Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds
Frank Wang (MIT CSAIL), James Mickens (Harvard), Nickolai Zeldovich (MIT CSAIL), Vinod Vaikuntanathan (MIT CSAIL)
Motivation
[Diagram: NY Marathon, Boston Marathon, Insurance; FitBit Cloud Server; type=race, type=running, type=fitness]
Problem: Curious storage provider or external attacker
Naïve Approach: Encrypt Data under 1 key
• How does the user selectively disclose her data?
Another Approach: Encrypt each piece of data individually
Contributions
• Sieve: a new platform that allows users to selectively and securely disclose their data
  – Sieve protects against server compromise
  – Sieve hides key management from users
  – Reasonable performance
  – Sieve supports revocation
  – Sieve allows users to recover from device loss
  – Good for web services that analyze user data
Sieve Overview
[Diagram: User, Storage Provider, Web services; Sieve user client, Sieve storage daemon, Sieve data import; Location=US, Year=2012, Type=fitness; Year=2015, Type=financial; (Year<2013 AND Type=Fitness)]
Threat Model
• Storage provider is a passive adversary
  – Adversary can read all data
  – Follows protocol
• Web services trusted with user data they are given access to
• User and her devices trusted
Our approach: Attribute-based encryption (ABE)
• Assume a user-specific ABE public/private key pair
• Three main functions
  – GenerateDecKey
  – Encrypt
  – Decrypt
[Diagram: Policy: (Year<2013 AND Type=Fitness), private; Attributes: Location=US, Year=2012, Type=fitness, public]
Note: attributes and policy are in cleartext
Sieve with ABE
[Diagram: User, Storage Provider, Web services; Sieve user client, Sieve storage daemon, Sieve data import; Location=US, Year=2012, Type=fitness; Year=2015, Type=financial; (Year<2013 AND Type=Fitness); ABE Encrypt, ABE GenerateDecKey, ABE Decrypt]
Reduce ABE Operations
• ABE is a public-key cryptosystem so slower than symmetric key cryptography
• Optimizations
  – Hybrid Encryption
  – Storage-based data structure
Hybrid Encryption
[Diagram: Data (symmetric); Metadata block (ABE): symmetric, GUID; Index: Attr1, Attr2, Attr3, Attr4, Attr5 (meta); Index: GUID1, GUID2, GUID3, GUID4, GUID5 (data)]
• Only have to perform symmetric key operations in future
Storage-based data structure
• Extension of hybrid encryption
[Diagram: Data (symmetric) ×3; GUID, GUID, GUID; symmetric; ABE; symmetric, GUID]
Revocation
[Diagram: NY Marathon, Boston Marathon, Insurance; FitBit Cloud Server; type=race, type=running, type=fitness]
• Web service still has cached keys
• Need to re-encrypt data
Re-encryption with Hybrid Encryption
• Need to re-encrypt metadata and data
  – Easy to re-encrypt metadata block
  – How do we re-encrypt data object?
    • Download, re-encrypt, and upload
    • Requires substantial bandwidth and client-side computation
Solution: Key Homomorphism
• Allows changing key in encrypted data
  – Symmetric cipher that provides in-place re-encryption
• Does not learn old key, new key, or plaintext
• More specifics on scheme are in the paper
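
An added example (not from the slides or the Sieve code base) of in-place re-encryption with a key-homomorphic pad: the storage side applies a re-key token and never sees the old key, the new key, or the plaintext. It assumes a toy multiplicative group modulo 2^255 - 19 as a stand-in for Sieve's Ed448 construction; all function names are hypothetical and the parameters are for illustration only.

```python
import hashlib
import secrets

P = 2**255 - 19      # toy prime modulus (assumption; Sieve itself uses Ed448)
ORDER = P - 1        # exponents are taken mod P-1 (Fermat's little theorem)
BLOCK = 31           # plaintext bytes per block, so each encoded block is < P

def h_to_group(nonce: bytes, i: int) -> int:
    """Hash (nonce, block counter) to a nonzero element of Z_P*."""
    d = hashlib.sha256(nonce + i.to_bytes(8, "big")).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1

def keygen() -> int:
    return secrets.randbelow(ORDER - 1) + 1

def encrypt(key: int, data: bytes):
    """Randomized counter mode: c_i = m_i * H(nonce, i)^key mod P."""
    nonce = secrets.token_bytes(16)
    blocks = []
    for i in range(0, len(data), BLOCK):
        # A leading 0x01 byte keeps the block nonzero and preserves its length.
        m = int.from_bytes(b"\x01" + data[i:i + BLOCK], "big")
        blocks.append(m * pow(h_to_group(nonce, i // BLOCK), key, P) % P)
    return nonce, blocks

def decrypt(key: int, ct) -> bytes:
    nonce, blocks = ct
    out = b""
    for i, c in enumerate(blocks):
        pad_inv = pow(pow(h_to_group(nonce, i), key, P), -1, P)
        m = c * pad_inv % P
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
    return out

def rekey_token(old_key: int, new_key: int) -> int:
    """Client side: the token is only the difference of the two keys."""
    return (new_key - old_key) % ORDER

def reencrypt(token: int, ct):
    """Storage side: H^old * H^(new-old) = H^new, applied block by block."""
    nonce, blocks = ct
    return nonce, [c * pow(h_to_group(nonce, i), token, P) % P
                   for i, c in enumerate(blocks)]
```

After `reencrypt`, a web service holding only the cached old key can no longer decrypt the stored blocks, which is the property revocation needs.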
Full Revocation Process
[Diagram: Data (symmetric); Metadata Block: ABE(attrs, epoch=0), symmetric; ABE(attrs, epoch=1), symmetric, symmetric; δ(,)]
• Issue new keys to web services whose data access has been changed and affected by revocation
What if a user loses her device?
• User has ABE private key
• Loss of key requires reset of system
  – Re-encrypting all her data and issuing new keys
• Is there a way for a user to recover from device loss?
Solution: Secret sharing
• User splits her ABE private key across devices
• Requires a threshold to reconstruct secret
  – Reconstruct before using ABE private key
• When a device is lost, gathers devices to reconstruct secret and issue new “shares”
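
An added example (not Sieve's code) of the device-loss recovery described above, using Shamir secret sharing over a prime field: the key is split across devices, rebuilt from a threshold of surviving devices, and dealt out again as fresh shares. The key is modelled as an integer and the function names are hypothetical.

```python
import secrets

PRIME = 2**521 - 1   # Mersenne prime; the field must be larger than the secret

def split(secret: int, n: int, t: int):
    """Deal n shares (x, f(x)) of a random degree t-1 polynomial, f(0)=secret."""
    if not 1 <= t <= n:
        raise ValueError("threshold must be between 1 and n")
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(t - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):       # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]

def reconstruct(shares) -> int:
    """Lagrange interpolation at x = 0 over the given shares."""
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % PRIME
                den = den * (xj - xm) % PRIME
        secret = (secret + yj * num * pow(den, -1, PRIME)) % PRIME
    return secret

def recover_after_loss(surviving, n: int, t: int):
    """Rebuild the key from surviving devices and issue a fresh set of shares."""
    if len(surviving) < t:
        raise ValueError("not enough devices to reach the threshold")
    return split(reconstruct(surviving), n, t)
```

A share from the lost device is useless in combination with the new shares, because the new polynomial is independent of the old one; a threshold of old shares would still reconstruct the same key, so the surviving devices must discard theirs.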
Sieve Implementation
[Diagram: User, Storage Provider, Web services; Sieve user client, Sieve storage daemon, Sieve data import]
• ~1000 LoC
• MongoDB and BerkeleyDB
• ~1400 LoC
• Service-specific
Cryptography:
• Libfenc with Stanford PBC for ABE
• AES (no revocation) and randomized counter mode with Ed448 (revocation)
Evaluation
• Is it easy to integrate Sieve into existing web services?
• Can web services achieve reasonable performance while using Sieve?
Evaluation Setup
• Multicore machine, 2.4 GHz Intel Xeon
• Web servers ran on machine’s loopback
  – Minimize network latency
  – Focus on cryptographic overheads
Case Studies
• Integrated with 2 open source web services
  – Open mHealth, health: small data
    • Visualize health data
    • One week’s health data: 6 KB
  – Piwigo, photo: large data
    • Edit and display photos
    • One photo: 375 KB
Easy to integrate with Sieve
• Lines of code required for integration
  – Open mHealth: ~200 lines
  – Piwigo: ~250 lines
Acceptable performance for Open mHealth and Piwigo
[Bar chart: y-axis Seconds, 0 to 6; Write and Read for Open mHealth and Piwigo; Ed448 with key caching]
Server per-core throughput is good
• Open mHealth
  – Storage write: 50 MB/s
  – Web service import: 70 users/min (Ed448)
• Piwigo
  – Storage write: 200 MB/s
  – Web service import: 14 photos/min (Ed448)
Revocation performance is reasonable
• Re-encrypt a metadata block (10 attrs): 0.63 s
• Re-key 100 KB data block: 0.66 s
• Generate new 10 attribute key: 0.46 s
Secret sharing is fast
• For 5 shares and threshold of 2:
  – Splitting ABE key requires 0.04 ms
  – Reconstructing key requires 0.09 ms
Summary
• Required <250 LoC to integrate with case studies
• Read and write data in reasonable amount of time
• Good per-core server throughput for storage writes and application data imports
• Revocation functions take <1 second
• Secret sharing takes negligible time
Related Work
• Untrusted Servers
  – ShadowCrypt, SUNDR, Depot, SPORC, CryptDB, DepSky, Bstore, Mylar, Privly
  – Solve different problems than Sieve
• ABE and Predicate Encryption Storage
  – Persona, Priv.io, Cachet (ABE)
  – GORAM (Predicate)
  – No complete revocation and/or ability to recover from device loss
• Access Delegation Schemes
  – OAuth, AAuth, Macaroons
  – Less secure and expressive than Sieve