cs2 a searchable cryptographic cloud
play

CS2 : A Searchable Cryptographic Cloud Storage System Seny Kamara - PowerPoint PPT Presentation

Oct 18, 2022 •519 likes •960 views

CS2 : A Searchable Cryptographic Cloud Storage System Seny Kamara (MSR) Charalampos Papamanthou (UC Berkeley) Tom Roeder (MSR) Cloud Computing Cloud Computing o Main concern o will my data be safe? o will anyone see it? o can anyone modify it?

  1. CS2 : A Searchable Cryptographic Cloud Storage System Seny Kamara (MSR) Charalampos Papamanthou (UC Berkeley) Tom Roeder (MSR)

  2. Cloud Computing

  3. Cloud Computing o Main concern o will my data be safe? o will anyone see it? o can anyone modify it? o Security solutions o VM isolation o Single-tenant servers o Access control o … o Cloud provides stronger security than self-hosting [Molnar-Schecter-10] o Q : but what if I don’t trust the cloud operator ?

  4. Cloud Storage ?

  5. Traditional Approach AEncK AEncK AEncK AEncK ? AEncK

  6. Search-based Access o File-based access is hard (esp. for large data) o Search-based access is preferred o Web search o Desktop search o Apple Spotlight, Google Desktop, Windows Desktop o Enterprise search

  7. Two Simple Solutions to Search AEncK AEncK ? id 2 AEncK AEncK Large comm. Large local complexity storage Q : can we achieve the best of both?

  8. Outline o Motivation o CS2 building blocks o Symmetric searchable encryption o Search authenticators o Proofs of storage o CS2 Protocols o for standard search o for assisted search o Experiments

  9. CS2 Building Blocks

  10. Searchable Symmetric Encryption [SWP01] EncK tw EncK EncK

  11. Searchable Symmetric Encryption o [Goldreich-Ostrovsky-96] We need new SSE! o  : hides everything o  : interactive o [Song-Wagner-Perrig-01] o  : non-interactive o  : static, linear search time, leaks information o [Goh03, Chang-Mitzenmacher-05] o  : non-interactive, dynamic o  : linear search time, non-adaptive security (CKA1-security) o [Curtmola-Garay-K-Ostrovsky-06] o  : non-interactive, sub-linear search (optimal), adaptive security o  : static

  12. Proofs of Storage [ABC+07, JK07] C π

  13. Proofs of Storage o [ABC+07,JK07,SW08,DVW09,AKK09] o  : efficient o  : static o [APMT08] We need new PoS! o  : efficient and dynamic o  : bounded verifications o [EKPT09] o  : efficient, dynamic, unlimited verification o  : patented

  14. Search Authenticator 𝑥 π

  15. Search Authenticators o [GGP10,CVK10,CVK11] o  : general-purpose o  : inefficient (due to FHE) & static o [CRR11] We need new VC/SA! o  : general-purpose, efficient o  : requires two non-colluding clouds o [BGV11] o  : proof generation is linear & static

  16. Outline o Motivation o CS2 building blocks o Symmetric searchable encryption o Search authenticators o Proofs of storage o CS2 Protocols o for standard search o for assisted search o Experiments

  17. SSE-1 [CGKO06] MSFT 1. Build inverted/reverse index F2 F10 F11 GOOG F2 F8 F14 AAPL Posting list F1 F2 IBM F4 F10 F12 2. Randomly permute array & nodes GOOG F11 F8 F2 F10 IBM F1 F4 F12 F10 AAPL F2 F2 F14 # MSFT

  18. SSE-1 [CGKO06] GOOG 2. Randomly permute array & nodes F11 F8 F2 F10 IBM F1 F4 F12 F10 AAPL F2 F2 F14 # MSFT 3. Encrypt nodes GOOG IBM AAPL MSFT

  19. SSE-1 [CGKO06] GOOG 3. Encrypt nodes IBM AAPL MSFT Enc( • ) 4. ‚Hash‛ keyword & encrypt pointer F K (GOOG) Enc( • ) F K (IBM) Enc( • ) F K (AAPL) Enc( • ) F K (MSFT)

  20. Limitations of SSE-1 o Non-adaptively secure ⇒ adaptive security o Idea #1 [Chase-K-10] o replace encryption scheme with symmetric non-committing encryption o only requires a PRF + XOR o  : doesn’t work for dynamic data o Idea #2 o Use RO + XOR

  21. Limitations of SSE-1 o Static data ⇒ dynamic data o Problem #1: o given new file F N = (AAPL, …, MSFT) o append node for F to list of every w i in F MSFT 1. Over unencrypted index F2 F10 F11 FN GOOG F2 F8 F14 AAPL F1 F2 FN Enc( • ) IBM F4 F10 F12 F K (GOOG) Enc( • ) F K (IBM) 2. Over encrypted index ??? Enc( • ) F K (AAPL) Enc( • ) F K (MSFT)

