Sieve: Cryptographically Enforced Access Control … Cryptographically Enforced Access Control for...

95
Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds Frank Wang (MIT CSAIL), James Mickens (Harvard), Nickolai Zeldovich (MIT CSAIL), Vinod Vaikuntanathan (MIT CSAIL) 1

Transcript of Sieve: Cryptographically Enforced Access Control … Cryptographically Enforced Access Control for...

Sieve:CryptographicallyEnforcedAccessControlforUserDatainUntrustedClouds

FrankWang(MITCSAIL),JamesMickens(Harvard),NickolaiZeldovich(MITCSAIL),

VinodVaikuntanathan(MITCSAIL)

1

Motivation

2

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

Motivation

2

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

Motivation

2

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

Motivation

2

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

Problem:Curiousstorageproviderorexternalattacker

3

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

Problem:Curiousstorageproviderorexternalattacker

3

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

NaïveApproach:EncryptDataunder1key

4

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

NaïveApproach:EncryptDataunder1key

4

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

NaïveApproach:EncryptDataunder1key

4

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

NaïveApproach:EncryptDataunder1key

4

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

Howdoestheuserselectivelydiscloseherdata?

AnotherApproach:Encrypteachpieceofdataindividually

5

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

AnotherApproach:Encrypteachpieceofdataindividually

5

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

AnotherApproach:Encrypteachpieceofdataindividually

5

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

AnotherApproach:Encrypteachpieceofdataindividually

5

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

Contributions• Sieve:anewplatformthatallowsuserstoselectivelyandsecurelydisclosetheirdata– Sieveprotectsagainstservercompromise– Sievehideskeymanagementfromusers– Reasonableperformance– Sievesupportsrevocation– Sievesallowsuserstorecoverfromdeviceloss– Goodforwebservicesthatanalyzeuserdata

6

Outline• Sieve– Protocol– Optimizations– Revocation– DeviceLoss

• Implementation• Evaluation

7

SieveOverview

8

SieveOverview

8

StorageProviderUser Webservices

SieveOverview

8

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

SieveOverview

8

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial

SieveOverview

8

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial

SieveOverview

8

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial(Year<2013AND

Type=Fitness)

SieveOverview

8

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial (Year<2013AND

Type=Fitness)

SieveOverview

8

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial (Year<2013AND

Type=Fitness)

Location=US,Year=2012,Type=fitness

SieveOverview

8

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial (Year<2013AND

Type=Fitness)

Location=US,Year=2012,Type=fitness

SieveOverview

8

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial (Year<2013AND

Type=Fitness)

Location=US,Year=2012,Type=fitness

ThreatModel• Storageproviderisapassiveadversary– Adversarycanreadalldata– Followsprotocol

• Webservicestrustedwithuserdatatheyaregivenaccessto

• Userandherdevicestrusted9

Ourapproach:Attribute-basedencryption(ABE)

• Assumethatuser-specificABEpublic/privatekeypair• Threemainfunctions

10

Ourapproach:Attribute-basedencryption(ABE)

• Assumethatuser-specificABEpublic/privatekeypair• Threemainfunctions

10

GenerateDecKey

Encrypt

Decrypt

Ourapproach:Attribute-basedencryption(ABE)

• Assumethatuser-specificABEpublic/privatekeypair• Threemainfunctions

10

GenerateDecKey

Encrypt

Decrypt

Policy:(Year<2013ANDtype=Fitness)

private

Ourapproach:Attribute-basedencryption(ABE)

• Assumethatuser-specificABEpublic/privatekeypair• Threemainfunctions

10

GenerateDecKey

Encrypt

Decrypt

(Year<2013ANDType=Fitness)

Policy:(Year<2013ANDtype=Fitness)

private

Ourapproach:Attribute-basedencryption(ABE)

• Assumethatuser-specificABEpublic/privatekeypair• Threemainfunctions

10

GenerateDecKey

Encrypt

Decrypt

(Year<2013ANDType=Fitness)

Policy:(Year<2013ANDtype=Fitness)

private

Attributes:Location=US,Year=2012,Type=fitness

public

Ourapproach:Attribute-basedencryption(ABE)

