by a third party cannot be free unless the user is willing to allowdata mining and to receive advertisements. The problem is that research shows that usersare not willing to pay for the social network service, though they are willing to use it [21].Thus, it is doubtful that users will pay for the service with some security benefits if there isa similar one for free. Therefore a concept of a paid service with security guarantees for theend user is currently infeasible. Any solution with a central server raises payment and privacyconcerns. For example, the ad-free, paid online social networking platform and microbloggingservice App.net [22] gives users control over their data. The users give permissions to socialapplications/services running on top of the App.net platform to access their data. Yet, the userscan neither prevent App.net that manages this platform from accessing their data for purposesbeyond operating services nor prevent transfer of their data to third parties (e.g. recent reportson National Security Agency’s global surveillance program [23]). The App.net’s revenue modelis based on subscription fees paid by users and developers, but their subscription renewal ratein 2014 was so low that they did not have sufficient budget for full-time employees [24].
Another way would be to use a decentralized, provider-independent approach and have eachuser run his/her own server. The problem is that most of the users do not have sufficientexpertise for that, and it would be much more troublesome for them to keep it constantly
13
running and maintain it than using an ordinary social network. A decentralized social networkDiaspora [25], that has taken this approach, is a good example. Any user can join Diaspora bysetting up a private server, and users who decide not to set up their own servers can choosefrom one of the existing servers to store their data. According to their statistics [26], only a verysmall percentage of users decided to set up their own server, while 90% of all users are registeredon just 5 top servers (by the number of active users). It is important to point out that datathat is stored on these servers is not encrypted, and people running the server have full accessto users’ data [27]. Privacy can be ensured only by running a personal server. Besides, thereis no guarantee that one of these servers will not be shut down later in the future, potentiallyresulting in a complete loss of all data for the users of that server.
Taking into account the previous arguments about the paid services and Diaspora’s experi-ence with personal servers, one can claim that a Vis-a‘-Vis [28] model of the decentralized OSNbased on personal virtual machines running in a paid cloud is currently infeasible.
Another option would be to use mobile phones/tablets as servers. Users could download anapp on their mobile phones/tablets and run some kind of a server to achieve a fully decentralizednetwork. However, the homogeneous network of mobile phones will hardly be able to provideany connectivity at all because, to the best of our knowledge, all of the 3G/4G networks arebehind NAT (or two NATs) and firewalls [29] and NAT-traversal techniques [30] will not workwhen all devices are behind the NAT and there are no rendezvous points. Even if we assume thatthe transition to IPv6 and consequent disappearance of NATs happens very soon, this approachhas still some other disadvantages: a lost or stolen phone equals to loosing all information andthe profile; a forgotten phone means that it is impossible to access the profile; connection lossmeans that none of your friends can access your profile, popular high-definition videos or photoalbums can result in hundreds of megabytes of outgoing traffic that would be a big burden for thebattery. Consequently, user data should be backed-up on and served from some external storagemanaged by some other party. So, even if we assume that transition to IPv6 has happened andmobile phones can act as servers, user data should still be replicated regularly to some externalstorage to achieve 24/7 data availability and integrity.
A more realistic view of the fully decentralized network for social networking is a hetero-geneous P2P network consisting of various devices having different Internet connectivity andavailability. Devices in this network act as building blocks for a decentralized storage withreplication that stores all user data. Due to replication, data will still be available even if thenode from which this data originated goes off-line.
There has been a lot of research on distributed storage systems [31–39] that has shownthat such systems are feasible under realistic assumptions for node availability and replicationdegree.
This thesis follows this last approach and focuses on building a decentralized social networkon top of existing decentralized storage systems in order to give full control to the end-user andto ensure privacy.
Encryption-based access control
Replication of user data to untrusted storage in the decentralized social network creates manyprivacy issues. An access control mechanism should tackle these issues since we considereddecentralized networks with an aim of creating a privacy-preserving social network. The basicrequirement to an access control mechanism in this case is that it should prevent a node whichstores the replicated data from seeing it, except for meta information that identifies the datato be served. It should also guarantee that the user data is available only to a set of peopleauthorized by the owner of the data. Data encryption is one of the mechanisms that helpsto solve these two problems. It prevents the untrusted node that stores and serves the data
14
from seeing it, and it works as an access control mechanism as only people who were givencryptographic keys for decrypting data by the data owner should be able to decrypt it.
Encryption-based access control for decentralized social networks has received a lot of at-tention recently and many solutions have been developed [40–45].
An early version of the PeerSoN [40, 46] P2P social network used a distributed hash table(DHT) to look up data and a combination of symmetric and asymmetric cryptography forencryption-based access control on untrusted storage. Data was first encrypted with a symmetrickey and then this key was encrypted with a public key of each of the data recipients. Privacywas not sufficiently addressed since user Ids (or public keys) were stored alongside encrypteddata. Consequently, it was possible to infer who could decrypt the data.
The two-layered encryption, which is used in PeerSon, where the first layer is the symmet-ric encryption and the second layer encrypts the secret key used in the first layer is called akey encapsulation mechanism (KEM). KEM is beneficial when encrypting the same object formultiple recipients as it helps reduce encryption time and the resulting size of the encryptedobject. As far as we know, KEM is used in all solutions for decentralized social networks.
