Vanish (computer science)
Encyclopedia
Vanish is a project at the University of Washington which endeavors to "give users control over the lifetime of personal data stored on the web." The project proposes to allow a user to enter information that he or she will send out across the internet, thereby relinquishing control of it. However, the user is able to include an "expiration date," after which the information is no longer usable by anyone who may have a copy of it, even the creator. The Vanish approach was found to be vulnerable to a Sybil attack
, and thus insecure, by a team called Unvanish from the University of Texas, University of Michigan, and Princeton.
concerning how long the information should remain available. The system then encrypts the information, but does not store either the encryption key or the, instead breaking up the decryption key into smaller components that are disseminated across distributed hash tables, or DHTs via the internet. The DHTs refresh information within their nodes on a set schedule unless told to persist the information. The time-delay entered by the user in the metadata controls how long the DHTs should allow the information to persist, but once that time period is over, the DHTs will reuse those nodes, making the information about the decryption stored irretrievable. As long as the decryption key may be reassembled from the DHTs, the information is retrievable. However, the time initially entered by the user has lapsed, the information is not recoverable, as the user was never informed of the decryption key.
email or Facebook
message, and choose to send the message via Vanish. The message is then encrypted and sent via the normal networking pathways through the cloud
to the recipient. The recipient must have the same Firefox plug-in to decrypt the message. The plugin accesses BitTorrent DHTs, which have 8-hour lifespans. This means the user may select an expiration date for the message in increments of 8 hours. After the expiration of the user-defined time span, the information in the DHT is overwritten, thereby eliminating the key. While both the user and recipient may have copies of the original encrypted message, the key used to turn it back into plain text is now gone.
Although this particular instance of the data has become inaccessible, it's important to note that the information can always be saved by other means before expiration (copied, or even via screen shots) and published again.
Sybil attack
The Sybil attack in computer security is an attack wherein a reputation system is subverted by forging identities in peer-to-peer networks. It is named after the subject of the book Sybil, a fictional case study of a woman with multiple personality disorder...
, and thus insecure, by a team called Unvanish from the University of Texas, University of Michigan, and Princeton.
Theory
Vanish acts by automating the encryption of information entered by the user with an encryption key that is unknown to the user. Along with the actual information the user enters, he or she also enters metadataMetadata
The term metadata is an ambiguous term which is used for two fundamentally different concepts . Although the expression "data about data" is often used, it does not apply to both in the same way. Structural metadata, the design and specification of data structures, cannot be about data, because at...
concerning how long the information should remain available. The system then encrypts the information, but does not store either the encryption key or the, instead breaking up the decryption key into smaller components that are disseminated across distributed hash tables, or DHTs via the internet. The DHTs refresh information within their nodes on a set schedule unless told to persist the information. The time-delay entered by the user in the metadata controls how long the DHTs should allow the information to persist, but once that time period is over, the DHTs will reuse those nodes, making the information about the decryption stored irretrievable. As long as the decryption key may be reassembled from the DHTs, the information is retrievable. However, the time initially entered by the user has lapsed, the information is not recoverable, as the user was never informed of the decryption key.
Implementation
Vanish currently exists as a Firefox plug-in which allows a user to enter text into either a standard GmailGmail
Gmail is a free, advertising-supported email service provided by Google. Users may access Gmail as secure webmail, as well via POP3 or IMAP protocols. Gmail was launched as an invitation-only beta release on April 1, 2004 and it became available to the general public on February 7, 2007, though...
email or Facebook
Facebook
Facebook is a social networking service and website launched in February 2004, operated and privately owned by Facebook, Inc. , Facebook has more than 800 million active users. Users must register before using the site, after which they may create a personal profile, add other users as...
message, and choose to send the message via Vanish. The message is then encrypted and sent via the normal networking pathways through the cloud
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
to the recipient. The recipient must have the same Firefox plug-in to decrypt the message. The plugin accesses BitTorrent DHTs, which have 8-hour lifespans. This means the user may select an expiration date for the message in increments of 8 hours. After the expiration of the user-defined time span, the information in the DHT is overwritten, thereby eliminating the key. While both the user and recipient may have copies of the original encrypted message, the key used to turn it back into plain text is now gone.
Although this particular instance of the data has become inaccessible, it's important to note that the information can always be saved by other means before expiration (copied, or even via screen shots) and published again.
See also
- CryptographyCryptographyCryptography is the practice and study of techniques for secure communication in the presence of third parties...
- Internet privacyInternet privacyInternet privacy involves the right or mandate of personal privacy concerning the storing, repurposing, providing to third-parties, and displaying of information pertaining to oneself via the Internet. Privacy can entail both Personally Identifying Information or non-PII information such as a...
- Proactive Cyber DefenceProactive Cyber DefenceProactive Cyber Defence means acting in anticipation to oppose an attack against computers and networks. Proactive cyber defence will most often require additional security from internet service providers....