Presentation is loading. Please wait.

Presentation is loading. Please wait.

Offline Untrusted Storage with Immediate Detection of Forking and Replay Attacks Marten van Dijk, Jonathan Rhodes, Luis Sarmenta Srini Devadas MIT Computer.

Published byRoger O’Connor’ Modified over 9 years ago

Similar presentations

Presentation on theme: "Offline Untrusted Storage with Immediate Detection of Forking and Replay Attacks Marten van Dijk, Jonathan Rhodes, Luis Sarmenta Srini Devadas MIT Computer."— Presentation transcript:

1 Offline Untrusted Storage with Immediate Detection of Forking and Replay Attacks Marten van Dijk, Jonathan Rhodes, Luis Sarmenta Srini Devadas MIT Computer Science and A.I. Laboratory ACM Workshop on Scalable Trusted Computing 2007 November 2007

2 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 2) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks Overview Goal: Trusted Storage using Untrusted Servers Constraints –User has several devices –Devices can be online/offline at different times –Devices cannot depend on communicating directly with each other –Examples: *User with multiple mobile devices *Multiple mobile users sharing some data Problem: How do you immediately detect forking and replay attacks? Our Paper: How to minimize trusted computing base –and specifically, implement it using TPM 1.2 (without trusted OS)

3 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 3) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks Trusted Storage on Untrusted Servers The Goal: –multiple clients with multiple devices, storing data on multiple untrusted servers store/update retrieve Alice’s device 1Alice’s device 2 Untrusted Virtual Storage Server Note to self! I owe Bob $500 Hash(“… $500” )

4 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 4) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks Trusted Storage on Untrusted Servers The Goal: –multiple clients with multiple devices, storing data on multiple untrusted servers store/update retrieve Alice’s device 1Alice’s device 2 Untrusted Virtual Storage Server Note to self! I owe Bob $100 Note to self! I owe Bob $500 (old note) Hash(“… $100” )

5 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 5) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks Trusted Storage on Untrusted Servers The Goal: –multiple clients with multiple devices, storing data on multiple untrusted servers Problem: –privacy –authenticity –Freshness ? store/update retrieve Alice’s device 1Alice’s device 2 Untrusted Virtual Storage Server Note to self! I owe Bob $100 Note to self! I owe Bob $500 (old note) Hash(“… $100” )

6 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 6) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks Trusted Storage on Untrusted Servers The Goal: –multiple clients with multiple devices, storing data on multiple untrusted servers Problem: –privacy –authenticity –Freshness ? store/update retrieve Alice’s device 1Alice’s device 2 Untrusted Virtual Storage Server Note to self! I owe Bob $100 Note to self! I owe Bob $500 (old note) Hash(“… $100” ) Hash(“… $500” ) Hash(“… $100” )

7 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 7) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks Trusted Storage on Untrusted Servers The Goal: –multiple clients with multiple devices, storing data on multiple untrusted servers Problem: –privacy –authenticity –Freshness ? How do you guarantee freshness if client’s devices are offline and can’t communicate with each other? store/update retrieve Alice’s device 1Alice’s device 2 Untrusted Virtual Storage Server Note to self! I owe Bob $100 Note to self! I owe Bob $500 (old note) Hash(“… $100” ) Hash(“… $500” ) Hash(“… $100” )

8 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 8) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks Solution: “Time-stamping” using Monotonic Counters Trick: Dedicate a monotonic counter for Alice –For each update, client device (e.g., device 1) *increments counter *Signs note with new counter value –To read and verify, client device (e.g., device 2) *gets current counter value *gets signed note *Verifies that counter value is same as value in signed note –This ensures client receives most recent note store/update retrieve: data Alice’s device 1 Alice’s device 2 Untrusted Virtual Storage Server Note to self! At time t5, I owed Bob $100 Note to self! At time t2, I owed Bob $500

9 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 9) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks store/update retrieve: data + current time Alice’s device 1 Alice’s device 2 Untrusted Virtual Storage Server Note to self! At time t5, I owed Bob $100 Current Secure Clock Time is t5 Note to self! At time t5, I owed Bob $100 Note to self! At time t2, I owed Bob $500 Server can’t replay because timestamp will not match current time Trick: Dedicate a monotonic counter for Alice –For each update, client device (e.g., device 1) *increments counter *Signs note with new counter value –To read and verify, client device (e.g., device 2) *gets current counter value *gets signed note *Verifies that counter value is same as value in signed note –This ensures client receives most recent note Solution: “Time-stamping” using Monotonic Counters

10 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 10) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks Device A1Device A2Device A3 (SK A,PK A ) (SK B,PK B ) Device B1Device B2 Alice: … data A …ctrID A ctrVal A Sign SK A (…) Bob: … data B …ctrID B ctrVal B Sign SK B (…) Charlie: … data C …ctrID C ctrVal C Sign SK C (…) … Storage Server (Untrusted) File Records (in untrusted storage) timestamp … Retrieve and Update Requests … Counter A maintained by Alice’s trusted device(s) Counter B maintained by Bob’s trusted device(s) Multi-User System Data is stored in untrusted server(s) –signed and timestamped Each User (or file) has its own counter Problem: –Who keeps the counter? Some possible solutions 1.use a trusted device that is always online 2.require majority of devices to be always online 3.only guarantee fork consistency

