Vanish: Increasing Data Privacy with Self-Destructing Data Roxana Geambasu | Tadayoshi Kohno | Amit A. Levy | Henry M. Levy Presented by: Libert Tapia USENIX Security Symposium (Usenix), 2009 (best student paper award)
What is Vanish ? Vanish is a project developed at the University of Washington which give the users the ability to determine the lifespan of their personal data stored in the web such as private message on Facebook, documents on Google Docs, or private photo on Flickr by making the Web object self-destruct or vanish automatically.
Motivating Problem: Data Lives Forever Sensitive sender HotmailGmail The sensitive is store in several servers before arriving to its final destination and if the sender deletes the from his / hers inbox the will still be store on several other locations for a long period of time. Creates multiple points where an attack can be performed. And compromise the person involved in the conversation
Effects Sensitive sender HotmailGmail subpoena Lawyer, Attacker Receiver
Candidate Approaches User explicitly and manually delete there data or install a cron job to do that. Use a standard public key or symmetric encryption scheme. Stenography, Deniable encryption or Deniable file system Ephemeral key exchange for interactive communication systems (eg: OTR) Ephemerizer (trusted 3rd parties)
Assumptions Vanishing Data Object (VDO) 1.Time-limited value – store only for a limited period of time. 2.Known timeout – can be specified by the user. 3.Internet connectivity – required to interact with the VDO. 4.Dispensability under attack – user can destroy even if prematurely.
Goals Even if an attacker can retroactively obtain a pristine copy of that data and any relevant persistent cryptographic keys and passphrases from before that timeout, perhaps from stored or archived copies; Without the use of any explicit delete action by the user or the parties storing that data; (Automatically) Without needing to modify any of the stored or archived copies of that data; Without the use of secure hardware; and Without relying on the introduction of any new external services that would need to be deployed (whether trusted or not).
Threat Model Goal: 1.Trusted data owners 2.Retroactive attacks on privacy Out of scope threats 1.User making a clear text copy of the VDO and storing it. 2.ISPs that might spy on user DHT interaction.
World-Wide DHT How Vanish Works: Data Encapsulation Vanish Encapsulate (data, timeout) Vanish Data Object VDO = {C, L} Secret Sharing (M of N) k1k1 k2k2 kNkN... k3k3 Random indexes k1k1 k2k2 k3k3 kNkN C = E K (data) L K k1k1 k3k3 kNkN k2k2 9 VDO = {C, L}
Data Encapsulation
How Vanish Works: Data Decapsulation 11 Vanish Encapsulate (data, timeout) Random indexes C = E K (data) World-Wide DHT Vanish Decapsulate (VDO = {C, L}) data Secret Sharing (M of N)... Random indexes k1k1 k3k3 kNkN data = D K (C) kNkN k3k3 k1k1 LL K Secret Sharing (M of N) VDO = {C, L} k2k2 k2k2 Vanish Data Object VDO = {C, L}. k1k1 k2k2 k3k3 kNkN. k1k1 k2k2 k3k3 kNkN
How Vanish Works: Data Timeout The DHT loses key pieces over time – Natural churn: nodes crash or leave the DHT – Built-in timeout: DHT nodes purge data periodically Key loss makes all data copies permanently unreadable 12 World-Wide DHT Vanish Secret Sharing (M of N)... Random indexes k1k1 k3k3 kNkN data = D K (C) L K X kNkN k3k3 k1k1 12 X X
Vuze Background (a.k.a Azureus) Uses Kademlia protocol Nodes or assigned a random 160-bit Id based on IP and port. Looks for 20 nodes with ID closets to the index. Republish every 30 minutes to the other 19 nodes to combat churn.
Availability and Expiration in Vuze
Vanish Applications FireVanish Vanishing Files – Self-destructive trash bin or Microsoft Word’s auto save
Performance Based on T2500 DUO 2GB of Ram, Java 1.6 basic broadband network.
Security Analyses DHT can store information about the communication and an anonymization software like Tor is recommended. User not Vanishing the proper data. Vanish my raise legal implication in the new eDiscovery rules.
Retroactive Attacks Vanish Secret Sharing (M of N) k1k1 k2k2 kNkN... k3k3 K Direct put Replication Defense The attacker must join ~8% of the DHT size, for 25% capture. Decentralization Constant Evolution
Decapsulation Prior to Expiration provider decapsulate on real time and storing them. Defense – Use PGP(Pretty Good Privacy) or GPG(GNU Privacy Guard) – this will make it harder for the provider to decapsulate and the VDO will expire.
Sniff User’s Internet Connection Attacker might try to intercept and preserve the data users push into or retrieve from DHT. Defense – Vuze provides security for this type of attack. – Use Tor to tunnel the interaction with a DHT through remote machine.
Integrate into DHT (Sybil / Eclipse Attacks) Attacker integrate within the DHT in order to create copies of all data that is ask to store. This is estimate to cost around $860k/year in Amazon EC2 computation and networking cost.
Conclusions This paper introduced a new approach for protecting data privacy from attackers who retroactively obtain, through legal or other means, a user’s stored data and private decryption keys.
Improvements Using RSA before sending data to the node(SafeVanish Paper) provider stores decrypted data every certain time.