Iron: Functional encryption using Intel SGX

Similar documents
Crypto Background & Concepts SGX Software Attestation

IND-CCA2 secure cryptosystems, Dan Bogdanov

BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX

Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions. Shashank Agrawal and David J. Wu

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij

Semi-Adaptive Security and Bundling Functionalities Made Generic and Easy

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware

White-box Cryptomania

Security in Data Science

A Comparison Study of Intel SGX and AMD Memory Encryption Technology

Notes for Lecture 14

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

SiTP Dec Cryptography for IoT. Dan Boneh Stanford University

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware

Isolating Operating System Components with Intel SGX

Leveraging Intel SGX to Create a Nondisclosure Cryptographic library

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Cryptography. Andreas Hülsing. 6 September 2016

Application to More Efficient Obfuscation

Intel Software Guard Extensions

Maintaining the Anonymity of Direct Anonymous Attestation with Subverted Platforms MIT PRIMES Computer Science Conference October 13, 2018

Upgrading to Functional Encryption

Encryption from the Diffie-Hellman assumption. Eike Kiltz

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

Security of Identity Based Encryption - A Different Perspective

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS

How Formal Analysis and Verification Add Security to Blockchain-based Systems

Eleos: Exit-Less OS Services for SGX Enclaves

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

CIS 4360 Secure Computer Systems SGX

A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model

Town Crier. Authenticated Data Feeds For Smart Contracts. CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016

Binding keys to programs using Intel SGX remote attestation

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018

Secure Set Intersection with Untrusted Hardware Tokens

Authenticated Encryption

Publicly Verifiable Secret Sharing for Cloud-based Key Management

Sanctum: Minimal HW Extensions for Strong SW Isolation

OS Security IV: Virtualization and Trusted Computing

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

Privacy, Discovery, and Authentication for the Internet of Things

Functional Encryption from (Small) Hardware Tokens

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

On the Security of a Certificateless Public-Key Encryption

Functional Encryption from (Small) Hardware Tokens

Lecture Embedded System Security Trusted Platform Module

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Public-Key Cryptography

Ascend: Architecture for Secure Computation on Encrypted Data Oblivious RAM (ORAM)

Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Lecture 8: Cryptography in the presence of local/public randomness

Brief Introduction to Provable Security

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Information Security CS526

Attribute-Based Encryption. Allison Lewko, Microsoft Research

Formal Methods for Assuring Security of Computer Networks

symmetric cryptography s642 computer security adam everspaugh

CPS 510 final exam, 4/27/2015

MTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu

Obliviate: A Data Oblivious File System for Intel SGX. Adil Ahmad Kyungtae Kim Muhammad Ihsanulhaq Sarfaraz Byoungyoung Lee

Somewhat Homomorphic Encryption

More crypto and security

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Hardware Enclave Attacks CS261

Massively Parallel Hardware Security Platform

Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races. CS 563 Young Li 10/31/18

Lecture 3.4: Public Key Cryptography IV

TUX : Trust Update on Linux Kernel

Design and Implementation of the Ascend Secure Processor. Ling Ren, Christopher W. Fletcher, Albert Kwon, Marten van Dijk, Srinivas Devadas

Multi-Theorem Preprocessing NIZKs from Lattices

CLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.

Stateful Key Encapsulation Mechanism

Secure Multiparty Computation

CloudSky: A Controllable Data Self-Destruction System for Untrusted Cloud Storage Networks

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

Cryptography and Cryptocurrencies. Intro to Cryptography and Cryptocurrencies

Simple Password-Hardened Encryption Services

Timed-Release Certificateless Encryption

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

An Exploration of Group and Ring Signatures

Intel Software Guard Extensions (Intel SGX) Memory Encryption Engine (MEE) Shay Gueron

SGXBounds Memory Safety for Shielded Execution

Privacy, Discovery, and Authentication for the Internet of Things

Overview of Cryptography

A Punctured Programming Approach to Adaptively Secure Functional Encryption

Trojan-tolerant Hardware & Supply Chain Security in Practice

Recommendations for TEEP Support of Intel SGX Technology

VIAF: Verification-based Integrity Assurance Framework for MapReduce. YongzhiWang, JinpengWei

CODESSEAL: Compiler/FPGA Approach to Secure Applications

Cryptographic Hash Functions

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Transcription:

Iron: Functional encryption using Intel SGX Sergey Gorbunov University of Waterloo Joint work with Ben Fisch, Dhinakaran Vinayagamurthy, Dan Boneh.

