PORs: Proofs of Retrievability for Large Files

Slides:

Advertisements

Similar presentations

Simple and Practical Anonymous Digital Coin Tracing

Advertisements

PROOFS OF RETRIEVABILITY VIA HARDNESS AMPLIFICATION Yevgeniy Dodis, Salil Vadhan and Daniel Wichs.

A CASE FOR REDUNDANT ARRAYS OF INEXPENSIVE DISKS (RAID) D. A. Patterson, G. A. Gibson, R. H. Katz University of California, Berkeley.

What is RAID Redundant Array of Independent Disks.

RAID Oh yes Whats RAID? Redundant Array (of) Independent Disks. A scheme involving multiple disks which replicates data across multiple drives. Methods.

Cloud Computing Security Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva, Melek Ӧ nen, Pasquale Puzio December 18, 2013 – Sophia-Antipolis, France.

Henry C. H. Chen and Patrick P. C. Lee

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

HAIL (High-Availability and Integrity Layer) for Cloud Storage

Yuchong Hu1, Henry C. H. Chen1, Patrick P. C. Lee1, Yang Tang2

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 10 09/15/2011 Security and Privacy in Cloud Computing.

January 11, Csci 2111: Data and File Structures Week1, Lecture 1 Introduction to the Design and Specification of File Structures.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

HAIL (High-Availability and Integrity Layer) for Cloud Storage Kevin Bowers and Alina Oprea RSA Laboratories Joint work with Ari Juels.

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Årskonference 2003 Theory and Practice of Personal Digital Signatures - The ITSCI project Ivan Damgård, University of Aarhus.

Cooperative backup on Social Network Nguyen Tran and Jinyang Li.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

1 Verification Codes Michael Luby, Digital Fountain, Inc. Michael Mitzenmacher Harvard University and Digital Fountain, Inc.

Lo-Chau Quantum Key Distribution 1.Alice creates 2n EPR pairs in state each in state |  00 >, and picks a random 2n bitstring b, 2.Alice randomly selects.

Writing on Wind and Water*: Storage Security in the Cloud Ari Juels Chief Scientist RSA © 2011 RSA Laboratories Workshop on Cryptography and Security in.

RAID Systems CS Introduction to Operating Systems.

On Error Preserving Encryption Algorithms for Wireless Video Transmission Ali Saman Tosun and Wu-Chi Feng The Ohio State University Department of Computer.

Database Management Systems (DBMS)

Security and Deduplication in the Cloud

ICOM 6005 – Database Management Systems Design Dr. Manuel Rodríguez-Martínez Electrical and Computer Engineering Department Lecture 6 – RAID ©Manuel Rodriguez.

Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2

Redundant Array of Independent Disks

Cryptography Lecture 8 Stefan Dziembowski

1 INF244 Textbook: Lin and Costello Lectures (Tu+Th ) covering roughly Chapter 1;Chapters 9-19? Weekly exercises: For your convenience Mandatory.

Failure Resilience in the Peer-to-Peer-System OceanStore Speaker: Corinna Richter.

Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.

Error Control Code. Widely used in many areas, like communications, DVD, data storage… In communications, because of noise, you can never be sure that.

The TAOS Authentication System: Reasoning Formally About Security Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.

Robustness in the Salus scalable block store Yang Wang, Manos Kapritsos, Zuocheng Ren, Prince Mahajan, Jeevitha Kirubanandam, Lorenzo Alvisi, and Mike.

Digital Signatures, Message Digest and Authentication Week-9.

Lecture 2: Introduction to Cryptography

Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.

ADVANTAGE of GENERATOR MATRIX:

Secure Conjunctive Keyword Search Over Encrypted Data Philippe Golle Jessica Staddon Palo Alto Research Center Brent Waters Princeton University.

1 CSCD 326 Data Structures I Software Design. 2 The Software Life Cycle 1. Specification 2. Design 3. Risk Analysis 4. Verification 5. Coding 6. Testing.

Efficient Fork-Linearizable Access to Untrusted Shared Memory Presented by: Alex Shraer (Technion) IBM Zurich Research Laboratory Christian Cachin IBM.

Solution to the Third COSC 6360 Quiz for Fall 2013 Jehan-François Pâris

Data Integrity Proofs in Cloud Storage Author: Sravan Kumar R and Ashutosh Saxena. Source: The Third International Conference on Communication Systems.

DES Analysis and Attacks CSCI 5857: Encoding and Encryption.

Electronic Cash R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.

Almost Entirely Correct Mixing With Applications to Voting Philippe Golle Dan Boneh Stanford University.

Raptor Codes Amin Shokrollahi EPFL. BEC(p 1 ) BEC(p 2 ) BEC(p 3 ) BEC(p 4 ) BEC(p 5 ) BEC(p 6 ) Communication on Multiple Unknown Channels.

Candidates should be able to:  describe the purpose and use of common utility programs for:  computer security (antivirus, spyware protection and firewalls)

Keyword search on encrypted data. Keyword search problem  Linux utility: grep  Information retrieval Basic operation Advanced operations – relevance.

Introduction to Elliptic Curve Cryptography CSCI 5857: Encoding and Encryption.

Ari Juels, Burton S. Kaliski Jr 14th ACM conference on Computer and communications security,2007 Cited:793 Presenter: 張哲豪 Date:2014/11/24.

Database Laboratory Regular Seminar TaeHoon Kim Article.

Reliability of Disk Systems. Reliability So far, we looked at ways to improve the performance of disk systems. Next, we will look at ways to improve the.

Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa.

