COMPOSABLE AND ROBUST OUTSOURCED STORAGE

Transcription

1 SESSION ID: CRYP-R14 COMPOSABLE AND ROBUST OUTSOURCED STORAGE Christian Badertscher and Ueli Maurer ETH Zurich, Switzerland

2 Motivation Server/Database Clients Write Read block 2

3 Outsourced Storage: Security Goals Server/Database In general: Insecure 3

4 Outsourced Storage: Security Goals Server/Database - Detect malicious modifications - Detect rollbacks of valid data blocks 4

5 Outsourced Storage: Security Goals Server/Database?? #i - Confidentiality of the content 5

6 Outsourced Storage: Security Goals Server/Database???? Alice s server memory should look like a black box to the server provider: - Leaks at most number of accesses - Hides access pattern and content - No undetected modifications possible 6

7 Applications of a Storage Abstraction Use the storage abstraction in cryptographic protocols Store and retrieve information Design and prove entire networked file systems Conduct a modular proof in a composable framework Assume an outsourced storage resource as hybrid Construct stronger from weaker resources 7

8 Composability 1 Insecure Secured Database 2 Application 8

9 Robustness Abort-on-Error is a common mechanism (eg, TLS sessions) 9

10 Robustness Abort-on-Error is a common mechanism (eg, TLS sessions) Different with outsourced storage Recovery, memory dump, In general: access whatever is there (eg, after a failure or security breach) Solutions: Distribute, Replicate, or: Robust Storage Protocols However: Robustness could compromise security! 10

11 Constructions C Server Storage Local Mem W S The real world 11

12 Constructions Protocol W Server Storage Local Mem S The real world 12

13 Constructions W W Protocol Server Storage S C Secure Storage S sim Local Mem The real world The ideal world 13

14 A New Model for Outsourced Storage We design a formal model for composable and robust outsourced storage We capture various client-side security provisions including composable retrievability guarantees We design robust schemes that ensure these guarantees and review the security of existing schemes 14

15 Basic Server-Memory Resource (Write, i, x) (Read, i) x n-2 n-1 n SMR 15

16 Basic Server-Memory Resource (Write, i, x) (Read, i) x n-2 n-1 n (Write, i, x) getaccesshistory (w,i 1,x 1 ),, (r,i k,x k ) SMR 16

17 Basic Server-Memory Resource Enable/Disable server write-access (Write, i, x) (Read, i) x n-2 n-1 n (Write, i, x) getaccesshistory (w,i 1,x 1 ),, (r,i k,x k ) SMR 17

18 Basic Server-Memory Resource Direct interaction with resources at interface W: Enable/Disable server write-access - Not a hard-coded adversarial (Write, capability i, x) - But this typical worstcase is also covered (Read, i) - Specific form of robustness is modeled x n-2 n-1 n SMR (Write, i, x) getaccesshistory (w,i 1,x 1 ),, (r,i k,x k ) 18

19 Authentic Server-Memory Resource Enable/Disable server write-access (Write, i, x) (Read, i) x / ε ε n-2 n-1 n (Delete, i) (Restore, i) getaccesshistory (w,i 1,x 1 ),, (r,i k,x k ) asmr 19

20 Confidential Server-Memory Resource Enable/Disable server write-access (Write, i, x) (Read, i) x / ε n-2 n-1 n (Delete, i) (Restore, i) getaccesshistory (w, i 1, ꓕ),, (r, i k, ꓕ) csmr 20

21 Secure Server-Memory Resource Enable/Disable server write-access ε (Write, i, x) (Read, i) with probability α n-2 n-1 n Set Corruption-Parameter α getaccesshistory # of accesses x otherwise ssmr 21

22 Secure Server-Memory Resource Guarantees: Enable/Disable server write-access ε - No targeted corruptions Uniform (Write, bad i, x) influence - No access pattern leakage (Read, i) n-2 n-1 n with probability α Set Corruption-Parameter α getaccesshistory # of accesses x otherwise ssmr 22

23 Auditable Server-Memory Resource Enable/Disable server write-access (Write, i, x) (Read, i) audit n-2 n-1 n TRUE if most recent memory FALSE otherwise 23

24 Auditable Server-Memory Resource Enable/Disable server write-access - Can also (Write, i, x) 1 be a 2probabilistic 3 retrievability guarantee (Read, - i) Useful case: if server writeaccess is currently disabled audit n-2 n-1 n TRUE if most recent memory FALSE otherwise 24

25 Protocols Basic Authentic Confidential Secure 25

26 Protocols Basic Authentic Confidential Secure - Message-Authentication Codes + Authentication Trees (eg, Blum) 26

27 Protocols Basic Authentic Confidential Secure - Symmetric Encryption 27

28 Protocols Basic Authentic Confidential Secure - Strengthened Oblivious RAM (eg, Path-ORAM + Error Handling) 28

29 Protocols - Audits Basic Authentic Confidential Secure Basic & Auditable Authentic & Auditable Confidential & Auditable Secure & Auditable 29

