Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Leakage in Encrypted Deduplication via Frequency Analysis

Published byHenry Merritt Modified over 6 years ago

Similar presentations

Presentation on theme: "Information Leakage in Encrypted Deduplication via Frequency Analysis"— Presentation transcript:

1 Information Leakage in Encrypted Deduplication via Frequency Analysis
Jingwei Li*, Chuan Qin#, Patrick P. C. Lee#, Xiaosong Zhang* *University of Electronic Science and Technology of China #The Chinese University of Hong Kong DSN 2017

2 Data Explosion Digital universe projected to grow from 4.4 ZB in 2013 to 44 ZB in 2020 [1] (Note: 1 ZB = 1 trillion GB) Data outsourcing to public clouds is common to ease data management Deduplication removes content duplicates to save storage space 50% space saving for Windows file system snapshots [Meyer, FAST’11] 98% space saving for backup data [Wallace, FAST’12] [1]

3 Storage space saved by 5/12 = 42%!
Deduplication Deduplication  coarse-grained compression Unit: chunk (fixed- or variable-size) Store only one copy of chunks with same content; other chunks refer to the copy by references (pointers) Storage space saved by 5/12 = 42%!

4 Encryption vs. Deduplication
Securing outsourced data is critical Traditional encryption is incompatible with deduplication Plaintext M1 Ciphertext C1 Ciphertext C2 K K’ Plaintext M2 Can’t be dedup’ed Can be Alice’s key Bob’s key Duplicate chunks encrypted by different keys  different ciphertext chunks

5 Encrypted Deduplication
Message-locked encryption (MLE) [Bellare, EuroCrypt’13] A general framework using content-derived keys for encryption Content-derived key K Plaintext M1 Ciphertext C1 Can be dedup’ed Can be dedup’ed K Plaintext M2 Ciphertext C2 Content-derived key Examples: Convergent encryption [Douceur, ICDCS’02]; Server-aided MLE [Bellare, Security’13]

6 Is MLE Fully Secure? (Server-aided) MLE is deterministic encryption
Same plaintexts lead to same ciphertexts Leak frequency distribution of plaintext chunks Practical storage workloads exhibit non-uniform frequency distribution 99.8% of chunks appear less than 100 times, while 30 chunks appear over 10,000 times Frequency distribution of FSL dataset

7 Frequency Analysis Frequency analysis was proposed by Al-Kindi, an Arab polymath, in 9th century Break substitution ciphers Frequency analysis against encrypted deduplication: Acquire knowledge of frequency distribution of plaintext chunks (e.g., via unintended data release [*] or data breaches) Count frequencies of ciphertext chunks Infer their plaintext chunks from ciphertext frequency distribution What is practical implication of frequency analysis against encrypted deduplication? [*]

8 Our Contributions Propose locality-based attack to exploit chunk locality to increase attack severity Ciphertext-only attack: infer 17.8% of data (vs % for classical frequency analysis) Known-plaintext attack: infer 27.1% of data with only 0.2% of data leakage Demonstrate MinHash encryption effectively resists frequency analysis Suppress inference rate of a real-world dataset to below 0.45%, even with a small leakage (e.g., 0.2%) Maintain deduplication saving as shown by prior work

9 Threat Model Target backup workloads
High content redundancy for deduplication [Zhu, FAST’08; Wallace, FAST’12] Chunk locality [Lillibridge, FAST’09; Xia, ATC’11] Access to auxiliary information (ground truth) Plaintext chunks of some prior backup Access to logical order of ciphertext chunks of latest backup before deduplication e.g., C = (C1,C2,C5,C2,C1,C2,C3,C4,C2,C3,C4,C4) Provide both frequency and locality information of latest backup Existing deduplication systems also process chunks in logical order (e.g., DDFS [Zhu, FAST’08])

10 Threat Model Adversarial goal: infer the content of plaintext chunks given the ciphertext chunks of the latest backup Ciphertext-only: only ciphertext chunks of latest backup known Known-plaintext: some plaintext chunks of latest backup known Chunk Dedup module ... Disks Deduplication system MLE protection Tapped by adversary

11 Security Implication Infer critical files of an encrypted backup snapshot e.g., system files, user databases How-to: Given plaintext chunks of some critical files, identify the ciphertext chunks that are inferred to those plaintext chunks The identified ciphertext chunks can be later attacked specifically (e.g., corruption or malicious attacks)

