click to edit master title style fall, 2011 - privacy&security - virginia tech – computer...

Click to edit Master title style

Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science

Cryptographic Security

Secret Sharing, Vanishing Data

1



How can a group of individuals share a secret?Requirements:

some information is confidential the information is only available when any k of the n

members of group collaborate (k <= n)• k = n implies unanimity• k >= n/2 implies simple majority• k = 1 implies independence

Assumptions The secret is represented as a number The number may be the secret or a (cryptographic)

key that is used to decrypt the secret

2

Secret Sharing



General idea: Secret data D is divided in n pieces D1,…Dn Knowledge of k or more Di pieces makes D easily computable Knowledge of k-1 or fewer pieces leaves D completely

unknowable Terminology

This is called a (k,n) threshold scheme Uses

Divided authority (requires multiple distinct approvals from among a set of authorities)

Cooperation under mutual suspicion (secret only disclosed with sufficient agreement)

3

Secret Sharing



Mathematics A polynomial of degree n-1 is of the form

Just as 2 points determine a straight line (a polynomial of degree 1), n+1 points uniquely determine a polynomial of degree n. That is, if

then

4

Secret Sharing



Given D, k, and n Construct a random k-1 degree polynomial

5

Simple (k,n) Threshold Scheme



Given D, k, and n Construct a random k-1 degree polynomial

Distribute the n pieces as (i, Di)Any k of the n pieces can be used to find the unique

polynomial and discover a0 (equivalently solve for q(0) )

Finding the polynomial is called polynomial interpolation

6

Simple (k,n) Threshold Scheme



Suppose k=2, n=3, and D=34Choose a random k-1 degree polynomial:

Generate n values:

The n pieces are (1,46), (2,58), and (3,70)

7

Example



Given 2 pieces (1,46) and (3,70) find the secret, D, by solving the simultaneous equations:

8

Example



Given a set of k+1 data points (x0,y0)…(xk,yk)A k degree polynomial for these points is

where

Dennis Kafura – CS5204 – Operating Systems

9

What’s Lagrange Got To Do With It?

Joseph Louis Lagrange



Motivation Many forms of data (e.g., email) are archived by

service providers for reliability/availability Data stored “in the cloud” beyond user control Such data creates a target for intruders, and may

persist beyond useful lifetime to the user’s detriment through disclosure of personal information

Recreates “forget-ability” and/or deniability Protect against retroactive data disclosure

Innovation: “vanishing data object” (VDO)

10

Vanishing Data



VDO permanently unreadable after a period Is readable by legitimate users during the

period Allows attacker to retroactively know the

VDO and all persistent cryptographic keys

11

Vanishing Data



VDO permanently unreadable after a period Is readable by legitimate users during the period Allows attacker to retroactively know the VDO and all

persistent cryptographic keysDoes not require

explicit action by the user or storage service to render the data unreadable

changes to any of the stored copies of the data secure hardware any new services (leverage existing services)

12

Vanishing Data


Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 13

Example Applications



Key elements Threshold secret sharing Distributed hash tables (DHT) P2P systems

• Availability• Scale, geographic distribution, decentralization• Churn

– Median lifetime minutes/hours– 2.4 min (Kazaa), 60 min (Gnutella), 5 hours (Vuze)– extended to desired period by background refresh

• VUZE– Open-source P2P system – using bittorrent protocol

14

Vanish Architecture



Operation Locator is a pseudorandom number generator keyed

by L; used to select random locations in the DHT for storing the VDO

VDO is encrypted with key K N shares of K are created and then K is erased VDO = (L, C, N, threshold)

15

Vanish Architecture


Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 16

Setting Parameters

Use threshold=90%Use N=50



Tradeoff Larger threshold values provide more security Larger threshold values provide shorter lifetimes

17

Setting Parameters



Prepush – Vanish proactively creates and distributes data keys

18

Performance Measurement



Decapsulate VDO prior to expiration Further encrypt data using traditional encryption

schemesEavesdrop on net connection

Use DHT that encrypts traffic between nodes Compose with system (like TOR) to tunnel interactions

with DHT through remote machinesIntegrate in DHT

Eavesdrop on store/lookup operations• Possible but extremely expensive to attacker (see next)

Standard attacks on DHTs• Adopt standard solution

19

Attack Vectors and Defenses



Assuming 5% of the DHT nodes are compromised what is the probability of VDO compromise?

20

Parameters and security

click to edit master title style fall, 2011 - privacy&security - virginia tech – computer...

Documents

master title stylefall

degree polynomial

secret data d

n pieces d1

n values

polynomial interpolation

unique polynomial

n members of group