Social Networks and Privacy

(1)

Social Networks and Privacy

OLEKSANDR BODRIAGOV

Licentiate Thesis Stockholm, Sweden, 2015

(2)

TRITA-CSC-A 2015:07 ISSN-1653-5723

ISBN 978-91-7595-571-1

KTH Royal Institute of Technology School of Computer Science and Communications Department of Theoretical Computer Science SE-100 44 Stockholm SWEDEN Akademisk avhandling som med tillst˚and av Kungl Tekniska högskolan framlägges till offentlig granskning för avläggande av teknologie licentiatexamen i datalogi den 09 juni, 2015 i sal E2 Lindstedsvägen 3, Kungliga Tekniska Högskolan, Stockholm.

c

Oleksandr Bodriagov, January 13, 2015 Tryck: Universitetsservice US AB

(3)

Abstract

Centralized online social networks pose a threat to their users’ privacy as social network providers have unlimited access to users’ data. Decentralized social networks address this problem by getting rid of the provider and giving control to the users themselves, meaning that only the end-users themselves should be able to control access of other parties to their data. While there have been several proposals and advances in the development of privacy-preserving decentralized social networks, the goal of secure, efficient, and available social network in a decentralized setting has not been fully achieved.

This thesis contributes to the research in the field of security for social networks with focus on decentralized social networks. It studies encryption-based access control and man-agement of cryptographic keys/credentials (required for this access control) via user accounts with password-based login in decentralized social networks.

First, this thesis explores the requirements of encryption for decentralized social networks and proposes a list of criteria for evaluation that is then used to assess existing encryption-based access control systems. We find that all of them provide confidentiality guarantees (of the content itself), while privacy (of information about the content or access policies) is either not addressed at all or it is addressed at the expense of system’s performance and flexibility.

We highlight the potential of two classes of privacy preserving schemes in the decen-tralized online social network (DOSN) context: broadcast encryption schemes with hidden access structures and predicate encryption (PE) schemes, and propose to use them. Both of these classes contain schemes that exhibit desirable properties and better fulfill the criteria. Second, the thesis analyses predicate encryption and adapts it to the DOSN context as it is too expensive to use out of the box. We propose a univariate polynomial construction for access policies in PE that drastically increases performance of the scheme but leaks some part of the access policy to users with access rights. We utilize Bloom filters as a means of decreasing decryption time and indicate objects that can be decrypted by a particular user. The thesis demonstrates that adapted scheme shows good performance and thus user experience by making a newsfeed assembly experiment.

Third, the thesis presents a solution to the problem of management of cryptographic keys for authentication and communication between users in decentralized online social networks. We propose a password-based login procedure for the peer-to-peer (P2P) setting that allows a user who passes authentication to recover a set of cryptographic keys required for the application. In addition to password logins, we also present supporting protocols to provide functionality related to password logins, such as remembered logins, password change, and recovery of the forgotten password. The combination of these protocols allows emulating password logins in centralized systems. The results of performance evaluation indicate that time required for logging in operation is within acceptable bounds.

(4)

Sammanfattning

Centraliserade sociala online nätverk utgör ett hot mot användarnas integritet. Detta eftersom leverantörer av sociala nätverkstjänster har obegränsad tillg˚ang till användarnas information. Decentraliserade sociala nätverk löser integritetsproblemet genom att eliminera leverantörer och ge användarna kontroll över deras data. Innebörden av detta är att användarna själva f˚ar bestämma vem som f˚ar tillg˚ang till deras data. Även om det finns flera förslag och vissa framsteg i utvecklingen avseende integritetsbevarande decentraliserade sociala nätverk, har m˚alet om säkra, effektiva, och tillgängliga sociala nätverk i en decentraliserad miljö inte uppn˚atts fullt ut. Denna avhandling bidrar till forskning inom säkerhet avseende sociala nätverk med fokus p˚a decentraliserade sociala nätverk. Avhandlingen inriktas p˚a krypteringsbaserad ˚atkomstkontroll och hantering av kryptografiska nycklar (som krävs för denna ˚atkomstkontroll) med hjälp av användarkonton med lösenordsbaserad inloggning i decentraliserade sociala nätverk.

Först undersöker denna avhandling krav p˚a kryptering för decentraliserade sociala nätverk och föresl˚ar utvärderingskriterier. Dessa utvärderingskriterier används sedan för bedömning av befintliga krypteringsbaserade system för ˚atkomstkontroll. V˚ar utredning visar att samtliga garanterar sekretess av själva inneh˚allet. Integritet av information om inneh˚allet eller ˚atkomstprinciper ¨

ar dock inte skyddat alls, alternativt skyddade p˚a bekostnad av systemets prestanda och flexi-bilitet.

Vi lyfter fram potentialen i tv˚a klasser av integritetsbevarande system i DOSN samman-hang: broadcast-krypteringssystem med dolda tillg˚angsstrukturer och predikat krypteringssys-tem; vi f¨oresl˚ar anv¨andning av dessa system. B˚ada dessa klasser inneh˚aller system som uppvisar ¨

onskvärda egenskaper och uppfyller kriterier p˚a ett bättre sätt.

För det andra analyserar avhandlingen predikat kryptering och anpassar denna till DOSN sammanhang, eftersom det är för dyrt att använda som det är. Vi föresl˚ar en ”univariate poly-nomial construction” för ˚atkomstprinciper i predikat kryptering som drastiskt ökar systemets prestanda, men läcker n˚agon del av ˚atkomstprincipen till användare med ˚atkomsträttigheter. Vi använder Bloom-filter för att minska dekrypteringstiden och indikera objekt som kan dekrypteras av en viss användare. Genom att göra ett experiment med nyhetsflödessammansättning visas att det anpassade systemet ger goda resultat och därmed användarupplevelse.

För det tredje presenterar avhandlingen en lösning p˚a problemet avseende hanteringen av kryptografiska nycklar för autentisering och kommunikation mellan användare i decentraliserade sociala online nätverk. Vi föresl˚ar en lösenordsbaserad inloggningsprocedur för peer-to-peer (P2P) miljön, som gör att användaren som passerar autentisering f˚ar ˚atervinna en uppsättning kryptografiska nycklar som krävs för applikationen. Förutom lösenordsinloggning presenterar vi ocks˚a stödprotokoll för att ge relaterat funktionalitet, s˚asom inloggning med lagrade lösenord, lösenordsbyte, och ˚aterställning av bortglömda lösenord. Kombinationen av dessa protokoll till˚ater simulera lösenordsinloggning i centraliserade system. Prestandautvärderingen visar att tiden som krävs för inloggning är inom acceptabla gränser.

(5)

Acknowledgements

It took me a few years to write this thesis, and I must say that it was not the easiest task in my life. It required a lot of time, dedication, and concentration. I would like to express my gratitude to all people that helped me on this way.

