Presentation is loading. Please wait.

Presentation is loading. Please wait.

Recoverable Encryption through Noised Secret over Large Cloud Sushil Jajodia 1, W. Litwin 2 & Th. Schwarz 3 1 George Mason University, Fairfax, VA

Published byWarren Pierce Modified over 9 years ago

Similar presentations

Presentation on theme: "Recoverable Encryption through Noised Secret over Large Cloud Sushil Jajodia 1, W. Litwin 2 & Th. Schwarz 3 1 George Mason University, Fairfax, VA"— Presentation transcript:

1 Recoverable Encryption through Noised Secret over Large Cloud Sushil Jajodia 1, W. Litwin 2 & Th. Schwarz 3 1 George Mason University, Fairfax, VA {jajodia@gmu.edu} 2 Presenter, Université Paris Dauphine, Lamsade {witold.litwin@dauphine.fr} 3 Thomas Schwarz, UCU, Montevideo {tschwarz@ucu.edu.uy}jajodia@gmu.eduwitold.litwin@dauphine.frtschwarz@ucu.edu.uy 1 Welcome message

2 What ? New schemes for encryption key backup at Escrow’s site Back up of high quality encryption keys E.g. AES (256b) Brute-force recovery intentionally possible – In the absence of key creator (owner) But only over a large cloud – 10K+ nodes Thus not at Escrow’s own site 2

3 What ? Legal recovery can be fast – E.g. Max 10 min on 10K-node cloud Once all nodes are available Unwelcome recovery is unlikely – E.g. 70 days at escrow’s processor – Illegal use of 10K-nodes is implausible Cloud providers do everything they can against Easily traceable if happens 3

4 Why High quality key loss danger is Achilles’ heel of modern crypto – Makes many folks refraining of any encryption – Other loose many tears if unthinkable happens The schemes should benefit numerous applications 4

5 How Key owner chooses inhibitive timing of 1-node (brute-force) recovery – Presumably unwelcome at escrow’s own site – E.g. 70 days Consequently, fixes a large integer M called backup decryption complexity Creates the backup as 2-share noised secret – One actual share of a noised secret is hidden among a large number of fake noise shares Sends the backup to Escrow 5

6 How Key requestor asks Escrow to recover data in acceptable max recovery time R – Once all requested nodes are available – E.g. R = 10 min Escrow sends R and the noised share (within the noise) to the cloud – The cloud cannot disclose the key RE NS scheme at the cloud partitions the recovery calculation over the cloud – To fit the timing for sure – Say partitions it over 10K nodes 6

7 How The cloud reports back to Escrow the actual share(s) Escrow recovers the key from both shares – Clasical XORing Send the recovered key to Requestor – Not forgetting the bill – E.g. 150$ at Amazon for 10K-node wide EMR calculus (mid-2012) 7

8 What Else ? Client Side Encryption Server Side Recovery – Static Scheme – Scalable Scheme Related Work Conclusion  Details in Res. Rep. : http://www.lamsade.dauphine.fr/~litwin/Recoverable%20Encry ption_10.pdf 8

9 Client Side Encryption Client X backs up key S X estimates 1-node inhibitive time D – Say 70 days D depends on trust to Escrow D also determines minimal cloud size N for future recovery in any time acceptable time R – Fixed by recovery requestor E.g. 10 min – X expects N > D / R 9

10 Client Side Key Encryption X creates a shared secret for S – Basically 2-share secret with share s 0 random and – s 1 = s 0 XOR S Common knowledge – S = s 0 XOR s 1 X transforms the secret into a noised one – X makes s 0 a noised share in noise space I = 0,1…M-1 – For some M that X chooses as follows M is Encryption Complexity 10

11 Shared Secret / Noised (Shared) Secret 11 = S S0S0 XOR S = S0S0 Noise shares Noise shares Noised share Noise in I Hint H (s 0 ) S1S1 S1S1 H is one way hash SHA 256 by default

12 Client Side Encryption Choice of Encryption Complexity X determines throughput T – # of match attempts H (s) ?= h = H (s 0 ) per time unit 1 Sec by default X sets M to M = Int (DT). – M = 2 40 ÷ 2 50 in practice 12

13 Client Side Encryption X randomly chooses m  I = [0,1…M[ Calculates base noise share f = s 0 – m Creates noised share s 0 n = (f, M, h). Sends backup S’ = (s 0 n, s 1 ) to Escrow 13

14 Escrow Side Recovery Escrow E receives legitimate request of S recovery in time R at most E chooses either static or scalable scheme E sends data S” = (s 0 n, R) to some cloud node with request for processing accordingly – Keeps s 1 out of the cloud 14

15 Static Scheme Node Load L n : # of noises among M assigned to node n for match attempts Throughput T n : # of match attempts node n can process / sec Bucket (node) capacity B n : # of match attempts node n can process / time R – B n = R T n Load factor  n = L n / B n 15

16 Static Scheme Notice our data storage oriented vocabulary Observe that node n respects R iff  n ≤ 1 Observe that the cloud respects R iff for every n we have  n ≤ 1 This is true for both static and scalable scheme presented later on 16