Persona [43] relies on untrusted storage and uses ciphertext-policy attribute-based encryp-tion (ABE) with KEM for access control. ABE is used to encrypt data for groups of recipientsand different combinations of these groups. To provide specific rights to stored objects, theprofile owner defines access control lists (ACLs) and the storage enforces them. This scheme,however, does not guarantee privacy as the storage can see these ACLs in plaintext. ACLscontain the users’ public keys and their access rights. The storage authenticates the users andauthorizes their actions based on the entries in the ACL. This scheme provides limited dataintegrity protection since the storage is supposed to reliably store and serve data, and protectit from unauthorized modification or deletion. Yet, the credibility of access control enforcedby untrusted storage is not that strong, so the main protection mechanism is encryption, andit ensures only confidentiality. A user retrieving data (unlike the user writing data) does notneed to authenticate with the storage, so the storage does not know the identity of the userbut knows which groups of users can read data requested by the user as this this informationis leaked by the ABE encryption.
From privacy perspective, Persona has a small improvement compared to PeerSon if thereare many users who have only the right to read data.
Safebook [42] solves the problem of untrusted storage by using trusted friends to store dataon their computers and to ensure privacy. Confidentiality is again achieved with a combinationof symmetric and asymmetric encryption, and a DHT is used as a lookup service to find a pathto the stored data. Unlike other systems for decentralized social networks, Safebook providesuntraceability of communication as an integral part of the system. The privacy of the schemeis partial because explicitly trusted parties (most trusted friends that serve as mirrors) cantrace communication parties, but communication privacy is protected from external observersvia multi-hop routing.
We argue that reliance on friendships and trust may be harmful. Friendships may fade withtime or may end suddenly, and trust can be betrayed. It has been shown that half of adultfriendships are lost in seven years [47].
In comparison to PeerSon, Safebook has a slight improvement in privacy as only trustedfriends can see who can decrypt the data of the profile owner.
Cachet [44] is an update of the Decent architecture [48]. It uses a DHT to store data anduses ABE for encryption. In the used variant of ABE, the access policy is described openlyin the header of the ciphertext. The authors observe the resulting privacy violation, but onlyaddress it partially by hiding these headers from the storage system. Users can still observeheaders and thus can see plaintext ABE access policies. For efficiency, the authors used caching
15
of information and store the unencrypted version of this information on the nodes that satisfythe ABE policy (nodes that are able to decrypt). Thus users will know for whom the contentis encrypted, and they may even be able to trace the requests of other people who also candecrypt the same information.
Gunther et. al. [45] describe two solutions for publishing of content on social networkprofiles. One solution uses broadcast encryption with pseudonyms. Pseudonyms are neededto provide privacy protection and patch the used BE scheme which leaks the set of recipi-ents. Pseudonyms give a limited anonymity property [45], but it is still possible to see whichpseudonym is authorized to decrypt what. Taking into account that other users might havesome additional information about an event/question that the encrypted message covers, weargue that the protection is not sufficient as users may infer the identity behind the pseudonym.Their second construction is based on symmetric encryption. It requires for each attribute-valuepair in the system and for each user from the set of recipients of that value to have a separatedecryption key. This approach scales poorly to large system sizes.
Tahoe [49], a distributed file system, uses symmetric encryption. Each encrypted file isassociated with at least two unique cryptographic values/capabilities. One is a symmetricencryption key and the other one is a hash value for checking integrity. To give access to anencrypted file to a user, one has to share these two cryptographic capabilities with this user.Taking into account the large number of friends in social networks, such sharing results in toomuch overhead and becomes prohibitively expensive. By grouping a set of files into a directory(a file that contains all cryptographic capabilities required to read/write any file from the set[49]) and then sharing cryptographic capabilities only for this directory we could partially solvethe problem, but then we lose flexibility of fine-grained access to files.
Anderson et. al [41] describe a social network that divides a user profile in discrete encryptedblocks. Symmetric secret keys for these blocks are shared between users who should have accessto information stored in these blocks by using hierarchical group key management schemes. Weargue, that it is not obvious that there exists a hierarchy of users/groups (unlike the hierarchyof files and directories) in a profile of an average user besides the most simple one, in which anygroup is a subset of group “friends” containing all connections of the profile owner. In a systemwithout access rights hierarchy, a hierarchical group key management scheme will perform nobetter than a simple system based on shared keys for groups.
Issues covered in this thesis
All of the aforementioned systems ensure confidentiality of the users’ content, but informationabout access policies, which describe who has access to this content, is either not protectedat all or it is protected in a way that system’s performance and flexibility suffers. An access-control mechanism of the DOSN should be privacy-preserving, i.e. it should not reveal accesspolicies, and performant at the same time; and these depend on the underlying cryptographicprimitive(s). Taking into account the large number of objects and users in the social networkand the constrained resources of the distributed P2P storage, the cryptographic system usedfor encryption/decryption should have low cryptographic overhead, flexibility to support typicaldata sharing and communication functions of the social network, and adequate performance.What is the best encryption system for DOSNs? How should it be applied to the DOSN?