First and foremost, I would like to thank my adviser Sonja Buchegger for her help, support, invaluable advices, and guidance. She was the one who taught me how to do research in a structured way. Her simple and elegant guidelines, like a rule of thumb for writing introduction in papers, have been very useful to me in various situations beyond academic context.

Second, I would like to thank my colleagues from our small but quite efficient research group: Gunnar Kreitz, Benjamin Greschbach, and Guillermo Rodr´ıguez-Cano. I really enjoyed working with you all!

I would also like to express my gratitude to Siavash Soleimanifard, Oliver Schwarz, and Pedro de Carvalho Gomes for sharing their thoughts and comments whenever I asked them. Thanks to Dilian Gurov for his counsel on writing this thesis.

I am thankful to all members of the theoretical computer science group at KTH for making this group a very friendly place to work in. Special thanks to Benjamin Greschbach, Guillermo Rodr´ıguez-Cano, Oliver Schwarz, Pedro de Carvalho Gomes, and Siavash Soleimanifard for many fun and interesting conversations.

Last but not least, a big thanks to my friends at NGO “Unga Ukrainare i Sverige”: Max, Vira, Ola, Kostya, Oksana, Alyona, Sergii, Tetiana, and Roman. You all are great people, and I am grateful for your support, company, and for the fantastic and unforgettable experience we have had.

Oleksandr Bodriagov, Stockholm, January 2015.

(6)

(7)

4 Access Control in Decentralized Online Social Networks: Applying a Policy-Hiding Cryptographic Scheme and Evaluating Its Performance 47 4.1 Introduction . . . 47 4.2 Related Work . . . 49 4.3 Predicate Encryption . . . 50 4.4 Performance Evaluation . . . 54 4.5 Conclusions . . . 57 References . . . 58 5 Passwords in Peer-to-Peer 61 5.1 Introduction . . . 61 5.2 Related Work . . . 62

(8)

5.3 System Overview and Assumptions . . . 63

5.4 Password-based P2P Login . . . 64

5.5 Password Recovery . . . 69

5.6 Security . . . 73

5.7 Evaluation . . . 75

5.8 Conclusions and Future Work . . . 78

References . . . 79

(9)

List of Figures

4.1 PE scheme performance . . . 55

4.2 News feed assembly time for 300 profiles . . . 57

5.1 Overview of the system. . . 65

5.2 Storage structure and login procedure . . . 66

5.3 Login latency CDF . . . 76

List of Tables

3.1 Comparison of encryption systems of P2P social networks . . . 42

5.1 Protocol Terminology . . . 65

5.2 Recovery Protocol Terminology . . . 70

(10)

(11)

Chapter 1

Introduction

Technological advances of mankind made mass communication and information sharing possible. By the end of the 19th century invasion of an individual’s privacy due to electrical telegraph, photography, and newspapers first occurred. In 1890 L. Brandeis and S.Warren published an article called ”The Right to Privacy” [1]. It was one of the first to advocate a right to privacy and its protection via legislative means. It became clear that privacy had to be protected.

Nowadays, with the emergence of social media, additional risks to an individual’s privacy have appeared. Nevertheless, information technology gives us necessary mechanisms to protect our privacy, we do not have to rely solely on the legislative privacy protection. This thesis contributes to the research in the field of social media security and is aimed at protecting privacy in social networks via technological means.

1.1 Background

Social networks have seen a dramatic growth during the past decade. For users, the benefits provided by the services outweighed any risks to privacy imposed by usage of these services. The privacy concerns and awareness did not stop users from revealing large amounts of personal information [2, 3]. In fact, in 2005, the majority of users opted to use default privacy settings, which were quite loose [4]. This combined with security flaws existing in these services [5] created a favorable environment for collecting of private data not only by the service provider, but also by various third parties.

Gradually, the awareness of privacy risks among users increased. According to [6], in 2009 the majority of surveyed Facebook users were already using much stricter access policies. Fur-thermore, users started actively defending their privacy. Changes, introduced by the social network provider, that users considered as a potential threat to their privacy were met with protests [5].

While security patches and additional privacy mechanisms developed by social network providers gave users the impression that they were in control of their data, in reality it has always been a social network service provider (SNP) that has had full control. For example, Facebook’s Terms of Services (TOS) [7] up till November 2013 stated that it gets ”perpetual, non-exclusive, transferable, fully paid, worldwide” license to any content user posts and that it can use it for commercial or advertising purposes. Google’s TOS [8] up till March 2012 stated that the company had perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to user content and that it could make this content available to other companies, organizations or individuals for the provision of syndicated services. Other services like Twitter, Instagram, and Linkedin have TOS [9] that gives them similar rights to the user content. While Google’s current TOS [10] are much more modest and state that ”The rights you grant in this license are

(12)

for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.”, Facebook according to its current TOS [11] still retains: ”non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post ”.

Even if the policy states that it is a user who owns the information, de facto it is SNP who is the real owner of the information. SNPs have the right to change TOS at any moment and they can introduce any changes to the service they wish (e.g. Facebook that unveiled privacy changes in 2009 [12]), and only a massive public protest can stop it. A user who is not happy with a service has mainly two options: either quitting the service or following its terms. The user cannot easily switch to another provider, especially if the majority of his friends still uses the old provider. Users are locked in the system, and consequently they have less means to influence SNPs. Providers take advantage of this situation and set the rules as they like. The user, in some sense, has no control over his/her information after it is posted. According to [5], in 2007, Privacy International listed Facebook among companies with ”severe privacy threats” because of data mining, transfer of data to third parties, etc. The recent study [13] has shown that half of the users that leave Facebook do this because of the privacy concerns.

Since locking gives providers bigger revenues and better control over the users, they have no incentives to switch to an open inter provider communication. The business model of SNPs is based on data aggregation, data mining, and targeted advertisements as the main end product. According to Facebook’s annual report 2013 [14], more than 90 percent of all revenues comes from advertising.

The research community realized the importance of privacy in social networks and came up with a number of proposals to tackle the privacy problem. Some researchers concentrated on anonymization techniques for mitigating a privacy threat associated with sharing of social data (e.g. a social network graph) with third parties. Social network APIs like Facebook API and OpenSocial API developed by Google allowed third-party applications to access a social graph and personal data of a user [15]. To anonymize data Felt et. al. [15] proposed to transform all user IDs in query responses, effectively prohibiting an application to access actual user IDs. However, according to Zhou et.al. [16], having some information about the connections of a user and the relationship between these connections, it was possible to reidentify the user in the social network graph. Therefore they proposed an anonymization technique that modifies the graph [16].

The aforementioned solutions protected only against malicious third parties. Besides, their implementation depended on the good will of SNPs. Researchers realized that SNP itself posed a threat and proposed to take control of the user data from SNPs by creating overlay systems that used online social network service as a communication medium or(and) as a storage. FlyByNight [17] is a third-party Facebook application that uses Facebook servers as a middle-ware for all interaction between FlyByNight servers and end users. All messages are stored in encrypted form on the specially dedicated FlyByNight server.

