Securing Safebook : Secure Data Access Control and Key Management for Safebook

Abstract: Online social networks have become a fast and efficient way of sharing information and experiences. Over the past few years the trend of using social networks has drastically increased with an enormous amount of users’ private contents injected into the providers’ data centers. This has raised concerns about how the users’ contents are protected and how the privacy of users is preserved by the service providers. Moreover, current social networks have been subject to much criticism over their privacy settings and access control mechanism. The providers own the users’ contents and these contents are subject to potential misuse. Many socially engineered attacks have exposed user contents due to the lack of sufficient privacy and access control. These security and privacy threats are addressed by Project Safebook, a distributed peer-to-peer online social networking solution leveraging real life trust. By design Safebook decentralizes data storage and thus the control over user content is no longer in the service provider’s hands. Moreover, Safebook uses an anonymous routing technique to ensure communication privacy between different users. This thesis project addresses privacy aware data management for Safebook users and a data access control solution to preserve users’ data privacy and visibility utilizing a peer to peer paradigm. The solution focuses on three sub-problems: (1) preserving the user’s ownership of user data, (2) providing an access control scheme which supports fine grained access rights, and (3) secure key management. In our proposed system, the user profile is defined over a collection of small data artifacts. An artifact is the smallest logical entity of a profile. An artifact could be a user’s status tweak, text comment, photo album metadata, or multimedia contents. These artifacts are then logically arranged to form a hierarchical tree, call the User Profile Hierarchy. The root of the profile hierarchy is the only entry point exposed by Safebook from where the complete user profile can be traversed. The visibility of portions of the user profile can be defined by exposing a subset of profile hierarchy. This requires limiting access to child artifacts, by encrypting the connectivity information with specific access keys. Each artifact is associated with a dynamic access chain, which is an encrypted string and contains the information regarding the child nodes. A dynamic access chain is generated using a stream cipher, where each child’s unique identifier is encrypted with its specific access key and concatenated to form the dynamic access chain. The decryption process will reveal only those child artifacts whose access keys are shared. The access keys are managed in a hierarchical manner over the profile hierarchy. Child artifacts inherit the parent’s access key or their access key can be overridden with a new key. In this way, fine grained access rights can be achieved over a user’s artifacts. Remote users can detect changes in a specific branch of a profile hierarchy and fetch new artifacts through our proposed profile hierarchy update service. On top of the proposed access control scheme, any social networking abstraction (such as groups, circles, badges, etc.) can be easily implemented.