Vanish: Increasing Data Privacy with Self-Destructing Data Roxana Geambasu Tadayoshi Kohno Amit A. Levy Henry M. Levy University of Washington

Problem:  Data is never truly forgotten caches caches Chat History Chat History Cloud Services Cloud Services Data Backups Data Backups Transmission to 3 rd parties Transmission to 3 rd parties  Resting data is vulnerable Recent hack on Sony for example Recent hack on Sony for example 2

Problem:  What kind of data? Chat History Chat History Posts on public forums Posts on public forums Pictures Pictures Personal Files Personal Files  Many items of sensitive data are only useful for a limited time 3

Problem:  Who wants your data? The spouse in a divorce case The spouse in a divorce case The public during an election cycle The public during an election cycle The government in a criminal case The government in a criminal case The plaintiff in a civil case The plaintiff in a civil case Your employer Your employer Identity Thief Identity Thief Someone who intends to blackmail you. Someone who intends to blackmail you. 4

Requirements:  We would like sensitive data to be permanently deleted after it has served its original purpose. Even if it is archived by any number of 3 rd parties Even if it is archived by any number of 3 rd parties Without any explicit action by the creator Without any explicit action by the creator Without the need to access the data where it is stored Without the need to access the data where it is stored Without the use of secure hardware Without the use of secure hardware Without deployment of new external services. Without deployment of new external services. 5

Intro to Vanish  Vanish claims to solve the problem while meeting all requirements.  At a High Level: Threshold Secret Sharing Threshold Secret Sharing Distributed Hash Tables (Vuze and OpenDHT) Distributed Hash Tables (Vuze and OpenDHT) Vanishing Data Object (VDO) Vanishing Data Object (VDO) 6

Threshold Secret Sharing  Many different implementations  Basic Principal n = Number of “shares” n = Number of “shares” t = Threshold t = Threshold The Secret can be revealed using any combination of t shares. The Secret can be revealed using any combination of t shares.  Vanish uses Shamir secret sharing 7

Threshold Secret Sharing Crafting and distributing shares 1. Generate a secret key K 2. Determine value for n and t 3. Calculate and distribute n shares Obtaining a secret from shares 1. Collect t shares from the set of n shareholders 2. Combine shares and determine the value K 8

Shamir Secret Sharing It takes k points to define a polynomial of degree k-1 1. Choose threshold coefficients a 1..a t 2. Choose its y-intercept (a 0 ) as the key 3. Choose any N points along the curve and distribute them as shares 4. One only needs k points to re-construct the curve and find the y-intercept. 9

Vuze Distributed Hash Table Desirable Properties: 1. Availability 2. Scale 3. Geographic Distribution 4. Decentralization 5. Churn 10

Vuze Distributed Hash Table  Based on the Kademlia Protocol  Has indexes split over 1M+ nodes  An index has a fixed 8-hour timeout  Data is copied to the 20 closest nodes to ensure availability until the timeout. Three commands: 1. Lookup – Find which node owns a particular index 2. Get – Get the data from a host for an index 3. Store – Store data on a host at an index. 11

Vanishing Data Object (VDO)  Input: Data Object D Data Object D Timeout T (optional) Timeout T (optional)  Output: VDO V = {L,C,N,threshold} VDO V = {L,C,N,threshold} 12

Vanish: Encapsulation Building the VDO: 1. Pick a random symmetric key K 2. Encrypt D with K to obtain C 3. Create N shares of K (secret sharing) 4. Generate access key L 5. Use PRNG seeded with L to generate DHT indices I 1 – I N 6. Store shares K 1 -K N into indices I 1 -I N 13

Vanish: Encapsulation 14 Image Credit: “Vanish”; Geambasu, Kohno, Levy, Levy 2009 pp. 7

Vanish: Decapsulation Getting back your data: 1. Obtain VDO V = {L,C,N,threshold} 2. Use L and N to derive indices I 1 -I N 3. Obtain at least threshold shares of K 1 -K N 4. Calculate key K 5. Obtain Data D = decrypt K (C) 15

Vanish Applications  FireVanish Plugin written for Firefox 3.0 Plugin written for Firefox 3.0 Requires the Unix Vuze DHT implementation. Requires the Unix Vuze DHT implementation. Was adapted from FireGPG Was adapted from FireGPG  Desktop File Application Only discussed in the paper and never distributed Only discussed in the paper and never distributed Claimed secure erasure of items in host trash bin. Claimed secure erasure of items in host trash bin. 16

Vanish: VDO Availability Using N=1 1% of VDOs expire too early 1% of VDOs expire too early 5% of VDOs expire LONG after intended 5% of VDOs expire LONG after intended Using N=100, T=99% Average Life was only 4 hours Average Life was only 4 hours Using 20≤ N ≤50+, T=90% Almost ideal results Almost ideal results 17 Image Credit: “Vanish”; Geambasu, Kohno, Levy, Levy 2009 pp. 8

Vanish: Performance  In 2009, it took 17 seconds to push 20 Index-Data pairs into Vuze DHT  Retrieving 20 values took 2.0 seconds  Both scale linearly  Pre-Push feature added to speed up encapsulation to about 0.1 seconds. 18

Vanish: Security  Attacks after the VDO has expired are infeasible Shares were spread over jurisdictions Shares were spread over jurisdictions Churn in Vuze makes it infeasible to identify which machines had shares. Churn in Vuze makes it infeasible to identify which machines had shares. 19

Vanish: Security  Some attacks before VDO’s expire: ISP proactively encapsulates ISP proactively encapsulates ○ Ans: Put VDO’s inside PGP container Someone sniffs and archives all DHT operations of sender or receiver Someone sniffs and archives all DHT operations of sender or receiver ○ Ans: Use tor The attacker joins the DHT in an attempt to retain copies of store and lookup requests. The attacker joins the DHT in an attempt to retain copies of store and lookup requests. ○ Ans: Stay Tuned… 20

21