Problem: Replication versus Confidentiality

Presentation transcript:

Asynchronous Proactive Secret Sharing
Fred B. Schneider* (fbs@cs.cornell.edu)
Department of Computer Science, Cornell University, Ithaca, New York 14853
*Joint work with Robbert van Renesse and Lidong Zhou.

Problem: Replication versus Confidentiality
- State replication provides:
  - Increased availability
  - Increased vulnerability to compromised secrets.
- Secure services invariably keep secrets (viz keys).
(Figure labels: Servers, Client.)

Solution: Threshold Cryptography
- (n,t) secret sharing [Shamir, Blakley]:
  - Secret s is divided into n shares.
  - Any t or more shares suffice for reconstructing s.
  - Fewer shares convey no information about s.
- Threshold cryptography:
  - Perform cryptographic operations piecewise using shares of secret key; result is as if secret key was used.
  - Example: Threshold digital signatures

Problem: Mobile Virus Attacks [Ostrovsky]
- Attack server 1 and learn its secret shares … attacker evicted, server returned to operation.
- Attack server 2 and learn its secret shares …
- At most 1 server compromised at any instant but secret revealed after server t attacked!
- Secret erodes over time!!!
(Figure axis: time.)

Solution: Share Refreshing
For an (n,t) sharing of a secret s:
- Start with set of old shares.
- Compute set of new shares such that t or fewer old shares cannot be combined with t or fewer new shares to recover s.
Proactive Secret Sharing (PSS)!!!!

Proactive Secret Sharing: Share Refreshing for (m,m) sharing
- Old sharing: s1, s2, s3, …
- Split: each old share si is split into subshares: si = si1 + si2 + si3 + …
- Reconstruct: each new share si’ is the sum of the i-th subshares: si’ = s1i + s2i + s3i + …
- New sharing: s1’, s2’, s3’, …
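
The split/reconstruct round above, together with the mobile-attacker scenario from the earlier slide, as an added example (not code from the talk or from the APSS implementation). The modulus P, the function names and running all servers in one process are assumptions made for illustration.

```python
import secrets

P = 2**127 - 1  # prime modulus for share arithmetic (assumed; the slides name no field)

def split(value, m):
    """Additive (m,m) sharing: m values that sum to `value` mod P."""
    parts = [secrets.randbelow(P) for _ in range(m - 1)]
    return parts + [(value - sum(parts)) % P]

def reconstruct(shares):
    """All m shares of one sharing are needed; their sum is the secret."""
    return sum(shares) % P

def refresh(old_shares):
    """One refresh round: server i splits s_i into s_i1..s_im and sends s_ij
    to server j; server j's new share is s_1j + s_2j + ... + s_mj."""
    m = len(old_shares)
    sub = [split(s_i, m) for s_i in old_shares]        # sub[i][j] = s_ij
    return [sum(sub[i][j] for i in range(m)) % P for j in range(m)]

def mobile_adversary_view(old_shares, new_shares, stolen_old, stolen_new):
    """What an attacker computes by pooling shares stolen in different epochs."""
    return reconstruct([old_shares[i] for i in stolen_old] +
                       [new_shares[j] for j in stolen_new])

def demo(secret=0xC0FFEE, m=3):
    """Returns (secret from old sharing, secret from new sharing, attacker's mix)."""
    old = split(secret, m)
    new = refresh(old)
    # Servers 0 and 1 were compromised before the refresh, server 2 after it.
    mixed = mobile_adversary_view(old, new, stolen_old=[0, 1], stolen_new=[2])
    return reconstruct(old), reconstruct(new), mixed

if __name__ == "__main__":
    from_old, from_new, mixed = demo()
    print(hex(from_old), hex(from_new), hex(mixed))
```

Both sharings reconstruct the same secret, while the attacker's mix of two old shares and one new share yields an unrelated value, because the new share is masked by fresh randomness.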

Implementing (n,t) by (m,m)
- s = s1 + s2 + … + sm
- (m,m) sharing suffices [Ito] for getting (n,t) sharing.
- Each (n,t) share of s is a set of (m,m) shares of s.
- Only with enough (=m) of the (m,m) shares is s derived.
(4,1) sharing of s:
- P1: {s2, s3, s4}
- P2: {s1, s3, s4}
- P3: {s1, s2, s4}
- P4: {s1, s2, s3}
Each set {…} is an (n,t) share; each si is an (m,m) share.
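
The (4,1) layout above generalizes to any (n,t): create one (m,m) share per t-subset of servers and give it to every server outside that subset. The following added example (not code from the talk) builds that assignment and checks it. It reads t as the number of compromised servers to be tolerated, as in the (4,1) figure; the modulus and function names are assumptions.

```python
import secrets
from itertools import combinations

P = 2**127 - 1  # prime modulus (assumed; the slides name no field)

def ito_share(secret, n, t):
    """Return ({server: {label: value}}, m). There is one additive share per
    t-subset of servers; a server stores every share whose subset excludes it."""
    subsets = list(combinations(range(1, n + 1), t))
    values = [secrets.randbelow(P) for _ in subsets[:-1]]
    values.append((secret - sum(values)) % P)          # all m values sum to secret
    held = {p: {} for p in range(1, n + 1)}
    for label, (subset, value) in enumerate(zip(subsets, values), start=1):
        for p in held:
            if p not in subset:
                held[p][label] = value
    return held, len(subsets)

def recover(held, m, coalition):
    """Pool the (m,m) shares of a coalition; None if any label is missing."""
    pooled = {}
    for p in coalition:
        pooled.update(held[p])
    if len(pooled) < m:
        return None
    return sum(pooled.values()) % P

def check_threshold(secret, n, t):
    """True if no t servers recover the secret and every t+1 servers do."""
    held, m = ito_share(secret, n, t)
    servers = range(1, n + 1)
    small = all(recover(held, m, c) is None for c in combinations(servers, t))
    large = all(recover(held, m, c) == secret
                for c in combinations(servers, t + 1))
    return small and large

if __name__ == "__main__":
    held, m = ito_share(424242, 4, 1)
    print({p: sorted(labels) for p, labels in held.items()}, m)
    print(check_threshold(424242, 5, 2))
```

The number of (m,m) shares is m = C(n,t), so this construction is practical only for small n.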

Problem: Denial of Service Attacks
- Assumptions = Vulnerabilities.
- Denial of service attacks violate assumptions about:
  - Execution timing
  - Message delivery delay
- Weak system models are preferable!

System Model for APSS
- Asynchronous System. No bounds on:
  - message delivery delays
  - process execution speeds
- Byzantine Servers. At most t servers are compromised within a window of vulnerability, 3t < n. Total of n servers.
- Fair Links. A message sent often enough will be delivered.
Anything weaker unlikely to allow solution.

From Strong to Weak Assumptions

Servers   | Links  | Additional
Omission  | Secure | 1 Fault-free Coordinator
Omission  | Fair   | 1 Fault-free Coordinator
Omission  | Fair   | t+1 Omission Coordinators
Malicious | Fair   |

Weak assumptions = Strong adversary

Steps toward APSS Protocol
- Each (m,m) share stored at multiple sites. Soln: Fault-free coordinator chooses one subsharing for each (m,m) share.
- Message loss due to fair links. Soln: Repeated sends, awaiting semantic ack.
- Coordinator faulty. Soln: With t+1 coordinators, one is correct.
- Compromised processors send bogus msgs. Soln: Messages are made self-checking, so receivers can reject those messages that are not valid.

Steps toward APSS: Multiple Subsharings
- P1: {s2, s3, s4}
- P2: {s1, s3, s4}
- Figure labels: s23+t23+r23, s13+t13+r13
- Coordinator chooses:
  - split of share s1: …
  - split of share s2: …
  - split of share s3: P1 …

Steps toward APSS: Handling Fair Links
Send M repeatedly to P until receive Msgs from Q.
Note:
- P, Q might be sets of processors
- Msgs might be sets of messages
(Figure labels: sender, receiver.)

Steps toward APSS: Coordinator Faulty
Having t+1 coordinators ensures one is correct.
Implications:
- t+1 new sharings might be produced. Associate a label with each share and sharing.
- Different sharings not necessarily independent. Multiple sharings built from same subshares if different coordinators select same process for split of given share. But all related subshares produce shares stored together, so combining all shares at a given server is not productive.

Steps toward APSS: Arbitrary Processor Compromise
- Messages convey predicates (not values!). Examples:
  - “If sender r is correct then all shares stored at r.”
  - “Share is stored by t+1 or more correct processors.”
- Valid message: Predicate is true when msg sent.
- Compromised processors may send messages that convey false predicates.
- Sender adds content to msgs, so receiver can test whether msg is valid.
- Always possible? Possible for messages employed in APSS.

Steps toward APSS: Making Messages Self-Verifying
- Some messages are always valid: “If r is correct then A(r) holds” -- r is sender
- For predicates involving shares and subshares: Employ redundancy with one-way, trap-door functions
  - Digital signatures
  - Validity checks on shares and subshares:
    < s > = vcConst( < s1 >, < s2 >, … < sm > )
    < s > = oneWay( s )
- For predicates involving consistency of values across servers:
  - Attach 2t+1 messages; at least t+1 are correct.
  - Make inference from predicates for t+1 valid messages. E.g., “Share stored at some correct server.”
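
One way a receiver can apply the validity checks above, as an added example (not code from the talk or from APSS). The slides do not define oneWay or vcConst; this sketch assumes a discrete-log instantiation, oneWay(s) = g^s mod p with vcConst multiplying the subshare values, over a toy group constructed for the example. The message layout and function names are also assumptions.

```python
import secrets

# Toy group constructed for this example: P_MOD = 2*Q + 1, G has prime order Q.
# Far too small to be one-way in practice; real use needs a large group.
P_MOD, Q, G = 2039, 1019, 4

def one_way(x):
    """<x> = G^x mod P_MOD (assumed instantiation of the slide's oneWay)."""
    return pow(G, x % Q, P_MOD)

def vc_const(sub_commits):
    """Combine <s1>..<sm> into <s1 + ... + sm> by multiplying (assumed vcConst)."""
    out = 1
    for c in sub_commits:
        out = out * c % P_MOD
    return out

def make_messages(share, m):
    """Sender: split `share` into m subshares mod Q; message j carries
    subshare j together with the one-way values of all m subshares."""
    subs = [secrets.randbelow(Q) for _ in range(m - 1)]
    subs.append((share - sum(subs)) % Q)
    commits = [one_way(x) for x in subs]
    return [{"index": j, "subshare": subs[j], "sub_commits": commits}
            for j in range(m)]

def is_valid(msg, share_commit):
    """Receiver: accept only if the subshare matches its own one-way value and
    the one-way values combine to the already-known value <s> of the share."""
    own = msg["sub_commits"][msg["index"]]
    return (one_way(msg["subshare"]) == own
            and vc_const(msg["sub_commits"]) == share_commit)

if __name__ == "__main__":
    share = 777                      # constructed sample share
    known = one_way(share)           # <s>, assumed known from the previous sharing
    msgs = make_messages(share, 3)
    print([is_valid(m, known) for m in msgs])
    bogus = dict(msgs[0], subshare=(msgs[0]["subshare"] + 1) % Q)
    print(is_valid(bogus, known))    # a compromised sender's altered subshare
```

The receiver never learns the share itself; it only needs the value < s > carried over from the previous sharing to reject a subshare that does not belong to a correct split.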

Optimization: Absent Attacks
- In normal environment:
  - Coordinators correct: no need to replicate.
  - No denial of service: system is synchronous.
- In any protocol for asynchronous systems: Delay of actions permitted.
- Allows optimized protocol:
  - Delay all but one coordinator Cp for T secs.
  - Run other coordinators only after T secs pass and new sharing still unavailable.

APSS Status, Plans, Lessons
- Implemented, running, performance data.
- Used in Cornell On-line Certification Authority (COCA).
- Design for JBI encryption-based access control.
- Stand-alone APSS package now being built:
  - (m,m) secret sharing.
  - (n,t) secret sharing without (m,m) reduction.
- Composing fault-tolerance and security?
  - Need protocols for weak computational models.
  - Need secret sharing for replicated secrets.