sen-material: comparison slides/slides07.tex

equal deleted inserted replaced

-:5f6b72bb5f7f
+:82906b148ff5
 \documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{proof}
+\usepackage{../slides}
-\usepackage{beamerthemeplaincu}
-%\usepackage[T1]{fontenc}
-%\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage{isabelle}
-\usepackage{isabellesym}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{courier}
-\usepackage{listings}
-\usetikzlibrary{arrows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-\usetikzlibrary{shapes}
-\usetikzlibrary{shadows}
-\usetikzlibrary{plotmarks}
-\isabellestyle{rm}
-\renewcommand{\isastyle}{\rm}%
-\renewcommand{\isastyleminor}{\rm}%
-\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
-\renewcommand{\isatagproof}{}
-\renewcommand{\endisatagproof}{}
-\renewcommand{\isamarkupcmt}[1]{#1}
-\newcommand{\isaliteral}[1]{}
-\newcommand{\isactrlisub}[1]{\emph{\isascriptstyle${}\sb{#1}$}}
-% Isabelle characters
-\renewcommand{\isacharunderscore}{\_}
-\renewcommand{\isacharbar}{\isamath{\mid}}
-\renewcommand{\isasymiota}{}
-\renewcommand{\isacharbraceleft}{\{}
-\renewcommand{\isacharbraceright}{\}}
-\renewcommand{\isacharless}{$\langle$}
-\renewcommand{\isachargreater}{$\rangle$}
-\renewcommand{\isasymsharp}{\isamath{\#}}
-\renewcommand{\isasymdots}{\isamath{...}}
-\renewcommand{\isasymbullet}{\act}
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-\lstset{language=Java,
-	basicstyle=\ttfamily,
-	keywordstyle=\color{javapurple}\bfseries,
-	stringstyle=\color{javagreen},
-	commentstyle=\color{javagreen},
-	morecomment=[s][\color{javadocblue}]{/**}{*/},
-	numbers=left,
-	numberstyle=\tiny\color{black},
-	stepnumber=1,
-	numbersep=10pt,
-	tabsize=2,
-	showspaces=false,
-	showstringspaces=false}
-\lstdefinelanguage{scala}{
-morekeywords={abstract,case,catch,class,def,%
-do,else,extends,false,final,finally,%
-for,if,implicit,import,match,mixin,%
-new,null,object,override,package,%
-private,protected,requires,return,sealed,%
-super,this,throw,trait,true,try,%
-type,val,var,while,with,yield},
-otherkeywords={=>,<-,<\%,<:,>:,\#,@},
-sensitive=true,
-morecomment=[l]{//},
-morecomment=[n]{/*}{*/},
-morestring=[b]",
-morestring=[b]',
-morestring=[b]"""
-}
-\lstset{language=Scala,
-	basicstyle=\ttfamily,
-	keywordstyle=\color{javapurple}\bfseries,
-	stringstyle=\color{javagreen},
-	commentstyle=\color{javagreen},
-	morecomment=[s][\color{javadocblue}]{/**}{*/},
-	numbers=left,
-	numberstyle=\tiny\color{black},
-	stepnumber=1,
-	numbersep=10pt,
-	tabsize=2,
-	showspaces=false,
-	showstringspaces=false}
 % beamer stuff
-\renewcommand{\slidecaption}{APP 07, King's College London, 19 November 2013}
+\renewcommand{\slidecaption}{APP 07, King's College London}
-\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
 \newcommand{\bl}[1]{\textcolor{blue}{#1}}
 \begin{document}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+\begin{frame}[t]
-\begin{frame}<1>[t]
 \frametitle{%
 \begin{tabular}{@ {}c@ {}}
 \\
 \LARGE Access Control and \\[-3mm]
 \LARGE Privacy Policies (7)\\[-6mm]
 \end{tabular}}\bigskip\bigskip\bigskip
-%\begin{center}
-%\includegraphics[scale=1.3]{pics/barrier.jpg}
+\normalsize
-%\end{center}
-\normalsize
 \begin{center}
 \begin{tabular}{ll}
 Email:  & christian.urban at kcl.ac.uk\\
 Office: & S1.27 (1st floor Strand Building)\\
 Slides: & KEATS (also homework is there)\\
 \end{tabular}
 \end{center}
+\end{frame}
-\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
+\mode<presentation>{
-\frametitle{}
+\begin{frame}[c]
+\frametitle{Man-in-the-Middle}
-Recall the following scenario:
+\begin{itemize}
-\begin{itemize}
+\item Border Gateway Protocol (BGP) --- routers believe their neighbours
-\item If \textcolor{blue}{Admin} says that \textcolor{blue}{\isa{file}}
+\item it is possible to advertise bad routes
-should be deleted, then this file must be deleted.
