Presentation is loading. Please wait.

Presentation is loading. Please wait.

A F RAMEWORK FOR THE A NALYSIS OF M IX -B ASED S TEGANOGRAPHIC F ILE S YSTEMS Claudia Diaz, Carmela Troncoso, Bart Preneel K.U.Leuven / COSIC Cambridge,

Published byElvin Harper Modified over 9 years ago

Similar presentations

Presentation on theme: "A F RAMEWORK FOR THE A NALYSIS OF M IX -B ASED S TEGANOGRAPHIC F ILE S YSTEMS Claudia Diaz, Carmela Troncoso, Bart Preneel K.U.Leuven / COSIC Cambridge,"— Presentation transcript:

1 A F RAMEWORK FOR THE A NALYSIS OF M IX -B ASED S TEGANOGRAPHIC F ILE S YSTEMS Claudia Diaz, Carmela Troncoso, Bart Preneel K.U.Leuven / COSIC Cambridge, January 28, 2009 1

2 M OTIVATION Problem: we want to keep stored information secure (confidential) Encryption protects against the unwanted disclosure of information but… reveals the fact that hidden information exists! User can be threatened / tortured / coerced to disclose the decryption keys (“ coercion attack ”) We need to hide the existence of files Property: plausible deniability Allow users to deny believably that any further encrypted data is located on the storage device If password is not known, not possible to determine the existence of hidden files 2

3 A TTACKER MODEL : ONE SNAPSHOT Attacker has never inspected the user’s computer before coercion Ability to coerce the user at any point in time User produces some keys Attacker inspects user computer Game: If attacker is able to determine that the user has not provided all her keys, the attacker wins 3

4 A NDERSON, N EEDHAM & S HAMIR (1998) 1. Use cover files such that a linear combination (XOR) of them reveals the information Password: subset of files to combine Hierarchy (various levels of security) User can show some “low” security levels while hiding “high” security levels Not possible to know whether she has revealed the keys to all existing levels Drawbacks: File read operations have high cost Needs a lot of cover files to be secure (computationally infeasible to try all combinations) Assumes adversary knows nothing about the plaintext 4

5 A NDERSON, N EEDHAM & S HAMIR (1998) 2. Real files hidden in encrypted form in pseudo- random locations amongst random data Location derived from the name of the file and a password Collisions (birthday paradox) overwrite data: Use only small part of the storage capacity ( < ) Replication All copies of a block need to be overwritten to lose the data Linear hierarchy: higher security levels need more replication 5

6 S TEG FS: M C D ONALD & K UHN (1999) o Implemented as extension of the Linux file system (Ext2fs) o Hidden files are placed into unused blocks of a “normal” partition o Normal files are overwritten with random data when deleted o Attacker cannot distinguish a deleted normal file from an encrypted hidden file o Block allocation table with one entry per block on the partition: o Used blocks: entry encrypted with same key as data block o Unused blocks: random data o The table helps locating data and detecting corrupted blocks (lower security levels can still overwrite higher ones) 6

7 What if attacker can observe accesses to the store? Remote or shared semi-trusted store Distributed P2P system Same game as before: o Ability to coerce the user at any point in time o User produces keys to some security levels o Attacker inspects user computer o If attacker is able to determine that the user has not provided all her keys, the attacker wins BUT now the adversary has prior information (which blocks have been accessed/modified) Previous systems do not provide plausible deniability against this adversary model A TTACKER MODEL : CONTINUOUS OBSERVATION 7

8 P REVIOUS WORK WHERE THIS ADVERSARY IS RELEVANT : P2P Distributed (P2P) steganographic file systems: Mnemosyne: Hand and Roscoe (2002) Mojitos: Giefer and Letchner (2002) Propose dummy traffic to hide access patterns (no details provided) 8

9 P REVIOUS WORK WHERE THIS ADVERSARY IS RELEVANT : S EMI - TRUSTED REMOTE STORE Semi-trusted remote store: Zhou et al. (2004) Use of constant rate cover traffic (dummy accesses) to disguise file accesses Every time a block location is accessed, it is overwritten with different data (re-encrypted with different IV) Block updates no longer indicate file modifications Every time a file block is accessed, it is moved to another (empty) location Protects against simple access frequency analysis Relocations are low-entropy Broken by Troncoso et al. (2007) with traffic analysis attacks that find correlations between sets of accesses Multi-block files are found prior to coercion if they are accessed twice One-block files are found if accessed a few times 9

10 H OW IT IS BROKEN ( SIMPLIFIED VERSION ) 1 10 2 20 3 30 4 40 … … 10 100 20 200 30 300 40 400 At time t 1 At time t 2 10

11 Can we provide plausible deniability against an adversary who monitors the store prior to coercion? 11

12 S YSTEM MODEL Files are stored on fixed-size blocks Blocks containing (encrypted) file data are undistinguishable from empty blocks containing random data Several levels of security (we assume hierarchical) User discloses keys to some of these levels while keeping others hidden Data persistence: erasure codes for redundancy (impact on plausible deniability) Traffic analysis resistance Constant rate dummy traffic High entropy block relocation 12 Process user file requests Generate dummy traffic (uniform)