• Assumethatuser-specificABEpublic/privatekeypair• Threemainfunctions

10

GenerateDecKey

Encrypt

Decrypt

Location=US,Year=2012,Type=fitness

(Year<2013ANDType=Fitness)

Policy:(Year<2013ANDtype=Fitness)

private

Attributes:Location=US,Year=2012,Type=fitness

public

Ourapproach:Attribute-basedencryption(ABE)

• Assumethatuser-specificABEpublic/privatekeypair• Threemainfunctions

10

GenerateDecKey

Encrypt

Decrypt

Location=US,Year=2012,Type=fitness

(Year<2013ANDType=Fitness)

Location=US,Year=2012,Type=fitness

(Year<2013ANDType=Fitness)

Policy:(Year<2013ANDtype=Fitness)

private

Attributes:Location=US,Year=2012,Type=fitness

public

Ourapproach:Attribute-basedencryption(ABE)

• Assumethatuser-specificABEpublic/privatekeypair• Threemainfunctions

10

GenerateDecKey

Encrypt

Decrypt

Location=US,Year=2012,Type=fitness

(Year<2013ANDType=Fitness)

Location=US,Year=2012,Type=fitness

(Year<2013ANDType=Fitness)

Policy:(Year<2013ANDtype=Fitness)

private

Attributes:Location=US,Year=2012,Type=fitness

public

Ourapproach:Attribute-basedencryption(ABE)

• Assumethatuser-specificABEpublic/privatekeypair• Threemainfunctions

10

GenerateDecKey

Encrypt

Decrypt

Note:attributesandpolicyareincleartext

Location=US,Year=2012,Type=fitness

(Year<2013ANDType=Fitness)

Location=US,Year=2012,Type=fitness

(Year<2013ANDType=Fitness)

Policy:(Year<2013ANDtype=Fitness)

private

Attributes:Location=US,Year=2012,Type=fitness

public

SievewithABE

11

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

SievewithABE

11

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial

ABEEncrypt

SievewithABE

11

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial

ABEEncrypt

SievewithABE

11

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial

(Year<2013ANDType=Fitness)

ABEEncrypt

ABEGenerateDecKey

SievewithABE

11

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial

(Year<2013ANDType=Fitness)

ABEEncrypt

ABEGenerateDecKey

SievewithABE

11

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial

(Year<2013ANDType=Fitness)

Location=US,Year=2012,Type=fitness

ABEEncrypt

ABEGenerateDecKey

SievewithABE

11

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

Location=US,Year=2012,Type=fitness

Year=2015,Type=financial

(Year<2013ANDType=Fitness)

Location=US,Year=2012,Type=fitness

ABEEncrypt

ABEGenerateDecKey ABEDecrypt

ChallengeswithABE• Performance• Revocation• DeviceLoss

12

ReduceABEOperations• ABEisapublic-keycryptosystemsoslowerthansymmetrickeycryptography

