cs2 a searchable cryptographic cloud
play

CS2 : A Searchable Cryptographic Cloud Storage System Seny Kamara - PowerPoint PPT Presentation

Oct 18, 2022 •519 likes •960 views

CS2 : A Searchable Cryptographic Cloud Storage System Seny Kamara (MSR) Charalampos Papamanthou (UC Berkeley) Tom Roeder (MSR) Cloud Computing Cloud Computing o Main concern o will my data be safe? o will anyone see it? o can anyone modify it?

  1. CS2 : A Searchable Cryptographic Cloud Storage System Seny Kamara (MSR) Charalampos Papamanthou (UC Berkeley) Tom Roeder (MSR)

  2. Cloud Computing

  3. Cloud Computing o Main concern o will my data be safe? o will anyone see it? o can anyone modify it? o Security solutions o VM isolation o Single-tenant servers o Access control o … o Cloud provides stronger security than self-hosting [Molnar-Schecter-10] o Q : but what if I don’t trust the cloud operator ?

  4. Cloud Storage ?

  5. Traditional Approach AEncK AEncK AEncK AEncK ? AEncK

  6. Search-based Access o File-based access is hard (esp. for large data) o Search-based access is preferred o Web search o Desktop search o Apple Spotlight, Google Desktop, Windows Desktop o Enterprise search

  7. Two Simple Solutions to Search AEncK AEncK ? id 2 AEncK AEncK Large comm. Large local complexity storage Q : can we achieve the best of both?

  8. Outline o Motivation o CS2 building blocks o Symmetric searchable encryption o Search authenticators o Proofs of storage o CS2 Protocols o for standard search o for assisted search o Experiments

  9. CS2 Building Blocks

  10. Searchable Symmetric Encryption [SWP01] EncK tw EncK EncK

  11. Searchable Symmetric Encryption o [Goldreich-Ostrovsky-96] We need new SSE! o  : hides everything o  : interactive o [Song-Wagner-Perrig-01] o  : non-interactive o  : static, linear search time, leaks information o [Goh03, Chang-Mitzenmacher-05] o  : non-interactive, dynamic o  : linear search time, non-adaptive security (CKA1-security) o [Curtmola-Garay-K-Ostrovsky-06] o  : non-interactive, sub-linear search (optimal), adaptive security o  : static

  12. Proofs of Storage [ABC+07, JK07] C π

  13. Proofs of Storage o [ABC+07,JK07,SW08,DVW09,AKK09] o  : efficient o  : static o [APMT08] We need new PoS! o  : efficient and dynamic o  : bounded verifications o [EKPT09] o  : efficient, dynamic, unlimited verification o  : patented

  14. Search Authenticator 𝑥 π

  15. Search Authenticators o [GGP10,CVK10,CVK11] o  : general-purpose o  : inefficient (due to FHE) & static o [CRR11] We need new VC/SA! o  : general-purpose, efficient o  : requires two non-colluding clouds o [BGV11] o  : proof generation is linear & static

  16. Outline o Motivation o CS2 building blocks o Symmetric searchable encryption o Search authenticators o Proofs of storage o CS2 Protocols o for standard search o for assisted search o Experiments

  17. SSE-1 [CGKO06] MSFT 1. Build inverted/reverse index F2 F10 F11 GOOG F2 F8 F14 AAPL Posting list F1 F2 IBM F4 F10 F12 2. Randomly permute array & nodes GOOG F11 F8 F2 F10 IBM F1 F4 F12 F10 AAPL F2 F2 F14 # MSFT

  18. SSE-1 [CGKO06] GOOG 2. Randomly permute array & nodes F11 F8 F2 F10 IBM F1 F4 F12 F10 AAPL F2 F2 F14 # MSFT 3. Encrypt nodes GOOG IBM AAPL MSFT

  19. SSE-1 [CGKO06] GOOG 3. Encrypt nodes IBM AAPL MSFT Enc( • ) 4. ‚Hash‛ keyword & encrypt pointer F K (GOOG) Enc( • ) F K (IBM) Enc( • ) F K (AAPL) Enc( • ) F K (MSFT)

  20. Limitations of SSE-1 o Non-adaptively secure ⇒ adaptive security o Idea #1 [Chase-K-10] o replace encryption scheme with symmetric non-committing encryption o only requires a PRF + XOR o  : doesn’t work for dynamic data o Idea #2 o Use RO + XOR