FaceCloak [18] allows users to hide any chosen piece of information from the SNP by storing it in encrypted form on a third-party server. When a user wants to post some hidden information, fake information is sent to SNP, while real information is sent to the third-party server. Fake information is used to find out the identifier of the real information on the third-party server.

NOYB [19] hides real information from the SNP by using pseudorandom blocks of informa-tion (that look like real data to the SNP) and substituting real data with these blocks, thus the SNP operates on the fake data. The system works as a substitution cipher. All data is partitioned into chunks which are indexed and then substituted by the chunks of encrypted data. The chunks for substitution are picked from the dictionary. The index of the real data chunk is encrypted and the ciphered index is used to choose the chunk for substitution.

These overlay solutions were not self-contained. They were entirely dependent on the good 12

(13)

will of the social network provider, which could stop the ”parasitic” services at any moment. Besides, these solutions have completely neglected the financial side of the problem connected with creating an altruistic provider of the ”privacy-enhancing service”.

Other researchers focused on the problem of locking of users. Lockr [20] decouples stored so-cial information from functionality, thus allowing users to be registered to different SNPs while maintaining a social connection. Lockr can operate both in a centralized and in a decentralized mode. In the centralized mode the SNP is responsible for the access control enforcement and data storage. SNPs do not store users’ social networks, only personal information. The stored data is unencrypted. SNPs continue to serve user data as well as host third-party social appli-cations. In the decentralized mode, information is stored by the user himself, and the user is responsible for access control.

1.2 Motivation and related work

Giving the full control to the end-user would be a solution to the privacy problem, meaning that only the end-user himself should be able to control access of other parties to his data. An unauthorized party should not have any technical means to access the end-user’s data.

Full data control

There are several approaches to achieve full control over one’s data: • hosting user’s data on a constantly available paid server • personal server for each user

• personal virtual machine in a paid cloud

• personal mobile devices with Internet connectivity acting as servers • decentralized network

The first approach is to host users’ data on a constantly available server to achieve the same level of service and interactivity that is provided by online social networks (OSNs). However, this kind of service provided by a third party cannot be free unless the user is willing to allow data mining and to receive advertisements. The problem is that research shows that users are not willing to pay for the social network service, though they are willing to use it [21]. Thus, it is doubtful that users will pay for the service with some security benefits if there is a similar one for free. Therefore a concept of a paid service with security guarantees for the end user is currently infeasible. Any solution with a central server raises payment and privacy concerns. For example, the ad-free, paid online social networking platform and microblogging service App.net [22] gives users control over their data. The users give permissions to social applications/services running on top of the App.net platform to access their data. Yet, the users can neither prevent App.net that manages this platform from accessing their data for purposes beyond operating services nor prevent transfer of their data to third parties (e.g. recent reports on National Security Agency’s global surveillance program [23]). The App.net’s revenue model is based on subscription fees paid by users and developers, but their subscription renewal rate in 2014 was so low that they did not have sufficient budget for full-time employees [24].

Another way would be to use a decentralized, provider-independent approach and have each user run his/her own server. The problem is that most of the users do not have sufficient expertise for that, and it would be much more troublesome for them to keep it constantly

(14)

running and maintain it than using an ordinary social network. A decentralized social network Diaspora [25], that has taken this approach, is a good example. Any user can join Diaspora by setting up a private server, and users who decide not to set up their own servers can choose from one of the existing servers to store their data. According to their statistics [26], only a very small percentage of users decided to set up their own server, while 90% of all users are registered on just 5 top servers (by the number of active users). It is important to point out that data that is stored on these servers is not encrypted, and people running the server have full access to users’ data [27]. Privacy can be ensured only by running a personal server. Besides, there is no guarantee that one of these servers will not be shut down later in the future, potentially resulting in a complete loss of all data for the users of that server.

Taking into account the previous arguments about the paid services and Diaspora’s experi-ence with personal servers, one can claim that a Vis-a‘-Vis [28] model of the decentralized OSN based on personal virtual machines running in a paid cloud is currently infeasible.

Another option would be to use mobile phones/tablets as servers. Users could download an app on their mobile phones/tablets and run some kind of a server to achieve a fully decentralized network. However, the homogeneous network of mobile phones will hardly be able to provide any connectivity at all because, to the best of our knowledge, all of the 3G/4G networks are behind NAT (or two NATs) and firewalls [29] and NAT-traversal techniques [30] will not work when all devices are behind the NAT and there are no rendezvous points. Even if we assume that the transition to IPv6 and consequent disappearance of NATs happens very soon, this approach has still some other disadvantages: a lost or stolen phone equals to loosing all information and the profile; a forgotten phone means that it is impossible to access the profile; connection loss means that none of your friends can access your profile, popular high-definition videos or photo albums can result in hundreds of megabytes of outgoing traffic that would be a big burden for the battery. Consequently, user data should be backed-up on and served from some external storage managed by some other party. So, even if we assume that transition to IPv6 has happened and mobile phones can act as servers, user data should still be replicated regularly to some external storage to achieve 24/7 data availability and integrity.

A more realistic view of the fully decentralized network for social networking is a hetero-geneous P2P network consisting of various devices having different Internet connectivity and availability. Devices in this network act as building blocks for a decentralized storage with replication that stores all user data. Due to replication, data will still be available even if the node from which this data originated goes off-line.

There has been a lot of research on distributed storage systems [31–39] that has shown that such systems are feasible under realistic assumptions for node availability and replication degree.

This thesis follows this last approach and focuses on building a decentralized social network on top of existing decentralized storage systems in order to give full control to the end-user and to ensure privacy.

Encryption-based access control

Replication of user data to untrusted storage in the decentralized social network creates many privacy issues. An access control mechanism should tackle these issues since we considered decentralized networks with an aim of creating a privacy-preserving social network. The basic requirement to an access control mechanism in this case is that it should prevent a node which stores the replicated data from seeing it, except for meta information that identifies the data to be served. It should also guarantee that the user data is available only to a set of people authorized by the owner of the data. Data encryption is one of the mechanisms that helps to solve these two problems. It prevents the untrusted node that stores and serves the data

(15)

from seeing it, and it works as an access control mechanism as only people who were given cryptographic keys for decrypting data by the data owner should be able to decrypt it.

Encryption-based access control for decentralized social networks has received a lot of at-tention recently and many solutions have been developed [40–45].

An early version of the PeerSoN [40, 46] P2P social network used a distributed hash table (DHT) to look up data and a combination of symmetric and asymmetric cryptography for encryption-based access control on untrusted storage. Data was first encrypted with a symmetric key and then this key was encrypted with a public key of each of the data recipients. Privacy was not sufficiently addressed since user Ids (or public keys) were stored alongside encrypted data. Consequently, it was possible to infer who could decrypt the data.

The two-layered encryption, which is used in PeerSon, where the first layer is the symmet-ric encryption and the second layer encrypts the secret key used in the first layer is called a key encapsulation mechanism (KEM). KEM is beneficial when encrypting the same object for multiple recipients as it helps reduce encryption time and the resulting size of the encrypted object. As far as we know, KEM is used in all solutions for decentralized social networks.