• Optimizations– HybridEncryption– Storage-baseddatastructure

13

HybridEncryption

14

HybridEncryption

14

symmetric

HybridEncryption

Data

14

symmetric

HybridEncryption

Data

14

symmetric

ABE

symmetricGUID

HybridEncryption

Data

Metadatablock

14

symmetric

ABE

symmetricGUID

HybridEncryption

Data

Metadatablock

14

symmetric

ABE

symmetricGUIDIndexAttr1Attr2Attr3Attr4Attr5

metameta

metameta

meta

IndexGUID1GUID2GUID3GUID4GUID5

datadatadatadata

data

HybridEncryption

Data

Metadatablock

14

symmetric

ABE

symmetricGUIDIndexAttr1Attr2Attr3Attr4Attr5

metameta

metameta

meta

IndexGUID1GUID2GUID3GUID4GUID5

datadatadatadata

data

HybridEncryption

Data

Onlyhavetoperformsymmetrickeyoperationsinfuture

Metadatablock

14

symmetric

ABE

symmetricGUIDIndexAttr1Attr2Attr3Attr4Attr5

metameta

metameta

meta

IndexGUID1GUID2GUID3GUID4GUID5

datadatadatadata

data

Storage-baseddatastructure• Extensionofhybridencryption

15

Storage-baseddatastructure• Extensionofhybridencryption

15

Datasymmetric

Datasymmetric

Datasymmetric

Storage-baseddatastructure• Extensionofhybridencryption

15

Datasymmetric

Datasymmetric

Datasymmetric

GUID GUID GUID

symmetric

Storage-baseddatastructure• Extensionofhybridencryption

15

Datasymmetric

Datasymmetric

Datasymmetric

GUID GUID GUID

symmetric

ABE

symmetricGUID

Storage-baseddatastructure• Extensionofhybridencryption

15

Datasymmetric

Datasymmetric

Datasymmetric

GUID GUID GUID

symmetric

ABE

symmetricGUID

ChallengeswithABE• Performance• Revocation• DeviceLoss

16

Revocation

17

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

Revocation

17

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

Revocation

17

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

Revocation

17

NYMarathon

BostonMarathon

Insurance

FitBitCloudServer

type=race

type=running

type=fitness

• Webservicestillhascachedkeys• Needtore-encryptdata

Re-encryptionwithHybridEncryption

• Needtore-encryptmetadataanddata– Easytore-encryptmetadatablock– Howdowere-encryptdataobject?• Download,re-encrypt,andupload• Requiressubstantialbandwidthandclient-sidecomputation

18

Solution:KeyHomomorphism• Allowschangingkeyinencrypteddata– Symmetriccipherthatprovidesin-placere-encryption

• Doesnotlearnoldkey,newkey,orplaintext• Morespecificsonschemeareinthepaper

19

FullRevocationProcessDatasymmetric

ABE(attrs,epoch=0)

symmetric

20

MetadataBlock

FullRevocationProcessDatasymmetric

ABE(attrs,epoch=0)

symmetric

20

MetadataBlock

FullRevocationProcessDatasymmetric

ABE(attrs,epoch=0)

symmetric

20

MetadataBlock

δ(,)

FullRevocationProcessDatasymmetric

ABE(attrs,epoch=0)

symmetric

20

MetadataBlock

δ(,)

FullRevocationProcessDatasymmetric

ABE(attrs,epoch=0)

symmetric

20

MetadataBlock

symmetric

δ(,)

FullRevocationProcessDatasymmetric

ABE(attrs,epoch=0)

symmetric

20

MetadataBlock

symmetric

symmetricABE(attrs,epoch=1)

δ(,)

FullRevocationProcessDatasymmetric

ABE(attrs,epoch=0)

symmetric

20

MetadataBlock

symmetricsymmetricABE(attrs,epoch=1)

δ(,)

FullRevocationProcessDatasymmetric

ABE(attrs,epoch=0)

symmetric

20

MetadataBlock

Issuenewkeystowebserviceswhosedataaccesshasbeenchangedandaffectedbyrevocation

symmetricsymmetricABE(attrs,epoch=1)

δ(,)

ChallengeswithABE• Performance• Revocation• DeviceLoss

21

Whatifauserlosesherdevice?• UserhasABEprivatekey• Lossofkeyrequiresresetofsystem– Re-encryptingallherdataandissuingnewkeys

• Isthereawayforausertorecoverfromdeviceloss?

22

Solution:Secretsharing• UsersplitsherABEprivatekeyacrossdevices• Requiresathresholdtoreconstructsecret– ReconstructbeforeusingABEprivatekey

• Whenadeviceislost,gathersdevicestoreconstructsecretandissuenew“shares”

23

Outline• Sieve– Protocol– Optimizations– Revocation– DeviceLoss

• Implementation• Evaluation

24

SieveImplementation

25

Cryptography:• LibfencwithStanfordPBCforABE• AES(norevocation)andrandomizedcountermodewith

Ed448(revocation)

SieveImplementation

25

StorageProviderUser Webservices

Sieveuserclient Sievestoragedaemon Sievedataimport

• ~1000LoC• MongoDBand

BerkeleyDB

• ~1400LoC • Service-specific

Cryptography:• LibfencwithStanfordPBCforABE• AES(norevocation)andrandomizedcountermodewith

Ed448(revocation)

Evaluation• IsiteasytointegrateSieveintoexistingwebservices?

