Datenschutz und Technikgestaltung / Geschichte und Theorie des Datenschutzes aus informatischer Sicht und Folgerungen für die Technikgestaltung

Pohle, Jörg

03 May 2018

Ziel der vorliegenden Arbeit ist es, die historische Konstruktion des Datenschutzproblems, des Datenschutzes als seiner (abstrakten) Lösung sowie die Architektur seiner rechtlichen Implementation aufzudecken und einer kritischen Revision aus informatischer Sicht zu unterziehen, um daraus Folgerungen für die Technikgestaltung zu ziehen. Die Arbeit legt offen, welches Verständnis vom Menschen und von der Gesellschaft, von Organisationen, von der Informationstechnik und von der Informationsverarbeitung, welche informatischen, informationswissenschaftlichen, soziologischen und rechtswissenschaftlichen Konzepte, Denkschulen und Theoriegebäude und welche wissenschaftlichen und vorwissenschaftlichen Annahmen und Prämissen der Analyse des Datenschutzproblems zugrunde liegen und wie sie darüber hinaus die spezifische Lösung des Datenschutzproblems – den Datenschutz – gespeist haben. Auf der Basis einer informatisch fundierten Kritik zieht die Arbeit den Schluss, dass der Datenschutz als Lösung des durch die Industrialisierung der gesellschaftlichen Informationsverarbeitung erzeugten Datenmachtproblems neu abgeleitet werden muss, und legt dafür ein dem Stand der wissenschaftlichen Debatte entsprechendes, abstraktes – und damit jeweils noch anwendungsbereichsspezifisch zu konkretisierendes – Datenschutz-Angreifermodell, ein analytisches Raster für eine darauf aufbauende Bedrohungsanalyse sowie einen prozeduralen Operationalisierungsansatz, der die Vorgehensweise und die jeweils zu analysierenden oder zu prüfenden inhaltlichen Fragen deutlich werden lässt, vor. Abschließend zieht die Arbeit Folgerungen für die Gestaltung datenschutzfreundlicher – und dabei nicht notwendig nur datenschutzrechtskonformer – informationstechnischer Systeme. / The aim of this thesis is to uncover the historical construction of the data protection problem, of data protection as its (abstract) solution, as well as the architecture of its legal implementation, in order to critically assess this construction and to draw conclusions for the design of ICT systems. The thesis reveals which concepts of humankind and society, organizations, information technology and information processing, which informatics, information science, sociological and jurisprudential concepts, schools of thought and theories, and which scientific and pre-scientific assumptions and premises underlie the analysis of the data protection problem, and how they have influenced the specific solution of this problem. Based on a critical assessment of this construction the thesis concludes that data protection must be re-derived as a solution for the information power problem, which is generated by the industrialization of social information processing, and presents an abstract, state-of-the-art data protection attacker model, an analytical framework for a data protection impact assessment as well as a procedural operationalization approach illustrating the sequence as well as the substantive issues to be examined and addressed in this process. The thesis then draws conclusions for the design of data protection friendly—and not necessarily just legally compliant—ICT systems.

Datenschutz

Datenschutztheorie

Datenschutzgeschichte

Datenschutzrecht

Privacy

Surveillance

Angreifermodell

Bedrohungsmodell

Technikgestaltung

data protection

data protection theory

data protection history

data protection law

privacy

surveillance

attacker model

threat model

system design

PZ 4600

ddc:000

Inter-device authentication protocol for the Internet of Things

Wilson, Preethy

18 May 2017

The Internet of things (IoT) recently blossomed remarkably and has been transforming the everyday physical entities around us into an ecosystem of information that will enrich our lives in unimaginable ways. Authentication is one of the primary goals of security in the IoT and acts as the main gateway to a secure system which transmits confidential and/or private data.This thesis focuses on a Device-to-Device Mutual Authentication Protocol, designed for the smart home network, which is an essential component of communication in the Internet of Things(IoT). The protocol has been developed based on asymmetric cryptography to authenticate the devices in the network and for the devices to agree on a shared secret session key. In order to ensure the security of a communications session between the devices, the session keys are changed frequently - ideally after every communication session. The proposed scheme has been programmed in HLPSL, simulated and its efficiency verified using the SPAN/ AVISPA tool. When SPAN substantiates the protocol simulation and the attacker simulation, the back-ends of the AVISPA tool verifies the safety and security of the proposed authentication protocol. The thesis also evaluates the protocol's security against the attacks successful against protocols proposed by other researchers. / Graduate / 0544 / 0984 / 0537 / pwilson1@uvic.ca

