14 DAY TRIAL // Three security and privacy researchers propose a cryptographic service for protecting user data on servers that manage real-time communication between users.
The service is called DP5 (Dagstuhl Privacy Preserving Presence Protocol P, where the last “P” is for extra privacy) and permits the exchange of user information (indicators of presence) between the clients without revealing it to the server.
Presence details generally consist of the current status of a friend (online/offline), but other information can be collected, like IP address or the device used.
DP5’s purpose is to encrypt all this data and protect the privacy of the users’ “buddy list.” One reason for this is to render futile interception activities of all nature: either resulting from mass surveillance or from an attack on the service.
The proposed service is designed to allow user information to be exchanged based on their encryption keys, thus keeping the details secure from snooping eyes.
The report notes that “users have acquired a public key corresponding to each of their friends,” which permits DP5 to carry out operations like friend and presence registration, presence status query or friend suspension or revocation.
Infrastructure services are necessary for DP5 to work, but they do not need long-term secrets and include support for perfect forward secrecy, which means that “a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised.”
Despite the robustness of the protocol against network-related threats, its efficiency is also determined by factors touching on the client devices used. The end-user system has to be secure so that the long-term private keys remain safe.
Written by security and privacy researchers from the University of Illinois, US, the University College London, UK, and the University of Waterloo, Canada, the paper detailing the DP5 presence system provides a full description of the protocol and how it works.
The researchers implemented the protocol as a set of libraries that can be integrated into servers and clients. A cryptographic core relies on OpenSSL for conducting encryption, hash operations and TLS communication between the involved parties.
DP5 is the first private presence system designed to prevent leakage of details about the connection topology of a “buddy list.” It uses short-term encryption keys, which prevent tracing the status of a contact or their identification.
According to the document detailing DP5, the system can be used on tens of thousands of concurrent users, a figure more suitable for smaller organizations.