13 U SER L OGIN User logs in with security level s, by providing key uk s Agent trial-decrypts every entry in the table Files in security levels s or lower can be found in the table Files in higher security levels are indistinguishable from random (empty) Agent starts making block accesses (either dummy or to retrieve files requested by the user) For each block, the agent performs an access cycle 13 Table

14 Block containing a file in security level s User key: uk s (One time) block key: bk i Empty block, or containing a file in security level higher than s B LOCK ENCRYPTION 14 data random

15 A CCESS CYCLE 15 Table

16 A TTACK METHODOLOGY 1. Attacker profiles the system to extract: Typical access sequences when the user is idle (dummy traffic) Typical access sequences when the user is accessing a file 2. Attacker monitors accesses and looks for sequences that look like file accesses 3. Attacker coerces the user when sequence indicates possible file access (worst case scenario) 4. Attacker obtains some user keys and inspects computer 5. Attacker combines the evidence obtained before and after coercion to try to determine if there are more user keys the user has not provided 6. If the probability of undisclosed keys is high, deniability is low, and vice versa. 16

17 E XTRACTING INFORMATION FROM THE SEQUENCE OF ACCESSES TO THE STORE I 17 Attacker profiles the system to extract t ypical access sequences when the user is accessing a file MixSFS 48517329 xxx58438947 23791

18 E XTRACTING INFORMATION FROM THE SEQUENCE OF ACCESSES TO THE STORE II 18 Attacker profiles the system to extract: Typical access sequences when the user is idle (dummy traffic) Establish a baseline for dummy traffic Analyze accesses to store and find strong correlations (unlikely to be generated by dummy traffic) For big files, the area that goes over the baseline is much bigger than for dummy traffic (i.e., distinguishable)

19 S ECURITY METRICS : UNOBSERVABILITY Prior to coercion: we define unobservability (U) as the probability of a file operation being undetectable by the adversary; i.e., the sequence of store accesses generated by a file operation is considered by the adversary as dummy traffic 19

20 S ECURITY METRICS : DENIABILITY 20 After coercion Percentage of empty blocks in pool compared to the percentage in the whole store Worst case scenario: coercion occurs immediately after a hidden file access – large number of “empty” blocks in the pool We define deniability (D) as the probability that the evidence collected by the adversary (before and after coercion) has been generated by dummy traffic (i.e., no evidence of hidden files).

21 C ONCLUSIONS AND OPEN QUESTIONS Conclusions Hard to protect against traffic analysis, even using constant rate dummy traffic Hard to conceal file accesses with dummy traffic that selects locations uniformly at random When files occupy more blocks, access to them is harder to conceal Open questions More sophisticated pattern recognition algorithms may extract more info from the sequence of accesses Design of smarter traffic analysis strategies Can such a system be implemented in practice? 21

22 Thank you! 22

Download ppt "A F RAMEWORK FOR THE A NALYSIS OF M IX -B ASED S TEGANOGRAPHIC F ILE S YSTEMS Claudia Diaz, Carmela Troncoso, Bart Preneel K.U.Leuven / COSIC Cambridge,"

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Henry C. H. Chen and Patrick P. C. Lee

Henry C. H. Chen and Patrick P. C. Lee
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi.

Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi.
White-Box Cryptography

White-Box Cryptography
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
File Systems.

File Systems.
SEMINAR ON FILE SLACK AND DISK SLACK

SEMINAR ON FILE SLACK AND DISK SLACK
Threats to privacy in the forensic analysis of database systems Patrick Stahlberg, Gerome Miklau, and Brian Neil Levine Department of Computer Science.

Threats to privacy in the forensic analysis of database systems Patrick Stahlberg, Gerome Miklau, and Brian Neil Levine Department of Computer Science.
Fall 2008CS 334: Computer Security1 Crypto Conclusion Message Authentication Codes Key Management.

Fall 2008CS 334: Computer Security1 Crypto Conclusion Message Authentication Codes Key Management.
File System Analysis.

File System Analysis.
1 Steganographic File Systems Claudia Diaz ESAT/COSIC (K.U.Leuven)

1 Steganographic File Systems Claudia Diaz ESAT/COSIC (K.U.Leuven)
Active Learning and Collaborative Filtering

Active Learning and Collaborative Filtering
1 On Protecting Private Information in Social Networks: A Proposal Bo Luo 1 and Dongwon Lee 2 1 The University of Kansas, 2 The Pennsylvania.

1 On Protecting Private Information in Social Networks: A Proposal Bo Luo 1 and Dongwon Lee 2 1 The University of Kansas, 2 The Pennsylvania.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Encrypted File System (EFS) Sankara Narayanan. CSE 785 Computer Security, Syracuse University, NY Spring 2003 – 2004.

Encrypted File System (EFS) Sankara Narayanan. CSE 785 Computer Security, Syracuse University, NY Spring 2003 – 2004.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Cryptography and Network Security Chapter 11. Chapter 11 – Message Authentication and Hash Functions At cats' green on the Sunday he took the message.

Cryptography and Network Security Chapter 11. Chapter 11 – Message Authentication and Hash Functions At cats' green on the Sunday he took the message.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Similar presentations

Ads by Google