+\item can be done over continents\bigskip
-\item \textcolor{blue}{Admin} trusts \textcolor{blue}{Bob} to decide whether
+\end{itemize}
-\textcolor{blue}{\isa{file}} should be deleted (delegation).
-\item \textcolor{blue}{Bob} wants to delete \textcolor{blue}{\isa{file}}.
+\hfill\footnotesize\url{http://www.renesys.com/2013/11/mitm-internet-hijacking/}
-\end{itemize}\bigskip
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\small
-\textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\small\begin{tabular}{l}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}},\\
+\begin{frame}[t]
-\isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}},\\
+\frametitle{Facebook Privacy}
-\isa{Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}}\\
-\end{tabular}}\medskip
+\begin{itemize}
+\item \large Who has a Facebook account?\pause\medskip
-\textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}}}
-\end{frame}}
+\item \large Who keeps the list of friends private?\pause\medskip
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\item \large Who knows that this is completely pointless?
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+{\small (at least at the end of 2013)}\pause\medskip
-\mode<presentation>{
+\end{itemize}
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {\hspace{-2mm}}c@ {}}The Access Control Problem\end{tabular}}
+\only<4>{ Create a fake account. Send a friend request.
+Facebook answers with ``People you may know'' feature.
+Conveniently it has also a ``see all'' button. }
+\only<5>{\small\it ``Our policies explain that changing the
+visibility of people on your friend list controls how they
+appear on your Timeline, and that your friends may be visible
+on other parts of the site, such as in News Feed, Search and
+on other people's Timelines. This behavior is something we'll
+continue to evaluate to make sure we're providing clarity.'' }
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Privacy, Anonymity et al}
+Some terminology:
+\begin{itemize}
+\item \alert{secrecy} is the mechanism used to limit the number of
+principals with access to information (e.g., cryptography or access controls)
+\item \alert{confidentiality} is the obligation to protect the secrets of other people
+or organizations (secrecy for the benefit of an organisation)
+\item \alert{anonymity} is the ability to leave no evidence of an activity (e.g., sharing a secret)
+\item \alert{privacy} is the ability or right to protect your personal secrets
+(secrecy for the benefit of an individual)
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy vs Anonymity}
+\begin{itemize}
+\item everybody agrees that anonymity has its uses (e.g., voting, whistleblowers, peer-review, exams)
+\end{itemize}\bigskip\bigskip\pause
+But privacy?\bigskip\bigskip
+``You have zero privacy anyway. Get over it.''\\
+\hfill{}Scott Mcnealy (CEO of Sun)\bigskip\\
+If you have nothing to hide, you have nothing to fear.
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy}
+private data can be often used against me
+\begin{itemize}
+\item if my location data becomes public, thieves will switch off their phones and help themselves in my home
+\item if supermarkets can build a profile of what I buy, they can use it to their advantage (banks - mortgages)
+\item my employer might not like my opinions\bigskip\pause
+\item one the other hand, Freedom-of-Information Act
+\item medical data should be private, but medical research needs data
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy Problems}
+\begin{itemize}
+\item Apple takes note of every dictation (send over the Internet to Apple)
+\item markets often only work, if data is restricted (to build trust)
+\item Social network can reveal data about you
+\item have you tried the collusion (lightbeam?) extension for FireFox?
+\item I do use Dropbox, store cards
+\end{itemize}
+\begin{textblock}{5}(12,9.9)
+\includegraphics[scale=0.2]{../pics/gattaca.jpg}\\
+\small Gattaca (1997)
+\end{textblock}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy}
+\begin{minipage}{1.05\textwidth}
+\begin{itemize}
+\item we \alert{do} want that government data is made public (free maps for example)
+\item we \alert{do not} want that medical data becomes public (similarly tax data, school
+records, job offers)\bigskip
+\item personal information can potentially lead to fraud
+(identity theft)
+\end{itemize}\pause
+{\bf ``The reality'':}
+\only<2>{\begin{itemize}
+\item London Health Programmes lost in June two years unencrypted details of more than 8 million people
+(no names, but postcodes and details such as gender, age and ethnic origin)
+\end{itemize}}
+\only<3>{\begin{itemize}
+\item also in June two years ago, Sony got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts.