Authentication

Internet of Things (IoT)

Smart Homes

Smart Home Network

AVISPA/SPAN

AVISPA

Internet Security

Cryptography

Encryption

Asymmetric Cryptography

Shared Session Key

Private Key

Public Key

Cloud

Fog

Security

HLPSL

Quality Metrics

Simulation

Protocol Simulation

Attacker Simulation

Formal Verification

Verification

Multi-protocol Attack

Reflection Attack

OFMC

CL-AtSe

Communication

Computing

Mutual Authentication

Device-to-device

inter-device

machine-to-machine

Attacks

WebLang: A Prototype Modelling Language for Web Applications : A Meta Attack Language based Domain Specific Language for web applications / WebLang: Ett Prototypmodelleringsspråk för Web Applikationer : Ett Meta Attack Language baserat Domän Specifikt Språk för Web Applikationer

af Rolén, Mille, Rahmani, Niloofar

January 2023

This project explores how a Meta Attack Language based Domain Specific Language for web applications can be used to threat model web applications in order to evaluate and improve web application security. Organizations and individuals are targeted by cyberattacks every day where malicious actors could gain access to sensitive information. These malicious actors are also developing new and innovative ways to exploit the many different components of web applications. Web applications are becoming more and more complex and the increasingly complex architecture gives malicious actors more components to target with exploits. In order to develop a secure web application, developers have to know the ins and outs of web application components and web application security. The Meta Attack Language, a framework for developing domain specific languages, was recently developed and has been used to create languages for domains such as Amazon Web Services and smart cars but no language previously existed for web applications. This project presents a prototype web application language delimited to the first vulnerability in the top ten list provided by Open Worldwide Application Security Project (OWASP), which is broken access control, and tests it against the OWASP juice shop, which is an insecure web application developed by OWASP to test new tools. Based on the results it is concluded that the prototype can be used to model web application vulnerabilities but more work needs to be done in order for the language to work on any given web application and vulnerability. / Detta projekt utforskar hur ett Meta Attack Language baserat Domän Specifikt Språk för webbapplikationer kan användas för att hotmodellera samt undersöka och förbättra webbapplikationssäkerhet. Organisationer och individer utsätts dagligen för cyberattacker där en hackare kan få tillgång till känslig information. Dessa hackare utverklar nya och innovativa sätt att utnyttja dem många olika komponenterna som finns i webbapplikationer. Webbapplikationer blir mer och mer komplexa och denna ökande komplexa arkitekturen leder till att det finns mer mål för en hackare att utnyttja. För att utveckla en säker webbapplikation måste utvecklare veta allt som finns om webbapplikations komponenter och webbapplikations säkerhet. Meta Attack Language är ett ramverk för att utveckla nya språk för domäner som till exempel Amazon Web Services och smarta fordon men innan detta existerade inget språk för webbapplikationer. Detta projekt presenterar en webbapplikations språk prototyp som är avgränsad till den första sårbarheten i top tio listan av Open Worldwide Application Security Project (OWASP) vilket är broken access control, och testar den mot OWASP juice shop, vilket är en sårbar webapplikation som utveckalts av OWASP för att testa nya verktyg. Baserat på resultaten dras slutsatsen att prototypen kan användas för att modellera webbapplikations sårbarheter men att det behövs mer arbete för att språket ska fungera på vilken webbapplikation och sårbarhet som helst.

Meta Attack Language

Domain Specific Language

OWASP

Attack Simulations

Cyber Attacks

Threat Modelling

OWASP Juice Shop

Broken Access Control

Meta Attack Language

Domän Specifikt Språk

OWASP

Attack Simuleringar

Cyber Attacker

Hotmodellering

OWASP Juice Shop

Broken Access Control

Computer and Information Sciences

Data- och informationsvetenskap