Cryptographic Security
Secret Sharing, Vanishing Data
Dennis Kafura – CS5204 – Operating Systems
Cryptographic Security - 2
Secret Sharing
How can a group of individuals share a secret?
Requirements:
- some information is confidential
- the information is only available when any k of the n members of the group collaborate (k <= n)
  - k = n implies unanimity
  - k >= n/2 implies simple majority
  - k = 1 implies independence
Assumptions:
- The secret is represented as a number
- The number may be the secret or a (cryptographic) key that is used to decrypt the secret
Secret Sharing
General idea:
- Secret data D is divided into n pieces D1, …, Dn
- Knowledge of k or more Di pieces makes D easily computable
- Knowledge of k-1 or fewer pieces leaves D completely unknowable
Terminology:
- This is called a (k,n) threshold scheme
Uses:
- Divided authority (requires multiple distinct approvals from among a set of authorities)
- Cooperation under mutual suspicion (secret only disclosed with sufficient agreement)
Secret Sharing
Mathematics
A polynomial of degree n-1 is of the form
Just as 2 points determine a straight line (a polynomial of degree 1), n+1 points uniquely determine a polynomial of degree n. That is, if
then
Simple (k,n) Threshold Scheme
- Given D, k, and n
- Construct a random k-1 degree polynomial
- Distribute the n pieces as (i, Di)
- Any k of the n pieces can be used to find the unique polynomial and discover a0 (equivalently, solve for q(0))
- Finding the polynomial is called polynomial interpolation
Example
Suppose k=2, n=3, and D=34
Choose a random k-1 degree polynomial:
Generate n values:
The n pieces are (1,46), (2,58), and (3,70)
Example
Given 2 pieces (1,46) and (3,70) find the secret, D, by solving the simultaneous equations:
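The (k,n) scheme from these slides as an added Python example (not part of the original lecture): `split` builds the pieces (i, Di) from a random polynomial with a0 = D, and `recover` interpolates q(0) from any k pieces, including the slide's pieces (1,46), (2,58), (3,70). It goes beyond the slide's small-integer example by working modulo a prime P, as a practical scheme does; P and the function names are assumptions of this example.

```python
import secrets

P = 2**127 - 1  # assumption: a prime larger than the secret and n (Mersenne prime)

def eval_poly(coeffs, x, p=P):
    """q(x) = a0 + a1*x + ... + a_{k-1}*x^(k-1) mod p, by Horner's rule."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc

def split(secret, k, n, p=P):
    """Return the n pieces (i, D_i) with D_i = q(i) and a0 = secret."""
    if not (1 <= k <= n < p and 0 <= secret < p):
        raise ValueError("need 1 <= k <= n < p and 0 <= secret < p")
    # a1..a_{k-1} come from a CSPRNG; predictable coefficients leak the secret
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, n + 1)]

def recover(pieces, p=P):
    """Lagrange interpolation evaluated at x = 0, which yields q(0) = a0 = D."""
    xs = [x for x, _ in pieces]
    if len(set(xs)) != len(xs):
        raise ValueError("pieces must have distinct x values")
    total = 0
    for xj, yj in pieces:
        num, den = 1, 1
        for xm in xs:
            if xm != xj:
                num = (num * -xm) % p          # product of (0 - x_m)
                den = (den * (xj - xm)) % p    # product of (x_j - x_m)
        total = (total + yj * num * pow(den, -1, p)) % p
    return total

SLIDE_PIECES = [(1, 46), (2, 58), (3, 70)]  # the pieces given on the slide

if __name__ == "__main__":
    print("slide example:", recover([SLIDE_PIECES[0], SLIDE_PIECES[2]]))
    fresh = split(34, k=2, n=3)
    print("fresh pieces :", fresh)
    print("recovered    :", recover(fresh[1:]))
    # One piece alone (k-1 = 1) interpolates to its own y value, not to D.
    print("single piece :", recover(SLIDE_PIECES[:1]))
```
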
Vanishing Data
Motivation:
- Many forms of data (e.g., email) are archived by service providers for reliability/availability
- Data stored “in the cloud” beyond user control
- Such data creates a target for intruders, and may persist beyond useful lifetime to the user’s detriment through disclosure of personal information
- Recreates “forget-ability” and/or deniability
- Protect against retroactive data disclosure
Innovation: “vanishing data object” (VDO)
Vanishing Data
VDO:
- permanently unreadable after a period
- Is readable by legitimate users during the period
- Allows attacker to retroactively know the VDO and all persistent cryptographic keys
- Does not require
  - explicit action by the user or storage service to render the data unreadable
  - changes to any of the stored copies of the data
  - secure hardware
  - any new services (leverage existing services)
Example Applications
Vanish Architecture
Key elements:
- Threshold secret sharing
- Distributed hash tables (DHT)
  - P2P systems
  - Availability
  - Scale, geographic distribution, decentralization
  - Churn
    - Median lifetime minutes/hours: 2.4 min (Kazaa), 60 min (Gnutella), 5 hours (Vuze)
    - extended to desired period by background refresh
- VUZE
  - Open-source P2P system using BitTorrent protocol
Vanish Architecture
Operation:
- Locator is a pseudorandom number generator keyed by L; used to select random locations in the DHT for storing the VDO
- VDO is encrypted with key K
- N shares of K are created and then K is erased
- VDO = (L, C, N, threshold)
Setting Parameters
- Use threshold=90%
- Use N=50
Setting Parameters
Tradeoff:
- Larger threshold values provide more security
- Larger threshold values provide shorter lifetimes
Performance Measurement
Prepush – Vanish proactively creates and distributes data keys
Attack Vectors and Defenses
- Decapsulate VDO prior to expiration
  - Further encrypt data using traditional encryption schemes
- Eavesdrop on net connection
  - Use DHT that encrypts traffic between nodes
  - Compose with system (like Tor) to tunnel interactions with DHT through remote machines
- Integrate in DHT
  - Eavesdrop on store/lookup operations
    - Possible but extremely expensive to attacker (see next)
  - Standard attacks on DHTs
    - Adopt standard solution
Parameters and security
Assuming 5% of the DHT nodes are compromised, what is the probability of VDO compromise?
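An added worked example (not from the original slides) that puts numbers on this question and on the threshold tradeoff stated under Setting Parameters, for N=50 shares. It assumes a simplified model: each share lands on a compromised node independently with probability equal to the compromised fraction, and each share independently survives churn with a constructed probability of 0.8; the function names are this example's own.

```python
from math import comb

def shares_needed(n, threshold_pct):
    """Smallest share count that meets the threshold (integer ceiling)."""
    return -(-n * threshold_pct // 100)

def tail(n, m, p):
    """P[X >= m] for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(m, n + 1))

def p_compromise(n, threshold_pct, frac_compromised):
    """Attacker holds at least the threshold number of shares.
    Assumption: shares hit compromised nodes independently."""
    return tail(n, shares_needed(n, threshold_pct), frac_compromised)

def p_readable(n, threshold_pct, share_survival):
    """Enough shares are still retrievable for a legitimate reader.
    Assumption: each share survives churn independently."""
    return tail(n, shares_needed(n, threshold_pct), share_survival)

def tradeoff(n=50, frac_compromised=0.05, share_survival=0.8):
    """Rows of (threshold %, P[compromise], P[readable]); 0.8 is a constructed value."""
    return [(pct,
             p_compromise(n, pct, frac_compromised),
             p_readable(n, pct, share_survival))
            for pct in (10, 30, 50, 70, 90)]

if __name__ == "__main__":
    for pct, bad, ok in tradeoff():
        print(f"threshold={pct:3d}%  P[compromise]={bad:.3e}  P[readable]={ok:.4f}")
```

Raising the threshold drives the compromise probability down by many orders of magnitude, while the chance that enough shares remain retrievable also falls, which is the security versus lifetime tradeoff the slides describe.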