+\end{itemize}}
+\end{minipage}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Privacy and Big Data}
+\mbox{}\\[-16mm]\mbox{}
+Selected sources of ``Big Data'':\smallskip{}
+\begin{itemize}
+\item Facebook
+\begin{itemize}
+\item 40+ Billion photos (100 PB)
+\item 6 Billion messages daily (5 - 10 TB)
+\item 900 Million users
+\end{itemize}
+\item Common Crawl
+\begin{itemize}
+\item covers 3.8 Billion webpages (2012 dataset)
+\item 50 TB of data
+\end{itemize}
+\item Google
+\begin{itemize}
+\item 20 PB daily (2008)
+\end{itemize}
+\item Twitter
+\begin{itemize}
+\item 7 Million users in the UK
+\item a company called Datasift is allowed to mine all tweets since 2010
+\item they charge 10k per month for other companies to target advertisement
+\end{itemize}
+\end{itemize}\pause
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Cookies\ldots}
+``We have published a new cookie policy. It explains what cookies are
+and how we use them on our site. To learn more about cookies and
+their benefits, please view our cookie policy.\medskip
+If you'd like to disable cookies on this device, please view our information
+pages on 'How to manage cookies'. Please be aware that parts of the
+site will not function correctly if you disable cookies. \medskip
+By closing this
+message, you consent to our use of cookies on this device in accordance
+with our cookie policy unless you have disabled them.''
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Scare Tactics}
+The actual policy reads:\bigskip
+``As we explain in our Cookie Policy, cookies help you to get the most
+out of our websites.\medskip
+If you do disable our cookies you may find that certain sections of our
+website do not work. For example, you may have difficulties logging in
+or viewing articles.''
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Netflix Prize}
+Anonymity is \alert{necessary} for privacy, but \alert{not} enough!\bigskip
+\begin{itemize}
+\item Netflix offered in 2006 (and every year until 2010) a 1 Mio \$ prize for improving their movie rating algorithm
+\item dataset contained 10\% of all Netflix users (appr.~500K)
+\item names were removed, but included numerical ratings as well as times of rating
+\item some information was \alert{perturbed} (i.e., slightly modified)
+\end{itemize}
+\hfill{\bf\alert{All OK?}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Re-identification Attacks}
+Two researchers analysed the data:
+\begin{itemize}
+\item with 8 ratings (2 of them can be wrong) and corresponding dates that can have a margin 14-day error, 98\% of the
+records can be identified
+\item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause
+\item they took 50 samples from IMDb (where people can reveal their identity)
+\item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates)
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Re-identification Attacks}
+\begin{itemize}
+\item in 1990 insurance databases were made public with names removed, but  birth dates,
+gender, ZIP-code were retained\medskip
+\item could be cross referenced with public voter registration data in order to find out what the
+medical record of the governor of Massachusetts was
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{}
+\begin{itemize}
+\item Birth data, postcode and gender (unique for\\ 87\% of the US population)
+\item Preferences in movies (99\% of 500K for 8 ratings)
+\end{itemize}\bigskip
+Therefore best practices / or even law (HIPAA, EU):
+\begin{itemize}
+\item only year dates (age group for 90 years or over),
+\item no postcodes (sector data is OK, similarly in the US)\\
+\textcolor{gray}{no names, addresses, account numbers, licence plates}
+\item disclosure information needs to be retained for 5 years
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<2>[c]
+\frametitle{\large How to Safely Disclose Information?}
+\only<1>{
+\begin{itemize}
+\item Assume you make a survey of 100 randomly chosen people.
+\item Say 99\% of the surveyed people in the 10 - 40 age group have seen the
+Gangnam video on youtube.\bigskip
+\item What can you infer about the rest of the population?
+\end{itemize}}
+\only<2>{
+\begin{itemize}
+\item Is it possible to re-identify data later, if more data is released? \bigskip\bigskip\pause
+\item Not even releasing only  aggregate information prevents re-identification attacks.
+(GWAS was a public database of gene-frequency studies linked to diseases;
+you only needed partial DNA information  in order
+to identify whether an individual was part of the study --- DB closed in 2008)
+\end{itemize}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<2>[c]
+\frametitle{\Large We cannot exclude all Harm}
+\begin{itemize}
+\item Analysis of a given data set teaches us that smoking causes cancer.
+Mary, a smoker, is harmed by this analysis: her insurance premiums rise.