30 Protocols - Audits Basic Authentic Confidential Secure Basic & Auditable Standard Techniques: - Erasure Codes - Random Sampling - Parameter Estimation - Hash-Based (under stronger assumptions) Authentic & Auditable Confidential & Auditable Secure & Auditable 30

31 Special Case: Achieving Secure Storage (Read, i) Protocol (i,x) Authentic & Confidential Server Memory Resource 31

32 Special Case: Achieving Secure Storage (Read, i) 1) Create pseudorandom access sequence to server locations 2) Re-structure part of memory (i,x) Authentic & Confidential Server Memory Resource 32

33 The Issue with Side-Channels Authentic & Confidential Server Memory Resource 1 Bob deletes part of the storage where he assumes that Alice stores her logical block i 33

34 The Issue with Side-Channels Authentic & Confidential Server Memory Resource 2 Assume Alice makes a sequence of requests ε ε 34

35 The Issue with Side-Channels Access 1: Fail Access 2: OK Authentic & Confidential Server Memory Resource ε ε 3 Assume Bob learns which requests by Alice failed to retrieve a block 35

36 The Issue with Side-Channels Authentic & Confidential Server Memory Resource (i,x) 4 If Alice s protocol allows Bob to guess correctly with some bias, then the error pattern reveals information on the access pattern! 36

37 Summary and Outlook We present a security model for outsourced storage following a modular approach building a hiearchy of storage resources We show how to achieve each of the storage resources with concrete protocols Our strongest notion provides a very high level of security and supports audits Existing protocols often fail to provide this level of security 37

38 CRYPTOGRAPHY: SECURE STORAGE Session-ID CRYP-R14

39 SESSION ID: CRYP-R14 SECURE DEDUPLICATION OF ENCRYPTED DATA: REFINED MODEL AND NEW CONSTRUCTIONS Jian Liu PhD Candidate Aalto University

40 Cloud Storage 40

41 Deduplication F F c 41

42 Secure Deduplication of Encrypted Data (SDoE)?? K B K A F F c 42

43 Convergent encryption? K K F F Convergent Encryption: eg, K = h(f) c Offline brute-force attack by a corrupt storage server J R Douceur, et al Reclaiming space from duplicate files in a serverless distributed file system In ICDCS 02 43

44 DupLESS: Independent Key Server Online brute-force attack by a corrupt storage server Who will run the independent key server? K B K A F B F A c Oblivious PRF Oblivious PRF K B = K A iff F A = F B M Bellare, S Keelveedhi, and T Ristenpart DupLESS: server-aided encryption for deduplicated storage USENIX 13 K B 44 K A

45 PAKE-based SDoE Attacks from malicous clients K B 13-bit 13-bit K A SK_A PK_A F B F A c PAKE-based Key Sharing K B = K A iff F A = F B J Liu, N Asokan, and P Pinkas Secure deduplication of Encrypted Data Without Additional Independent Servers CCS 15 K B 45 K A

46 Contributions Formal security model for SDoE Two single-server SDoE that are provable secure Realistic simulations 46

47 Password Authenticated Key Exchange (PAKE) PW B PW A PW B PW A Password Authenticated Key Exchange (PAKE) k B k A k B = k A iff PW B =PW A 48

48 c SDoE (1) F C = F*g K F, K H(F ) Password Authenticated Key Exchange (PAKE) H(F) K = e-k BR (k =s if F = F) k B k A k BL, k AL, S+k AR, S-K e F g K F g K g S-K = F g S = F g K if k AL = k BL e = S + k AR else e = r 49 S was uniformly chosen by Alice Ser can just drop this if deduplication happens Ser will keep F*gK for the first uploader, and K K for the following uploaders

49 c SDoE (2) F C = F ÅH(K) F, K H(F ) Password Authenticated Key Exchange (PAKE) H(F) K = e Åk BR (k =s if F = F) k B k A k BL, k AL, S Å k AR, S ÅK e R ÅK, F ÅH(R ) (S ÅK) Å (K ÅR) = K ÅR, F ÅH(R) if k AL = k BL e = S Åk AR else e = r 50 S was uniformly chosen by Alice

50 Simulation - dataset Android application popularity: uploads, distinct Extend 5x by Synthetic Minority Over-sampling Technique (SMOTE) Model the real-world upload stream Assuming the upload requests of a single file follows normal distribution The number of copies of a file uploaded at time point t is The total number of files uploaded at time point t is y i = 1 s i 2p e- (t-u i ) 2 2s i 2 N(m,s 2 ) x i 51

51 Simulation Rate Limiting 52

52 Simulation Offline Rate 53

53 Deduplication percentage % Simulation Popularity threshold Deduplication percentage with different popularity thresholds Deduplication percentage with rate limit 50(50) and offline rate 05, no popularity threshold Popularity thresholds 54

54 Q & A 55