146 Fix: Replace messages 2 and 3 to include a timestamp:\bigskip |
146 Fix: Replace messages 2 and 3 to include a timestamp:\bigskip |
147 |
147 |
148 \begin{minipage}{1.1\textwidth} |
148 \begin{minipage}{1.1\textwidth} |
149 \begin{center} |
149 \begin{center} |
150 \begin{tabular}{@{\hspace{-2mm}}r@ {\hspace{1mm}}l@{}} |
150 \begin{tabular}{@{\hspace{-2mm}}r@ {\hspace{1mm}}l@{}} |
151 \bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\ |
151 \bl{$S \rightarrow A :$} & \bl{$\{B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\ |
152 \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\ |
152 \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\ |
153 \end{tabular} |
153 \end{tabular} |
154 \end{center} |
154 \end{center} |
155 \end{minipage} |
155 \end{minipage} |
156 |
156 |
158 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
158 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
159 |
159 |
160 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
160 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
161 \mode<presentation>{ |
161 \mode<presentation>{ |
162 \begin{frame}[t] |
162 \begin{frame}[t] |
163 \frametitle{Denning-Sacco Protocol} |
163 \frametitle{Denning-Sacco Fix} |
164 |
164 |
165 Denning-Sacco (1981) suggested to add the timestamp, but omit the handshake:\bigskip |
165 Denning-Sacco (1981) suggested to add the timestamp, but omit the handshake:\bigskip |
166 |
166 |
167 \begin{minipage}{1.1\textwidth} |
167 \begin{minipage}{1.1\textwidth} |
168 \begin{center} |
168 \begin{center} |
169 \begin{tabular}{@{\hspace{-2mm}}r@ {\hspace{1mm}}l@{}} |
169 \begin{tabular}{@{\hspace{-2mm}}r@ {\hspace{1mm}}l@{}} |
170 \bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\ |
170 \bl{$A \rightarrow S :$} & \bl{$A, B$}\\ |
171 \bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\ |
171 \bl{$S \rightarrow A :$} & \bl{$\{B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\ |
172 \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\ |
172 \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\ |
173 \textcolor{lightgray}{$B \rightarrow A :$} & \textcolor{lightgray}{$\{N_B\}_{K_{AB}}$}\\ |
173 \textcolor{lightgray}{$B \rightarrow A :$} & \textcolor{lightgray}{$\{N_B\}_{K_{AB}}$}\\ |
174 \textcolor{lightgray}{$A \rightarrow B :$} & \textcolor{lightgray}{$\{N_B-1\}_{K_{AB}}$}\\ |
174 \textcolor{lightgray}{$A \rightarrow B :$} & \textcolor{lightgray}{$\{N_B-1\}_{K_{AB}}$}\\ |
175 \end{tabular} |
175 \end{tabular} |
176 \end{center} |
176 \end{center} |
177 \end{minipage}\bigskip |
177 \end{minipage}\bigskip |
178 |
178 |
179 they argue \bl{$A$} and \bl{$B$} can check that the messages are not replays of earlier |
179 they argue \bl{$A$} and \bl{$B$} can check that the messages are not replays of earlier |
180 runs, by checking the time difference when the protocol is last used |
180 runs, by checking the time difference with when the protocol is last used |
181 \end{frame}} |
181 \end{frame}} |
182 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
182 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
183 |
183 |
184 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
184 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
185 \mode<presentation>{ |
185 \mode<presentation>{ |
186 \begin{frame}[t] |
186 \begin{frame}[t] |
187 \frametitle{Denning-Sacco-Lowe Protocol} |
187 \frametitle{\begin{tabular}{@{}c@{}}Denning-Sacco-Lowe Fix of Fix\end{tabular}} |
188 |
188 |
189 Lowe (1997) disagreed and said the handshake should be kept, |
189 Lowe (1997) disagreed and said the handshake should be kept, |
190 otherwise:\bigskip |
190 otherwise:\bigskip |
191 |
191 |
192 \begin{minipage}{1.1\textwidth} |
192 \begin{minipage}{1.1\textwidth} |
193 \begin{center} |
193 \begin{center} |
194 \begin{tabular}{@{\hspace{-7mm}}r@ {\hspace{1mm}}l@{}} |
194 \begin{tabular}{@{\hspace{-7mm}}r@ {\hspace{1mm}}l@{}} |
195 \bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\ |
195 \bl{$A \rightarrow S :$} & \bl{$A, B$}\\ |
196 \bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\ |
196 \bl{$S \rightarrow A :$} & \bl{$\{B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\ |
197 \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\ |
197 \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\ |
198 \bl{$I(A) \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\hspace{5mm}\textcolor{black}{replay}\\ |
198 \bl{$I(A) \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\hspace{5mm}\textcolor{black}{replay}\\ |
199 \end{tabular} |
199 \end{tabular} |
200 \end{center} |
200 \end{center} |
201 \end{minipage}\bigskip |
201 \end{minipage}\bigskip |
225 \only<2>{\begin{itemize} |
225 \only<2>{\begin{itemize} |
226 \item London Health Programmes lost in June unencrypted details of more than 8 million people |
226 \item London Health Programmes lost in June unencrypted details of more than 8 million people |
227 (no names, but postcodes and details such as gender, age and ethnic origin) |
227 (no names, but postcodes and details such as gender, age and ethnic origin) |
228 \end{itemize}} |
228 \end{itemize}} |
229 \only<3>{\begin{itemize} |
229 \only<3>{\begin{itemize} |
230 \item also in June Sony got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. |