+Mary’s premiums rise whether or not her data are in the data set. In other words,
+Mary is harmed by the finding smoking causes cancer.\bigskip
+\item \ldots of course she is also helped; she might quit smoking
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<2>[c]
+\frametitle{Differential Privacy}
+\begin{itemize}
+\item Goal: Nothing about an individual should be learnable from the database that
+cannot be learned without access to the database.\pause\bigskip
+\item Differential privacy is a ``protocol'' which you run on some dataset \bl{$X$} producing
+some output \bl{$O(X)$}.\bigskip
+\item You want to achieve \alert{forward privacy}
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Differential Privacy}
 \begin{center}
-\begin{tikzpicture}[scale=1]
+User\;\;\;\;
+\begin{tabular}{c}
-\draw[line width=1mm] (-.3, -0.5) rectangle (1.5,2);
+tell me \bl{$f(x)$} $\Rightarrow$\\
-\draw (-2.7,1) node {\begin{tabular}{l}access\\request\\ (\bl{$F$})\end{tabular}};
+$\Leftarrow$ \bl{$f(x) + \text{noise}$}
-\draw (4.2,1) node {\begin{tabular}{l}provable/\\not provable\end{tabular}};
+\end{tabular}
-\draw (0.6,0.8) node {\footnotesize \begin{tabular}{l}AC-\\ Checker:\\ applies\\ inference\\ rules\end{tabular}};
+\;\;\;\;\begin{tabular}{@{}c}
+Database\\
-\draw[red, ->, line width = 2mm] (1.7,1) -- (2.7,1);
+\bl{$x_1, \ldots, x_n$}
-\draw[red,<-, line width = 2mm] (-0.6,1) -- (-1.6,1);
-\draw[red, <-, line width = 3mm] (0.6,2.2) -- (0.6,3.2);
-\draw (0.6,4) node {\begin{tabular}{l}\large Access Policy (\boldmath\bl{$\Gamma$})\end{tabular}};
-\end{tikzpicture}
-\end{center}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\begin{itemize}
-\item \bl{$P \,\text{says}\, F$} means \bl{$P$} can send a ``signal'' \bl{$F$} through a wire, or
-can make a ``statement'' \bl{$F$}\bigskip\pause
-\item \bl{$P$} is entitled to do \bl{$F$}\smallskip\\
-\bl{$P \,\text{controls}\, F \,\dn\, (P\,\text{says}\, F) \Rightarrow F$}\medskip
-\begin{center}
-\bl{\infer{\Gamma \vdash F}{\Gamma \vdash P\,\text{controls}\, F & \Gamma \vdash P\,\text{says}\,F}}
-\end{center}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Security Levels}
-\small
-\begin{itemize}
-\item Top secret (\bl{$T\!S$})
-\item Secret (\bl{$S$})
-\item Public (\bl{$P$})
-\end{itemize}
-\begin{center}
-\bl{$slev(P) < slev(S) < slev(T\!S)$}\pause
-\end{center}
-\begin{itemize}
-\item Bob has a clearance for ``secret''
-\item Bob can read documents that are public or sectret, but not top secret
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Reading a File}
-\bl{\begin{center}
-\begin{tabular}{c}
-\begin{tabular}{@ {}l@ {}}
-\only<2->{\textcolor{red}{$slev($File$)$ $<$ $slev($Bob$)$ $\Rightarrow$}}\\
-\only<2->{\hspace{3cm}}Bob controls Permitted $($File, read$)$\\
-Bob says Permitted $($File, read$)$\only<2->{\\}
-\only<2>{\textcolor{red}{$slev($File$)$ $<$ $slev($Bob$)$}}%
-\only<3>{\textcolor{red}{$slev($File$)$ $=$ $P$}\\}%
-\only<3>{\textcolor{red}{$slev($Bob$)$ $=$ $S$}\\}%
-\only<3>{\textcolor{red}{$slev(P)$ $<$ $slev(S)$}\\}%
-\end{tabular}\\
-\hline
-Permitted $($File, read$)$
-\end{tabular}
-\end{center}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Substitution Rule}
-\small
-\bl{\begin{center}
-\begin{tabular}{c}
-$\Gamma \vdash slev(P) = l_1$ \hspace{4mm} $\Gamma \vdash slev(Q) = l_2$
-\hspace{4mm} $\Gamma \vdash l_1 < l_2$\\\hline
-$\Gamma \vdash slev(P) < slev(Q)$
-\end{tabular}
-\end{center}}\bigskip\pause
-\begin{itemize}
-\item \bl{$slev($Bob$)$ $=$ $S$}
-\item \bl{$slev($File$)$ $=$ $P$}
-\item \bl{$slev(P) < slev(S)$}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Reading a File}
-\bl{\begin{center}
-\begin{tabular}{c}
-\begin{tabular}{@ {}l@ {}}
-$slev($File$)$ $<$ $slev($Bob$)$ $\Rightarrow$\\
