Slide1
Privacy in Online Social Networks
Sonia Jahid
Department of Computer Science
University of Illinois at Urbana-Champaign
March 10, 2011
www.soniajahid.com
Slide2
Slide3
Outline
Statistics
Privacy Issues
Research on Online Social Network security and privacy
  flyByNight
  Persona
  EASiER
  NOYB
Slide4
Statistics
Facebook Case:
  More than 500 million active users
  50% of active users log on to Facebook in any given day
  Average user has 130 friends
  People spend over 700 billion minutes per month on Facebook
  There are over 900 million objects that people interact with
  Average user is connected to 80 community pages, groups and events
  Average user creates 90 pieces of content each month
  More than 30 billion pieces of content shared each month
[1] [2] [3]
Slide5
Privacy Issues
Information leak by the Online Social Network (OSN)
  Intentional
    “You’ve Been Poked by University Police”
    “More Advertising Issues on Facebook”
  Accidental
    “Facebook Revealed Private Email Addresses Last Night”
    “Facebook suspends app that permitted peephole”
Attacks
Spam
Phishing
Oversharing
Stalking
60% users trust their friends
18% users trust the provider
6% users trust strangers
[4, 5, 6, 7, 8, 9]
Slide6
Privacy Policies
Isn’t privacy protected by policies?
Privacy policy changes over time
Confusing!
Leads to unwanted information leak to users!
[10]
Slide7
Research on Privacy in OSN
Today’s Focus
Cryptography
Slide8
flyByNight: Mitigating the Privacy Risks of Social Networking
Matthew M. Lucas, Nikita Borisov
WPES, October 2008
Slide9
Overview
A Facebook application designed to encrypt and decrypt data, with the aim of mitigating privacy risks in social networks.
Primary goal:
  Hide information transferred through the OSN from the provider and the application server.
Key idea:
  Encrypt sensitive data using JavaScript on the client side and send the ciphertext to the intended parties, i.e., Facebook friends.
  Uses El-Gamal encryption
  Proxy Cryptography
Slide10
Architecture
Initialization:
  Client generates Public/Private key pair, password
  Client transfers encrypted private key to flyByNight server, and saves in key Database
Send Data:
  Client encrypts private data M with friends’ PK, and tags the encrypted data with friends’ ID, saves encrypted data in message Database on flyByNight server
Receive Data:
  Client decrypts private key with password, decrypts M with the private key
Slide11
One-to-Many Communication
User encrypts the data
User gives the ciphertext to a proxy
User generates a key for the proxy, and for the friend
Proxy transforms the ciphertext for an intended party using El-Gamal encryption
Slide12
Discussion
One encryption per recipient
A partial solution
Slide13
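Added example (not part of the original slides or of the flyByNight code): one ElGamal-based proxy construction that matches the four steps on the flyByNight "One-to-Many Communication" slide. Splitting the private exponent into a proxy share and a friend share is an assumption about how "a key for the proxy, and for the friend" is realized, and the group parameters, function names and sample message are constructed for illustration.

```python
import secrets

# Toy group (constructed for this example): the Mersenne prime 2**127 - 1
# keeps the numbers readable and is far too small for real use.
P = 2**127 - 1
G = 3

def keygen():
    """Return (private exponent x, public key h = G^x mod P)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def encrypt(h, m):
    """Textbook ElGamal on an integer m < P: (c1, c2) = (G^r, m * h^r)."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(h, r, P)) % P

def split_key(x):
    """Split x into (proxy share, friend share) with x1 + x2 = x mod (P - 1)."""
    x1 = secrets.randbelow(P - 1)
    return x1, (x - x1) % (P - 1)

def strip_share(ct, share):
    """Divide c2 by c1^share. The proxy applies this first, the friend second."""
    c1, c2 = ct
    return c1, (c2 * pow(pow(c1, share, P), -1, P)) % P

def demo():
    """User encrypts once; each friend can decrypt only via the proxy."""
    x, h = keygen()
    m = int.from_bytes(b"wall post", "big")   # constructed sample message
    ct = encrypt(h, m)
    seen = {}
    for friend in ("bob", "carol"):
        x_proxy, x_friend = split_key(x)          # fresh split per friend
        transformed = strip_share(ct, x_proxy)    # proxy's step
        seen[friend] = {
            "plaintext": strip_share(transformed, x_friend)[1],  # friend's step
            "proxy_view": transformed[1],         # still masked by G^(r*x_friend)
            "without_proxy": strip_share(ct, x_friend)[1],
        }
    return m, seen
```

In this construction the two shares add up to the user's private exponent, so a friend who colludes with the proxy recovers the full key.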
Persona: An Online Social Network with User-Defined Privacy
Randy Baden, Adam Bender, Neil Spring, Bobby Bhattacharjee
SIGCOMM 2009
Slide14
Overview
A new architecture for OSN that provides privacy
  Encryption, Distributed Storage
Key Idea:
  Defines social relationships by attribute-key assignment
  Encrypts data once for an attribute policy
  Provides confidentiality through various cryptographic mechanisms
  Stores user information in distributed storage
  Provides OSN functionality as services
Slide15
Cryptography (Background on Attribute-based Encryption)
[Figure: Key Authority with PK and MSK; Sarah holds SK with attributes Professor, Architecture; Sam holds SK with attributes RA, Networking; a message encrypted with PK "can be viewed by" the policy Professor OR (RA AND Security).]
Slide16
Cryptography
Symmetric Keys (AES)
  Data Encryption
Attribute-based Encryption (CPABE)
  Distribute the AES keys for groups
  Distribute RSA keys for group identities
Asymmetric (RSA) keys
  Distribute attribute-secret key
Idea:
  Generate Attribute Secret Key for U1: ASK1
  Encrypt ASK1 with PK1: Enc_PK1(ASK1)
  Enc(M, K), ABE(K, policy, APK)
U1:
  Decrypt Enc_PK1(ASK1) with her RSA private key to get ASK1
  Use ASK1 to get K from ABE(K, policy, APK)
  Use K to get M from Enc(M, K)
[Figure labels: friend, neighbor; colleague, neighbor; friend; A.APK]
Slide17
Architecture
Data storage
  Stored/retrieved through get/put
  No authentication for get
Functionalities like wall, profile provided through a multiple reader/writer application
  Users register for application
  Users add ACL to the application page
  Application page contains metadata, i.e., references to data
Encryption/Decryption done at client side using browser extension
[Figure: Alice posts on Bob’s wall. Labels: Storage Service; Application Server (Wall); Post (data); ref; Post (ref); authenticate]
Slide18
Discussion
Persona does not support efficient revocation
  Have to rekey rest of the group just to revoke one user from the group
Though it says distributed storage, physically it is implemented on the same server
Slide19
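Added example (not part of the original slides or of Persona's code): how the policy from Persona's attribute-based encryption background slide, Professor OR (RA AND Security), gates the recovery of the symmetric key K. It shows only the secret sharing over the policy tree; the attribute check in recover() stands in for the pairing-based key components of real CP-ABE, so nothing here is cryptographically enforced or collusion resistant. The modulus, function names and the third attribute set in the usage are assumptions.

```python
import secrets

Q = 2**127 - 1  # modulus for the shares (constructed; any large prime works)

# Policy from the slide, written as a nested tuple tree.
POLICY = ("OR", "Professor", ("AND", "RA", "Security"))

def share(node, secret, path="0", out=None):
    """Distribute `secret` over the tree; returns {leaf_path: (attribute, share)}."""
    out = {} if out is None else out
    if isinstance(node, str):                 # leaf = one attribute
        out[path] = (node, secret)
        return out
    op, *children = node
    if op == "OR":                            # any one child recovers the secret
        parts = [secret] * len(children)
    else:                                     # AND: every child is needed
        parts = [secrets.randbelow(Q) for _ in children[:-1]]
        parts.append((secret - sum(parts)) % Q)
    for i, (child, part) in enumerate(zip(children, parts)):
        share(child, part, f"{path}.{i}", out)
    return out

def recover(node, shares, attrs, path="0"):
    """Return the secret if `attrs` satisfy the subtree at `node`, else None."""
    if isinstance(node, str):
        return shares[path][1] if node in attrs else None
    op, *children = node
    got = [recover(c, shares, attrs, f"{path}.{i}") for i, c in enumerate(children)]
    if op == "OR":
        return next((g for g in got if g is not None), None)
    return None if None in got else sum(got) % Q

def demo():
    """K plays the role of the AES key in Enc(M, K), ABE(K, policy, APK)."""
    k = secrets.randbelow(Q)
    shares = share(POLICY, k)
    users = {
        "Sarah": {"Professor", "Architecture"},   # attributes from the slide
        "Sam": {"RA", "Networking"},              # attributes from the slide
        "hypothetical RA in Security": {"RA", "Security"},
    }
    return k, {name: recover(POLICY, shares, attrs) for name, attrs in users.items()}
```

Sarah recovers K through the Professor branch, Sam gets nothing because the AND branch lacks Security, and Sam's single RA share is a random value unrelated to K.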
EASiER: Encryption-based Access Control in Social Networks with Efficient Revocation
Sonia Jahid, Prateek Mittal, and Nikita Borisov
ASIACCS, March 2011 (to appear)
Slide20
Overview
An ABE scheme to enhance privacy in OSN with support for efficient revocation
Supports complete or partial relationship revocation
Primary Goal:
  Support efficient revocation in ABE for OSN for fine-grained access control
Key Idea:
  Social relationships defined using attribute keys
  Introduces a minimally trusted proxy
  Rekeys the proxy each time some key is revoked
Slide21
Architecture
[Figure labels: users u1, u2, u3 with keys (SK1), (SK2), (SK3); PK, MK; KeyProxy (Revoke u1, u2); Proxy; CT component; Modified CT component; policy nodes AND, OR with attributes Colleague, Neighbor, Friend]
Slide22
Discussion
Revoked users cannot decrypt future data, or even past data, assuming they did not store the data.
EASiER efficiently supports fine-grained access control in existing OSNs
EASiER can be used in any domain that implements ABE
EASiER does not support access delegation
The proxy has to forget the old key
Slide23
NOYB: Privacy in Online Social Networks
Saikat Guha, Kevin Tang, and Paul Francis
WOSN 2008
Slide24
Overview
An architecture where user data is scattered and public, and a collection of other users’ data
Key Idea:
  Encrypt user data such that the ciphertext follows semantic and statistical properties of legitimate data
  Allow the service provider to work on ciphertext
Slide25
Architecture
Uses out of band channel for key management
User data is divided into atoms
Atoms of similar type constitute a dictionary
Atoms are replaced with other atoms from the dictionary
[Figure: profiles (Alice, F, 26), (Bob, M, 30), (Carol, F, 27); atoms (Alice, F), (26), (Bob, M), (30), (Carol, F), (27); substituted profiles (Alice, F, 27), (Bob, M, 26)]
Slide26
Discussion
Hiding in the crowd
Needs character level substitution for unique values, e.g., email addresses
Slide27
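Added example (not part of the original slides or of the NOYB code): the atom substitution described on the NOYB architecture slide, using the three profiles from its figure as constructed sample data. Using HMAC-SHA256 as the keyed index offset, the per-profile nonce and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the three profiles shown on the NOYB architecture slide.
PROFILES = [("Alice", "F", 26), ("Bob", "M", 30), ("Carol", "F", 27)]
# Atoms of the same type form a dictionary (public, shared by all users).
DICTS = {
    "name_gender": [(n, g) for n, g, _ in PROFILES],
    "age": [a for _, _, a in PROFILES],
}

def _offset(key, nonce, atom_type, size):
    """Keyed pseudorandom index offset (HMAC-SHA256 as the PRF, an assumption)."""
    mac = hmac.new(key, f"{nonce}|{atom_type}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % size

def _swap(atom, atom_type, key, nonce, direction):
    """Replace an atom by the dictionary entry `offset` positions away."""
    d = DICTS[atom_type]
    step = direction * _offset(key, nonce, atom_type, len(d))
    return d[(d.index(atom) + step) % len(d)]

def _transform(profile, key, nonce, direction):
    name, gender, age = profile
    n, g = _swap((name, gender), "name_gender", key, nonce, direction)
    return (n, g, _swap(age, "age", key, nonce, direction))

def encode(profile, key, nonce):
    """What the user uploads: a plausible profile assembled from dictionary atoms."""
    return _transform(profile, key, nonce, +1)

def decode(stored, key, nonce):
    """What a friend holding the out-of-band key recovers."""
    return _transform(stored, key, nonce, -1)

def demo(key=b"shared out of band"):
    """Map each original profile to the profile the provider would store."""
    return {p: encode(p, key, nonce) for nonce, p in enumerate(PROFILES)}
```

Every stored value is a valid dictionary entry, so the provider can keep operating on it; how well a user hides in the crowd depends on the dictionary size, since with three atoms an offset of zero is common.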
Conclusion
Online Social Networks need more privacy aware architecture
Lot of research work on OSN security and privacy
Privacy aware works include
  Cryptography
  Programming language-based access control enforcement
  Decentralization of OSN
Online Social Network in Real Life
Slide28
References
[1] Facebook Statistics
[2] Facebook Statistics, Stats & Facts For 2011
[3] Infographic: Twitter Statistics, Facts & Figures
[4] EDITORIAL: You've been poked by University police
[5] More Advertising Issues on Facebook
[6] Facebook Revealed Private Email Addresses Last Night
[7] Facebook suspends app that permitted peephole
[8] Social phishing, T. N. Jagatic, N. A. Johnson, M. Jakobsson
[9] “Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook,” Alessandro Acquisti and Ralph Gross. PET, 2006
[10] Facebook's Eroding Privacy Policy: A Timeline