Publications (10 of 41)
Veseli, F., Pulls, T., Olvera, J. S. & Rannenberg, K. (2019). Engineering privacy by design: Lessons from the design and implementation of an identity wallet platform. In: Proceedings of the ACM Symposium on Applied Computing. Paper presented at 34th Annual ACM Symposium on Applied Computing, SAC 2019, 8 April 2019 through 12 April 2019 (pp. 1475-1483). Association for Computing Machinery
2019 (English). In: Proceedings of the ACM Symposium on Applied Computing, Association for Computing Machinery, 2019, p. 1475-1483. Conference paper, Published paper (Refereed)
Abstract [en]

Applying PbD principles to the design of a system is challenging. We present our experience and lessons learned from applying LINDDUN as a privacy assessment framework in the design of the architecture for a cloud-based identity wallet platform. In this effort, we identified a need to improve LINDDUN in a number of cases, for which we proposed and documented concrete enhancements. We transform LINDDUN from a linear into an iterative process that requires adaptation, introduce the concept of "Constraints" and add a new step to the mitigation of threats. Further, we consider the mitigation strategies of LINDDUN too narrow, and propose other, more practicable ones. Finally, we not only identify further PETs for mitigating privacy threats, but also acknowledge that some threats cannot be effectively mitigated with PETs alone. We therefore introduce additional mitigation mechanisms besides PETs, in particular development guidelines and organizational measures. We demonstrate our enhancements with concrete examples, which could also serve other engineering projects following the PbD paradigm.

Place, publisher, year, edition, pages
Association for Computing Machinery, 2019
Keywords
Data flow diagram, Identity wallet, LINDDUN, Mitigation of risks, PbD, Privacy by design, Privacy risks, Privacy threat modelling, Concretes, Data flow analysis, Data flow graphs, Mathematical transformations, Data flow diagrams, Privacy threats, Risk assessment
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-72516; DOI: 10.1145/3297280.3297429; Scopus ID: 2-s2.0-85065644021; ISBN: 978-1-4503-5933-7
Conference
34th Annual ACM Symposium on Applied Computing, SAC 2019, 8 April 2019 through 12 April 2019
Available from: 2019-06-13. Created: 2019-06-13. Last updated: 2019-10-24. Bibliographically approved.
Fischer-Hübner, S., Martucci, L., Fritsch, L., Pulls, T., Herold, S., Iwaya, L. H., . . . Albin, Z. (2018). A MOOC on Privacy by Design and the GDPR. In: Lynette Drevin, Marianthi Theocharidou (Ed.), Information Security Education: Towards a Cybersecure Society. Paper presented at 11th IFIP World Conference on Information Security Education (WISE 11), Held at the 24th IFIP World Computer Congress, WCC 2018, Poznan, Poland, September 18–20, 2018, Proceedings (pp. 95-107). Cham, Switzerland: Springer
2018 (English). In: Information Security Education: Towards a Cybersecure Society / [ed] Lynette Drevin, Marianthi Theocharidou, Cham, Switzerland: Springer, 2018, p. 95-107. Conference paper, Published paper (Refereed)
Abstract [en]

In this paper we describe how we designed a massive open online course (MOOC) on Privacy by Design with a focus on how to achieve compliance with the EU GDPR principles and requirements in IT engineering and management. This MOOC aims at educating both professionals and undergraduate students, i.e., target groups with distinct educational needs and requirements, within a single course structure. We discuss why developing and publishing such a course is a timely decision and fulfills the current needs of professional and undergraduate education. The MOOC is organized in five modules, each of them with its own learning outcomes and activities. The modules focus on different aspects of the GDPR that data protection officers have to be knowledgeable about, ranging from the legal basics to data protection impact assessment methods and privacy-enhancing technologies. The modules were delivered using hypertext, digital content and three video production styles: slides with voice-over, talking heads and interviews. The main contribution of this work is the roadmap on how to design a highly relevant MOOC on privacy by design and the GDPR aimed at a heterogeneous audience.

Place, publisher, year, edition, pages
Cham, Switzerland: Springer, 2018
Series
IFIP Advances in Information Technology (AICT) ; 531
Keywords
privacy, teaching, mooc, course design
National Category
Computer and Information Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-69413; DOI: 10.1007/978-3-319-99734-6_8; ISBN: 978-3-319-99734-6
Conference
11th IFIP World Conference on Information Security Education (WISE 11), Held at the 24th IFIP World Computer Congress, WCC 2018, Poznan, Poland, September 18–20, 2018, Proceedings
Projects
WISR
Funder
Knowledge Foundation, NU16
Available from: 2018-09-27. Created: 2018-09-27. Last updated: 2019-12-04. Bibliographically approved.
Pulls, T. & Dahlberg, R. (2018). Cryptology ePrint Archive: Report 2018/737.
2018 (English). Report (Other academic)
Abstract [en]

We present Steady: an end-to-end secure logging system engineered to be simple in terms of design, implementation, and assumptions for real-world use. Steady gets its name from being based on a steady (heart)beat of events from a forward-secure device sent over an untrusted network through untrusted relays to a trusted collector. Properties include optional encryption and compression (with loss of confidentiality but significant gain in goodput), detection of tampering, relays that can function in unidirectional networks (e.g., as part of a data diode), cost-effective use of cloud services for relays, and publicly verifiable proofs of event authenticity. The design is formalized and security proven in the standard model. Our prototype implementation (about 2,200 loc) shows reliable goodput of over 1M events/s (about 160 MiB/s) for a realistic dataset with commodity hardware for a device on a GigE network using 16 MiB of memory connected to a relay running at Amazon EC2.

Pages
17
Keywords
cryptographic protocols
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-71420
Projects
HITS, 4707
Funder
Knowledge Foundation
Note

Original publication (with major differences): NordSec 2018, DOI 10.1007/978-3-030-03638-6_6

Available from: 2019-03-04. Created: 2019-03-04. Last updated: 2019-11-11. Bibliographically approved.
Pulls, T. & Dahlberg, R. (2018). Steady: A Simple End-to-End Secure Logging System. In: N. Gruschka (Ed.), Secure IT Systems. NordSec 2018: Lecture Notes in Computer Science, vol. 11252. Paper presented at Secure IT Systems. NordSec 2018, 28 November 2018 through 30 November 2018 (pp. 88-103). Springer
2018 (English). In: Secure IT Systems. NordSec 2018: Lecture Notes in Computer Science, vol. 11252 / [ed] N. Gruschka, Springer, 2018, p. 88-103. Conference paper, Published paper (Refereed)
Abstract [en]

We present Steady: an end-to-end secure logging system engineered to be simple in terms of design, implementation, and assumptions for real-world use. Steady gets its name from being based on a steady (heart)beat of events from a forward-secure device sent over an untrusted network through untrusted relays to a trusted collector. Properties include optional encryption and compression (with loss of confidentiality but significant gain in goodput), detection of tampering, relays that can function in unidirectional networks (e.g., as part of a data diode), cost-effective use of cloud services for relays, and publicly verifiable proofs of event authenticity. The design is formalized and security proven in the standard model. Our prototype implementation (2,200 loc) shows reliable goodput of over 1M events/s (160 MiB/s) for a realistic dataset with commodity hardware for a device on a GigE network using 16 MiB of memory connected to a relay running at Amazon EC2. 
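The following is an added example, not code from Steady and not part of the original record; it serves this entry and the ePrint report above. It shows, in the plainest construction, two of the properties the abstract lists: a device holding a forward-secure key emits one authenticated block per heartbeat, and a collector replaying the same key schedule detects both tampered blocks and blocks that an untrusted relay dropped, replayed or reordered. The hash-based key evolution, the block format and the sample events are assumptions of this example; Steady's encryption, compression and publicly verifiable proofs are not reproduced.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

TAG_LEN = 32
GENESIS = b"\x00" * TAG_LEN   # "previous tag" for the very first block


def evolve(key: bytes) -> bytes:
    """One-way key update (assumed construction). Holding key_i reveals nothing
    about key_{i-1}, so a device compromised after beat i cannot re-sign earlier
    blocks: that is the forward-security property."""
    return hashlib.sha256(b"fs-log-evolve|" + key).digest()


def tag(key: bytes, seq: int, prev_tag: bytes, events: List[str]) -> bytes:
    """MAC binding a block to its position (seq) and to the previous block's tag,
    so that dropping, reordering or replaying blocks is detectable."""
    payload = seq.to_bytes(8, "big") + prev_tag + json.dumps(events).encode()
    return hmac.new(key, payload, hashlib.sha256).digest()


class Device:
    """Forward-secure producer: emits one block per heartbeat, then irreversibly
    advances its key."""

    def __init__(self, initial_key: bytes) -> None:
        self._key = initial_key
        self._seq = 0
        self._prev_tag = GENESIS
        self._pending: List[str] = []

    def log(self, event: bytes) -> None:
        self._pending.append(event.hex())

    def beat(self) -> Dict:
        # A block is sent even when nothing was logged: a steady beat lets the
        # collector distinguish "nothing happened" from "a relay dropped blocks".
        block = {"seq": self._seq, "events": self._pending,
                 "tag": tag(self._key, self._seq, self._prev_tag, self._pending).hex()}
        self._prev_tag = bytes.fromhex(block["tag"])
        self._key = evolve(self._key)      # the key just used is now unrecoverable
        self._seq += 1
        self._pending = []
        return block


class Collector:
    """Trusted verifier: replays the key schedule from the shared initial key and
    rejects any block that is out of sequence or whose tag does not verify."""

    def __init__(self, initial_key: bytes) -> None:
        self._key = initial_key
        self._seq = 0
        self._prev_tag = GENESIS
        self.events: List[bytes] = []

    def receive(self, block: Dict) -> Tuple[bool, str]:
        if block["seq"] != self._seq:
            return False, f"gap: expected seq {self._seq}, got {block['seq']}"
        expected = tag(self._key, self._seq, self._prev_tag, block["events"])
        if not hmac.compare_digest(expected, bytes.fromhex(block["tag"])):
            return False, f"tamper: tag mismatch on seq {self._seq}"
        self.events.extend(bytes.fromhex(e) for e in block["events"])
        self._prev_tag = expected
        self._key = evolve(self._key)
        self._seq += 1
        return True, "ok"


def deliver(blocks: List[Dict], collector: Collector) -> List[Tuple[bool, str]]:
    """Feed blocks, in whatever order the relays forwarded them, to the collector."""
    return [collector.receive(b) for b in blocks]


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()    # shared out of band
    dev = Device(key)
    dev.log(b"sshd: accepted key for alice")                   # constructed sample events
    b0 = dev.beat()
    b1 = dev.beat()                                            # empty heartbeat
    dev.log(b"sudo: alice : COMMAND=/bin/sh")
    b2 = dev.beat()
    print(deliver([b0, b1, b2], Collector(key)))               # all ok
    print(deliver([b0, b2], Collector(key)))                   # gap at seq 1
    forged = dict(b2, events=[b"sudo: alice : COMMAND=/bin/ls".hex()])
    print(deliver([b0, b1, forged], Collector(key)))           # tamper at seq 2
```

The collector only needs the initial key and the block stream, so relays need no secrets and can be unidirectional or hosted in a cloud the device does not trust; what the construction above cannot do, and Steady does, is let a third party verify a block without the collector's key.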

Place, publisher, year, edition, pages
Springer, 2018
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 11252
Keywords
Applied cryptography, Protocols, Secure logging, Cost effectiveness, Cryptography, Network protocols, Commodity hardware, Prototype implementations, Publicly verifiable, Secure loggings, The standard model, Untrusted network, Untrusted relays, Network security
National Category
Computer and Information Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-70592; DOI: 10.1007/978-3-030-03638-6_6; Scopus ID: 2-s2.0-85057425500; ISBN: 9783030036379
Conference
Secure IT Systems. NordSec 2018, 28 November 2018 through 30 November 2018
Projects
HITS, 4707
Funder
Knowledge Foundation
Available from: 2018-12-20. Created: 2018-12-20. Last updated: 2019-11-11. Bibliographically approved.
Dahlberg, R. & Pulls, T. (2018). Verifiable Light-Weight Monitoring for Certificate Transparency Logs. In: N. Gruschka (Ed.), Secure IT Systems. NordSec 2018: Lecture Notes in Computer Science, vol. 11252. Paper presented at Secure IT Systems. NordSec 2018, 28 November 2018 through 30 November 2018 (pp. 171-183). Springer
2018 (English). In: Secure IT Systems. NordSec 2018: Lecture Notes in Computer Science, vol. 11252 / [ed] N. Gruschka, Springer, 2018, p. 171-183. Conference paper, Published paper (Refereed)
Abstract [en]

Trust in publicly verifiable Certificate Transparency (CT) logs is reduced through cryptography, gossip, auditing, and monitoring. The role of a monitor is to observe each and every log entry, looking for suspicious certificates that interest the entity running the monitor. While anyone can run a monitor, it requires continuous operation and copies of the logs to be inspected. This has led to the emergence of monitoring as a service: a trusted third party runs the monitor and provides registered subjects with selective certificate notifications. We present a CT/bis extension for verifiable light-weight monitoring that enables subjects to verify the correctness of such certificate notifications, making it easier to distribute, and to reduce, the trust that is otherwise placed in these monitors. Our extension supports verifiable monitoring of wild-card domains and piggybacks on CT's existing gossip-audit security model.

Place, publisher, year, edition, pages
Springer, 2018
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 11252
Keywords
Certificate Transparency, Monitoring, Security protocols, Network security, Transparency, Continuous operation, Light weight, Publicly verifiable, Security model, Trusted third parties, Wild cards, Patient monitoring
National Category
Computer and Information Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-70591; DOI: 10.1007/978-3-030-03638-6_11; Scopus ID: 2-s2.0-85057389362; ISBN: 9783030036379
Conference
Secure IT Systems. NordSec 2018, 28 November 2018 through 30 November 2018
Projects
HITS, 4707
Funder
Knowledge Foundation
Available from: 2018-12-20. Created: 2018-12-20. Last updated: 2019-11-11. Bibliographically approved.
Momen, N., Pulls, T., Fritsch, L. & Lindskog, S. (2017). How much Privilege does an App Need? Investigating Resource Usage of Android Apps. In: Proceedings of the Fifteenth International Conference on Privacy, Security and Trust – PST 2017 (IEEE proceedings pending). Paper presented at The Fifteenth International Conference on Privacy, Security and Trust – PST 2017. August 28-30, 2017 Calgary, Alberta, Canada. IEEE
2017 (English). In: Proceedings of the Fifteenth International Conference on Privacy, Security and Trust – PST 2017 (IEEE proceedings pending), IEEE, 2017. Conference paper, Published paper (Refereed)
Abstract [en]

Arguably, one of the default solutions to many of today's everyday errands is to install an app. In order to deliver a variety of convenient and user-centric services, apps need to access different types of information stored on mobile devices, much of which is personal information. In principle, access to such privacy-sensitive data should be kept to a minimum. In this study, we focus on privilege utilization patterns of apps installed on Android devices. Though explicit consent is required prior to first-time access to a resource, the unavailability of usage information makes it hard for users to reassess their initial decision. On the other hand, a granted privilege with little or no usage would suggest a likely violation of the principle of least privilege. Our findings illustrate a plausible requirement for visualising resource usage to aid users in their decision-making, and for finer access control mechanisms.

Place, publisher, year, edition, pages
IEEE, 2017
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-65605; DOI: 10.1109/PST.2017.00039; ISI: 000447643500028; ISBN: 978-1-5386-2487-6; ISBN: 978-1-5386-2488-3
Conference
The Fifteenth International Conference on Privacy, Security and Trust – PST 2017. August 28-30, 2017 Calgary, Alberta, Canada
Available from: 2018-01-15. Created: 2018-01-15. Last updated: 2019-07-11. Bibliographically approved.
Greschbach, B., Pulls, T., Roberts, L. M., Winter, P. & Feamster, N. (2017). The Effect of DNS on Tor's Anonymity. In: NDSS Symposium 2017. Paper presented at Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 26 Feb-1 Mar, 2017. Internet Society
2017 (English). In: NDSS Symposium 2017, Internet Society, 2017. Conference paper, Published paper (Refereed)
Abstract [en]

Previous attacks that link the sender and receiver of traffic in the Tor network ("correlation attacks") have generally relied on analyzing traffic from TCP connections. The TCP connections of a typical client application, however, are often accompanied by DNS requests and responses. This additional traffic presents more opportunities for correlation attacks. This paper quantifies how DNS traffic can make Tor users more vulnerable to correlation attacks. We investigate how incorporating DNS traffic can make existing correlation attacks more powerful and how DNS lookups can leak information to third parties about anonymous communication. We (i) develop a method to identify the DNS resolvers of Tor exit relays; (ii) develop a new set of correlation attacks (DefecTor attacks) that incorporate DNS traffic to improve precision; (iii) analyze the Internet-scale effects of these new attacks on Tor users; and (iv) develop improved methods to evaluate correlation attacks. First, we find that there exist adversaries that can mount DefecTor attacks: for example, Google's DNS resolver observes almost 40% of all DNS requests exiting the Tor network. We also find that DNS requests often traverse ASes that the corresponding TCP connections do not transit, enabling additional ASes to gain information about Tor users' traffic. We then show that an adversary that can mount a DefecTor attack can often determine the website that a Tor user is visiting with perfect precision, particularly for less popular websites where the set of DNS names associated with that website may be unique to the site. We also use the Tor Path Simulator (TorPS) in combination with traceroute data from vantage points co-located with Tor exit relays to estimate the power of AS-level adversaries that might mount DefecTor attacks in practice.

Place, publisher, year, edition, pages
Internet society, 2017
Keywords
Tor, Website Fingerprinting, Correlation Attacks, Anonymity, DNS
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-64786; DOI: 10.14722/ndss.2017.23311; ISBN: 1-891562-46-0
Conference
Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 26 Feb-1 Mar, 2017
Projects
Hoppet till Tor (5065)
Available from: 2017-10-26. Created: 2017-10-26. Last updated: 2018-10-11. Bibliographically approved.
Karegar, F., Pulls, T. & Fischer-Hübner, S. (2017). Visualizing Exports of Personal Data by Exercising the Right of Data Portability in the Data Track - Are People Ready for This?. In: Privacy and Identity Management. Facing up to Next Steps. Privacy and Identity 2016. IFIP Advances in Information and Communication Technology. Paper presented at The 11th International IFIP Summer School on Privacy and Identity Management, August 21-26, 2016, Karlstad, Sweden (pp. 164-181). Springer, vol. 498
2017 (English). In: Privacy and Identity Management. Facing up to Next Steps. Privacy and Identity 2016. IFIP Advances in Information and Communication Technology, Springer, 2017, Vol. 498, p. 164-181. Conference paper, Published paper (Refereed)
Abstract [en]

A transparency enhancing tool called Data Track has been developed at Karlstad University. The latest stand-alone version of the tool allows users to visualize their data exports. For analyzing the users’ perceptions of the Data Track in regard to transparency features and the concepts of data export and data portability, we have conducted a qualitative user study. We observed that although users had rather little interest in the visualization of derived data activities revealed in the Google location file, they were interested in other kinds of derived data like usage patterns for different service providers. Also, as earlier user studies revealed, we again confirmed that it is confusing for users to differentiate between locally and remotely stored and controlled data. Finally, in spite of being concerned about the security of the data exported to their machines, for exercising data portability rights pursuant to the General Data Protection Regulation, most participants would prefer to first export and edit the data before uploading it to another service provider and would appreciate using a tool such as the Data Track for helping them in this context.

Place, publisher, year, edition, pages
Springer, 2017
Series
IFIP Advances in Information and Communication Technology book series, ISSN 1868-4238
Keywords
Transparency Enhancing Tools, Data portability, visualization, Data Track
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-64555; DOI: 10.1007/978-3-319-55783-0_12; ISI: 000460572100012; ISBN: 978-3-319-55782-3; ISBN: 978-3-319-55783-0
Conference
The 11th International IFIP Summer School on Privacy and Identity Management, August 21-26, 2016, Karlstad, Sweden
Available from: 2017-10-16. Created: 2017-10-16. Last updated: 2019-09-05. Bibliographically approved.
Dahlberg, R., Pulls, T. & Peeters, R. (2016). Efficient Sparse Merkle Trees: Caching Strategies and Secure (Non-)Membership Proofs. In: Billy Bob Brumley, Juha Röning (Ed.), Secure IT Systems: 21st Nordic Conference, NordSec 2016, Oulu, Finland, November 2-4, 2016. Proceedings. Paper presented at NordSec 2016 - 21st Nordic Conference on Secure IT Systems, Oulu, Finland, November 2-4, 2016 (pp. 199-215). Springer
2016 (English). In: Secure IT Systems: 21st Nordic Conference, NordSec 2016, Oulu, Finland, November 2-4, 2016. Proceedings / [ed] Billy Bob Brumley, Juha Röning, Springer, 2016, p. 199-215. Conference paper, Published paper (Refereed)
Abstract [en]

A sparse Merkle tree is an authenticated data structure based on a perfect Merkle tree of intractable size. It contains a distinct leaf for every possible output from a cryptographic hash function, and can be simulated efficiently because the tree is sparse (i.e., most leaves are empty). We are the first to provide complete, succinct, and recursive definitions of a sparse Merkle tree and related operations. We show that our definitions enable efficient space-time trade-offs for different caching strategies, and that verifiable audit paths can be generated to prove (non-)membership in practically constant time (<4 ms) when using SHA-512/256. This is despite a limited amount of space for the cache—smaller than the size of the underlying data structure being authenticated—and full (concrete) security in the multi-instance setting.
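As an added example, not the authors' definitions or implementation and not part of the original record, the following Python sketch shows the mechanism the abstract describes: a sparse Merkle tree of height 256 in which every empty subtree of a given height hashes to one precomputed value, so a tree with 2^256 formal leaves is simulated from the few leaves actually set, and one audit path proves either membership or non-membership of a key. The leaf encoding, the domain-separation bytes, the use of SHA-256 (the paper reports SHA-512/256) and the sample entries are assumptions of this example; the paper's caching strategies are not reproduced, only the empty-subtree table on which they build.

```python
import hashlib
from typing import Dict, List, Optional

HASH_BITS = 256                  # tree height: one leaf per possible SHA-256 output
LEAF, NODE = b"\x00", b"\x01"    # domain separation for leaf vs. interior hashes


def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


EMPTY_LEAF = H(LEAF)             # every unset leaf hashes to this constant

# EMPTY[h] is the root of an all-empty subtree of height h. All empty subtrees of
# equal height are identical, so 257 digests stand in for the 2^256 leaves the
# tree formally contains; this is the sparseness the abstract refers to.
EMPTY: List[bytes] = [EMPTY_LEAF]
for _ in range(HASH_BITS):
    EMPTY.append(H(NODE, EMPTY[-1], EMPTY[-1]))


def key_for(identifier: bytes) -> bytes:
    """Leaf position = hash of the identifier (assumed: e.g. a certificate or a name)."""
    return hashlib.sha256(identifier).digest()


def bit(key: bytes, i: int) -> int:
    """i-th most significant bit of the key; bit 0 selects the root's child."""
    return (key[i // 8] >> (7 - (i % 8))) & 1


def leaf_hash(key: bytes, value: bytes) -> bytes:
    return H(LEAF, key, value)


class SparseMerkleTree:
    def __init__(self) -> None:
        self.leaves: Dict[bytes, bytes] = {}

    def put(self, key: bytes, value: bytes) -> None:
        if len(key) * 8 != HASH_BITS:
            raise ValueError("key must be a full hash output")
        self.leaves[key] = value

    def _subtree(self, keys: List[bytes], depth: int) -> bytes:
        """Root of the subtree at `depth` whose non-empty leaves are exactly `keys`."""
        height = HASH_BITS - depth
        if not keys:
            return EMPTY[height]              # sparse shortcut: no recursion needed
        if height == 0:
            (k,) = keys                       # only one key can share a full 256-bit prefix
            return leaf_hash(k, self.leaves[k])
        left = [k for k in keys if bit(k, depth) == 0]
        right = [k for k in keys if bit(k, depth) == 1]
        return H(NODE, self._subtree(left, depth + 1), self._subtree(right, depth + 1))

    def root(self) -> bytes:
        return self._subtree(sorted(self.leaves), 0)

    def prove(self, key: bytes) -> List[bytes]:
        """Audit path: the sibling digest at every depth from the root down to the leaf.
        The same path serves as a membership proof if the key is set and as a
        non-membership proof if it is not."""
        path: List[bytes] = []
        keys = sorted(self.leaves)
        for depth in range(HASH_BITS):
            left = [k for k in keys if bit(k, depth) == 0]
            right = [k for k in keys if bit(k, depth) == 1]
            if bit(key, depth) == 0:
                path.append(self._subtree(right, depth + 1))
                keys = left
            else:
                path.append(self._subtree(left, depth + 1))
                keys = right
        return path


def verify(root: bytes, key: bytes, value: Optional[bytes], path: List[bytes]) -> bool:
    """Recompute the root from the claimed leaf and the audit path.
    value=None asserts non-membership: the leaf at `key` must be the empty leaf."""
    if len(path) != HASH_BITS:
        return False
    node = EMPTY_LEAF if value is None else leaf_hash(key, value)
    for depth in range(HASH_BITS - 1, -1, -1):
        sibling = path[depth]
        node = H(NODE, node, sibling) if bit(key, depth) == 0 else H(NODE, sibling, node)
    return node == root


if __name__ == "__main__":
    t = SparseMerkleTree()
    present, absent = key_for(b"cert:example.com"), key_for(b"cert:absent.example")
    t.put(present, b"serial-1")                                  # constructed sample entry
    r = t.root()
    print("membership    :", verify(r, present, b"serial-1", t.prove(present)))
    print("non-membership:", verify(r, absent, None, t.prove(absent)))
```

Proof size is fixed at 256 digests regardless of how many leaves are set, and the verifier never needs the tree itself; this unoptimized sketch recomputes subtree roots on every call, which is exactly the cost the paper's caching strategies trade memory against.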

Place, publisher, year, edition, pages
Springer, 2016
Series
Lecture notes in computer science, ISSN 0302-9743 ; 10014
Keywords
Hash Function, Certificate Authority, Cache Strategy, Cryptographic Hash Function, Empty Node
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-47716; DOI: 10.1007/978-3-319-47560-8_13; ISI: 000452458200013; ISBN: 978-3-319-47559-2
Conference
NordSec 2016 - 21st Nordic Conference on Secure IT Systems, Oulu, Finland, November 2-4, 2016
Projects
HITS
Funder
Knowledge Foundation
Available from: 2017-01-25. Created: 2017-01-25. Last updated: 2019-11-11. Bibliographically approved.
Peeters, R. & Pulls, T. (2016). Insynd: Improved Privacy-Preserving Transparency Logging. In: Ioannis Askoxylakis, Sotiris Ioannidis, Sokratis Katsikas, Catherine Meadows (Ed.), Computer Security - ESORICS 2016: 21st European Symposium on Research in Computer Security, Heraklion, Greece, September 26-30, 2016, Proceedings, Part II. Paper presented at ESORICS 2016 - The 21st European Symposium on Research in Computer Security, Heraklion, Greece, September 26-30, 2016 (pp. 121-139). Cham: Springer, vol. 9879
2016 (English). In: Computer Security - ESORICS 2016: 21st European Symposium on Research in Computer Security, Heraklion, Greece, September 26-30, 2016, Proceedings, Part II / [ed] Ioannis Askoxylakis, Sotiris Ioannidis, Sokratis Katsikas, Catherine Meadows, Cham: Springer, 2016, Vol. 9879, p. 121-139. Conference paper, Published paper (Refereed)
Abstract [en]

Service providers collect and process more user data than ever, while users of these services remain oblivious to the actual processing and to the utility of the processed data to the service providers. This leads users to put less trust in service providers and to be more reluctant to share data. Transparency logging is about service providers continuously logging descriptions of the data processing on their users' data, where each description is intended for a particular user.

We propose Insynd, a new cryptographic scheme for privacy-preserving transparency logging. Insynd improves on prior work by (1) increasing the utility of all data sent through the scheme thanks to our publicly verifiable proofs: one can disclose selected events without having to disclose any long-term secrets; and (2) enabling a stronger adversarial model: Insynd can deal with an untrusted server (such as commodity cloud services) through the use of an authenticated data structure named Balloon. Finally, our publicly available prototype implementation shows greatly improved performance with respect to related work and competitive performance for more data-intensive settings like secure logging.

Place, publisher, year, edition, pages
Cham: Springer, 2016
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 9879
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-46375; DOI: 10.1007/978-3-319-45741-3_7; ISI: 000387954500007; ISBN: 978-3-319-45740-6
Conference
ESORICS 2016 - The 21st European Symposium on Research in Computer Security, Heraklion, Greece, September 26-30, 2016
Projects
HITSA4Cloud
Available from: 2016-10-03. Created: 2016-10-03. Last updated: 2019-11-11. Bibliographically approved.
Identifiers
ORCID iD: orcid.org/0000-0001-6459-8409