  21. Limitations of SSE-1 o Static data ⇒ dynamic data o Problem #1: o given new file F N = (AAPL, …, MSFT) o append node for F to list of every w i in F MSFT 1. Over unencrypted index F2 F10 F11 FN GOOG F2 F8 F14 AAPL F1 F2 FN Enc( • ) IBM F4 F10 F12 F K (GOOG) Enc( • ) F K (IBM) 2. Over encrypted index ??? Enc( • ) F K (AAPL) Enc( • ) F K (MSFT)

  22. Limitations of SSE-1 o Static data ⇒ dynamic data o Problem #2: o When deleting a file F 2 = (AAPL, …, MSFT) o delete all nodes for F 2 in every list MSFT 1. Over unencrypted index F2 F10 F11 GOOG F2 F8 F14 AAPL F1 F2 Enc( • ) IBM F4 F10 F12 F K (GOOG) Enc( • ) F K (IBM) 2. Over encrypted index ??? Enc( • ) F K (AAPL) Enc( • ) F K (MSFT)

  23. Limitations of SSE-1 o Static data ⇒ dynamic data o Idea #1 o Memory management over encrypted data o Encrypted free list o Idea #2 o List manipulation over encrypted data o Use homomorphic encryption (here just XOR) so that pointers can be updated obliviously o Idea #3 o d eletion is handled using an ‚dual‛ SSE scheme o given deletion/search token for F 2 , returns pointers to F 2 ‘s nodes o then add them to the free list homomorphically

  24. Outline o Motivation o Related work & our approach o CS2 building blocks o Symmetric searchable encryption o Search authenticators o Proofs of storage o CS2 Protocols o for standard search o for assisted search o Experiments

  25. Limitations of Verifiable Computation o Inefficient ⇒ practical o Idea #1 o Design special-purpose scheme (i.e., just for verifying search) o Idea #2 o Use Merkle Tree ‚on top‛ of inverted index o For keyword w: we efficiently verify its posting list and associated files o Generating proof is O(w*) instead of O(n) o Static ⇒ dynamic o Idea #1 o Replace bottom hash with incremental hash [Bellare-Goldreich-Goldwasser94, Bellare-Micciancio97] o

  26. Search Authenticators 1. Build inverted/reverse index MSFT F2 F10 F11 GOOG F2 F8 F14 AAPL F1 F2 IBM F4 F10 F12 IH IH IH IH F2 F2 F1 F4 F10 F8 F10 2. Build Merkle tree w/ IH at leaves F2 F11 F14 F12 Problem: hash functions are not hiding! MSFT GOOG AAPL IBM

  27. Search Authenticators 2’. Build Merkle tree w/ IH at leaves over encrypted files Problem: server has file encryptions so he can 1. IH a set of files 2. check result against a leaf hash 3. determine if files contain common keyword IH IH IH IH MSFT GOOG AAPL IBM

  28. Search Authenticators 2’’. Build Merkle tree w/ IH at leaves over keyed hash of encrypted files Problem: server has file encryptions so he can 1. IH a set of files 2. check result against a leaf hash 3. determine if files contain common keyword IH IH IH IH F K ( ) F K ( ) F K ( ) MSFT GOOG AAPL IBM

  29. Proofs of Storage

  30. CS2 Protocols

  31. CS2 Protocols o Standard search o User searches for w o Server returns documents w/ w o Relatively straightforward combination of (dynamic) SSE, PoS & SA o Assisted search o User searches for w o Server returns summaries of files with w o User chooses a subset to retrieve o Server returns subset of files with w o More complex combination of (dynamic) SSE, PoS, SA + CRHF o Search can be more efficient (since less data is returned)

  32. CS2 Protocols o Definitions in ideal/real-world model o Cloud storage w/ standard search o Cloud storage w/ assisted search o  o easier to use within larger protocols (i.e., hybrid security models ) o Single definition for all desired properties o guarantees composition of underlying primitives is OK o  : definitions & proofs are complicated o Protocols make black-box use of primitives o  : modularity -- replace underlying primitives

  33. Experiments

  34. Implementation o C++ o Microsoft Cryptography API: Next Generation o RO: SHA256 o PRFs: HMAC-SHA256 o SKE: 128-bit AES/CBC o Bignum library o Prime fields o We test only the crypto overhead o No file transfers over network o No reading from disk o No indexing costs

  35. Experiments o Intel Xeon CPU 2.26 GHz o Windows Server 2008 o 4 datasets o Email (enron): 4MB, 11MB, 16MB o ≈ every byte is a word o Office docs: 8MB, 100MB, 250MB, 500MB o Relatively few keywords o Media (MP3,WMA, JPG,...): 8MB, 100MB, 250MB, 500MB o Barely any keywords o Average over 10 executions