17 Static Scheme Init Phase Node C that got S” from E becomes coordinator Calculates  (M) = L (M) / B (C) – Usually  (M) >> 1 Defines N as  (M)  – Implicitly considers the cloud as homogenous 17

18 Static Scheme 18 Intended for a homogenous Cloud – All nodes provide the same throughput

19 Static Scheme Map Phase Node C asks for allocation of N-1 nodes Associates logical address n = 1, 2…N-1 with each node & 0 for itself Sends out for each node n data (n, a 0, P) – a 0 is its own physical address, e.g., IP – P specifies Reduce phase 19

20 Static Scheme Reduce Phase P requests node n to attempt matches for every noise share s = (f + m) such that n = m mod N In practice, e.g., while m < M: – Node 0 loops over m = 0, N, 2N… – Node 1 loops over m = 1, N+1, 2N+1… – ….. – Node N – 1 loops over m = (you guess) 20

21 Static Scheme Node n that gets the successful match sends s to C Otherwise node n enters Termination C asks every node to terminate – Details depend on actual cloud C forwards s as s 0 to E 21

22 Static Scheme E discloses the secret S and sends S to Requestor – Bill included E.g., up to 400$ on CloudLayer for – D = 70 days – R = 10 min – Both implied N = 10K with private option 22

23 Static Scheme Observe N ≥ D / R and N  D / R – If the initial estimate of T by key owner holds Average recovery time on the lucky node is R / 2 – Since every noise is equally likely to be the lucky one Individual cost can be offset by key insurance service – Perhaps 4$/y per key per subscriber in our ex., i.e., peanuts. Assuming 1% of clients performs actual recovery per year 23

24 Static Scheme See Res. Report for details, i.e., Numerical examples Correctness – The scheme really partitions I. – Whatever is N and s 0, one and only one node finds s 0 – Average recovery time is R/2 24

25 Static Scheme Safety – No disclosure method can in practice be faster than the scheme – Dictionary attack, inverted file of hints… Other properties 25

26 Scalable Scheme Intended for heterogenous clouds – different node throughputs – basically only locally known E.g. – Private or hybrid cloud – Public cloud without so-called private node option 26

27 Scalable Scheme Heterogeneous cloud – Node throughputs may differ 27

28 Scalable Scheme Init phase similar up to  (M) calculus – Basically  (M) >> 1 – Also we note it now  0 I If  > 1 we say that node overflows Node 0 sets then its node level j to j = 0 and splits – Requests node 2 j = 1 – Sets j to j = 1 – Sends to node 1, (S”, j, a 0 ) 28

29 Scalable Scheme As result – There are N = 2 nodes – Node 0 and node 1 have each M / 2 match attempts to process – Iff both load factors are no more than 1 Usually it would not be the case 29

30 Scalable Scheme Recursive distributed rule – Each node n splits until  n ≤ 1 – Each split increases node level j n to j n + 1 – Each new node n’ gets j n’ = j n initially Node 0 splits thus perhaps into 1,2,4… until  0 ≤ 1 Node 1 starts with j= 1 and splits into 3,5,9… until  1 ≤ 1 Node 2 starts with j= 1, splitting into 4,6,10… until  2 ≤ 1 Your general rule here Node with smaller T splits more times and vice versa 30

31 Scalable Scheme If cloud is homogenous, the address space is contiguous Otherwise, it is not – No problem – Unlike for a extensible or linear hash data structure 31

32 Scalable Scheme Reduce phase – Every node n at level j attempts matches for every k  [0, M-1] such that n = k mod 2 j. If node 0 split three times, in Reduce phase it will attempt to match noised shares (f + k) with k = 0, 8, 16… If node 1 split four times, it will attempt to match noised shares (f + k) with k = 1, 17, 33… Etc 32

33 Scalable Scheme N ≥ D / R – If S owner initial estimate holds For homogeneous cloud it is 30% greater on the average and twice as big at worst Cloud cost may still be cheaper – No need for private option Versatility may still make it preferable besides Average recovery time remains R /2 33

34 Scalable Scheme See again Res. Report for – Numerical ex. – Correctness – Safety – … – Details of perf. analysis remain future work 34

35 Related Work RE for outsourced LH* files CSCP for outsourced LH* records sharing SharePoint Crypto puzzles One way hash with trapdoor 30-year old excitement around Clipper chip Botnets 35

36 Conclusion Key safety is Achilles’ heel of cryptography Key loss or key disclosure ? That is The Question RE NS schemes alleviate the dilemma Future work – Deeper formal analysis – Experiments – Variants Especially that called « multiple noising » – Raising average recovery time towards R Other consequences of principle « Big Calculations » = « Big Data » ? 36

37 Thanks for Your Attention 37 Witold LITWIN & al * * Early stage discussions with J. Katz, UMD, helped to shape the noised secret idea

Download ppt "Recoverable Encryption through Noised Secret over Large Cloud Sushil Jajodia 1, W. Litwin 2 & Th. Schwarz 3 1 George Mason University, Fairfax, VA"

Similar presentations

Recoverable Encryption through Noised Secret over Large Cloud Sushil Jajodia 1, W. Litwin 2 & Th. Schwarz 3 1 George Mason University, Fairfax, VA

Recoverable Encryption through Noised Secret over Large Cloud Sushil Jajodia 1, W. Litwin 2 & Th. Schwarz 3 1 George Mason University, Fairfax, VA
Searching for Data Relationship between searching and sorting Simple linear searching Linear searching of sorted data Searching for string or numeric data.

