The use of personal information for private and business life is a trend in our increasingly information-driven society. Since the rise of social media, individuals are revealing more personal data online than ever before. This data disclosure provides value to users, such as enhancing social contacts or obtaining personalized services and products. However, the existing social internet makes it difficult for using personal information in a controlled way while retaining privacy where required. The European project di.me has been investigating on a new paradigm to mitigate this risk and now it has opened its code.
In 2010, a group of European research organizations and industrial companies started to investigate on a technology that would enable the user to share personal data in a controlled, trustworthy and intelligent way. The constituted cooperative project, digital.me, is aimed at researching on social technology that deeply incorporates user-control in design. The project’s approach is to develop a technical platform with the “di.me userware” as the central component.
The project consortium has developed the dime platform that incorporates new paradigms of social network and service development: Decentralization, Multiple Identity Management, Trust Management and Recommendations.
The project has recently ended up with the publication of the di.me code as Open Source. Di.me is, thus, extendible and the publication of its code enables developers to use it as a base for further initiatives.
Dipl.-Inform Simon Thiel, Fraunhofer IAO, Germany
Technical coordinator of di.me project
The rise of social networks we've experienced in the past years left many questions open. Who is taking responsibility for my private data? How well is it protected? How can I know about 3rd parties able to access it? Will it be open to the government or sold to other companies? These questions are about having control on my private data. The concern di.me started with was to give the control back to the user.
With our project partners CAS, YellowMap and Telecom Italia we had potent stakeholders for exploiting the development in different markets directly in the consortium.
In my opinion, there is generally an inherent gap between public funded research and ready for market products. While it's clear that within a cooperative research project, the result cannot be a marked ready product, the efforts of the EC to make the best value of the projects outcome are very helpful and productive. From my experience a mixed consortium with partners from research and industry is very appropriate to achieve high quality results.
Opening backdoors on embedded devices (OpenSesame)
Networked embedded devices such as routers, switches, rewalls, sensors and actuators are
part of our critical infrastructure. These devices are often assembled and programmed overseas - beyond our control - and placed within our trusted networks or even used for military applications. But can we really trust them? There have been several incidents where backdoors have been found in the rmware (also on silicon) of these devices. Such a backdoor allows an adversary to gain (remote) access to the device.
OpenSesame addresses this problem by developing novel automated techniques to test the software and rmware of embedded devices for the presence of such backdoors. Standard protocol fuzzing techniques, such as feeding programs invalid or random data to test for
unexpected behaviour, are not very eective as the chances of hitting the right input are tiny. Our approach consists of rst recovering the (read-protected) rmware from the device.
Having access to the rmware enables us to apply smarter techniques, such as symbolic execution, to detect the presence of backdoors in any possible execution path. This technique does not scale very well when addressing large computer programs. However, embedded devices with their smaller code bases are exactly the right target for symbolic execution.
Lead : Prof.dr. B.P.F. Jacobs (Radboud Universiteit Nijmegen
After years of research in various projects, Intrinsic-ID a Philips spin-off realised another application of Physical Unclonable Functions (PUFs) in action.
Saturnus leverages the Hardware Intrinsic Security™ technology (HIS) developed and patented by Intrinsic-ID. HIS technology protects the secret keys used by Saturnus and adds an extra layer of protection. Instead of keeping keys in software only, security is anchored in the hardware. Secret keys are extracted from the hardware properties of the smartcard chip in the USB token, like an `electronic fingerprint’ used to anchor the cloud data with the physical device. Since the keys are not present when the device is switched off, a very high security level is achieved. HIS technology comes with reference credentials and a proven track record in the smartcard, government, automotive, networking and telecom industries.
Saturnus is a combined software and hardware solution to protect your data in Dropbox. It's software runs on Android and Windows platforms. A smart token, enhanced with HIS*, provides security based on a hardware root of trust at the client site.
This is a great European new trustworthy ICT solution that applies some of the research funded in various European research projects. For more information, please go to :
Interested in purchasing Saturnus or more information on the product :
Saturnus Promotion Bundle includes one USB token and a 3 year license for Saturnus® for both Android 4.x and Windows 7 devices.
For more information, contact the FIRE innovation partners info at trustworthyictonfire.com or reach out to Pim Tuyls of Intrinsic-ID.
