{"id":6425,"date":"2016-05-23T06:00:50","date_gmt":"2016-05-23T13:00:50","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/msr_er\/?p=6425"},"modified":"2016-07-20T07:28:28","modified_gmt":"2016-07-20T14:28:28","slug":"microsoft-researchers-present-ways-for-securing-technology-old-and-new","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/research\/blog\/microsoft-researchers-present-ways-for-securing-technology-old-and-new\/","title":{"rendered":"Microsoft researchers present ways for securing technology old and new"},"content":{"rendered":"

By Allison Linn, Senior Writer, Microsoft<\/em><\/p>\n

Microsoft researchers are looking at ways to better secure both the latest, cutting-edge consumer technologies and the more traditional tools that we rely on for everyday activities like accessing bank records and identifying ourselves at work.<\/p>\n

The researchers will present four papers at the 37th annual IEEE Symposium on Security and Privacy (opens in new tab)<\/span><\/a>, a leading security conference that begins Monday in San Jose, Calif.<\/p>\n

Here\u2019s a look at some of the papers.<\/p>\n

Downgrade Resilience in Key-Exchange Protocols<\/strong> (opens in new tab)<\/span><\/a><\/p>\n

A group of researchers at Microsoft and the French research organization INRIA (opens in new tab)<\/span><\/a> made headlines (opens in new tab)<\/span><\/a> when they discovered and helped fix serious vulnerabilities, including Freak (opens in new tab)<\/span><\/a> and Logjam (opens in new tab)<\/span><\/a>, in a popular system for enabling secure Internet transactions.<\/p>\n

Now, those same researchers, along with collaborators from Hamburg University of Technology and Johns Hopkins University, are presenting mechanisms that would prevent that type of attack from even being possible.<\/p>\n

\"Cedric (opens in new tab)<\/span><\/a><\/p>\n

\u201cWe now understand, in a very general way, how to prevent that class of problem,\u201d said Cedric Fournet (opens in new tab)<\/span><\/a>, principal researcher at Microsoft Research Cambridge.<\/p>\n

They are presenting a paper on these attacks and countermeasures at the IEEE security symposium.<\/p>\n

Fournet said the researchers expect these new improvements to be included in the next generation of the Transport Layer Security (opens in new tab)<\/span><\/a>, or TLS. That\u2019s a system that many of us are using daily, whether we know it or not, for things like buying shoes online or checking corporate e-mail.<\/p>\n

Cinderella: Turning Shabby X.509 Certi\ufb01cates into Elegant Anonymous Credentials with the Magic of Veri\ufb01able Computation<\/strong> (opens in new tab)<\/span><\/a><\/p>\n

Every time you scan your key card at work, access your bank records or sign on to a secure Internet server, chances are you are using something called public key infrastructure, or PKI, to authenticate that you are really who you say you are.<\/p>\n

These systems are great for figuring out who you are, and they often also transmit a wealth of other information about you.<\/p>\n

That\u2019s where Cinderella comes in. It\u2019s a software system that people could run on top of existing PKI infrastructure to disclose only partial information about a person\u2019s identification.<\/p>\n

For example, let\u2019s say you want a system that verifies whether a user is at least 21 years old. You could use Cinderella to create a tool that verifies a person\u2019s age without sharing the user\u2019s entire personal data, such as name or address. The system also could be used to verify that a person works for a particular company \u2013 and is therefore eligible for a company discount — without disclosing other personal information such as that person\u2019s name or job title.<\/p>\n

Eventually, such a system could even be used for something like voter identification.<\/p>\n

\"Bryan (opens in new tab)<\/span><\/a><\/p>\n

Bryan Parno (opens in new tab)<\/span><\/a>, a Microsoft researcher specializing in security and privacy, said computer scientists have long been working on how to do partial identification. Cinderella is unique because the software could run on top of the existing infrastructure most companies and organizations currently use.<\/p>\n

It\u2019s a research project for now, and Parno said there are no plans to turn it into a product.<\/p>\n

Prepose: Privacy, Security, and Reliability for Gesture-Based Programming<\/strong> (opens in new tab)<\/span><\/a><\/p>\n

The use of gesture in computing is gradually becoming more mainstream, as developers improve the technology behind it and look at ways to incorporate it into applications beyond gaming.<\/p>\n

At the same time, researchers say, it\u2019s becoming more likely that a person could be accurately identified based on things like the exact measurement of certain bones in the body.<\/p>\n

A group of Microsoft researchers say those two developments combined mean that it\u2019s time to start thinking more carefully about how to keep people\u2019s personal identities private while they are using gesture-based tools.<\/p>\n

The system they are proposing is called Prepose, and it\u2019s built on top of the Microsoft theorem prover Z3 (opens in new tab)<\/span><\/a> and the Kinect SDK (opens in new tab)<\/span><\/a>.<\/p>\n

Prepose adds a layer of security to gesture-based systems by building in a level of abstraction that keeps the system for releasing the exact specifications of the users\u2019 body. Instead, the system shows, for example, that the area of the arm is less than or greater than a certain amount, so it can work without giving out the true measurement.<\/p>\n

Prepose also is designed to help users gesture safely and effectively. That includes avoiding poses that may cause them harm, detect conflicting gestures and preventing the user from creating a gesture that overlaps with an existing, reserved gesture, such as one that signals to the system that you want its attention.<\/p>\n

Margus Veanes (opens in new tab)<\/span><\/a>, one of several Microsoft researchers who worked on the project, said they don\u2019t know of any attempt to steal private information based on gesture yet \u2013 and that\u2019s a good reason to start building in such security safeguards now.<\/p>\n

\u201cI think it will be a potential concern because applications will grow,\u201d Veanes said.<\/p>\n

Related:<\/strong><\/p>\n