All cryptographic systems use secret cryptographic keys/credentials. In general, the moreentities/communicating parties the system includes, the bigger number of cryptographic keys isneeded. A typical social network user has hundreds of friends, which means many cryptographickeys/credentials. All of the aforementioned decentralized social networks assume that a userowns a device that has all cryptographic keys/credentials needed to interact with the system.However, if this device is lost or gets broken and there is no backup, then the user becomes cut
16
off from the system. This device becomes a single point of failure. Moreover, it is common thata user owns several devices, so they have to be synchronized. We could of course require usersto carry with them USB sticks containing necessary cryptographic keys. As another option,we could encrypt these keys, store them in the cloud and require users to remember only onekey needed to decrypt and fetch all other keys belonging to them. Either of these variantswould decrease usability. In centralized online social networks users have only one passwordinstead of many cryptographic keys, and they can log in from any computer in the world. Isit possible to use globally accessible accounts, stable network-wide identities, and username-password authentication in decentralized social networks? What would account registration,login, password change, remembered logins, and logout procedures look like?
1.3 Research methodology
This thesis follows the design science research methodology principles [50]. It involves thequalitative and quantitative analysis of existing design artifacts/DOSN architectures followedby the design of new artifacts and their evaluation.
In particular, for the research of encryption-based access control in DOSN, the design arti-facts were evaluated according to the following categories: efficiency, functionality, and privacy.By efficiency we mean how much effort the used encryption scheme creates in terms of storage,computational cost, and communications overhead. By functionality we categorize possibilitiesof using the encryption scheme to manage permissions. By privacy we denote the side-effects ofthe decentralized system of leaking information about the user data and not only the user dataitself (confidentiality).
For the research of password-based authentication in decentralized systems, the authentica-tion mechanisms of P2P backup and storage systems were analyzed.
The analysis was followed by the design of the new protocols for the password-based authen-tication and the new encryption-based access control mechanism aimed at solving the privacyproblem without sacrificing performance. Lightweight custom simulators were developed toevaluate the efficiency of the design. The data used in simulations was taken from the real-world performance measurements of the BitTorrent Mainline DHT overlay and statistical datafrom Facebook. Security properties of the proposed architectures were thoroughly analyzed,but no formal security proofs were made.
1.4 Thesis contribution
A total of 4 research papers have been co-authored during the licentiate thesis. They canbe broadly characterized into three topics: encryption protocols for encryption-based accesscontrol, management of cryptographic keys/credentials via user accounts with password-basedlogin in decentralized P2P networks, and communication protocols and general architecture fordecentralized social networks. The thesis focuses on the first two topics.
List of Papers
1. O. Bodriagov and S. Buchegger, “Encryption for peer-to-peer social networks,” in Securityand Privacy in Social Networks, Y. Altshuler, Y. Elovici, A. B. Cremers, N. Aharony, andA. Pentland, Eds. Springer New York, 2013, pp. 47–65.
Abstract. To address privacy concerns over online social networking services, severaldecentralized alternatives have been proposed. These peer-to-peer (P2P) online socialnetworks do not rely on centralized storage of user data. Instead, data can be stored not
17
only on a computer of a profile owner but almost anywhere (friends’ computers, randompeers from the social network, third-party external storage, etc.). Since the externalstorage is often untrusted or only semi-trusted, encryption plays a fundamental role inthe security of P2P social networks.Such a system needs to be efficient to be used on a large scale, provide the functionalityof changing access rights suitable for social networks, and, crucially, it should preserveprivacy properties itself. That is, beyond user data confidentiality, it has to protectagainst information leakage about users’ access rights and behavior. In this paper weexplore the requirements of encryption for P2P social networks and propose a list ofcriteria for evaluation that we then use to compare a set of existing approaches. We findthat none of the current P2P architectures for social networks achieve secure, efficient,24/7 access control enforcement and data storage. They either rely on trust, requireconstantly running servers for each user, use expensive encryption, or fail to protect theprivacy of access information. In the search for a solution that better fulfills the criteria,we found that some broadcast encryption (BE) and predicate encryption (PE) schemesexhibit several desirable properties.
Contribution statement. Oleksandr Bodriagov was the main contributor of this work.Sonja Buchegger provided valuable feedback and contributed to parts of the writing,particularly the abstract and introduction.
2. O. Bodriagov, G. Kreitz, and S. Buchegger, ”Access control in decentralized online so-cial networks: Applying a policy-hiding cryptographic scheme and evaluating its perfor-mance,” Pervasive Computing and Communications Workshops (PERCOM Workshops),2014 IEEE International Conference on , vol., no., pp.622,628, 24-28 March 2014
Abstract. Privacy concerns in online social networking services have prompted a numberof proposals for decentralized online social networks (DOSN) that remove the centralprovider and aim at giving the users control over their data and who can access it. This isusually done by cryptographic means. Existing DOSNs use cryptographic primitives thathide the data but reveal the access policies. At the same time, there are privacy-preservingvariants of these cryptographic primitives that do not reveal access policies. They are,however, not suitable for usage in the DOSN context because of performance or storageconstraints.