  22. Limitations of SSE-1 o Static data ⇒ dynamic data o Problem #2: o When deleting a file F 2 = (AAPL, …, MSFT) o delete all nodes for F 2 in every list MSFT 1. Over unencrypted index F2 F10 F11 GOOG F2 F8 F14 AAPL F1 F2 Enc( • ) IBM F4 F10 F12 F K (GOOG) Enc( • ) F K (IBM) 2. Over encrypted index ??? Enc( • ) F K (AAPL) Enc( • ) F K (MSFT)

  23. Limitations of SSE-1 o Static data ⇒ dynamic data o Idea #1 o Memory management over encrypted data o Encrypted free list o Idea #2 o List manipulation over encrypted data o Use homomorphic encryption (here just XOR) so that pointers can be updated obliviously o Idea #3 o d eletion is handled using an ‚dual‛ SSE scheme o given deletion/search token for F 2 , returns pointers to F 2 ‘s nodes o then add them to the free list homomorphically

  24. Outline o Motivation o Related work & our approach o CS2 building blocks o Symmetric searchable encryption o Search authenticators o Proofs of storage o CS2 Protocols o for standard search o for assisted search o Experiments

  25. Limitations of Verifiable Computation o Inefficient ⇒ practical o Idea #1 o Design special-purpose scheme (i.e., just for verifying search) o Idea #2 o Use Merkle Tree ‚on top‛ of inverted index o For keyword w: we efficiently verify its posting list and associated files o Generating proof is O(w*) instead of O(n) o Static ⇒ dynamic o Idea #1 o Replace bottom hash with incremental hash [Bellare-Goldreich-Goldwasser94, Bellare-Micciancio97] o

  26. Search Authenticators 1. Build inverted/reverse index MSFT F2 F10 F11 GOOG F2 F8 F14 AAPL F1 F2 IBM F4 F10 F12 IH IH IH IH F2 F2 F1 F4 F10 F8 F10 2. Build Merkle tree w/ IH at leaves F2 F11 F14 F12 Problem: hash functions are not hiding! MSFT GOOG AAPL IBM

  27. Search Authenticators 2’. Build Merkle tree w/ IH at leaves over encrypted files Problem: server has file encryptions so he can 1. IH a set of files 2. check result against a leaf hash 3. determine if files contain common keyword IH IH IH IH MSFT GOOG AAPL IBM

  28. Search Authenticators 2’’. Build Merkle tree w/ IH at leaves over keyed hash of encrypted files Problem: server has file encryptions so he can 1. IH a set of files 2. check result against a leaf hash 3. determine if files contain common keyword IH IH IH IH F K ( ) F K ( ) F K ( ) MSFT GOOG AAPL IBM

  29. Proofs of Storage

  30. CS2 Protocols

  31. CS2 Protocols o Standard search o User searches for w o Server returns documents w/ w o Relatively straightforward combination of (dynamic) SSE, PoS & SA o Assisted search o User searches for w o Server returns summaries of files with w o User chooses a subset to retrieve o Server returns subset of files with w o More complex combination of (dynamic) SSE, PoS, SA + CRHF o Search can be more efficient (since less data is returned)

  32. CS2 Protocols o Definitions in ideal/real-world model o Cloud storage w/ standard search o Cloud storage w/ assisted search o  o easier to use within larger protocols (i.e., hybrid security models ) o Single definition for all desired properties o guarantees composition of underlying primitives is OK o  : definitions & proofs are complicated o Protocols make black-box use of primitives o  : modularity -- replace underlying primitives

  33. Experiments

  34. Implementation o C++ o Microsoft Cryptography API: Next Generation o RO: SHA256 o PRFs: HMAC-SHA256 o SKE: 128-bit AES/CBC o Bignum library o Prime fields o We test only the crypto overhead o No file transfers over network o No reading from disk o No indexing costs

  35. Experiments o Intel Xeon CPU 2.26 GHz o Windows Server 2008 o 4 datasets o Email (enron): 4MB, 11MB, 16MB o ≈ every byte is a word o Office docs: 8MB, 100MB, 250MB, 500MB o Relatively few keywords o Media (MP3,WMA, JPG,...): 8MB, 100MB, 250MB, 500MB o Barely any keywords o Average over 10 executions

  36. STORE o Total o Distribution o Email (16MB): 2 mins o Verifiability: 2/3 of cost o Office (500MB) :1.5 mins o SSE: 1/3 cost o Media (500MB): 30 s o PoS: negl o Email (16GB): 40/15 hours

  37. SEARCH o Total o Distribution o Email (16MB): 0.5 secs o Client verification: 80% o Office (500MB): 0.1 secs o Client decryption: 10% o Media (500MB): 0.025 secs o Server search + proof: 10%

