Presentation on theme: "Privecsg-14-0014-00-0000 1 IEEE 802 Privacy Threat Model Date: [2014-10-22] Authors: NameAffiliationPhone Juan Carlos"— Presentation transcript:
privecsg IEEE 802 Privacy Threat Model Date: [ ] Authors: NameAffiliationPhone Juan Carlos Alissa CooperCisco Notice: This document does not represent the agreed view of the IEEE 802 EC Privacy Recommendation SG. It represents only the views of the participants listed in the ‘Authors:’ field above. It is offered as a basis for discussion. It is not binding on the contributor, who reserve the right to add, amend or withdraw material contained herein. Copyright policy: The contributor is familiar with the IEEE-SA Copyright Policy.http://standards.ieee.org/IPR/copyrightpolicy.html Patent policy: The contributor is familiar with the IEEE-SA Patent Policy and Procedures: and.http://standards.ieee.org/guides/bylaws/sect6-7.html#6http://standards.ieee.org/guides/opman/sect6.html#6.3 Abstract The present document proposes a privacy threat model for IEEE 802 protocols, based on IETF’s RFC 6973, RFC 7258 and draft-iab-privsec-confidentiality-threat-00.
privecsg IEEE 802 Privacy Threat Model Juan Carlos Zúñiga Alissa Cooper
privecsg Introduction Privacy is a complicated concept that spans multiple disciplines Privacy can have different legal meanings and can be interpreted differently by different jurisdictions Other SDOs such as IETF have been able to provide general technical guidelines to Internet protocol developers, without references to legal frameworks
privecsg Privacy Implications (1/2) Communication protocols, such as the ones developed by IEEE 802, can be applicable to multiple system architectures Due to this flexible applicability, it is challenging to foresee privacy implications at design time –Protocols can rely on security features provided at different layers –But they can also create new privacy risks when deployed in a larger system or used in a way not envisioned at design time
privecsg Privacy Implications (2/2) Privacy implications of a complete system are dependent upon the complete system design Protocol designers should consider how their protocols are expected to interact with systems and information that exist outside the protocol bounds, but should not be expected to imagine every possible deployment scenario
privecsg Privacy Threat Model Privacy Threats from Security Model –Surveillance Targeted Monitoring Pervasive Monitoring –Stored Data Compromise –Intrusion –Misattribution Privacy-Specific Threats –Correlation –Identification –Secondary Use –Disclosure –Exclusion
privecsg Surveillance Surveillance is the observation or monitoring of an individual's communications or activities The effects of surveillance on the individual can range from anxiety and discomfort to behavioral changes such as inhibition and self-censorship, and even to the perpetration of violence against the individual The individual need not be aware of the surveillance for it to impact his or her privacy
privecsg Targeted Monitoring In some cases a single individual/host or limited group of individuals/hosts may become monitoring targets –Network admin monitoring potential attacker(s) –Law enforcement investigating an individual –Retailer monitoring customers –Parent monitoring a child –Etc.
privecsg Pervasive Monitoring Pervasive attacks indiscriminately gather as much data as possible and apply selective analysis on targets after the fact –This means that all, or nearly all, Internet communications are targets for these attacks To achieve this scale, attacks are physically pervasive; they affect a large number of Internet communications –They are pervasive in content, consuming and exploiting any information revealed by the protocol –And they are pervasive in technology, exploiting many different vulnerabilities in many different protocols
privecsg Stored Data Compromise End systems that do not take adequate measures to secure stored data from unauthorized or inappropriate access expose individuals to potential financial, reputational, or physical harm Protecting against this is usually outside the scope of the protocol. However, a number of common protocol functions require the storage of data about initiators of communications –E.g. key management, access control, or operational logging, etc.
privecsg Intrusion Intrusion consists of invasive acts that disturb or interrupt one's life or activities Unsolicited messages and denial-of-service attacks are the most common types of intrusion for communication protocols Intrusion can be perpetrated by any attacker that is capable of sending unwanted traffic to the initiator
privecsg Misattribution Misattribution occurs when data or communications related to one individual are attributed to another Misattribution in the protocol context comes as a result of using inadequate or insecure forms of identity or authentication, and is sometimes related to spoofing
privecsg Correlation Correlation is the combination of various pieces of information related to an individual or that obtain that characteristic when combined Correlation is closely related to identification –Communication protocols can facilitate correlation by allowing individuals' activities to be tracked and combined over time The use of persistent or infrequently replaced identifiers at any layer of the stack can facilitate correlation
privecsg Identification Identification is the linking of information to a particular individual to infer an individual's identity or to allow the inference of an individual's identity As with correlation, any observer or attacker may be able to engage in identification, depending on the information about the initiator that is available via the protocol mechanism or other channels
privecsg Secondary Use Secondary use is the use of collected information about an individual without the individual's consent for a purpose different from that for which the information was collected Secondary use is typically outside the scope of IEEE 802 protocols –Although worth keeping in mind since lots of secondary uses are made of link layer identifiers
privecsg Disclosure Disclosure is the revelation of information about an individual that affects the way others judge the individual Disclosure can violate individuals' expectations of the confidentiality of the data they share Any observer or attacker that receives data about an initiator may engage in disclosure
privecsg Exclusion Exclusion is the failure to allow individuals to know about the data that others have about them and to participate in its handling and use Exclusion is primarily considered problematic when the recipient fails to involve the initiator in decisions about data collection, handling, and use Eavesdroppers engage in exclusion by their very nature, since their data collection and handling practices are covert
privecsg References RFC Privacy Considerations for Internet Protocols –http://tools.ietf.org/html/rfc6973http://tools.ietf.org/html/rfc6973 Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement –http://tools.ietf.org/html/draft-iab-privsec-confidentiality- threat-00http://tools.ietf.org/html/draft-iab-privsec-confidentiality- threat-00 RFC Pervasive Monitoring is an Attack –http://tools.ietf.org/html/rfc7258http://tools.ietf.org/html/rfc7258