Privacy, Security and Cloud
Giuseppe Di Luna
July 2, 2012
Security Concerns:
- Data leakage
- Data handling on the provider (correct storage procedure, correct deletion)
- Correct computation
- Legal issues
Attackers:
- Outsider
- Insider (within the cloud provider)
(Ristenpart et al., 2009)
Ristenpart et al. studied data leakage on Amazon EC2.
Threat model:
- There is a single trusted cloud maintainer that manages a public multi-tenant cloud.
- The attacker is a normal.
- The goal is to obtain sensitive information from a target service hosted on the public cloud.
EC2 Internals
- EC2 uses the Xen hypervisor. Domain0 (Dom0) manages guest images, access to physical resources, etc.
- In EC2, Dom0 routes packets to the VMs and reports itself as a hop in traceroute.
- EC2 offers five instance types: small, medium, large, (small is a single virtual core).
- Network: availability zones do not share the same physical infrastructure.
Different VMs share the same physical infrastructure.
It is possible for an attacker to achieve co-residence:
- Since Dom0 appears in traceroute, there is a free and deterministic co-residence check.
- There are some biases in VM assignment [RTSS09]:
  - Different instances from the same account will be assigned to different physical machines.
  - Strong placement locality from different accounts.
The strong placement locality can be exploited by an attacker to achieve co-residence.
Cross-VM information leakage: the contention on buffers may be used as:
- Covert channel: [Xu et al., 2011] carefully studies the achievable bitrate of L2 cache contention using different protocols.
- Estimate the load on the target VM machine.
[RTSS09] teaches us that blind trust is not the best option.
We assume that the cloud provider(s) is/are not trusted. Two adversaries:
- Honest-but-curious
- Malicious (Byzantine)
Case study:
- Avoid data leakage (Homomorphic Enc.)
- Enforce correct data handling (PDS-PDD)
- Anonymous assignment of resources
Avoid data leakage
The only way to ensure the privacy of outsourced data is to encrypt them, but naïve encryption rules out any form of computation over the data.
Over the years many techniques have been developed to overcome that:
- Partially homomorphic: RSA (multiplicative), Paillier (additive).
- Specific computations only: searchable data encryption, order-preserving encryption, etc.
- General computation: Secure Function Evaluation, fully homomorphic encryption.
Homomorphic Encryption
Breakthrough in cryptography:
- Gentry (STOC-09) shows how to achieve fully homomorphic encryption using ideal lattices and the bootstrap theorem.
- In June 2010 D.G.H.V. shows how to achieve fully H.E. over the integers.
- In January 2012 B.G.V. shows how to achieve (levelled) fully H.E. without using bootstrapping.
Fully H.E. over the Integers
We have a circuit C \in Ce and a function Evaluate. A scheme (Dec, Enc, Evaluate) is homomorphic (w.r.t. Ce) if, given a tuple of ciphertexts c = (c1, ..., cn), we have:
Dec[sk, Evaluate(pk, C, c)] = C(m1, ..., mn)
To rule out trivial schemes there is the compactness property: there exists a fixed polynomial bound b(n) such that, for any tuple (sk, pk, C, c), the size of Evaluate[pk, C, c] is < b(n).
Steps to achieve a non-trivial fully H.E. scheme:
- Find a somewhat homomorphic private-key encryption scheme that respects some conditions.
- Turn the scheme into a circular-secure public-key scheme.
- Use the bootstrap theorem [Gentry-09] on the basic public scheme.
Let us start with a simple private-key encryption scheme:
KeyGen:
Encrypt(p,m):
Decrypt:
Somewhat Homomorphic
Problems
For each call to Evaluate we have:
- Ciphertext grows: the bit length doubles at each multiplication, which violates compactness.
- Noise grows: with each addition and multiplication, the terms that are not multiples of p grow. Noise > p/2 violates correctness.
How do we handle these problems?
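The two problems above, measured on the symmetric scheme over the integers with toy parameters, as an added example that is not from the slides. The formulas c = p*q + 2*r + m and m = (c mod p) mod 2 are the standard D.G.H.V. ones, supplied here as an assumption because the slide text does not show them; parameter sizes and function names are chosen for illustration.

```python
import secrets

# Toy parameters, constructed for illustration only (far too small to be secure).
ETA, RHO, GAMMA = 64, 8, 256   # bit lengths of key p, fresh noise r, multiplier q

def keygen():
    """Secret key: a random odd ETA-bit integer p."""
    return secrets.randbits(ETA) | (1 << (ETA - 1)) | 1

def encrypt(p, m):
    """Encrypt bit m as c = p*q + 2*r + m; the noise term is 2*r + m."""
    q = secrets.randbits(GAMMA) | (1 << (GAMMA - 1))
    r = secrets.randbits(RHO)
    return p * q + 2 * r + m

def noise(p, c):
    """Centered residue of c modulo p, in (-p/2, p/2]."""
    x = c % p
    return x - p if x > p // 2 else x

def decrypt(p, c):
    """m = (c mod p) mod 2; correct only while the true noise is below p/2."""
    return noise(p, c) % 2

def first_failing_product(p, limit=64):
    """Multiply fresh encryptions of 1; return (k, bits) where k is the number
    of factors at which the true noise first exceeds p/2 and bits is the size
    of the ciphertext at that point."""
    c, true_noise = 1, 1
    for k in range(1, limit + 1):
        fresh = encrypt(p, 1)
        c *= fresh
        true_noise *= noise(p, fresh)   # fresh noise is small, so this is exact
        if true_noise > p // 2:
            return k, c.bit_length()
        assert decrypt(p, c) == 1       # still inside the noise budget
    return limit, c.bit_length()

if __name__ == "__main__":
    p = keygen()
    a, b = encrypt(p, 1), encrypt(p, 0)
    print("add -> XOR:", decrypt(p, a + b), " mul -> AND:", decrypt(p, a * b))
    k, bits = first_failing_product(p)
    print(f"fresh ciphertext: {a.bit_length()} bits; noise exceeds p/2 at "
          f"{k} factors, where the ciphertext is {bits} bits")
```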
Public Key Encrypt:
Approximated-GCD problem
Given an oracle for a randomly chosen p, output p.
Given an adversary A that breaks the presented scheme in polynomial time with advantage e, it is possible to build an adversary A that breaks A-GCD in polynomial time with probability p(e).
[Diagram of the reduction, using the D(p) oracle in A-GCD. Labels: "Win == get p"; Pk:{x0, x1, ..., x_n}; z1 = zq1*p + zr1; z2 = zq2*p + zr2; LSB oracle; Binary GCD; m <- {0,1}; S <- {0,1}^{n}; c = (m + zb + s*pk); A(z = qp + r, q); LSB(zq1) = a xor parity(z1) xor m]
A is able to break the cipher, so if we give A E(a) it returns us a.
Bootstrap - intuition
If the scheme is able to evaluate its own decryption procedure C_d, then it is possible to use C_d to decrypt an E(m,Pk1) while it is encrypted under key Pk1, using the E(k1,Pk1).
- Performance is (but for how long? No-bootstrap result, 2012) the main drawback of fully H.E.
- (To achieve circuit privacy we need garbled circuits.)
- Other problems can be solved more efficiently using (or only using) other techniques.
Yao Garbled Circuit (1986)
Good introduction: http://www.cs.illinois.edu/class/fa09/cs598man/slides/ac-f09-lect16-yao.pdf
Using garbled circuits it is possible to achieve circuit privacy and secure two-party computation.
- Fairplay
- Pinkas and Lindell (2007) [malicious adv.]
Data Handling
Many services offer the capability to store data on the cloud (Amazon S3, SkyDrive, Dropbox). How can we ensure that the cloud maintainer handles this data properly?
Two issues:
- Check the integrity of the dataset
- Ensure data deletion
Integrity
We have a huge dataset (>10 TB) and we want to outsource it. Since we do not trust the maintainer, we want to devise an integrity mechanism.
- Naïve: compute a MAC on the dataset. Drawbacks?
- Solution: Remote Data Checking using Provable Data Possession (Ateniese et al., May 2011)
Init Phase
- < F = {b1, b2, ..., bf}, T >: the client sends F and T to the server S.
Verification Phase (Client <-> Server)
- Request: O(1)
- Response: O(1)
- Client time: O(c), c <= f
- Client space: O(1)!!
- Server time: O(c)
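The init and verification phases above, as an added example that is not from the slides and is not Ateniese et al.'s exact construction: a simplified RSA-based homomorphic tag scheme in which the client keeps only its key and checks a short aggregated proof over c challenged blocks. The toy modulus, the base G, the hash helper h and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy RSA modulus built from two Mersenne primes (constructed; not a secure choice).
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # client's secret tagging exponent
G = 3                               # public base (toy value, assumption)

def h(i):
    """Map block index i into Z_N (hypothetical helper)."""
    return int.from_bytes(hashlib.sha256(b"blk%d" % i).digest(), "big") % N

def tag_file(blocks):
    """Init phase: T_i = (h(i) * G^b_i)^D mod N for every block b_i."""
    return [pow(h(i) * pow(G, b, N) % N, D, N) for i, b in enumerate(blocks)]

def challenge(f, c):
    """Client picks c of the f block indices, each with a random odd coefficient."""
    idx = secrets.SystemRandom().sample(range(f), c)
    return [(i, secrets.randbits(64) | 1) for i in idx]

def prove(blocks, tags, chal):
    """Server: aggregate the challenged tags and blocks into one short proof."""
    t, m = 1, 0
    for i, a in chal:
        t = t * pow(tags[i], a, N) % N
        m += a * blocks[i]
    return t, m

def verify(chal, proof):
    """Client: check T^E == prod h(i)^a_i * G^M without holding any block."""
    t, m = proof
    expected = pow(G, m, N)
    for i, a in chal:
        expected = expected * pow(h(i), a, N) % N
    return pow(t, E, N) == expected

if __name__ == "__main__":
    # Constructed sample file: 8 random 16-byte blocks, held by the server only.
    blocks = [int.from_bytes(secrets.token_bytes(16), "big") for _ in range(8)]
    tags = tag_file(blocks)
    chal = challenge(len(blocks), 3)
    print("honest server passes:", verify(chal, prove(blocks, tags, chal)))
```

Sampling c < f blocks only detects corruption with some probability; challenging every block makes detection certain at O(f) cost.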
Init
MR-PDP
In order to have fault tolerance we need:
It is possible to extend PDP to k replicas:
- Naïve way 1: use the same PDP k times. Vulnerable to coalitions.
- Naïve way 2: use different PDPs with k different encodings. Expensive: O(nk*Tagtime).
A slight modification makes the previous scheme correct for multiple colluding replicas without increasing the computational cost.
Idea: create k different files that are related and securely obfuscated.
- For each replica we pick a random u.
- Using a PRF F, for each original block b_i we create b _i=b_i+f(u i)
- The tags are the same.
Data deletion
The law requires sensitive information (medical records, credit card numbers) to be securely deleted.
A way to do that is to securely wipe (overwrite) the data. This is not viable on cloud storage:
- There is no deletion proof!
- No proof is bad (we are paranoid).
This issue has been addressed recently:
- FADE (Tang et al., 2010)
- FadeVersion (Rahumed et al., 2011)
- ADEC (Tezuka et al., March 2012)
The rationale behind all these systems is simple
ADEC
[Diagram. Cloud (S3, SkyDrive, iCloud, ...):
- V1: E(F1,k1), E(F2,k2), E(F3,k3), E(F4,k4); V1 metadata: E(<k1,k2,k3,k4>,kv1), h1,h2,h3,h4
- V2: E(F4,k4), E(F5,k5), E(F6,k6); V2 metadata: E(<k4,k5,k6>,kv2), h1,h2,h3,h4
- Seed m; hash, hash, hash; kv1, kv2, kv3; Deletion]
Oblivious m-assignment
Assignment algorithms are fundamental in many fields: resource sharing, channel assignment.
Cloud maintainers know the assignment of resources to clients:
- Is it possible to coordinate concurrent entities such that each one knows its own resource but does not know the other assignments?
- Fairness?
- What kind of obliviousness is it possible to ensure?
Model
- The system is synchronous most of the time.
- No faults
Problem Definition
Oblivious assignment with m slots (O-mA) is specified by the following properties:
- Unique Assignment (Safety)
- Lockout Avoidance (Liveness)
- Oblivious Assignment (Obliviousness): if a slot r_j is assigned to an honest process p_j, no other process is deterministically aware of this assignment.
Strong O-mA:
- Strong Oblivious Assignment: fixed a process p_j, no one knows whether p_j has got a resource.
Solvability Issues
- Permission algorithms are not suitable for solving O-mA: in permission algorithms a process asks whether it is safe to access the CS.
- Perpetual circulating token: the trivial algorithm does not solve SO-mA if C >= 2.
Ensure fairness:
- The rotating leader can enter the CS.
- The other processes must have a non-zero probability of gaining the CS.
- It must not be possible to distinguish (in polynomial time) between two different assignments.
Assignment Phase
[Diagram: processes 1, 2, 3, 4, ..., n; E(t1,PPk), E(t2,PPk), ..., E(t_{n-1},PPk)]
[Diagram: processes 1, 2, 3, 4, ..., n; E(tx,PPk); (pm,ppk); E(t1,PPk-2), ..., E(t_{x-1},PPk-2), E(t_{x+1},PPk-2), ..., E(t_{n-1},PPk-2)]
[Diagram: processes 1, 2, 3, 4, ..., n; E(tx,PPk); (p_2,pk2), (p_3,pk3), ..., (p_{n-1},pk_{n-1}); E(ty,PPk-3)]
[Diagram: processes 1, 2, 3, 4, ..., n; tx; E(tx,PPk); (p_2,pk2), (p_3,pk3), ..., (p_{n-1},pk_{n-1}); E(ty,PPk-3)]
Rel. Phase
[Diagram: processes 1, 2, 3, 4, ..., n; b = released?; E(0,PPk-2) xor E(b,PPk-2); tx; E(0,PPk-2), ..., E(b,PPk-2), ..., E(0,PPk-2)]
[Diagram: processes 1, 2, 3, 4, ..., n; 0, ..., b, ..., 0; "Knows released tickets"]
What is the number of winning tickets assigned to waiting processes?
[Plot: curves for w=10, w=20, w=30, w=40; x-axis: b]
[Plot: curves for w=10, w=20, w=30, w=40, w=50; x-axis: r]
[Plot: curves for w=10, w=20, w=30, w=40, w=50, with p=0.5 and p=0.95; x-axis: r]