Presentation is loading. Please wait.

Presentation is loading. Please wait.

Recoverable Encryption through Noised Secret over Large Cloud Sushil Jajodia 1, W. Litwin 2 & Th. Schwarz 3 1 George Mason University, Fairfax, VA

Published byAmari Burkman Modified over 10 years ago

Similar presentations

Presentation on theme: "Recoverable Encryption through Noised Secret over Large Cloud Sushil Jajodia 1, W. Litwin 2 & Th. Schwarz 3 1 George Mason University, Fairfax, VA"— Presentation transcript:

1 Recoverable Encryption through Noised Secret over Large Cloud Sushil Jajodia 1, W. Litwin 2 & Th. Schwarz 3 1 George Mason University, Fairfax, VA {jajodia@gmu.edu} 2 Université Paris Dauphine, Lamsade {witold.litwin@dauphine.fr} 3 Thomas Schwarz, UCU, Montevideo {tschwarz@ucu.edu.uy}jajodia@gmu.eduwitold.litwin@dauphine.frtschwarz@ucu.edu.uy 1

2 What ? New schemes for backup of encryption keys entrusted to an Escrow – Collectively called RE NS Schemes – They backup high quality encryption keys AES (256b), DH 500+b… Backup itself is specifically encrypted Unlike a traditional simple key copy 2

3 What ? Fast brute-force recovery remains possible – In the absence of key owner – Within the timing wished by the recovery requestor But only over a large cloud 1K – 100K nodes 3

4 What ? Key owner (creator) sets up the backup encryption complexity (hardness) No one can easily decrypt the backup – Without a large calculation Neither the escrow nor an attacker Not even the key owner 4

5 What ? Fast legal recovery – E.g., 10 min max on 10K-node cloud Assuming all nodes available when recovery starts. 5

6 What ? Unwelcome recovery is unlikely – E.g. could easily take, say, 70 or even 700 days at escrows processor alone – Illegal use of a large cloud is implausible Cloud providers do best to prevent it Easily noticeable if ever starts – Follow the money Leaves compromising traces in numerous logs 6

7 Why High quality key loss danger is Achilles heel of modern crypto – Makes many folks refraining of any encryption – Other loose many tears if unthinkable happens 7

8 Why If you create key copies… – Every copy increases danger of disclosure – For an Escrow, her/his copy is an obvious temptation – Some Escrows may not resist to In short users face the dilemma: Key loss or disclosure ? That is The Question 8

9 Why RE NS schemes alleviate this dilemma Easily available large clouds make them realistic Our schemes should benefit numerous applications 9

10 How (Overview) : Key Owner Side Key owner or client chooses inhibitive timing of 1-node (brute- force) recovery – Presumably unwelcome at escrows site alone – E.g. 70 days – Or 700 days for less trusted escrows – Or anything between 10

11 How : Key Owner Side Consequently, the owner fixes a large integer – Called backup encryption complexity or hardness Actually, this step may be programmed – The backup encryption agent on client node may be in charge of 11

12 How : Key Owner Side Key owner or the agent creates the shared noised secret – Some share(s) of the actual secret become noised shares – « Burried » among very many look-alike but fake noise shares 12

13 How : Key Owner Side The only way to recognize whether a noise share is a noised one is to try out its « footprint » The owner/agent creates the footprint for each noised share Each footprint is unique Remember Cinderella ? 13

14 How : Key Owner Side Key owner/agent sends the noised secret to Escrow Noised secret is the backup – Guess your key by its print in this mess (inspired by CSIS actual ex.) 14

15 How (Overview) : Escrow Side Key requestor asks Escrow to recover data in acceptable max recovery time – E.g. 10 min Escrows server sends the time and all but one shares of the noised secret to the cloud Intruder to the cloud cannot find the key 15

16 How : Escrows Side RE NS scheme executed at the cloud chooses the cloud size – To fit the calculus time limit for sure – Say 10K nodes Search for the noised share gets partitioned over the nodes Nodes work in parallel – Matching the footprints 16

17 How : Escrows Side Every lucky node reports back to Escrow the noised share found Escrow server recovers the key from all the shares – Using the clasical XORing Sends the recovered key to Requestor – Not forgetting the bill 17

18 What Else ? Well, everything is in details – Client Side Encryption – Server Side Recovery Static Scheme Scalable Scheme – Related Work – Conclusion 18

19 What Else ? More : – Res. Rep. http://www.lamsade.dauphine.fr/~litwin/Recoverabl e%20Encryption_10.pdf – S. Jajodia, W. Litwin & Th. Schwarz. Recoverable Encryption through a Noised Secret over a Large Cloud. 5th Inl. Conf. on Data Management in Cloud, Grid and P2P Systems (Globe 2012 ) Publ. Springer Verlag, Lecture Notes in Comp. 19

20 Client Side (Backup) Encryption Client X backs up encryption key S X estimates 1-node inhibitive time D – Say 70 days D measures trust to Escrow – Lesser trust ? Choose 700 days 20