Persona [43] relies on untrusted storage and uses ciphertext-policy attribute-based encryp-tion (ABE) with KEM for access control. ABE is used to encrypt data for groups of recipients and different combinations of these groups. To provide specific rights to stored objects, the profile owner defines access control lists (ACLs) and the storage enforces them. This scheme, however, does not guarantee privacy as the storage can see these ACLs in plaintext. ACLs contain the users’ public keys and their access rights. The storage authenticates the users and authorizes their actions based on the entries in the ACL. This scheme provides limited data integrity protection since the storage is supposed to reliably store and serve data, and protect it from unauthorized modification or deletion. Yet, the credibility of access control enforced by untrusted storage is not that strong, so the main protection mechanism is encryption, and it ensures only confidentiality. A user retrieving data (unlike the user writing data) does not need to authenticate with the storage, so the storage does not know the identity of the user but knows which groups of users can read data requested by the user as this this information is leaked by the ABE encryption.

From privacy perspective, Persona has a small improvement compared to PeerSon if there are many users who have only the right to read data.

Safebook [42] solves the problem of untrusted storage by using trusted friends to store data on their computers and to ensure privacy. Confidentiality is again achieved with a combination of symmetric and asymmetric encryption, and a DHT is used as a lookup service to find a path to the stored data. Unlike other systems for decentralized social networks, Safebook provides untraceability of communication as an integral part of the system. The privacy of the scheme is partial because explicitly trusted parties (most trusted friends that serve as mirrors) can trace communication parties, but communication privacy is protected from external observers via multi-hop routing.

We argue that reliance on friendships and trust may be harmful. Friendships may fade with time or may end suddenly, and trust can be betrayed. It has been shown that half of adult friendships are lost in seven years [47].

In comparison to PeerSon, Safebook has a slight improvement in privacy as only trusted friends can see who can decrypt the data of the profile owner.

Cachet [44] is an update of the Decent architecture [48]. It uses a DHT to store data and uses ABE for encryption. In the used variant of ABE, the access policy is described openly in the header of the ciphertext. The authors observe the resulting privacy violation, but only address it partially by hiding these headers from the storage system. Users can still observe headers and thus can see plaintext ABE access policies. For efficiency, the authors used caching

(16)

of information and store the unencrypted version of this information on the nodes that satisfy the ABE policy (nodes that are able to decrypt). Thus users will know for whom the content is encrypted, and they may even be able to trace the requests of other people who also can decrypt the same information.

G¨unther et. al. [45] describe two solutions for publishing of content on social network profiles. One solution uses broadcast encryption with pseudonyms. Pseudonyms are needed to provide privacy protection and patch the used BE scheme which leaks the set of recipi-ents. Pseudonyms give a limited anonymity property [45], but it is still possible to see which pseudonym is authorized to decrypt what. Taking into account that other users might have some additional information about an event/question that the encrypted message covers, we argue that the protection is not sufficient as users may infer the identity behind the pseudonym. Their second construction is based on symmetric encryption. It requires for each attribute-value pair in the system and for each user from the set of recipients of that value to have a separate decryption key. This approach scales poorly to large system sizes.

Tahoe [49], a distributed file system, uses symmetric encryption. Each encrypted file is associated with at least two unique cryptographic values/capabilities. One is a symmetric encryption key and the other one is a hash value for checking integrity. To give access to an encrypted file to a user, one has to share these two cryptographic capabilities with this user. Taking into account the large number of friends in social networks, such sharing results in too much overhead and becomes prohibitively expensive. By grouping a set of files into a directory (a file that contains all cryptographic capabilities required to read/write any file from the set [49]) and then sharing cryptographic capabilities only for this directory we could partially solve the problem, but then we lose flexibility of fine-grained access to files.

Anderson et. al [41] describe a social network that divides a user profile in discrete encrypted blocks. Symmetric secret keys for these blocks are shared between users who should have access to information stored in these blocks by using hierarchical group key management schemes. We argue, that it is not obvious that there exists a hierarchy of users/groups (unlike the hierarchy of files and directories) in a profile of an average user besides the most simple one, in which any group is a subset of group “friends” containing all connections of the profile owner. In a system without access rights hierarchy, a hierarchical group key management scheme will perform no better than a simple system based on shared keys for groups.

Issues covered in this thesis

All of the aforementioned systems ensure confidentiality of the users’ content, but information about access policies, which describe who has access to this content, is either not protected at all or it is protected in a way that system’s performance and flexibility suffers. An access-control mechanism of the DOSN should be privacy-preserving, i.e. it should not reveal access policies, and performant at the same time; and these depend on the underlying cryptographic primitive(s). Taking into account the large number of objects and users in the social network and the constrained resources of the distributed P2P storage, the cryptographic system used for encryption/decryption should have low cryptographic overhead, flexibility to support typical data sharing and communication functions of the social network, and adequate performance. What is the best encryption system for DOSNs? How should it be applied to the DOSN?

All cryptographic systems use secret cryptographic keys/credentials. In general, the more entities/communicating parties the system includes, the bigger number of cryptographic keys is needed. A typical social network user has hundreds of friends, which means many cryptographic keys/credentials. All of the aforementioned decentralized social networks assume that a user owns a device that has all cryptographic keys/credentials needed to interact with the system. However, if this device is lost or gets broken and there is no backup, then the user becomes cut

(17)

off from the system. This device becomes a single point of failure. Moreover, it is common that a user owns several devices, so they have to be synchronized. We could of course require users to carry with them USB sticks containing necessary cryptographic keys. As another option, we could encrypt these keys, store them in the cloud and require users to remember only one key needed to decrypt and fetch all other keys belonging to them. Either of these variants would decrease usability. In centralized online social networks users have only one password instead of many cryptographic keys, and they can log in from any computer in the world. Is it possible to use globally accessible accounts, stable network-wide identities, and username-password authentication in decentralized social networks? What would account registration, login, password change, remembered logins, and logout procedures look like?

1.3 Research methodology

This thesis follows the design science research methodology principles [50]. It involves the qualitative and quantitative analysis of existing design artifacts/DOSN architectures followed by the design of new artifacts and their evaluation.

In particular, for the research of encryption-based access control in DOSN, the design arti-facts were evaluated according to the following categories: efficiency, functionality, and privacy. By efficiency we mean how much effort the used encryption scheme creates in terms of storage, computational cost, and communications overhead. By functionality we categorize possibilities of using the encryption scheme to manage permissions. By privacy we denote the side-effects of the decentralized system of leaking information about the user data and not only the user data itself (confidentiality).

For the research of password-based authentication in decentralized systems, the authentica-tion mechanisms of P2P backup and storage systems were analyzed.