  36. STORE o Total o Distribution o Email (16MB): 2 mins o Verifiability: 2/3 of cost o Office (500MB) :1.5 mins o SSE: 1/3 cost o Media (500MB): 30 s o PoS: negl o Email (16GB): 40/15 hours

  37. SEARCH o Total o Distribution o Email (16MB): 0.5 secs o Client verification: 80% o Office (500MB): 0.1 secs o Client decryption: 10% o Media (500MB): 0.025 secs o Server search + proof: 10%

  38. CHECK o Total o Distribution o Email (16MB): 12 secs o Server Proof: 95% o Office (500MB): 12 secs o Client verify: 5% o Media (500MB): 12 secs

  39. ADD o Total o Distribution o Email (16MB): 1.5 secs o Email (16MB) o 40% client auth state update o Office (500MB): 1.5 secs o 40% server auth update o Media (500MB): 1.5 secs o 20% add token

  40. DELETE o Total o Distribution o Email (16MB): 1.5 secs o 40% server auth update o Office (500MB): 0.7 secs o 40% client auth update o Media (500MB): negl o 20% server index update

  41. Summary o New Crypto o Dynamic and CKA2-secure SSE with sub-linear search o Sub-linear verifiable computation for search o Unbounded dynamic PDP o New Protocols o Ideal/real-world definitions for secure cloud storage o Protocol for standard search o Protocol for assisted search o Implementation & experiments o First experimental results for sub-linear SSE o Identified verification as bottleneck o Office docs seem to be the best workload

  42. Questions?

Recommend

Searchable Encryption Prepared for 600.624 February 9, 2006 Outline Motivation of

Searchable Encryption Prepared for 600.624 February 9, 2006 Outline Motivation of

Searchable Encryption Prepared for 600.624 February 9, 2006 Outline Motivation of Searchable Encryption Searchable Encryption Constructions of Song, Wagner and Perrig Discussion Related Work Conjunctive Keyword

753 views • 51 slides
Searchable Security Scheme for Cloud NoSQL Mohammad Ahmadian ahmadian@knights.ucf.edu Advisor:

Searchable Security Scheme for Cloud NoSQL Mohammad Ahmadian ahmadian@knights.ucf.edu Advisor:

Searchable Security Scheme for Cloud NoSQL Mohammad Ahmadian ahmadian@knights.ucf.edu Advisor: Professor Dan C. Marinescu University of Central Florida September 16, 2017 Mohammad Ahmadian (UCF) Secure NoSQL September 16, 2017 1 / 48 Goal

1.31k views • 79 slides
Searchable Encryption From Theory to Implementation Raphael Bost Direction Gnrale de

Searchable Encryption From Theory to Implementation Raphael Bost Direction Gnrale de

Searchable Encryption From Theory to Implementation Raphael Bost Direction Gnrale de lArmement - Maitrise de lInformation & Universit de Rennes 1 ECRYPT NET Workshop - Crypto for the Cloud & Implementation - 28/06/2017

793 views • 43 slides
Cryptographic Cloud Storage: a proposal a proposal Seny Kamara, Kristin Lauter Cryptography

Cryptographic Cloud Storage: a proposal a proposal Seny Kamara, Kristin Lauter Cryptography

Cryptographic Cloud Storage: a proposal a proposal Seny Kamara, Kristin Lauter Cryptography Group Microsoft Research Applications/Scenarios Secure Outsourcing for Business Electronic Health Records Interactive Scientific Publishing

452 views • 4 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage Presented by: Keegan Sherman and Pardeep Banwait Searchable Symmetric Encryption Allows a user to store a collection of encrypted documents and

350 views • 24 slides
FORWARD PRIVATE SEARCHABLE ENCRYPTION & BEYOND 22/02/2017 MIT - RAPHAEL BOST DATE

FORWARD PRIVATE SEARCHABLE ENCRYPTION & BEYOND 22/02/2017 MIT - RAPHAEL BOST DATE

FORWARD PRIVATE SEARCHABLE ENCRYPTION & BEYOND 22/02/2017 MIT - RAPHAEL BOST DATE Searchable Encryption Outsource data securely keep search functionalities Generic Solutions Fully Homomorphic Encryption, MPC, ORAM

578 views • 37 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Encrypted Cloud Storage David Cash Paul Grubbs Jason Perry Tom Ristenpart Rutgers U Skyhigh

