Protecting Public OSN Posts from Unintended Access
Frederik Armknecht, Manuel Hauptmann, Stefanie Roos, Thorsten Strufe

TL;DR
This paper proposes a cryptographic scheme enabling users to share posts with unintended audiences without prior interaction, enhancing privacy and access control in online social networks.
Contribution
It introduces a novel encryption-based approach that allows public posts to be securely accessed by users with specific knowledge, complementing existing access controls.
Findings
The scheme's security depends on the entropy of user knowledge.
Efficiency analysis shows the scheme is practical against dictionary attacks.
Implementation demonstrates feasible performance for real-world use.
Abstract
The design of secure and usable access schemes to personal data represents a major challenge of online social networks (OSNs). State of the art requires prior interaction to grant access. Sharing with users who are not subscribed or previously have not been accepted as contacts in any case is only possible via public posts, which can easily be abused by automatic harvesting for user profiling, targeted spear-phishing, or spamming. Moreover, users are restricted to the access rules defined by the provider, which may be overly restrictive, cumbersome to define, or insufficiently fine-grained. We suggest a complementary approach that can be easily deployed in addition to existing access control schemes, does not require any interaction, and includes even public, unsubscribed users. It exploits the fact that different social circles of a user share different experiences and hence encrypts…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · User Authentication and Security Systems · Spam and Phishing Detection