Searching for Data Relationship between searching and sorting Simple linear searching Linear searching of sorted data Searching for string or numeric data.
RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.
Scalable Content-Addressable Network Lintao Liu 2001.11.19.

Scalable Content-Addressable Network Lintao Liu
Top k Knapsack Joins and Closure Early Results Witold LITWIN & Thomas Schwarz U. Paris Dauphine, France

Top k Knapsack Joins and Closure Early Results Witold LITWIN & Thomas Schwarz U. Paris Dauphine, France
Key Recovery Using Noised Secret Sharing with Discounts Over Large Clouds Sushil Jajodia 1, W. Litwin 2 & Th. Schwarz 3 1 George Mason University, Fairfax,

Key Recovery Using Noised Secret Sharing with Discounts Over Large Clouds Sushil Jajodia 1, W. Litwin 2 & Th. Schwarz 3 1 George Mason University, Fairfax,
Hash-based Indexes CS 186, Spring 2006 Lecture 7 R &G Chapter 11 HASH, x. There is no definition for this word -- nobody knows what hash is. Ambrose Bierce,

Hash-based Indexes CS 186, Spring 2006 Lecture 7 R &G Chapter 11 HASH, x. There is no definition for this word -- nobody knows what hash is. Ambrose Bierce,
Hash-Based Indexes The slides for this text are organized into chapters. This lecture covers Chapter 10. Chapter 1: Introduction to Database Systems Chapter.

Hash-Based Indexes The slides for this text are organized into chapters. This lecture covers Chapter 10. Chapter 1: Introduction to Database Systems Chapter.
Database Management Systems 3ed, R. Ramakrishnan and J. Gehrke1 Hash-Based Indexes Chapter 11.

Database Management Systems 3ed, R. Ramakrishnan and J. Gehrke1 Hash-Based Indexes Chapter 11.
Quick Review of Apr 10 material B+-Tree File Organization –similar to B+-tree index –leaf nodes store records, not pointers to records stored in an original.

Quick Review of Apr 10 material B+-Tree File Organization –similar to B+-tree index –leaf nodes store records, not pointers to records stored in an original.
©Silberschatz, Korth and Sudarshan12.1Database System Concepts Chapter 12: Indexing and Hashing Basic Concepts Ordered Indices B+-Tree Index Files B-Tree.

©Silberschatz, Korth and Sudarshan12.1Database System Concepts Chapter 12: Indexing and Hashing Basic Concepts Ordered Indices B+-Tree Index Files B-Tree.
File Processing - Indirect Address Translation MVNC1 Hashing Indirect Address Translation Chapter 11.

File Processing - Indirect Address Translation MVNC1 Hashing Indirect Address Translation Chapter 11.
Sushil Jajodia, George Mason U Witold Litwin, U Paris Dauphine Thomas Schwarz, S.J., U Católica Uruguay.

Sushil Jajodia, George Mason U Witold Litwin, U Paris Dauphine Thomas Schwarz, S.J., U Católica Uruguay.
Chapter 7 Memory Management Operating Systems: Internals and Design Principles, 6/E William Stallings Dave Bremer Otago Polytechnic, N.Z. ©2009, Prentice.

Chapter 7 Memory Management Operating Systems: Internals and Design Principles, 6/E William Stallings Dave Bremer Otago Polytechnic, N.Z. ©2009, Prentice.
Quick Sort, Shell Sort, Counting Sort, Radix Sort AND Bucket Sort

Quick Sort, Shell Sort, Counting Sort, Radix Sort AND Bucket Sort
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
1 Complexity of Network Synchronization Raeda Naamnieh.

1 Complexity of Network Synchronization Raeda Naamnieh.
1 Hash-Based Indexes Yanlei Diao UMass Amherst Feb 22, 2006 Slides Courtesy of R. Ramakrishnan and J. Gehrke.

1 Hash-Based Indexes Yanlei Diao UMass Amherst Feb 22, 2006 Slides Courtesy of R. Ramakrishnan and J. Gehrke.
Signature Based Concurrency Control Thomas Schwarz, S.J. JoAnne Holliday Santa Clara University Santa Clara, CA 95053

Signature Based Concurrency Control Thomas Schwarz, S.J. JoAnne Holliday Santa Clara University Santa Clara, CA 95053
Hash Tables1 Part E Hash Tables   0 1 2 3 4 451-229-0004 981-101-0002 025-612-0001.

Hash Tables1 Part E Hash Tables  

Similar presentations

Ads by Google