Presentation is loading. Please wait.

Presentation is loading. Please wait.

Need for Privacy Enhancing Technologies 1 What is challenging about standard encryption?

Published byBernadette Peters Modified over 9 years ago

Similar presentations

Presentation on theme: "Need for Privacy Enhancing Technologies 1 What is challenging about standard encryption?"— Presentation transcript:

1 Need for Privacy Enhancing Technologies 1 What is challenging about standard encryption?

2 Challenge: Privacy versus Data Utilization Dilemma Client Storage on the cloud Sensitive data! Outsource the data SEARCH? ANALYZE? (encrypted) Standard Encryption CAN’T SEARCH! CAN’T ANALYZE! 2 IMPACT

3 Searchable Encryption (Generic Framework) 3 f1f1 fnfn Client Cloud... c1c1 cncn Extract keywords w1w1 wnwn... t1t1 Data Structure t1t1 tntn... Searchable Representation Search keyword: w 1  t 1 Trapdoors tntn... t1t1 Update file: f i  (z i, V) (z i, V) c1c1 f1f1

4  Curtmola et al. (CCS 2006) (+) Efficient encrypted searches (-) No update on files (addition/removal not possible)  Variants of CCS 2006 with various properties: Ranked, multi-keyword, wildcard, … (-) No update and inefficient  Kamara et. al. (CCS 2012) (+) Updates: New files can be added/removed (-) Update leaks information (insecure updates)  Kamara et. al. (FC 2013) (+) Secure updates (-) Searchable words are fixed (cannot add a new keyword later) (-) Extremely large cloud storage (multi TBs, impractical) 4 Prior Work on Searchable Encryption (Milestones)

5  A. A. Yavuz, J. Guajardo, A. Ragi “Dynamic and Parallelizable Symmetric Searchable Encryption with Secure Updates” Patent filed (disclosure allowed  10^5 keywords, 10^6 files, compared to Kamara et. al. FC 2013:  5120 times smaller storage at the cloud  20 times faster update  680 times smaller communication overhead  Both files and keywords can be added/removed securely Contribution: A New Dynamic Symmetric SE Scheme 5

6  Searchable Representation: Binary matrix I Row i, {1,…,m}  keyword w i, column j, {1,…,n}  file f j If I[i,j]=1 then keyword w i appears in file f j, otherwise not  Integrates index and inverted index, simple yet efficient  Search via row operations  inverted index  Update via column operations  index (i,j)12...n 110 1000 210 0001.00 1000.00 0101.00 1100 m000001 6 Our Scheme: Searchable Representation Files f 1 f 2... f n Keywords w 1 w 2... w m

7 (i,j)12...128...256 …n 100...1 0 1 200 0 1 0.10 0 0 1 m10 0 1 1 7 Our Scheme: Map keyword/file to the matrix  Keyword w  {1,…, m} and file f  {1, …, n} : Dynamic and efficient  Map a keyword to a row i:  Open address hash tables:  Collision-free (one-to-one), O(1) access  Map a file to column j: TF1, z 100 2,z 250...128,z l … 257, z r … n,z 6 TW 1,t 55 2, t 300. m, t 2

8  Derive row key  Encrypt each row i with r i (AES 128 CTR mode) Our Scheme: Encrypt Searchable Representation (i,j)1...128...256...n 10 1 0 1.1 0 0 0.0 1 0 1 m1 0 1 1  Achieving Dynamic Keywords: Static schemes: Derived keys from keywords  Break static relation between keys and keywords 8 r1r1 rmrm......

9 Search keyword w on I’ : Our Scheme: Search on Encrypted Representation 9 Client Cloud Decrypt i’th row of I’[i,*] with r i  I[i,*] I’1...128...n 10 1 1.1 0 0 i0 1 1 m1 0 1 I[i,j]=1 then ciphertext c j contains t w I1..55..253254..n i10101001 c 1 c 55 c 253 c n Decrypt with k 4 Get f 1,f 55,…,f n

10 Add a new file f to I’ : Our Scheme: Update on Encrypted Representation 10 Client Cloud Replace new column with j’th column of I’ I’1...j n 10 1 1.1 0 0.0 1 1 m1 0 1 0 … 1 1 0 1 … 0 0 … 1 1 0 1 … 0 E(.)

