Building an Anonymous Public Storage Utility Wesley Leggette Cleversafe

Building an Anonymous Public Storage Utility...Title Wesley Leggette SDC 2013.pptx Author Wesley Leggette Created Date 20130916153249Z


2013 Storage Developer Conference. Copyright © 2013 Cleversafe, Inc. All Rights Reserved.

Building an Anonymous Public Storage Utility

Wesley Leggette Cleversafe


Utility Storage

• Many different target audiences
  • Business
    • Content distribution
    • Off-site backup
    • Archival
  • Consumer
    • Content sharing
    • Collaboration
    • Backup


Consumers… Secret Consumers

• An end user with something to hide
• Options today
  • Object Storage service (S3, Azure)
  • Online backup service (Crashplan, Carbonite)
  • Online sharing (Dropbox, Google Drive)
  • Roll-your-own (OpenStack deployment)
• (We’re talking about reliable systems)


Requirements

• Want:
  • Secure
  • Reliable
  • Available
  • Convenient
  • (cost effective)
  • (scalable)
  • …
• Anonymous!
• Need:
  • Encrypt Data
  • Store Data
  • Be Online
  • Have Good Interfaces
  • …
  • Pay for it!


Typical Solutions Today

[Diagram. Labels: Customer; Merchant; Payment Processor; Storage; Payment; Auth; Records]


[Diagram, untitled slide. Labels: Customer; Merchant; Storage; Payment; Auth]


Storing everything in one place

• Usually single company in charge of:
  • Authentication
  • Encryption
  • Access Control
  • Billing Information
  • Storage
• All data controlled by one company
  • Technical vulnerabilities: hacking, disclosures
  • Centralized records: subpoenas, warrants


Anonymous system building blocks

[Diagram, steps 1 to 4. Labels: Customer; Payment Processor (Records); Authentication Provider (Auth, Pseudonymous Records); Storage Provider (Storage, Random Identity)]


Payment

• Create anonymous money
• Enforced through technology, not policy
• Spending it cannot reveal who bought it
• Solution:
• National currency → Bitcoin
• …Zerocoin

[Diagram, step 1. Labels: Customer; Payment Processor (Records)]


Authentication

• Map pseudonym to credentials
  • Make it convenient to use
  • Random identity + encryption keys
  • Can also support real names
• Secures…
  • Authentication keys (PKI)
  • Encryption keys
• Solution:
  • Hidden Identity Mapping
  • Distributed Keys
  • Key Recovery Service

[Diagram, step 2. Labels: Customer; Authentication Provider (Auth, Pseudonymous Records)]


Storage

• Store encrypted data anonymously
  • Data tied to storage account
  • Pay for it with anonymous currency
• Solution:
  • Anonymous Storage Account
  • Token Based Payment
  • Token Based Redemption

[Diagram, steps 3 and 4. Labels: Customer; Payment Processor (Records); Storage Provider (Storage, Random Identity)]


Bitcoin and Zerocoin


Bitcoin

• A distributed currency based on public key cryptography, digital signatures, proof of work
• Balances stored in a block chain
  • Essentially a public ledger of all transactions
  • All transactions identifiable by public key
• Not truly anonymous
• “Following The Bitcoins: How We Got Busted Buying Drugs On Silk Road’s Black Market” Economic Policy Journal 7 Sep. 2013
• http://www.economicpolicyjournal.com/2013/09/follow-bitcoins-how-we-got-busted.html


Anonymizing Options

• Hiding your identity by being careful
  • TOR
  • Multiple public keys
• Mixing services (laundering)
  • Relies on large amount of transactions
  • Assumes service is trustworthy, legal
• Legal, trustworthy, persistent currency exchange
  • They will keep records!
• System must prevent linking payer and payee


Zerocoin

• Miers, Garman, et al., Johns Hopkins University
• Built on top of Bitcoin “transaction network”
• Adds “placeholder”
• Generates “zerocoin” that can be transferred

[Diagram. Labels: Bitcoin Transaction Chain; Zerocoin Process; Anonymized Coin]


Redeeming for Bitcoins

• Anonymously redeem zerocoins for bitcoins?
• No link between placeholder and zerocoin
• Does not reveal which placeholder created the zerocoin
• Digital commitments, one-way accumulators, zero-knowledge proofs
• Paper:
• http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf

[Diagram. Labels: Bitcoin Transaction Chain (repeated); ?]


Hidden Identity Mapping

Truly anonymized storage accounts


Anonymous system building blocks

[Diagram, steps 1 to 4. Labels: Customer; Payment Processor (Records); Authentication Provider (Auth, Pseudonymous Records); Storage Provider (Storage, Random Identity)]


Hidden Identity Mapping

• Create storage account with random id
  • How to remember the ID?
• Dispersed Keys
  • A method to store data securely
  • Store random account id with keys
• Key Recovery Service
  • A method to recover lost local information
  • Store random account id with recovery data


Hidden Identity Mapping

[Diagram. Labels: Customer; Authentication Provider (Auth, Secret Share); Storage Provider]

Storage Provider:

  34E07868-90FE-49C7-A8E0-E8F8F5396AFA/112344
  34E07868-90FE-49C7-A8E0-E8F8F5396AFA/526434
  34E07868-90FE-49C7-A8E0-E8F8F5396AFA/982345

  account_id: E5D4853C-9C6E-44E2-B180-F4978F6FEC9A
  storage_container: 34E07868-90FE-49C7-A8E0-E8F8F5396AFA
  credits_remaining: 1345

Authentication Provider:

  [email protected] --> E5D4853C-9C6E-44E2-B180-F4978F6FEC9A


Distributed Keys

From password to distributed secret


Goal: Store Data Securely

• Storing encrypted data on storage provider
• After encrypting, one has to protect a key
  • How does one store the key privately and reliably?


Distributed Keys

• Distributed Keys enable end users to recover a private key from any location on the network
  • It bridges the gap between password authentication and PKI authentication
    • Seems like password authentication to end users
    • Seems like PKI authentication to service providers
• Unlike more naïve approaches, nothing enabling an offline attack exists at any location
  • Breach of authentication server yields nothing!


Distributed Keys Architecture

[Diagram sequence, slides 24 to 28, each titled “Distributed Keys Architecture”. Labels per slide:
  1. User device; username: jsmith01; password: ********
  2. User device; Dispersed Credentials Protocol
  3. User device; Recovered Key
  4. User device; PKI Authentication; Recovered Key
  5. User device; Recovered Key]


Comparison of Mechanisms

Password PKI DK

1. No single point of failure

2. No single point of compromise

3. Enables access from any location

4. Easy to use

5. Immune to offline brute-force attacks *

6. Credentials are not disclosed during use

7. Immune to physical theft

* Requires a threshold number of simultaneous compromises


How it Works

• We found that through a combination of various cryptographic protocols, an authentication system with almost ideal properties could be formed
  • Server-assisted strong secret generation
    • Warwick Ford and Burton S. Kaliski Jr. (2000)
  • Secret Sharing
    • Adi Shamir and George Blakley (1979)
  • Encryption and Digital Signatures


Distributed Key Storage

[Diagram: User’s Device and Auth Server 1, Auth Server 2, …, Auth Server N]

• A Random Number Generator on the user’s device produces e1, e2, …, eN
• strong-key_i = f(password)^(2·e_i) mod p
• The Secret Sharing Scheme turns the private key into share1, share2, …, shareN
• The Cipher encrypts share_i under strong-key_i, giving SK_i{share_i}
• Auth Server i receives e_i and SK_i{share_i}


Distributed Key Retrieval (1 of 2)

[Diagram: User’s Device and Auth Server 1, Auth Server 2, …, Auth Server K]

• A Random Number Generator on the user’s device produces b1, b2, …, bK
• blinded-pass_i = f(password)^(2·b_i) mod p
• Auth Server i holds e_i and SK_i{share_i}
• Auth Server i computes blinded-SK_i = (blinded-pass_i)^(e_i) mod p
• Auth Server i returns SK_i{share_i} and blinded-SK_i


Distributed Key Retrieval (2 of 2)

[Diagram: User’s Device]

• The device holds b1, b2, …, bK and computes v1, v2, …, vK with b*v = 1 mod q
• strong-key_i = (blinded-SK_i)^(v_i) mod p
• The Cipher decrypts SK_i{share_i} under strong-key_i, giving share1, share2, …, shareK
• The Secret Sharing Scheme turns the shares back into the private key


Key Recovery Service

Cooperative encryption key recovery


Key Recovery Service

• Distributed keys provide online storage
• What happens if users forget their passwords?
  • Data encrypted (by user) with encryption keys
  • Only authentication keys identify users
• Key Recovery Service
  • Peer-based key recovery + password reset
  • System mediates recovery requests to users
  • No data is revealed to server during recovery


Need for a Key Recovery Service

• In 1979 Adi Shamir (the S in RSA) proposed a method for sharing secrets in a way that satisfies the competing goals of security and reliability. Much like an IDA, one chooses a number of shares and a threshold needed for recovery. If each share is given to an individual, a threshold number of them must come together to compute the secret.
• This method is both secure and reliable:
  • Secure: Multiple shares would need to be compromised by an attacker to recover the secret. It takes a conspiracy of individuals holding shares to get the secret.
  • Reliable: Even if some individuals lose their shares or are unavailable, as long as a threshold number of shares remains available the secret is still recoverable.

Shamir’s Secret Sharing Scheme
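
Added example, not from the slides or from Cleversafe: the Distributed Key Storage and Retrieval flows and the Shamir threshold scheme from the slides above, run end to end in Python. The toy group, the XOR `cipher`, and the names `f`, `split`, `combine`, `AuthServer`, `store` and `retrieve` are assumptions made for this illustration.

```python
import hashlib, math, secrets

# Toy group for the demo (assumption): smallest safe prime P = 2Q + 1 with Q > 2**31.
# A deployment needs a group of 2048 bits or more.
def is_prime(n):
    return n > 2 and n % 2 == 1 and all(n % d for d in range(3, math.isqrt(n) + 1, 2))

Q = next(q for q in range(2**31 + 1, 2**32, 2) if is_prime(q) and is_prime(2 * q + 1))
P = 2 * Q + 1
F = 2**127 - 1  # prime field for the Shamir shares

def f(password):
    """Map the password to w in [2, P-2], so that w^2 mod P has order Q."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 3) + 2

def split(secret, n, k):
    """Shamir: n points on a random degree k-1 polynomial whose constant term is the secret."""
    coef = [secret] + [secrets.randbelow(F - 1) + 1 for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, F) for i, c in enumerate(coef)) % F)
            for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 over the field F."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * -xj % F, den * (xi - xj) % F
        total += yi * num * pow(den, -1, F)
    return total % F

def cipher(strong_key, x, value):
    """Stand-in for the slides' Cipher box: XOR with a hash of the strong key."""
    pad = hashlib.sha256(f"{strong_key}:{x}".encode()).digest()[:16]
    return value ^ int.from_bytes(pad, "big")

class AuthServer:
    """Stores e_i and SK_i{share_i}; it never sees the password or strong-key_i."""
    def __init__(self, e, x, blob):
        self.e, self.x, self.blob = e, x, blob

    def respond(self, blinded_pass):
        return self.blob, pow(blinded_pass, self.e, P)  # SK_i{share_i}, blinded-SK_i

def store(password, private_key, n, k):
    """Distributed Key Storage: one AuthServer per share."""
    w, servers = f(password), []
    for x, y in split(private_key, n, k):
        e = secrets.randbelow(Q - 1) + 1
        strong_key = pow(w, 2 * e, P)  # f(password)^(2e) mod p
        servers.append(AuthServer(e, x, cipher(strong_key, x, y)))
    return servers

def retrieve(password, servers):
    """Distributed Key Retrieval from a threshold-sized subset of servers."""
    w, shares = f(password), []
    for s in servers:
        b = secrets.randbelow(Q - 1) + 1                # fresh blinding exponent
        blob, blinded_sk = s.respond(pow(w, 2 * b, P))  # send blinded-pass_i
        v = pow(b, -1, Q)                               # b*v = 1 mod q
        strong_key = pow(blinded_sk, v, P)              # unblind: f(password)^(2e)
        shares.append((s.x, cipher(strong_key, s.x, blob)))
    return combine(shares)

if __name__ == "__main__":
    servers = store("constructed-password", 0xC0FFEE, n=5, k=3)  # constructed sample values
    print(hex(retrieve("constructed-password", servers[1:4])))
```

In this example a wrong password is not rejected during retrieval: it yields a different integer, which would then fail the PKI Authentication step shown in the architecture slides.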


Design of Key Recovery Service


Using the Key Recovery System

•  Account Creation

•  Recovery Request

•  Private Key Recovery


Account Creation


Recovery Request


Verifying Recovery Request

• Recovery requests verified by each user
• Verification manual; can use “request fingerprint”
• Threshold of requests must be authorized
• Encrypted shares stored in central location


Private Key Recovery


Token Based Payment Plan

Pay as you go, with anonymous currency


Anonymous system building blocks

[Diagram, steps 1 to 4. Labels: Customer; Payment Processor (Records); Authentication Provider (Auth, Pseudonymous Records); Storage Provider (Storage, Random Identity)]


Token Based Payment Plan

• Billing model largely the same
• Form of currency is different
• Failure to pay… data eventually just deleted


Pooled Assets

Customers (Credit)                       Vendors (Debit)
John Smith ............ $ 100.00         Acme Storage, Inc. ......... $ 50.00
Alice Granger ......... $ 63.00          Fast Fast Storage, LLC ..... $ 72.00

• Storage processor keeps full records of one side of transaction
• Anonymity through many-to-many customer to vendor relationship


Conclusions


Conclusion

• A storage service that provides anonymity…
  • Should be as reliable and convenient as existing systems
  • Must rely on technology, not spotty record keeping, to preserve anonymity
• The technology to create this platform exists today
  • Anonymous currencies
  • Anonymous authentication
  • Anonymous data storage