A DOSN needs to achieve both privacy and performance to be useful. We analyze predi-cate encryption (PE) and adapt it to the DOSN context. We propose a univariate poly-nomial construction for access policies in PE that drastically increases performance of thescheme but leaks some part of the access policy to users with access rights. We utilizeBloom filters as a means of decreasing decryption time and indicate objects that can bedecrypted by a particular user.
We evaluate the performance of the adapted scheme in the concrete scenario of a newsfeed. Our PE scheme is best suited for encrypting for groups or small sets of separateidentities.
Contribution statement. Oleksandr Bodriagov was the main contributor of this work.Gunnar Kreitz contributed to active discussion and parts of the writing. Sonja Bucheggerprovided valuable feedback and contributed to parts of the writing, particularly introduc-tion.
3. G. Kreitz, O. Bodriagov, B. Greschbach, G. Rodriguez-Cano, and S. Buchegger, “Pass-words in peer-to-peer,” in Peer-to-Peer Computing (P2P), 2012 IEEE 12th InternationalConference on, sept. 2012, pp. 167–178.
18
Abstract. One of the differences between typical peer-to-peer (P2P) and client-serversystems is the existence of user accounts. While many P2P applications, like public filesharing, are anonymous, more complex services such as decentralized online social net-works require user authentication. In these, the common approach to P2P authenticationbuilds on the possession of cryptographic keys. A drawback with that approach is usabilitywhen users access the system from multiple devices, an increasingly common scenario.
In this work, we present a scheme to support logins based on users knowing a username-password pair. We use passwords, as they are the most common authentication mech-anism in services on the Internet today, ensuring strong user familiarity. In addition topassword logins, we also present supporting protocols to provide functionality related topassword logins, such as resetting a forgotten password via e-mail or security questions.Together, these allow P2P systems to emulate centralized password logins. The resultsof our performance evaluation indicate that incurred delays are well within acceptablebounds.
Contribution statement. Gunnar Kreitz was the main contributor of this work. Olek-sandr Bodriagov contributed to active discussion, protocols design (all except for thepassword recovery mechanism), and the adaptation of functional requirements for thepassword-based authentication from the ISO 27002 standard. The protocols were jointlydesigned by all authors. Sonja Buchegger provided valuable feedback.
Other papers (not included in thesis)
4. O. Bodriagov and S. Buchegger, “P2P social networks with broadcast encryption protectedprivacy,” in Privacy and Identity Management for Life, ser. IFIP Advances in Informationand Communication Technology, J. Camenisch, B. Crispo, S. Fischer-Hbner, R. Leenes,and G. Russello, Eds. Springer Berlin Heidelberg, 2012, vol. 375, pp. 197–206.
Summary of Contribution
The contribution of this thesis falls in two topics: encryption-based access control and manage-ment of cryptographic keys/credentials (required for this access control) via user accounts withpassword-based login in decentralized social networks.
Encryption-based access control (papers 1 and 2)
• Four types of encryption systems for decentralized social networks found in the literatureare: symmetric cryptography with key sharing according to hierarchical group key man-agement schemes, combination of asymmetric and symmetric cryptographies, CP-ABE,and broadcast encryption with pseudonyms. To find the most suitable encryption system,we investigated the scenario of decentralized social networks without trusted parties andthe impact this environment has on encryption-based access control systems. Based onthis analysis we formulated the following evaluation criteria that encompass efficiency,functionality, and privacy areas: efficiency of addition/removal of users from a group, ef-ficiency of user key revocation, encryption/decryption efficiency, encryption header over-head, ability to encrypt for the conjunction/disjunction of groups, ability to encrypt for agroup that one is not a member of, ability to encrypt for ”friends of friends”, ability notto reveal access structures in the header.
• The existing access control systems based on symmetric cryptography with key sharing,although being very fast, do not have sufficient functionality and thus have excessivecryptographic overhead in complex information sharing scenarios with fine-grained rights
19
management. We evaluated three other types of encryption systems in terms of theirsuitability for the decentralized social network scenario looking at the stated criteria. Wefound that the combination of asymmetric and symmetric cryptography does not havesufficient efficiency and functionality. CP-ABE schemes have favourable computationalcost and functionality, but there are no CP-ABE schemes with hidden access structuresand low storage and computational cost at the same time. The class of CP-ABE schemesreveals access structures [51]. The only ABE scheme with hidden ciphertext policies [52]that we know of and that was named/classified as ”HP-ABE” by Camenisch et al [53],is not suitable for decentralized social networks because of the quadratic growth of theciphertext size in the number of attributes.
Broadcast encryption with pseudonyms gives only a limited anonymity property. Usersmay infer the identity behind the pseudonym as it is still possible to see which pseudonymis authorized to decrypt what.
• We proposed to use two classes of privacy preserving schemes in the DOSN context:broadcast encryption schemes with hidden access structures and predicate encryption(PE) schemes. Both of these schemes do not have the mentioned drawbacks, though wenote that current PE schemes are relatively slow compared to BE schemes.
