Security and accounting for Storage Service Provider

Transcription

1 Security and accounting for Storage Service Provider Yongdae Kim Collaborators: N. Hopper, J. Weissman, A. Chandra Students: V. Kher, I. Osipkov, S. Hong, J. Kim University of Minnesota Supported by DISC, NSF CAREER Grant CNS , ETRI (Korea)

2 Organization Introduction to SSP Secure File Sharing in SSP Temporal Access Control in SSP Proxy Re-encryption for SSP Accounting and Metering in SSP Distributed Accounting in P2P File Archiving System If time permits 2

3 What is SSP? Storage Service Provider (SSP) is a company that provides computer storage space and related management services. SSPs also offer periodic backup, archiving and the ability to consolidate data from multiple company locations so that data can be effectively shared. Enterprise SSP offers managed storage services backup, fault tolerance, high availability, security, fire protection, 24-hour service for organizations that do not want to manage these services on their own. 3

4 By Doug Chandler, IDC analyst Why more storage companies are getting into services? Many customers are looking for help at the strategic level: storage architecture and planning the tactical level: data backup assistance Many storage vendors are seeing their product sales growth slipping, as storage hardware becomes commoditized, so they re looking for other ways to drive revenue. What s the future of the storage utility or Storage Service Provider (SSP) model? Early on appealed directly to Internet companies The pay-by-the-drink pricing appealed to these customers, as well as the ability to scale up quickly if needed. When the dot.coms went away, the SSP market became much tougher, because enterprise firms haven t yet bought into this model. The future of the pure SSP model is uncertain, but we think, more firms will become comfortable with outsourcing not only storage but a lot of their infrastructure needs. 4

5 Storage service provider revival? Randy Kerns, ComputerWorld Past Failure Few years ago, some start-ups attempted SSP. This experiment was, in a word, unsuccessful. So why did it fail? the industry went into a severe economic downturn then. It may also be that the economics were really not that compelling. Reluctance of businesses to turn over the control of their data to someone else. Revival Why? The economic downturn seems to have ended. The demand for capacity continues unabated Business continuity is required to protect operations from local or regional interruptions. Regulatory requirements are having a great impact on storage. Examples Sun announces fixed price service. IBM, HP Remote replication: Amerivault, Arsenal Digital, EVault, Iron Mountain 5

6 Summary: Why (not) Storage Service Provider? Why Business continuity is required to protect operations from local or regional interruptions. Regulatory requirements are having a great impact on storage. No worry about storage management such as backups, high availability, fault-tolerance, fire protection, file sharing Don t need to hire expert for long-term Why not? Reluctance of businesses to turn over the control of their data to someone else. From my perspective, SECURITY! 6

7 So in this talk On-going work on Storage Security in UMN Mostly from Career Award Proposal In SSP model, Key Management for File Sharing Temporal Access Control Proxy Re-encryption Accounting 7

8 File Sharing and Trust in SSP Information is more valuable than subscription fee. At least, the subscriber does not want SSP to read their data. E2E encryption Any data should be encrypted in a trusted domain and decrypted in a trusted domain. (SFS by Hughes) Or client (writer) encrypts and client (reader) decrypts. Client has key management overhead. Secure against insider (admin) misuse. SSP Does not have read permission! No need for read access control. It always has write permission! They have to, since customer paid to get service. Key Management for File Sharing 8

9 Goals Secure file sharing system with end-to-end encryption Group sharing Data confidentiality Efficient revocation Lesser overhead of key distribution and re-encryption Other issues Ensure data integrity User s sign modifications Non-repudiation Key recovery Key Management for File Sharing 9

10 Communication vs. Data Confidentiality Communication security is well-understood. Storage is a broadcast channel. Ephemeral key for encryption Don t use long term key. Compromise of a long-term key leads to compromise of all past ciphertext. Not applicable in storage! Can t use Diffie-Hellman protocol since parties may not be on-line. Group key management needs to provide forward/backward security. Revoked members should not be able to decrypt future messages. Impossible in storage, since we have to re-encrypt all data available to the member. New member should not be able to decrypt past messages. Impossible in storage! Lazy re-encryption: Re-encrypt the data, only when data is modified. Key Management for File Sharing 10

11 A Simple Solution A 1 has (r, w) permission, A 2 has r permission on file F. Meta-data: E PKA1 (K), E PKA2 (K), S SKA1 (F) Encrypted Data: E K (F) Any reader can decrypt! Non-repudiation and data integrity are guaranteed. A 2 revoked, A 3 gets r permission. No data change yet. [E PKA1 (K), E PKA3 (K), S SKA1 (F)], E K (F) A 2 revoked, A 3 gets r permission. Data change. [E PKA1 (K ), E PKA3 (K ), S SKA1 (F )], E K (F ) Key Management for File Sharing 11

12 LockBox: Save storage space/computation! When group of users have same permission [E PKA1 (K 1, K 2 ), E PKA3 (K 1, K 2 ), S SKA1 (F 1 ), S SKA1 (F 2 )] E K1 (F 1 ), E K2 (F 2 ) When any file changes, lock box changes. Still many public key operations! Key Management for File Sharing 12