11 File Update SecuritySecure Update Keyword Universe Update Comm. Update timeIndex Size Kamara FC 2013 YesCKA2+YesFixed (2  z  k) O(n  log2(m))O(n/p  log2(m))(2  z  k  )  O(n  m) 1000 MB2058000 GB Our Scheme YesCKA2+YesDynamicbO(n)O(n/p) O(n  m) 1.5 MB112 GB 11 n=10^5 keywords, z=32 bit (pointer size) m=10^6 files, n’=10^3, *# of keywords existing in an updated file k=80 security parameter, b= 128 bits, symmetric block size p=4 CPU cores r=200 (# of files containing keyword  Dynamic keyword universe  Secure and efficient update  Smallest index size with CKA2+ security Comparison with State-of-Art

12 12 OperationAvg time (msec) #keyword : 1,000,000 #file : 5,000 Avg time (msec) #keyword : 200,000 #file : 50,000 Avg time (msec) #keyword : 2,000 #file : 2,000,000 Build Index 822.6493461 Search Keyword 0.010.2710.02 Add File27724728.83 Delete File23623298.77 Implementation ( Benchmarking Results ) Enron email dataset, Ubuntu 13.10 OS, 4 GB RAM, Intel i5 processor, 256 GB harddisk  All operations are practical  Search under a msec, and only 10 msec for 2 millions of files  Update various 8 msec to 2 sec

13 Security Analysis of Our DSSE (Very Brief) 13  Confidentiality focus (integrity/auth can be added)  Access Pattern: File identifiers that satisfy a search query (search results)  Search Pattern: History of searches (whether a search token used at past)  IND-CKA2 (Adaptive Chosen Keyword Attacks): Given {I’, c 0,..,c n, z 0, …,z n, t 0,…,t m }, no adversary can learn any information about f 0,…,f n and w 0,…,w m other than the access and search pattern, even if queries are adaptive.  Theorem 1: Our DSSE scheme (L1,L2)-secure in ROM based on IND- CKA2, where L1 and L2 leak access and search pattern, respectively.  Real and simulated views are indistinguishable due to PRF and IND-CPA cipher.

14 14  C/C++  Own Lines of code : 10528  Tomcrypt API Symmetric Key Encryption: AES-CTR 128-bit MAC: CMAC-128 Key Derivation Function : CMAC-128 File encryption : CCM (Counter with CBC-MAC)  Intel AESNI sample library For AES implementation using assembly language instructions. As KDF, we further exploit AES-ASM by using CMAC.  Hash tables, Google open source static C++ data structure Implementation Details of Our DSSE

15 Outline  Privacy Enhancing Technologies for Big Data Analytics Privacy versus data utilization dilemma A new searchable encryption scheme  Efficient Security Mechanisms for Smart-Infrastructures Security challenges: Smart-grid, inter/intra car systems Fast and scalable authentication: ER, ETA, PISB, ESCAR, patents  Heart of Secure Systems: Protecting Audit Logs (PhD Thesis) Research challenges and contributions  Research Agenda @ OSU Towards Secure Smart-Infrastructures Towards Practical PETs 15

16  Reliable Cyber-Physical Systems (e.g., smart-grid) are vital Susceptible: Northeast blackout (2003), 50 million people, $10 billion cost Attacks: False data injection [Yao CCS09’], over 200 cyber-attacks in 2013  Vulnerability: Commands and measurements are not authenticated  Requirements for a security method Real-time  Extremely fast processing (a few ms) Limited bandwidth  Compact Several components  Scalability  Limitations of Existing Methods PKC is not yet feasible (computation, storage, tag size) Symmetric crypto is not scalable (key management ) Security Challenges for Smart-Infrastructures 16

17 Security Challenges for Smart-Infrastructures (II) Fast, compact and scalable security is needed! 17 Internet ECU  Vulnerability: Commands and measurements are not authenticated  Security for Inter-car Networks Manipulate direction/velocity, crashes  Security for Intra-car Networks Large attack surface [Usenix '11] ECUs of break/acceleration, airbag  Challenges Strict safety requirements Limited bandwidth, real-time processing  The state-of-art cannot address (as discussed)

18 Contributions: Secure Intra-car Systems (I) 18  Motivation: Secure communication among ECUs in the car  Challenges: Safety requirements, extremely limited resources  Contributions A. A. Yavuz, J. Guajardo, “Efficient UMACs for CAN systems via key update mechanisms”, May 2012 (patent) J. Guajardo, A. A. Yavuz, “Bandwidth Efficient Symmetric Encryption Methods”, June 2012 (patent) A. A. Yavuz, “Signal-based Automotive Communication Security and Its Interplay with Safety Requirements", Embedded Security in Cars Conference, Germany, November 2012 (with B. Glas, J. Guajardo, H. Hacioglu, M. Ihle, K. Wehefritz)  Impact: Embedded crypto software, deployment for OEMs (2018) Customers: GM, BMW

