Privacy, Security and Cloud

 Security Concerns:

  Data leakage

  Data handling on the provider (Correct storage

procedure, correct deletion)

  Correct Computation

  Legal issue

  …

 Attackers:

  Outsider

(Ristenpart et Al. - 2009)

 Ristenpart et Al. studied data leakage on

Amazon EC2.

 Threat model:

  There is a single trusted cloud maintainer that

manage a public multi-tenant cloud.

  The attacker is a normal.

EC2 Internals

  EC2 uses Xen hyp. Domain0, it manages

guest image, physical resources accesses ecc…

 In EC2 Dom0 route packets to VMs and

reports itself as hop in traceroute.

 Ec2 offers five instances: small, medium,

large, … (small is a single virtual core…)

 Network: availability zones do not share

 Different VM share the same Ph.Inf. It is

possible for an attacker to achieve co-residence:

  Since Dom0 appears in trace-route there is a

“free” and deterministic co-residence check.

 There are some bias in VM assignment

 The strong placement locality can be

exploited by an attacker to achieve co-residence.

 Cross-VM information leakage:

  The contention on buffers may be used as:

 Covert Channel: [Xu et Al-2011] carefully studies the

achievable bitrate of L2 cache contention using different protocols.

 Estimate the load on the target VM-machine

 [RTSS09] teach us that blind trust in not

the best option.

 We assume that cloud provider/s is/are

not trusted:

  Two adversaries:

 Honest-but-curious  Malicious (byzantine)

Avoid data leakage

 The only way to ensure privacy of

outsourced data is to encrypt them but:

  The naïve encryption rule out any form of

computation over data.

  Over the years have been developed many

techniques to overcome that:

  Partial-Homomorphic: RSA (multiplicative), Paillier

(additive).

  Specific computation only: Searchable data

encryption, Order preserving ecc…

Homomorphic Encryption

 Breakthrough in Cryptography:

  Gentry STOC-09 shows how to achieve

fully-homomorphic encryption using ideal lattices-bootstrap theorem.

 In June 2010 D.G.H.V. shows how to

achieve Fully-H.E. over integers

Fully H.E. over the Integers

 We have a circuit C \in Ce and a function

evaluate, a scheme (Dec,Enc,Evaluate) is homomorphic (w.r.t Ce) if given a tuple of Ciphertexts c=(c1,..cn) we have:

Dec[sk,Evaluate(pk,C,c)]=C(m1,…mn)

 To rule out trivial scheme there is the

compactness property:

  There exist a fixed polynomial bound b(n) so

that for any condition (sk,pk, C, c) the size of Eval[pk,C,c] < b(n).

 Steps to achieve a non trivial Fully-H.E:

  Find a somewhat homomorphic private

encryption scheme that respect some conditions.

  Turn the scheme in circular secure public key

scheme

  Use the bootstrap theorem [Gentry-09] on the

 Let us start with a simple private key

encryption scheme:

  KeyGen:

  Encrypt(p,m):

Problems

 For each call to Evaluate we have:

  Ciphertext Grows: double the bit each

multiplication  violate compactness

  Noise Grows: for each addition and

multiplication the terms that are not multiple of p grows. Noise > p/2  violate correctness.

 Public Key

Approximated-GCD problem

 Given an oracle for a randomly

chosen p output p.

 Given an adversary A that breaks the

presented scheme in p.t. with advantage e it is possible to build an adversary A’ that breaks A-GCD in p.t. with probability p(e).

Win == get p

A Q LSB Oracle

z1=zq1p+zr1 c=(m+zb+S*Pk) a Binary GCD (z=qp+r,q) Pk:{x0,x1,…x,_n} z2=zq2p+zr2 zb

m <- {0,1}

S<-{0,1}^{n}

Bootstrap - intuition

 If the scheme is able to evaluate is own

decryption procedure C_d then it is possible to use C_d to “decript” a

E(m,Pk1) while it is encrypted under key Pk1 using the E(k1,Pk1).

 Performance is (but for how long?

No-bootstrap Result-2012) the main drawback of Fully-H.E.

  (To achieve circuit privacy we need garbled circuits)

 Other problem can be solved in a more

efficient way (or only using) other techniques

 Yao Garbled Circuit (1986)

  Good introduction: http://www.cs.illinois.edu/class/

fa09/cs598man/slides/AC-F09-Lect16-yao.pdf

 Using Garbled Circuit it is possible to

achieve circuit privacy and secure two party computation.

  Fairplay

Data Handling

 Many services offer the capability to store

data on cloud (Amazon S3, SkyDrive,

Dropbox…), how we can ensure that the cloud maintainer handle this data

properly?

 Two issues:

Integrity

 We have a huge dataset (>10 TB) and we

want to outsource it. Since we do not trust the maintainer we want to devise an

integrity mechanism.

 Naïve: compute MAC on dataset,

drawbacks?

 Solution:

  Remote Data Checking using Provable Data

Server

Client

< F={b1,b2,…..,bf}, T > Client sends F and T to S

Server Client Verification Phase Init Phase Request: O(1) Response: O(1)

MR-PDP

 It is possible to extend PDP to k-replicas :

 Naïve way 1: use the same PDP k times.

  Vulnerable to coalition

 Naïve way 2: use different PDP using k

different enconding.

  Expensive O(nk*Tagtime)

 Idea create k different file that are

“related” and securely obfuscated.

 For each replica we pick a random u.

Using a PRF F for each original block b_i we create b’_i=b_i+F(u|i)

Data deletion

 Law impose to securely delete sensitive

information. (Medical Records- Credit Card Number)

 A way to do that is to securely wipe

(overwrite) data.

 This is not viable on cloud storage:

 This issue has been addressed recently:

  FADE (Tang et Al. 2010)

  FadeVersion (Rahumed et Al 2011). ADEC

(Tezuka et Al. March 2012)

 The rationale behind all this system is

ADEC

E(F1,k1) E(F2,k2) E(F3,k3) E(F4,k4) E(F4,k4) E(F5,k5) E(F6,k6) V2 V1 V1 metadata E(<k1,k2,k3,k4>,kv1) h1,h2,h3,h4 V2 metadata E(<k4,k5,k6>,kv2) h1,h2,h3,h4 Cloud: S3, SkyDrive, iCloud, ...

Oblivious m-Assignment

 Assignment Algorithm are fundamental in

many field: Resource Sharing, Channel Assignment.

 Cloud maintainers know the assignment of

resource to clients:

  Is it possible to coordinate concurrent entities

such that each one knows is resource but do not know the other assignments?

  fairness?

Model

Problem Definition

 Oblivious assignment with m Slots (O-mA)

is specified by the following properties:

  Unique Assignment (Safety)

  Lockout Avoidance (Liveness)

  Oblivious Assignment (Obliviousness): if a slot

r_j is assigned to an honest process p_j no

other process is deterministically aware of this assignment

 Strong O-mA:

Solvability Issues

 Permission algorithms are not suitable for

solve O-mA

 In permission algorithms a process ask if

it is safe to access CS…

 Perpetual Circulating Token: The trivial

 Ensure Fairness: Rotating Leader can

enter in CS.

 The other processes must have a non zero

probability to gain CS.

 Must be not possible to distinguish (in

Assignment Phase

1

2

E(t1,PPk) E(t2,PPk)

...

1 2 3 4 (pm,PPk) E(tx,PPk) ... E(t_{n-1},PPk-2) n E(t1,PPk-2) ... E(t_{x-1},PPk-2) E(t_{x+1},PPk-2)

1

2

(p_2,PK2)

E(tx,PPk)

... (p_3,Pk3)

1 2 3 4 E(tx,PPk) ... n (p_3,Pk3) (p_{n-1},Pk_{n-1}) (p_2,Pk2) tx

Rel. Phase

1 2 ... E(0,PPk-2) E(0,PPk-2) tx E(b,PPk-2) ... E(0,PPk-2) E(b,PPk-2) b= released? xor

1 2 3 4 ... n 0 0 b ...

 What is the number of winner ticket

20 40 60 80 100 b 10

20 30 40

w=40 w=30 w=20 w=10

0.4 0.6 0.8 1.0

w=40 w=30 w=20 w=10

20 40 60 80 100 r 0.2 0.4 0.6 0.8 1.0 p=0.95 p=0.5 w=50 w=40 w=30 w=20 w=10