BurnBox Self-Revocable Encryption in a World of Compelled Access Nirvan Tyagi Muhammad Haris Thomas Ristenpart Ian Miers Mughees Usenix Security 2018 1
Compelled Access Setting file 1 file 2 file 3 2
Compelled Access Setting file 1 file 2 file 3 3
Compelled Access Setting file 1 file 2 e.g., border crossing, file 3 airport security, police checkpoints 4
Compelled Access Setting file 1 file 2 e.g., border crossing, file 3 airport security, police checkpoints e.g., journalists, dissidents, activists 5
Compelled Access Setting > 50% increase file 1 file 2 e.g., border crossing, file 3 airport security, police checkpoints e.g., journalists, dissidents, activists 6
Contributions ● BurnBox: Cloud storage secure in compelled access setting Allow users to honestly comply with authorities while preserving ○ confidentiality Secure deletion: permanently delete files ○ Temporary revocation: self-revoke access to files temporarily ○ ● Formal compelled access security notions and analysis ● Proof-of-concept prototype 7
Deniable/Steganographic file systems hide files by [CDNO96, ANS98, deceiving authority ADW97, Truecrypt] Real Duress file 1 file 2 file 3 8
Deniable/Steganographic file systems hide files by [CDNO96, ANS98, deceiving authority ADW97, Truecrypt] file 1 file 2 file 3 9
Deniable/Steganographic file systems hide files by [CDNO96, ANS98, deceiving authority ADW97, Truecrypt] file 1 fake 1 file 2 fake 2 file 3 fake 3 10
Deniable/Steganographic file systems hide files by [CDNO96, ANS98, deceiving authority ADW97, Truecrypt] Limitation: High usability burden where deception is inherent to security Maintenance of “realistic-looking” fake content ● Ability to convincingly lie about duress key ● file 1 fake 1 file 2 fake 2 file 3 fake 3 11
Deniable/Steganographic file systems hide files by [CDNO96, ANS98, deceiving authority ADW97, Truecrypt] Limitation: High usability burden where deception is inherent to security Maintenance of “realistic-looking” fake content ● Is this really Ability to convincingly lie about duress key ● your key? file 1 fake 1 file 2 fake 2 file 3 fake 3 12
Deniable/Steganographic file systems hide files by [CDNO96, ANS98, deceiving authority ADW97, Truecrypt] Limitation: High usability burden where deception is inherent to security Maintenance of “realistic-looking” fake content ● Is this really Ability to convincingly lie about duress key ● your key? file 1 fake 1 file 2 fake 2 file 3 fake 3 13
A Different Approach 1. Allow users to honestly comply at compelled access checkpoints 14
A Different Approach 1. Allow users to honestly comply at compelled access checkpoints Strawman: burner device or full wipe of device 15
A Different Approach 1. Allow users to honestly comply at compelled access checkpoints Strawman: burner device or full wipe of device BurnBox: selective temporary self-revocation of sensitive files 16
A Different Approach 1. Allow users to honestly comply at compelled access checkpoints Strawman: burner device or full wipe of device BurnBox: selective temporary self-revocation of sensitive files 2. Designed specifically for use with the cloud BurnBox: secure against passive cloud adversaries 17
Threat Model Untrusted Cloud Storage Write-only store ● Passive attacker ● file 1 file 2 file 3 18
Threat Model Untrusted Cloud Storage Write-only store ● Passive attacker ● file 1 file 2 file 3 19
Threat Model Untrusted Cloud Storage Write-only store ● Passive attacker ● file 1 file 2 file 3 20
Threat Model Untrusted Cloud Storage Write-only store ● Passive attacker ● Compelling Agent Access to local device ● User passwords ● Cloud history ● file 1 file 2 file 3 21
Threat Model Untrusted Cloud Storage Write-only store ● Passive attacker ● Offline Restoration Cache Inaccessible to ● Compelling Agent compelling agent Access to local device Inaccessible to user ● ● User passwords during checkpoint ● Cloud history ● file 1 file 2 file 3 22
BurnBox Overview file 1 file 2 file 3 23
BurnBox Overview Offline Restoration Cache Local Device file 1 file 2 file 3 24
BurnBox Overview Untrusted Cloud Storage f0c531 39731a 0dea2d file 1 file 2 file 3 25
BurnBox Overview Before Compelled Access User selectively deletes and revokes sensitive files f0c531 39731a 0dea2d file 1 file 2 file 3 26