Encrypted Cloud Storage David Cash Paul Grubbs Jason Perry Tom Ristenpart Rutgers U Skyhigh

Security of Searchable Encrypted Cloud Storage David Cash Paul Grubbs Jason Perry Tom Ristenpart Rutgers U Skyhigh Networks Lewis U Cornell Tech Outsourced storage and searching client cloud provider give me all records containing

508 views • 36 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides
Sophos and Diane Searchable Symmetric Encryption with (Very) Low Overhead Raphael Bost, Brice

Sophos and Diane Searchable Symmetric Encryption with (Very) Low Overhead Raphael Bost, Brice

Sophos and Diane Searchable Symmetric Encryption with (Very) Low Overhead Raphael Bost, Brice Minaud RHUL ISG seminar, November 24th 2016 Plan 1. Symmetric Searchable Encryption. 2. Leakage and Forward-Privacy. 3. Sophos and Diane schemes. 4.

479 views • 45 slides
How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

Department of Informatics Security and Privacy Maximilian Blochberger How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic pitfalls by design Goal Raise awareness of cryptographic misuse Disclaimer

910 views • 29 slides
Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A

Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A

Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A test key T w that allows one to test if Dec SK (C) = w Searchable Encryption A test key T w that allows one to test if Dec SK (C) = w No other

1.62k views • 116 slides
Exploi'ng Leakage in Searchable Encryp'on and Machine

Exploi'ng Leakage in Searchable Encryp'on and Machine

Exploi'ng Leakage in Searchable Encryp'on and Machine Learning Tom Ristenpart Covering joint work with : David Cash, Paul Grubbs, Jason Perry

875 views • 56 slides
Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1 Yesterday Motivation for searchable encryption First SSE scheme [SWP00] Attacks on [SWP00] Conjunctive SSE [GSW04,PKL04,BKM05] 2

703 views • 24 slides
Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web

Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web Storage Crypto on the Web Motivations Formal analysis of cryptographic web

1.19k views • 106 slides
Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come

Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come

Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come from? Why Cloud? Cloud for small, medium, enterprise, and government Barriers to adoption Embracing Cloud Social Mobile Cloud

972 views • 45 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
New cryptographic goals Data privacy is not the only important cryptographic goal CS 4803

New cryptographic goals Data privacy is not the only important cryptographic goal CS 4803

New cryptographic goals Data privacy is not the only important cryptographic goal CS 4803 It is also important that a receiver is assured Computer and Network Security that the data it receives has come from the sender and has not been

617 views • 5 slides
Basic Problem Making the Sky Searchable: I show you a picture of the night sky. Fast

Basic Problem Making the Sky Searchable: I show you a picture of the night sky. Fast

4/27/16 Basic Problem Making the Sky Searchable: I show you a picture of the night sky. Fast Geometric Hashing for Automated Astrometry Sam Roweis, Dustin Lang & Keir Mierle University of Toronto David Hogg & Michael Blanton

165 views • 13 slides
SAS and (the) Cloud Dave Annis SAS Solutions onDemand SAS and (the) Cloud Everyones Cloud

SAS and (the) Cloud Dave Annis SAS Solutions onDemand SAS and (the) Cloud Everyones Cloud

SAS and (the) Cloud Dave Annis SAS Solutions onDemand SAS and (the) Cloud Everyones Cloud Tour of the buzzwords, myths and realities Whats in store for me, the boss, the company, the industry? Your cloud, our cloud their

224 views • 19 slides
Seny Kamara Tarik Moataz Bob 2 Bob 2 I cant search! Bob 2 Many Approaches Stream

Seny Kamara Tarik Moataz Bob 2 Bob 2 I cant search! Bob 2 Many Approaches Stream

Boolean Searchable Symmetric Encryption with Worst-Case Sub-Linear Complexity Seny Kamara Tarik Moataz Bob 2 Bob 2 I cant search! Bob 2 Many Approaches Stream ciphers [SWP00] Bucketing [HILM02] Structured and searchable

1.2k views • 104 slides
Towards Searchable and Verifjable Blockchain Cheng Xu Ce Zhang April 8, 2019 Department of

Towards Searchable and Verifjable Blockchain Cheng Xu Ce Zhang April 8, 2019 Department of

Towards Searchable and Verifjable Blockchain Cheng Xu Ce Zhang April 8, 2019 Department of Computer Science Hong Kong Baptist University Background Blockchain is a distributed ledger maintained by a community of (untrusted) users

895 views • 47 slides

More recommend