13 Using Symmetric Binomial Used for Sensor Network Security Assumption: Group of users know each other s id. Goal: Any two users can compute a shared key without using PKC. Setup: server randomly generates a bivariate t-degree polynomial f(x,y) = (from i,j=0 to t) a ij x i y j mod q, ( q is a prime number ) such that f(x,y)=f(y,x). For each user A i, the setup server distributes f(a i,y). User A i will compute f(a i, A j ) and user A j will compute f(a j, A i ) by evaluating f(a j,y) at point A i. f(a j,a i )=f(a i,a j ) Unconditionally secure and t-collusion resistant Key Management for File Sharing 13

14 Applying Binomial to LockBox Let K 12 = f(a 1, A 2 ), K 13 = f(a 1, A 3 ) When group of users have same permission [E K12 (K 1, K 2 ), E K13 (K 1, K 2 )], E K1 (F 1 ), E K2 (F 2 ) Pros No public key operation. User s storage is small. Issues What should be t? How much trust we can give to users? Key Management for File Sharing 14

15 Other Possible Approaches Scalable approaches (scale up to 1,000,000 users) Group key distribution Group of k users can share a key in a centralized environment Each user needs to compute log k hash functions to compute a lock-box key. Join and leave are efficient: log k hash operation. Space overhead: 2k (Still smaller than PKC) Broadcast encryption Group of k users can share a key in a centralized, stateless environment User key storage is relatively big: log k Leave is efficient: log k hash operation. Space overhead: 2 r (r: number of revoked users) Key Management for File Sharing 15

16 Organization Introduction to SSP Secure File Sharing in SSP Temporal Access Control in SSP Proxy Re-encryption for SSP Accounting and Metering in SSP Distributed Accounting in P2P File Archiving System If time permits 16

17 Temporal Access Control in SSP Problem Setting Alice wants to have control over her private information She wants to store it with a highly available storage provider, which she could access from anywhere Storage provider should not know what she is storing Alice - Minimal computation Alice should be able to let the people she like access some information for a limited period of time Temporal Access Control in SSP 17

18 Basic Architecture Authorization Private Information Storage Private Information Retrieval Temporal Access Control in SSP Private Information Update 18

19 Existing Approaches Access Control List (ACL): Owner defines an ACL and gives it to the PIP PIP should be trusted. Else encrypt the data implies more key management issues Kerberos : Owner has to play AS Problems same as above + Owner has to be online Lockbox: encrypt the file with symmetric key and encrypt the symmetric key with public key of users who will be granted access (used in Storage Security) Owner has to be online to provide access to new user! Once the authorization expires update the lockbox, has to contact PIP! Temporal Access Control in SSP 19

20 Time-Lock Puzzle Owner encrypts info and dies: he wants it to be decrypted no earlier than 30 days after Solution 1: force receiver to do intensive computation that will take no less than 30 days. Note: cannot be parallelizable!! Solution 2: give it to a trusted agent who will decrypt it after 30 days Solution 3: agent has PK i /SK i pair for day i and all public keys are published but secret keys are revealed incrementally Our solution CoPRA Temporal Access Control in SSP 20

21 Temporal Access Control Extension of Time-Lock Puzzle Owner puts data on untrusted storage provider At any time in the future, owner can make unscheduled updates Owner is able to give access to anyone for any number of days well ahead of time Once access for a future period has been obtained, user never has to contact owner again Storage provider is not involved in access control: it uploads data to anyone who requests it Temporal Access Control in SSP 21

22 Challenge How can the PIP do updates without owner interference? There exists a function f such that Homomorphic encryption! f(k 1, E k (m)) = E k1 (m) Temporal Access Control in SSP 22

23 Applications Private Information on the Internet We will be able to realize privacy on the Internet using our approach. For example Alice purchasing products from a website could provide authorization to some information, with which the website could contact a PIP. At this point we can limit future access only. Disclosure of Medical History Information A patient gives a doctor access to its information up to a certain day. It only makes sense that doctor should be able to obtain the old history as well, but should not be able to spy on patient in the future. Time Released Cryptography Only at some point of time, you can read my information! Military: Orders: need-to-know pre-compiled orders. Today you must be in Iraq, tomorrow in Afghanistan and the next day in Pakistan. Old info does not matter since troop deployments are public, but enemy cannot find out tomorrow s deployment place. Temporal Access Control in SSP 23

24 Organization Introduction to SSP Secure File Sharing in SSP Temporal Access Control in SSP Proxy Re-encryption for SSP Accounting and Metering in SSP Distributed Accounting in P2P File Archiving System If time permits 24

25 Proxy Re-encryption Alice stores encrypted files at storage provider SP and wants to give read-only access to Bob 1, Bob 2,. Naïve approach Alice encrypts file F (E K (F)) and stores it in SP. Alice also tells Key Server KS to give read access to B 1, B 2. B 1 downloads E K (F). B 1 asks KS for decryption key. SK encrypts K with Bob s key and sends it to Bob. SK: Key Translator To prevent insider misuse, it is desirable that KS should not be able to read data. Proxy re-encryption problem Proxy Re-encryption 25