Motivation DNA_A DB = Database of DNA sequences DNA_B DB DB DB Challenges: 1. Ensure privacy of users DNA sequences in the DB. 2. Selectively enable services (i.e. computations) over private data in DB 2

FE to the Rescue ct = Enc(mpk, DB) mpk, msk F1 sk F1 F2 CT sk F2 CT CT CT CT CT F1(DB) F2(DB) sk F1 sk F2 sk F3 F3(DB) 3

FE Definition [Boneh, Sahai, Waters 11] (mpk, msk) Setup(1 n ) ct Enc(mpk, X) sk F Keygen(msk, F) F(X) Dec(sk F, ct) Authority (NIH) Data Owner (may not be NIH) Authority Service / Data User 4

FE Security - Informal Simulation (SIM): Adversary given (sk F1, sk F2,, sk Fq ) and Enc(mpk, X), learns only F1(X), F2(X),, Fq(X) Indistinguishability (IND): Adversary given access to (sk F1, sk F2,, sk Fq ), cannot distinguish between Enc(mpk, X 0 ) and Enc(mpk, X 1 ) where F i (X 0 ) = F i (X 1 ) for all i. 5

FE Security semi-formal [BSW11,O N10] Real World Ideal World FE scheme Sim Adv F1, F2, Adv F1, F2, SK F1, SK F2, SK F1, SK F2, X F1(X), F2(X), MPK ct MPK ct st st (X, st) c (X, st) 6

Previous Results FE for Boolean formulas/inner products [GPSW06, LOSTW10, AFV11, ABDP15, BJK15, ALS16, KLM+16, BCFG17, ] Various standard assumptions: LWE, pairings, etc. Somewhat efficient General functions/circuits [GGHRSW14, ABSV15, Wat16, BKS16, BNPW16, ] х х Non-standard assumptions (multi-linear maps, obfuscation) Very inefficient [ACLL 15] 7

Can we build an efficient, provably-secure FE scheme for arbitrary functions from a plausible assumption? 8

Our Results Thm: We present efficient, provably-secure FE for arbitrary functions assuming existence of secure hardware (Intel SGX) modules. We model and argue the security under strong simulation notion. No restriction on the complexity of functions: need to be written in C/C++. We demonstrate practical efficiency with a prototype implementation and benchmark against known crypto FE constructions.

Outline Motivation and our results Background on secure hardware (Intel SGX) Construction overview Proof insights Implementation details and performance

Intel SGX Overview Goal: provide secure execution environment on an untrusted remote host, assuming only security of a processor enabled with a set of encryption routines (Intel SGX). Untrusted Host Container: Program code Stack Libraries Internal states Data pages Memory User program/data User program/data CPU Only the CPU is tamper safe from the adversary Standard CPU Logic + Hardware Module + Encryption Routines (SGX) (steady state, post-setup) 11

Intel SGX Overview Encrypted user-level memory container User-level = cannot do syscalls, IO, network communication, etc. Physically encrypted pages of program code and data in memory Key is protected on the CPU and cannot be extracted, encrypts/decrypts container pages before execution 12

Intel SGX Overview Property 1: Attestation A party can verify that it is communicating with a program running in the encrypted container on a platform associated with a key pair (pk, sk) Verification wrt a public measurement of the program (hash) Local attestation: two containers running on the same node can attest each other Remote attestation: a remote user can attest that a specific program is running inside a secure container 13

Intel SGX Overview Memory pk Attest(pk, P, Proof P ) Proof P Proof P User program P User program/data Proof P = Sign(sk, H(P)) pk, sk CPU User program/data 14

Intel SGX Overview Property 2: Isolated execution Confidentiality: black-box execution of a program Internal state of the program is hidden from adversary Integrity: Adversary cannot change execution state/data/program, Cannot modify the output of the program on a given input 15

Intel SGX Overview Memory Input X pk P(X), Proof P(X) Verify(pk, P(X), Proof P(X) ) User program P Proof P(X) = Sign(sk, P(X)) pk, sk CPU User program/data 16

SGX Formal Algorithms Setup(1 n ) (sk, pk) Load sk (P) Proof P Attest(pk, P, Proof P ) 0/1 Run sk (X) (P(X), Proof P(X) ) Verify(pk, P(X), Proof P(X) ) 0/1 17

SGX Initialization and Runtime Goal: secure verifiable computation outsourcing of a program P on input X. pk P, X Load(P) Proof P Memory pk, sk Attest(pk, P, Proof P ) Sec. channel User program P P(X), Proof P(X) CPU X P(X), Proof P(X) Verify(pk, P(X), Proof P(X) ) 18

SGX The Good Shielded execution of unmodified Windows apps [BPH14] Secure MapReduce computations [SCF+15, DSC+15, OCF+15] Secure Linux containers [ATG+16, STT+17] An authenticated data feed for smart contracts [ZCC+16] Secure distributed data analytics (Spark SQL) [ZDB+17] Other CPU manufacturers have their own version of SGX (AMD SEV) Easy to use, develop, integrate, etc. Becoming a building block for many secure applications! 19

SGX The Ugly Programs running inside encrypted containers are subject to sidechannel attacks: Page-fault attacks [XCP15] Synchronization bugs [WKPK16] Branch shadowing [SLK+17] Cache attacks [BMD+17, SWG+17] Lots of academic work providing stronger security guarantees and mitigating SGX side-channels [CLD16, SLKP16, LSG+16, WKPK16, SLK+17, SGF17]. 20

SGX The Ugly Cont. Intel is trusted for the HW implementation Cannot change the working function inside the encrypted container after it is loaded/attested Small working memory (~90MB) No system calls/io/network communication 21

