- 118 Views
- Uploaded on
- Presentation posted in: General

Cryptographic Security

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Secret Sharing

- How can a group of individuals share a secret?
- Requirements:
- some information is confidential
- the information is only available when any k of the n members of group collaborate (k <= n)
- k = n implies unanimity
- k >= n/2 implies simple majority
- k = 1 implies independence

- Assumptions
- The secret is represented as a number
- The number may be the secret or a (cryptographic) key that is used to decrypt the secret

Dennis Kafura – CS5204 – Operating Systems

Secret Sharing

- General idea:
- Secret data D is divided in n pieces D1,…Dn
- Knowledge of k or more Di pieces makes D easily computable
- Knowledge of k-1 or fewer pieces leaves D completely unknowable

- Terminology
- This is called a (k,n) threshold scheme

- Uses
- Divided authority (requires multiple distinct approvals from among a set of authorities)
- Cooperation under mutual suspicion (secret only disclosed with sufficient agreement)

Dennis Kafura – CS5204 – Operating Systems

Secret Sharing

- Mathematics
- A polynomial of degree n-1 is of the form
- Just as 2 points determine a straight line (a polynomial of degree 1), n+1 points uniquely determine a polynomial of degree n. That is, ifthen

Dennis Kafura – CS5204 – Operating Systems

Simple (k,n) Threshold Scheme

- Given D, k, and n
- Construct a random k-1 degree polynomial

Dennis Kafura – CS5204 – Operating Systems

Simple (k,n) Threshold Scheme

- Given D, k, and n
- Construct a random k-1 degree polynomial

- Distribute the n pieces as (i, Di)
- Any k of the n pieces can be used to find the unique polynomial and discover a0 (equivalently solve for q(0) )
- Finding the polynomial is called polynomial interpolation

Dennis Kafura – CS5204 – Operating Systems

Example

Suppose k=2, n=3, and D=34

Choose a random k-1 degree polynomial:

Generate n values:

The n pieces are (1,46), (2,58), and (3,70)

Dennis Kafura – CS5204 – Operating Systems

Example

Given 2 pieces (1,46) and (3,70) find the secret, D, by solving the simultaneous equations:

Dennis Kafura – CS5204 – Operating Systems

Vanishing Data

- Motivation
- Many forms of data (e.g., email) are archived by service providers for reliability/availability
- Data stored “in the cloud” beyond user control
- Such data creates a target for intruders, and may persist beyond useful lifetime to the user’s detriment through disclosure of personal information
- Recreates “forget-ability” and/or deniability
- Protect against retroactive data disclosure

- Innovation: “vanishing data object” (VDO)

Dennis Kafura – CS5204 – Operating Systems

Vanishing Data

VDO permanently unreadable after a period

Is readable by legitimate users during the period

Allows attacker to retroactively know the VDO and all persistent cryptographic keys

Dennis Kafura – CS5204 – Operating Systems

Vanishing Data

- VDO permanently unreadable after a period
- Is readable by legitimate users during the period
- Allows attacker to retroactively know the VDO and all persistent cryptographic keys
- Does not require
- explicit action by the user or storage service to render the data unreadable
- changes to any of the stored copies of the data
- secure hardware
- any new services (leverage existing services)

Dennis Kafura – CS5204 – Operating Systems

Example Applications

Dennis Kafura – CS5204 – Operating Systems

Vanish Architecture

- Key elements
- Threshold secret sharing
- Distributed hash tables (DHT) P2P systems
- Availability
- Scale, geographic distribution, decentralization
- Churn
- Median lifetime minutes/hours
- 2.4 min (Kazaa), 60 min (Gnutella), 5 hours (Vuze)
- extended to desired period by background refresh

- VUZE
- Open-source P2P system
- using bittorrent protocol

Dennis Kafura – CS5204 – Operating Systems

Vanish Architecture

- Operation
- Locator is a pseudorandom number generator keyed by L; used to select random locations in the DHT for storing the VDO
- VDO is encrypted with key K
- N shares of K are created and then K is erased
- VDO = (L, C, N, threshold)

Dennis Kafura – CS5204 – Operating Systems

Setting Parameters

- Tradeoff
- Larger threshold values provide more security
- Larger threshold values provide shorter lifetimes

Dennis Kafura – CS5204 – Operating Systems

Performance Measurement

Prepush – Vanish proactively creates and distributes data keys

Dennis Kafura – CS5204 – Operating Systems

Attack Vectors and Defenses

- Decapsulate VDO prior to expiration
- Further encrypt data using traditional encryption schemes

- Eavesdrop on net connection
- Use DHT that encrypts traffic between nodes
- Compose with system (like TOR) to tunnel interactions with DHT through remote machines

- Integrate in DHT
- Eavesdrop on store/lookup operations
- Possible but extremely expensive to attacker (see next)

- Standard attacks on DHTs
- Adopt standard solution

- Eavesdrop on store/lookup operations

Dennis Kafura – CS5204 – Operating Systems

Parameters and security

Assuming 5% of the DHT nodes are compromised what is the probability of VDO compromise?

Dennis Kafura – CS5204 – Operating Systems