Privacy, Security and Cloud

Transcription

1 Privacy, Security and Cloud Giuseppe Di Luna July 2, 2012 Giuseppe Di Luna

2 July 2, 2012 Giuseppe Di Luna

3 July 2, 2012 Giuseppe Di Luna

4 Security Concerns: Data leakage Data handling on the provider (Correct storage procedure, correct deletion) Correct Computation Legal issue Attackers: Outsider Insider (Within Cloud Provider) July 2, 2012 Giuseppe Di Luna

5 (Ristenpart et Al ) Ristenpart et Al. studied data leakage on Amazon EC2. Threat model: There is a single trusted cloud maintainer that manage a public multi-tenant cloud. The attacker is a normal. The goal is to obtain sensitive information from a target service hosted on the p.c. July 2, 2012 Giuseppe Di Luna

6 EC2 Internals EC2 uses Xen hyp. Domain0, it manages guest image, physical resources accesses ecc In EC2 Dom0 route packets to VMs and reports itself as hop in traceroute. Ec2 offers five instances: small, medium, large, (small is a single virtual core ) Network: availability zones do not share the same ph.inf. July 2, 2012 Giuseppe Di Luna

7 Different VM share the same Ph.Inf. It is possible for an attacker to achieve coresidence: Since Dom0 appears in trace-route there is a free and deterministic co-residence check. There are some bias in VM assignment [RTSS09]: Different instance from the same account will by assigned to different Ph. Mac. Strong Placement locality from diff. accounts July 2, 2012 Giuseppe Di Luna

8 The strong placement locality can be exploited by an attacker to achieve coresidence. Cross-VM information leakage: The contention on buffers may be used as: Covert Channel: [Xu et Al-2011] carefully studies the achievable bitrate of L2 cache contention using different protocols. Estimate the load on the target VM-machine July 2, 2012 Giuseppe Di Luna

9 [RTSS09] teach us that blind trust in not the best option. We assume that cloud provider/s is/are not trusted: Two adversaries: Honest-but-curious Malicious (byzantine) Case study: Avoid data leakage (Homomorphic Enc.) Enforce correct data handling (PDS- PDD) Anonymous assignment of resources July 2, 2012 Giuseppe Di Luna

10 Avoid data leakage The only way to ensure privacy of outsourced data is to encrypt them but: The naïve encryption rule out any form of computation over data. Over the years have been developed many techniques to overcome that: Partial-Homomorphic: RSA (multiplicative), Paillier (additive). Specific computation only: Searchable data encryption, Order preserving ecc General Computation: Secure Function Evaluation, fully-homomorphic encryption. July 2, 2012 Giuseppe Di Luna

11 Homomorphic Encryption Breakthrough in Cryptography: Gentry STOC-09 shows how to achieve fullyhomomorphic encryption using ideal latticesbootstrap theorem. In June 2010 D.G.H.V. shows how to achieve Fully-H.E. over integers In January 2012 B.G.V. shows how to achieve (levelled) Fully-H.E. without use bootstrap. July 2, 2012 Giuseppe Di Luna

12 Fully H.E. over the Integers We have a circuit C \in Ce and a function evaluate, a scheme (Dec,Enc,Evaluate) is homomorphic (w.r.t Ce) if given a tuple of Ciphertexts c=(c1,..cn) we have: Dec[sk,Evaluate(pk,C,c)]=C(m1, mn) To rule out trivial scheme there is the compactness property: There exist a fixed polynomial bound b(n) so that for any condition (sk,pk, C, c) the size of Eval[pk,C,c] < b(n). July 2, 2012 Giuseppe Di Luna

13 Steps to achieve a non trivial Fully-H.E: Find a somewhat homomorphic private encryption scheme that respect some conditions. Turn the scheme in circular secure public key scheme Use the bootstrap theorem [Gentry-09] on the basic public scheme. July 2, 2012 Giuseppe Di Luna

14 Let us start with a simple private key encryption scheme: KeyGen: Encrypt(p,m): Decrypt: July 2, 2012 Giuseppe Di Luna

15 Somewhat Homomorphic July 2, 2012 Giuseppe Di Luna

16 Problems For each call to Evaluate we have: Ciphertext Grows: double the bit each multiplication violate compactness Noise Grows: for each addition and multiplication the terms that are not multiple of p grows. Noise > p/2 violate correctness. How do we handle this problems? July 2, 2012 Giuseppe Di Luna

17 Public Key Encrypt: July 2, 2012 Giuseppe Di Luna

18 Approximated-GCD problem Given an oracle chosen p output p. for a randomly Given an adversary A that breaks the presented scheme in p.t. with advantage e it is possible to build an adversary A that breaks A-GCD in p.t. with probability p(e). July 2, 2012 Giuseppe Di Luna

19 Win == get p D(p) Pk:{x0,x1, x,_n} z1=zq1p+zr1 z2=zq2p+zr2 Q LSB Oracle m <- {0,1} zb Binary GCD S<-{0,1}^{n} c=(m+zb+s*pk) A (z=qp+r,q) LSB(zq1) = a xor parity(z1) xor m a A A is able to break the chipper so if we give A E(a) it return us a D(p) Oracle in A-GCD July 2, 2012 Giuseppe Di Luna

20 Bootstrap - intuition If the scheme is able to evaluate is own decryption procedure C_d then it is possible to use C_d to decript a E(m,Pk1) while it is encrypted under key Pk1 using the E(k1,Pk1). July 2, 2012 Giuseppe Di Luna

21 Performance is (but for how long? Nobootstrap Result-2012) the main drawback of Fully-H.E. (To achieve circuit privacy we need garbled circuits) Other problem can be solved in a more efficient way (or only using) other techniques July 2, 2012 Giuseppe Di Luna

22 Yao Garbled Circuit (1986) Good introduction: fa09/cs598man/slides/ac-f09-lect16-yao.pdf Using Garbled Circuit it is possible to achieve circuit privacy and secure two party computation. Fairplay Pinkas and Lindel (2007) [Malicious Adv.] July 2, 2012 Giuseppe Di Luna

23 Data Handling Many services offer the capability to store data on cloud (Amazon S3, SkyDrive, Dropbox ), how we can ensure that the cloud maintainer handle this data properly? Two issues: Check integrity of dataset Ensure data deletion July 2, 2012 Giuseppe Di Luna

24 Integrity We have a huge dataset (>10 TB) and we want to outsource it. Since we do not trust the maintainer we want to devise an integrity mechanism. Naïve: compute MAC on dataset, drawbacks? Solution: Remote Data Checking using Provable Data Possession - Ateniese et Al. May 2011 July 2, 2012 Giuseppe Di Luna

25 Init Phase < F={b1,b2,..,bf}, T > Client sends F and T to S Client Server Verification Phase Request: O(1) Client Server Client Time: O( c) c <= f Client Space: O(1)!! Response: O(1) Server Time: O( c) July 2, 2012 Giuseppe Di Luna

26 Init July 2, 2012 Giuseppe Di Luna

27 July 2, 2012 Giuseppe Di Luna

28 MR-PDP In order to have fault tolerance we need: July 2, 2012 Giuseppe Di Luna

29 It is possible to extend PDP to k-replicas : Naïve way 1: use the same PDP k times. Vulnerable to coalition Naïve way 2: use different PDP using k different enconding. Expensive O(nk*Tagtime) A slight modification makes the previous scheme correct for multiple colluding replicas without increase the computational cost. July 2, 2012 Giuseppe Di Luna

30 Idea create k different file that are related and securely obfuscated. For each replica we pick a random u. Using a PRF F for each original block b_i we create b _i=b_i+f(u i) The tags are the same. July 2, 2012 Giuseppe Di Luna

31 Data deletion Law impose to securely delete sensitive information. (Medical Records- Credit Card Number) A way to do that is to securely wipe (overwrite) data. This is not viable on cloud storage: There is no deletion proof! No proof is bad (We are paranoid) July 2, 2012 Giuseppe Di Luna