The analysis was followed by the design of the new protocols for the password-based authen-tication and the new encryption-based access control mechanism aimed at solving the privacy problem without sacrificing performance. Lightweight custom simulators were developed to evaluate the efficiency of the design. The data used in simulations was taken from the real-world performance measurements of the BitTorrent Mainline DHT overlay and statistical data from Facebook. Security properties of the proposed architectures were thoroughly analyzed, but no formal security proofs were made.

1.4 Thesis contribution

A total of 4 research papers have been co-authored during the licentiate thesis. They can be broadly characterized into three topics: encryption protocols for encryption-based access control, management of cryptographic keys/credentials via user accounts with password-based login in decentralized P2P networks, and communication protocols and general architecture for decentralized social networks. The thesis focuses on the first two topics.

List of Papers

1. O. Bodriagov and S. Buchegger, “Encryption for peer-to-peer social networks,” in Security and Privacy in Social Networks, Y. Altshuler, Y. Elovici, A. B. Cremers, N. Aharony, and A. Pentland, Eds. Springer New York, 2013, pp. 47–65.

Abstract. To address privacy concerns over online social networking services, several decentralized alternatives have been proposed. These peer-to-peer (P2P) online social networks do not rely on centralized storage of user data. Instead, data can be stored not

(18)

only on a computer of a profile owner but almost anywhere (friends’ computers, random peers from the social network, third-party external storage, etc.). Since the external storage is often untrusted or only semi-trusted, encryption plays a fundamental role in the security of P2P social networks.

Such a system needs to be efficient to be used on a large scale, provide the functionality of changing access rights suitable for social networks, and, crucially, it should preserve privacy properties itself. That is, beyond user data confidentiality, it has to protect against information leakage about users’ access rights and behavior. In this paper we explore the requirements of encryption for P2P social networks and propose a list of criteria for evaluation that we then use to compare a set of existing approaches. We find that none of the current P2P architectures for social networks achieve secure, efficient, 24/7 access control enforcement and data storage. They either rely on trust, require constantly running servers for each user, use expensive encryption, or fail to protect the privacy of access information. In the search for a solution that better fulfills the criteria, we found that some broadcast encryption (BE) and predicate encryption (PE) schemes exhibit several desirable properties.

Contribution statement. Oleksandr Bodriagov was the main contributor of this work. Sonja Buchegger provided valuable feedback and contributed to parts of the writing, particularly the abstract and introduction.

2. O. Bodriagov, G. Kreitz, and S. Buchegger, ”Access control in decentralized online so-cial networks: Applying a policy-hiding cryptographic scheme and evaluating its perfor-mance,” Pervasive Computing and Communications Workshops (PERCOM Workshops), 2014 IEEE International Conference on , vol., no., pp.622,628, 24-28 March 2014

Abstract. Privacy concerns in online social networking services have prompted a number of proposals for decentralized online social networks (DOSN) that remove the central provider and aim at giving the users control over their data and who can access it. This is usually done by cryptographic means. Existing DOSNs use cryptographic primitives that hide the data but reveal the access policies. At the same time, there are privacy-preserving variants of these cryptographic primitives that do not reveal access policies. They are, however, not suitable for usage in the DOSN context because of performance or storage constraints.

A DOSN needs to achieve both privacy and performance to be useful. We analyze predi-cate encryption (PE) and adapt it to the DOSN context. We propose a univariate poly-nomial construction for access policies in PE that drastically increases performance of the scheme but leaks some part of the access policy to users with access rights. We utilize Bloom filters as a means of decreasing decryption time and indicate objects that can be decrypted by a particular user.

We evaluate the performance of the adapted scheme in the concrete scenario of a news feed. Our PE scheme is best suited for encrypting for groups or small sets of separate identities.

Contribution statement. Oleksandr Bodriagov was the main contributor of this work. Gunnar Kreitz contributed to active discussion and parts of the writing. Sonja Buchegger provided valuable feedback and contributed to parts of the writing, particularly introduc-tion.

3. G. Kreitz, O. Bodriagov, B. Greschbach, G. Rodriguez-Cano, and S. Buchegger, “Pass-words in peer-to-peer,” in Peer-to-Peer Computing (P2P), 2012 IEEE 12th International Conference on, sept. 2012, pp. 167–178.

(19)

Abstract. One of the differences between typical peer-to-peer (P2P) and client-server systems is the existence of user accounts. While many P2P applications, like public file sharing, are anonymous, more complex services such as decentralized online social net-works require user authentication. In these, the common approach to P2P authentication builds on the possession of cryptographic keys. A drawback with that approach is usability when users access the system from multiple devices, an increasingly common scenario. In this work, we present a scheme to support logins based on users knowing a username-password pair. We use username-passwords, as they are the most common authentication mech-anism in services on the Internet today, ensuring strong user familiarity. In addition to password logins, we also present supporting protocols to provide functionality related to password logins, such as resetting a forgotten password via e-mail or security questions. Together, these allow P2P systems to emulate centralized password logins. The results of our performance evaluation indicate that incurred delays are well within acceptable bounds.

Contribution statement. Gunnar Kreitz was the main contributor of this work. Olek-sandr Bodriagov contributed to active discussion, protocols design (all except for the password recovery mechanism), and the adaptation of functional requirements for the password-based authentication from the ISO 27002 standard. The protocols were jointly designed by all authors. Sonja Buchegger provided valuable feedback.

Other papers (not included in thesis)

4. O. Bodriagov and S. Buchegger, “P2P social networks with broadcast encryption protected privacy,” in Privacy and Identity Management for Life, ser. IFIP Advances in Information and Communication Technology, J. Camenisch, B. Crispo, S. Fischer-Hbner, R. Leenes, and G. Russello, Eds. Springer Berlin Heidelberg, 2012, vol. 375, pp. 197–206.

Summary of Contribution

The contribution of this thesis falls in two topics: encryption-based access control and manage-ment of cryptographic keys/credentials (required for this access control) via user accounts with password-based login in decentralized social networks.

Encryption-based access control (papers 1 and 2)

• Four types of encryption systems for decentralized social networks found in the literature are: symmetric cryptography with key sharing according to hierarchical group key man-agement schemes, combination of asymmetric and symmetric cryptographies, CP-ABE, and broadcast encryption with pseudonyms. To find the most suitable encryption system, we investigated the scenario of decentralized social networks without trusted parties and the impact this environment has on encryption-based access control systems. Based on this analysis we formulated the following evaluation criteria that encompass efficiency, functionality, and privacy areas: efficiency of addition/removal of users from a group, ef-ficiency of user key revocation, encryption/decryption efef-ficiency, encryption header over-head, ability to encrypt for the conjunction/disjunction of groups, ability to encrypt for a group that one is not a member of, ability to encrypt for ”friends of friends”, ability not to reveal access structures in the header.