CS Introduction to Operating Systems

Searchable Encryption in Cloud

Security and Deduplication in the Cloud

ICOM 6005 – Database Management Systems Design

Assignment #7 – Solutions

RAID Redundant Array of Inexpensive (Independent) Disks

Replica Placement Model: We consider objects (and don’t worry whether they contain just data or code, or both) Distinguish different processes: A process.

Presentation transcript:

PORs: Proofs of Retrievability for Large Files Ari Juels RSA Laboratories Burt Kaliski EMC Innovation Network © 2007 RSA Laboratories

The Subprime Mortgage Debacle Banks issued dubious mortgages to customers Banks packed mortgages as securities and sold them They “outsourced” risk But risk came home to roost… E.g. Bank of America’s Q3 ’07 earnings dropped 32% The moral: Risk is passed around in complex, difficult-to-trace ways…

Storage-as-a-Service (SaaS) ! MegArchive Corp. Seattle, USA My Wedding Photos Alice Peer-to-peer network MiniFile Inc. Bangalore, India One day, Alice’s machine crashes, so she contacts MegArchive… Bob Liverpool, UK

Other financially motivated service degradation MegArchive moves Alice’s file to a slow disk array File is there, but retrieval is unacceptably slow MegArchive uses cheap storage that degrades over time MegArchive throws away a portion of Alice’s file to save space Most users don’t retrieve their backup files anyway

PORs: Proofs of Retrievability Alice would like to ensure that her file F is retrievable She may also want to ensure compliance with a Service-Level Agreement (SLA) The simple approach: Alice periodically downloads F This is resource-intensive! What about spot-checking instead?

Spot checking: Preparation Archive f2 f2 f1 f3 f1 f3 F Alice

Spot checking: Verification Archive ~ f1 ~ ~ f2 f3 ~ F Alice = ? f1 f2 f3

Spot checking: Verification Archive ~ f1 ~ ~ X f2 f3 ~ F Alice f1 f2 f3

F Spot checking ~ ~ f1 ~ ~ f2 f3 f1 f2 f3 Pros: Cons: Archive ~ f1 ~ ~ f2 f3 Pros: Alice needn’t download all of F Can detect large erasure / corruption F ~ Cons: Alice must store chunks of F Can’t detect small erasure / corruption Alice f1 f2 f3

MAC refinement: Preparation Archive f2 f1 f3 c2 c3 F MACk[f1] c1 Alice k

MAC refinement: Preparation Archive f2 f1 f3 F MACk[f1] c2 c1 c3 Alice k

MAC refinement: Preparation Archive f2 f1 f3 c2 c1 c3 F Alice k

MAC refinement: Verification Archive f2 f1 f3 c1 c2 c3 F ~ F Pros: Alice needn’t store any of F Can detect large erasure / corruption Alice k Cons: Can’t detect small erasure / corruption

* F F Error correcting code Archive * F parity bits decoder F With ECC to encode F → F*, big error in F* induces small error in F In effect, we can amplify errors in stored file

ECC + MAC [loosely like LIBBI ’03, NR ’06] Archive f2 f1 f3 parity bits f4 c4 c1 c2 c3 F* F Pros: Alice needn’t store any of F—only key k Alice can detect even small corruption in F (= large corruption in F*) Alice k

ECC + MAC: Verification Archive f2 f1 f3 parity bits f4 c4 c1 c2 c3 F* F Example: ECC corrects up to 10% corruption Alice checks 30 positions Each check detects corruption with probability ≥ .9 Alice detects insurmountable corruption with prob. ≥ 1 - .930 > 95% Alice k

A challenge Applying such an ECC to all of F is impractical Instead, we can stripe the ECC We’ll need many stripes for efficiency But then a clever adversarial archive can corrupt selectively…

F* F Selective corruption c1 c2 c3 c4 Archive c1 c2 c3 c4 F* F Adversary corrupts just one stripe S File is now irretrievable! Unless Alice checks S, she does not detect corruption If S is tiny fraction of file, adversary escapes detection with high probability

Solution: Hide ECC stripes Archive c1 c2 c3 c4 F* F Do secret, randomized partitioning of F into stripes E.g. use secret key to generate pseudorandom permutation and then choose stripes sequentially Encrypt and permute parity bits In paper, we permute and encrypt F too, but not strictly necessary F itself is untouched, i.e., intact within F*! But adversary does not know where stripes are, so Adversary cannot feasibly target a stripe!

Another challenge: How do we formally define a POR? Adversary may respond correctly to challenges, but deny service on retrieval! No global solution: Pattern / number of requests betrays nature of request A practical approach to definition: Assume memoryless adversary, e.g., software that can be rewound/reset Ensure that challenge interface is identical to retrieval interface, i.e., formal extraction model Limit distinction to pattern / number of requests

Yet another challenge: Bandwidth As Alice makes many checks, she fetches many file pieces fi Can we reduce bandwidth? One approach: MAC on server side For ith check, generate one-time MACing key ki = g(k) Let archive compute and return m’i = MACk [fi] and E[mi] Alice checks that m’i = mi To preserve extraction interface, Alice must also request and check a (small) piece of fi i

Another bandwidth-limiting approach: Sentinels F Insert hidden, random sentinel blocks into encryption of F Idea: Check sentinel blocks instead of file blocks Theoretically interesting because POR independent of F! Compare with proof of knowledge… Interesting in practical sense because sentinels can be combined Archive can XOR sentinels before sending Allows for, e.g., hierarchical POR (In paper, we permute F too, but not strictly necessary)

Further / related research Implementation F may be too large to fit in main memory Quantifying QoS guarantees File updates: PORs break! Efficient fix? Extended models E.g., publicly verifiable Algebraic approaches Burns et al., CCS ’07 (next talk!) and other previous work [E.g., FB ’06]