Cryptographic Security: Secret Sharing, Vanishing Data. Dennis Kafura – CS5204 – Operating Systems.


Secret Sharing
How can a group of individuals share a secret?
Requirements:
- some information is confidential
- the information is only available when any k of the n members of the group collaborate (k <= n)
  - k = n implies unanimity
  - k >= n/2 implies simple majority
  - k = 1 implies independence
Assumptions:
- The secret is represented as a number
- The number may be the secret or a (cryptographic) key that is used to decrypt the secret

Secret Sharing
General idea:
- Secret data D is divided into n pieces D_1, …, D_n
- Knowledge of k or more D_i pieces makes D easily computable
- Knowledge of k-1 or fewer pieces leaves D completely unknowable
Terminology:
- This is called a (k,n) threshold scheme
Uses:
- Divided authority (requires multiple distinct approvals from among a set of authorities)
- Cooperation under mutual suspicion (secret only disclosed with sufficient agreement)

Secret Sharing
Mathematics
- A polynomial of degree n-1 is of the form
- Just as 2 points determine a straight line (a polynomial of degree 1), n+1 points uniquely determine a polynomial of degree n. That is, if then


Simple (k,n) Threshold Scheme
Given D, k, and n
- Construct a random k-1 degree polynomial
Distribute the n pieces as (i, D_i)
Any k of the n pieces can be used to find the unique polynomial and discover a_0 (equivalently, solve for q(0))
Finding the polynomial is called polynomial interpolation

Example
Suppose k=2, n=3, and D=34
Choose a random k-1 degree polynomial:
Generate n values:
The n pieces are (1,46), (2,58), and (3,70)

Example
Given 2 pieces (1,46) and (3,70), find the secret, D, by solving the simultaneous equations:
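The (k,n) scheme and the worked example above, as an added example that is not part of the original slides. It goes beyond the slides' integer arithmetic by also working modulo a prime, which is what makes k-1 shares reveal nothing about D; the modulus `PRIME` and all function names are assumptions chosen for illustration.

```python
# Added example: Shamir (k, n) threshold sharing; not code from the slides.
import secrets
from fractions import Fraction

PRIME = 2**127 - 1  # assumption: field modulus (a Mersenne prime) larger than any secret

def split(secret, k, n, prime=PRIME):
    """Return n shares (i, q(i)) of a random degree-(k-1) polynomial with q(0) = secret."""
    if not (1 <= k <= n < prime and 0 <= secret < prime):
        raise ValueError("need 1 <= k <= n < prime and 0 <= secret < prime")
    # a_0 is the secret; a_1 .. a_{k-1} come from a CSPRNG
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(k - 1)]
    def q(x):
        acc = 0
        for a in reversed(coeffs):  # Horner evaluation mod prime
            acc = (acc * x + a) % prime
        return acc
    return [(i, q(i)) for i in range(1, n + 1)]

def reconstruct(shares, prime=PRIME):
    """Lagrange interpolation at x = 0 over GF(prime); needs at least k distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xj, yj in shares:
        num, den = 1, 1
        for xm in xs:
            if xm != xj:
                num = num * (-xm) % prime
                den = den * (xj - xm) % prime
        secret = (secret + yj * num * pow(den, -1, prime)) % prime
    return secret

def reconstruct_over_integers(shares):
    """Same interpolation with exact rationals, matching the slides' integer example."""
    total = Fraction(0)
    for xj, yj in shares:
        term = Fraction(yj)
        for xm, _ in shares:
            if xm != xj:
                term *= Fraction(-xm, xj - xm)
        total += term
    return total
```

Interpolating any two of the slides' pieces with `reconstruct_over_integers` returns D = 34, while a single piece interpolates to its own y-value.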

Vanishing Data
Motivation
- Many forms of data (e.g., ) are archived by service providers for reliability/availability
- Data stored “in the cloud” beyond user control
- Such data creates a target for intruders, and may persist beyond useful lifetime to the user’s detriment through disclosure of personal information
- Recreates “forget-ability” and/or deniability
- Protect against retroactive data disclosure
Innovation: “vanishing data object” (VDO)


Vanishing Data
A VDO is permanently unreadable after a period
It is readable by legitimate users during the period
The threat model allows the attacker to retroactively know the VDO and all persistent cryptographic keys
Does not require
- explicit action by the user or storage service to render the data unreadable
- changes to any of the stored copies of the data
- secure hardware
- any new services (leverage existing services)

Example Applications

Vanish Architecture
Key elements
- Threshold secret sharing
- Distributed hash tables (DHT)
  - P2P systems
  - Availability
  - Scale, geographic distribution, decentralization
  - Churn
    - Median lifetime minutes/hours
    - 2.4 min (Kazaa), 60 min (Gnutella), 5 hours (Vuze)
    - extended to desired period by background refresh
VUZE
- Open-source P2P system
- using the BitTorrent protocol

Vanish Architecture
Operation
- Locator is a pseudorandom number generator keyed by L; used to select random locations in the DHT for storing the VDO
- VDO is encrypted with key K
- N shares of K are created and then K is erased
- VDO = (L, C, N, threshold)

Setting Parameters
- Use threshold=90%
- Use N=50

Setting Parameters
Tradeoff
- Larger threshold values provide more security
- Larger threshold values provide shorter lifetimes

Performance Measurement
Prepush – Vanish proactively creates and distributes data keys

Attack Vectors and Defenses
Decapsulate VDO prior to expiration
- Further encrypt data using traditional encryption schemes
Eavesdrop on net connection
- Use DHT that encrypts traffic between nodes
- Compose with system (like TOR) to tunnel interactions with DHT through remote machines
Integrate in DHT
- Eavesdrop on store/lookup operations
  - Possible but extremely expensive to attacker (see next)
- Standard attacks on DHTs
  - Adopt standard solution

Parameters and security
Assuming 5% of the DHT nodes are compromised, what is the probability of VDO compromise?
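One way to put numbers on the threshold tradeoff and on the question above, as an added example that is not from the slides or the Vanish authors. It assumes a simplified model in which each of the N shares lands independently on a compromised node with probability equal to the compromised fraction; the per-share survival probability used for the lifetime side is a hypothetical parameter.

```python
# Added example: simplified independent-share model; not from the slides.
from fractions import Fraction
from math import ceil, comb

def tail(n, k, p):
    """P[X >= k] for X ~ Binomial(n, p), computed exactly with rationals."""
    p = Fraction(p)
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def needed(n, threshold_pct):
    """Number of shares required for a threshold given in percent of N."""
    return ceil(Fraction(n * threshold_pct, 100))

def compromise_probability(n, threshold_pct, compromised_fraction):
    """Attacker recovers K only if at least `needed` shares sit on compromised nodes."""
    return tail(n, needed(n, threshold_pct), compromised_fraction)

def availability(n, threshold_pct, share_survival):
    """A legitimate reader recovers K only if at least `needed` shares are still stored."""
    return tail(n, needed(n, threshold_pct), share_survival)

def sweep(n=50, compromised=Fraction(5, 100), survival=Fraction(95, 100)):
    """Security versus lifetime for several thresholds (survival is hypothetical)."""
    rows = []
    for pct in (50, 70, 90, 100):
        rows.append((pct, needed(n, pct),
                     float(compromise_probability(n, pct, compromised)),
                     float(availability(n, pct, survival))))
    return rows

if __name__ == "__main__":
    for pct, k, p_comp, p_read in sweep():
        print(f"threshold={pct:3d}%  k={k:2d}  "
              f"P[compromise]={p_comp:.3e}  P[readable]={p_read:.4f}")
```

With N=50 and threshold=90%, the attacker needs 45 of the 50 shares. Raising the threshold lowers the compromise probability but also lowers the chance that enough shares survive churn, which is the tradeoff stated on the Setting Parameters slide.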