230 \item also in June Sony, got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. |
231 \end{itemize}} |
231 \end{itemize}} |
232 \end{minipage} |
232 \end{minipage} |
233 |
233 |
234 \end{frame}} |
234 \end{frame}} |
235 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
235 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
295 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
295 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
296 \mode<presentation>{ |
296 \mode<presentation>{ |
297 \begin{frame}[c] |
297 \begin{frame}[c] |
298 \frametitle{Scare Tactics} |
298 \frametitle{Scare Tactics} |
299 |
299 |
|
300 The actual policy reads:\bigskip |
|
301 |
300 ``As we explain in our Cookie Policy, cookies help you to get the most |
302 ``As we explain in our Cookie Policy, cookies help you to get the most |
301 out of our websites.\medskip |
303 out of our websites.\medskip |
302 |
304 |
303 If you do disable our cookies you may find that certain sections of our |
305 If you do disable our cookies you may find that certain sections of our |
304 website do not work. For example, you may have difficulties logging in |
306 website do not work. For example, you may have difficulties logging in |
336 \frametitle{Re-identification Attack} |
337 \frametitle{Re-identification Attack} |
337 |
338 |
338 Two researchers analysed the data: |
339 Two researchers analysed the data: |
339 |
340 |
340 \begin{itemize} |
341 \begin{itemize} |
341 \item with 8 ratings (2 of them can be wrong) and dates that have a 14-day error, 98\% of the |
342 \item with 8 ratings (2 of them can be wrong) and corresponding dates that can have a margin 14-day error, 98\% of the |
342 records can be identified |
343 records can be identified |
343 \item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause |
344 \item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause |
344 \item they took 50 samples from IMDb (where people can reveal their identity) |
345 \item they took 50 samples from IMDb (where people can reveal their identity) |
345 \item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates) |
346 \item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates) |
346 \end{itemize} |
347 \end{itemize} |
357 \begin{itemize} |
358 \begin{itemize} |
358 \item Birth data, postcode and gender (unique for\\ 87\% of the US population) |
359 \item Birth data, postcode and gender (unique for\\ 87\% of the US population) |
359 \item Preferences in movies (99\% of 500K for 8 ratings) |
360 \item Preferences in movies (99\% of 500K for 8 ratings) |
360 \end{itemize}\bigskip |
361 \end{itemize}\bigskip |
361 |
362 |
362 Therefore best practices / or even law: |
363 Therefore best practices / or even law (HIPAA, EU): |
363 |
364 |
364 \begin{itemize} |
365 \begin{itemize} |
365 \item only year dates (age: 90 years or over), |
366 \item only year dates (age group for 90 years or over), |
366 \item no postcodes (sector data is OK, similarly in the US)\\ |
367 \item no postcodes (sector data is OK, similarly in the US)\\ |
367 \textcolor{gray}{no names, addresses, account numbers, licence plates} |
368 \textcolor{gray}{no names, addresses, account numbers, licence plates} |
368 \item disclosure information needs to be retained for 5 years |
369 \item disclosure information needs to be retained for 5 years |
369 \end{itemize} |
370 \end{itemize} |
370 |
371 |
377 \frametitle{How to Safely Disclose Information?} |
378 \frametitle{How to Safely Disclose Information?} |
378 |
379 |
379 \only<1>{ |
380 \only<1>{ |
380 \begin{itemize} |
381 \begin{itemize} |
381 \item Assume you make a survey of 100 randomly chosen people. |
382 \item Assume you make a survey of 100 randomly chosen people. |
382 \item Say 99\% of the people in the 10 - 40 age group have seen the |
383 \item Say 99\% of the surveyed people in the 10 - 40 age group have seen the |
383 Gangnam video on youtube.\bigskip |
384 Gangnam video on youtube.\bigskip |
384 |
385 |
385 \item What can you infer about the rest of the population? |
386 \item What can you infer about the rest of the population? |
386 \end{itemize}} |
387 \end{itemize}} |
387 \only<2>{ |
388 \only<2>{ |
388 \begin{itemize} |
389 \begin{itemize} |
389 \item Is it possible to re-identify data later, if more data is released. \bigskip\bigskip\pause |
390 \item Is it possible to re-identify data later, if more data is released. \bigskip\bigskip\pause |
390 |
391 |
391 \item Not even releasing only aggregate information prevents re-identification attacks. |
392 \item Not even releasing only aggregate information prevents re-identification attacks. |
392 (GWAS was a public database of gene-frequency studies linked to diseases; |
393 (GWAS was a public database of gene-frequency studies linked to diseases; |
393 you only needed enough data about phenotype (hair, eyes, skin colour...) in order |
394 you only needed partial DNA information in order |
394 to identify whether an individual was part of the study --- DB closed in 2008) |
395 to identify whether an individual was part of the study --- DB closed in 2008) |
395 \end{itemize}} |
396 \end{itemize}} |
396 |
397 |
397 \end{frame}} |
398 \end{frame}} |
398 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
399 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |