Offline Untrusted Storage with Immediate Detection of Forking and Replay Attacks Marten van Dijk, Jonathan Rhodes, Luis Sarmenta, Srini Devadas MIT Computer.

Presentation transcript:

Offline Untrusted Storage with Immediate Detection of Forking and Replay Attacks
Marten van Dijk, Jonathan Rhodes, Luis Sarmenta, Srini Devadas
MIT Computer Science and A.I. Laboratory
ACM Workshop on Scalable Trusted Computing 2007, November 2007

Marten van Dijk, ACM STC 2007, 11/2/07, (slide 2) Offline Untrusted Storage w/ Immediate Detection of Replay Attacks
Overview
Goal: Trusted Storage using Untrusted Servers
Constraints
–User has several devices
–Devices can be online/offline at different times
–Devices cannot depend on communicating directly with each other
–Examples:
 *User with multiple mobile devices
 *Multiple mobile users sharing some data
Problem: How do you immediately detect forking and replay attacks?
Our Paper: How to minimize the trusted computing base
–and specifically, implement it using TPM 1.2 (without a trusted OS)

(slide 3) Trusted Storage on Untrusted Servers
The Goal:
–multiple clients with multiple devices, storing data on multiple untrusted servers
[Diagram: Alice's device 1 stores/updates a note ("Note to self! I owe Bob $500") on the Untrusted Virtual Storage Server and keeps Hash("… $500"); Alice's device 2 retrieves the note.]

(slide 4) Trusted Storage on Untrusted Servers
[Diagram: device 1 has updated the note to "Note to self! I owe Bob $100" and now keeps Hash("… $100"); the server still returns the old note "I owe Bob $500" to device 2.]

(slide 5) Trusted Storage on Untrusted Servers
Problem:
–privacy
–authenticity
–Freshness ?

(slide 6) Trusted Storage on Untrusted Servers
[Diagram: both Hash("… $500") and Hash("… $100") now appear alongside the old and the new note.]

(slide 7) Trusted Storage on Untrusted Servers
How do you guarantee freshness if the client's devices are offline and can't communicate with each other?

(slide 8) Solution: "Time-stamping" using Monotonic Counters
Trick: Dedicate a monotonic counter for Alice
–For each update, client device (e.g., device 1)
 *increments counter
 *signs note with new counter value
–To read and verify, client device (e.g., device 2)
 *gets current counter value
 *gets signed note
 *verifies that counter value is same as value in signed note
–This ensures client receives most recent note
[Diagram: device 1 stores/updates "Note to self! At time t5, I owed Bob $100"; the server also holds the old note "Note to self! At time t2, I owed Bob $500"; device 2 retrieves data.]

(slide 9) Solution: "Time-stamping" using Monotonic Counters
[Diagram: device 2 now retrieves data + current time; Current Secure Clock Time is t5, so "At time t5, I owed Bob $100" is accepted. Server can't replay the old note because its timestamp (t2) will not match the current time.]

(slide 10) Multi-User System
Data is stored in untrusted server(s)
–signed and timestamped
Each User (or file) has its own counter
Problem:
–Who keeps the counter?
Some possible solutions
1.use a trusted device that is always online
2.require majority of devices to be always online
3.only guarantee fork consistency
[Diagram: Storage Server (Untrusted) holds File Records in untrusted storage, each signed and timestamped: Alice: (… data_A …, ctrID_A, ctrVal_A, Sign_SK_A(…)); Bob: (… data_B …, ctrID_B, ctrVal_B, Sign_SK_B(…)); Charlie: (… data_C …, ctrID_C, ctrVal_C, Sign_SK_C(…)); … Devices A1, A2, A3 (key pair SK_A, PK_A) and B1, B2 (SK_B, PK_B) send Retrieve and Update Requests. Counter A is maintained by Alice's trusted device(s), Counter B by Bob's trusted device(s).]

(slide 11) Our Approach
Use untrusted Virtual Counter Manager, but with a Trusted Timestamping Device (TTD)
–software and hardware of manager need not be trusted
Our technique
–allows single TTD to implement many "virtual" counters (for different users)
–can be implemented with TPM 1.2
[Diagram: Storage Server(s) run a Virtual Counter Manager (Untrusted) holding Virtual Counter Records in untrusted storage (Counter A: ctrVal_A, Counter B: ctrVal_B, …) and Logs; a TPM (Trusted) provides the monotonic counter and an AIK (SK_AIK, PK_AIK). Devices A1, A2, A3 (SK_A, PK_A) and B1, B2 (SK_B, PK_B) send Read and Increment Requests and receive confirmations (confirm_A, confirm_B, …) that they check against PK_AIK.]

(slide 12) Our Approach
Idea:
1.for each increment (of any virtual counter), TTD does an IncSign(X), where X contains the counter ID of the counter being incremented
2.To prove freshness of a counter value, VCM must produce a log of increment certificates up to the current time
Basic idea was presented in STC 06
New
–implementation and experimental results
–use of sharing, time-multiplexing to improve performance
–fast-read and fast-increment vs. read/increment with validation
[Diagram: same as slide 11.]

(slide 13)
[Diagram: the log of TTD certificates that proves counter D's value, reconstructed as text]
–glbClk = T: confirmation certificate for D, ctrID = D, ctrVal = t_0. "At glbClk = T, counter D's value is equal to t_0."
–glbClk T+1 … t_1-1: other increment certificates (ctrID ≠ D)
–glbClk = t_1: increment certificate for D, ctrID = D, ctrVal = t_0. "t_0 is counter D's most recent value; counter D's value after its increment is equal to t_1."
–glbClk t_1+1 … t_2-1: other increment certificates (ctrID ≠ D)
–glbClk = t_2: increment certificate for D, ctrID = D, ctrVal = t_1. "t_1 is counter D's most recent value; counter D's value after its increment is equal to t_2."

(slide 14)
[Diagram continued: the end of the same certificate log, reconstructed as text]
–glbClk = t_{n-1}: increment certificate for D, ctrID = D, ctrVal = t_{n-2}. "t_{n-2} is counter D's most recent value; counter D's value after its increment is equal to t_{n-1}."
–glbClk t_{n-1}+1 … t_n-1: other increment certificates (ctrID ≠ D)
–glbClk = t_n: increment certificate for D, ctrID = D, ctrVal = t_{n-1}. "t_{n-1} is counter D's most recent value; counter D's value after its increment is equal to t_n."
–glbClk t_n+1 … t_now-1: other increment certificates (ctrID ≠ D)
–glbClk = t_now: read certificate for the global clock. "Counter D did not increment for t_n < glbClk ≤ t_now."
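The monotonic-counter time-stamping of slides 8 and 9 and the certificate-log walk of slides 13 and 14, worked through as an added Python simulation (not code from the paper or from the TPM/J project). The HMAC key standing in for the AIK, the VCM class, and the nonce in the read certificate are assumptions.

```python
import hmac, hashlib, json
# Added example (not the paper's code): a simulated Trusted Timestamping Device (TTD),
# an untrusted Virtual Counter Manager (VCM), and the client-side log walk from slides 13-14
# that proves a virtual counter's current value. HMAC stands in for the TPM AIK signature;
# the client nonce in read certificates is an assumption (the slides only show glbClk).
TTD_KEY = b"constructed-ttd-key"

def sign(cert):
    return hmac.new(TTD_KEY, json.dumps(cert, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class TTD:  # trusted: one global monotonic counter; one IncSign per increment of any counter
    def __init__(self):
        self.glb_clk = 0
    def inc_sign(self, ctr_id, prev_val):
        self.glb_clk += 1  # the counter's new value is this glbClk; the cert records its old value
        cert = {"glbClk": self.glb_clk, "ctrID": ctr_id, "ctrVal": prev_val}
        return cert, sign(cert)
    def read_clock(self, nonce):  # read certificate for the global clock
        cert = {"glbClk": self.glb_clk, "nonce": nonce}
        return cert, sign(cert)

class VCM:  # untrusted: keeps counter values and the log of increment certificates
    def __init__(self, ttd):
        self.ttd, self.vals, self.log = ttd, {}, []
    def increment(self, ctr_id):
        cert, sig = self.ttd.inc_sign(ctr_id, self.vals.get(ctr_id, 0))
        self.vals[ctr_id] = cert["glbClk"]
        self.log.append((cert, sig))
        return cert["glbClk"]
    def log_since(self, T):
        return [e for e in self.log if e[0]["glbClk"] > T]

def validate(ctr_id, T, t0, log, read_cert, read_sig, nonce):
    """Client last confirmed ctr_id == t0 at glbClk T; return the proven current value or None."""
    if read_sig != sign(read_cert) or read_cert["nonce"] != nonce:
        return None  # stale or forged read certificate
    val, expected = t0, T + 1
    for cert, sig in log:
        if sig != sign(cert) or cert["glbClk"] != expected:
            return None  # forged, reordered or missing increment certificate
        if cert["ctrID"] == ctr_id:
            if cert["ctrVal"] != val:
                return None  # increment chain for this counter is broken
            val = cert["glbClk"]
        expected += 1
    return val if expected == read_cert["glbClk"] + 1 else None  # log must reach t_now

def demo():
    ttd = TTD(); vcm = VCM(ttd)
    for c in ("A", "B", "A", "C"):  # glbClk 1..4; counter A's latest value is 3
        vcm.increment(c)
    rc, rs = ttd.read_clock("nonce-1")
    honest = validate("A", 0, 0, vcm.log_since(0), rc, rs, "nonce-1")
    # replay: the VCM hides A's increment at glbClk 3 to pass off the old value 1 as current
    hidden = [e for e in vcm.log_since(0) if not (e[0]["ctrID"] == "A" and e[0]["glbClk"] == 3)]
    replay = validate("A", 0, 0, hidden, rc, rs, "nonce-1")
    return honest, replay  # (3, None)
```

The hidden certificate leaves a gap in glbClk, so the client rejects the log instead of accepting the stale value; a read certificate replayed from an earlier query fails the nonce check the same way.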

(slide 15) New Variations
Time Multiplexing
–A virtual monotonic counter can only be incremented during certain slots of the global counter in the TTD
Sharing
–The same value of the global counter can be used for (shared among) multiple virtual counters
Validation
–If not critical, then a client may not yet need a validation
–If a client wants to validate, then he can immediately do so and immediately detect any forking and replay attacks that may have happened now or in the past

(slides 16–18) Experimental Results
[Figures, plots not included in the transcript: (a) No multiplexing; (b) Multiplexing with period 8; (c) Multiplexing with period 16.]

(slide 19) Conclusions
We can do trusted storage on untrusted servers and immediately detect forking and replay attacks by using an untrusted server with a trusted timestamping device
TTD can be implemented using existing TPM 1.2
Sharing, multiplexing, and validation allow for performance improvement
Our experiments showed a single server with a single TPM was able to handle hundreds of virtual counters

(slide 20) For more info
Web site:
–
–TPM/J (Java-based programming tools for the TPM):
Papers
–paper in ACM Scalable Trusted Computing Workshop (STC '06) (under CCS)
–MIT CSAIL TR (Sept. 2006) has some more details