Decentralized Application Security

Licentiate thesis, 2016

On the internet today, everything is centralized. For most people, a single commercial entity owns the power to disclose all their personal emails. Most commonly your emails are only disclosed to you and your correspondent, but the power to choose who sees these emails is in fact not yours. Almost nothing that the internet is used for gives the originator the power to retract it, or to enforce intact delivery. When you use a social media platform, you are given the intuition that you choose which friends who can see any posts and photos that you publish. In reality the provider of the social media platform may share this data to anyone they like. It may choose to remove this data, to remove treasured family photos, or to not deliver a personal message to your friends. Of course, this would for most businesses not be a profitable mode of operation, no entrepreneur or business developer strive for this. However, governing authorities can exert force over the company to do this without economical motives, during political instabilities for instance. This thesis is about giving end-users control over their own personal data, while maintaining all the rich internet services that users normally enjoy on a day-to-day basis. Using traditional cryptographic techniques information can be made unreadable for everyone except the intended parties. Another type of cryptographic techniques, called homomorphic encryption, can make information usable while still being unreadable, enabling constructions that serve the same purpose but which does not suffer from potential intrusion on personal data. In this thesis, we will explore how to use both traditional and homomorphic encryption techniques for privacy of location-data and to efficiently a protect web session.