System vs Model vs Proof IPSec Disk encryption 22

Outline Motivation and our results Background on secure hardware (Intel SGX) Construction overview Proof insights Implementation details and performance

Our Construction (simplified) Building blocks: SGX (on data user node) public-key encryption (p.setup, p.enc, p.dec) signature scheme (s.setup, s.sign, s.verify) 24

Our Construction (simplified) Data Owner mpk Authority F Data User SGX Enc(mpk, X) ct 1) p.enc(pk p, X) ct Setup(1 k ) (mpk, msk) 1) s.setup(1 k ) (vk s, sk s ) 2) p.setup(1 k ) (pk p, sk p ) 3) mpk = (pk p, vk s ), msk = (sk p, sk s ) Dec(sk F, ct) F(X) (next slide) Keygen(msk, F) sk F 1) s.sign(sk s, F) sk F 25

Dec(sk F, ct) F(X): Authority msk = (sk p, sk s ) F Attest Sec. channel Data User ct, mpk = (pk p, pk s ) SGX Encrypted Container Problems: 1) Enc. container cannot talk over network? sk p Verify sk F Decrypt X Output F(X) 2) Which function to attest in enc. container? 26

Dec(sk F, ct) F(X): 1) Enc. container cannot talk over network? Authority msk = (sk p, sk s ) F Data User ct, mpk = (pk p, pk s ) Attest Sec. channel sk p IO S H I M SGX Encrypted Container Verify sk F Decrypt X Output F(X) 27

Dec(sk F, ct) F(X): 2) Which function to attest in enc. container? Authority msk = (sk p, sk s ) F Attest Sec. channel Data User ct, mpk = (pk p, pk s ) IO SGX Encrypted Container Define: P(mpk, ct, sk F ): 1) Establish secure channel 2) Verify sk F 3) Decrypt X 4) Output F(X) sk p S H I M Verify sk F Decrypt X Output F(X) Load and attest P 28

Dec(sk F, ct) F(X): 2) Which function to attest in enc. container? Authority msk = (sk p, sk s ) F ct, mpk = (pk p, pk s ) Data User Attest P Sec. channel sk p IO S H I M P(mpk, ct, sk F ): Establishes secure channel Verifies sk F Decrypt X Launches enclave F Local attests enclave F Attest F sec. channel F : Establish sec. channel X Compute F(X)

Q & A Q: Adversary controls the IO Shim layer. Can she/he modify: 1. The secret key sk F 2. Program loaded P 3. The encryption of the secret key sk p and observe output F(X) to learn information about sk p? A: 1. No, follows by security of signature scheme 2. No, follows by attestation property of SGX 3. Channel must be protected with CCA2 properties.

Q & A Q: How does the proof work? Authority msk = (sk p, sk s ) f Data User ct, mpk = (pk p, pk s ) Attest Sec. channel IO SGX Encrypted Container sk p S H I M sk F sk p F(X) Need to simulate! F(X)

Q & A Q: How does the proof work? A: Authority msk = (sk p, sk s ) f Attest Sec. channel F(X), sk p Data User ct, mpk = (pk p, pk s ) IO S H I M SGX Encrypted Container sk F sk p F(X) In simulation, F(X) comes from the authority via sec. channel (enc(0) in the real game) Indistinguishability of enc(0) and enc(f(x)) follows by sec. channel (not readily. need to use dual-encryption tech.) F(X)

Q & A Q: What is function description and how does authority validate it? A: An arbitrary C/C++ program code that is given to the authority. Authority can inspect the code, compile into sgx-enabled executable and sign the executable. sk F = (executable, signature of the executable).

Q & A Q: SGX is vulnerable to side-channels? A: Yes, while inspecting the code of a function F, the authority can ensure that it side-channel free or augment it into such form before compiling. Program P needs to be built side-channel free once and for all. (Side-channel free: e.g., constant time.)

Q & A Q: What happens if the data user restarts the node? A: SGX has a mechanism to seal enclave secrets on persistent storage with a hardware-derived key.

Outline Motivation and our results Background on secure hardware (Intel SGX) Construction overview Proof insights Implementation details and performance

Implementation Intel i5, 16 GB RAM, Intel SGX SDK 1.6 for Windows Crypto Algorithms: PKE Signature ElGamal (MSR_ECClib.lib) + AES-GCM ECDSA (sgx_tcrypto.lib) Supported functions Any function that can be loaded into an enclave And resist side-channels 37

Implementation We implement oblivious IBE, ORE, 3-DNF, simple linear regression By implementing data comparisons in registers, constant time, code-independent accesses [OSF+16] IBE : ct Enc(ID, X) X Dec(sk ID, ct) Order(X, Y) : Output 1 if x > y, else 0 3-DNF(X,Y,Z) : Output (x 1 y 1 z 1 ) (x n y n z n ) n-bit vectors SimpLinReg({a i, b i }) : Output the best-fit (α, β) such that b i = α + β a i 38

Evaluation FE.Setup FE.KeyGen : 130 ms (60 ms for KMEnclave creation) : 10 ms FE.Decrypt: 39

Evaluation 40

Thank you! 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback