Slide 1: Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider

Ariel J. Feldman (Princeton / UPenn). Joint work with Aaron Blankstein, Michael J. Freedman, and Edward W. Felten.

Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12
Slide 2: Online social networks are centralized

Pro: availability, reliability, global accessibility, convenience.
Con: a third party is involved in every social interaction, so users must trust the provider for both confidentiality and integrity.
Slide 3: Threats to confidentiality

• Theft by attackers
• Accidental leaks
• Privacy policy changes
• Government pressure

Sources cited on the slide: Ars Technica, Mar. 11, 2011; EFF, Apr. 28, 2010; PC World, Dec. 6, 2011; WSJ, Feb. 22, 2012; Google Transparency Report, Jan.–Jun. 2011.
Slide 4: Threats to integrity

Simple: the server corrupts individual messages.
Complex: server equivocation. [Figure: the server shows Alice the updates in the order 1, 2, 3 but shows Bob the order 1, 3, 2.]

Equivocation in the wild (e.g., to disguise censorship): http://songshinan.blog.caixin.com/archives/22322 (translated by Google)
Slide 5: Limits of prior work

1. Cryptographic approaches: don't protect integrity.
2. Decentralized approaches: either trust a provider (who you may not know either) or run your own server (sacrificing availability, convenience, etc.).
Slide 6: Frientegrity's approach

• Benefit from a centralized provider. [Figure: one provider operating many servers, serving many clients.]
• Support common features (e.g., walls, feeds, friends, FoFs, followers).
• Assume the provider is untrusted.
Slide 7: Enforce confidentiality

The provider's servers only ever observe encrypted state; the clients hold the keys. (This requires dynamic access control and key distribution among clients.)
Slide 8: Verify integrity

Clients verify that the provider:
• hasn't corrupted individual updates
• hasn't equivocated
• enforced access control on writes
Slide 9: Scalability challenges

• Long histories, of which clients only want the tail: don't verify the whole history each time.
• Many objects (walls, comment threads, photos, etc.): support sharding.
• Many friends and FoFs: O(log n) "(un)friending".
Slide 10: Frientegrity overview

[Figure: Alice's profile consists of several objects (Alice's ACL, Alice's wall, Alice's photo album, a comment thread) spread over Server 1, Server 2, ..., Server n; Bob's profile is stored the same way. Each object is checked for equivocation, and objects can optionally be entangled with one another.]

When Bob reads Alice's wall he receives:
1. the latest updates
2. a proof of no equivocation
3. a proof of ACL enforcement
4. decryption keys
Bob then verifies and decrypts.
Slide 11: Detecting equivocation

Enforce fork* consistency [LM07]:
• Honest server: linearizability.
• Malicious server: Alice and Bob detect equivocation after exchanging two messages, by comparing their histories. [Figure: the server shows Alice 1, 2, 3 and Bob 1, 3, 2.]
• The provider can still fork the clients, but it can't unfork them without being detected.
Slide 12: Comparing histories

Previously: use a hash chain over the operations op_0, op_1, ..., op_7:

    h_n = H(h_{n-1} || op_n)

Hash chains are O(n) to compare, and the client must download the whole history.
Slide 13: Objects in Frientegrity

Use a history tree [CW09] over op_0 ... op_15: a Merkle tree whose internal nodes are

    h_i = H(h_leftChild(i) || h_rightChild(i))

so that h_root commits to the entire history. Let C_15 be a server-signed commitment to h_root up to op_15.
Slide 14: Objects (cont.)

Is C_8 consistent with C_15? [Figure: the history tree with only op_0, op_1, op_8, op_9, op_14, op_15 shown; the incremental proof consists of the O(log n) hashes along the path between the two commitments, not the whole history.]
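The O(n) hash chain of slide 12 next to the O(log n) history-tree check of slides 13 and 14, as an added example (not code from the Frientegrity project or the slides). It uses the RFC 6962 tree layout as one concrete instance of the history tree of [CW09], SHA-256 with leaf/node prefixes, constructed op contents, and leaves out the server's signature on each C_i so that the block runs stand-alone.

```python
# Added example, not code from the Frientegrity project.  A Merkle history tree
# with O(log n) consistency proofs (RFC 6962 layout, one concrete instance of the
# history-tree idea of [CW09]) next to the O(n) hash chain.  Op contents are
# constructed; the server's signature on each C_i is omitted.
import hashlib


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


# --- O(n) hash chain: h_n = H(h_{n-1} || op_n) ---------------------------------
def hash_chain(ops):
    """Every head depends on all earlier ops, so comparing two views means
    re-walking (and downloading) the whole shared prefix."""
    heads, h = [], b""
    for op in ops:
        h = H(h, op)
        heads.append(h)
    return heads


# --- History tree ---------------------------------------------------------------
def _leaf(op):    return H(b"\x00", op)      # domain-separated leaf hash
def _node(l, r):  return H(b"\x01", l, r)    # h_i = H(h_left || h_right)


def _split(n):
    """Largest power of two strictly below n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def root(ops):
    """Commitment C_{n-1}: the root over ops[0..n-1] (n >= 1)."""
    if len(ops) == 1:
        return _leaf(ops[0])
    k = _split(len(ops))
    return _node(root(ops[:k]), root(ops[k:]))


def consistency_proof(ops, m):
    """Hashes showing that ops[:m] is a prefix of ops (1 <= m <= len(ops))."""
    def sub(m, d, complete):
        if m == len(d):
            return [] if complete else [root(d)]
        k = _split(len(d))
        if m <= k:
            return sub(m, d[:k], complete) + [root(d[k:])]
        return sub(m - k, d[k:], False) + [root(d[:k])]
    return sub(m, ops, True)


def verify_consistency(m, n, old_root, new_root, proof):
    """True iff `proof` shows the m-op history committed by old_root is a prefix
    of the n-op history committed by new_root.  Mirrors consistency_proof and
    rebuilds both roots from the proof alone."""
    if not 1 <= m <= n:
        return False
    it = iter(proof)

    def walk(m, n, complete):
        if m == n:
            if complete:                    # the verifier already holds this root
                return old_root, old_root
            h = next(it)
            return h, h
        k = _split(n)
        if m <= k:                          # old tree lies inside the left subtree
            old_h, new_left = walk(m, k, complete)
            return old_h, _node(new_left, next(it))
        old_right, new_right = walk(m - k, n - k, False)
        left = next(it)                     # left subtree is shared by both trees
        return _node(left, old_right), _node(left, new_right)

    try:
        old_h, new_h = walk(m, n, True)
    except StopIteration:                   # proof too short
        return False
    if any(True for _ in it):               # proof carries extra hashes
        return False
    return old_h == old_root and new_h == new_root


def demo():
    """Slide 14's question (is C_8 consistent with C_15?) plus a forked view."""
    ops = [f"op{i}".encode() for i in range(16)]        # constructed history
    c8, c15 = root(ops[:9]), root(ops)
    proof = consistency_proof(ops, 9)                   # 5 hashes, not 16 ops
    honest = verify_consistency(9, 16, c8, c15, proof)

    # Equivocation: the server showed Bob a history with op9 and op10 swapped.
    # No proof can bridge Bob's C_11 and Alice's C_15, so the fork is exposed
    # as soon as they exchange commitments.
    forked = ops[:9] + [ops[10], ops[9]] + ops[11:]
    bob_c11 = root(forked[:12])
    forked_ok = verify_consistency(12, 16, bob_c11, c15, consistency_proof(ops, 12))
    return honest, forked_ok, len(proof)


if __name__ == "__main__":
    print(demo())   # (True, False, 5)
```

The proof for C_8 against C_15 is five hashes regardless of how the ops were produced, while `hash_chain` has to be recomputed over every op in the prefix; the forked-view check is the two-message equivocation detection of slide 11 in miniature.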
Slide 15: Verifying an object

Clients collaborate to verify the history. [Figure: op_0 ... op_15 written by Alice, Bob, and Charlie; each writer's operation carries that writer's commitment to the history it had verified up to that point (C_0, C_4, C_8, C_11).] A reader then asks only whether C_11 is consistent with C_15: because earlier writers already verified the history up to their own commitments, it need not start from op_0.
Slide 16: Tolerating malicious users

Tolerate up to f malicious users. [Figure: a forked history in which two versions of op_15 exist, each preceded by Bob's commitment C_11; a malicious writer can vouch for both branches, so the reader's consistency check must reach back to commitments from f + 1 distinct writers, at least one of whom is honest.]
Slide 17: Access control

For each of Alice's objects (photo album, wall, comment thread) the server must prove ACL enforcement against Alice's ACL, and key distribution must be efficient: O(log n) "(un)friending". Bob verifies and decrypts.
Slide 18: Proving ACL enforcement

Alice's ACL is a persistent authenticated dictionary [AGT01]: a tree over the members (Alice, Bob, Charlie, David, Emma, Sean) whose internal nodes are

    h_i = H(h_leftChild(i) || h_rightChild(i))

with h_root signed by Alice. The server can therefore prove to Bob that a given writer is in the ACL, and Bob checks that proof against Alice's signature rather than trusting the server.
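Slide 8's "enforced access control on writes" and slide 18's signed ACL root, as an added example (not code from the Frientegrity project or the slides): a sorted Merkle tree standing in for the persistent authenticated dictionary of [AGT01], where the server answers "is this writer in Alice's ACL?" with an audit path that Bob checks against the root Alice signed. The member names come from the slide; SHA-256 with leaf/node prefixes is this example's choice, and Alice's signature and the dictionary's version history are elided.

```python
# Added example, not code from the Frientegrity project: a sorted Merkle tree
# standing in for the persistent authenticated dictionary [AGT01] holding
# Alice's ACL.  Alice signs h_root (signature elided); the server proves a
# writer's membership with an audit path that Bob recomputes.
import hashlib


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _leaf(name: str) -> bytes:          return H(b"\x00", name.encode())
def _node(l: bytes, r: bytes) -> bytes: return H(b"\x01", l, r)


def _split(n):
    """Largest power of two strictly below n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def _mth(leaves):
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return _node(_mth(leaves[:k]), _mth(leaves[k:]))


def acl_root(members):
    """h_root over the sorted member list; this is the value Alice signs."""
    return _mth([_leaf(m) for m in sorted(members)])


def membership_proof(members, name):
    """Server side: the sibling hashes from `name`'s leaf up to the root, each
    tagged with whether the sibling sits on the left.  ValueError if absent."""
    ordered = sorted(members)
    leaves = [_leaf(m) for m in ordered]
    i = ordered.index(name)

    def path(ls, i):
        if len(ls) == 1:
            return []
        k = _split(len(ls))
        if i < k:
            return path(ls[:k], i) + [(_mth(ls[k:]), False)]
        return path(ls[k:], i - k) + [(_mth(ls[:k]), True)]
    return path(leaves, i)


def verify_membership(signed_root, name, proof):
    """Client side (Bob): rebuild the root from the leaf and the audit path and
    compare it with the root Alice signed."""
    h = _leaf(name)
    for sibling, sibling_is_left in proof:
        h = _node(sibling, h) if sibling_is_left else _node(h, sibling)
    return h == signed_root


def demo():
    acl = ["Alice", "Bob", "Charlie", "David", "Emma", "Sean"]   # from the slide
    h_root = acl_root(acl)                                        # what Alice signs
    ok = verify_membership(h_root, "Charlie", membership_proof(acl, "Charlie"))
    # A server that accepted a write from Zack cannot prove he was in the ACL:
    # reusing Charlie's path for Zack's leaf yields a different root.
    forged = verify_membership(h_root, "Zack", membership_proof(acl, "Charlie"))
    # A proof from a tree Alice never signed is rejected as well.
    stale = verify_membership(h_root, "Zack", membership_proof(acl + ["Zack"], "Zack"))
    return ok, forged, stale


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Each proof is one sibling hash per tree level (three for this six-member ACL), so Bob never downloads the ACL itself, and a server that let a non-member write has no valid path to show for that write.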
Slide 19: Efficient key distribution

Keys form a key graph [WGL98] over the same tree as the ACL: every node is a user holding that node's key (David, k_0; Bob, k_1; Sean, k_2; Alice, k_3; Charlie, k_4; Emma, k_5), with the root key k_0 = k_alice_friend. Each node's key is published encrypted under its children's keys, e.g. E_k3(k_1) || E_k4(k_1), and each user's own node key is encrypted to that user's public key, e.g. E_charlie_pk(k_4). A member recovers k_0 by decrypting one key per hop up its path to the root. Bob verifies and decrypts.
Slide 20: Adding a friend

To add Zack, Alice attaches a new node (Zack, k_6) under Sean (k_2) and publishes E_k5(k_2) || E_k6(k_2) together with E_zack_pk(k_6); no existing key changes.
Slide 21: Removing a friend

To remove Charlie (k_4), Alice picks fresh keys for every node on Charlie's path to the root: k_1' for Bob and a new root k_0' = k_alice_friend'. Only those O(log n) keys are re-encrypted for the remaining members (David, Bob, Sean, Alice, Emma, Zack); Charlie's k_4 no longer decrypts anything.
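The key graph of slides 19 to 21 as an added example (not code from the Frientegrity project or the slides): friending publishes two ciphertexts, unfriending re-keys only the ancestors of the removed node, and a removed member's stale keys fail to decrypt the new ones. Names and tree shape follow the slides; the key wrapping is a toy SHA-256/HMAC construction standing in for an AEAD, and a per-user 32-byte secret stands in for the user's key pair (E_user_pk on the slides).

```python
# Added example, not code from the Frientegrity project: a key graph in the
# style of [WGL98] over the ACL tree of slides 19-21.  Toy key wrapping and
# per-user secrets (in place of public-key encryption) are this example's own.
import hashlib
import hmac
import os


def new_secret() -> bytes:
    return os.urandom(32)


def wrap(kek: bytes, key: bytes) -> bytes:
    """Toy key wrapping: XOR with a SHA-256 keystream plus an HMAC tag, so
    unwrapping under the wrong key fails instead of returning garbage."""
    nonce = os.urandom(16)
    stream = hashlib.sha256(b"wrap|" + kek + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(stream, key))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expect = hmac.new(kek, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key")
    stream = hashlib.sha256(b"wrap|" + kek + nonce).digest()
    return bytes(a ^ b for a, b in zip(stream, ct))


class KeyGraph:
    """Alice's (owner) view.  `parent` and `wraps` are public state the
    untrusted server stores; `node_key` and `secret` never reach the server."""

    def __init__(self):
        self.parent, self.children, self.node_key, self.secret = {}, {}, {}, {}
        self.wraps = {}   # (holder, node) -> k_node wrapped for holder

    def add(self, user, secret, under=None):
        """Friending: hang `user` below `under`; two new ciphertexts, no re-keying."""
        self.secret[user], self.parent[user], self.children[user] = secret, under, []
        self.node_key[user] = new_secret()
        self.wraps[(user, user)] = wrap(secret, self.node_key[user])     # E_user_pk(k_user)
        if under is not None:
            self.children[under].append(user)
            self.wraps[(user, under)] = wrap(self.node_key[user], self.node_key[under])  # E_k_user(k_under)

    def remove(self, user):
        """Unfriending a leaf: drop its ciphertexts and re-key every ancestor.
        Returns the number of ciphertexts republished (O(log n) when balanced)."""
        assert not self.children[user], "this example removes leaves only"
        anc = self.parent[user]
        self.children[anc].remove(user)
        for k in [k for k in self.wraps if user in k]:
            del self.wraps[k]
        for table in (self.parent, self.children, self.node_key, self.secret):
            del table[user]
        republished = 0
        while anc is not None:                    # walk up to the root
            self.node_key[anc] = new_secret()     # k_1', then k_0'
            self.wraps[(anc, anc)] = wrap(self.secret[anc], self.node_key[anc])
            republished += 1
            for c in self.children[anc]:          # a child on the path already has its new key
                self.wraps[(c, anc)] = wrap(self.node_key[c], self.node_key[anc])
                republished += 1
            anc = self.parent[anc]
        return republished


def derive_group_key(wraps, parent, user, secret):
    """Member side: from public server state plus its own secret, unwrap one
    key per hop from its own node up to the root (k_0 = k_alice_friend)."""
    k, node = unwrap(secret, wraps[(user, user)]), user
    while parent[node] is not None:
        k = unwrap(k, wraps[(node, parent[node])])
        node = parent[node]
    return k


def build_slide_graph():
    """Slide 19: David at the root (k_0), Bob (k_1) and Sean (k_2) below,
    Alice (k_3) and Charlie (k_4) under Bob, Emma (k_5) under Sean."""
    kg, secrets = KeyGraph(), {}
    for user, under in [("david", None), ("bob", "david"), ("sean", "david"),
                        ("alice", "bob"), ("charlie", "bob"), ("emma", "sean")]:
        secrets[user] = new_secret()
        kg.add(user, secrets[user], under)
    return kg, secrets


def demo():
    kg, s = build_slide_graph()
    k0 = kg.node_key["david"]
    everyone = all(derive_group_key(kg.wraps, kg.parent, u, s[u]) == k0 for u in s)
    s["zack"] = new_secret()
    kg.add("zack", s["zack"], under="sean")                   # slide 20
    zack_ok = derive_group_key(kg.wraps, kg.parent, "zack", s["zack"]) == k0
    old_k1 = kg.node_key["bob"]                               # Charlie learned k_1 on his path
    republished = kg.remove("charlie")                        # slide 21
    k0_new = kg.node_key["david"]
    rest = all(derive_group_key(kg.wraps, kg.parent, u, s[u]) == k0_new for u in s if u != "charlie")
    try:
        unwrap(old_k1, kg.wraps[("bob", "david")])
        locked_out = False
    except ValueError:
        locked_out = True
    return everyone, zack_ok, republished, k0_new != k0, rest, locked_out
```

Removing Charlie republishes five ciphertexts (Bob's and David's own copies plus one per remaining child of each re-keyed node), while the subtree under Sean is untouched; the stale k_1 Charlie once decrypted no longer opens the new E_k1'(k_0').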
Slide 22: Efficient enough in practice?

Setup
• Java client and server
• Simulate basic Facebook features (each user has a wall and an ACL)
• 2048-bit RSA sign and verify, batched via spliced signatures [CW10]
• Experiments on a LAN (8-core 2.4 GHz Intel Xeon E5620s, Gigabit network)

Measurements
• Latency of reads and writes to objects
• Latency of ACL changes
• Throughput (in paper)
• Effect of tolerating malicious users
Slide 23: Object read and write latency

[Figure, two plots of response latency (ms) against object history size. Top, Frientegrity: read and write latency stay roughly flat (y-axis 0–14 ms) as the history grows to 25K operations; the constant cost of signatures dominates, thanks to collaborative verification. Bottom, hash chain: read and write latency grow with history size (y-axis 0–1000 ms over histories of up to 1500 operations).]
Slide 24: Latency of ACL changes

[Figure: response latency (ms, 0–35) against ACL size (0–1000) for Add User and Revoke User.]
Slide 25: Tolerating malicious users

Setup: 50 writers, 5000 operations. [Figure: response latency (ms, log scale 10–1000) against f + 1 (0–50) for two distributions of writes across users, Power and Uniform.]