BurnBox Overview Before Compelled Access User selectively deletes and revokes sensitive files f0c531 39731a 0dea2d file 1 revoke delete 27
BurnBox Overview Before Compelled Access User selectively deletes and revokes sensitive files f0c531 During Compelled Access Deleted files and revoked 39731a files are inaccessible and 0dea2d are cryptographically indistinguishable file 1 file 1 revoke delete 28
BurnBox Overview Before Compelled Access User selectively deletes and revokes sensitive files f0c531 During Compelled Access Deleted files and revoked 39731a files are inaccessible and 0dea2d are cryptographically indistinguishable After Compelled Access file 1 User restores access to revoked files with access revoke to restoration key delete 29
BurnBox Overview Before Compelled Access User selectively deletes and revokes sensitive files f0c531 During Compelled Access Deleted files and revoked 39731a files are inaccessible and 0dea2d are cryptographically indistinguishable After Compelled Access file 1 User restores access to revoked files with access file 2 to restoration key 30
Conventional client-side encryption f0c531 39731a 0dea2d Device State file 1 encryption encrypted filename key file file 2 f1.txt cc64c3 f0c531 file 3 f2.txt 5707dd 39731a f3.txt 1be052 0dea2d 31
Compelled access reveals local keys f0c531 39731a 0dea2d Device State file 1 encryption encrypted filename key file file 2 f1.txt cc64c3 f0c531 file 3 f2.txt 5707dd 39731a f3.txt 1be052 0dea2d 32
Delete rows of sensitive files f0c531 39731a 0dea2d Device State file 1 encryption encrypted filename key file file 2 f1.txt cc64c3 f0c531 file 3 f2.txt 5707dd 39731a f3.txt 1be052 0dea2d 33
Delete rows of sensitive files Problem 1: How to support revocation? f0c531 Problem 2: Secure deletion of persistent state is hard . 39731a 0dea2d Device State file 1 encryption encrypted filename key file file 2 f1.txt cc64c3 f0c531 file 3 f2.txt 5707dd 39731a f3.txt 1be052 0dea2d Forensic analysis 34
Revocation: use public-key encryption f0c531 39731a 0dea2d Device State file 1 encryption encrypted restoration filename key file ciphertext file 2 f1.txt cc64c3 f0c531 E(pk ,cc64c3 ) file 3 f2.txt 5707dd 39731a E(pk ,39731a ) f3.txt 1be052 0dea2d E(pk ,1be052 ) 35
Revocation: use public-key encryption f0c531 39731a 0dea2d Device State file 1 encryption encrypted restoration filename key file ciphertext file 2 Revoke f1.txt cc64c3 f0c531 E(pk ,cc64c3 ) file 3 f2.txt 5707dd 39731a E(pk ,39731a ) f3.txt 1be052 0dea2d E(pk ,1be052 ) 36
Revocation: use public-key encryption f0c531 39731a 0dea2d Device State file 1 encryption encrypted restoration filename key file ciphertext file 2 Revoke f1.txt cc64c3 f0c531 E(pk ,cc64c3 ) file 3 Delete f2.txt 5707dd 39731a E(pk ,39731a ) f3.txt 1be052 0dea2d E(pk ,000000 ) 37
Revocation: use public-key encryption Problem 1: How to support revocation? f0c531 Problem 2: Secure deletion of persistent state is hard . 39731a 0dea2d Device State file 1 encryption encrypted restoration filename key file ciphertext file 2 Revoke f1.txt cc64c3 f0c531 E(pk ,cc64c3 ) file 3 Delete f2.txt 5707dd 39731a E(pk ,39731a ) f3.txt 1be052 0dea2d E(pk ,000000 ) 38
Erasable Index File keys stored in append-only table ● f1.txt cc64c3... f2.txt 5707dd... f3.txt 1be052... f4.txt ca46b6... 39
Erasable Index File keys stored in append-only table ● Secure deletion of row keys with trusted hardware [RRBC13] ● Trusted hardware assumed to manage small “effaceable” storage ○ E.g., TPM, iOS/Android keystore APIs ○ effaceable storage f1.txt cc64c3... f2.txt 5707dd... f3.txt 1be052... key tree f4.txt ca46b6... 40
Erasable Index File keys stored in append-only table ● Secure deletion of row keys with trusted hardware [RRBC13] ● Trusted hardware assumed to manage small “effaceable” storage ○ E.g., TPM, iOS/Android keystore APIs ○ effaceable storage f1.txt cc64c3... f2.txt 5707dd... f3.txt 1be052... key tree f4.txt ca46b6... 41
Erasable Index File keys stored in append-only table ● Secure deletion of row keys with trusted hardware [RRBC13] ● Trusted hardware assumed to manage small “effaceable” storage ○ E.g., TPM, iOS/Android keystore APIs ○ effaceable storage f1.txt cc64c3... f2.txt 5707dd... f3.txt 1be052... key tree f4.txt ca46b6... 42
Recommend
More recommend