Cryptographic Security

Secret Sharing, Vanishing Data

1Dennis Kafura – CS5204 – Operating Systems

Cryptographic Security - 2

Dennis Kafura – CS5204 – Operating Systems

Secret Sharing

How can a group of individuals share a secret? Requirements:

some information is confidential the information is only available when any k of the n

members of group collaborate (k <= n) k = n implies unanimity k >= n/2 implies simple majority k = 1 implies independence

Assumptions The secret is represented as a number The number may be the secret or a (cryptographic) key

that is used to decrypt the secret

2

Cryptographic Security - 2

Secret Sharing

General idea: Secret data D is divided in n pieces D1,…Dn Knowledge of k or more Di pieces makes D easily

computable Knowledge of k-1 or fewer pieces leaves D completely

unknowable

Terminology This is called a (k,n) threshold scheme

Uses Divided authority (requires multiple distinct approvals

from among a set of authorities) Cooperation under mutual suspicion (secret only

disclosed with sufficient agreement)

Dennis Kafura – CS5204 – Operating Systems 3

Cryptographic Security - 2

Secret Sharing

Mathematics A polynomial of degree n-1 is of the form

Just as 2 points determine a straight line (a polynomial of degree 1), n+1 points uniquely determine a polynomial of degree n. That is, if

then

Dennis Kafura – CS5204 – Operating Systems 4

Cryptographic Security - 2

Simple (k,n) Threshold Scheme

Given D, k, and n Construct a random k-1 degree polynomial

Dennis Kafura – CS5204 – Operating Systems 5

Cryptographic Security - 2

Simple (k,n) Threshold Scheme

Given D, k, and n Construct a random k-1 degree polynomial

Distribute the n pieces as (i, Di) Any k of the n pieces can be used to find the

unique polynomial and discover a0 (equivalently solve for q(0) )

Finding the polynomial is called polynomial interpolation

Dennis Kafura – CS5204 – Operating Systems 6

Cryptographic Security - 2

Example

Suppose k=2, n=3, and D=34 Choose a random k-1 degree polynomial:

Generate n values:

The n pieces are (1,46), (2,58), and (3,70)

Dennis Kafura – CS5204 – Operating Systems 7

Cryptographic Security - 2

Example

Given 2 pieces (1,46) and (3,70) find the secret, D, by solving the simultaneous equations:

Dennis Kafura – CS5204 – Operating Systems 8

Cryptographic Security - 2

Vanishing Data

Motivation Many forms of data (e.g., email) are archived by service

providers for reliability/availability Data stored “in the cloud” beyond user control Such data creates a target for intruders, and may persist

beyond useful lifetime to the user’s detriment through disclosure of personal information

Recreates “forget-ability” and/or deniability Protect against retroactive data disclosure

Innovation: “vanishing data object” (VDO)

Dennis Kafura – CS5204 – Operating Systems 9

Cryptographic Security - 2

Vanishing Data

VDO permanently unreadable after a period Is readable by legitimate users during the period Allows attacker to retroactively know the VDO

and all persistent cryptographic keys

Dennis Kafura – CS5204 – Operating Systems 10

Cryptographic Security - 2

Vanishing Data

VDO permanently unreadable after a period Is readable by legitimate users during the period Allows attacker to retroactively know the VDO

and all persistent cryptographic keys Does not require

explicit action by the user or storage service to render the data unreadable

changes to any of the stored copies of the data secure hardware any new services (leverage existing services)

Dennis Kafura – CS5204 – Operating Systems 11

Cryptographic Security - 2

Example Applications

Dennis Kafura – CS5204 – Operating Systems 12

Cryptographic Security - 2

Vanish Architecture

Key elements Threshold secret sharing Distributed hash tables (DHT) P2P systems

Availability Scale, geographic distribution, decentralization Churn

Median lifetime minutes/hours 2.4 min (Kazaa), 60 min (Gnutella), 5 hours (Vuze) extended to desired period by background refresh

VUZE Open-source P2P system using bittorrent protocol

Dennis Kafura – CS5204 – Operating Systems 13

Cryptographic Security - 2

Vanish Architecture

Operation Locator is a pseudorandom number generator keyed by

L; used to select random locations in the DHT for storing the VDO

VDO is encrypted with key K N shares of K are created and then K is erased VDO = (L, C, N, threshold)

Dennis Kafura – CS5204 – Operating Systems 14

Cryptographic Security - 2

Setting Parameters

Dennis Kafura – CS5204 – Operating Systems 15

Use threshold=90% Use N=50

Cryptographic Security - 2

Setting Parameters

Tradeoff Larger threshold values provide more security Larger threshold values provide shorter lifetimes

Dennis Kafura – CS5204 – Operating Systems 16

Cryptographic Security - 2

Performance Measurement

Prepush – Vanish proactively creates and distributes data keys

Dennis Kafura – CS5204 – Operating Systems 17

Cryptographic Security - 2

Attack Vectors and Defenses

Decapsulate VDO prior to expiration Further encrypt data using traditional encryption

schemes

Eavesdrop on net connection Use DHT that encrypts traffic between nodes Compose with system (like TOR) to tunnel interactions

with DHT through remote machines

Integrate in DHT Eavesdrop on store/lookup operations

Possible but extremely expensive to attacker (see next) Standard attacks on DHTs

Adopt standard solution

Dennis Kafura – CS5204 – Operating Systems 18

Cryptographic Security - 2

Parameters and security

Assuming 5% of the DHT nodes are compromised what is the probability of VDO compromise?

Dennis Kafura – CS5204 – Operating Systems 19