Microsoft Research Blog

The Microsoft Research blog shares stories of collaborations with computer scientists at academic and scientific institutions to advance technical innovations in computing, as well as related events, scholarships, and fellowships.

  • Blog
  • Security
  • Microsoft researchers present ways for securing technology old and new

Microsoft researchers present ways for securing technology old and new

May 23, 2016 | Posted by Microsoft Research Blog

By Allison Linn, Senior Writer, Microsoft

Microsoft researchers are looking at ways to better secure both the latest, cutting-edge consumer technologies and the more traditional tools that we rely on for everyday activities like accessing bank records and identifying ourselves at work.

The researchers will present four papers at the 37th annual IEEE Symposium on Security and Privacy, a leading security conference that begins Monday in San Jose, Calif.

Here’s a look at some of the papers.

Downgrade Resilience in Key-Exchange Protocols

A group of researchers at Microsoft and the French research organization INRIA made headlines when they discovered and helped fix serious vulnerabilities, including Freak and Logjam, in a popular system for enabling secure Internet transactions.

Now, those same researchers, along with collaborators from Hamburg University of Technology and Johns Hopkins University, are presenting mechanisms that would prevent that type of attack from even being possible.

Cedric Fournet

“We now understand, in a very general way, how to prevent that class of problem,” said Cedric Fournet, principal researcher at Microsoft Research Cambridge.

They are presenting a paper on these attacks and countermeasures at the IEEE security symposium.

Fournet said the researchers expect these new improvements to be included in the next generation of the Transport Layer Security, or TLS. That’s a system that many of us are using daily, whether we know it or not, for things like buying shoes online or checking corporate e-mail.

Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials with the Magic of Verifiable Computation

Every time you scan your key card at work, access your bank records or sign on to a secure Internet server, chances are you are using something called public key infrastructure, or PKI, to authenticate that you are really who you say you are.

These systems are great for figuring out who you are, and they often also transmit a wealth of other information about you.

That’s where Cinderella comes in. It’s a software system that people could run on top of existing PKI infrastructure to disclose only partial information about a person’s identification.

For example, let’s say you want a system that verifies whether a user is at least 21 years old. You could use Cinderella to create a tool that verifies a person’s age without sharing the user’s entire personal data, such as name or address. The system also could be used to verify that a person works for a particular company – and is therefore eligible for a company discount — without disclosing other personal information such as that person’s name or job title.

Eventually, such a system could even be used for something like voter identification.

Bryan Parno

Bryan Parno, a Microsoft researcher specializing in security and privacy, said computer scientists have long been working on how to do partial identification. Cinderella is unique because the software could run on top of the existing infrastructure most companies and organizations currently use.

It’s a research project for now, and Parno said there are no plans to turn it into a product.

Prepose: Privacy, Security, and Reliability for Gesture-Based Programming

The use of gesture in computing is gradually becoming more mainstream, as developers improve the technology behind it and look at ways to incorporate it into applications beyond gaming.

At the same time, researchers say, it’s becoming more likely that a person could be accurately identified based on things like the exact measurement of certain bones in the body.

A group of Microsoft researchers say those two developments combined mean that it’s time to start thinking more carefully about how to keep people’s personal identities private while they are using gesture-based tools.

The system they are proposing is called Prepose, and it’s built on top of the Microsoft theorem prover Z3 and the Kinect SDK.

Prepose adds a layer of security to gesture-based systems by building in a level of abstraction that keeps the system for releasing the exact specifications of the users’ body. Instead, the system shows, for example, that the area of the arm is less than or greater than a certain amount, so it can work without giving out the true measurement.

Prepose also is designed to help users gesture safely and effectively. That includes avoiding poses that may cause them harm, detect conflicting gestures and preventing the user from creating a gesture that overlaps with an existing, reserved gesture, such as one that signals to the system that you want its attention.

Margus Veanes, one of several Microsoft researchers who worked on the project, said they don’t know of any attempt to steal private information based on gesture yet – and that’s a good reason to start building in such security safeguards now.

“I think it will be a potential concern because applications will grow,” Veanes said.

Related:

Allison Linn is a senior writer at Microsoft. Follow her on Twitter