Protecting Sensitive User Data in Web Services

Published March 15, 2018, 22:19
Web services like Google, Facebook, and Dropbox are now an essential part of people’s lives. In order to provide value to users, these services collect, store, and analyze large amounts of their users’ sensitive data. However, once the user provides her information to the web service, she loses control over how the application manipulates that data. For example, a user cannot control where the application forwards her data. Even if the service wanted to allow users to define access controls, it is unclear how these access controls should be expressed and enforced. Not only is it difficult to develop these secure access control mechanisms, but it is also difficult to ensure these mechanisms are practical. My research addresses these concerns. More specifically, it focuses on building practical, secure mechanisms for protecting user data in large-scale, distributed web services.

In this talk, I discuss one of my research systems, Splinter. Splinter keeps users' queries private and scales to realistic applications. Splinter extends a recent cryptographic primitive called Function Secret Sharing (FSS); Splinter’s modifications to FSS make Splinter up to an order of magnitude more efficient than prior systems which used other cryptographic techniques like Private Information Retrieval and garbled circuits. We ported several realistic applications to Splinter, including a Yelp clone and a flight search application; Splinter achieves end-to-end response latencies of less than 1.6 seconds while hiding queries from the application.

See more at microsoft.com/en-us/research/v...