WP1: Private Membership Test & WP2: Secure Cloud Storage and Deduplication Jian Liu, Sandeep Tamrakar
2
Outline
• WP1: Private membership test
  – Crypto
  – Trusted Hardware
• WP2: Secure cloud storage
  – Deduplication
    • Crypto
    • Trusted Hardware
  – Easy-to-use Key Management
3
Screening Malware
[Diagram: Mobile device A → Malware DB, arrow labelled hAPK]
4
Private Membership Test
[Diagram: Mobile device A asks whether x is among the entries x1, x2, x3, …, xn of the Malware DB]
Current solutions for private information retrieval:
• Multiple independent servers: unrealistic in commercial setting
• Single server: expensive in both computation and communication
The problem: How to preserve end user privacy for anti-malware clients that look up cloud-hosted databases?
5
Bloom Filter: efficient structure for membership test
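[Diagram: Insert hashes each item x1, x2, x3, …, xn with the hash functions h1, h2, h3 and sets those positions in the filter (example filter: 0 1 1 0 1 0 1 0 1 0); Check hashes the queried x with h1, h2, h3 and reads those positions]
• Relatively small storage
• Query efficiently
• False Positives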
6
Typical Parameters for Android Malware
• Size of the dataset: 2^21 samples
• False positive rate: 10^-3
• Number of hash functions: 10
• Size of the bloom filter: 2^25 bits
8
Solution 1: Encrypted Bloom Filter
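[Diagram: items x1, x2, x3, …, xn are hashed with {Hi} into the Bloom filter 1 0 1 … 0, which is encrypted bit by bit as E(1) E(0) E(1) … E(0); a query x? is answered through Blind Decryption with key K, turning E(1) into 1]
Meskanen T, Liu J, Niemi V. Private Membership Test for Bloom Filters.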
9
Details of Solution 1
(QR_N: quadratic residue mod N; QNR_N: quadratic non-residue mod N)
Building/Deploying Encrypted Bloom Filter (N = p*q)
For each bit b_i in the bloom filter:
Find the smallest k s.t. Jacobi(H(k||i), N) = 1
• If H(k||i) is QR_N then E(b_i) = b_i
• Else if H(k||i) is QNR_N then E(b_i) = 1 – b_i
(H(k||i) is QR_N iff Jacobi(H(k||i), p) = Jacobi(H(k||i), q) = 1)
Lookup (for each E(b_i))
Find the smallest k s.t. Jacobi(H(k||i), N) = 1
Calculate: z = H(k||i, N)*r mod N where r is a random square
Send z; the answer is whether z is QR_N or QNR_N
• b_i = E(b_i) if z is QR_N
• b_i = 1-E(b_i) if z is QNR_N
10
Solution 2: Bloom Filter of Encrypted Records
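[Diagram: records x1, x2, x3, …, xn are encrypted under key k as E(x1) E(x2) E(x3) … E(xn) and hashed with {Hi} into the Bloom filter 1 0 1 … 0; for a query x? a Blind Signature on inputs x and k yields E(x)]
Nojima R, Kadobayashi Y. Cryptographically Secure Bloom-Filters[J]. Transactions on Data Privacy, 2009, 2(2): 131-139.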
11
Solution 3: Bloom Filter with hidden hash functions
[Diagram: items x1, x2, x3, …, xn are hashed with {Hi} into the Bloom filter 1 0 1 … 0; for a query x? an Oblivious Pseudorandom Function on inputs x and {Hi} yields {Hi(x)}]
Nojima R, Kadobayashi Y. Cryptographically Secure Bloom-Filters[J]. Transactions on Data Privacy, 2009, 2(2): 131-139.
12
Comparison
                  Solution 1     Solution 2        Solution 3
Preprocessing     2^25 Jacobi    2^25 RSA          -
Online (Server)   20 Jacobi      1 exp., 1 mod.    200 OTs and 2 exp.
Online (Client)   20 Jacobi      1 exp., 2 mod.
14
Private Membership Test with Trusted Hardware
• Trusted Execution Environments (TEEs) are ubiquitous
  – Available on Smartphones
  – Available for servers
• Can we achieve a practical solution for Private Membership Test?
• Designed a solution that operates as a trusted third party inside TEE at the lookup server.
15
Overview of Operations
PKs: Public key of the Lookup Server
t: constant time (1 round of Bloom Filter processing)
[Diagram: Request 1, Request 2, …, Request n carry E_PKs(H(data1)), E_PKs(H(data2)), …, E_PKs(H(datan)) to the BF Position Generator inside the TEE at the Lookup Server; requests are processed in parallel against BF Chunk 1, BF Chunk 2, BF Chunk 3, …, BF Chunk n; Response 1, Response 2, …, Response n are each returned after time t]
16
Typical Parameters
• Low-cost hardware (dual-core ARMv7, 1GHz).
• Implemented using <t-base API on TrustZone.
• Size of the database: 2^21 samples / 2^26 samples
• False positive rates: 10^-3
• Number of hash functions: 10
• Size of the bloom filter: 2^25 bits / 2^30 bits
• One complete round of BF processing time: ~170 ms
• Process up to 128 parallel requests
17
Private Membership Test
The problem: How to preserve end user privacy for anti-malware clients that look up cloud-hosted databases?
Our approach: Build a private membership test scheme based on Bloom filters using (a) cryptography and (b) trusted hardware.
Results so far: (a) Using Goldwasser-Micali homomorphic encryption scheme (paper, poster) (b) mediated by Trusted H/W (poster/demo)
Work Package 1
What?
WP leads: Jian Liu and Sandeep Tamrakar
19
Deduplication
Client side deduplication
Server side deduplication
Side Channel!
20
Deduplication on Encrypted Data
[Diagram: two users upload files to the cloud encrypted under different keys Ka and Kb; labels SK_A, PK_A and "?"]
Convergent Encryption
• Calculate the hash of each file
• Use the hash to encrypt the file
• Same file will get the same ciphertext
Suffers from the offline brute-force guessing attack
Douceur, John R., et al. "Reclaiming space from duplicate files in a serverless distributed file system." Distributed Computing Systems, 2002. Proceedings. 22nd International Conference on. IEEE, 2002.
21
State of the Art: Independent Key Server
[Diagram: each client runs Oblivious key generation with the independent key server and obtains its key (Ka, Kb); labels SK_A, PK_A]
Bellare, Mihir, Sriram Keelveedhi, and Thomas Ristenpart. "DupLESS: server-aided encryption for deduplicated storage." Proceedings of the 22nd USENIX conference on Security. USENIX Association, 2013.
Goal: prevent offline brute-force guessing attacks
• Unrealistic in business settings
• Suffers from online brute-force guessing attacks
23
Crypto-based Solution
[Diagram: clients holding keys Ka and Kb run Oblivious Key Sharing through the cloud; labels SK_A, PK_A]
24
Oblivious Key Sharing Protocol
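[Protocol diagram, written out as steps]
One client holds Fb and (pk, sk); the other holds Fa and K.
Password Authenticated Key Exchange (PAKE) on Fb and Fa: the clients obtain kb and ka.
The client with Fb sends kbL, Cb = Enc(pk, kbR + r); the client with Fa sends kaL, Ca = Enc(pk, K + kaR).
If kaL = kbL, e = Ca – Cb = Enc(pk, K - r)
Else, e = Enc(pk, r')
e is returned to the client with Fb, which computes K' = Dec(sk, e) + r
…
Use rate limiting to bound the number of protocol runs: prioritizing popular files.
The client with Fb uploads E(K', Fb).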
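The homomorphic step of the protocol above, as an added Python example (not the authors' implementation). Assumptions: Paillier is used as the additively homomorphic Enc/Dec, the PAKE is replaced by a hash-based stand-in that only reproduces its outcome (equal files give equal session keys), and the toy modulus and all function names are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy Paillier key: two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, N2, PHI = P * Q, (P * Q) ** 2, (P - 1) * (Q - 1)

def enc(m):
    """Paillier Enc(pk, m) with generator N + 1."""
    r = secrets.randbelow(N - 2) + 2
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    """Paillier Dec(sk, c); only the holder of (pk, sk) can run this."""
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N

def sub(ca, cb):
    """Ca - Cb on plaintexts: multiply by the inverse ciphertext."""
    return ca * pow(cb, -1, N2) % N2

def pake_stand_in(session, file_bytes):
    """NOT a PAKE. Returns (left, right) halves of a session key that is
    equal for both parties only if their files are equal."""
    d = hashlib.sha256(session + hashlib.sha256(file_bytes).digest()).digest()
    return int.from_bytes(d[:16], "big"), int.from_bytes(d[16:], "big")

def share_key(file_a, key_a, file_b):
    """Run one protocol instance; returns K' as computed by the holder of Fb."""
    session = secrets.token_bytes(16)
    ka_l, ka_r = pake_stand_in(session, file_a)
    kb_l, kb_r = pake_stand_in(session, file_b)
    r = secrets.randbelow(2**128)           # blinding value of the Fb holder
    cb = enc(kb_r + r)                      # Cb = Enc(pk, kbR + r)
    ca = enc(key_a + ka_r)                  # Ca = Enc(pk, K + kaR)
    if ka_l == kb_l:
        e = sub(ca, cb)                     # Enc(pk, K - r) when ka = kb
    else:
        e = enc(secrets.randbelow(N))       # Enc(pk, r'), unrelated to K
    return (dec(e) + r) % N                 # K' = Dec(sk, e) + r
```

When the files differ, K' is a random value, so the holder of Fb cannot tell a failed match from a successful one and simply encrypts under a fresh key.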
25
Simulation - datasets
• Media Dataset
– Use Android app popularity dataset as proxy
– 7,396,235 uploads
– 178,396 distinct files
• Enterprise Dataset
– Debian Popularity Contest
– 217,927,332 uploads
– 143,949 are distinct
26
Simulation – results
• Average number of PAKE runs = (Total number of PAKE runs) / (Total number of upload requests)
• Deduplication Percentage = 1 – (Number of all files in storage) / (Total number of upload requests)
28
Prototype and Performance
• Node.js for the Web framework, Redis for the database
• SHA-256, AES-256-CBC, GMP Library (C)
29
Summary of Crypto-based Solution
• First single server scheme that simultaneously enables deduplication and strong encryption
• Better security guarantees than previous work
• Deduplication effectiveness: close to perfect
• Overhead: negligible for large files
31
State of the Art: Independent Key Server
[Diagram: the owners of File A and File B each run Oblivious key generation with the Independent Key Server and obtain Ka and Kb]
Unrealistic in business settings
32
State of the Art: Independent Key Server
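[Diagram: the key server runs in a Trusted Execution Environment on the HOST; the owner of File A sends # = hash of File A and receives Ka; the owner of File B sends # = hash of File B and receives Kb]
Unrealistic in business settings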
34
Deduplication using Trusted Hardware
• Key Server runs in ARM TrustZone
• <t-base API (Trustonic)
• Used Smartphone that can be plugged as HSM
• Key fetching time: 1.4 sec
• Additional bandwidth: 280 bytes
36
Easy-to-use Key Management
• Users access their data from multiple devices
  – cloud storage to share / synchronize data among devices
• To preserve privacy in the cloud, data is encrypted
  – State of the art: encryption keys derived from passwords
  – File updates require re-encrypting whole file
• Easy-to-use key management
  – Client-generated strong keys
  – Consistent and simple user interaction for key distribution
• Efficient file updates
37
Key Distribution
[Diagram: Old Device and New Device, with the encrypted content in the cloud; the key distribution channel is discovered automatically (Camera / Display: QR code; display / key board: passcode); the New Device provides PKnew, AuthKnew; the Old Device encrypts with PKnew]
38
Problem: Updating encrypted file
[Diagram: Updated file − Original file = difference << File size; Encrypted updated file − Encrypted original file = difference ≈ File size]
39
Solution: Synchronization approach
[Diagram: Updated file − Original file = Diff file; the Encrypted diff file is stored in the cloud next to the Encrypted Original file; after decrypt, Diff file + Original file = Updated file]
40
Deduplication with diff files
[Diagram: User A and User B share the Encrypted original file in the cloud; changes from User B are stored as Diff file 1, Diff file 2, Diff file 3; key labels Kori and Kb]
Current status - OmniShare
• Client side encryption with strong keys
• Easy to use key distribution scheme
  – Key exchange via:
    • Camera / Display: QR code
    • display / key board: passcode
• Works with popular cloud storage services like Dropbox
• Available on Android & Windows
https://se-sy.org/projects/omnishare/
42
Client-encrypted cloud storage in real life
The problem: How to reconcile the need for strong client-side encryption with real life constraints?
(a) deduplication (business constraint)
(b) use of multiple devices (usability constraint)
Our approach: (a) use trusted hardware or cryptographic protocols; (b) design an intuitive key management scheme
Results so far: (a) Secure deduplication w/o additional servers (draft paper, poster/demo), via key server in trusted h/w (b) OmniShare (poster/demo)
Work Package 2
What?
WP leads: Jian Liu and Sandeep Tamrakar