improving speed and security in updatable encryption
play

Improving Speed and Security in Updatable Encryption Systems Dan - PowerPoint PPT Presentation

Sep 02, 2023 •512 likes •1.5k views

Improving Speed and Security in Updatable Encryption Systems Dan Boneh Saba Eskandarian Sam Kim Maurice Shih Stanford University Stanford University Stanford University Cisco Systems Key Rotation Key Rotation Good Reasons to

  1. Improving Speed and Security in Updatable Encryption Systems Dan Boneh Saba Eskandarian Sam Kim Maurice Shih Stanford University Stanford University Stanford University Cisco Systems

  2. Key Rotation

  3. Key Rotation

  4. Good Reasons to Rotate Keys Recommended by NIST (Special Publication 800-57) 1.

  5. Good Reasons to Rotate Keys Recommended by NIST (Special Publication 800-57) 1. Recommended by Google (cloud.google.com/kms/docs/key-rotation) 2.

  6. Good Reasons to Rotate Keys Recommended by NIST (Special Publication 800-57) 1. Recommended by Google (cloud.google.com/kms/docs/key-rotation) 2. Required by PCI DSS (PCI DSS 3.6.4) 3.

  7. Good Reasons to Rotate Keys Recommended by NIST (Special Publication 800-57) 1. Recommended by Google (cloud.google.com/kms/docs/key-rotation) 2. Required by PCI DSS (PCI DSS 3.6.4) 3. …But Why?

  8. Good Reasons to Rotate Keys Reasons to rotate keys for data stored in the cloud: - Compromised keys need to be taken out of use - Proactive refresh of keys - Access control enforcement

  9. How to Rotate Keys in the Cloud? Idea 1: send keys to cloud

  10. How to Rotate Keys in the Cloud? Idea 1: send keys to cloud

  11. How to Rotate Keys in the Cloud? Idea 1: send keys to cloud

  12. How to Rotate Keys in the Cloud? Idea 1: send keys to cloud No Security!!

  13. How to Rotate Keys in the Cloud? Idea 2: download, re-encrypt, upload

  14. How to Rotate Keys in the Cloud? Idea 2: download, re-encrypt, upload

  15. How to Rotate Keys in the Cloud? Idea 2: download, re-encrypt, upload

  16. How to Rotate Keys in the Cloud? Idea 2: download, re-encrypt, upload

  17. How to Rotate Keys in the Cloud? Idea 2: download, re-encrypt, upload

  18. How to Rotate Keys in the Cloud? Idea 2: download, re-encrypt, upload Note: cloud must be trusted not to keep old ciphertexts

  19. How to Rotate Keys in the Cloud? Idea 2: download, re-encrypt, upload High communication and client computation cost!

  20. How to Rotate Keys in the Cloud? Idea 2: download, re-encrypt, upload Can we do better? High communication and client computation cost!

  21. Updatable Encryption [BLMR13, EPRS17, LT18, KLR19, BDGJ19] Client sends small update token Server updates ciphertext without learning key or data

  22. Our Contributions & Roadmap Improvements over prior security definitions ● Additional requirements for security Two new constructions of updatable encryption ● From Nested AES: very fast, only supports bounded updates ● From KH-PRF based on RLWE: ~500x faster than prior work Performance evaluation and comparison to prior work Recommendations for usage

  23. Security and Functionality Goals 1. Adversary without access to any key does not learn data

  24. Security and Functionality Goals 1. Adversary without access to any key does not learn data 2. Adversary with access to the current key/data cannot get more data than it has already exfiltrated after rekeying

  25. Security and Functionality Goals 1. Adversary without access to any key does not learn data 2. Adversary with access to the current key/data cannot get more data than it has already exfiltrated after rekeying 3. Client-server communication small

  26. Security and Functionality Goals 1. Adversary without access to any key does not learn data 2. Adversary with access to the current key/data cannot get more data than it has already exfiltrated after rekeying 3. Client-server communication small 4. Client computation small

  27. Security and Functionality Goals 1. Adversary without access to any key does not learn data 2. Adversary with access to the current key/data cannot get more data than it has already exfiltrated after rekeying 3. Client-server communication small 4. Client computation small Limitations 1. Server computation will be linear