• The existing access control systems based on symmetric cryptography with key sharing, although being very fast, do not have sufficient functionality and thus have excessive cryptographic overhead in complex information sharing scenarios with fine-grained rights

(20)

management. We evaluated three other types of encryption systems in terms of their suitability for the decentralized social network scenario looking at the stated criteria. We found that the combination of asymmetric and symmetric cryptography does not have sufficient efficiency and functionality. CP-ABE schemes have favourable computational cost and functionality, but there are no CP-ABE schemes with hidden access structures and low storage and computational cost at the same time. The class of CP-ABE schemes reveals access structures [51]. The only ABE scheme with hidden ciphertext policies [52] that we know of and that was named/classified as ”HP-ABE” by Camenisch et al [53], is not suitable for decentralized social networks because of the quadratic growth of the ciphertext size in the number of attributes.

Broadcast encryption with pseudonyms gives only a limited anonymity property. Users may infer the identity behind the pseudonym as it is still possible to see which pseudonym is authorized to decrypt what.

• We proposed to use two classes of privacy preserving schemes in the DOSN context: broadcast encryption schemes with hidden access structures and predicate encryption (PE) schemes. Both of these schemes do not have the mentioned drawbacks, though we note that current PE schemes are relatively slow compared to BE schemes.

• We applied inner-product predicate encryption to the DOSN context. It is too expensive to use out of the box. Therefore, for PE we developed a construction for access policies that drastically increases performance, but introduces some trade-offs: it allows encrypt-ing for a bounded set of groups/users; this bound is a trade-off between efficiency and functionality of the scheme; the number of groups in the system is unlimited; a user has 2g different decryption keys, where g is the number of groups a user is a member of; having multiple keys leaks some information about access policies. We designed an experiment that showed that for newsfeed assembly from all friends (one of the most time consuming operations) our scheme shows good performance and thus user experience.

• For schemes that do not reveal access policies and have relatively slow decryption, we proposed to use Bloom filters to indicate to users which files they can decrypt. Bloom filters are both fast and space-efficient, and thus are suitable for DOSNs.

Management of cryptographic keys, user accounts, and login (paper 3)

• Decentralized online social networks require cryptographic keys for authentication and communication between users. With users having and using multiple devices (which often do not belong to them) to interact, direct usage of cryptographic keys for authentication drastically decreases usability. We propose a password-based login procedure for the P2P setting that allows a user who passes authentication to recover a set of cryptographic keys required for the application. Password-based authentication being the most common authentication mechanism on the Internet today has strong user familiarity. As far as we know, our work was the first to focus on password-based logins in a P2P setting in general and decentralized social networks in particular. Our security questions are similar to [54], but the protocols are new and relatively straightforward.

• In addition to password logins, we also present supporting protocols to provide functional-ity related to password logins, such as remembered logins, password change, and recovery of the forgotten password via e-mail or security questions. The combination of these protocols allows to emulate password logins in centralized systems.

(21)

• The performance of our mechanisms in terms of delay depends on the underlying P2P sys-tem in general and on amount of intentional delay added by parametrizing cryptographic functions. We developed a lightweight custom simulator to evaluate the performance of the login operation. The results indicate that incurred delays are well within acceptable bounds [55].

1.5 Conclusions and Future work

This thesis focuses on the problem of privacy in current online social networks and develops a solution to it in the domain of encryption-based decentralized social networks. First, we de-scribed the potential of broadcast encryption schemes with hidden access structures and pred-icate encryption schemes for the decentralized social networks and their advantages compared to encryption systems used in existing decentralized social networks.

Second, we designed an encryption-based access control system using predicate encryption with specially crafted access policies. As a proof of concept, we performed a simulation reflecting the realistic scenario of assembling the news feed which demonstrated feasibility of predicate encryption for decentralized social networks.

Third, we proposed a mechanism of managing and retrieving the cryptographic keys used by encryption-based decentralized social networks that uses password-based authentication, meaning a strong user familiarity and ease of usage. We also presented supporting protocols for password change, remembered logins, and recovery of the forgotten password.

The encryption-based access control system and the key management system with password-based login that we designed are independent and can be used separately.

Directions for Future work

While the thesis includes initial discussions of security properties of our constructions, the next step should be a thorough security analysis. In the proposed encryption-based access control system we should analyze the leakage of information about access policies to people who have access according to these policies.

Another issue worth considering is protection against malicious/curious storage nodes that try to map identities of nodes requesting information to the requested information. This map-ping would potentially allow these storage nodes to find out the network identities of friends of a person whose content is stored on these storage nodes. Although the problem of anony-mous communications has been mostly addressed by onion routing networks, recent studies and reports [56, 57] show that a well-known onion routing network Tor is vulnerable. We should in-vestigate if onion routing can protect against the identity mapping and if it can be incorporated into the system.

Another direction is adaptation of broadcast encryption schemes with hidden access struc-tures for the decentralized social networks. We have advanced considerably in this direction while working with anonymous broadcast encryption (ANOBE) [58]. Our ultimate goal is to de-sign an encryption-based access control system for decentralized systems without any trade-offs between privacy and performance.

In the area of key management we have only touched upon the question of key revocation, but it deserves a thorough investigation. Another question related to key revocation is the effect of forward-secrecy on encryption-based access control systems and whether this property is beneficial for decentralized social networks.

(22)

All measurements and estimations for cryptographic schemes in this thesis were made at a 128-bit security level. While a security-strength time frame for this level according to NIST spans beyond 2031 [59], it is worth considering higher security levels for long-term privacy.

It is also worth investigating applicability of the developed encryption-based access control mechanisms to decentralized systems with a multi-recipient communication pattern other than social networks.

(23)

Chapter 2

Errata for included publications

Two articles included in the thesis that deal with encryption for P2P social networks are ”En-cryption for Peer-to-Peer Social Networks” and ”Access Control in Decentralized Online Social Networks: Applying a Policy-Hiding Cryptographic Scheme and Evaluating Its Performance”. The time difference between these two papers is a couple of years. The first paper states: ”CP-ABE and PE decryption algorithms contain bilinear pairing operations, and since they are computationally expensive and their number linearly depends on the number of attributes, we can conclude that this operation is quite expensive”. At the same time encryption operation is considered far less time consuming than decryption: ”the encryption time is very favorable” in this paper. We assumed that bilinear pairing are very expensive and should be the dominant component in the total operation latency. However, after the first article had been published, an article with extremely efficient implementation of pairing-based protocols [60] appeared. The authors achieved significantly lower timings than predecessors, in some cases ”more than 30 times faster ” [60]. The authors measured the performance of the implemented CP-ABE scheme by Waters [61] and observed that ”the Encrypt step for this implementation of this pro-tocol is actually more time-consuming than the pairing-heavy Decrypt step. This goes counter to the received wisdom”. So in fact, for this CP-ABE scheme encryption was slightly faster than decryption even though decryption contained bilinear pairings. By the time we were writing our second article, we already knew about these results, and applied predicate encryption scheme, which also contained bilinear pairing operations, to the P2P social networks context.

(24)

(25)

Bibliography

[1] Samuel D Warren and Louis D Brandeis. “The right to privacy”. In: Harvard law review (1890), pp. 193–220.