21 Client Side Encryption D determines minimal cloud size N for future recovery in any acceptable time R – Chosen by recovery requestor E.g. 10 min – X expects N > D / R but also N D / R E.g. N 10K for D = 70 days – N 100K for D = 700 days 21

22 Client Side Encryption X creates a classical shared secret for S – S is seen as a large integer, E.g., 256b long for AES – Basically, X creates a 2-share secret – Share s 0 is a random integer – Share s 1 is calculated as s 1 = s 0 XOR S Common knowledge: – S = s 0 XOR s 1 22

23 Client Side Encryption X transforms the shared secret into a noised one – X makes s 0 a noised share : Chooses a 1-way hash H – E.g. SHA 256 Computes the hint h = H (s 0 ) – Chooses the noise space I = 0,1…,m,…M-1 – For some large M determined as we explain soon 23

24 Client-Side Encryption – Each noise m and s 0 define a noise share s In a way we show soon as well – There are M different pseudo random noise shares All but one are different from s 0 But it is not known which one is s 0 – The only way to find for any s whether s = s 0 is to attempt the match H (s) ?= h 24

25 Shared Secret / Noised (Shared) Secret 25 = S S0S0 XOR S = S0S0 Noise shares Noise shares Noised share S 0 n Noise space I Hint H (s 0 ) S1S1 S1S1 H is one-way hash SHA 256 by default

26 Client Side Encryption X estimates the 1-node throughput T – # of match attempts H (s) ?= h per time unit 1 Sec by default X sets M to M = Int (DT). – M should be 2 40 ÷ 2 50 in practice 26

27 Client Side Encryption X randomly chooses m I = [0,1…M[ Calculates base noise share f = s 0 – m Defines noised share s 0 n = (f, M, h). Sends the noised secret S = (s 0 n, s 1 ) to Escrow as the backup 27

28 Escrow-Side Recovery (Backup Decryption) Escrow E receives legitimate request of S recovery in time R at most E chooses between static or scalable recovery schemes E sends data S = (s 0 n, R) to some cloud node with request for processing accordingly – Keeps s 1 out of the cloud 28

29 Recovery Processing Parameters Node load L n : # of noises among M assigned to node n for match attempts Throughput T n : # of match attempts node n can process / sec Bucket (node) capacity B n : # of match attempts node n can process / time R – B n = R T n Load factor n = L n / B n 29

30 Node Load 30 L B T 1 α L B T L B T OverloadNormal loadOptimal load 1 R t

31 Recovery Processing Parameters Notice the data storage oriented vocabulary Node n respects R iff n 1 – Assuming T constant during the processing The cloud respects R if for every n we have n 1 This is our goal – For both static and scalable schemes we now present 31

32 Static Scheme 32 Intended for a homogenous Cloud – All nodes provide the same throughput

33 Static Scheme : Init Phase Node C that got S from E becomes coordinator Calculates a (M) = M / B (C) – Usually (M) >> 1 Defines N as a (M) – Implicitly considers the cloud as homogenous E.g., N = 10K or N = 100K in our ex. 33

34 Static Scheme : Map Phase C asks for allocation of N-1 nodes Associates logical address n = 1, 2…N-1 with each new node & 0 with itself Sends out to every node n data (n, a 0, P) – a 0 is its own physical address, e.g., IP – P specifies Reduce phase 34

35 Static Scheme : Reduce Phase P requests node n to attempt matches for every noise share s = (f + m) such that n = m mod N In practice, e.g., while m < M: – Node 0 loops over noise m = 0, N, 2N… So over the noise shares f, f + N, f + 2N… – Node 1 loops over noise m = 1, N+1, 2N+1… – ….. – Node N – 1 loops over m = (your guess here) 35

36 Static Scheme : Node Load 36 T 1 α 0 1 2 N - 1 1 R, B t, L …….. f + 2N f + N f …….. f + 2N + 1 f + N + 1 f + 1 …….. f + 2N + 2 f + N + 2 f + 2 …….. f + 3N - 1 f + 2N - 1 f + N - 1

37 Static Scheme Node n that gets the successful match sends s to C Otherwise node n enters Termination C asks every node to terminate – Details depend on actual cloud C forwards s as s 0 to E 37

38 Static Scheme E discloses the secret S and sends S to Requestor – Bill included (we guess) E.g., up to 400$ on CloudLayer for – D = 70 days – R = 10 min – Both implied N = 10K with private option 38

39 Static Scheme Observe that N D / R and N D / R – If the initial estimate of T by S owner holds Observe also that for every node n, we have (n) 1 Under our assumptions maximal recovery time is thus indeed R Average recovery time is R / 2 – Since every noise share is equally likely to be the lucky one 39

40 Static Scheme See papers for – Details, – Numerical examples – Proof of correctness The scheme really partitions I Whatever is N and s 0, one and only one node finds s 0 40

41 Static Scheme Safety – No disclosure method can in practice be faster than the scheme – Dictionary attack, inverted file of hints… Other properties 41

42 Scalable Scheme Heterogeneous cloud – Node throughputs may differ 42

43 Scalable Scheme Intended for heterogenous clouds – Different node throughputs – Basically only locally known E.g. – Private or hybrid cloud – Public cloud without so-called private node option 43

