
Intelligent environments gather significant amounts of data about their inhabitants


Behavior patterns

Work hours

Room occupancies
Personal preferences


TV viewing
Shopping habits

Inhabitant data


Address books
Medical data



Electronic threats


Electronic identity theft
Intellectual property theft


Unsolicited marketing
Publication of private information
Physical threats


Illegal entering / robberies
Electronic theft of property information

Credit card and banking information





Wireless communications

Wireless communications are easy to intercept
Remote access facilities

Intelligent environments can frequently be accessed remotely over the network
Large databases

Large amounts of private information represent a target for intruders
Computer-enabled access to the home

Intruders can falsify access authentications




US Constitution

Fourth Amendment (abridged)


The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.
Fifth Amendment (abridged)

No person shall be compelled in any criminal case to be a witness against himself.
Laws grant law enforcement access to private communications and data if there is reasonable cause
No specific “right to privacy”




Data Processing

Processing data on-line and only storing information relevant to decision making

E.g. no stored video / audio data
Encryption

Encryption of data reduces risk of information theft


Encryption of communications
Encryption of stored data
Authentication

Authentication makes if more difficult for intruders to enter the system

Electronic authentication for data connections

Physical authentication when entering the environment



Avoiding the storage of unnecessary data can be an efficient means of facilitating privacy

Necessary information should be extracted immediately



Location information rather than raw video
Store models rather than large data sets
Hide identities in data sets if they are not necessary
There is a tradeoff between storing of data and the decision making capabilities of the intelligent environment


Encryption reduces the risk of an intruder being able to access information


Encryption of communications to prevent eavesdropping


How to set up encrypted communications ?
How to keep decryption secret ?
Encryption of stored data and information to prevent intruders from accessing and using it

How to permit the home applications decrypt data without revealing the decryption code ?



Private key encryption uses a secret key to encrypt and decrypt a message (symmetric encryption)



Decryption algorithm is public

Algorithm used for message is known
Encryption key is private

One key is used for all encryption/decryption
Strength of encryption depends on number of possible keys
Problems:

How to securely distribute the private key ?

How to ensure authenticity of messages ?







DES was developed at IBM in 1977
Uses 56-bit private-key encryption

56-bit key results in 2 56 = 72 x 10 15 keys
Each message is encrypted with a randomly chosen key

Key exchange is a major concern
Applies 56-bit key to each 64-bit block of data
Can be made stronger using multiple passes

Triple DES (3DES) still in use (2 56+56+56 keys)
Still used in some telecom networks




Public key encryption uses a pair of private and public keys to encrypt and decrypt messages (asymmetric encryption)

Private key is held securely by the user

Public key is published openly
Messages encrypted with one of the keys can be decrypted using the other
 private(public(M)) = M
 public(private(M)) = M
Addresses problems of key exchange




Authentication of sender (digital signature)


Sender encrypts with his/her private key
Recipient decrypts with sender’s public key
Encryption of content fro privacy


Sender encrypts with recipient’s public key
Recipient decrypts with his/her private key
Authentication and privacy



Sender encrypts message first with his/her private key and then with the recipient’s public key
Recipient decrypts and authenticates by applying his/her private key and then the sender’s public key public
S
(private
R
(public
R
(private
S
(M))) = M




Patented by RSA Security Inc.
Key generation:


Public key = (e,n)
Private key = (d,n)


 encrypt
A decrypt
(M) = M e modulo n
A
(M) = M d modulo n n = p*q, where p and q are large random primes
 e and d chosen based on p and q
Security is based on the fact that finding the prime factors of a number is NP-complete

Breaking of encryption takes a long time


Laws require that individual communications can be wiretapped by law enforcement


Communications Assistance for Law Enforcement
Act ( CALEA ) mandates that communications systems equipment be designed to allow practical wiretapping by law enforcement
Any encrypted message must be decryptable by law enforcement with proper authorization