• We applied inner-product predicate encryption to the DOSN context. It is too expensiveto use out of the box. Therefore, for PE we developed a construction for access policiesthat drastically increases performance, but introduces some trade-offs: it allows encrypt-ing for a bounded set of groups/users; this bound is a trade-off between efficiency andfunctionality of the scheme; the number of groups in the system is unlimited; a user has 2g
different decryption keys, where g is the number of groups a user is a member of; havingmultiple keys leaks some information about access policies. We designed an experimentthat showed that for newsfeed assembly from all friends (one of the most time consumingoperations) our scheme shows good performance and thus user experience.
• For schemes that do not reveal access policies and have relatively slow decryption, weproposed to use Bloom filters to indicate to users which files they can decrypt. Bloomfilters are both fast and space-efficient, and thus are suitable for DOSNs.
Management of cryptographic keys, user accounts, and login (paper 3)
• Decentralized online social networks require cryptographic keys for authentication andcommunication between users. With users having and using multiple devices (which oftendo not belong to them) to interact, direct usage of cryptographic keys for authenticationdrastically decreases usability. We propose a password-based login procedure for the P2Psetting that allows a user who passes authentication to recover a set of cryptographickeys required for the application. Password-based authentication being the most commonauthentication mechanism on the Internet today has strong user familiarity. As far as weknow, our work was the first to focus on password-based logins in a P2P setting in generaland decentralized social networks in particular. Our security questions are similar to [54],but the protocols are new and relatively straightforward.
• In addition to password logins, we also present supporting protocols to provide functional-ity related to password logins, such as remembered logins, password change, and recoveryof the forgotten password via e-mail or security questions. The combination of theseprotocols allows to emulate password logins in centralized systems.
20
• The performance of our mechanisms in terms of delay depends on the underlying P2P sys-tem in general and on amount of intentional delay added by parametrizing cryptographicfunctions. We developed a lightweight custom simulator to evaluate the performance ofthe login operation. The results indicate that incurred delays are well within acceptablebounds [55].
1.5 Conclusions and Future work
This thesis focuses on the problem of privacy in current online social networks and develops asolution to it in the domain of encryption-based decentralized social networks. First, we de-scribed the potential of broadcast encryption schemes with hidden access structures and pred-icate encryption schemes for the decentralized social networks and their advantages comparedto encryption systems used in existing decentralized social networks.
Second, we designed an encryption-based access control system using predicate encryptionwith specially crafted access policies. As a proof of concept, we performed a simulation reflectingthe realistic scenario of assembling the news feed which demonstrated feasibility of predicateencryption for decentralized social networks.
Third, we proposed a mechanism of managing and retrieving the cryptographic keys usedby encryption-based decentralized social networks that uses password-based authentication,meaning a strong user familiarity and ease of usage. We also presented supporting protocolsfor password change, remembered logins, and recovery of the forgotten password.
The encryption-based access control system and the key management system with password-based login that we designed are independent and can be used separately.
Directions for Future work
While the thesis includes initial discussions of security properties of our constructions, the nextstep should be a thorough security analysis. In the proposed encryption-based access controlsystem we should analyze the leakage of information about access policies to people who haveaccess according to these policies.
Another issue worth considering is protection against malicious/curious storage nodes thattry to map identities of nodes requesting information to the requested information. This map-ping would potentially allow these storage nodes to find out the network identities of friendsof a person whose content is stored on these storage nodes. Although the problem of anony-mous communications has been mostly addressed by onion routing networks, recent studies andreports [56, 57] show that a well-known onion routing network Tor is vulnerable. We should in-vestigate if onion routing can protect against the identity mapping and if it can be incorporatedinto the system.
Another direction is adaptation of broadcast encryption schemes with hidden access struc-tures for the decentralized social networks. We have advanced considerably in this directionwhile working with anonymous broadcast encryption (ANOBE) [58]. Our ultimate goal is to de-sign an encryption-based access control system for decentralized systems without any trade-offsbetween privacy and performance.
In the area of key management we have only touched upon the question of key revocation,but it deserves a thorough investigation. Another question related to key revocation is theeffect of forward-secrecy on encryption-based access control systems and whether this propertyis beneficial for decentralized social networks.
21
All measurements and estimations for cryptographic schemes in this thesis were made at a128-bit security level. While a security-strength time frame for this level according to NISTspans beyond 2031 [59], it is worth considering higher security levels for long-term privacy.
It is also worth investigating applicability of the developed encryption-based access controlmechanisms to decentralized systems with a multi-recipient communication pattern other thansocial networks.
