Cryptographic Security Secret Sharing, Vanishing Data 1Dennis Kafura – CS5204 – Operating Systems

Cryptographic Security - 2 Dennis Kafura – CS5204 – Operating Systems Secret Sharing How can a group of individuals share a secret? Requirements:  some information is confidential  the information is only available when any k of the n members of group collaborate (k <= n) k = n implies unanimity k >= n/2 implies simple majority k = 1 implies independence Assumptions  The secret is represented as a number  The number may be the secret or a (cryptographic) key that is used to decrypt the secret 2

Cryptographic Security - 2 Secret Sharing General idea:  Secret data D is divided in n pieces D 1,…D n  Knowledge of k or more Di pieces makes D easily computable  Knowledge of k-1 or fewer pieces leaves D completely unknowable Terminology  This is called a (k,n) threshold scheme Uses  Divided authority (requires multiple distinct approvals from among a set of authorities)  Cooperation under mutual suspicion (secret only disclosed with sufficient agreement) Dennis Kafura – CS5204 – Operating Systems3

Cryptographic Security - 2 Secret Sharing Mathematics  A polynomial of degree n-1 is of the form  Just as 2 points determine a straight line (a polynomial of degree 1), n+1 points uniquely determine a polynomial of degree n. That is, if then Dennis Kafura – CS5204 – Operating Systems4

Cryptographic Security - 2 Simple (k,n) Threshold Scheme Given D, k, and n  Construct a random k-1 degree polynomial Dennis Kafura – CS5204 – Operating Systems5

Cryptographic Security - 2 Simple (k,n) Threshold Scheme Given D, k, and n  Construct a random k-1 degree polynomial Distribute the n pieces as (i, D i ) Any k of the n pieces can be used to find the unique polynomial and discover a 0 (equivalently solve for q(0) ) Finding the polynomial is called polynomial interpolation Dennis Kafura – CS5204 – Operating Systems6

Cryptographic Security - 2 Example Suppose k=2, n=3, and D=34 Choose a random k-1 degree polynomial: Generate n values: The n pieces are (1,46), (2,58), and (3,70) Dennis Kafura – CS5204 – Operating Systems7

Cryptographic Security - 2 Example Given 2 pieces (1,46) and (3,70) find the secret, D, by solving the simultaneous equations: Dennis Kafura – CS5204 – Operating Systems8

Cryptographic Security - 2 Vanishing Data Motivation  Many forms of data (e.g., ) are archived by service providers for reliability/availability  Data stored “in the cloud” beyond user control  Such data creates a target for intruders, and may persist beyond useful lifetime to the user’s detriment through disclosure of personal information  Recreates “forget-ability” and/or deniability  Protect against retroactive data disclosure Innovation: “vanishing data object” (VDO) Dennis Kafura – CS5204 – Operating Systems9

Cryptographic Security - 2 Vanishing Data VDO permanently unreadable after a period Is readable by legitimate users during the period Allows attacker to retroactively know the VDO and all persistent cryptographic keys Dennis Kafura – CS5204 – Operating Systems10

Cryptographic Security - 2 Vanishing Data VDO permanently unreadable after a period Is readable by legitimate users during the period Allows attacker to retroactively know the VDO and all persistent cryptographic keys Does not require  explicit action by the user or storage service to render the data unreadable  changes to any of the stored copies of the data  secure hardware  any new services (leverage existing services) Dennis Kafura – CS5204 – Operating Systems11

Cryptographic Security - 2 Example Applications Dennis Kafura – CS5204 – Operating Systems12

Cryptographic Security - 2 Vanish Architecture Key elements  Threshold secret sharing  Distributed hash tables (DHT) P2P systems Availability Scale, geographic distribution, decentralization Churn  Median lifetime minutes/hours  2.4 min (Kazaa), 60 min (Gnutella), 5 hours (Vuze)  extended to desired period by background refresh VUZE  Open-source P2P system  using bittorrent protocol Dennis Kafura – CS5204 – Operating Systems13

Cryptographic Security - 2 Vanish Architecture Operation  Locator is a pseudorandom number generator keyed by L; used to select random locations in the DHT for storing the VDO  VDO is encrypted with key K  N shares of K are created and then K is erased  VDO = (L, C, N, threshold) Dennis Kafura – CS5204 – Operating Systems14

Cryptographic Security - 2 Setting Parameters Dennis Kafura – CS5204 – Operating Systems15 Use threshold=90%Use N=50

Cryptographic Security - 2 Setting Parameters Tradeoff  Larger threshold values provide more security  Larger threshold values provide shorter lifetimes Dennis Kafura – CS5204 – Operating Systems16

Cryptographic Security - 2 Performance Measurement Prepush – Vanish proactively creates and distributes data keys Dennis Kafura – CS5204 – Operating Systems17

Cryptographic Security - 2 Attack Vectors and Defenses Decapsulate VDO prior to expiration  Further encrypt data using traditional encryption schemes Eavesdrop on net connection  Use DHT that encrypts traffic between nodes  Compose with system (like TOR) to tunnel interactions with DHT through remote machines Integrate in DHT  Eavesdrop on store/lookup operations Possible but extremely expensive to attacker (see next)  Standard attacks on DHTs Adopt standard solution Dennis Kafura – CS5204 – Operating Systems18

Cryptographic Security - 2 Parameters and security Assuming 5% of the DHT nodes are compromised what is the probability of VDO compromise? Dennis Kafura – CS5204 – Operating Systems19