Modelling and Automatically Analysing Privacy Properties for Honest-but-Curious Adversaries

For certain communication protocols, undetectability and unlinkability of messages or information items are desirable properties, and are used to reason about anonymity and privacy. Previous work has formalized and analysed these properties using the notions of indistinguishability and observational equivalence. However, it is also possible to perform this analysis using a constructive definition of the adversary model, an approach that has received less attention. The semi-honest or honest-but-curious (HBC) adversary is commonly used in the analysis of these privacy properties. In this work, we develop a formal model of the capabilities of an HBC adversary with respect to undetectability and unlinkability. Our HBC model is defined as a deductive system consisting of a set of inference rules. We show that each rule is based on commonly accepted definitions and therefore claim that our overall model is a faithful representation of these definitions. The advantage of this constructive approach is that our HBC model can be directly integrated with methodologies for analysing security properties. We demonstrate this by integrating our HBC model with Casper/FDR, an established protocol analysis method based on the process algebra of CSP. We extend the Casper tool to also analyse undetectability and unlinkability properties for multiple adversaries based on a single description of the protocol. We demonstrate the effectiveness of our HBC model and Casper extension by analysing several protocols in terms of their security and privacy properties. In our case studies, we find new attacks as well as rediscover known attacks.