22
Chapter 2
Errata for included publications
Two articles included in the thesis that deal with encryption for P2P social networks are ”En-cryption for Peer-to-Peer Social Networks” and ”Access Control in Decentralized Online SocialNetworks: Applying a Policy-Hiding Cryptographic Scheme and Evaluating Its Performance”.The time difference between these two papers is a couple of years. The first paper states:”CP-ABE and PE decryption algorithms contain bilinear pairing operations, and since they arecomputationally expensive and their number linearly depends on the number of attributes, wecan conclude that this operation is quite expensive”. At the same time encryption operation isconsidered far less time consuming than decryption: ”the encryption time is very favorable” inthis paper. We assumed that bilinear pairing are very expensive and should be the dominantcomponent in the total operation latency. However, after the first article had been published,an article with extremely efficient implementation of pairing-based protocols [60] appeared.The authors achieved significantly lower timings than predecessors, in some cases ”more than30 times faster” [60]. The authors measured the performance of the implemented CP-ABEscheme by Waters [61] and observed that ”the Encrypt step for this implementation of this pro-tocol is actually more time-consuming than the pairing-heavy Decrypt step. This goes counterto the received wisdom”. So in fact, for this CP-ABE scheme encryption was slightly faster thandecryption even though decryption contained bilinear pairings. By the time we were writing oursecond article, we already knew about these results, and applied predicate encryption scheme,which also contained bilinear pairing operations, to the P2P social networks context.
23
Bibliography
[1] Samuel D Warren and Louis D Brandeis. “The right to privacy”. In: Harvard law review(1890), pp. 193–220.
[2] Alessandro Acquisti and Ralph Gross. “Imagined Communities: Awareness, Informa-tion Sharing, and Privacy on the Facebook”. In: Privacy Enhancing Technologies. Ed.by George Danezis and Philippe Golle. Vol. 4258. Lecture Notes in Computer Science.Springer Berlin Heidelberg, 2006, pp. 36–58.
[3] Zeynep Tufekci. “Can You See Me Now? Audience and Disclosure Regulation in Online So-cial Network Sites”. In: Bulletin of Science, Technology & Society 28.1 (2008), pp. 20–36.url: userpages.umbc.edu/%5C~%7B%7Dzeynep/papers/ZeynepCanYouSeeMeNowBSTS.pdf.
[4] Ralph Gross and Alessandro Acquisti. “Information Revelation and Privacy in OnlineSocial Networks”. In: Proceedings of the 2005 ACM Workshop on Privacy in the ElectronicSociety. WPES ’05. Alexandria, VA, USA: ACM, 2005, pp. 71–80.
[5] Bernhard Debatin et al. “Facebook and Online Privacy: Attitudes, Behaviors, and Un-intended Consequences”. In: J. Computer-Mediated Communication 15.1 (2009), pp. 83–108.
[6] Sonja Utz and N Kramer. “The privacy paradox on social network sites revisited: The roleof individual characteristics and group norms”. In: Cyberpsychology: Journal of Psychoso-cial Research on Cyberspace 3(2), article 1 (2009). url: http://www.cyberpsychology.eu/view.php?cisloclanku=2009111001&article=1.
[7] Facebook’s New Terms Of Service: ”We Can Do Anything We Want With Your Content.Forever.”. Consumerist, 2009. url: http://consumerist.com/2009/02/15/facebooks-new- terms- of- service- we- can- do- anything- we- want- with- your- content-
forever/.
[8] Google Terms of Service. Google, 2007. url: http : / / www . google . com / intl / en /
policies/terms/archive/20070416/.
[9] Oliver Smith. Facebook terms and conditions: why you don’t own your online life. 2013.url: http://www.telegraph.co.uk/technology/social-media/9780565/Facebook-terms-and-conditions-why-you-dont-own-your-online-life.html.
[10] Google Terms of Service. Google, 2014. url: http : / / www . google . com / intl / en /
policies/terms/.
[11] Facebook’s New Terms Of Service: ”We Can Do Anything We Want With Your Content.Forever.”. Facebook, 2013. url: https://www.facebook.com/legal/terms.
[12] Facebook unveils privacy changes. CNN, 2009. url: http://edition.cnn.com/2009/TECH/12/10/facebook.privacy/.
25
[13] Stefan Stieger et al. “Who commits virtual identity suicide? Differences in privacy con-cerns, Internet addiction, and personality between facebook users and quitters”. In: Cy-berpsychology, Behavior, and Social Networking 16.9 (2013), pp. 629–634.
[14] Facebook annual report 2013. Facebook, 2013. url: http://files.shareholder.com/downloads/AMDA-NJ5DZ/3101818145x0x741493/EDBA9462-3E5E-4711-B0B4-1DFE9B541222/
FB_AR_33501_FINAL.pdf.
[15] Adrienne Felt and David Evans. Privacy Protection for Social Networking Platforms.W2SP ’08: Workshop on Web 2.0 Security and Privacy. Oakland, California, May 2008.
[16] Bin Zhou and Jian Pei. “Preserving Privacy in Social Networks Against NeighborhoodAttacks”. In: ICDE ’08: Proceedings of the 2008 IEEE 24th on Data Engineering. Cancun,Mexico, Apr. 2008, pp. 506–515.
[17] Matthew Lucas and Nikita Borisov. “FlyByNight: mitigating the privacy risks of so-cial networking”. In: Proceedings of the 5th Symposium on Usable Privacy and Security.SOUPS ’09. Mountain View, California, 2009, 37:1–37:1. url: http://doi.acm.org/10.1145/1572532.1572577.
[18] Wanying Luo, Qi Xie, and U. Hengartner. “FaceCloak: An Architecture for User Privacyon Social Networking Sites”. In: Computational Science and Engineering, 2009. CSE ’09.International Conference on. Vol. 3. Aug. 2009, pp. 26–33.
[19] Saikat Guha, Kevin Tang, and Paul Francis. “NOYB: Privacy in Online Social Networks”.In: Proceedings of the First Workshop on Online Social Networks. WOSN ’08. Seattle, WA,USA: ACM, 2008, pp. 49–54.
[20] Amin Tootoonchian et al. “Lockr: Better Privacy for Social Networks”. In: Proceedings ofthe 5th International Conference on Emerging Networking Experiments and Technologies.CoNEXT ’09. Rome, Italy: ACM, 2009, pp. 169–180.
[21] BO Han and John Windsor. “USER’S WILLINGNESS TO PAY ON SOCIAL NET-WORK SITES.” In: Journal of computer information systems 51.4 (2011).
[22] About App.net. 2014. url: https://app.net/about/.
[23] Glenn Greenwald and Ewen MacAskill. NSA Prism program taps in to user data of Apple,Google and others. 2013. url: http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data.
[24] Dalton Caldwell. App.net State of the Union. May 2014. url: https://app.net/about/.
[25] Welcome to diaspora*. May 2014. url: https://diasporafoundation.org.
[26] How many users are in the DIASPORA network? May 2014. url: https://diasp.eu/stats.html.
[27] Diaspora*: FAQ for users. May 2014. url: https://wiki.diasporafoundation.org/FAQ_for_users#Account_and_data_management.
[28] Amre Shakimov et al. “Vis-a-Vis: Privacy-preserving online social networking via VirtualIndividual Servers”. In: COMSNETS. 2011, pp. 1–10.
[29] Zhaoguang Wang et al. “An untold story of middleboxes in cellular networks”. In: Proceed-ings of the ACM SIGCOMM 2011 conference. SIGCOMM ’11. Toronto, Ontario, Canada:ACM, 2011, pp. 374–385. isbn: 978-1-4503-0797-0. doi: 10.1145/2018436.2018479. url:http://doi.acm.org/10.1145/2018436.2018479.
[30] Pyda Srisuresh, Bryan Ford, and Dan Kegel. State of Peer-to-Peer (P2P) Communicationacross Network Address Translators (NATs). IETF Informational. 2008. url: https:
//tools.ietf.org/html/rfc5128#page-7.
26
[31] B. Amann et al. “IgorFs: A Distributed P2P File System”. In: Peer-to-Peer Computing ,2008. P2P ’08. Eighth International Conference on. Sept. 2008, pp. 77–78.
[32] Dinh Nguyen Tran, Frank Chiang, and Jinyang Li. “Friendstore: Cooperative OnlineBackup Using Trusted Nodes”. In: Proceedings of the 1st Workshop on Social NetworkSystems. SocialNets ’08. New York, NY, USA: ACM, 2008, pp. 37–42.
[33] Fay Chang et al. “Bigtable: A distributed storage system for structured data”. In: ACMTransactions on Computer Systems (TOCS) 26.2 (2008), p. 4.
[34] H.B. Ribeiro and E. Anceaume. “DataCube: A P2P Persistent Data Storage ArchitectureBased on Hybrid Redundancy Schema”. In: Parallel, Distributed and Network-Based Pro-cessing (PDP), 2010 18th Euromicro International Conference on. Feb. 2010, pp. 302–306. doi: 10.1109/PDP.2010.60.
[35] R. Sharma et al. “An empirical study of availability in friend-to-friend storage systems”.In: Peer-to-Peer Computing (P2P), 2011 IEEE International Conference on. Aug. 2011,pp. 348–351.
[36] R. Sharma and A. Datta. “SuperNova: Super-peers based architecture for decentralizedonline social networks”. In: Communication Systems and Networks (COMSNETS), 2012Fourth International Conference on. Jan. 2012, pp. 1–10.
[37] R. Gracia-Tinedo, M. Sanchez Artigas, and P. Garda Lopez. “Analysis of data availabilityin F2F storage systems: When correlations matter”. In: Peer-to-Peer Computing (P2P),2012 IEEE 12th International Conference on. Sept. 2012, pp. 225–236.
[38] K. Rzadca, A. Datta, and S. Buchegger. “Replica Placement in P2P Storage: Complexityand Game Theoretic Analyses”. In: Distributed Computing Systems (ICDCS), 2010 IEEE30th International Conference on. June 2010, pp. 599–609.
[39] Rammohan Narendula, Thanasis G. Papaioannou, and Karl Aberer. “Towards the Real-ization of Decentralized Online Social Networks: An Empirical Study”. In: Proceedings ofthe 2012 32Nd International Conference on Distributed Computing Systems Workshops.ICDCSW ’12. IEEE Computer Society, 2012, pp. 155–162. isbn: 978-0-7695-4686-5.
[40] Sonja Buchegger et al. “PeerSoN: P2P social networking: early experiences and insights”.In: Proceedings of the Second ACM EuroSys Workshop on Social Network Systems. SNS’09. 2009, pp. 46–52.