  28. Security and Functionality Goals 1. Adversary without access to any key does not learn data 2. Adversary with access to the current key/data cannot get more data than it has already exfiltrated after rekeying 3. Client-server communication small 4. Client computation small Limitations 1. Server computation will be linear 2. Adversary with ongoing access to key updates will still get data

  29. Defining Security [EPRS17] Four properties to achieve: - Correctness - Compactness - Confidentiality - Integrity

  30. Defining Security [EPRS17] Four properties to achieve: - Correctness - Compactness - Confidentiality - Integrity

  31. Confidentiality Key 1 Key 2 Key 3 Key 4 Update Update Update Token 3-4 Token 1-2 Token 2-3 Attacker cannot control keys/update tokens that give a path to key used to encrypt a ciphertext

  32. Confidentiality Key 1 Key 2 Key 3 Key 4 Update Update Update Token 3-4 Token 1-2 Token 2-3 Attacker cannot control keys/update tokens that give a path to key used to encrypt a ciphertext

  33. Confidentiality Key 1 Key 2 Key 3 Key 4 Update Update Update Token 3-4 Token 1-2 Token 2-3 Attacker cannot control keys/update tokens that give a path to key used to encrypt a ciphertext

  34. Confidentiality Key 1 Key 2 Key 3 Key 4 Update Update Update Token 3-4 Token 1-2 Token 2-3 Attacker cannot control keys/update tokens that give a path to key used to encrypt a ciphertext

  35. Confidentiality Key 1 Key 2 Key 3 Key 4 Update Update Update Token 3-4 Token 1-2 Token 2-3 Attacker cannot control keys/update tokens that give a path to key used to encrypt a ciphertext

  36. Confidentiality Key 1 Key 2 Key 3 Key 4 Update Update Update Token 3-4 Token 1-2 Token 2-3 Our definitions additionally require hiding ciphertext age from attacker

  37. Confidentiality Key 1 Key 2 Key 3 Key 4 Update Update Update Token 3-4 Token 1-2 Token 2-3 Our definitions additionally require hiding ciphertext age from attacker

  38. Building Updatable Encryption [BLMR13, EPRS17]

  39. Building Updatable Encryption [BLMR13, EPRS17] Ciphertext header Ciphertext Body header header Body Body ...

  40. Building Updatable Encryption [BLMR13, EPRS17] Ciphertext header Header Ciphertext Body header header Body Body ...

  41. Building Updatable Encryption [BLMR13, EPRS17] Ciphertext header Header Rekey Token Ciphertext Body header header Body Body ...

  42. Building Updatable Encryption [BLMR13, EPRS17] Ciphertext header Header Rekey Token Ciphertext Body header header Body Body ...

  43. Building Updatable Encryption [BLMR13, EPRS17] Ciphertext header Header Rekey Token Ciphertext Body header header Body Body ...

  44. Building Updatable Encryption [BLMR13, EPRS17] “Ciphertext-dependent” model Ciphertext header Header Rekey Token Ciphertext Body header header Body Body ...

  45. Updatable Encryption from Nested AES Very fast, simple scheme Only requires authenticated encryption (AES-GCM) and a PRG

  46. Updatable Encryption from Nested AES Very fast, simple scheme Only requires authenticated encryption (AES-GCM) and a PRG Caveats: Only works for a bounded number of re-encryptions, decided at - encryption time - Decryption time will be linear in the number of re-encryptions

  47. Updatable Encryption from Nested AES Ciphertext header Ciphertext Body Header key

  48. Updatable Encryption from Nested AES Ciphertext header Ciphertext Body Body key used for this lock held in ciphertext header Header key

  49. Updatable Encryption from Nested AES Ciphertext header Ciphertext Body Header key

  50. Updatable Encryption from Nested AES Ciphertext header Body key Ciphertext header Ciphertext Body Header key

  51. Updatable Encryption from Nested AES Ciphertext header Ciphertext header Ciphertext Body Header key

  52. Updatable Encryption from Nested AES Ciphertext header Ciphertext header Body key Ciphertext header Ciphertext Body Header key

  53. Updatable Encryption from Nested AES Ciphertext header Ciphertext header Ciphertext header Ciphertext Body Header key

  54. Updatable Encryption from Nested AES Re-Encryption: wrap previous layer Ciphertext header Decryption: unwrap all layers Ciphertext header Ciphertext header Ciphertext Body