PISA - Personal Information Security Assistant
The personal information security assistant (PISA) is focusing on the growing dependence of society on ICT has increased information security risks. PISA attempts to improve this by focusing on end-users. First, they are the weakest link, as they
lack resources and expertise that enterprises have. By strengthening them we remove a large
vulnerability in society. Second, they are early adopters of technology and drive change
The approach is to help end-users perform risk-management. This is an iterative process of dening goals, examining the threats against them, deciding how to act on them, and actually implementing these actions. Risk management is commonplace in enterprises, with demonstrated eectiveness, but it is too complex for end-users. We will simplify it, creating a lightweight risk management process that is usable by end-users. For this PISA will (1) develop a simple but expressive risk ontology to represent risks. PISA will also (2) develop a repository
of end-user risks, and (3) design a secure tool that can answer questions about the end-users' risks (for example of online social networks) and suggest actions to reduce these togetherwith their cost. We will (4) perform experiments with prototypes on test subjects, to test
prototypes? usability, persuasiveness and eectiveness in reducing risks. Finally PISA intends to (5) use the knowledge gained in these experiments to create one end-user risk management method that can be standardized.
Lead : Prof.dr. R.J. Wieringa (Universiteit Twente)
Partners: KPN, XS4All, CSC IT consultancy, Hyves.nl, ITUnited
Online Social Networks have become an important part of daily digital interactions for more than half a billion users around the world. The various personal information sharing practices that online social network providers promote have led to their success as innovative social interaction platforms. At the same time, these practices have raised much critique and concerns with respect to privacy and security from different stakeholders.
Studying and addressing these privacy and security concerns in online social networks is the research challenge that SPION is undertaking. It plans to tackle the responsibilization of individuals with the task of mitigating privacy and security concerns in online social networks by putting the focus on the responsibilities of service providers and stakeholder organizations. SPION explores ways in which the underlying social networking infrastructures and the organizations that run them can be made responsible and accountable for the relevant privacy and security concerns. We will also propose ways to develop and run SNS that are technically more secure and transparent to different stakeholders. The proposals will include mechanisms that fulfill the SNS user communities’ privacy needs.
SPION is approaching target audience’s needs as well as forms of responsibilization from a variety of disciplines. This target audience includes users, communities and organizations in Flanders. The project brings the proposed legal, technical, social, educational and economic mechanisms to mitigate these concerns to the attention of different stakeholders of online social networks.
The projecy is developing solutions that facilitate better decision making with respect to the target groups’ privacy and security concerns, to mitigate the risks, threats and concerns that are currently manifest in this domain, and, most importantly, create educational tools to raise the awareness of privacy-issues with youngsters. With the dissemination and application of the research results we expect to contribute to increasing awareness about privacy and security problems in online social networks.
For more information, visit the SPION website
The US National Institute of Standards and Technology (NIST) announced in October 2012 the winner of its five-year competition to select a new cryptographic hash algorithm, one of the fundamental tools of modern information security.
Credit: K. Talbott/NIST with Shutterstock images
The winning algorithm, Keccak (pronounced “catch-ack”), was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors. The team’s entry beat out 63 other submissions that NIST received after its open call for candidate algorithms in 2007, when it was thought that SHA-2, the standard secure hash algorithm, might be threatened. Keccak will now become NIST’s SHA-3 hash algorithm.
Hash algorithms are used widely for cryptographic applications that ensure the authenticity of digital documents, such as digital signatures and message authentication codes. These algorithms take an electronic file and generate a short "digest," a sort of digital fingerprint of the content. A good hash algorithm has a few vital characteristics. Any change in the original message, however small, must cause a change in the digest, and for any given file and digest, it must be infeasible for a forger to create a different file with the same digest.
The NIST team praised the Keccak algorithm for its many admirable qualities, including its elegant design and its ability to run well on many different computing devices. The clarity of Keccak’s construction lends itself to easy analysis (during the competition all submitted algorithms were made available for public examination and criticism), and Keccak has higher performance in hardware implementations than SHA-2 or any of the other finalists.
“Keccak has the added advantage of not being vulnerable in the same ways SHA-2 might be,” says NIST computer security expert Tim Polk. “An attack that could work on SHA-2 most likely would not work on Keccak because the two algorithms are designed so differently.”
Polk says that the two algorithms will offer security designers more flexibility. Despite the attacks that broke other somewhat similar but simpler hash algorithms in 2005 and 2006, SHA-2 has held up well and NIST considers SHA-2 to be secure and suitable for general use.
What then will SHA-3 be good for? While Polk says it may take years to identify all the possibilities for Keccak, it immediately provides an essential insurance policy in case SHA-2 is ever broken. He also speculates that the relatively compact nature of Keccak may make it useful for so-called “embedded” or smart devices that connect to electronic networks but are not themselves full-fledged computers. Examples include sensors in a building-wide security system and home appliances that can be controlled remotely.
“The Internet as we know it is expanding to link devices that many people do not ordinarily think of as being part of a network,” Polk says. “SHA-3 provides a new security tool for system and protocol designers, and that may create opportunities for security in networks that did not exist before.”
(Source : http://www.nist.gov/itl/csd/sha-100212.cfm)
For more on the SHA3 competition, see http://csrc.nist.gov/groups/ST/hash/sha-3/index.html.