HAIL (High-Availability and Integrity Layer) for Cloud Storage Kevin Bowers and Alina Oprea RSA Laboratories Joint work with Ari Juels.


Slide 1: HAIL (High-Availability and Integrity Layer) for Cloud Storage
Kevin Bowers and Alina Oprea, RSA Laboratories. Joint work with Ari Juels.

Slide 2: Cloud storage
(Diagram: a client talking to a cloud storage provider made up of a web server and a storage server.)
Pros:
  – Lower cost
  – Easier management
  – Enables sharing and access from anywhere
Cons:
  – Loss of control
  – No guarantees of data availability
  – Provider failures

Slide 3 (news headlines)
  – "Amazon S3 systems failure downs Web 2.0 sites: Twitterers lose their faces, others just want their data back" (Computer World, July 21, 2008)
  – "Customers Shrug Off S3 Service Failure. At about 7:30 EST this morning, S3, Amazon.com's online storage service, went down. The 2-hour service failure affected customers worldwide." (Wired, Feb. 15, 2008)
  – "Loss of customer data spurs closure of online storage service 'The Linkup'" (Network World, Nov 8, 2008)
  – "Spectacular Data Loss Drowns Sidekick Users" (October 10, 2009)
Two kinds of failure: temporary unavailability and permanent data loss.
How do we increase users' confidence in the cloud?

Slide 4: Outline
Proofs of Retrievability
  – Constructions and practical aspects
  – Limitations
HAIL goals and adversarial model
HAIL protocol design
  – Encoding layer
  – Decoding layer
  – Challenge-response protocol
  – Redistribution of shares in case of failures
HAIL parameter tradeoffs
Open problems

Slide 5: PORs: Proofs of Retrievability
Client outsources a file F to a remote storage provider
Client would like to ensure that her file F is retrievable
The simple approach: client periodically downloads F. This is resource-intensive!
What about spot-checking instead?
  – Sample a few file blocks periodically
  – If the file is not stored locally, a verification mechanism is needed (e.g., a MAC for each file block)

Slide 6: Spot-checking
(Diagram: the client holds key k; the provider stores F. The client samples blocks B1, B4, B7 and checks their tags T1, T2, T3, computed as MAC_k over the sampled blocks, e.g. MAC_k[B4].)

Slide 7: Spot-checking
(Diagram: same setup, but the corrupted block is not among the sampled blocks B1, B4, B7.)
Small corruptions go undetected

Slide 8: Error correcting code
(Diagram: F stored together with parity blocks.)
Corrects small corruption

Slide 9: ECC + MAC
(Diagram: F plus parity blocks P1, ...; MACs T1..T4 computed over file and parity blocks; the client samples B1, B4, B7 and P1.)
Detects large corruption through spot checking
Corrects small corruption through ECC

Slide 10: Query aggregation
(Diagram: the client sends one challenge naming several blocks; the provider returns a single aggregated response. MACs are computed over the aggregation of blocks of F and parity.)

Slide 11: Practical considerations
Applying such an ECC to all of F is impractical
Instead, we can stripe the ECC
If the adversary knows the stripe structure, she can corrupt selectively…

Slide 12: Selective corruption
Adversary targets a particular stripe
File cannot be recovered
The probability that the client detects the corruption through sampling is small if stripes are small
Practical code parameters encode hundreds of bytes at a time (e.g., Reed-Solomon (255, 223, 32))

Slide 13: Adversarial codes: hide ECC stripes
Do secret, randomized partitioning of F into stripes
  – E.g., use a secret key to generate a pseudorandom permutation, then choose stripes sequentially
Encrypt and permute parity blocks
The encoding is still systematic
But the adversary does not know where the stripes are, so… the adversary cannot feasibly target a stripe!
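An added toy example of the hidden-stripe idea on slide 13 (not code from the talk or the POR implementation): block indices are permuted with a secret key, stripes are cut sequentially from the permuted order, and the parity blocks are encrypted and permuted before storage while the data blocks stay in place (systematic). Assumptions: a single XOR parity block per stripe replaces Reed-Solomon parity, and an HMAC-seeded shuffle stands in for a real keyed pseudorandom permutation.

```python
import hmac, hashlib, random

def keyed_perm(key, n, label):
    # Secret pseudorandom permutation of [0, n). Assumption: an HMAC-seeded shuffle stands in for a real keyed PRP.
    rng = random.Random(hmac.new(key, label, hashlib.sha256).digest())
    perm = list(range(n))
    rng.shuffle(perm)
    return perm

def keystream(key, j, size):
    # One-time pad for parity block j (assumption: HMAC output used as keystream)
    return hmac.new(key, b"parity-enc:%d" % j, hashlib.sha256).digest()[:size]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encode(key, blocks, stripe_len):
    # Hidden stripes: permute block indices with the key, then cut stripes sequentially.
    # Simplification: one XOR parity block per stripe (repairs one erasure), not Reed-Solomon.
    n, size = len(blocks), len(blocks[0])
    perm = keyed_perm(key, n, b"stripes")
    parity = []
    for s in range(n // stripe_len):
        p = bytes(size)
        for idx in perm[s * stripe_len:(s + 1) * stripe_len]:
            p = xor(p, blocks[idx])
        parity.append(p)
    # Encrypt the parity and permute its storage order, so the stored layout reveals no stripe membership.
    pperm = keyed_perm(key, len(parity), b"parity-order")
    stored = [None] * len(parity)
    for j, p in enumerate(parity):
        stored[pperm[j]] = xor(p, keystream(key, j, size))
    return blocks + stored  # systematic: data blocks are stored unchanged, parity appended

def recover_block(key, encoded, n, stripe_len, missing):
    # The key holder locates the stripe containing block `missing` and rebuilds it from its stripe-mates and the decrypted parity.
    perm = keyed_perm(key, n, b"stripes")
    s = perm.index(missing) // stripe_len
    pperm = keyed_perm(key, n // stripe_len, b"parity-order")
    size = len(encoded[0])
    p = xor(encoded[n + pperm[s]], keystream(key, s, size))
    for idx in perm[s * stripe_len:(s + 1) * stripe_len]:
        if idx != missing:
            p = xor(p, encoded[idx])
    return p

def demo():
    key = b"client-secret-key"                          # constructed
    blocks = [i.to_bytes(4, "big") for i in range(12)]  # constructed 12-block file
    enc = encode(key, blocks, stripe_len=4)
    return recover_block(key, enc, 12, 4, 5) == blocks[5]   # block 5 lost, rebuilt from its hidden stripe
```

Without the key, the stored layout (data blocks in original order, parity encrypted and shuffled) gives no hint of which blocks share a stripe, which is what defeats the selective corruption of slide 12.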

Slide 14: POR papers
Proofs of Retrievability (PORs)
  – Juels-Kaliski 2007
Proofs of Data Possession (PDPs)
  – Burns et al. 2007
  – Erway et al. 2009
Unlimited queries using homomorphic MACs
  – Shacham-Waters 2008
  – Ateniese, Kamara and Katz 2009
Fully general query aggregation in PORs
  – Bowers, Juels and Oprea 2009
  – Dodis, Vadhan and Wichs 2009

Slide 15: When PORs fail
(Diagram: the client, holding key k, runs challenge-response with the provider and then feeds the retrieved F to the decoder; decoding fails: unrecoverable.)

Slide 16: Outline (repeated; next section: HAIL goals and adversarial model)

Slide 17: HAIL goals
Resilience against cloud provider failure and temporary unavailability
Use multiple cloud providers to construct a reliable cloud storage service out of unreliable components
  – RAID (Reliable Array of Inexpensive Disks) for cloud storage under an adversarial model
Provide clients or third parties with auditing capabilities
  – Efficient proofs of file availability by interacting with cloud providers

Slide 18: RAID (Redundant Array of Inexpensive Disks)
(Diagram: one stripe holds data blocks B1, B2, B3 and parity block P1 = B1 ⊕ B2 ⊕ B3; when the drive holding B2 fails, B2 is rebuilt from B1, B3 and P1.)
Shift from monolithic, high-performance drives to cheaper drives with redundancy

Slide 19: RAID in the Cloud
(Diagram: providers A, B, C, D.)
Fuse together cheap cloud providers to provide a high-quality (reliable) abstraction
  – E.g., Memopal offers $0.02 / GB / month storage on a 5-year contract vs. Amazon at $0.15 / GB / month

Slide 20: …But the cloud is adversarial!
(Diagram: providers A, B, C, D.)
RAID was designed for benign failures (drive crashes)
Static adversaries are not realistic
A mobile adversary moves from provider to provider
  – System failures and corruptions over time
  – Corrupts a threshold of providers in each epoch (b out of n)

Slide 21: Mobile adversary
(Diagram: providers A, B, C, D.)
Combination of proactive and reactive models
  – Separate each server into code base and storage base
    · Code base of servers cleaned at the beginning of each epoch (e.g., through reboot)
    · At most b out of n servers have corrupted code in each epoch
  – Challenge-responses used for detection of failure
    · Corrupted storage recovered when failure is detected

Slide 22: HAIL protocols
File encoding
  – Distribute a file across n storage providers
  – Add redundancy to tolerate provider failures
  – Small state stored locally by client (including secret key)
File decoding
  – Recover original file by contacting a threshold of providers
  – Tolerate provider failures or unavailability
Challenge-response protocol
  – Executed a number of times per epoch
  – Enables clients to perform integrity checks by contacting a threshold of providers
  – Detects failures early and enhances data availability
Share redistribution
  – When a failure is detected, clients reconstruct shares from the redundancy encoded at other providers

Slide 23: Outline (repeated; next section: HAIL protocol design)

Slide 24: First idea: file replication with POR
(Diagram: F, together with parity and MACs, is stored in full at each of providers A, B, C; the client runs a separate POR challenge-response with each provider.)

Slide 25: File replication with POR: Issues
(Diagram: as on slide 24; the client computes a different set of MACs for each provider's copy.)
Compute different MACs per provider
Large encoding overhead
Large storage overhead due to replication

Slide 26: Use redundancy across servers
(Diagram: F replicated at providers A, B, C; the client samples block i and receives F_i from each provider.)
Sample and check consistency across providers

Slide 27: Small-corruption attack
(Diagram: one provider's copy of block F_i is corrupted.)
The probability that the client samples the corrupted block is low
File cannot be recovered after [n/b] epochs

Slide 28: Replication with server code
(Diagram: F plus parity stored at each of providers A, B, C.)
Still vulnerable to the small-corruption attack once corruption exceeds the error correction rate of the server code
Large storage overhead due to replication

Slide 29: Dispersal erasure code
(Diagram: servers P_A, P_B, P_C, P_D, P_E. A stripe consists of file blocks F1, F2, F3 on the primary servers (k of them) and dispersal code parity on the secondary servers (n-k of them).)
File can be recovered from any k available servers
For encoding efficiency, use striping for 128-bit blocks

Slide 30: Two encoding layers
(Diagram: as on slide 29, with the server code applied within each server and the dispersal code across servers.)
Dispersal code reduces the storage overhead of replication with similar availability guarantees
Server code improves resilience to the small-corruption attack

Slide 31: Checking for correct encoding
(Diagram: servers P_A..P_E; the client retrieves one stripe.)
Check that the stripe is a codeword in the dispersal code

Slide 32: Aggregation of stripes
(Diagram: the client retrieves several stripes combined with coefficients 1, α, α^2, ...)
Check that the linear combination of stripes is a codeword

Slide 33: Comparison
File replication with POR (F + parity + MACs at every provider):
  – Large storage overhead due to replication
  – Redundant MACs for POR
  – Large encoding overhead
  – Verifiable by client only
  + Increased lifetime
HAIL: two encoding layers (dispersal and server code):
  + Optimal storage overhead for given availability level
  + Uses cross-server redundancy for verifying responses
  + Reasonable encoding overhead
  + Public verifiability
  – Limited lifetime

Slide 34: Increase protocol lifetime
(Diagram: stripes F1, F2, F3 across servers P_A..P_E, each block carrying a MAC.)
Authenticate stripes with MACs: one MAC per block
  – Large storage overhead
  – How can the MACs from multiple stripes be aggregated?

Slide 35: Integrity-protected dispersal code
(Diagram: each parity block of the dispersal code has PRF_k1(pos) added to it.)
Embed integrity information into the parity blocks of the dispersal code
Can check a linear combination of MACs knowing only the linear combination of blocks

Slide 36: HAIL protocols
Encoding
  – Two layers of error correction: dispersal code and server code
  – Integrity-protected dispersal code used to reduce storage overhead
  – Server code is an adversarial erasure code
Decoding
  – Reverse of encoding, using two layers of error correction
Tradeoffs:
  – Erasure dispersal code: tolerates n-m-1 failures per round, but decoding requires brute force in case of errors (the positions of erasures are not known)
  – Error-correcting dispersal code: tolerates up to b = (n-m-1)/2 failures per round

Slide 37: HAIL protocols, cont.
Challenge-response
  – Executed a number of times in each time round
  – Challenge: a number of row positions
  – Response: aggregated row
  – Verification: the response should be a codeword in the dispersal code and the composite MAC should be valid
Redistribution of shares:
  – Invoked when corruption of a fragment is detected by challenge-response
  – Reconstruction done by the client and involves downloading m correct file fragments
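An added illustration of slides 32, 35 and 37 (example code, not the HAIL paper's or its implementation): a toy integrity-protected dispersal code in which a challenge names several rows, each server returns the α-weighted combination of its blocks in those rows, and the client checks that the aggregated row is a codeword once the aggregated PRF masks are removed. Assumptions: a 61-bit prime field stands in for HAIL's GF(2^w) symbols, the parity map is a Vandermonde-style linear map, PRF_k is instantiated as HMAC-SHA256, and the server code layer is omitted.

```python
import hmac, hashlib

P = (1 << 61) - 1  # prime field GF(P); assumption: stands in for the GF(2^w) symbols HAIL uses
K, N = 3, 5        # K primary servers hold file blocks, N-K secondary servers hold dispersal parity

def prf(key, row, server):
    # PRF_k(pos) from slide 35, instantiated as HMAC-SHA256 reduced mod P (assumption)
    tag = hmac.new(key, b"%d:%d" % (row, server), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % P

def dispersal_parity(data):
    # Systematic linear code: parity_j = sum_i (j+2)^i * data_i (Vandermonde rows, assumption)
    return [sum(pow(j + 2, i, P) * d for i, d in enumerate(data)) % P for j in range(N - K)]

def encode_row(key, row, data):
    # Integrity-protected dispersal: each parity block is masked with PRF_k(row, server)
    return data + [(p + prf(key, row, K + j)) % P for j, p in enumerate(dispersal_parity(data))]

def respond(stripes, rows, alpha):
    # Server side: every server returns sum_e alpha^e * block[rows[e]] from its own column
    # (all N servers modelled together; the server code layer is omitted)
    return [sum(pow(alpha, e, P) * stripes[r][s] for e, r in enumerate(rows)) % P for s in range(N)]

def verify(key, rows, alpha, agg):
    # Client side: strip the aggregated PRF masks and check that the aggregated row is a codeword.
    # Because both the code and the masks are linear, the client never needs the individual rows.
    expected = dispersal_parity(agg[:K])
    for j in range(N - K):
        mask = sum(pow(alpha, e, P) * prf(key, r, K + j) for e, r in enumerate(rows)) % P
        if (expected[j] + mask) % P != agg[K + j]:
            return False
    return True

def demo():
    key = b"client-secret-key"                                       # constructed
    file_rows = [[r * 10 + i for i in range(K)] for r in range(8)]  # constructed 8-row file
    stripes = [encode_row(key, r, row) for r, row in enumerate(file_rows)]
    rows, alpha = [1, 4, 6], 12345      # challenge: row positions and a fresh coefficient alpha
    honest = verify(key, rows, alpha, respond(stripes, rows, alpha))
    stripes[4][1] ^= 1                  # provider B silently flips a bit of its block in row 4
    corrupt = verify(key, rows, alpha, respond(stripes, rows, alpha))
    return honest, corrupt              # (True, False)
```

The check on slide 41 about field size applies here too: a forged aggregate passes only if it hits the right residue by chance, so the 61-bit field of this toy gives far less than the security a real deployment would want.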

Slide 38: HAIL availability
(Graph not included in the transcript.)

Slide 39: Frequency of challenges
(Graph not included in the transcript.)

Slide 40: Encoding Performance
HAIL requires two levels of encoding
Order is important!

Slide 41: Encoding Security
Security of the MAC depends on the size of the finite field used to perform Reed-Solomon encoding
Most Reed-Solomon codes are implemented over bytes, or at most 4-byte words (typical integer representation)
32-bit security is low from a cryptographic viewpoint
Operating over larger symbols is slow
  – Larger encodings can be generated by combining several smaller encodings
  – Or, they can be implemented using extension fields
To speed up larger-symbol encoding, fast operations in large Galois fields are needed
  – Work with Jianqiang Luo and Lihao Xu at Wayne State Univ.

Slide 42: Encoding Throughput Improvement
(Graph not included in the transcript.)

Slide 43: Decoding Throughput Improvement
(Graph not included in the transcript.)

Slide 44: Accelerated Encoding Throughput
(Graph not included in the transcript.)

Slide 45: Accelerated Decoding Throughput
(Graph not included in the transcript.)

Slide 46: Effect of Placement on Throughput
(Graph not included in the transcript.)

Slide 47: Summary
HAIL is an extension of RAID into the cloud
High availability and tolerance to adversarial failures
  – Low storage overhead due to the integrity-protected dispersal code
Enables client-side integrity checks
  – Low bandwidth for challenge-response due to aggregation
Papers:
  – K. Bowers, A. Juels, and A. Oprea. Proofs of Retrievability: Theory and Implementation. ACM CCSW '09.
  – K. Bowers, A. Juels, and A. Oprea. HAIL: High Availability and Integrity Layer for Cloud Storage. ACM CCS '09.
http://www.rsalabs.com/

