NFC Application Security Sandeep Tamrakar Aalto University, 2013-11-21.
WP1: Private Membership Test & WP2: Secure Cloud Storage and Deduplication Jian Liu, Sandeep...
WP1: Private Membership Test & WP2: Secure Cloud Storage and Deduplication
Jian Liu, Sandeep Tamrakar

Outline
• WP1: Private membership test
  – Crypto
  – Trusted Hardware
• WP2: Secure cloud storage
  – Deduplication
    • Crypto
    • Trusted Hardware
  – Easy-to-use Key Management

Screening Malware
[Diagram labels: Mobile device A; h_APK; Malware DB (cloud)]

Private Membership Test
The problem: How to preserve end user privacy for anti-malware clients that look up cloud-hosted databases?
Current solutions for private information retrieval:
• Multiple independent servers: unrealistic in commercial setting
• Single server: expensive in both computation and communication
[Diagram labels: Mobile device A; query "x?"; Malware DB holding x1 x2 x3 … xn]

Bloom Filter: efficient structure for membership test
[Diagram: Insert: x1 x2 x3 … xn pass through hash functions h1 h2 h3 into the filter (0 1 1 0 1 0 1 0 1 0). Check: x passes through h1 h2 h3 against the same filter.]
• Relatively small storage
• Query efficiently
• False Positives

Typical Parameters for Android Malware
• Size of the dataset: 2^21 samples
• False positive rate: 10^-3
• Number of hash functions: 10
• Size of the bloom filter: 2^25 bits

Solution 1: Encrypted Bloom Filter
[Diagram: Bloom filter (1 0 1 … 0) built from x1 x2 x3 … xn with hash functions {Hi}; encrypted filter E(1) E(0) E(1) … E(0) with key K; query "x?" answered by Blind Decryption, E(1) → 1.]
Meskanen T, Liu J, Niemi V. Private Membership Test for Bloom Filters.

Details of Solution 1
Building/Deploying Encrypted Bloom Filter (server side, N = p*q)
For each bit b_i in the bloom filter: find the smallest k s.t. Jacobi(H(k||i), N) = 1
• If H(k||i) is QR_N then E(b_i) = b_i
• Else if H(k||i) is QNR_N then E(b_i) = 1 – b_i
(H(k||i) is QR_N iff Jacobi(H(k||i), p) = Jacobi(H(k||i), q) = 1)
The encrypted bits E(b_i) are deployed to the client.
Lookup
Client: find the smallest k s.t. Jacobi(H(k||i), N) = 1, then calculate z = H(k||i)*r mod N where r is a random square, and send z.
Server: answers whether z is QR_N or QNR_N.
• b_i = E(b_i) if z is QR_N
• b_i = 1 – E(b_i) if z is QNR_N

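Solution 1's build and lookup steps written out end to end, as an added example rather than the authors' implementation. It assumes SHA-256 for H, a textual encoding of k||i, and toy Mersenne primes for p and q; the class and function names are hypothetical.

```python
import hashlib, math, secrets

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by the standard reciprocity loop."""
    a %= n
    t = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                t = -t
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            t = -t
        a %= n
    return t if n == 1 else 0

def mask(i, N):
    """H(k||i) for the smallest k with Jacobi(H(k||i), N) = 1; needs no secret."""
    k = 0
    while True:
        digest = hashlib.sha256(f"{k}||{i}".encode()).digest()
        h = int.from_bytes(digest, "big") % N
        if jacobi(h, N) == 1:
            return h
        k += 1

class LookupServer:
    def __init__(self, p, q):
        self.p, self.q, self.N = p, q, p * q   # p and q never leave the server
    def is_qr(self, z):
        # QR mod N iff QR mod p and QR mod q, so this needs the factorisation.
        return jacobi(z, self.p) == 1 and jacobi(z, self.q) == 1
    def encrypt_filter(self, bits):
        # E(b_i) = b_i if H(k||i) is a QR mod N, else 1 - b_i.
        return [b if self.is_qr(mask(i, self.N)) else 1 - b
                for i, b in enumerate(bits)]

def blind(i, N):
    """Client side: z = H(k||i) * r mod N, with r = s^2 a random square."""
    while True:
        s = secrets.randbelow(N - 2) + 2
        if math.gcd(s, N) == 1:
            return mask(i, N) * pow(s, 2, N) % N

def lookup_bit(i, enc_filter, server):
    """Recover b_i; the server is shown only the blinded value z, never i."""
    z = blind(i, server.N)
    return enc_filter[i] if server.is_qr(z) else 1 - enc_filter[i]

# Constructed toy parameters: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
BITS = [0, 1, 1, 0, 1, 0, 1, 0, 1, 0]   # the 10-bit filter drawn on the Bloom filter slide
```

Multiplying by a random square keeps the quadratic-residue class of H(k||i) while making z look unrelated to the queried position, which is why the server's answer decrypts the bit without revealing which bit was asked for.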
Solution 2: Bloom Filter of Encrypted Records
[Diagram: records x1 x2 x3 … xn encrypted under key k into E(x1) E(x2) E(x3) … E(xn), then inserted with hash functions {Hi} into the Bloom filter (1 0 1 … 0); query "x?": Blind Signature with inputs x and k, output E(x).]
Nojima R, Kadobayashi Y. Cryptographically Secure Bloom-Filters[J]. Transactions on Data Privacy, 2009, 2(2): 131-139.

Solution 3: Bloom Filter with hidden hash functions
[Diagram: Bloom filter (1 0 1 … 0) built from x1 x2 x3 … xn with hash functions {Hi}; query "x?": Oblivious Pseudorandom Function with inputs x and {Hi}, output {Hi(x)}.]
Nojima R, Kadobayashi Y. Cryptographically Secure Bloom-Filters[J]. Transactions on Data Privacy, 2009, 2(2): 131-139.

Comparison

| | Solution 1 | Solution 2 | Solution 3 |
|---|---|---|---|
| Preprocessing | 2^25 Jacobi | 2^25 RSA | - |
| Online (Server) | 20 Jacobi | 1 exp., 1 mod. | 200 OTs and 2 exp. |
| Online (Client) | 20 Jacobi | 1 exp., 2 mod. | |

Private Membership Test with Trusted Hardware
• Trusted Execution Environments (TEEs) are ubiquitous
  – Available on smartphones
  – Available for servers
• Can we achieve a practical solution for Private Membership Test?
• Designed a solution that operates as a trusted third party inside the TEE at the lookup server.

Overview of Operations
PKs: Public key of the Lookup Server
t: constant time (1 round of Bloom Filter processing)
[Diagram: Request 1, Request 2, …, Request n carry E_PKs(H(data1)), E_PKs(H(data2)), …, E_PKs(H(datan)) to the TEE inside the Lookup Server. The TEE contains a BF Position Generator and reads BF Chunk 1, BF Chunk 2, BF Chunk 3, …, BF Chunk n. Requests are processed in parallel; Response 1, Response 2, …, Response n each take time t.]

Typical Parameters
• Low-cost hardware (dual-core ARMv7, 1GHz).
• Implemented using <t-base API on TrustZone.
• Size of the database: 2^21 samples / 2^26 samples
• False positive rates: 10^-3
• Number of hash functions: 10
• Size of the bloom filter: 2^25 bits / 2^30 bits
• One complete round of BF processing time: ~170 ms
• Process up to 128 parallel requests

Private Membership Test
The problem: How to preserve end user privacy for anti-malware clients that look up cloud-hosted databases?
Our approach: Build a private membership test scheme based on Bloom filters using (a) cryptography and (b) trusted hardware.
Results so far: (a) Using Goldwasser-Micali homomorphic encryption scheme (paper, poster) (b) mediated by Trusted H/W (poster/demo)
Work Package 1
What?
WP leads: Jian Liu and Sandeep Tamrakar
Deduplication
[Diagram labels: Client side deduplication; Server side deduplication; Side Channel!]

Deduplication on Encrypted Data
Convergent Encryption
• Calculate the hash of each file
• Use the hash to encrypt the file
• Same file will get the same ciphertext
Suffers from the offline brute-force guessing attack
[Diagram labels: SK_APK_A; Ka; Kb; ?]
Douceur, John R., et al. "Reclaiming space from duplicate files in a serverless distributed file system." Distributed Computing Systems, 2002. Proceedings. 22nd International Conference on. IEEE, 2002.

State of the Art: Independent Key Server
Goal: prevent offline brute-force guessing attacks
[Diagram labels: Oblivious key generation (twice, one per client); SK_APK_A; Ka; Kb]
• Unrealistic in business settings
• Suffers from online brute-force guessing attacks
Bellare, Mihir, Sriram Keelveedhi, and Thomas Ristenpart. "DupLESS: server-aided encryption for deduplicated storage." Proceedings of the 22nd USENIX conference on Security. USENIX Association, 2013.

Crypto-based Solution
[Diagram labels: Oblivious Key Sharing; SK_APK_A; Ka; Kb]

Oblivious Key Sharing Protocol
[Protocol diagram, recovered labels in order]
One side holds Fb and (pk, sk); the other side holds Fa and K.
Password Authenticated Key Exchange (PAKE): inputs Fb and Fa, outputs kb and ka.
kbL, Cb = Enc(pk, kbR + r)
kaL, Ca = Enc(pk, K + kaR)
If kaL = kbL, e = Ca – Cb = Enc(pk, K – r)
Else, e = Enc(pk, r')
e
K' = Dec(sk, e) + r
…
E(K', Fb)
Use rate limiting to bound the number of protocol runs: prioritizing popular files.

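The key arithmetic of the protocol above, as an added example that is not the authors' code. It assumes Paillier as the additively homomorphic Enc (the slide does not name the scheme), models PAKE as an ideal functionality, and takes kL/kR to be the two halves of the PAKE output sent via the server; all function names are hypothetical.

```python
import secrets

# Constructed toy primes (Mersenne); a real modulus needs to be far larger.
P, Q = 2**61 - 1, 2**89 - 1

def keygen(p=P, q=Q):
    n = p * q
    phi = (p - 1) * (q - 1)
    return n, (n, phi, pow(phi, -1, n))            # (pk, sk)

def enc(pk, m):
    n2 = pk * pk
    r = secrets.randbelow(pk - 1) + 1
    return (1 + (m % pk) * pk) * pow(r, pk, n2) % n2

def dec(sk, c):
    n, phi, mu = sk
    return (pow(c, phi, n * n) - 1) // n * mu % n

def sub(pk, ca, cb):
    """Homomorphic subtraction: Enc(a) and Enc(b) give Enc(a - b mod n)."""
    n2 = pk * pk
    return ca * pow(cb, -1, n2) % n2

def ideal_pake(file_a, file_b):
    """Stand-in for PAKE: equal inputs yield one shared key, else unrelated keys."""
    ka = secrets.token_bytes(32)
    kb = ka if file_a == file_b else secrets.token_bytes(32)
    return ka, kb

def split(k):
    return k[:16], int.from_bytes(k[16:], "big")   # (left half, right half as int)

def share_key(file_a, K, file_b):
    """One protocol run; returns K', the key the holder of Fb ends up with."""
    pk, sk = keygen()                        # key pair of the Fb side
    ka, kb = ideal_pake(file_a, file_b)
    (ka_l, ka_r), (kb_l, kb_r) = split(ka), split(kb)
    r = secrets.randbelow(pk)                # blinding value chosen by the Fb side
    cb = enc(pk, kb_r + r)                   # sent with kbL
    ca = enc(pk, K + ka_r)                   # sent with kaL
    if ka_l == kb_l:                         # server compares left halves only
        e = sub(pk, ca, cb)                  # Enc(pk, K - r): kaR and kbR cancel
    else:
        e = enc(pk, secrets.randbelow(pk))   # Enc(pk, r'): unrelated random value
    return (dec(sk, e) + r) % pk             # K' = Dec(sk, e) + r
```

When the files match, K' equals the existing key K, so the new upload encrypts to the same ciphertext and deduplicates; when they differ, K' is a fresh random key and neither side can tell the difference from the messages alone.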
Simulation - datasets
• Media Dataset
– Use Android app popularity dataset as proxy
– 7,396,235 uploads
– 178,396 distinct files
• Enterprise Dataset
– Debian Popularity Contest
– 217,927,332 uploads
– 143,949 are distinct
Simulation – results
• Average number of PAKE runs = (Total number of PAKE runs) / (Total number of upload requests)
• Deduplication Percentage = 1 – (Number of all files in storage) / (Total number of upload requests)

Prototype and Performance
• Node.js for the Web framework, Redis for the database
• SHA-256, AES-256-CBC, GMP Library (C)

Summary of Crypto-based Solution
• First single server scheme that simultaneously enables deduplication and strong encryption
• Better security guarantees than previous work
• Deduplication effectiveness: close to perfect
• Overhead: negligible for large files

State of the Art: Independent Key Server
[Diagram labels: Independent Key Server; Oblivious key generation (twice); File A with Ka; File B with Kb]
Unrealistic in business settings

State of the Art: Independent Key Server
[Diagram labels: Trusted Execution Environment; HOST; File A, "# = hash of File A", Ka; File B, "# = hash of File B", Kb]
Unrealistic in business settings

Deduplication using Trusted Hardware
• Key Server runs in ARM TrustZone
• <t-base API (Trustonic)
• Used a smartphone that can be plugged in as an HSM
• Key fetching time: 1.4 sec
• Additional bandwidth: 280 bytes

Easy-to-use Key Management
• Users access their data from multiple devices
• Cloud storage to share / synchronize data among devices
• To preserve privacy in the cloud, data is encrypted
• State of the art: encryption keys derived from passwords
• File updates require re-encrypting whole file
• Easy-to-use key management
• Client-generated strong keys
• Consistent and simple user interaction for key distribution
• Efficient file updates

Key Distribution
Key distribution channel discovered automatically:
• Camera / Display: QR code
• Display / keyboard: passcode
[Diagram labels: Mobile device A; Old Device; New Device; "PKnew, AuthKnew"; "Encrypt with PKnew"; Encrypted content (cloud)]

Problem: Updating encrypted file
• Updated file – Original file = P, where P << File size
• Encrypted updated file – Encrypted original file = E, where E ≈ File size

Solution: Synchronization approach
[Diagram: Updated file – Original file = Diff file; the Encrypted diff file is stored in the cloud next to the Encrypted Original file; after decrypt, Diff file + Original file = Updated file.]

Deduplication with diff files
[Diagram labels: User A; User B; Encrypted original file (cloud); Changes from User B as Diff file 1, Diff file 2, Diff file 3; keys Kori and Kb]

Current status - OmniShare
• Client side encryption with strong keys
• Easy to use key distribution scheme– Key exchange via:
• Camera / Display: QR code
• display / key board: passcode
• Work with popular cloud storage services like Dropbox
• Available on Android & Windows
https://se-sy.org/projects/omnishare/
Client-encrypted cloud storage in real life
The problem: How to reconcile the need for strong client-side encryption with real life constraints?
(a) deduplication (business constraint)
(b) use of multiple devices (usability constraint)
Our approach: (a) use trusted hardware or cryptographic protocols; (b) design an intuitive key management scheme
Results so far: (a) Secure deduplication w/o additional servers (draft paper, poster/demo), via key server in trusted h/w (b) OmniShare (poster/demo)
Work Package 2
What?
WP leads: Jian Liu and Sandeep Tamrakar