Vanish: Increasing Data Privacy with Self-Destructing Data Roxana Geambasu, Tadayoshi Kohno, Amit A. Levy, and Henry M. Levy, USENIX Security Symposium (Usenix), 2009. Presentation by Sruthi Chiluka
Dec 31, 2015
Vanish: Increasing Data Privacy with Self-Destructing Data
Roxana Geambasu, Tadayoshi Kohno, Amit A. Levy, and Henry M. Levy, USENIX Security Symposium (Usenix), 2009.
Presentation bySruthi Chiluka
University of Central Florida
Overview
Introduction Example scenario Goals Other candidate Approaches Vanish Implementation DHT Implementation Types of DHT Vanish application Conclusion
University of Central Florida
INTRODUCTION
What is Vanish? - Vanish is a self destructing system which is broadly applicable in today's Web-centered world.
Where user's sensitive data can persist in the cloud even after the user account termination with the help of self destructing framework users can regain control over their confidential data such as (e-mails, facebook messages or any web contents created or posted).
University of Central Florida
Contd..
Vanish protects the privacy of past, archived data- such as copies of emails maintained by email provider against all kinds of legal, malicious and accidental attacks.
All the copies of data including the pristine copy becomes obliterate after a specific amount of duration, without any user's involvement to perform any action or any third party association to perform the deletion.
University of Central Florida
Example Scenario
How can Alice be sure that sensitive data sent over electronic mail system is secure?Services may retain data for long after user tries to delete
University of Central Florida
ISP
Files/Emails can re-emerge years later
It is possible to retrieve archived data months/years later.Emails are frequently cached or archived by the email provider on their local back up systems, ISP’s etc.Therefore there is a chance of risk exposure in future to unintended parties.
University of Central Florida
Goals
Destruction after Time out.
Accessible until Time out.
Leverage existing Infrastructures.
No secure hardware
No Privacy risks
University of Central Florida
Other Vulnerable Approaches
Most obvious approach is to do manual deleting by installing CRON job.
Protection using PGP does not work against adversaries.
Forward secrecy encryption can be violated by caching, backup archives or court orders.
University of Central Florida
Contd..
Emphemeizer solution - Untrustworthy Centralized Third party Services
University of Central Florida
Self Destructing Data Mold
ISP
File/document is destroyed after specific time out period making all copies of data unreadable including the pristine copy.
University of Central Florida
Vanish Data Object(VDO)
It encapsulates user’s data and prevents its content from storing at intermediate hops and becoming source of retroactive attacks.
It will become unreadable even if connectivity is removed from storage site.
While user encapsulates data in VDO he/she would be knowing the approximate time period to be set to the VDO.
University of Central Florida
Vanish Implementation
Vanish is used to leverage existing, decentralized, large scale Distribution Hash Tables.
Encrypt the data with a key and store the key in a high-churn globally-distributed DHT system
Once it reaches the timeout value, the key would be erased from the DHT and forever lost. The data will not be readable without the key
University of Central Florida
What is Distributed Hash Table(DHT)? Distributed hash table works on peer to peer network(P2P is a
decentralized and distributed network) that provides look up service similar to hash table.
Each node in the network is associated with an index or node ID
Using Hashing a node can find out index corresponding to the specific content
Numerous DHT’s exist in the Internet like Vuze, Mainline and KAD.
University of Central Florida
DHT Implementation
Key Hash Function buckets
John
Smith
521-9876
00010203...131415
University of Central Florida
Vanish usage of DHTVanish takes data content D and encapsulates it into a VDO V.
It encrypts D with a random key K and produces cipher text C
It then splits the key into N shares suppose K1,k2....kn.
After computing the shares it picks up random access key L as seed of random generator to generated the Indices I1,I2...In
Final VDO comprises of (L,C,N threshold)
University of Central Florida
Vuze Mechanism over OPEN DHT
Vuze DHT Open to be joined by any users Millions plus nodes, geographical distributed through the High churn, user leaving and entering within the network Fixed 8 hours timeout
Open DHT Restricted membership Variable time out up to 1 week
University of Central Florida
How Data Time out Works
The DHT nodes churn or internally cleanse themselves, thereby rendering the protected data unavailable over time.
It would be difficult to determine retroactively which nodes where responsible for storing a given piece of data in past.
Keyloses make all data copies permanently unreadable.
University of Central Florida
Defense against Retro active attacks.
Upload data
Copies Archived
Time out
time
Retro active
attack begins
University of Central Florida
Vanish Applications
Firefox plug-in (Included in release of Vanish) Thunderbird plug-in (Developed by the community two
weeks after release ) Self-destructing files Self-destructing trash-bin
University of Central Florida
Contd..
University of Central Florida
VDO decapsulated Prior to Expiration?
An attacker might try to obtain the copy of VDO and revoke its privacy prior to its expiration.
Further decapsulate VDO’s using further traditional encryption schemes like PGP,GPG which are supported by fire vanish application.
By the time user is forced to furnish PGP private keys VDO is expired.
University of Central Florida
Performance Evaluation
Measurements use an Intel T2500 DUO with 2GBRAM,Java 1.6 and broadband network.
Single Vuze DHT took 4 minutes to store 50 shares by employing several vuze operations time could be lowered to 32 seconds for 50 shares
The graph shows getting DHT shares are relatively fast when compared to storing VDO’s
University of Central Florida
CONCLUSION
Disadvantages of Vanish Fixed time out challenges in Vuze based DHT.
For much larger data sizes encryption/decryption becomes complicated.
No defense provided against certain attacks like denial of service which would prevent reading data for life time.
University of Central Florida
THANK YOU…