Presentation on theme: "Hourglass Schemes: How to Prove that Cloud Files Are Encrypted"— Presentation transcript:
1Hourglass Schemes: How to Prove that Cloud Files Are Encrypted Emil StefanovUC BerkeleyJoint work with:Marten van DijkAri JuelsAlina OpreaRSA LabsRonald RivestNikos TriandopoulosMITRSA Labs
2Public Cloud Computing EnterpriseEnterpriseUserPool of shared resourcesAvailable on demandHighly scalable2
3A Major Drawback Large attack surface Thousands of computersDozens of storage systems and interfacesAmazon alone: S3, EBS, Instance Storage, Glacier, Storage Gateway, CloudFront, RDS, DynamoDB, ElastiCache, CloudSearch, SQSShared resources among thousands of tenantsMany possibilities for accidental data leakage.
4Defending Against Accidental Data Leakage ???leakageSimple view:Just encrypt your data in the cloud.Problem solved?
5Defending Against Accidental Data Leakage ???leakageMore realistic view:Often want to use the cloud for more than just raw storage.Why? Want to outsource storage AND computation (services).In that case, the cloud needs access to your decrypted data.
6Encrypt at Rest & Decrypt on the Fly ???leakageServices Front EndStorage Back EndSplit the cloud into computation front-end and storage back-endAlready the case in many clouds (e.g., Amazon, Azure)Storage backend only sees encrypted data.Computation front-end decrypts data on the flyOnly accesses the data it really needs at any one timeCan be combined with tight access control and logging.Key servers
7Encrypt at Rest & Decrypt on the Fly ???leakage complies with government regulationsServices Front EndStorage Back EndProtects against data leakage by the storage back-end infrastructure.Limits the amount of data leakage by the front-end at any one time.Common practice.Much better than no encryption.
8Plaintext is simpler for the cloud to manage. The ProblemHow can we be reasonably sure that the cloud is encrypting data at rest?Plaintext is simpler for the cloud to manage.Lack of visibilityUsers only see results (e.g., web pages) from the front-end. What is happening internally?Download data and check encryption?The cloud can always just encrypt on the fly.Seems impossible!
9Our SolutionEconomically motivate the cloud to encrypt data at rest.Impose financial penalties on misbehaving cloud providers.We ensure that an economically rational cloud provider, encrypts data at rest.Misbehaving cloud must use double storage.Must store both decrypted and encrypted file.
10Our Solution: Hourglass Schemes encryptionhourglassOriginal FileEncrypted FileEncapsulated Fileclient verifies encryptionclient assistsclient verifies by periodically challenging random file blocksclient uploads fileThe client never needs to permanently store and manage keys.
11Intuition Hourglass property: costly to compute “on the fly” encryptionhourglassOriginal FileEncrypted FileEncapsulated FileHourglass property: costly to compute “on the fly”client checksadversarial cloud wants to only storeSo an adversarial cloud must store both files.Double the storage!
12Hourglass Framework: More than a Scheme Modular ComponentsEncodings:Hourglass functions:EncryptionButterflyWatermarkingPermutationFile BindingsRSA
13Encodings Encryption: 𝑮=𝑬 𝑭 Watermarking: 𝑮=𝑭||Tag Embed a tag into the fileTag says that the file is stored on a specific cloudTag signed by the cloudEvidence of data leakage origin.File Binding: 𝑮= 𝑭 𝟏 | 𝑭 𝟐 |…|| 𝑭 𝒎Combine multiple files into one encoding.E.g., embedded license.
14encoding (e.g., encryption) Hourglass FunctionsCostly to apply “on the fly”Impose a resource lower bound on the cloud to compute: 𝑮→𝑯, and hence 𝑭→𝑯𝑯𝑭𝑮encoding (e.g., encryption)hourglassOriginal FileEncrypted FileEncapsulated File
15Hourglass Function: RSA …𝑭:𝑭 𝟏𝑭 𝟐𝑭 𝟑𝑭 𝟒𝑭 𝒏Apply encoding (encryption, watermarking, file binding)…𝑮:𝑮 𝟏𝑮 𝟐𝑮 𝟑𝑮 𝟒𝑮 𝒏Client computes𝑯 𝒊 =RSA−Sign 𝑮 𝒊 using random RSA private key.…𝑯:𝑯 𝟏𝑯 𝟐𝑯 𝟑𝑯 𝟒𝑯 𝒏Cloud can always recover the plaintext 𝐹:𝐺 𝑖 =RSA−RecoverMessage 𝐻 𝑖 (using client’s public RSA key)𝐹 𝑖 =Decode 𝐺 𝑖Resource bound: computationCompletely infeasible for cloud: 𝐹→𝐻It doesn’t have the RSA signing key to do 𝐺→𝐻
16Hourglass Function: Permutation …𝑭:𝑭 𝟏𝑭 𝟐𝑭 𝟑𝑭 𝟒𝑭 𝒏Apply encoding (encryption, watermarking, file binding)…𝑮:𝑮 𝟏𝑮 𝟐𝑮 𝟑𝑮 𝟒𝑮 𝒏Randomly permute the blocks of 𝐺 to form 𝐻. No cryptographic operations.Operates on tiny blocks.…𝑯:𝑯 𝟏𝑯 𝟐𝑯 𝟑𝑯 𝟒𝑯 𝒏Client later challenges the cloud for sequential ranges of 𝐻.Sequential range in 𝑯 Random blocks in 𝑭Resource bound: disk seeksA misbehaving cloud (that only stores 𝐹) will need to do many random accesses to respond to a challenge.
17Hourglass Function: Butterfly w = a known key PRP over a pair of file blocks𝑮 𝟏𝑮 𝟐𝑮 𝟑𝑮 𝟒𝑮 𝟓𝑮 𝟔𝑮 𝟕𝑮 𝟖𝑯 𝟏𝑯 𝟐𝑯 𝟑𝑯 𝟒𝑯 𝟓𝑯 𝟔𝑯 𝟕𝑯 𝟖
19Comparison of Hourglass Functions Ran on Amazon EC2 (using a quadruple-extra-large high-memory instance and EBS Storage).
20Challenge-Response Protocol The client challenges the cloud for blocks of the encapsulated file 𝐻.At random unpredictable timesFew challenges, e.g., 𝑂 log 𝑛Cloud must respond quickly.Doable by an external auditor.Auditor doesn’t see the plaintext 𝐹.…𝑯:𝑯 𝟏𝑯 𝟐𝑯 𝟒𝑯 𝟒𝑯 𝒏
21Limitations Assume files are not accessed to often. Great for archiving files.File updates are costly.RSA hourglass function allows for updates.Other hourglass functions must be re-applied to the entire file.Works mainly for large files.
22Conclusions Able to motivate the cloud to encrypt files are rest. Several techniquesEncryption, watermarking, file binding.Different hourglass functions with performance-assumption tradeoffs.Economic models sometimes prevail where traditional cryptographic techniques cannot.