[2] Alessandro Acquisti and Ralph Gross. “Imagined Communities: Awareness, Informa-tion Sharing, and Privacy on the Facebook”. In: Privacy Enhancing Technologies. Ed. by George Danezis and Philippe Golle. Vol. 4258. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2006, pp. 36–58.

[3] Zeynep Tufekci. “Can You See Me Now? Audience and Disclosure Regulation in Online So-cial Network Sites”. In: Bulletin of Science, Technology & Society 28.1 (2008), pp. 20–36. url: userpages.umbc.edu/%5C~%7B%7Dzeynep/papers/ZeynepCanYouSeeMeNowBSTS. pdf.

[4] Ralph Gross and Alessandro Acquisti. “Information Revelation and Privacy in Online Social Networks”. In: Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society. WPES ’05. Alexandria, VA, USA: ACM, 2005, pp. 71–80.

[5] Bernhard Debatin et al. “Facebook and Online Privacy: Attitudes, Behaviors, and Un-intended Consequences”. In: J. Computer-Mediated Communication 15.1 (2009), pp. 83– 108.

[6] Sonja Utz and N Kramer. “The privacy paradox on social network sites revisited: The role of individual characteristics and group norms”. In: Cyberpsychology: Journal of Psychoso-cial Research on Cyberspace 3(2), article 1 (2009). url: http://www.cyberpsychology. eu/view.php?cisloclanku=2009111001&article=1.

[7] Facebook’s New Terms Of Service: ”We Can Do Anything We Want With Your Content. Forever.”. Consumerist, 2009. url: http://consumerist.com/2009/02/15/facebooksnew terms of service we can do anything we want with your content -forever/.

[8] Google Terms of Service. Google, 2007. url: http : / / www . google . com / intl / en / policies/terms/archive/20070416/.

[9] Oliver Smith. Facebook terms and conditions: why you don’t own your online life. 2013. url: http://www.telegraph.co.uk/technology/social-media/9780565/Facebook-terms-and-conditions-why-you-dont-own-your-online-life.html.

[10] Google Terms of Service. Google, 2014. url: http : / / www . google . com / intl / en / policies/terms/.

[11] Facebook’s New Terms Of Service: ”We Can Do Anything We Want With Your Content. Forever.”. Facebook, 2013. url: https://www.facebook.com/legal/terms.

[12] Facebook unveils privacy changes. CNN, 2009. url: http://edition.cnn.com/2009/ TECH/12/10/facebook.privacy/.

(26)

[13] Stefan Stieger et al. “Who commits virtual identity suicide? Differences in privacy con-cerns, Internet addiction, and personality between facebook users and quitters”. In: Cy-berpsychology, Behavior, and Social Networking 16.9 (2013), pp. 629–634.

[14] Facebook annual report 2013. Facebook, 2013. url: http://files.shareholder.com/ downloads/AMDA-NJ5DZ/3101818145x0x741493/EDBA9462-3E5E-4711-B0B4-1DFE9B541222/ FB_AR_33501_FINAL.pdf.

[15] Adrienne Felt and David Evans. Privacy Protection for Social Networking Platforms. W2SP ’08: Workshop on Web 2.0 Security and Privacy. Oakland, California, May 2008. [16] Bin Zhou and Jian Pei. “Preserving Privacy in Social Networks Against Neighborhood

Attacks”. In: ICDE ’08: Proceedings of the 2008 IEEE 24th on Data Engineering. Cancun, Mexico, Apr. 2008, pp. 506–515.

[17] Matthew Lucas and Nikita Borisov. “FlyByNight: mitigating the privacy risks of so-cial networking”. In: Proceedings of the 5th Symposium on Usable Privacy and Security. SOUPS ’09. Mountain View, California, 2009, 37:1–37:1. url: http://doi.acm.org/10. 1145/1572532.1572577.

[18] Wanying Luo, Qi Xie, and U. Hengartner. “FaceCloak: An Architecture for User Privacy on Social Networking Sites”. In: Computational Science and Engineering, 2009. CSE ’09. International Conference on. Vol. 3. Aug. 2009, pp. 26–33.

[19] Saikat Guha, Kevin Tang, and Paul Francis. “NOYB: Privacy in Online Social Networks”. In: Proceedings of the First Workshop on Online Social Networks. WOSN ’08. Seattle, WA, USA: ACM, 2008, pp. 49–54.

[20] Amin Tootoonchian et al. “Lockr: Better Privacy for Social Networks”. In: Proceedings of the 5th International Conference on Emerging Networking Experiments and Technologies. CoNEXT ’09. Rome, Italy: ACM, 2009, pp. 169–180.

[21] BO Han and John Windsor. “USER’S WILLINGNESS TO PAY ON SOCIAL NET-WORK SITES.” In: Journal of computer information systems 51.4 (2011).

[22] About App.net. 2014. url: https://app.net/about/.

[23] Glenn Greenwald and Ewen MacAskill. NSA Prism program taps in to user data of Apple, Google and others. 2013. url: http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data.

[24] Dalton Caldwell. App.net State of the Union. May 2014. url: https://app.net/about/. [25] Welcome to diaspora*. May 2014. url: https://diasporafoundation.org.

[26] How many users are in the DIASPORA network? May 2014. url: https://diasp.eu/ stats.html.

[27] Diaspora*: FAQ for users. May 2014. url: https://wiki.diasporafoundation.org/ FAQ_for_users#Account_and_data_management.

[28] Amre Shakimov et al. “Vis-`a-Vis: Privacy-preserving online social networking via Virtual Individual Servers”. In: COMSNETS. 2011, pp. 1–10.

[29] Zhaoguang Wang et al. “An untold story of middleboxes in cellular networks”. In: Proceed-ings of the ACM SIGCOMM 2011 conference. SIGCOMM ’11. Toronto, Ontario, Canada: ACM, 2011, pp. 374–385. isbn: 978-1-4503-0797-0. doi: 10.1145/2018436.2018479. url: http://doi.acm.org/10.1145/2018436.2018479.

[30] Pyda Srisuresh, Bryan Ford, and Dan Kegel. State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs). IETF Informational. 2008. url: https : //tools.ietf.org/html/rfc5128#page-7.

(27)

[31] B. Amann et al. “IgorFs: A Distributed P2P File System”. In: Peer-to-Peer Computing , 2008. P2P ’08. Eighth International Conference on. Sept. 2008, pp. 77–78.

[32] Dinh Nguyen Tran, Frank Chiang, and Jinyang Li. “Friendstore: Cooperative Online Backup Using Trusted Nodes”. In: Proceedings of the 1st Workshop on Social Network Systems. SocialNets ’08. New York, NY, USA: ACM, 2008, pp. 37–42.

[33] Fay Chang et al. “Bigtable: A distributed storage system for structured data”. In: ACM Transactions on Computer Systems (TOCS) 26.2 (2008), p. 4.

