click to edit master title style fall, 2011 - privacy&security - virginia tech – computer...
TRANSCRIPT
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Cryptographic Security
Secret Sharing, Vanishing Data
1
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
How can a group of individuals share a secret?Requirements:
some information is confidential the information is only available when any k of the n
members of group collaborate (k <= n)• k = n implies unanimity• k >= n/2 implies simple majority• k = 1 implies independence
Assumptions The secret is represented as a number The number may be the secret or a (cryptographic)
key that is used to decrypt the secret
2
Secret Sharing
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
General idea: Secret data D is divided in n pieces D1,…Dn Knowledge of k or more Di pieces makes D easily computable Knowledge of k-1 or fewer pieces leaves D completely
unknowable Terminology
This is called a (k,n) threshold scheme Uses
Divided authority (requires multiple distinct approvals from among a set of authorities)
Cooperation under mutual suspicion (secret only disclosed with sufficient agreement)
3
Secret Sharing
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Mathematics A polynomial of degree n-1 is of the form
Just as 2 points determine a straight line (a polynomial of degree 1), n+1 points uniquely determine a polynomial of degree n. That is, if
then
4
Secret Sharing
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Given D, k, and n Construct a random k-1 degree polynomial
5
Simple (k,n) Threshold Scheme
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Given D, k, and n Construct a random k-1 degree polynomial
Distribute the n pieces as (i, Di)Any k of the n pieces can be used to find the unique
polynomial and discover a0 (equivalently solve for q(0) )
Finding the polynomial is called polynomial interpolation
6
Simple (k,n) Threshold Scheme
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Suppose k=2, n=3, and D=34Choose a random k-1 degree polynomial:
Generate n values:
The n pieces are (1,46), (2,58), and (3,70)
7
Example
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Given 2 pieces (1,46) and (3,70) find the secret, D, by solving the simultaneous equations:
8
Example
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Given a set of k+1 data points (x0,y0)…(xk,yk)A k degree polynomial for these points is
where
Dennis Kafura – CS5204 – Operating Systems
9
What’s Lagrange Got To Do With It?
Joseph Louis Lagrange
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Motivation Many forms of data (e.g., email) are archived by
service providers for reliability/availability Data stored “in the cloud” beyond user control Such data creates a target for intruders, and may
persist beyond useful lifetime to the user’s detriment through disclosure of personal information
Recreates “forget-ability” and/or deniability Protect against retroactive data disclosure
Innovation: “vanishing data object” (VDO)
10
Vanishing Data
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
VDO permanently unreadable after a period Is readable by legitimate users during the
period Allows attacker to retroactively know the
VDO and all persistent cryptographic keys
11
Vanishing Data
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
VDO permanently unreadable after a period Is readable by legitimate users during the period Allows attacker to retroactively know the VDO and all
persistent cryptographic keysDoes not require
explicit action by the user or storage service to render the data unreadable
changes to any of the stored copies of the data secure hardware any new services (leverage existing services)
12
Vanishing Data
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 13
Example Applications
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Key elements Threshold secret sharing Distributed hash tables (DHT) P2P systems
• Availability• Scale, geographic distribution, decentralization• Churn
– Median lifetime minutes/hours– 2.4 min (Kazaa), 60 min (Gnutella), 5 hours (Vuze)– extended to desired period by background refresh
• VUZE– Open-source P2P system – using bittorrent protocol
14
Vanish Architecture
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Operation Locator is a pseudorandom number generator keyed
by L; used to select random locations in the DHT for storing the VDO
VDO is encrypted with key K N shares of K are created and then K is erased VDO = (L, C, N, threshold)
15
Vanish Architecture
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 16
Setting Parameters
Use threshold=90%Use N=50
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Tradeoff Larger threshold values provide more security Larger threshold values provide shorter lifetimes
17
Setting Parameters
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Prepush – Vanish proactively creates and distributes data keys
18
Performance Measurement
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Decapsulate VDO prior to expiration Further encrypt data using traditional encryption
schemesEavesdrop on net connection
Use DHT that encrypts traffic between nodes Compose with system (like TOR) to tunnel interactions
with DHT through remote machinesIntegrate in DHT
Eavesdrop on store/lookup operations• Possible but extremely expensive to attacker (see next)
Standard attacks on DHTs• Adopt standard solution
19
Attack Vectors and Defenses