12 Basic Attack Given prior backup M = {M}, apply frequency analysis to infer plaintext chunks in latest backup C = {C} Sort chunks of M and C by chunk frequency Infer that i-th frequent chunk in M = plaintext chunk of i-th frequent chunk in C (Note: Numbers of chunks in M and C may differ) Result: small inference accuracy Sensitive to data updates  Many “ties” in frequency sorting

13 Locality-based Attack
Chunk locality: tendency of chunks and their neighbors to re-occur across backups Example: if chunk M1 is surrounded by M2, M3, M4 in one backup, then M1 is likely to be surrounded by M2, M3, M4 in next backup Improve deduplication indexing [Zhu, FAST’08; Lillibridge, FAST’09; Xia, ATC’11] Adapt chunk locality to frequency analysis If M is mapped to C, then neighbors of M are also probably mapped to neighbors of C Iteratively infer more ciphertext-plaintext pairs

14 Locality-based Attack
Frequency analysis top-frequent pairs C M Frequency analysis inferred set G = {(C, M)} top-frequent pairs Associative arrays LC = left chunks of C LM = left chunks of M RC = right chunks of C RM = right chunks of M (C, M) main loop Number of top-frequent pairs and size of inferred set are configurable

15 Example C1 C2 C5 C3 C4 M1 M2 M3 M4 C M M1 M2 M3 M4 C1 C2 C5 C3 C4 M1
map most freq chunks map left/right chunks M1 M2 M3 M4 C1 C2 C5 C3 C4 map right chunks C1 C2 C5 C3 C4 M1 M2 M3 M4 C1 C2 C5 C3 C4 Infer 4 out of 5 unique chunks

16 Attack Evaluation Datasets Testbed: Quad-core 3.0GHz CPU and 16GB RAM
FSL [Sun, MSST’16]: 5 monthly backups from Jan 22 to May 21, 2013, covering 2.69 TB in total Synthetic: 10 image snapshots derived from a Ubuntu image (4.28 GB space) via controlled modifications [Lillibridge, FAST’13] Testbed: Quad-core 3.0GHz CPU and 16GB RAM 15 hours to process 500 GB of data

17 Ciphertext-only FSL Auxiliary: Prior backup in x-axis Target: Backup on May 21 Synthetic Auxiliary: Initial Ubuntu snapshot Target: Latest backup in x-axis Locality-based attack has much higher inference rate than basic attack (e.g., 17.8% vs % in FSL)

18 Known-plaintext Slight increase in leakage rate  significant increase in inference rate  FSL: from 11.1% to 27.1% Synthetic: from 10.3% to 28.3%

19 Defense: MinHash Encryption
MinHash deduplication shown to mitigate performance overhead [Bhagwat, MASCOTS’09; Xia, ATC’11; Qin, ToS’17] Storage efficiency only slightly degrades, by Border’s theorem MinHash encryption’s flow: Group chunks into segments Choose minimum-fingerprint (minHash) chunk of each segment Derive encryption key from the minHash chunk Encrypt every chunk in the segment with the derived key Rationale: Disturb frequency ranking to combat frequency analysis, while maintaining deduplication saving

20 Defense Evaluation FSL Synthetic MinHash encryption significantly reduces inference rate   FSL: from up to 27.1% to 0.45% Synthetic: from up to 28.3% to 8%

21 Storage Efficiency Maintain storage saving
FSL Synthetic Maintain storage saving 3-4% off from exact chunk-based deduplication

22 Conclusions Locality-based attack is a new frequency analysis attack that severely compromises encrypted deduplication  MinHash encryption effectively defends against frequency analysis, with high storage efficiency Many open questions on both attack and defense sides Source code:

Download ppt "Information Leakage in Encrypted Deduplication via Frequency Analysis"

Similar presentations

Henry C. H. Chen and Patrick P. C. Lee

Henry C. H. Chen and Patrick P. C. Lee
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
1 STAIR Codes: A General Family of Erasure Codes for Tolerating Device and Sector Failures in Practical Storage Systems Mingqiang Li and Patrick P. C.