Currently: Encrypter must provide means to decrypt message



Position of US Government


Public-key encryption too difficult to wiretap
Limit export of encryption

Use government-designed, tap-able encryption schemes
Industry’s position


Use widely-accepted, strong encryption standard
Freely export standard


EES developed by U.S. government in 1993

Private key encryption/decryption algorithms are implemented on chips




Each chip has an 80-bit unit key, which is escrowed in two parts to two different agencies
Chip also includes a 30-bit serial number and an
80-bit family key common to all chips
Law-Enforcement Access Field (LEAF) appended to message and encrypted with family key includes


Session key encrypted with unit key
Serial number of sender
Law enforcement can obtain decryption keys form escrow agencies



Encryption provides protection for data and communications

Makes stolen data less useful

Time required to break encryption is relatively long

Permits reliable authentication of sender of messages
Problems

Conflict between privacy and law enforcement mandates

Encryption can be broken with sufficient computing power

Data is only secure for a limited amount of time




Firewalls

Filter packets not meeting specified constraints


Access limitations to particular users


IP number constraints
Port constraints
Access limitations to particular services

Connection-type constraints
Encrypted computer access channels

Secure Shell ( www.ssh.com
)
Intrusion detection

Identify unusual access and/or traffic patterns

Restrict users who make illegal access attempts



Electronic keys

RFID keys


IR keys
Keys can be stolen and used by unauthorized persons
Biometrics

Recognize a user/inhabitant using distinguishing traits






Face recognition
Voice recognition
Fingerprint recognition, hand and finger geometry
Iris, retinal scans
Vein patterns
Handwriting recognition




Recognition in front of a controlled background


Skin color and facial features


Shape of head
Spatial relations between eyes, nose, mouth, etc.
Eigenfaces

Characterize faces using a set of “prototypical” faces
Motion patterns (e.g., blinks)

Unconstrained scenes

Neural networks
Problems:


Complex technology with relatively high error rates
Difficult to secure against manipulations



Voice recognition attempts to identify a user from the voice pattern


Identify and match pitch, frequency patterns, etc.
Hidden Markov Models are one of the most used mechanisms to model voice
Problems:

Relatively unreliable so far


Voice changes when sick
High risk of falsification


Tape recording
Synthesized patterns



Fingerprints can be used as unique identifiers for a person

Identification by matching a number of features in the fingerprint


Requires image processing and pattern recognition techniques
Fingerprint readers can be purchased relatively cheaply
Problems:

Can not be read from a distance



Identify an individual from the pattern formed by the blood vessels on the retina or by the patterns on the iris



Retinal and iris patterns are unique
Encode wavelet patterns
Can be evaluated rapidly

100,000 comparisons per second on 300MHz machine
Problems:


Difficult to read from a distance
Iris pattern has to be read at a particular light intensity


The pattern of blood vessels is a unique identifier for humans



Identification of pattern using image processing
Matching of picture against vein map
Commercial products are available
( www.veinid.com
)

Problems:


Can not be read from a distance
Diseases or accidents can change vein patterns



Biometrics provide a means of reliably identifying individuals

Reduces the risk of illegal access


Eliminates the need for keys or access IDs
Unique identification (in particular if multiple techniques are used)
Problems

Techniques have to be reliable even in cases of injury


Personal data has to be stored for authentication
High reliance on computer technology


Software in intelligent environments can operate physical devices



Safety and reliability of software is important

Software should not fail

Decision makers should not issue unsafe decisions
Risk analysis for software is a difficult task that has a subjective component


Models of the system are never complete
Models and programs are very difficult to validate
No widely accepted standards for developing safety-critical software exist

Resources: The Risks Digest http://catless.ncl.ac.uk/Risks/




Intelligent environments pose many security and privacy issues




Inhabitant privacy has to be protected
Access has to be restricted to authorized individuals
Communication links have to be secure
Software has to be reliable
A number of mechanisms have been developed that address individual aspects


Encryption
Biometric authentication
Software risk analysis and verification

No absolute security or privacy


Conflict between law enforcement and privacy
Encryption can be broken, biometrics can be fooled