Key Regression Fu, Kamara, Kohno Divya Muthukumaran
Content Distribution: Content publishers -> Content distribution. Outsourcing storage and distribution. Content distribution networks: Akamai, SpeedEra, MirrorImage... Access control?
Storage System Players. Possible attacks? [Diagram: Owners, Readers, Writers, Storage Server; r/w arrows]
Storage System Players. Possible attacks? On the stored data; on the wire. Kinds of attacks: leak, change, destroy. [Diagram: Owners, Readers, Writers, Storage Server; r/w arrows]
Storage System Players. Encrypt-on-the-wire: trust the server. Encrypt-on-disk: store encrypted; untrusted server. [Diagram: Owners, Readers, Writers, Storage Server; r/w arrows]
Storage System Players. Security primitives: authentication; authorization; securing data on disk; securing data on the wire; key distribution; revocation. [Diagram: Owners, Readers, Writers, Storage Server; r/w arrows]
PLUTUS: untrusted server; trusted client; decentralized key distribution; client based – customizable; encrypt-on-disk; server verifies writes; integrity + prevent readers from writing; asymmetric encryption.
System Overview File Owners Readers Writers
System Overview [Diagram: File; Owners; Readers + File Verify key (e,N); Writers + File Sign key (d,N); Lockbox]
System Overview [Diagram: File Group; Owners; Readers + File Verify key (e,N); Writers + File Sign key (d,N)]
Revocation: Get out and stay out! Expensive for an encrypt-on-disk system. Why? Re-encrypt all content with a new key; redistribute new keys to all the readers and writers.
Lazy Revocation: Delay the encryption, because revoked users could have cached the data available earlier. For the clients: too many keys to be maintained; a new key after each revocation. File groups: multiple keys associated with a single file group.
File Group
Key Rotation: Wind and unwind keys. Only owners can wind keys (forward). Readers can unwind keys (backward). How? RSA. Owners: $K_{v+1} = K_v^d \bmod N$. is the file-lockbox key associated Readers: then $K_{w-1} = K_w^e \bmod N$
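Key Rotation [Diagram: key chain $K_i$, $K_j$, $K_l$, $K_m$; forward (wind) labels $K_i^d \bmod N$, $K_j^d \bmod N$, $K_l^d \bmod N$; backward (unwind) labels $K_i^e \bmod N$, $K_j^e \bmod N$, $K_l^e \bmod N$]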
What is wrong with this? Pseudo-randomness!! Given $K_l$, can you say anything about it? If you are a revoked user, you have $K_i$. Unwind $K_l$: if you get $K_i$, you have the current key $K_l$. Else $K_i'$ is not $K_i$, so what you have is not the current key $K_l$. Pseudo-randomness vs. predictability.
Why is pseudo-randomness important? How can you attack the system? You cannot use the keys output by key rotation to key other crypto constructs such as symmetric encryption schemes and MACs.
The Fi Member states: $stm_i$. Do not give the key directly; $K_i$ is derived from $stm_i$. No path from $K_l$ to $stm_i$!! Can distinguish future member states from random.
Key Rotation Vs Regression [Diagram: key chain $K_i$, $K_j$, $K_l$, $K_m$; forward (wind) labels $K_i^d \bmod N$, $K_j^d \bmod N$, $K_l^d \bmod N$]
Construction: Four algorithms. Setup - random oracle H, publisher state stp. Wind - stp, <stp', $stm_i$>. Unwind - $stm_i$, $stm_{i-1}$. Key derivation - $stm_i$, $K_i$. Constructs: KR-SHA, KR-AES, KR-RSA.
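Added example (not from the slides or the paper's code): a hash-chain sketch of the four algorithms above, in the spirit of a hash-based construction such as KR-SHA. It assumes SHA-256 with "unwind"/"keyder" prefixes for domain separation and a fixed bound MAX_WINDS; the function names, prefixes and state layout are illustrative assumptions.

```python
import hashlib
import secrets

MAX_WINDS = 8  # assumed bound on how many member states the publisher can release


def _h(tag: bytes, data: bytes) -> bytes:
    # Domain-separated hash so that keys and earlier states come from different functions.
    return hashlib.sha256(tag + data).digest()


def setup(max_winds=MAX_WINDS, seed=None):
    """Build publisher state stp: the full chain, computed backwards from a random end."""
    chain = [seed if seed is not None else secrets.token_bytes(32)]
    for _ in range(max_winds - 1):
        chain.append(_h(b"unwind", chain[-1]))
    chain.reverse()  # chain[0] = stm_1 ... chain[-1] = stm_max
    return {"chain": chain, "next": 0}


def wind(stp):
    """Publisher only: return (stp', stm_i), releasing the next member state."""
    if stp["next"] >= len(stp["chain"]):
        raise ValueError("publisher state exhausted")
    stm = stp["chain"][stp["next"]]
    return {"chain": stp["chain"], "next": stp["next"] + 1}, stm


def unwind(stm):
    """Any member: stm_i -> stm_{i-1}. Going forward would need a hash preimage."""
    return _h(b"unwind", stm)


def keyder(stm):
    """Derive content key K_i from stm_i; K_i gives no path back to stm_i."""
    return _h(b"keyder", stm)


def keys_up_to(stm, i):
    """Keys K_i, K_{i-1}, ..., K_1 computable by a member holding only stm_i."""
    keys = []
    for _ in range(i):
        keys.append(keyder(stm))
        stm = unwind(stm)
    return keys


if __name__ == "__main__":
    stp = setup()
    stp, stm1 = wind(stp)
    stp, stm2 = wind(stp)
    stp, stm3 = wind(stp)  # a member revoked after stm2 never receives this
    print([k.hex()[:16] for k in keys_up_to(stm3, 3)])
```

A member holding only the latest state recovers every earlier key, which is what lets the publisher hand out one small value per revocation instead of the whole key history.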
Proving Hardness. Theorem: A key regression scheme built with a secure PRG (pseudo-random bit generator) is KR-secure. Reduce each of KR-AES, KR-SHA, KR-RSA to a KR-PRG. QED
Implementation & Evaluation: Integrated key regression into a secure file system. Key regression significantly reduces the bandwidth requirements of the publisher while distributing keys. KR-AES can perform more than four times as many unwinds/sec as KR-SHA1.
Real-World Applications: Efficient, low-cost subscription models. Plenty of multimedia content distributed over p2p. Distributing software.
Take Away ? Your Idea can be described in 2 lines. But if you can formally prove it you got yourself a 39 page paper!