[41] Jonathan Anderson et al. “Privacy-enabling Social Networking over Untrusted Networks”.In: Proceedings of the 2Nd ACM Workshop on Online Social Networks. WOSN ’09. Barcelona,Spain: ACM, 2009, pp. 1–6.
[42] L.A. Cutillo, R. Molva, and T. Strufe. “Safebook: A privacy-preserving online social net-work leveraging on real-life trust”. In: Communications Magazine, IEEE 47.12 (Dec.2009), pp. 94–101. issn: 0163-6804.
[43] Randy Baden et al. “Persona: an online social network with user-defined privacy”. In:SIGCOMM Comput. Commun. Rev. 39 (4 Aug. 2009), pp. 135–146.
[44] Shirin Nilizadeh et al. “Cachet: a decentralized architecture for privacy preserving socialnetworking with caching”. In: CoNEXT. Nice, France: ACM, 2012, pp. 337–348. isbn:978-1-4503-1775-7. doi: 10.1145/2413176.2413215.
[45] Felix Gunther, Mark Manulis, and Thorsten Strufe. “Cryptographic treatment of pri-vate user profiles”. In: Financial Cryptography. Vol. 7126. LNCS. Rodney Bay, St. Lucia:Springer-Verlag, 2012, pp. 40–54. isbn: 978-3-642-29888-2.
27
[46] Youssef Afify. “Access Control in a Peer-to-peer Social Network”. MA thesis. Lausanne,Switzerland: EPFL, 2008.
[47] Gerrit Willem Mollenhorst. Networks in contexts: How meeting opportunities affect per-sonal relationships. Vol. 150. Utrecht University, 2009.
[48] Sonia Jahid et al. “DECENT: A decentralized architecture for enforcing privacy in onlinesocial networks”. In: PerCom Workshops. 2012, pp. 326–332.
[49] Zooko Wilcox-O’Hearn and Brian Warner. “Tahoe: The Least-authority Filesystem”. In:Proceedings of the 4th ACM International Workshop on Storage Security and Survivability.StorageSS ’08. Alexandria, Virginia, USA: ACM, 2008, pp. 21–26.
[50] Ken Peffers et al. “A Design Science Research Methodology for Information SystemsResearch”. In: J. Manage. Inf. Syst. 24.3 (Dec. 2007), pp. 45–77. url: http://dx.doi.org/10.2753/MIS0742-1222240302.
[51] Allison Lewko et al. “Fully Secure Functional Encryption: Attribute-Based Encryption and(Hierarchical) Inner Product Encryption”. In: Advances in Cryptology - EUROCRYPT2010. Vol. 6110. Lecture Notes in Computer Science. Springer Berlin / Heidelberg, 2010,pp. 62–91.
[52] Takashi Nishide, Kazuki Yoneyama, and Kazuo Ohta. “Attribute-based encryption withpartially hidden encryptor-specified access structures”. In: ACNS. Vol. 5037. LNCS. NewYork,NY, USA: Springer-Verlag, 2008, pp. 111–129.
[53] Jan Camenisch et al. “Oblivious Transfer with Hidden Access Control from Attribute-based Encryption”. In: Proceedings of the 8th International Conference on Security andCryptography for Networks. SCN’12. Amalfi, Italy: Springer-Verlag, 2012, pp. 559–579.
[54] Niklas Frykholm and Ari Juels. “Error-tolerant password recovery”. In: CCS. ACM, 2001,pp. 1–9. isbn: 1-58113-385-5.
[55] Niraj Tolia, David G. Andersen, and Mahadev Satyanarayanan. “Quantifying InteractiveUser Experience on Thin Clients”. In: IEEE Computer Society 39.3 (2006), pp. 46–52.
[56] Aaron Johnson et al. “Users Get Routed: Traffic Correlation on Tor by Realistic Ad-versaries”. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer &Communications Security. CCS ’13. Berlin, Germany: ACM, 2013, pp. 337–348. url:http://doi.acm.org/10.1145/2508859.2516651.
[57] Thoughts and Concerns about Operation Onymous. The Tor Project, Inc, 2014. url:https://blog.torproject.org/category/tags/operation-onymous.
[58] Benoıt Libert, Kenneth G. Paterson, and Elizabeth A. Quaglia. “Anonymous broadcastencryption: adaptive security and efficient constructions in the standard model”. In: PKC.Vol. 7293. LNCS. Springer-Verlag, 2012.
[59] Elaine Barker et al. NIST SP 800-57: Recommendation for Key Management – Part 1:General(Revision 3). NIST, 2012.
[60] Michael Scott. “On the Efficient Implementation of Pairing-Based Protocols”. In: Cryptog-raphy and Coding. Ed. by Liqun Chen. Vol. 7089. LNCS. Springer-Verlag, 2011, pp. 296–308. isbn: 978-3-642-25515-1. doi: 10.1007/978-3-642-25516-8_18.
[61] Brent Waters. “Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient,and Provably Secure Realization”. English. In: Public Key Cryptography – PKC 2011. Ed.by Dario Catalano et al. Vol. 6571. Lecture Notes in Computer Science. Springer BerlinHeidelberg, 2011, pp. 53–70. isbn: 978-3-642-19378-1.
28