-\hspace{3cm}Bob controls Permitted $($File, read$)$\\
-Bob says Permitted $($File, read$)$\\
-$slev($File$)$ $=$ $P$\\
-$slev($Bob$)$ $=$ $T\!S$\\
-\only<1>{\textcolor{red}{$?$}}%
-\only<2>{\textcolor{red}{$slev(P) < slev(S)$}\\}%
-\only<2>{\textcolor{red}{$slev(S) < slev(T\!S)$}}%
-\end{tabular}\\
-\hline
-Permitted $($File, read$)$
-\end{tabular}
-\end{center}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Transitivity Rule}
-\small
-\bl{\begin{center}
-\begin{tabular}{c}
-$\Gamma \vdash l_1 < l_2$
-\hspace{4mm} $\Gamma \vdash l_2 < l_3$\\\hline
-$\Gamma \vdash l_1 < l_3$
-\end{tabular}
-\end{center}}\bigskip
-\begin{itemize}
-\item \bl{$slev(P) < slev (S)$}
-\item \bl{$slev(S) < slev (T\!S)$}
-\item[] \bl{$slev(P) < slev (T\!S)$}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Reading Files}
-\begin{itemize}
-\item Access policy for Bob for reading
-\end{itemize}
-\bl{\begin{center}
-\begin{tabular}{c}
-\begin{tabular}{@ {}l@ {}}
-$\forall f.\;slev(f)$ \only<1>{$<$}\only<2>{\textcolor{red}{$\le$}} $slev($Bob$)$ $\Rightarrow$\\
-\hspace{3cm}Bob controls Permitted $(f$, read$)$\\
-Bob says Permitted $($File, read$)$\\
-$slev($File$)$ $=$ \only<1>{$P$}\only<2>{\textcolor{red}{$T\!S$}}\\
-$slev($Bob$)$ $=$ $T\!S$\\
-$slev(P) < slev(S)$\\
-$slev(S) < slev(T\!S)$
-\end{tabular}\\
-\hline
-Permitted $($File, read$)$
-\end{tabular}
-\end{center}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Writing Files}
-\begin{itemize}
-\item Access policy for Bob for {\bf writing}
-\end{itemize}
-\bl{\begin{center}
-\begin{tabular}{c}
-\begin{tabular}{@ {}l@ {}}
-$\forall f.\;slev($Bob$)$ $\le$ $slev(f)$ $\Rightarrow$\\
-\hspace{3cm}Bob controls Permitted $(f$, write$)$\\
-Bob says Permitted $($File, write$)$\\
-$slev($File$)$ $=$ $T\!S$\\
-$slev($Bob$)$ $=$ $S$\\
-$slev(P) < slev(S)$\\
-$slev(S) < slev(T\!S)$
-\end{tabular}\\
-\hline
-Permitted $($File, write$)$
-\end{tabular}
-\end{center}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Encrypted Messages}
-\begin{itemize}
-\item Alice sends a message \bl{$m$}
-\begin{center}
-\bl{Alice says $m$}
-\end{center}\medskip\pause
-\item Alice sends an encrypted message \bl{$m$}\\ (with key \bl{$K$})
-\begin{center}
-\bl{Alice says $\{m\}_K$}
-\end{center}\medskip\pause
-\item Decryption of Alice's message\smallskip
-\begin{center}
-\bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;m}
-{\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_K & \Gamma \vdash \text{Alice}\,\text{says}\,K}}}
-\end{center}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Encryption}
-\begin{itemize}
-\item Encryption of a message\smallskip
-\begin{center}
-\bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_K}
-{\Gamma \vdash \text{Alice}\;\text{says}\;m & \Gamma \vdash \text{Alice}\,\text{says}\,K}}}
-\end{center}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Trusted Third Party}
-Simple protocol for establishing a secure connection via a mutually
-trusted 3rd party (server):
-\begin{center}
-\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l}
-Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B$}\\
-Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{K_{AB}\}_{K_{AS}}$} and \bl{$\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\
-Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\
-Message 4 & \bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\
 \end{tabular}
 \end{center}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{itemize}
+\item \bl{$f(x)$} can be released, if \bl{$f$} is insensitive to
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+individual entries  \bl{$x_1, \ldots, x_n$}\\
-\mode<presentation>{
+\item Intuition: whatever is learned from the dataset would be learned regardless of whether
