1. Field of the Invention
The present invention relates to a system and method for the secure processing of sensitive data. More specifically, the invention relates to systems where parties, which do not necessarily trust each other, need to control the processing and the use of their data.
2. Background of the Invention
Many IT applications involve the processing of sensitive data, i.e. data that should be kept private or confidential by the IT system. A typical example of such an application is the screening of individuals against watch lists prior to boarding an airplane, or prior to employment. Such a screening can be a simple text-based matching of names and other personal data; in particular, biometrics like fingerprint minutiae or features of the human face (see Anil Jain, Lin Hong and Sharath Pankanti, “Biometric identification”, Communications of the ACM, 43 (2), pages 90–98, ACM Press, 2000) can be used to confirm the identity of matched individuals or to identify individuals in a set of candidates.
Cryptographic techniques exist to encrypt and protect data while it is sent over computer networks or stored on storage media (see for example the book Bruce Schneier, “Applied Cryptography”, John Wiley & Sons, 1996). However, for the actual processing steps, data has to be available in the clear to allow a computer system to interpret and modify it, and to derive new data during the processing. During this processing, data is vulnerable to attackers who intrude into the processing environment to spy out or modify data. IT systems have no means to protect programs and data against an attacker who has found a way into their processing environment.
A way to protect an IT system against intruders is to confine the processing of sensitive data to a secure computation environment (see Schneck, et al., “System for controlling access and distribution of digital property”, U.S. Pat. No. 6,314,409, issued Nov. 6, 2001, hereby incorporated herein by reference, and Sean W. Smith and Dave Safford, “Practical Private Information Retrieval with Secure Coprocessors”, IBM Research Report RC 21806, July 2000, hereby incorporated herein by reference). A secure computation environment is a general-purpose computing device like the IBM 4758 cryptographic coprocessor, which has a FIPS 140-1 Level 4 validation (see http://www.ibm.com/security/cryptocards). Computations in a secure computation environment cannot be observed from the outside. Further, it is impossible to maliciously change the processing or the processed data from outside the secure computation environment. Attempts to tamper with a secure computation environment, the programs running inside, or the data being processed inside are detected by the environment, which then destroys sensitive data stored inside the environment or makes it permanently inaccessible.
While a secure computation environment can give protection against attacks from the outside, it cannot guarantee by itself that the security and privacy demands of the parties are met by the system. The parties have to trust the provider of the application that their data is handled in the way they expect. There is no technical guarantee for this, because the parties cannot control the service.
Often parties are not willing to participate in a data processing task if they cannot control the processing and the use of their data, i.e. if they have to rely totally on trust.
Existing systems do not allow the involved parties to control the service, or they simply reduce the number of parties to one to circumvent the problem. For example, some airlines have databases of their own unruly passengers, and they can check passengers against this data. Here, all roles, i.e. the service provider, the information provider, the screener and the notified parties, are represented by the airline, which naturally trusts itself. Other examples are the databases of law enforcement agencies (see James X. Dempsey, “Overview of current criminal justice information systems”, in Proceedings of the 10th Conference on Computers, Freedom and Privacy, Toronto, pages 101–106, ACM Press, 2000) or credit history checks. These applications are under the complete control of the information provider, who is also the service provider. The screener party has no way to control how the service provider further uses the information that the screener provides. A similar example is a face recognition application at an airport, where passengers are checked against the picture in their own ID document. This application is under the complete control of the screener, who is also the service provider.
Existing surveillance systems, such as the facial recognition system used at the 2001 Super Bowl or in several airports (see Scholz and Johnson, “Interacting with identification Technology: Can it make us more secure?”, in Conference on Human Factors in Computer Systems, Minneapolis, pages 564–656, ACM Press, 2002), are mostly closed-circuit systems. They return a direct answer to queries that compare biometric data against a local database, or against information stored on a smart card carried by the individual. Thus, there is a need for a more general service that can be used by different interacting parties.
Other systems, such as the one described in U.S. Pat. No. 6,148,290, issued Nov. 14, 2000 to Asit Dan and Francis Nicholas Parr, hereby incorporated herein by reference in its entirety, have been used to define possible interaction patterns with computer programs, where the interface specification defines the sequences of requests that are admissible to a server. In these systems, the service provider dictates a service contract. The contract defines assertions for the interface of the service, e.g. that a request A must be preceded by another request B to be valid. It is not possible for the parties to use these kinds of contracts to control the processing or the use of their data.
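To make the limitation concrete, the following is an added illustration (not code from the patent or from the cited prior art) of an interface contract of the kind described above: a table of precedence assertions ("request A must be preceded by request B"), replayed against a session to decide whether each request is admissible. The request names and the contract itself are constructed for the example. Note what such a contract can and cannot express: it constrains the order of requests at the interface, but says nothing about how the server processes or later uses the data those requests carry.

```python
"""Interface-contract checker for precedence assertions of the form
'request A must be preceded by request B'.
Added illustration; the contract and request names are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class InterfaceContract:
    # Map from a request name to the set of requests that must already
    # have occurred earlier in the same session.
    precedence: dict[str, set[str]]
    # Requests admitted so far in this session.
    seen: set[str] = field(default_factory=set)

    def admit(self, request: str) -> bool:
        """Admit `request` if all its prerequisites were seen; otherwise reject.
        A rejected request does not count as seen."""
        missing = self.precedence.get(request, set()) - self.seen
        if missing:
            return False
        self.seen.add(request)
        return True


def check_sequence(contract_spec: dict[str, set[str]], sequence: list[str]):
    """Replay a whole session against a fresh contract instance.
    Returns (True, None) if every request was admissible, otherwise
    (False, index) with the position of the first inadmissible request."""
    contract = InterfaceContract(contract_spec)
    for index, request in enumerate(sequence):
        if not contract.admit(request):
            return False, index
    return True, None


# Constructed contract for a screening service: a 'query' is only valid
# after the client has authenticated and a watch list has been uploaded,
# and uploading a watch list itself requires prior authentication.
SCREENING_CONTRACT = {
    "upload_watchlist": {"authenticate"},
    "query": {"authenticate", "upload_watchlist"},
}

if __name__ == "__main__":
    for session in (
        ["authenticate", "upload_watchlist", "query"],
        ["authenticate", "query"],
        ["query"],
    ):
        print(session, "->", check_sequence(SCREENING_CONTRACT, session))
```

The checker only ever looks at request names and their order; nothing in the contract vocabulary lets the screener state, for example, that the uploaded data may be used for this query only and must not be retained, which is precisely the control the parties lack in these systems.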
Most existing systems do not execute in secure computation environments. Here, an attacker who gains access to the processing may observe and influence the processing at will. Thus, even if the parties agree on processing steps and handling of data, there is no technical way to guarantee that the processing fulfills their security requirements in such an insecure environment.
Existing systems built on web services (Vadim Draluk, “Discovering Web Services: An Overview”, in Proceedings of the Twenty-seventh International Conference on Very Large Data Bases, Roma, Italy, page 637, Morgan Kaufmann, 2001) allow their clients to control which service provider they choose, but they allow no control over the service's functionality itself.
Existing systems that use explicit contracts, such as service level agreements or quality of service agreements as described in (Dinesh Verma, Mandis Beigi and Raymond Jennings, “Policy Based SLA Management in Enterprise Networks”, in Lecture Notes in Computer Science, Vol. 1995, pages 137–152, Springer-Verlag, 2001), only deal with non-functional features of services like resource consumption or turnaround times. These approaches do not allow parties to control the function of the service.