Building an Anonymous Public Storage Utility Wesley Leggette Cleversafe

Transcription

1 Building an Anonymous Public Storage Utility Wesley Leggette Cleversafe

2 Utility Storage r Many different target audiences r Business r Content distribution r Off-site backup r Archival r Consumer r Content sharing r Collaboration r Backup 2

3 Consumers Secret Consumers r An end user with something to hide r Options today r Object Storage service (S3, Azure) r Online backup service (Crashplan, Carbonite) r Online sharing (Dropbox, Google Drive) r Roll-your-own (OpenStack deployment) r (We re talking about reliable systems) 3

4 Requirements r Want: r Secure r Reliable r Available r Convenient r (cost effective) r (scalable) r r Anonymous! r Need: r Encrypt Data r Store Data r Be Online r Have Good Interfaces r r Pay for it! 4

5 Typical Solutions Today Customer Merchant Payment Payment Processor Auth Records Storage Records 5

6 Customer Customer Merchant Merchant Payment Auth Payment Auth Storage Storage 6

7 Storing everything in one place r Usually single company in charge of: r Authentication r Encryption r Access Control r Billing Information r Storage r All data controlled by one company r Technical vulnerabilities: hacking, disclosures r Centralized records: subpoenas, warrants 7

8 Anonymous system building blocks Customer Payment Processor Authentication Provider Storage Provider Records Auth Pseudonymous Records Storage Random Identity 4 8

9 Payment 1 Customer Payment Processor Records r Create anonymous money r r r r r Enforced through technology, not policy Spending it cannot reveal who bought it Solution: National currency à Bitcoin Zerocoin 9

10 Authentication 2 Customer Authentication Provider Auth Pseudonymous Records r Map pseudonym to credentials r Make it convenient to use r Random identity + encryption keys r Can also support real names r Secures r Authentication keys (PKI) r Encryption keys r Solution: r Hidden Identity Mapping r Distributed Keys r Key Recovery Service 10

11 Storage 3 4 Customer Storage Provider Storage Payment Processor Random Identity r Store encrypted data anonymously r Data tied to storage account r Pay for it with anonymous currency r Solution: r Anonymous Storage Account r Token Based Payment r Token Based Redemption Records 11

12 Bitcoin and Zerocoin 12

13 Bitcoin r A distributed currency based on public key cryptography, digital signatures, proof of work r Balances stored in a block chain r Essentially a public ledger of all transactions r All transactions identifiable by public key r Not truly anonymous r Following The Bitcoins: How We Got Busted Buying Drugs On Silk Road s Black Market Economic Policy Journal 7 Sep r 13

14 Anonymizing Options r Hiding your identity by being careful r TOR r Multiple public keys r Mixing services (laundering) r Relies on large amount of transactions r Assumes service is trustworthy, legal r Legal, trustworthy, persistent currency exchange r They will keep records! r System must prevent linking payer and payee 14

15 Zerocoin Bitcoin Transaction Chain Bitcoin Transaction Chain Bitcoin Transaction Chain Zerocoin Process Anonymized Coin Zerocoin Process Bitcoin Transaction Chain Bitcoin Transaction Chain Bitcoin Transaction Chain r Miers, Garman, et. al. John Hopkins University r Built on top of Bitcoin transaction network r Adds placeholder r Generates zerocoin that can be transferred 15

16 Redeeming for Bitcoins Bitcoin Transaction Chain Bitcoin Transaction Chain Bitcoin Transaction Chain? Bitcoin Transaction Chain Bitcoin Transaction Chain Bitcoin Transaction Chain r r r Anonymously redeem zerocoins for bitcoins? r No link between placeholder and zerocoin r Does not reveal which placeholder created the zerocoin Digital commitments, one-way accumulators, zero-knowledge proofs Paper: r 16

17 Hidden Identity Mapping Truly anonymized storage accounts 17

19 Hidden Identity Mapping r Create storage account with random id r How to remember the ID? r Dispersed Keys r A method to store data securely r Store random account id with keys r Key Recovery Service r A method to recover lost local information r Store random account id with recovery data 19

20 Hidden Identity Mapping Customer --> E5D4853C-9C6E-44E2-B180-F4978F6FEC9A Authentication Provider Auth Storage Provider account_id: E5D4853C-9C6E-44E2-B180-F4978F6FEC9A storage_container: 34E FE-49C7-A8E0-E8F8F5396AFA credits_remaining: 1345 Secret Share 34E FE-49C7-A8E0-E8F8F5396AFA/ E FE-49C7-A8E0-E8F8F5396AFA/ E FE-49C7-A8E0-E8F8F5396AFA/

21 Distributed Keys From password to distributed secret 21

22 Goal: Store Data Securely r Storing encrypted data on storage provider r After encrypting, one has to protect a key r How does one store the key privately and reliably? 22