[34] H.B. Ribeiro and E. Anceaume. “DataCube: A P2P Persistent Data Storage Architecture Based on Hybrid Redundancy Schema”. In: Parallel, Distributed and Network-Based Pro-cessing (PDP), 2010 18th Euromicro International Conference on. Feb. 2010, pp. 302– 306. doi: 10.1109/PDP.2010.60.

[35] R. Sharma et al. “An empirical study of availability in friend-to-friend storage systems”. In: Peer-to-Peer Computing (P2P), 2011 IEEE International Conference on. Aug. 2011, pp. 348–351.

[36] R. Sharma and A. Datta. “SuperNova: Super-peers based architecture for decentralized online social networks”. In: Communication Systems and Networks (COMSNETS), 2012 Fourth International Conference on. Jan. 2012, pp. 1–10.

[37] R. Gracia-Tinedo, M. Sanchez Artigas, and P. Garda Lopez. “Analysis of data availability in F2F storage systems: When correlations matter”. In: Peer-to-Peer Computing (P2P), 2012 IEEE 12th International Conference on. Sept. 2012, pp. 225–236.

[38] K. Rzadca, A. Datta, and S. Buchegger. “Replica Placement in P2P Storage: Complexity and Game Theoretic Analyses”. In: Distributed Computing Systems (ICDCS), 2010 IEEE 30th International Conference on. June 2010, pp. 599–609.

[39] Rammohan Narendula, Thanasis G. Papaioannou, and Karl Aberer. “Towards the Real-ization of Decentralized Online Social Networks: An Empirical Study”. In: Proceedings of the 2012 32Nd International Conference on Distributed Computing Systems Workshops. ICDCSW ’12. IEEE Computer Society, 2012, pp. 155–162. isbn: 978-0-7695-4686-5. [40] Sonja Buchegger et al. “PeerSoN: P2P social networking: early experiences and insights”.

In: Proceedings of the Second ACM EuroSys Workshop on Social Network Systems. SNS ’09. 2009, pp. 46–52.

[41] Jonathan Anderson et al. “Privacy-enabling Social Networking over Untrusted Networks”. In: Proceedings of the 2Nd ACM Workshop on Online Social Networks. WOSN ’09. Barcelona, Spain: ACM, 2009, pp. 1–6.

[42] L.A. Cutillo, R. Molva, and T. Strufe. “Safebook: A privacy-preserving online social net-work leveraging on real-life trust”. In: Communications Magazine, IEEE 47.12 (Dec. 2009), pp. 94–101. issn: 0163-6804.

[43] Randy Baden et al. “Persona: an online social network with user-defined privacy”. In: SIGCOMM Comput. Commun. Rev. 39 (4 Aug. 2009), pp. 135–146.

[44] Shirin Nilizadeh et al. “Cachet: a decentralized architecture for privacy preserving social networking with caching”. In: CoNEXT. Nice, France: ACM, 2012, pp. 337–348. isbn: 978-1-4503-1775-7. doi: 10.1145/2413176.2413215.

[45] Felix G¨unther, Mark Manulis, and Thorsten Strufe. “Cryptographic treatment of pri-vate user profiles”. In: Financial Cryptography. Vol. 7126. LNCS. Rodney Bay, St. Lucia: Springer-Verlag, 2012, pp. 40–54. isbn: 978-3-642-29888-2.

(28)

[46] Youssef Afify. “Access Control in a Peer-to-peer Social Network”. MA thesis. Lausanne, Switzerland: EPFL, 2008.

[47] Gerrit Willem Mollenhorst. Networks in contexts: How meeting opportunities affect per-sonal relationships. Vol. 150. Utrecht University, 2009.

[48] Sonia Jahid et al. “DECENT: A decentralized architecture for enforcing privacy in online social networks”. In: PerCom Workshops. 2012, pp. 326–332.

[49] Zooko Wilcox-O’Hearn and Brian Warner. “Tahoe: The Least-authority Filesystem”. In: Proceedings of the 4th ACM International Workshop on Storage Security and Survivability. StorageSS ’08. Alexandria, Virginia, USA: ACM, 2008, pp. 21–26.

[50] Ken Peffers et al. “A Design Science Research Methodology for Information Systems Research”. In: J. Manage. Inf. Syst. 24.3 (Dec. 2007), pp. 45–77. url: http://dx.doi. org/10.2753/MIS0742-1222240302.

[51] Allison Lewko et al. “Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption”. In: Advances in Cryptology - EUROCRYPT 2010. Vol. 6110. Lecture Notes in Computer Science. Springer Berlin / Heidelberg, 2010, pp. 62–91.

[52] Takashi Nishide, Kazuki Yoneyama, and Kazuo Ohta. “Attribute-based encryption with partially hidden encryptor-specified access structures”. In: ACNS. Vol. 5037. LNCS. NewYork, NY, USA: Springer-Verlag, 2008, pp. 111–129.

[53] Jan Camenisch et al. “Oblivious Transfer with Hidden Access Control from Attribute-based Encryption”. In: Proceedings of the 8th International Conference on Security and Cryptography for Networks. SCN’12. Amalfi, Italy: Springer-Verlag, 2012, pp. 559–579. [54] Niklas Frykholm and Ari Juels. “Error-tolerant password recovery”. In: CCS. ACM, 2001,

pp. 1–9. isbn: 1-58113-385-5.

[55] Niraj Tolia, David G. Andersen, and Mahadev Satyanarayanan. “Quantifying Interactive User Experience on Thin Clients”. In: IEEE Computer Society 39.3 (2006), pp. 46–52. [56] Aaron Johnson et al. “Users Get Routed: Traffic Correlation on Tor by Realistic

Ad-versaries”. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. CCS ’13. Berlin, Germany: ACM, 2013, pp. 337–348. url: http://doi.acm.org/10.1145/2508859.2516651.

[57] Thoughts and Concerns about Operation Onymous. The Tor Project, Inc, 2014. url: https://blog.torproject.org/category/tags/operation-onymous.

[58] Benoˆıt Libert, Kenneth G. Paterson, and Elizabeth A. Quaglia. “Anonymous broadcast encryption: adaptive security and efficient constructions in the standard model”. In: PKC. Vol. 7293. LNCS. Springer-Verlag, 2012.

[59] Elaine Barker et al. NIST SP 800-57: Recommendation for Key Management – Part 1: General(Revision 3). NIST, 2012.

[60] Michael Scott. “On the Efficient Implementation of Pairing-Based Protocols”. In: Cryptog-raphy and Coding. Ed. by Liqun Chen. Vol. 7089. LNCS. Springer-Verlag, 2011, pp. 296– 308. isbn: 978-3-642-25515-1. doi: 10.1007/978-3-642-25516-8_18.

[61] Brent Waters. “Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization”. English. In: Public Key Cryptography – PKC 2011. Ed. by Dario Catalano et al. Vol. 6571. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2011, pp. 53–70. isbn: 978-3-642-19378-1.

Social Networks and Privacy