26 High-Level Approach (Ateniese et. Al.) Alice computes tok Bob which is a function of Bob s public key and Alice s secret key The token is stored at KS Given ciphertext E K (F) and tok Bob, KS can re-encrypt so that Bob can decrypt using his secret key f(e K (F), tok Bob ) = E PK (F) Goals: Each file is encrypted using a different key and can be decrypted without updating token SP cannot decrypt any files Collusion-safe Proxy Re-encryption 26

27 Protocol Description Proxy Re-encryption 27

28 Problems and Goals Collusion When Bob and SP collaborate (without giving Bob s private), SP can decrypt any file! Goals: Even with access to the token, Bob cannot extract anything that allows others to decrypt unless his secret key is compromised The above should be true even when Bob colludes with others who were given their own tokens Proxy Re-encryption 28

29 Organization Introduction to SSP Secure File Sharing in SSP Temporal Access Control in SSP Proxy Re-encryption for SSP Accounting and Metering in SSP Distributed Accounting in P2P File Archiving System If time permits 29

30 Uncheatable Accounting and Secure Metering Bandwidth? Storage? IP Network SSPs Cheating incentives Consumer attempts to deny consumption Producer attempts to increase consumption At least, SSP computes cost of I/O as well as storage usage. It would be more beneficial if SSP can prove Bob (also to the public) how much they spend. Pricing model. Uncheatable Accounting and Secure Metering 30

31 Uncheatable Accounting Applications Pricing, predicting trends Naïve solution Third party intervention Expensive and time consuming Can still result in disputes Not provable Need a solution Both parties can prove usage without third party intervention Uncheatable Accounting and Secure Metering 31

32 Goals Accounting for bandwidth and storage Number of bytes read and written Consumer should not be able to repudiate usage Producer should not be able to overstate usage No third party intervention Minimal accounting and verification overhead on the accountant Minimal overhead on the SSP as well as the consumers Uncheatable Accounting and Secure Metering 32

33 A Naïve Approach Signature per access Order of release of signature matters One signature per access One verification per access Huge verification burden on the accountant Main challenge: efficiency Exploring and evaluating potential approaches Uncheatable Accounting and Secure Metering 33

34 Organization Introduction to SSP Secure File Sharing in SSP Temporal Access Control in SSP Proxy Re-encryption for SSP Accounting and Metering in SSP Distributed Accounting in P2P File Archiving System If time permits 34

35 Distributed Accounting in P2P File Archiving Why P2P? Cheap off-the-shelf components Expensive RAID disks may not be needed Naturally distributed Geographically distributed: power outage resistance Variety of system software and hardware Robust to Failures Availability Bartering (perhaps transitive) can be used to obtain remote storage, i.e. no money is needed! A lot of storage space, decent bandwidth Why don t we help each other to provide reliability and availability? Distributed Accounting in P2P File Archiving 35

36 Challenges of P2P Trust No one is trusted initially No TTP exists to mediate grievances Identity Persistence Peers may change identities by changing IP addresses for example Peers may be able to maintain several identities (Sybil attack) Tendency to free-load Empirical measurements: Study at PARC Distributed Accounting in P2P File Archiving 36

37 Challenges of P2P Service Provision Are the files being stored? QoS Need reputation system Identify and Contain the bad guys Need accounting system Did he really provide service to others or he is just lying? Collusion and Sybil attacks Distributed Accounting in P2P File Archiving 37

38 Existing Approaches: Samsara Alice wants to store file F at Bob Alice sends F Bob sends token, same size as F Token can be forwarded but it has to be stored somewhere Chain can be formed with only one token If chain turns into circle, token is dropped Problems: If token is real file, it may return to Bob which makes no sense In a chain, if someone drops a file, chain-reaction follows No chain: large storage overhead 100% bandwidth overhead!!! Other problems as well, but interesting overall Can use probabilistic file dropping: Can be exploited by free-loaders Distributed Accounting in P2P File Archiving 38

39 Existing Approaches: Pastry-Based Details: Every node publishes its capacity allocated for others, files stored for others and files stored remotely for node itself If A stores file F at B, B uses Anonymous Communication to check that A does not lie to others. All requests for storage follow this protocol. Occasionally, a node chooses another random node (using DHT) and audits its books one level deep to make sure it really stores files Problems: If node fails, all its files will be dropped immediately Distributed Accounting in P2P File Archiving 39

40 Ideal Goal Store your files on the network as much as you contribute to the network. More formally C(A) > S t (A) for all node A at any time t, where C(A) is A s storage space contribution to the network S t (A) is size of total storage space A is using at time t. Requirements Should be able to handle on-line/off-line nature of P2P system Efficiency: Communication, Computation, (additional) Storage Robustness against collusion: Assuming that majority of the nodes are honest (cooperative) Should provide a mechanism that ensures my file is stored! Distributed Accounting in P2P File Archiving 40

41 More coming up! We have ideas and we will implement on top of wellknown P2P file sharing system Distributed Accounting in P2P File Archiving 41

42 Suggestions/Questions? Still actively on-going! Many other applications Medical information system ERP SSP If you have any security problems and questions, please let us know. except Jim :-) 42