The security challenges of open IT systems – Maryline Laurent, Télécom SudParis

In today’s society, IT security systems are seriously put to the test: clouddata storage, the omnipresence of micro chips, social networking… Not only does constant communication via networks expose cryptographic systems to multitudes of threatening connections, but security mechanisms must also now function on devices with weak computing capacity, such as mobile phones. The older algorithms are under strain, and increasingly vulnerable to identity fraud and other violations of privacy. IMT, and specifically, the Télécom SudParis R3S (Réseaux, systèmes, services et sécurité – Networks, systems, services and security) team led by Maryline Laurent, is facing up the challenge of making these systems secure. The work of this team, conducted in collaboration with other research laboratories and industrial partners, focuses on developing new architecture and advanced cryptographic technology.

One of the most significant contemporary security problems is data storage in clouds: “Nowadays, a system fitted with a single entry point is relatively easy to secure,” explains Maryline Laurent, “but when a cloud is distributed on any hardware featuring (disc) storage resources, the protection of confidential data against potential criminals becomes a real problem.” This is an issue for private users just as much as it is for professionals, given that routers (Internet provider boxes) connect our domestic devices to a worldwide system.

The R3S team is working in partnership with telephone service providers such as Orange to come up with solutions capable of improving the security of content. Their goal: to ensure that content remains confidential and anonymous. Maryline Laurent explains: “Each user on a network is provided with a unique identifier in order to be recognised. We adopted a two-stage approach, the first stage enabling the encryption of data using a symmetric key and the second stage enabling the symmetric key to be secured within the cloud using the ID-based method; the symmetric key, which enables encryption and decryption, is generated by the users based on their identifier.” Consequently, not only would hackers be unable to read the data if stolen, but they would not even be able to tell who the data belongs to.

Furthermore, the standard ID-based method now appears to be insufficient for open systems such as cloudcomputing. More often than not it is not just a single user, but entire groups of users who share and access the same data. A further refinement has therefore been implemented: “To increase security, we decided that our ID-based encryption would generate its key not just from the unique user identifier, but also from the data itself.” This provides a unique cloud, where each piece of data has its own unique identifier providing a summary of its content. To find data in such a system, you need to know what you are looking for.

The challenge of securing a passive system

However this method requires a high level of processing power on the part of the user, while today’s systems are increasingly portable and scaled down. “A further challenge,” says Maryline Laurent “is being able to quickly authenticate devices such as smart phones, which are limited to carrying out simple processing operations.” Whether by use of a password or some other means, this authentication should provide evidence that the network user is who they say they are.

Maryline Laurent has carried out research on an extreme case of lack of power, in relation to RFID (Radio Frequency Identification) chips, which are tiny and yet play an important role in identifying remote devices. The security drawbacks of RFID chips explain why Europe is so reluctant to use them. A new European regulation should also enable general regulations on data protection to be updated. In the United States, industrial groups have already established uses for RFID chips, which are, for example, now replacing labels and barcodes at Walmart. Incorporated within daily objects, they could even allow a handbag to be scanned instantly to see if it contains the cigarette lighter you’re looking for, or a stolen ring. However, this quickly poses a threat to privacy: without strong authentification, anyone could potentially search your bag without permission! Success in blocking access could be the key to opening the European market to RFID chips.

Resolving the issue of lack of power required an innovative solution. “We took the NTRU (N-th degree truncated polynomial ring) method, a highly promising public key method, and adapted it. It is now possible to divide up the cryptographic processes: the entire workload is given to the server and the RFID chip only has a few binary operations to perform.”

Technically, what has been developed is a light system of two-way authentification where the processing principle consists of converting the NTRU into a binary polynomial and proposing a new method of generating/multiplying polynomials. “We can now carry out multiplication using simple shift operations.”

RFID chips will also benefit from strong authentification. “Our RFID chips project is highly advanced and has enabled us to register two patents. And if this encryption functions on passive chips, it will of course function on any machine.” 

Taking back control of identity

These two developments allow data to be secured, but there is another element to take into account in order for users to put their trust into the systems: the security of data flows. Maryline Laurent explains: “The classic example is Facebook; if you return to Facebook a year after you have unsubscribed, you will find that all the data in your profile has been retained. This does not comply with the right to erasure of data outlined by European regulations. In social networks as they are today, users are losing control of the information they transmit and produce, and are unaware of the location of their data, of whether it has been duplicated and who has access to it.”

Maryline Laurent’s team are working on this issue alongside the W3C (World Wide Web Consortium), the organisation which works to standardize web technologies. The concept works by testing solutions which enable the user to manage access and distribution of their data on a social network, using a resource named MyProfile. Amongst other things, the user is able to physically control their data, as if it appeared on a home computer. It is not the data of the user which is transmitted, but solely its location on the hard disk. This is made possible using semantic web technology, meaning the network is required to connect to the disk in order to access the data. Using this approach, if users wish to erase their data there is no way for anyone to gain access to it.

Unfortunately, it will be difficult to get social networks to adopt these privacy-respecting technologies, which are clearly a disadvantage to them. The solution is therefore to establish new rival networks. The general public is becoming increasingly aware of the risks and will, in theory, eventually migrate towards networks which will respect their privacy, giving them greater control over their personal data.

Maintaining security

Despite all these measures, is it possible for data to ever be truly secure? We are increasingly entrusting our secrets to a growing number of people. Ultimately, vulnerability does not occur as a result of the system but of the user: “Users do not really understand the consequences of decisions they make in relation to data and system security,” explains Maryline Laurent. “Our role as researchers is to come up with solutions to protect users from the risks connected with new technologies, to guide their decision making, and to give them the confidence to know that their efforts are not in vain.”

The Personal Information Values and Policies Chair