The importance of privacy has been growing steadily for over 25 years. Increasingly popular
areas (such as IoT, cryptocurrencies and genomics) have attracted and fueled new types of
privacy-focused attacks and exploits. This dissertation follows the lifecycle of secrets
(or data), from initial entry to use, and presents attacks and defenses that utilize emerging
technologies.
We start by presenting a side-channel attack that targets password entry. This attack uses
thermal residues (that result from human fingertips touching the keyboard) to recover recently
entered passwords on external keyboards. Then, we present a privacy-preserving
CAPTCHA alternative that mimics the rate-limiting nature of CAPTCHAs. To skip CAPTCHAs,
clients generate rate-proofs when the rate at which they have performed an action (e.g., visit
a website, sign up for an email account) is below a server-supplied threshold. Rate-proofs,
generated by client-side Trusted Execution Environments (TEEs), assure servers that clients
are not acting in an abusive manner. We also propose a scalable data ownership framework
in which clients with no accounts on a website can prove ownership of data collected
from them. Although data ownership proofs are possible using traditional authentication
methods (e.g., passwords), there is no accepted way of achieving this for accountless clients.
This framework completes the missing piece of verifiable consumer requests which are used
to exercise data rights (access/modify/delete) granted by recent data protection regulations
such as GDPR and CCPA. A client-side TEE can be used to store a secret that can initiate
these requests. The use of TEEs, as shown in these two works, allows us to secure and
privacy-protect secrets/data after entry.
Lastly, we present a cryptography-based solution for range queries in the genomics domain.
This ensures the authenticity and integrity of the genome of the individual while minimizing
the data exposed to testers. It uses a variety of techniques ranging from zero-knowledge
range proofs and digital signatures to continual linking of elements inspired by literature
on range queries on databases. We use the genomics domain to show how privacy can be
achieved if there are no TEEs.