• CanwebservicesachievereasonableperformancewhileusingSieve?

26

EvaluationSetup• Multicoremachine,2.4GHzIntelXeon• Webserversranonmachine’sloopback–Minimizenetworklatency– Focusoncryptographicoverheads

27

CaseStudies• Integratedwith2opensourcewebservices– OpenmHealth,health:smalldata

• Visualizehealthdata• Oneweek’shealthdata:6KB

– Piwigo,photo:largedata• Editanddisplayphotos• Onephoto:375KB

28

EasytointegratewithSieve• Linesofcoderequiredforintegration– OpenmHealth:~200lines– Piwigo:~250lines

29

AcceptableperformanceforOpenmHealthandPiwigoSecond

s

0

1.5

3

4.5

6

OpenmHealth Piwigo

WriteRead

30

Ed448withkeycaching

PerformancegapbetweenAESandEd448Second

s

0

1.5

3

4.5

6

OpenmHealthEd448 OpenmHealthAES

WriteRead

31

Serverper-corethroughputisgood• OpenmHealth

– Storagewrite:50MB/s– Webserviceimport:70users/min(Ed448)

• Piwigo– Storagewrite:200MB/s– Webserviceimport:14photos/min(Ed448)

32

Revocationperformanceisreasonable

• Re-encryptametadatablock(10attrs):0.63s• Re-key100KBdatablock:0.66s• Generatenew10attributekey:0.46s

33

Secretsharingisfast• For5sharesandthresholdof2:– SplittingABEkeyrequires0.04ms– Reconstructingkeyrequires0.09ms

34

Summary• Required<250LoCtointegratewithcasestudies• Readandwritedatainreasonableamountoftime• Goodper-coreserverthroughputforstoragewritesandapplicationdataimports

• Revocationfunctionstake<1second• Secretsharingtakesnegligibletime

35

RelatedWork• UntrustedServers– ShadowCrypt,SUNDR,Depot,SPORC,CryptDB,DepSky,Bstore,Mylar,Privly

• ABEandPredicateEncryptionStorage– Persona,Priv.io,Catchet(ABE)– GORAM(Predicate)

• AccessDelegationSchemes– OAuth,AAuth,Macaroons

36

RelatedWork• UntrustedServers– ShadowCrypt,SUNDR,Depot,SPORC,CryptDB,DepSky,Bstore,Mylar,Privly

• ABEandPredicateEncryptionStorage– Persona,Priv.io,Catchet(ABE)– GORAM(Predicate)

• AccessDelegationSchemes– OAuth,AAuth,Macaroons

36

SolvedifferentproblemsthanSieve

RelatedWork• UntrustedServers– ShadowCrypt,SUNDR,Depot,SPORC,CryptDB,DepSky,Bstore,Mylar,Privly

• ABEandPredicateEncryptionStorage– Persona,Priv.io,Catchet(ABE)– GORAM(Predicate)

• AccessDelegationSchemes– OAuth,AAuth,Macaroons

36

SolvedifferentproblemsthanSieve

Nocompleterevocationand/orabilitytorecoverfromdeviceloss

RelatedWork• UntrustedServers– ShadowCrypt,SUNDR,Depot,SPORC,CryptDB,DepSky,Bstore,Mylar,Privly

• ABEandPredicateEncryptionStorage– Persona,Priv.io,Catchet(ABE)– GORAM(Predicate)

• AccessDelegationSchemes– OAuth,AAuth,Macaroons

36

SolvedifferentproblemsthanSieve

Nocompleterevocationand/orabilitytorecoverfromdeviceloss

LesssecureandexpressivethanSieve

Conclusions• Sieveisanewaccesscontrolsystemthatallowsuserstoselectivelyandsecurelyexposetheirprivateclouddatatowebservices

• EfficientlyuseABEtomanagekeysandpolicies• Completerevocationschemecompatiblewithhybridencryptionusingkeyhomomorphism

• Easytointegrateandreasonableperformance

37