[Cryptography] Data in Use

Jan Dušátko jan at dusatko.org
Sat Aug 6 06:28:50 EDT 2022 


Dne 5. 8. 2022 v 1:26 Jerry Leichter napsal(a):
>> So I got into a Twitter argument with Kenn White about the value of 'Data at Rest' security and I think I came up with a more general insight. In short, the traditional Data-in-Motion / Data-at-Rest diad is insufficiently descriptive. What we really have is a triad:
>>
>> Data at Rest
>> Data in Use
>> Data in Motion
>>
>> This gives us the acronym 'RUM'.
>>
>> The reason for making the distinction is that if you have a Web application or a database actively reading and modifying your data, it is really not 'at rest' in any useful sense. It is something different that is going to require us to take a very different approach.
> This third class is implicit in every system that uses encrypted data.  I don't think I've ever seen it called out in exactly this form.
>
> There are plenty of techniques that amount to "ways to keep data in use" secure.  I can think of at least two broad catagories:
>
> - Limit the data exposed to that actually needed for a particular use.  For example, there are all kinds of techniques that provide ways to give a program an encrypted database record but only allow it to decrypt parts of the record.  Of course the simplest is to have different keys for each field - but one can do better.  You could argue that mechanisms to allow access only to aggregated data while denying access to individual data fall into this category (though unfortunately they can't actually work well, as we know).  The way Google protects gMail mailboxes (or did, a decade ago) is an interesting example:  Every mailbox has its own encryption key, and when a user logs in to his email account, he's assigned a machine at random, his authentication information goes to that machine, and the machine can then use that to ask a key server for his key.  So even if you manage to take over a machine, you can only get at some random collection of mailboxes that that machine is handling right now - you can't get to a chosen mailbox.  Homomorphic encryption is, in a way, the ultimate endpoint of this approach.
>
> - Limit the scope of the environment that has access to the decrypted data.  I'm thinking of various techniques around "sealed" virtual machines, where data in memory is decrypted only when the VM is running - even the OS sees the data as encrypted when it gains control (because a hypervisor intercedes to encrypt it before letting the OS run).  In the extreme, you can look at encryption in the hardware path, where the data is decrypted only when it's inside the guts of the CPU.  Actually, I believe Apple implements this for its Secure Enclave and T2 chips.
>                                                          -- Jerry
>
>
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> https://www.metzdowd.com/mailman/listinfo/cryptography

Jerry, Phillip,
Beside RUM are amazing acronym, I not sure if reasons described are correct.
For data at the rest I prefer to use object encryption. Doesn't matter, 
if that object are on the disk or in memory. The main disadvantage of 
object encryption are problem with the protection. Because does not 
support ephemeral keys (may there could be technique which I do not 
know), can protect confidentiality of data, but cannot protect 
confidentiality of data about subject.
Opposite of that, data in motion (transport) can use ephemeral keys and 
protect not only confidentiality of data, but also confidentiality of 
data about subject. I'm a little bit sceptical about current way of use 
encryption of channel like HTTP/2 and HTTP/3, where thanks to the 
channel encryption we slowly move to the object encryption.
Idea of data in the use are quite good, but I think half of that belong 
to MCP (Multiparty Computation) and to the anonymization techniques, 
second half to symmetric, asymmetric. Not sure if I'm true, but I use 
MCP term to cover homomorphic encryption, differential privacy, private 
set intersection, zero knowledge protocols. The anonymization technique 
use part of that technologies and "classic" attitude like data 
aggregation, generalization, masking, perturbation, pseudonymization, 
randomization, redacting, suppression, synthetize, tokenization and also 
homomorphic encryption and zero knowledge protocols. Also, because 
hardware support for security enclaves, there are CPU protection and 
encryption (beside of their weakness). This mean, that data in the use 
can be hardly described and too complex. Because of that, I prefer to 
separate anonymization techniques, which seat on top of RM diade/RUM 
triade. And without anonymization, we stay on the object encryption. I 
think we need to define it better for case of use this nice acronym.

Regards

Jan

-- 
-- --- ----- -
Jan Dušátko

Tracker number:	+420 602 427 840
e-mail:		jan at dusatko.org
GPG Signature:	https://keys.dusatko.org/E535B585.asc
GPG Encrypt:	https://keys.dusatko.org/B76A1587.asc

More information about the cryptography mailing list