11 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 11) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks Device A1 Device A2Device A3 (SK A,PK A ) Storage Server(s) TPM (Trusted) monotonic counter AIK (SK AIK,PK AIK ) Virtual Counter Records (in untrusted storage) Virtual Counter Manager (Untrusted) Counter A : ctrVal A Counter B : ctrVal B … … … Logs … Read and Increment Requests … confirm A confirm B … PK AIK Our Approach Use untrusted Virtual Counter Manager, but with a Trusted Timestamping Device (TTD) –software and hardware of manager need not be trusted Our technique –allows single TTD to implement many “virtual” counters (for different users) –can be implemented with TPM 1.2 (SK B,PK B ) Device B2 Device B1

12 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 12) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks Device A1 Device A2Device A3 (SK A,PK A ) Storage Server(s) TPM (Trusted) monotonic counter AIK (SK AIK,PK AIK ) Virtual Counter Records (in untrusted storage) Virtual Counter Manager (Untrusted) Counter A : ctrVal A Counter B : ctrVal B … … … Logs … Read and Increment Requests … confirm A confirm B … PK AIK Our Approach Idea: 1.for each increment (of any virtual counter), TTD does an IncSign(X), where X contains counter ID of counter being incremented 2.To prove freshness of counter value, VCM must produce a log of increment certificates up to the current time Basic idea was presented in STC 06 New –implementation and experimental results –use of sharing, time-multiplexing to improve performance –fast-read and fast-increment vs. read/increment with validation (SK B,PK B ) Device B2 Device B1

13 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 13) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks glbClk = T ctrID = D ctrVal = t 0 confirmation certificate for D At glbClk =T counter D’s value is equal to t 0 t 2 T+1 ……. other increment certificates t 1 -1 t 1 t 2 -1 t 1 +1 ……. other increment certificates increment certificate for D ctrID ≠ D ctrID = D ctrVal = t 0 increment certificate for D ctrID ≠ D ctrID = D ctrVal = t 1 t 0 is counter D’s most recent value, counter D’s value after its increment is equal to t 1 t 1 is counter D’s most recent value, counter D’s value after its increment is equal to t 2

14 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 14) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks t n-1 +1 ……. other increment certificates t n -1 t n t now -1 t n +1 ……. other increment certificates increment certificate for D ctrID ≠ D ctrID = D ctrVal = t n-1 ctrID ≠ D t n-1 is counter D’s most recent value, counter D’s value after its increment is equal to t n t now read certificate for global clock counter D did not increment for t n < glbClk ≤ t now t n-1 increment certificate for D ctrID = D ctrVal = t n-2 t n-2 is counter D’s most recent value, counter D’s value after its increment is equal to t n-1

15 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 15) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks New Variations Time Multiplexing –A virtual monotonic counter can only be incremented during certain slots of the global counter in the TTD Sharing –The same value of the global counter can be used for (shared among) multiple virtual counters Validation –If not critical, then a client may not yet need a validation –If a client wants to validate, then he can immediately do so and immediately detect any forking and replay attacks that may have happened now or in the past

16 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 16) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks (a) No multiplexing Experimental Results

17 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 17) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks (b) Multiplexing with period 8 Experimental Results

18 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 18) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks (c) Multiplexing with period 16 Experimental Results

19 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 19) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks Conclusions We can do trusted storage on untrusted servers and be able to immediately detect forking and replay attacks by using an untrusted server with a trusted timestamping device TTD can be implemented using existing TPM 1.2 Sharing, multiplexing, and validation allow for performance improvement Our experiments showed a single server with a single TPM was able to handle 100’s of virtual counters

20 Marten van Dijk, ACM STC 2007, 11/2/07, (slide 20) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks For more info Web site: –http://projects.csail.mit.edu/tchttp://projects.csail.mit.edu/tc –TPM/J (Java-based programming tools for the TPM): http://projects.csail.mit.edu/tc/tpmj/ http://projects.csail.mit.edu/tc/tpmj/ Papers –paper in ACM Scalable Trusted Computing Workshop (STC ’06) (under CCS) –MIT CSAIL TR 2006-064 (Sept. 2006) has some more details *http://hdl.handle.net/1721.1/33966http://hdl.handle.net/1721.1/33966

Download ppt "Offline Untrusted Storage with Immediate Detection of Forking and Replay Attacks Marten van Dijk, Jonathan Rhodes, Luis Sarmenta Srini Devadas MIT Computer."

Similar presentations

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
Building an Encrypted and Searchable Audit Log Brent Waters Dirk Balfanz Glenn Durfee D.K. Smetters.

Building an Encrypted and Searchable Audit Log Brent Waters Dirk Balfanz Glenn Durfee D.K. Smetters.
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
Location Based Trust for Mobile User – Generated Content : Applications, Challenges and Implementations Presented By : Anand Dipakkumar Joshi USC.

Location Based Trust for Mobile User – Generated Content : Applications, Challenges and Implementations Presented By : Anand Dipakkumar Joshi USC.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M030 17 th November, 2008.

The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Trustworthy and Personalized Computing Christopher Strasburg Department of Computer Science Iowa State University November 12, 2008.

Trustworthy and Personalized Computing Christopher Strasburg Department of Computer Science Iowa State University November 12, 2008.
Opening Presentation of Notary Reqs 8/5/2004 Tobias Gondrom.

Opening Presentation of Notary Reqs 8/5/2004 Tobias Gondrom.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

Similar presentations

Ads by Google