44 Scalable Scheme Init phase similar up to (M) calculus – Basically (M) >> 1 – Also we note it now 0 If > 1 we say that node overflows Node 0 sets then its level j to j = 0 and splits – Requests node 2 j = 1 – Sets j to j = 1 – Sends to node 1, (S, j, a 0 ) 44

45 Scalable Scheme As result – There are N = 2 nodes – Both have j = 1 – Node 0 and node 1 should each process M / 2 match attempts We show precisely how on next slides – Iff both 0 and 1 are no more than 1 Usually it should not be the case The splitting should continue as follows 45

46 Scalable Scheme Recursive rule – Each node n splits until n 1 – Each split increases node level j n to j n + 1 – Each split creates new node n = n + 2 j n – Each node n gets j n = j n initially Node 0 splits thus perhaps into nodes 1,2,4… Until 0 1 Node 1 starts with j= 1 and splits into nodes 3,5,9… Until 1 1 46

47 Scalable Scheme Node 2 starts with j = 2 and splits into 6,10,18… Until 2 1 Your general rule here Node with smaller T splits more times and vice versa 47

48 Scalable Scheme : Splitting 48 5 B α = 0.5 3 0 1 2 4 8 16 1 2 4 α = 0.8 α = 0.7 5 Node 0 split 5 times. Other nodes did not split. j T T T

49 Scalable Scheme If cloud is homogenous, the address space is contiguous Otherwise, it is not – No problem – Unlike for a extensible or linear hash data structure 49

50 Scalable Scheme : Reduce phase Every node n attempts matches for every noise k [0, M-1] such that n = k mod 2 j n. If node 0 splits three times, in Reduce phase it attempts to match noised shares (f + k) with k = 0, 8, 16… If node 1 splits four times, it attempts to match noised shares (f + k) with k = 1, 17, 33… Etc. 50

51 Scalable Scheme : Reduce Phase 51 3 B α = 0.5 0 1 4 j T …. f + 16 f + 8 f …. f + 33 f + 17 f + 1 L

52 Scalable Scheme N D / R – If S owner initial estimate holds For homogeneous cloud it is 30% greater on the average and twice as big at worst / static scheme Cloud cost may still be cheaper – No need for private option Versatility may still make it preferable besides 52

53 Scalable Scheme Max recovery time is up to R – Depends on homogeneity of the cloud Average recovery time is up to R /2 See again the papers for – Examples – Correctness – Safety – … – Detailed perf. analysis remains future work 53

54 Related Work RE scheme for outsourced LH* files CSCP scheme for outsourced LH* records sharing Crypto puzzles One way hash with trapdoor 30-year old excitement around Clipper chip Botnets 54

55 Conclusion Key safety is Achilles heel of cryptography Key loss or key disclosure ? That is The Question RE NS schemes alleviate the dilemma Future work Deeper formal analysis – Proof of concept implementation – Variants 55

56 Thanks for Your Attention 56 Witold LITWIN & al

Download ppt "Recoverable Encryption through Noised Secret over Large Cloud Sushil Jajodia 1, W. Litwin 2 & Th. Schwarz 3 1 George Mason University, Fairfax, VA"

Similar presentations

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
Repaso: Unidad 2 Lección 2

Repaso: Unidad 2 Lección 2
1 A B C 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52.

1 A B C
Simplifications of Context-Free Grammars

Simplifications of Context-Free Grammars
Variations of the Turing Machine

Variations of the Turing Machine
EE384y: Packet Switch Architectures

EE384y: Packet Switch Architectures
3rd Annual Plex/2E Worldwide Users Conference 13A Batch Processing in 2E Jeffrey A. Welsh, STAR BASE Consulting, Inc. September 20, 2007.

3rd Annual Plex/2E Worldwide Users Conference 13A Batch Processing in 2E Jeffrey A. Welsh, STAR BASE Consulting, Inc. September 20, 2007.
AP STUDY SESSION 2.

AP STUDY SESSION 2.
1

1
& dding ubtracting ractions.

& dding ubtracting ractions.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
STATISTICS HYPOTHESES TEST (I)

STATISTICS HYPOTHESES TEST (I)
David Burdett May 11, 2004 Package Binding for WS CDL.

David Burdett May 11, 2004 Package Binding for WS CDL.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Local Customization Chapter 2. Local Customization 2-2 Objectives Customization Considerations Types of Data Elements Location for Locally Defined Data.

Local Customization Chapter 2. Local Customization 2-2 Objectives Customization Considerations Types of Data Elements Location for Locally Defined Data.
Create an Application Title 1Y - Youth Chapter 5.

Create an Application Title 1Y - Youth Chapter 5.
Process a Customer Chapter 2. Process a Customer 2-2 Objectives Understand what defines a Customer Learn how to check for an existing Customer Learn how.

Process a Customer Chapter 2. Process a Customer 2-2 Objectives Understand what defines a Customer Learn how to check for an existing Customer Learn how.
CALENDAR.

CALENDAR.
1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt BlendsDigraphsShort.

1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt BlendsDigraphsShort.
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.

PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.

Similar presentations

Ads by Google