19 Contributions: Secure Smart- Infrastructures (II)  A. A. Yavuz, “Emergent Response (ER): An Efficient and Scalable Real- time Broadcast Authentication for Command and Control Messages“ Patent + IEEE Transactions Information Sec. 19  A. A. Yavuz, “Practical Immutable Signatures (PISB)”, LNCS DBSec 2013 Immutable and 40 times faster than state-of-art Idea: Leverage SA-RSA to compute umbrella signature on C-RSA, eliminates interaction, more efficient  A. A. Yavuz, “Efficient and Tiny Authentication (ETA)”, ACM WiSec 2013 A magnitude of times more efficient than RSA/ECDSA Smallest key/signature sizes (240 bits, 320 bits) Idea: Tailor Schnorr signatures, O(1) size pre-computation tokens, proof in ROM to DLP

20 Rapid Authentication – Motivation and Preliminary Work  Fast Broadcast Authentication: Minimum end-to-end crypto delay  Limitations of the State-of Art  Online-offline and OTSs: Very large signature and key sizes  DLP-based Methods (DSA tokens): Signer efficient but verifier costly  RSA/Rabin: Verifier efficient but signer costly  Both signer and verifier efficiency with a compact signature? 20  Pre-computation for RSA without linear overhead?  Both signer and verifier efficient!  Condensed-RSA (C-RSA) aggregates RSA signatures

21 Rapid Authentication – Basic Idea  Messages have structure by some protocols: Can be leveraged? 21 Source IP (32 bits)Destination IP (32 bits)Command (6 bits)Value (6 bits)Options (5 bits) 256.256.256.256 1024 signatures Pre-compute Signature tables 256.256.256.256 1024 signatures cmd1, …,cmd64 64 signatures val1, …,val64 64 signatures 1) Pre-compute RSA signatures on each sub-message in fields (offline phase) Source IP (32 bits)Destination IP (32 bits)Command (6 bits)Value (6 bits)Options (5 bits) 75.146.76.234128.19.43.235“increase”“level 5”“voltage” opt1, …,opt32 32 signatures 2) C-RSA pre-computed signatures according to message (online signing) 3) Verify Condensed-RSA signature 75.146.76.234128.19.43.235“increase”“level 5”“voltage”

22 Improved RA: Structure-Free RA (SCRA) 22 Sign messages without assuming structure or length (Message||s), |s|=80 one-time rand. num. HASH Function any length 160 bits (truncate) Field 1 (8 bits) Field 2 (8 bits) Field 10 (8 bits) …………  Problems: Structured message, table might be large Intel(R) Core(TM) i7 Q720 at 1.60GHz CPU and 2GB RAM running Ubuntu 10.10 (MIRACL library) Execution times in µsec Pre-compute signature table (offline)

Download ppt "Need for Privacy Enhancing Technologies 1 What is challenging about standard encryption?"

Similar presentations

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.

1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.
Structured Encryption and Controlled Disclosure Melissa Chase Seny Kamara Microsoft Research Asiacrypt '10 1.

Structured Encryption and Controlled Disclosure Melissa Chase Seny Kamara Microsoft Research Asiacrypt '10 1.
January 11, 20001 Csci 2111: Data and File Structures Week1, Lecture 1 Introduction to the Design and Specification of File Structures.

January 11, Csci 2111: Data and File Structures Week1, Lecture 1 Introduction to the Design and Specification of File Structures.
多媒體網路安全實驗室 Towards Secure and Effective Utilization over Encrypted Cloud Data 報告人 : 葉瑞群 日期 :2012/05/09 出處 :IEEE Transactions on Knowledge and Data Engineering.

多媒體網路安全實驗室 Towards Secure and Effective Utilization over Encrypted Cloud Data 報告人 : 葉瑞群 日期 :2012/05/09 出處 :IEEE Transactions on Knowledge and Data Engineering.
10/11/2013 Attila Altay Yavuz University of Pittsburgh, School of Information Sciences 135 N. Bellefield Avenue, Pittsburgh, PA 15260

10/11/2013 Attila Altay Yavuz University of Pittsburgh, School of Information Sciences 135 N. Bellefield Avenue, Pittsburgh, PA 15260
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.

SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.
TinySec: Link Layer Security Chris Karlof, Naveen Sastry, David Wagner University of California, Berkeley Presenter: Todd Fielder.

TinySec: Link Layer Security Chris Karlof, Naveen Sastry, David Wagner University of California, Berkeley Presenter: Todd Fielder.
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, and J.D. Tygar – University of California, Berkeley.

SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, and J.D. Tygar – University of California, Berkeley.
SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.

SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS

CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.

Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2

Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Introduction to Network Security Dr. Attila Altay Yavuz Big Picture and Organization.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Introduction to Network Security Dr. Attila Altay Yavuz Big Picture and Organization.
1 Telematics/Networkengineering Confidential Transmission of Lossless Visual Data: Experimental Modelling and Optimization.

1 Telematics/Networkengineering Confidential Transmission of Lossless Visual Data: Experimental Modelling and Optimization.

Similar presentations

Ads by Google