1 STAIR Codes: A General Family of Erasure Codes for Tolerating Device and Sector Failures in Practical Storage Systems Mingqiang Li and Patrick P. C.
1 Toward I/O-Efficient Protection Against Silent Data Corruptions in RAID Arrays Mingqiang Li and Patrick P. C. Lee The Chinese University of Hong Kong.

1 Toward I/O-Efficient Protection Against Silent Data Corruptions in RAID Arrays Mingqiang Li and Patrick P. C. Lee The Chinese University of Hong Kong.
Low-Cost Data Deduplication for Virtual Machine Backup in Cloud Storage Wei Zhang, Tao Yang, Gautham Narayanasamy University of California at Santa Barbara.

Low-Cost Data Deduplication for Virtual Machine Backup in Cloud Storage Wei Zhang, Tao Yang, Gautham Narayanasamy University of California at Santa Barbara.
1 Live Deduplication Storage of Virtual Machine Images in an Open-Source Cloud Chun-Ho Ng, Mingcao Ma, Tsz-Yeung Wong, Patrick P. C. Lee, John C. S. Lui.

1 Live Deduplication Storage of Virtual Machine Images in an Open-Source Cloud Chun-Ho Ng, Mingcao Ma, Tsz-Yeung Wong, Patrick P. C. Lee, John C. S. Lui.
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
Seafile - Scalable Cloud Storage System

Seafile - Scalable Cloud Storage System
Yongtao Zhou, Yuhui Deng, Junjie Xie

Yongtao Zhou, Yuhui Deng, Junjie Xie
MetaSync File Synchronization Across Multiple Untrusted Storage Services Seungyeop Han Haichen Shen, Taesoo Kim*, Arvind Krishnamurthy,

MetaSync File Synchronization Across Multiple Untrusted Storage Services Seungyeop Han Haichen Shen, Taesoo Kim*, Arvind Krishnamurthy,
Adversaries in Clouds: Protecting Data in Cloud-Based Applications Nick Feamster Georgia Tech.

Adversaries in Clouds: Protecting Data in Cloud-Based Applications Nick Feamster Georgia Tech.
Multi-level Selective Deduplication for VM Snapshots in Cloud Storage Wei Zhang*, Hong Tang †, Hao Jiang †, Tao Yang*, Xiaogang Li †, Yue Zeng † * University.

Multi-level Selective Deduplication for VM Snapshots in Cloud Storage Wei Zhang*, Hong Tang †, Hao Jiang †, Tao Yang*, Xiaogang Li †, Yue Zeng † * University.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
1 Convergent Dispersal: Toward Storage-Efficient Security in a Cloud-of-Clouds Mingqiang Li 1, Chuan Qin 1, Patrick P. C. Lee 1, Jin Li 2 1 The Chinese.

1 Convergent Dispersal: Toward Storage-Efficient Security in a Cloud-of-Clouds Mingqiang Li 1, Chuan Qin 1, Patrick P. C. Lee 1, Jin Li 2 1 The Chinese.
Min Xu1, Yunfeng Zhu2, Patrick P. C. Lee1, Yinlong Xu2

Min Xu1, Yunfeng Zhu2, Patrick P. C. Lee1, Yinlong Xu2
1 On Querying Historical Evolving Graph Sequences Chenghui Ren $, Eric Lo *, Ben Kao $, Xinjie Zhu $, Reynold Cheng $ $ The University of Hong Kong $ {chren,

1 On Querying Historical Evolving Graph Sequences Chenghui Ren $, Eric Lo *, Ben Kao $, Xinjie Zhu $, Reynold Cheng $ $ The University of Hong Kong $ {chren,
Panagiotis Antonopoulos Microsoft Corp Ioannis Konstantinou National Technical University of Athens Dimitrios Tsoumakos.

Panagiotis Antonopoulos Microsoft Corp Ioannis Konstantinou National Technical University of Athens Dimitrios Tsoumakos.
Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.

Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.
DATA DEDUPLICATION By: Lily Contreras April 15, 2010.

DATA DEDUPLICATION By: Lily Contreras April 15, 2010.
Demystifying Deduplication. Global SMB Event Marketing 2 APPROACH: What is deduplication? Eliminate redundant data Start with the backup environment as.

Demystifying Deduplication. Global SMB Event Marketing 2 APPROACH: What is deduplication? Eliminate redundant data Start with the backup environment as.

Similar presentations

Ads by Google