Need for Privacy Enhancing Technologies 1 What is challenging about standard encryption?

Upload: bernadette-peters

Post on 28-Dec-2015


Page 1: Need for Privacy Enhancing Technologies

What is challenging about standard encryption?

Page 2: Challenge: Privacy versus Data Utilization Dilemma

Figure: a client holding sensitive data outsources it, encrypted, to cloud storage. The client would like the cloud to search and analyze the data on its behalf, but under standard encryption the cloud can neither search nor analyze the ciphertext.

Impact: with standard encryption, privacy is obtained only by giving up the utility of the outsourced data.

Page 3: Searchable Encryption (Generic Framework)

Figure: client on the left, cloud on the right.

- Setup: the client holds files f1, …, fn, extracts their keywords w1, …, wn, encrypts the files into ciphertexts c1, …, cn, and derives trapdoors t1, …, tn that are organized in a data structure, the searchable representation. Ciphertexts and searchable representation are outsourced to the cloud.
- Search: to search for keyword w1 the client derives trapdoor t1 and sends it to the cloud, which evaluates it against the searchable representation and returns the matching ciphertexts (e.g. c1, which decrypts to f1).
- Update: to update file fi the client sends an update token (zi, V) that the cloud applies to the searchable representation.

Page 4: Need for Privacy Enhancing Technologies 1 What is challenging about standard encryption?

Curtmola et al. (CCS 2006) (+) Efficient encrypted searches (-) No update on files (addition/removal not possible)

Variants of CCS 2006 with various properties: Ranked, multi-keyword, wildcard, … (-) No update and inefficient

Kamara et. al. (CCS 2012) (+) Updates: New files can be added/removed (-) Update leaks information (insecure updates)

Kamara et. al. (FC 2013) (+) Secure updates (-) Searchable words are fixed (cannot add a new keyword later) (-) Extremely large cloud storage (multi TBs, impractical)

4

Prior Work on Searchable Encryption (Milestones)

Page 5: Contribution: A New Dynamic Symmetric SE Scheme

A. A. Yavuz, J. Guajardo, A. Ragi, "Dynamic and Parallelizable Symmetric Searchable Encryption with Secure Updates". Patent filed (disclosure allowed).

For 10^5 keywords and 10^6 files, compared to Kamara et al. (FC 2013):
- 5120 times smaller storage at the cloud
- 20 times faster update
- 680 times smaller communication overhead
- Both files and keywords can be added/removed securely

Page 6: Our Scheme: Searchable Representation

Searchable representation: a binary matrix I. Row i ∈ {1, …, m} corresponds to keyword wi; column j ∈ {1, …, n} corresponds to file fj. I[i,j] = 1 if keyword wi appears in file fj, otherwise 0.

The matrix integrates the index and the inverted index and is simple yet efficient: search is a row operation (inverted index: row i lists the files containing wi), update is a column operation (index: column j lists the keywords of fj).

Example (keywords w1, …, wm as rows, files f1, f2, …, fn as columns):

  (i,j)   1   2   .   .   .   n
  w1      1   0   1   0   0   0
  w2      1   0   0   0   0   1
  .       0   0   1   0   0   0
  .       0   0   0   1   0   1
  .       0   0   1   1   0   0
  wm      0   0   0   0   0   1

Page 7: Our Scheme: Map keyword/file to the matrix

Keyword w → row i ∈ {1, …, m} and file f → column j ∈ {1, …, n}, dynamically and efficiently, via two open-address hash tables (collision-free, one-to-one, O(1) access):

- File table TF: $z_f = \mathrm{MAC}_{k_f}(f)$, $j = TF(z_f)$. Example entries: (1, z100), (2, z250), …, (128, zl), …, (257, zr), …, (n, z6).
- Keyword table TW: $t_w = \mathrm{MAC}_{k_w}(w)$, a 160-bit value, and $i = TW(t_w) \in \{1, \dots, m\}$ (m up to 10^6). Example entries: (1, t55), (2, t300), …, (m, t2).

Example matrix (columns 1, 2, …, 128, …, 256, …, n):

  (i,j)   1   2   . . .   128   . . .   256   . . .   n
  1       0   0   . . .    1    . . .    0    . . .   1
  2       0   0   . . .    0    . . .    1    . . .   0
  .       1   0   . . .    0    . . .    0    . . .   1
  m       1   0   . . .    0    . . .    1    . . .   1

Page 8: Need for Privacy Enhancing Technologies 1 What is challenging about standard encryption?

Derive row key

Encrypt each row i with ri (AES 128 CTR mode)

Our Scheme: Encrypt Searchable Representation

(i,j)

1 . . . 128

. . .

256

. . .

n

1 0 . . . 1 . . .

0 . . . 1

. 1 . . . 0 . . .

0 . . . 0

. 0 . . . 1 . . .

0 . . . 1

m 1 . . . 0 . . .

1 . . . 1

),*],1[(,*]1['1

stIEI r

),*],[(,*][' stmIEmImr

Achieving Dynamic Keywords: Static schemes: Derived keys from keywords

Break static relation between keys and keywords

)( iki wKDFr

via a tolink ),||(2

TWw rpadiKDFr iki

8

rand. is ),||(2

padpadiKDFr ki

r1

rm

.

.

.

Page 9: Need for Privacy Enhancing Technologies 1 What is challenging about standard encryption?

Search keyword w on I’ :

Our Scheme: Search on Encrypted Representation

)||( .3

, 2.

),( .1

2

1

padiKDFr

)TW(ti

wMACt

ki

w

kw

9

Client

TF)TWI ,,( 'Cloud

Decrypt i’th row of I’[i,*] with ri I[i,*]I’ 1 . . . 12

8 . . .

n

1 0 . . . 1 . . .

1

. 1 . . . 0 . . .

0

i 0 . . . 1 . . .

1

m 1 . . . 0 . . .

1

),*],['(,*][ stiIDiIir

I[i,j]=1 then ciphertext cj contains twI 1 .. 55 .. 25

3 254

.. n

i 1 0 1 0 1 0 0 1

TF)TWkkkk ,,,,,( 4321

c1 c55 c253

cn

Decrypt with k4

Get f1,f55,…,fn

),( iri

Page 10: Need for Privacy Enhancing Technologies 1 What is challenging about standard encryption?

Add a new file f to I’ :

Our Scheme: Update on Encrypted Representation

l2 ww , , , wf 1

10

Client

TF)TWI ,,( 'Cloud

Replace new column with j’th column of I’

I’ 1 . . . j . . .

n

1 0 . . . 1 . . .

1

. 1 . . . 0 . . .

0

. 0 . . . 1 . . .

1

m 1 . . . 0 . . .

1

)(MACk .1

1t 2t lt...

(.)TW

1a 2ala...

)||1(21 padKDFr k

)||(2

padmKDFr km

0

1

1

0

1

0

1a

2a

)(

)(

zTFj

fMACz1k

la

0

1

1

0

1

0

E(.)

Page 11: Comparison with State-of-Art

  Scheme           File update   Security   Secure update   Keyword universe   Update comm.                    Update time              Index size
  Kamara FC 2013   Yes           CKA2+      Yes             Fixed              (2zk) O(n log2 m) ≈ 1000 MB     O((n/p) log2 m) ≈ 20     (2zk) O(nm) ≈ 58000 GB
  Our scheme       Yes           CKA2+      Yes             Dynamic            b O(n) ≈ 1.5 MB                 O(n/p) ≈ 1               O(nm) ≈ 12 GB

Parameters: n = 10^5 keywords, m = 10^6 files, n' = 10^3 (number of keywords in an updated file), z = 32-bit pointer size, k = 80 security parameter, b = 128-bit symmetric block size, p = 4 CPU cores, r = 200 (number of files containing a keyword). Note that on this slide n counts keywords and m files, the reverse of the matrix slides; update time is relative (ours = 1).

- Dynamic keyword universe
- Secure and efficient update
- Smallest index size with CKA2+ security

Page 12: Implementation (Benchmarking Results)

Average time per operation (msec):

  Operation        1,000,000 keywords   200,000 keywords   2,000 keywords
                   5,000 files          50,000 files       2,000,000 files
  Build Index      822.6                493                461
  Search Keyword   0.01                 0.27               10.02
  Add File         2772                 472                8.83
  Delete File      2362                 329                8.77

Setup: Enron email dataset; Ubuntu 13.10, 4 GB RAM, Intel i5 processor, 256 GB hard disk.

- All operations are practical.
- Search takes under a msec, and only 10 msec for 2 million files.
- Update varies from 8 msec to 2 sec.

Page 13: Security Analysis of Our DSSE (Very Brief)

Confidentiality focus (integrity/authentication can be added).

Leakage:
- Access pattern: the file identifiers that satisfy a search query (the search results).
- Search pattern: the history of searches (whether a search token was used in the past).

IND-CKA2 (adaptive chosen-keyword attacks): given {I', c0, …, cn, z0, …, zn, t0, …, tm}, no adversary can learn any information about f0, …, fn and w0, …, wm other than the access and search pattern, even if queries are adaptive.

Theorem 1: Our DSSE scheme is (L1, L2)-secure in the ROM under IND-CKA2, where L1 and L2 are the access-pattern and search-pattern leakage, respectively.

Proof idea: real and simulated views are indistinguishable due to the PRF and the IND-CPA cipher.

Page 14: Implementation Details of Our DSSE

- Language: C/C++; own lines of code: 10528.
- Tomcrypt API: symmetric-key encryption AES-CTR (128-bit); MAC: CMAC-128; key derivation function: CMAC-128; file encryption: CCM (Counter with CBC-MAC).
- Intel AES-NI sample library for the AES implementation in assembly; as KDF we further exploit the AES assembly implementation by using CMAC.
- Hash tables: Google open-source static C++ data structure.

Page 15: Outline

- Privacy Enhancing Technologies for Big Data Analytics: the privacy versus data utilization dilemma; a new searchable encryption scheme.
- Efficient Security Mechanisms for Smart-Infrastructures: security challenges (smart-grid, inter/intra-car systems); fast and scalable authentication: ER, ETA, PISB, ESCAR, patents.
- Heart of Secure Systems: Protecting Audit Logs (PhD thesis): research challenges and contributions.
- Research Agenda @ OSU: towards secure smart-infrastructures; towards practical PETs.

Page 16: Security Challenges for Smart-Infrastructures

Reliable cyber-physical systems (e.g., the smart-grid) are vital, yet susceptible: the Northeast blackout (2003) affected 50 million people at a cost of $10 billion. Attacks: false data injection [Yao CCS'09]; over 200 cyber-attacks in 2013.

Vulnerability: commands and measurements are not authenticated.

Requirements for a security method:
- Real-time: extremely fast processing (a few ms)
- Limited bandwidth: compact tags
- Several components: scalability

Limitations of existing methods:
- PKC is not yet feasible (computation, storage, tag size)
- Symmetric crypto is not scalable (key management)

Page 17: Security Challenges for Smart-Infrastructures (II)

Fast, compact and scalable security is needed!

Figure: several ECUs on the in-car network, with a link to the Internet.

Vulnerability: commands and measurements are not authenticated.
- Security for inter-car networks: manipulated direction/velocity leads to crashes.
- Security for intra-car networks: large attack surface [Usenix '11]; ECUs for brake/acceleration, airbag.
- Challenges: strict safety requirements; limited bandwidth, real-time processing.
- The state-of-the-art cannot address these (as discussed).

Page 18: Contributions: Secure Intra-car Systems (I)

Motivation: secure communication among ECUs in the car.
Challenges: safety requirements, extremely limited resources.

Contributions:
- A. A. Yavuz, J. Guajardo, "Efficient UMACs for CAN systems via key update mechanisms", May 2012 (patent)
- J. Guajardo, A. A. Yavuz, "Bandwidth Efficient Symmetric Encryption Methods", June 2012 (patent)
- A. A. Yavuz, "Signal-based Automotive Communication Security and Its Interplay with Safety Requirements", Embedded Security in Cars Conference, Germany, November 2012 (with B. Glas, J. Guajardo, H. Hacioglu, M. Ihle, K. Wehefritz)

Impact: embedded crypto software, deployment for OEMs (2018). Customers: GM, BMW.

Page 19: Contributions: Secure Smart-Infrastructures (II)

- A. A. Yavuz, "Emergent Response (ER): An Efficient and Scalable Real-time Broadcast Authentication for Command and Control Messages", patent + IEEE Transactions Information Sec.
- A. A. Yavuz, "Practical Immutable Signatures (PISB)", LNCS DBSec 2013. Immutable and 40 times faster than the state-of-the-art. Idea: leverage SA-RSA to compute an umbrella signature over C-RSA, which eliminates interaction and is more efficient.
- A. A. Yavuz, "Efficient and Tiny Authentication (ETA)", ACM WiSec 2013. An order of magnitude more efficient than RSA/ECDSA; smallest key/signature sizes (240 bits, 320 bits). Idea: tailor Schnorr signatures with O(1)-size pre-computation tokens; proof in the ROM under the DLP.

Page 20: Rapid Authentication – Motivation and Preliminary Work

Fast broadcast authentication: minimum end-to-end crypto delay.

Limitations of the state-of-the-art:
- Online/offline signatures and OTSs: very large signature and key sizes
- DLP-based methods (DSA tokens): signer efficient but verifier costly
- RSA/Rabin: verifier efficient but signer costly

Both signer and verifier efficiency with a compact signature? Pre-computation for RSA without linear overhead would make both signer and verifier efficient.

Condensed-RSA (C-RSA) aggregates RSA signatures. Given messages $m_1, \ldots, m_k$, $sk = (n, d)$ and $pk = (n, e)$:

$\sigma_i = H(m_i)^d \bmod n, \quad i = 1, \ldots, k; \qquad \sigma = \prod_{i=1}^{k} \sigma_i \bmod n$

Verification: $\sigma^e \bmod n = \prod_{i=1}^{k} H(m_i) \bmod n$.

Page 21: Rapid Authentication – Basic Idea

Messages have structure imposed by some protocols: can it be leveraged?

Example message layout: Source IP (32 bits) | Destination IP (32 bits) | Command (6 bits) | Value (6 bits) | Options (5 bits).

1) Offline phase: pre-compute RSA signatures on each possible sub-message of each field and store them in signature tables:
- Source IP: 256 values for each of 4 bytes (256.256.256.256) → 1024 signatures
- Destination IP: 256 values for each of 4 bytes → 1024 signatures
- cmd1, …, cmd64 → 64 signatures
- val1, …, val64 → 64 signatures
- opt1, …, opt32 → 32 signatures

2) Online signing: condense (C-RSA) the pre-computed signatures selected by the message.

3) Verify the Condensed-RSA signature.

Example: message 75.146.76.234 → 128.19.43.235, "increase", "level 5", "voltage". With the Source-IP table $(\sigma_{0,0}, \ldots, \sigma_{0,1023})$ and the other tables indexed the same way, the signature is

$\sigma = \sigma_{0,75} \cdots \sigma_{0,234} \cdot \sigma_{1,128} \cdots \sigma_{1,235} \cdot \sigma_{2,1} \cdot \sigma_{3,5} \cdot \sigma_{4,2} \bmod n$

and the verifier checks $\sigma^e \bmod n = [H(75 \| 0) \cdots H(\text{``voltage''} \| 4)] \bmod n$.
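C-RSA aggregation (page 20) and the signature-table signing of page 21, as an added example written for this page rather than taken from the papers: textbook RSA with 512-bit keys generated in the script, SHA-512 reduced modulo n as a stand-in for the full-domain hash H, and a sub-message encoding (field index, byte position, value) that is the example's own choice. Field names and table sizes follow the layout on the slide.

```python
import hashlib
import random
from math import gcd

# Added example, not from the slides: textbook RSA, Condensed-RSA aggregation
# and Rapid Authentication signature tables. Small keys, no padding, SHA-512
# mod n as a stand-in for a full-domain hash: illustration only.


def is_probable_prime(x: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin after trial division by small primes."""
    if x < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if x % p == 0:
            return x == p
    d, s = x - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        y = pow(rng.randrange(2, x - 1), d, x)
        if y in (1, x - 1):
            continue
        for _ in range(s - 1):
            y = pow(y, 2, x)
            if y == x - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits: int = 512, seed=None):
    """Return pk = (n, e), sk = (n, d); the seed is only for reproducible demos."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def H(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha512(msg).digest(), "big") % n


def rsa_sign(sk, msg: bytes) -> int:
    n, d = sk
    return pow(H(msg, n), d, n)                      # sigma_i = H(m_i)^d mod n


def crsa_aggregate(n: int, sigs) -> int:
    """Condensed-RSA: sigma = prod sigma_i mod n (multiplications only)."""
    sigma = 1
    for s in sigs:
        sigma = sigma * s % n
    return sigma


def crsa_verify(pk, msgs, sigma: int) -> bool:
    n, e = pk
    expected = 1
    for m in msgs:
        expected = expected * H(m, n) % n
    return pow(sigma, e, n) == expected             # sigma^e = prod H(m_i) mod n


# Rapid Authentication over the page-21 layout: (name, sub-fields, values per
# sub-field). Field index and byte position are part of every sub-message so a
# table entry cannot be reused in a different slot of the message.
FIELDS = [("src_ip", 4, 256), ("dst_ip", 4, 256),
          ("cmd", 1, 64), ("val", 1, 64), ("opt", 1, 32)]


def submessage(field: int, pos: int, value: int) -> bytes:
    return b"%d|%d|%d" % (field, pos, value)


def precompute_tables(sk) -> dict:
    """Offline phase: 1024 + 1024 + 64 + 64 + 32 = 2208 RSA signatures."""
    return {(fi, pos, v): rsa_sign(sk, submessage(fi, pos, v))
            for fi, (_, nsub, nvals) in enumerate(FIELDS)
            for pos in range(nsub) for v in range(nvals)}


def decompose(msg: dict) -> list:
    parts = []
    for fi, (name, nsub, nvals) in enumerate(FIELDS):
        vals = [int(x) for x in msg[name].split(".")] if nsub == 4 else [msg[name]]
        if len(vals) != nsub or any(not 0 <= v < nvals for v in vals):
            raise ValueError("field %s out of range" % name)
        parts += [(fi, pos, v) for pos, v in enumerate(vals)]
    return parts


def ra_sign(tables: dict, n: int, msg: dict) -> int:
    """Online phase: table lookups and multiplications, no exponentiation."""
    return crsa_aggregate(n, (tables[key] for key in decompose(msg)))


def ra_verify(pk, msg: dict, sigma: int) -> bool:
    return crsa_verify(pk, [submessage(*key) for key in decompose(msg)], sigma)
```

The online signer performs one table lookup and one modular multiplication per sub-message, which is the point of the construction; the verifier still pays one RSA exponentiation plus the hashes. What the toy does not provide is real security: the hash must be a proper full-domain hash for the C-RSA argument to apply, and the layout check in decompose (every field present, in range, in its own slot) is what prevents a verifier from accepting a permuted or padded message under a signature assembled from the same table entries.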

Page 22: Improved RA: Structure-Free RA (SCRA)

Problems with RA: it assumes a structured message, and the table might be large. SCRA signs messages without assuming structure or length:

- Hash (Message || s), where s is an 80-bit one-time random number, with a hash function that accepts any length; truncate the output to 160 bits.
- Split the digest into fields: Field 1 (8 bits), Field 2 (8 bits), …, Field 10 (8 bits), …
- Each table entry is an RSA signature on a field index and value: $\sigma_{1,0} = RSA_{sk}(1 \| 0 \| r), \ldots, \sigma_{1,255} = RSA_{sk}(1 \| 255 \| r)$; $\sigma_{2,0} = RSA_{sk}(2 \| 0 \| r), \ldots, \sigma_{2,255} = RSA_{sk}(2 \| 255 \| r)$; …; $\sigma_{10,0} = RSA_{sk}(10 \| 0 \| r), \ldots, \sigma_{10,255} = RSA_{sk}(10 \| 255 \| r)$.
- The signature is $(\sigma, s)$.

Benchmark platform: Intel(R) Core(TM) i7 Q720 at 1.60 GHz CPU and 2 GB RAM running Ubuntu 10.10 (MIRACL library); execution times in µsec.

Pre-compute signature table (offline)