32 This issue has been addressed recently: FADE (Tang et Al. 2010) FadeVersion (Rahumed et Al 2011). ADEC (Tezuka et Al. March 2012) The rationale behind all this system is simple July 2, 2012 Giuseppe Di Luna

33 ADEC E(F1,k1) E(F2,k2) E(F3,k3) E(F4,k4) V1 Cloud: S3, SkyDrive, icloud,... E(F4,k4) E(F5,k5) E(F6,k6) V2 V1 metadata E(<k1,k2,k3,k4>,kv1) h1,h2,h3,h4 V2 metadata E(<k4,k5,k6>,kv2) h1,h2,h3,h4 hash hash hash Seed m kv1 kv2 kv3 Deletion July 2, 2012 Giuseppe Di Luna

34 Oblivious m-assignment Assignment Algorithm are fundamental in many field: Resource Sharing, Channel Assignment. Cloud maintainers know the assignment of resource to clients: Is it possible to coordinate concurrent entities such that each one knows is resource but do not know the other assignments? fairness? What kind of obliviousness is possible to ensure? July 2, 2012 Giuseppe Di Luna

35 Model -The system is synchronous most of the time. -No faults July 2, 2012 Giuseppe Di Luna

36 Problem Definition Oblivious assignment with m Slots (O-mA) is specified by the following properties: Unique Assignment (Safety) Lockout Avoidance (Liveness) Oblivious Assignment (Obliviousness): if a slot r_j is assigned to an honest process p_j no other process is deterministically aware of this assignment Strong O-mA: Strong Oblivious Assignment: Fixed a process p_j no one knows if p_j has got a resource. July 2, 2012 Giuseppe Di Luna

37 Solvability Issues Permission algorithms are not suitable for solve O-mA In permission algorithms a process ask if it is safe to access CS Perpetual Circulating Token: The trivial algorithm do not solve SO-mA if C>=2. July 2, 2012 Giuseppe Di Luna

38 Ensure Fairness: Rotating Leader can enter in CS. The other processes must have a non zero probability to gain CS. Must be not possible to distinguish (in p.t.) between two different assignment. July 2, 2012 Giuseppe Di Luna

39 Assignment Phase E(t1,PPk) E(t2,PPk)... E(t_{n-1},PPk) 1 2 n 3 4 July 2, 2012 Giuseppe Di Luna

40 1 E(tx,PPk) 2 (pm,ppk) E(t1,PPk-2)... E(t_{x-1},PPk-2) E(t_{x+1},PPk-2)... E(t_{n-1},PPk-2) n 3 4 July 2, 2012 Giuseppe Di Luna

41 E(tx,PPk) 1 2 (p_2,pk2) (p_3,pk3)... (p_{n-1},pk_{n-1}) n 3 4 E(ty,PPk-3) July 2, 2012 Giuseppe Di Luna

42 tx (p_2,pk2) E(tx,PPk) (p_3,pk3) (p_{n-1},pk_{n-1}) n 3 4 E(ty,PPk-3) July 2, 2012 Giuseppe Di Luna

43 Rel. Phase b= released? E(0,PPk-2) xor E(b,PPk-2) tx E(0,PPk-2)... E(b,PPk-2) E(0,PPk-2) n 3 4 July 2, 2012 Giuseppe Di Luna

44 0... b... 0 Knows released tickets 1 2 n 3 4 July 2, 2012 Giuseppe Di Luna

45 What is the number of winner ticket assigned to waiting processes? July 2, 2012 Giuseppe Di Luna

46 40 30 w=10 w=20 20 w=30 10 w= b July 2, 2012 Giuseppe Di Luna

47 w= w=20 w= w= w= r July 2, 2012 Giuseppe Di Luna

48 w=10 w= w=30 w= w=50 p= p= r July 2, 2012 Giuseppe Di Luna

49 July 2, 2012 Giuseppe Di Luna