23 Distributed Keys r Distributed Keys enable end users to recover a private key from any location on the network r It bridges the gap between password authentication and PKI authentication r Seems like password authentication to end users r Seems like PKI authentication to service providers r Unlike more naïve approaches, nothing enabling an offline attack exists at any location r Breach of authentication server yields nothing! 23

24 Distributed Keys Architecture User device username: jsmith01 password: ******** 24

25 Distributed Keys Architecture Dispersed Credentials Protocol User device 25

26 Distributed Keys Architecture User device Recovered Key 26

27 Distributed Keys Architecture PKI Authentication User device Recovered Key 27

28 Distributed Keys Architecture User device Recovered Key 28

29 Comparison of Mechanisms Password PKI DK 1. No single point of failure 2. No single point of compromise 3. Enables access from any location 4. Easy to use 5. Immune to offline brute-force attacks * 6. Credentials are not disclosed during use 7. Immune to physical theft * Requires a threshold number of simultaneous compromises 29

30 How it Works r We found that through a combination of various cryptographic protocols, an authentication system with almost ideal properties could be formed r Server-assisted strong secret generation r Warwick Ford and Burton S. Kaliski Jr. (2000) r Secret Sharing r Adi Shamir and George Blakley (1979) r Encryption and Digital Signatures 30

31 Distributed Key Storage private key User s Device e 1 share 1 SK 1 {share 1 } Secret Sharing Scheme share 2... share N Auth Server 1 Cipher Random Number Generator password SK 1 {share 1 } e 2 SK 2 {share 2 } e 1 e 2... e N f(password) 2e mod p Cipher SK 2 {share 2 } Auth Server 2... strong-key 1 strong-key 2... strong-key N Cipher SK N {share N } e N SK N {share N } Auth Server N 31

32 Distributed Key Retrieval (1 of 2) User s Device (blinded-pass 1 ) e mod p e 1 blinded-sk 1 SK 1 {share 1 } SK 1 {share 1 } blinded-sk 2 SK 2 {share 2 } blinded-sk K SK K {share K } blinded-sk 1 Auth Server 1 Random Number Generator password (blinded-pass 1 2 ) e mod p e 2 SK 2 {share 2 } b 1 b 2... b K f(password) 2b mod p blinded-sk 2... Auth Server 2 blinded-pass 1 blinded-pass 2... (blinded-pass K ) e mod p e K SK K {share K } blinded-pass K blinded-sk K Auth Server K 32

33 Distributed Key Retrieval (2 of 2) b 1 b 2... b K User s Device b*v = 1 mod q (blinded-sk 1 ) v mod p v 1 v 2... v K SK 1 {share 1 } strong-key 1 Cipher share 1 blinded-sk 1 blinded-sk 2... (blinded-sk 2 ) v mod p SK 2 {share 2 } share 2... share K blinded-sk K strong-key 2 (blinded-sk K ) v mod p Cipher SK K {share K } Secret Sharing Scheme strong-key K Cipher private key 33

34 Key Recovery Service Cooperative encryption key recovery 34

35 Key Recovery Service r Distributed keys provide online storage r What happens if users forget their passwords? r Data encrypted (by user) with encryption keys r Only authentication keys identify users r Key Recovery Service r Peer-based key recovery+password reset r System mediates recovery requests to users r No data is revealed to server during recovery 35

36 Need for a Key Recovery Service Shamir s Secret Sharing Scheme r In 1979 Adi Shamir (the S in RSA) proposed a method for sharing secrets in a way that satisfies the competing goals of security and reliability. Much like an IDA, one chooses a number of shares and a threshold needed for recovery. If each share is given to an individual, a threshold number of them must come together to compute the secret. r This method is both secure and reliable: Secure: Multiple shares would need to be compromised by an attacker to recover the secret. It takes a conspiracy of individuals holding shares to get the secret. Reliable: Even if some individuals lose their shares or are unavailable, as long as a threshold exists the secret is still recoverable. 36

37 Design of Key Recovery Service Using the Key Recovery System Account Creation Recovery Request Private Key Recovery 37

38 Account Creation 38

39 Recovery Request 39

40 Verifying Recovery Request r Recovery requests verified by each user r Verification manual; can use request fingerprint r Threshold of requests must be authorized r Encrypted shares stored in central location 40

41 Private Key Recovery 41

42 Token Based Payment Plan Pay as you go, with anonymous currency 42

44 Token Based Payment Plan r Billing model largely the same r Form of currency is different r Failure to pay data eventually just deleted 44

45 Credit John Smith... $ Alice Granger... $ Debit Acme Storage, Inc.... $ Fast Fast Storage, LLC... $ Customers Vendors Pooled Assets r r Storage processor keeps full records of one side of transaction Anonymity through many-to-many customer to vendor relationship 45

46 Conclusions 46

47 Conclusion r A storage service that provides anonymity r Should be as reliable and convenient as existing systems r Must rely on technology, not spotty record keeping, to preserve anonymity r The technology to create this platform exists today r Anonymous currencies r Anonymous authentication r Anonymous data storage 47

48 48