-\begin{frame}[c]
+\bl{$x_i$} participates\bigskip\pause
-\frametitle{Sending Rule}
+\item Noised needed in order to prevent queries:\\ Christian's salary $=$
-\bl{\begin{center}
+\begin{center}
-\mbox{$\infer{\Gamma \vdash Q \;\text{says}\; F}
+\bl{\large$\Sigma$} all staff $-$  \bl{\large$\Sigma$} all staff $\backslash$ Christian
-{\Gamma \vdash P \;\text{says}\; F & \Gamma \vdash P \;\text{sends}\; Q : F}$}
+\end{center}
-\end{center}}\bigskip\pause
+\end{itemize}
-\bl{$P \,\text{sends}\, Q : F \dn$}\\
+\end{frame}}
-\hspace{6mm}\bl{$(P \,\text{says}\, F) \Rightarrow (Q \,\text{says}\, F)$}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\frametitle{Example}
-\mode<presentation>{
-\begin{frame}[c]
+\begin{center}
-\frametitle{Trusted Third Party}
+\begin{tabular}{l|l}
+Name	 & Has the disease?\\\hline
-\begin{center}
+Alice          & yes\\
-\bl{\begin{tabular}{l}
+Bob     	 & no\\
-$A$ sends $S$ : $\text{Connect}(A,B)$\\
+Charlie	 & yes\\
-\bl{$S \,\text{says}\, (\text{Connect}(A,B) \Rightarrow$}\\
+Eve	         & no\\
-\hspace{2.5cm}\bl{$\{K_{AB}\}_{K_{AS}} \wedge
+Chandler	 & yes\\
-\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}})$}\\
+\end{tabular}
-$S$ sends $A$ : $\{K_{AB}\}_{K_{AS}}$ \bl{$\wedge$} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
+\end{center}
-$A$ sends $B$ : $\{K_{AB}\}_{K_{BS}}$\\
-$A$ sends $B$ : $\{m\}_{K_{AB}}$
+How many people have a disease?
-\end{tabular}}
-\end{center}\bigskip\pause
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\bl{$\Gamma \vdash B \,\text{says} \, m$}?
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{frame}}
+\mode<presentation>{
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Adding Noise}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
+Adding noise is not as trivial as one would wish:
-\begin{frame}[c]
-\frametitle{Public/Private Keys}
+\begin{itemize}
+\item If I ask how many of three have a disease and get a result
-\begin{itemize}
+as follows
-\item Bob has a private and public key: \bl{$K_{Bob}^{pub}$}, \bl{$K_{Bob}^{priv}$}\bigskip
 \begin{center}
-\bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;m}
+\begin{tabular}{l|c}
-{\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_{K_{Bob}^{pub}} &
+Alice & yes\\
-\Gamma \vdash K_{Bob}^{priv}}}}
+Bob & no\\
-\end{center}\bigskip\pause
+Charlie & yes\\
+\end{tabular}
-\item this is {\bf not} a derived rule!
+\end{center}
-\end{itemize}
+then I have to add a noise of \bl{$1$}. So answers would be in the
-\end{frame}}
+range of \bl{$1$} to \bl{$3$}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\bigskip
+\item But if I ask five questions for all the dataset (has the disease, is male, below 30, \ldots),
-%  \begin{itemize}
+then one individual can change the dataset by \bl{$5$}
-%  \item Alice calls Sam for a key to communicate with Bob
+\end{itemize}
-%  \item Sam responds with a key that Alice can read and a key Bob can read (pre-shared)
-% \item Alice sends the message encrypted with the key and the second key it recieved
+\end{frame}}
-% \end{itemize}\bigskip
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
-\begin{frame}[c]
+\begin{frame}[t]
-\frametitle{Sending Rule}
+\frametitle{\begin{tabular}{@{}c@{}}Tor (private web browsing)\end{tabular}}
+\begin{itemize}
-\bl{\begin{center}
+\item initially developed by US Navy Labs, but then opened up to the world
-\mbox{\infer{\Gamma \vdash Q \;\textit{says}\; F}
+\item network of proxy nodes
-{\Gamma \vdash P \;\textit{says}\; F & \Gamma \vdash P \;\textit{sends}\; Q : F}}
+\item a Tor client establishes a ``random'' path to the destination server (you cannot trace back where the information came from)\bigskip\pause
-\end{center}}\bigskip\pause
+\end{itemize}
-\bl{$P \,\text{sends}\, Q : F \dn$}\\