  38. CHECK o Total o Distribution o Email (16MB): 12 secs o Server Proof: 95% o Office (500MB): 12 secs o Client verify: 5% o Media (500MB): 12 secs

  39. ADD o Total o Distribution o Email (16MB): 1.5 secs o Email (16MB) o 40% client auth state update o Office (500MB): 1.5 secs o 40% server auth update o Media (500MB): 1.5 secs o 20% add token

  40. DELETE o Total o Distribution o Email (16MB): 1.5 secs o 40% server auth update o Office (500MB): 0.7 secs o 40% client auth update o Media (500MB): negl o 20% server index update

  41. Summary o New Crypto o Dynamic and CKA2-secure SSE with sub-linear search o Sub-linear verifiable computation for search o Unbounded dynamic PDP o New Protocols o Ideal/real-world definitions for secure cloud storage o Protocol for standard search o Protocol for assisted search o Implementation & experiments o First experimental results for sub-linear SSE o Identified verification as bottleneck o Office docs seem to be the best workload

  42. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Searchable Encryption Prepared for 600.624 February 9, 2006 Outline Motivation of

Searchable Encryption Prepared for 600.624 February 9, 2006 Outline Motivation of

Searchable Encryption Prepared for 600.624 February 9, 2006 Outline Motivation of Searchable Encryption Searchable Encryption Constructions of Song, Wagner and Perrig Discussion Related Work Conjunctive Keyword

753 views • 51 slides
Searchable Security Scheme for Cloud NoSQL Mohammad Ahmadian ahmadian@knights.ucf.edu Advisor:

Searchable Security Scheme for Cloud NoSQL Mohammad Ahmadian ahmadian@knights.ucf.edu Advisor:

Searchable Security Scheme for Cloud NoSQL Mohammad Ahmadian ahmadian@knights.ucf.edu Advisor: Professor Dan C. Marinescu University of Central Florida September 16, 2017 Mohammad Ahmadian (UCF) Secure NoSQL September 16, 2017 1 / 48 Goal

1.31k views • 79 slides
Searchable Encryption From Theory to Implementation Raphael Bost Direction Gnrale de

Searchable Encryption From Theory to Implementation Raphael Bost Direction Gnrale de

Searchable Encryption From Theory to Implementation Raphael Bost Direction Gnrale de lArmement - Maitrise de lInformation & Universit de Rennes 1 ECRYPT NET Workshop - Crypto for the Cloud & Implementation - 28/06/2017

793 views • 43 slides
Cryptographic Cloud Storage: a proposal a proposal Seny Kamara, Kristin Lauter Cryptography

Cryptographic Cloud Storage: a proposal a proposal Seny Kamara, Kristin Lauter Cryptography

Cryptographic Cloud Storage: a proposal a proposal Seny Kamara, Kristin Lauter Cryptography Group Microsoft Research Applications/Scenarios Secure Outsourcing for Business Electronic Health Records Interactive Scientific Publishing

452 views • 4 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage Presented by: Keegan Sherman and Pardeep Banwait Searchable Symmetric Encryption Allows a user to store a collection of encrypted documents and

350 views • 24 slides
FORWARD PRIVATE SEARCHABLE ENCRYPTION & BEYOND 22/02/2017 MIT - RAPHAEL BOST DATE

FORWARD PRIVATE SEARCHABLE ENCRYPTION & BEYOND 22/02/2017 MIT - RAPHAEL BOST DATE

FORWARD PRIVATE SEARCHABLE ENCRYPTION & BEYOND 22/02/2017 MIT - RAPHAEL BOST DATE Searchable Encryption Outsource data securely keep search functionalities Generic Solutions Fully Homomorphic Encryption, MPC, ORAM

578 views • 37 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Encrypted Cloud Storage David Cash Paul Grubbs Jason Perry Tom Ristenpart Rutgers U Skyhigh

Encrypted Cloud Storage David Cash Paul Grubbs Jason Perry Tom Ristenpart Rutgers U Skyhigh

Security of Searchable Encrypted Cloud Storage David Cash Paul Grubbs Jason Perry Tom Ristenpart Rutgers U Skyhigh Networks Lewis U Cornell Tech Outsourced storage and searching client cloud provider give me all records containing

508 views • 36 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides
Sophos and Diane Searchable Symmetric Encryption with (Very) Low Overhead Raphael Bost, Brice

Sophos and Diane Searchable Symmetric Encryption with (Very) Low Overhead Raphael Bost, Brice

Sophos and Diane Searchable Symmetric Encryption with (Very) Low Overhead Raphael Bost, Brice Minaud RHUL ISG seminar, November 24th 2016 Plan 1. Symmetric Searchable Encryption. 2. Leakage and Forward-Privacy. 3. Sophos and Diane schemes. 4.

479 views • 45 slides
How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

Department of Informatics Security and Privacy Maximilian Blochberger How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic pitfalls by design Goal Raise awareness of cryptographic misuse Disclaimer

910 views • 29 slides
Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A

Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A

Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A test key T w that allows one to test if Dec SK (C) = w Searchable Encryption A test key T w that allows one to test if Dec SK (C) = w No other

1.62k views • 116 slides
Exploi'ng Leakage in Searchable Encryp'on and Machine

Exploi'ng Leakage in Searchable Encryp'on and Machine

Exploi'ng Leakage in Searchable Encryp'on and Machine Learning Tom Ristenpart Covering joint work with : David Cash, Paul Grubbs, Jason Perry

875 views • 56 slides
Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1 Yesterday Motivation for searchable encryption First SSE scheme [SWP00] Attacks on [SWP00] Conjunctive SSE [GSW04,PKL04,BKM05] 2

703 views • 24 slides
Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web

Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web Storage Crypto on the Web Motivations Formal analysis of cryptographic web

1.19k views • 106 slides
The Tor Project Our mission is to be the global resource for technology, advocacy, research and

The Tor Project Our mission is to be the global resource for technology, advocacy, research and

The Tor Project Our mission is to be the global resource for technology, advocacy, research and education in the ongoing pursuit of freedom of speech, privacy rights online, and censorship circumvention. 1 2 3 4 5 We h a v e a p r

640 views • 33 slides
Using Google Earth for Remote Teaching GSA / NAGT June 16, 2020 Digital Field Tools 11:00 am

Using Google Earth for Remote Teaching GSA / NAGT June 16, 2020 Digital Field Tools 11:00 am

Using Google Earth for Remote Teaching GSA / NAGT June 16, 2020 Digital Field Tools 11:00 am MDT Webinar Series 1:00 pm EDT Using Google Earth for Remote Teaching Presenters: Steve Whitmeyer (James Madison University) Drew L askowski

292 views • 27 slides
Logging in to Google Classroom & Clever Getting Started Your child was provided with a

Logging in to Google Classroom & Clever Getting Started Your child was provided with a

Logging in to Google Classroom & Clever Getting Started Your child was provided with a secure login and password that is unique to them. Check with his/her teacher to obtain this private information. Your child will use this login to

517 views • 12 slides
From a pipeline to a government cloud Toby Lorne SRE @ GOV.UK Platform-as-a-Service

From a pipeline to a government cloud Toby Lorne SRE @ GOV.UK Platform-as-a-Service

From a pipeline to a government cloud Toby Lorne SRE @ GOV.UK Platform-as-a-Service www.toby.codes github.com/tlwr github.com/alphagov From a pipeline to a government cloud How the UK government deploy a Platform-as-a-Service using

978 views • 75 slides
Multilingual Europe As A Challenge for Language Technology Ryan McDonald Google NLU team

Multilingual Europe As A Challenge for Language Technology Ryan McDonald Google NLU team

Multilingual Europe As A Challenge for Language Technology Ryan McDonald Google NLU team Google Linguistics team Universal Dependencies Group Europe & the Internet 54% 32% 14% other ~600M internet users (~80% internet penetration)

566 views • 21 slides
Data Visualisation with Google Fusion Tables Workshop Exercises Dr Luc Small | 12 April 2017 |

Data Visualisation with Google Fusion Tables Workshop Exercises Dr Luc Small | 12 April 2017 |

Data Visualisation with Google Fusion Tables Workshop Exercises Dr Luc Small | 12 April 2017 | 1.5 Data Visualisation with Google Fusion Tables Page 1 of 33 1 Introduction Google Fusion Tables is shaping up to be a powerful and accessible data

695 views • 33 slides
HTTP 2.0 WebRTC Why now? What is it? Ilya Grigorik - @igrigorik Web Performance Engineer

HTTP 2.0 WebRTC Why now? What is it? Ilya Grigorik - @igrigorik Web Performance Engineer

HTTP 2.0 WebRTC Why now? What is it? Ilya Grigorik - @igrigorik Web Performance Engineer Google "a protocol designed for low-latency transport of content over the World Wide Web" Improve end-user perceived latency Address the

923 views • 57 slides
OAKS ACADEMIC TECHNOLOGY AWARD Rebecca L. Cooney, MS Clinical Associate Professor The Edward R.

OAKS ACADEMIC TECHNOLOGY AWARD Rebecca L. Cooney, MS Clinical Associate Professor The Edward R.

OAKS ACADEMIC TECHNOLOGY AWARD Rebecca L. Cooney, MS Clinical Associate Professor The Edward R. Murrow College of Communication 2019 award recipient P roduce. L earn. A chieve. N etwork. AWARD OVERVIEW OAKS ACADEMIC TECHNOLOGY AWARD

562 views • 10 slides

More recommend