2013 Storage Developer Conference. Copyright © 2013 Cleversafe, Inc. All Rights Reserved.
Building an Anonymous Public Storage Utility
Wesley Leggette, Cleversafe

Utility Storage
• Many different target audiences
• Business
  • Content distribution
  • Off-site backup
  • Archival
• Consumer
  • Content sharing
  • Collaboration
  • Backup

Consumers… Secret Consumers
• An end user with something to hide
• Options today
  • Object storage service (S3, Azure)
  • Online backup service (CrashPlan, Carbonite)
  • Online sharing (Dropbox, Google Drive)
  • Roll-your-own (OpenStack deployment)
• (We’re talking about reliable systems)

Requirements
• Want:
  • Secure
  • Reliable
  • Available
  • Convenient
  • (cost effective)
  • (scalable)
  • …
  • Anonymous!
• Need:
  • Encrypt data
  • Store data
  • Be online
  • Have good interfaces
  • …
  • Pay for it!

Typical Solutions Today
[Diagram: one Merchant provides Storage, Payment and Auth to the Customer; the Merchant and a Payment Processor each keep Records.]
[Diagram: the same pattern repeated across several merchants, each bundling Storage, Payment and Auth for its own customers.]

Storing everything in one place
• Usually a single company is in charge of:
  • Authentication
  • Encryption
  • Access control
  • Billing information
  • Storage
• All data controlled by one company
  • Technical vulnerabilities: hacking, disclosures
  • Centralized records: subpoenas, warrants

Anonymous system building blocks
[Diagram: the Customer interacts with (1) a Payment Processor, which keeps Records; (2) an Authentication Provider, which holds Auth data and Pseudonymous Records; and (3, 4) a Storage Provider, which holds Storage under a Random Identity.]

Payment
• Create anonymous money
  • Enforced through technology, not policy
  • Spending it cannot reveal who bought it
• Solution:
  • National currency → Bitcoin
  • …Zerocoin
[Diagram: Customer → Payment Processor (Records); building block 1.]

Authentication
• Map pseudonym to credentials
• Make it convenient to use
  • Random identity + encryption keys
  • Can also support real names
• Secures…
  • Authentication keys (PKI)
  • Encryption keys
• Solution:
  • Hidden Identity Mapping
  • Distributed Keys
  • Key Recovery Service
[Diagram: Customer → Authentication Provider (Auth, Pseudonymous Records); building block 2.]

Storage
• Store encrypted data anonymously
• Data tied to storage account
• Pay for it with anonymous currency
• Solution:
  • Anonymous Storage Account
  • Token Based Payment
  • Token Based Redemption
[Diagram: Customer → Storage Provider (Storage, Random Identity), building blocks 3 and 4, with the Payment Processor (Records) alongside.]

Bitcoin and Zerocoin

Bitcoin
• A distributed currency based on public key cryptography, digital signatures, proof of work
• Balances stored in a block chain
  • Essentially a public ledger of all transactions
  • All transactions identifiable by public key
• Not truly anonymous
  • “Following The Bitcoins: How We Got Busted Buying Drugs On Silk Road’s Black Market”, Economic Policy Journal, 7 Sep. 2013
  • http://www.economicpolicyjournal.com/2013/09/follow-bitcoins-how-we-got-busted.html

Anonymizing Options
• Hiding your identity by being careful
  • Tor
  • Multiple public keys
• Mixing services (laundering)
  • Relies on a large number of transactions
  • Assumes the service is trustworthy and legal
• Legal, trustworthy, persistent currency exchange
  • They will keep records!
• The system must prevent linking payer and payee

Zerocoin
• Miers, Garman, et al., Johns Hopkins University
• Built on top of the Bitcoin “transaction network”
• Adds a “placeholder”
• Generates a “zerocoin” that can be transferred
[Diagram: a placeholder enters the Zerocoin process from the Bitcoin transaction chain, and an anonymized coin comes out of the Zerocoin process back onto the Bitcoin transaction chain.]

Redeeming for Bitcoins
• Anonymously redeem zerocoins for bitcoins?
  • No link between placeholder and zerocoin
  • Does not reveal which placeholder created the zerocoin
• Digital commitments, one-way accumulators, zero-knowledge proofs
• Paper:
  • http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf
[Diagram: several placeholders on the Bitcoin transaction chain; which one a redeemed zerocoin came from is marked “?”.]

Hidden Identity Mapping
Truly anonymized storage accounts

Anonymous system building blocks
[Diagram: the building-blocks diagram shown earlier (Customer; Payment Processor with Records; Authentication Provider with Auth and Pseudonymous Records; Storage Provider with Storage under a Random Identity; steps 1 to 4).]

Hidden Identity Mapping
• Create storage account with random id
• How to remember the ID?
• Dispersed Keys
  • A method to store data securely
  • Store random account id with keys
• Key Recovery Service
  • A method to recover lost local information
  • Store random account id with recovery data

Hidden Identity Mapping
[Diagram. The Storage Provider holds objects named only by container and object id:
  34E07868-90FE-49C7-A8E0-E8F8F5396AFA/112344
  34E07868-90FE-49C7-A8E0-E8F8F5396AFA/526434
  34E07868-90FE-49C7-A8E0-E8F8F5396AFA/982345
and an account record with no real identity in it:
  account_id: E5D4853C-9C6E-44E2-B180-F4978F6FEC9A
  storage_container: 34E07868-90FE-49C7-A8E0-E8F8F5396AFA
  credits_remaining: 1345
The Customer authenticates to the Authentication Provider (Auth, Secret Share); the mapping from real identity to random account id, [email protected] --> E5D4853C-9C6E-44E2-B180-F4978F6FEC9A, is what the hidden identity mapping keeps out of the providers’ records.]

Distributed Keys
From password to distributed secret

Goal: Store Data Securely
• Storing encrypted data on a storage provider
• After encrypting, one has to protect a key
• How does one store the key privately and reliably?

Distributed Keys
• Distributed Keys enable end users to recover a private key from any location on the network
• It bridges the gap between password authentication and PKI authentication
  • Seems like password authentication to end users
  • Seems like PKI authentication to service providers
• Unlike more naïve approaches, nothing enabling an offline attack exists at any location
  • Breach of an authentication server yields nothing!

Distributed Keys Architecture
[Diagram sequence: the user device starts with username jsmith01 and a password; it runs the Dispersed Credentials Protocol against the authentication servers; the device ends up holding the Recovered Key; the Recovered Key is then used for PKI Authentication to the service provider.]

Comparison of Mechanisms (Password vs. PKI vs. DK)
1. No single point of failure
2. No single point of compromise
3. Enables access from any location
4. Easy to use
5. Immune to offline brute-force attacks *
6. Credentials are not disclosed during use
7. Immune to physical theft
* Requires a threshold number of simultaneous compromises

How it Works
• We found that through a combination of various cryptographic protocols, an authentication system with almost ideal properties could be formed
  • Server-assisted strong secret generation: Warwick Ford and Burton S. Kaliski Jr. (2000)
  • Secret sharing: Adi Shamir and George Blakley (1979)
  • Encryption and digital signatures

Distributed Key Storage
[Diagram. On the user’s device a Random Number Generator produces exponents e1, e2, …, eN. For each server i the device computes strong-key_i = f(password)^(2 e_i) mod p. The private key is split by a Secret Sharing Scheme into share1, share2, …, shareN, and each share_i is encrypted under strong-key_i by a Cipher, giving SK_i{share_i}. Auth Server 1 … Auth Server N each store one pair (e_i, SK_i{share_i}).]

Distributed Key Retrieval (1 of 2)
[Diagram. The user’s device draws blinding factors b1, b2, …, bK from its Random Number Generator and sends blinded-pass_i = f(password)^(2 b_i) mod p to Auth Server 1 … Auth Server K. Server i computes blinded-SK_i = (blinded-pass_i)^(e_i) mod p and returns it together with SK_i{share_i}.]

Distributed Key Retrieval (2 of 2)
[Diagram. The device computes v_i with b_i * v_i = 1 mod q and unblinds each reply: strong-key_i = (blinded-SK_i)^(v_i) mod p. Each strong-key_i decrypts SK_i{share_i} with the Cipher, giving share1, share2, …, shareK, which the Secret Sharing Scheme recombines into the private key.]

Key Recovery Service
Cooperative encryption key recovery

Key Recovery Service
• Distributed keys provide online storage
• What happens if users forget their passwords?
  • Data encrypted (by user) with encryption keys
  • Only authentication keys identify users
• Key Recovery Service
  • Peer-based key recovery + password reset
  • System mediates recovery requests to users
  • No data is revealed to the server during recovery

Need for a Key Recovery Service: Shamir’s Secret Sharing Scheme
• In 1979 Adi Shamir (the S in RSA) proposed a method for sharing secrets in a way that satisfies the competing goals of security and reliability. Much like an IDA, one chooses a number of shares and a threshold needed for recovery. If each share is given to an individual, a threshold number of them must come together to compute the secret.
• This method is both secure and reliable:
  • Secure: Multiple shares would need to be compromised by an attacker to recover the secret. It takes a conspiracy of individuals holding shares to get the secret.
  • Reliable: Even if some individuals lose their shares or are unavailable, as long as a threshold exists the secret is still recoverable.
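The following is a constructed example added here, not code from the talk or from Cleversafe: a toy Python model of the Distributed Key Storage and Retrieval diagrams above (blinded password, per-server exponent e_i, unblinding with v = b^-1 mod q) together with the Shamir scheme that splits the private key across the auth servers. It assumes a tiny safe prime p = 2039 (q = 1019), SHA-256 as the hash f, a SHA-256 based key derivation for strong-key_i, and XOR as a stand-in for the diagram’s Cipher; none of those choices are from the page.

```python
# Constructed toy model of the Distributed Keys storage/retrieval flow and the
# Shamir scheme: Ford-Kaliski server-assisted strong-secret generation over a
# blinded password, with the private key shared across the auth servers.
# Parameters are tiny and insecure; they only make the arithmetic visible.
import hashlib
import secrets

P, Q = 2039, 1019  # assumed toy safe prime p = 2q + 1; real deployments use a large p
F = 2**61 - 1      # assumed toy prime field for the Shamir shares

def f(password: str) -> int:
    """Hash the password into the order-q subgroup: the slide's f(password)^2 mod p."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return pow(h % (P - 2) + 2, 2, P)
def kdf(group_elem: int) -> int:
    """strong-key_i: a 64-bit cipher key derived from f(password)^(2 e_i) mod p."""
    return int.from_bytes(hashlib.sha256(group_elem.to_bytes(2, "big")).digest()[:8], "big")
def server_harden(blinded_pass: int, e: int) -> int:
    """Auth server i applies its secret exponent e_i; it only ever sees a blinded value."""
    return pow(blinded_pass, e, P)
def hardened_key(password: str, e: int) -> int:
    """Client side: send blinded-pass = f(pw)^(2b) mod p, unblind the reply with v = b^-1 mod q."""
    b = secrets.randbelow(Q - 1) + 1
    blinded_sk = server_harden(pow(f(password), b, P), e)
    return kdf(pow(blinded_sk, pow(b, -1, Q), P))  # == kdf(f(pw)^(2 e_i)) because b*v = 1 mod q
def split(secret: int, n: int, k: int) -> list:
    """Shamir: n points on a random degree-(k-1) polynomial whose value at x = 0 is the secret."""
    coeffs = [secret] + [secrets.randbelow(F) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, j, F) for j, c in enumerate(coeffs)) % F) for x in range(1, n + 1)]
def combine(shares: list) -> int:
    """Lagrange interpolation at x = 0 from any k or more shares; fewer gives garbage, not an error."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num, den = num * (-xj) % F, den * (xi - xj) % F
        total = (total + yi * num * pow(den, -1, F)) % F
    return total
def enroll(password: str, private_key: int, n: int, k: int) -> list:
    """Distributed Key Storage: server i stores (e_i, x_i, SK_i{share_i}) and never learns the key."""
    records = []
    for x, y in split(private_key, n, k):
        e = secrets.randbelow(Q - 1) + 1
        records.append((e, x, y ^ hardened_key(password, e)))  # XOR stands in for the slide's Cipher
    return records
def retrieve(password: str, records: list) -> int:
    """Distributed Key Retrieval: one blinded round trip per server, then decrypt and recombine."""
    return combine([(x, enc ^ hardened_key(password, e)) for e, x, enc in records])
```

Because the servers only ever see f(password)^(2b) for a fresh random b, a dump of every (e_i, SK_i{share_i}) record still leaves nothing to brute-force offline, which is the property the comparison slide claims for DK.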

Design of Key Recovery Service
Using the Key Recovery System
• Account Creation
• Recovery Request
• Private Key Recovery

Account Creation
[Diagram]

Recovery Request
[Diagram]

Verifying Recovery Request
• Recovery requests verified by each user
• Verification is manual; can use a “request fingerprint”
• A threshold of requests must be authorized
• Encrypted shares stored in a central location

Private Key Recovery
[Diagram]

Token Based Payment Plan
Pay as you go, with anonymous currency

Anonymous system building blocks
[Diagram: the building-blocks diagram shown earlier (Customer; Payment Processor with Records; Authentication Provider with Auth and Pseudonymous Records; Storage Provider with Storage under a Random Identity; steps 1 to 4).]

Token Based Payment Plan
• Billing model largely the same
• Form of currency is different
• Failure to pay… data eventually just deleted

Pooled Assets
Customers (Credit)                        Vendors (Debit)
John Smith ................. $ 100.00     Acme Storage, Inc. ............. $ 50.00
Alice Granger ..............  $ 63.00     Fast Fast Storage, LLC ......... $ 72.00
• Storage processor keeps full records of one side of the transaction
• Anonymity through a many-to-many customer to vendor relationship

Conclusions

Conclusion
• A storage service that provides anonymity…
  • Should be as reliable and convenient as existing systems
  • Must rely on technology, not spotty record keeping, to preserve anonymity
• The technology to create this platform exists today
  • Anonymous currencies
  • Anonymous authentication
  • Anonymous data storage