+\only<2>{
-\hspace{6mm}\bl{$(P \,\text{says}\, F) \Rightarrow (Q \,\text{says}\, F)$}
+\begin{itemize}
+\item malicious exit node attack: someone set up 5 Tor exit nodes and monitored the traffic:
-\end{frame}}
+\begin{itemize}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\item a number of logons and passwords used by embassies (Usbekistan `s1e7u0l7c', while
+Tunesia `Tunesia' and India `1234')
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{itemize}
-\mode<presentation>{
+\end{itemize}}
-\begin{frame}[c]
+\only<3>{
-\frametitle{Trusted Third Party}
+\begin{itemize}
+\item bad apple attack: if you have one insecure application, your IP can be tracked through Tor
-\begin{center}
+\begin{itemize}
-\bl{\begin{tabular}{l}
+\item background: 40\% of traffic on Tor is generated by BitTorrent
-$A$ sends $S$ : $\textit{Connect}(A,B)$\\
+\end{itemize}
-\bl{$S \,\text{says}\, (\textit{Connect}(A,B) \Rightarrow$}\\
+\end{itemize}}
-\hspace{2.5cm}\bl{$\{K_{AB}\}_{K_{AS}} \wedge
-\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}})$}\\
-$S$ sends $A$ : $\{K_{AB}\}_{K_{AS}}$ \bl{$\wedge$} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
+\end{frame}}
-$A$ sends $B$ : $\{K_{AB}\}_{K_{BS}}$\\
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-$A$ sends $B$ : $\{m\}_{K_{AB}}$
-\end{tabular}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{center}\bigskip\pause
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Tor Nodes}
-\bl{$\Gamma \vdash B \,\text{says} \, m$}?
-\end{frame}}
+Dan Egerstad wrote:\bigskip
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\it ``If you actually look in to where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they're using lots of bandwidth, they're heavy-duty servers and so on. Who would pay for this and be anonymous?"
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
+\end{frame}}
-\frametitle{Challenge-Response Protocol}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{itemize}
-\item an engine \bl{$E$} and a transponder \bl{$T$} share a key \bl{$K$}\bigskip
-\item \bl{$E$} sends out a \alert{nonce} \bl{$N$} (random number) to \bl{$T$}\bigskip
-\item \bl{$T$} responds with \bl{$\{N\}_K$}\bigskip
-\item if \bl{$E$} receives  \bl{$\{N\}_K$} from \bl{$T$}, it starts engine
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{itemize}
+\mode<presentation>{
+\begin{frame}[t]
-\end{frame}}
+\frametitle{\begin{tabular}{@{}c@{}}Skype\end{tabular}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{itemize}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\item Skype used to be known as a secure online communication (encryption cannot be disabled),
-\mode<presentation>{
+but \ldots\medskip
-\begin{frame}[c]
-\frametitle{Challenge-Response Protocol}
+\item it is impossible to verify whether crypto algorithms are correctly used, or whether  there are backdoors.\bigskip
-\begin{center}
+\item recently someone found out that you can reset the password of somebody else's
-\bl{\begin{tabular}{l}
+account, only knowing their email address (needed to suspended the password reset feature temporarily)
-$E \;\text{says}\; N$\hfill(start)\\
+\end{itemize}
-$E \;\text{sends}\; T : N$\hfill(challenge)\\
-$(T \;\text{says}\; N) \Rightarrow (T \;\text{sends}\; E : \{N\}_K \wedge$\\
-\hspace{3.5cm} $T \;\text{sends}\; E : \text{Id}(T))$\;\;\;\hfill(response)\\
+\end{frame}}
-$T \;\text{says}\; K$\hfill(key)\\
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-$T \;\text{says}\; \text{Id}(T)$\hfill(identity)\\
-$(E \;\text{says}\; \{N\}_K \wedge E \;\text{says}\; \text{Id}(T)) \Rightarrow$\\
-\hspace{5cm}$ \text{start\_engine}(T)$\hfill(engine)\\
-\end{tabular}}
-\end{center}\bigskip
-\bl{$\Gamma \vdash \text{start\_engine}(T)$}?
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{Exchange of a Fresh Key}
+\frametitle{\begin{tabular}{@{}c@{}}Take Home Point\end{tabular}}
-\bl{$A$} and \bl{$B$} share a (``super-secret'') key \bl{$K_{AB}$} and want to share another key
+According to Ross Anderson: \bigskip
+\begin{itemize}
-\begin{itemize}
+\item Creating large databases of sensitive personal information is intrinsically
-\item assumption \bl{$K_{AB}$} is only known to \bl{$A$} and \bl{$B$}\bigskip
+hazardous (NHS)\bigskip
-\item \bl{$A \,\text{sends}\, B :  A, \{N_A\}_{K_{AB}}$}
-\item \bl{$B\,\text{sends}\, A : \{N_A + 1, N_B\}_{K_{AB}}$}
-\item \bl{$A \,\text{sends}\, B : \{N_B + 1\}_{K_{AB}}$}
+\item Privacy in a big hospital is just about doable.\medskip
-\item \bl{$B \,\text{sends}\, A : \{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}
+\item How do you enforce privacy  in something as big as Google
-\item<2> \bl{$A \,\text{sends}\, B : \{msg\}_{K^{new}_{AB}}$}
+or complex as Facebook? No body knows.\bigskip
-\end{itemize}\bigskip
+Similarly, big databases imposed by government
-Assume \bl{$K^{new}_{AB}$} is compromised by \bl{$I$}
+\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{The Attack}
-An intruder \bl{$I$} convinces \bl{$A$} to accept the compromised key \bl{$K^{new}_{AB}$}\medskip
-\begin{minipage}{1.1\textwidth}
-\begin{itemize}
-\item \bl{$A \,\text{sends}\, B :  A, \{N_A\}_{K_{AB}}$}
-\item \bl{$B\,\text{sends}\, A : \{N_A + 1, N_B\}_{K_{AB}}$}
-\item \bl{$A \,\text{sends}\, B : \{N_B + 1\}_{K_{AB}}$}
-\item \bl{$B \,\text{sends}\, A : \{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\;\;recorded by \bl{$I$}\pause
-\item \bl{$A \,\text{sends}\, B :  A, \{M_A\}_{K_{AB}}$}
-\item \bl{$B\,\text{sends}\, A : \{M_A + 1, M_B\}_{K_{AB}}$}
-\item \bl{$A \,\text{sends}\, B : \{M_B + 1\}_{K_{AB}}$}
-\item \bl{$B \,\text{sends}\, I : \{K^{newer}_{AB}, N^{newer}_B\}_{K_{AB}}$}\;intercepted by \bl{$I$}
-\item \bl{$I \,\text{sends}\, A : \{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\pause
-\item \bl{$A \,\text{sends}\, B : \{msg\}_{K^{new}_{AB}}$}\;\;\;\;\bl{$I$} can read it also
-\end{itemize}
-\end{minipage}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-A Man-in-the-middle attack in real life:
-\begin{itemize}
-\item the card only says yes or no to the terminal if the PIN is correct
-\item trick the card in thinking transaction is verified by signature
-\item trick the terminal in thinking the transaction was verified by PIN
-\end{itemize}
-\begin{minipage}{1.1\textwidth}
-\begin{center}
-\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png}
-\includegraphics[scale=0.3]{pics/chipnpinflaw.png}
-\end{center}
-\end{minipage}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Problems with EMV}
-\begin{itemize}
-\item it is a wrapper for many protocols
-\item specification by consensus (resulted unmanageable complexity)
-\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some
-further parts are secret
-\item other attacks have been found
-\item one solution might be to require always online verification of the PIN with the bank
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Problems with WEP (Wifi)\end{tabular}}
-\begin{itemize}
-\item a standard ratified in 1999
-\item the protocol was designed by a committee not including cryptographers
-\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
-\item WEP did not allocate enough bits for the nonce
-\item for authenticating packets it used CRC checksum which can be easily broken
-\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip
-\item encryption was turned off by default
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Protocols are Difficult}
-\begin{itemize}
-\item even the systems designed by experts regularly fail\medskip
-\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip
-\item the one who can fix a system should also be liable for the losses\medskip
-\item cryptography is often not {\bf the} answer\bigskip\bigskip
-\end{itemize}
-logic is one way protocols are studied in academia
-(you can use computers to search for attacks)
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Public-Key Infrastructure}
-\begin{itemize}
-\item the idea is to have a certificate authority (CA)
-\item you go to the CA to identify yourself
-\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
-\item CA must be trusted by everybody
-\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
-explicitly limits liability to \$100.)
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \end{document}
 %%% Local Variables:
 %%% mode: latex
 %%% TeX-master: t

changeset 299	82906b148ff5
parent 143	5d6c0e3b4ebb
child 300	9aeb88f8cbec