pVault Sharing Architecture


pVault Sharing Architecture
Ravi Chandra Jammalamadaka

pVault: Secure Personal Data Manager
- Users reuse the same passwords across different sites, including insecure sites that cannot be trusted.
- As a result, same-password attacks become common.
- The only solution is to remember a strong password for every website that requires password authentication.
- How many strong passwords can we remember?

pVault features
- Stores passwords securely in a remote location.
- Generates strong passwords during registration.
- Provides mobile access to passwords.
- Autofills the required password on the website visited.
- Prevents pharming and phishing attacks.

Download pVault
pVault websites:
- http://www.itr-rescue.org/pVault
- http://www.responsphere.org/pVault

pVault Entry
- Based on XML.
- All pVault entries are XML documents that follow a particular schema.
- An entry stores personal data (secrets) that belong to more than one URL.

pVault Entry schema
[Diagram: schema tree rooted at pVault_Entry. Node labels: url, Secret, id, Name, Metadata, Keywords, Actualdata, Individual_Secret. A * marks a repeated node.]

Design Criteria
- Store pVault entries in a relational database at the server (i.e., no changes at the server).
- Minimal client-side software and data storage.
- Allow both group sharing and sharing with individuals.
- PKI based.

Security Consideration
- Data confidentiality: protect data from being accessed by unauthorized users.
- Data integrity: prevent tampering with the data at the server side.

Privacy Policy
Rule syntax: <object> <subject> <access modes>
- object: leaf node in the pVault entry
- subject: group id / user id
- access modes: read / write
Example: \\pvault_entry Ravi read

XML subtree encryption
[Diagram: pVault_Entry tree containing an Encrypted_Node. Node labels: url, Secret, id, Name, Metadata, Keywords, Actualdata, Individual_Secret, Encrypted_Node.]

Structure Preserving encryption
[Diagram: pVault_Entry tree with the nodes url, Secret, Metadata and Individual_Secret and the encrypted labels E(Id), E(Name), E(keywords), E(Metadata), E(Actualdata).]

Issues
- There is no requirement to hide the structure of the pVault entry from the server (it is public knowledge).
- Encrypt only the content of the leaf nodes, preserving the structure.
- This allows queries to be run at the server side.

Creating a pVault Entry
[Diagram: User A, holding PE and K, and the Server. Items shown: E_K(PE) and E_PA(K).]

Reading a pVault Entry
[Diagram: User A and the Server. Items shown: E_K(PE) and E_PA(K).]

Writing a pVault Entry
- Execute the read protocol.
- Update the PE.
- Replace the previous PE.

Sharing Protocol
[Diagram: User A, User B and the Server; both users end up with PE and K. Items shown: E_K(PE), E_PA(K) and E_PB(K).]

Data Integrity
Since the data is stored at an untrusted site, the service provider can:
1. Modify data objects
2. Delete data objects
3. Not send the correct query results
How do we prevent the service provider from doing the above?

XML Integrity
[Diagram: a tree of nodes 1 to 7, each labelled with its hash.]
- Node 1 (root): h( h(1.tag) || h(2) || h(5) )
- Node 2: h( h(2.tag) || h(3) || h(4) )
- Node 5: h( h(5.tag) || h(6) || h(7) )
- Nodes 3, 4, 6, 7 (leaves): h(n.value + n.tag), e.g. h(3.value + 3.tag)
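The hashing rules on this slide, applied to an XML entry, as an added example that is not part of the original presentation: leaves hash value and tag, internal nodes hash their tag hash followed by their children's hashes, and the client compares the recomputed root against one it kept. SHA-256, the client-side storage of the root hash and the sample entry are assumptions of this example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET


def h(data: bytes) -> bytes:
    # The slide only writes h(); SHA-256 is an assumption of this example.
    return hashlib.sha256(data).digest()


def node_hash(node: ET.Element) -> bytes:
    children = list(node)
    if not children:
        # Leaf rule from the slide: h(n.value + n.tag).
        # Plain concatenation leaves the value/tag boundary ambiguous;
        # length-prefix both fields if tags are not fixed by a schema.
        return h((node.text or "").encode() + node.tag.encode())
    # Internal rule from the slide: h(h(n.tag) || h(child_1) || ... || h(child_k)).
    return h(h(node.tag.encode()) + b"".join(node_hash(c) for c in children))


def root_hash(xml_text: str) -> bytes:
    return node_hash(ET.fromstring(xml_text))


def verify(xml_text: str, trusted_root: bytes) -> bool:
    # Constant-time comparison against the root hash the client kept.
    return hmac.compare_digest(root_hash(xml_text), trusted_root)


# Constructed sample entry; the leaf values stand in for encrypted content.
ENTRY = (
    "<pVault_Entry><url>E(url-1)</url>"
    "<Secret><id>E(id-1)</id><Name>E(name-1)</Name></Secret>"
    "</pVault_Entry>"
)
TRUSTED_ROOT = root_hash(ENTRY)  # assumption: stored client-side at write time

# What an untrusted server could hand back instead of ENTRY.
MODIFIED = ENTRY.replace("E(id-1)", "E(id-X)")
DELETED = ENTRY.replace("<Name>E(name-1)</Name>", "")
REORDERED = ENTRY.replace(
    "<id>E(id-1)</id><Name>E(name-1)</Name>",
    "<Name>E(name-1)</Name><id>E(id-1)</id>",
)

if __name__ == "__main__":
    for label, doc in [("original", ENTRY), ("modified", MODIFIED),
                       ("deleted", DELETED), ("reordered", REORDERED)]:
        print(f"{label:9s} verifies: {verify(doc, TRUSTED_ROOT)}")
```

A changed leaf, a removed node or a reordered subtree each changes the root hash, so the check fails without the client having to keep the whole entry.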

Another Method
[Diagram: pVault_Entry tree with added count nodes. Node labels: urlcount, secretcount, metadatacount, Secret, id, Name, Metadata, Keywords, Actualdata, Individual_Secret. A * marks a repeated node.]

Drawbacks
- How is access to a pVault entry revoked? Re-encrypt the pVault entry and update the key entries for the other users.
- The same applies when a user leaves a group.
- Re-encryption is inevitable.
- This is a burden for the client.

Using Server as a Certificate Authority
- Since the server is untrusted, the server can lie about the public key.
- When Alice wants to share a file with Bob, Alice requests Bob's public key from the server.
- The server can generate a new public/private key pair and return its public key as Bob's public key.
- The server now has access to all the files that Alice shares with Bob.

Secure Coprocessor
- A secure coprocessor (SC) is a general-purpose computer that can be trusted to perform a computation faithfully.
- SCs are resistant to foreseeable physical and logical attacks, except DoS attacks.
- Trusted third party.
- The IBM 4758 SC is equipped with 99 MHz and 2 MB of onboard memory.

Secure Coprocessor Duties
- Provide access to the private keys of pVault users.
- During revocation, re-encrypt pVault entries.

Lost Update Problem
- The client/user requests an update on pVault entry o to change its content from c to c'.
- The server ignores the update.
- The next time pVault entry o is queried, the server returns c as the entry's content.
- How can the client be sure about the freshness of the pVault entry's content? Maintain version numbers.
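One way to make version numbers detect a lost update, as an added example that is not part of the original presentation: the client binds entry id, version and content with an HMAC and remembers the latest version it wrote. The Server and Client classes, the MAC key and the single-writer setting are assumptions of this example.

```python
import hashlib
import hmac


class Server:
    """Untrusted store; drop_writes=True simulates a server ignoring updates."""
    def __init__(self, drop_writes=False):
        self.store, self.drop_writes = {}, drop_writes

    def put(self, entry_id, record):
        if not self.drop_writes or entry_id not in self.store:
            self.store[entry_id] = record

    def get(self, entry_id):
        return self.store[entry_id]


class Client:
    def __init__(self, mac_key, server):
        # versions is the only per-entry state the client keeps locally.
        self.key, self.server, self.versions = mac_key, server, {}

    def _tag(self, entry_id, version, content):
        # Length-prefixed id and explicit version keep the MAC input unambiguous.
        msg = b"%d:%s|%d|" % (len(entry_id), entry_id, version) + content
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, entry_id, content):
        version = self.versions.get(entry_id, 0) + 1
        tag = self._tag(entry_id, version, content)
        self.server.put(entry_id, (version, content, tag))
        self.versions[entry_id] = version

    def read(self, entry_id):
        version, content, tag = self.server.get(entry_id)
        if not hmac.compare_digest(tag, self._tag(entry_id, version, content)):
            raise ValueError("integrity check failed")
        if version != self.versions[entry_id]:
            raise ValueError("stale entry: server returned version %d, expected %d"
                             % (version, self.versions[entry_id]))
        return content


def demo(drop_writes):
    # Constructed key and contents: write c, update to c', then read back.
    client = Client(b"constructed-demo-key", Server(drop_writes))
    client.write(b"o", b"c")
    client.write(b"o", b"c'")
    try:
        return client.read(b"o")
    except ValueError as exc:
        return str(exc)
```

The old record still carries a valid MAC, so integrity checking alone would accept it; only the version comparison exposes the ignored update.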