  55. Updatable Encryption from Nested AES Re-Encryption: wrap previous layer Ciphertext header Decryption: unwrap all layers Ciphertext header Ciphertext header Issue: leaks ciphertext age Ciphertext Body

  56. Updatable Encryption from Nested AES Re-Encryption: wrap previous layer Ciphertext header Decryption: unwrap all layers Ciphertext header Ciphertext header Issue: leaks ciphertext age Ciphertext Body Note: this satisfies prior definitions

  57. Updatable Encryption from Nested AES How to hide ciphertext age? Ciphertext header Ciphertext header Ciphertext header Ciphertext Body

  58. Updatable Encryption from Nested AES How to hide ciphertext age? Ciphertext header Ciphertext header Idea 1: pad up to fixed max size Ciphertext header with random data Ciphertext Body

  59. Updatable Encryption from Nested AES How to hide ciphertext age? Ciphertext header Ciphertext header Idea 1: pad up to fixed max size Ciphertext header with random data But this ruins integrity Ciphertext Body

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Improving Speed and Security in Updatable Encryption Schemes Dan Boneh Saba Eskandarian

Improving Speed and Security in Updatable Encryption Schemes Dan Boneh Saba Eskandarian

Improving Speed and Security in Updatable Encryption Schemes Dan Boneh Saba Eskandarian Sam Kim Maurice Shih Stanford University Stanford University Stanford University Cisco Systems Key Rotation Key Rotation Good Reasons to

1.2k views • 109 slides
Updatable Encryption & Key Rotation Anja Lehmann IBM Research Zurich (R)CCA Secure

Updatable Encryption & Key Rotation Anja Lehmann IBM Research Zurich (R)CCA Secure

Updatable Encryption & Key Rotation Anja Lehmann IBM Research Zurich (R)CCA Secure Updatable Encryption with Integrity Protection. EUROCRYPT 2019 M Klooss, A Lehmann, A Rupp Updatable Encryption with Post-Compromise Security. EUROCRYPT

1.08k views • 46 slides
Updatable Encryption with Post-Compromise Security Anja Lehmann & Bjrn Tackmann IBM

Updatable Encryption with Post-Compromise Security Anja Lehmann & Bjrn Tackmann IBM

Updatable Encryption with Post-Compromise Security Anja Lehmann & Bjrn Tackmann IBM Research Zurich Motivation | Outsourced Storage Data owner stores encrypted data at (untrusted) data host symmetric encryption Proactive

763 views • 24 slides
Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian University of Science and

Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian University of Science and

Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian University of Science and Technology (NTNU), Norway 2 Bergische Universitt Wuppertal, Germany 1 Colin Boyd 1 Gareth T. Davies 2 Kristian Gjsteen 1 Yao Jiang 1 Table of contents

578 views • 46 slides
Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency ASIACRYPT 2013 Kwangsu Lee, Seung Geol Choi, Dong Hoon Lee, Jong Hwan Park and Moti Yung Korea University, US Naval Academy, Korea

993 views • 26 slides
Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Defining Encryption (ctd.) Lecture 3 CPA/CCA security Computational Indistinguishability Pseudo-randomness, One-Way Functions Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too strong (though too

1.36k views • 113 slides
HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang,

HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang,

HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang, Heiner Litz, David R. Cheriton Stanford University DAMON14 Database Indexing Databases use precomputed indexes to speed up processing avoid

518 views • 18 slides
Updatable Security Views Nate Foster Benjamin Pierce Steve Zdancewic University of Pennsylvania

Updatable Security Views Nate Foster Benjamin Pierce Steve Zdancewic University of Pennsylvania

Updatable Security Views Nate Foster Benjamin Pierce Steve Zdancewic University of Pennsylvania IBM PLDay 09 2 2 Pennsylvania yanks voter site after data leak Passport applicant finds massive privacy breach Privacy issue

728 views • 40 slides
Fast Software Encryption (and Decryption)? Rumpsession FSE 2007 SPEED Software Performance

Fast Software Encryption (and Decryption)? Rumpsession FSE 2007 SPEED Software Performance

Do you care about Fast Software Encryption (and Decryption)? Rumpsession FSE 2007 SPEED Software Performance Enhancement for Encryption and Decryption June 11. & 12. 2007 Amsterdam An ECRYPT/VAMPIRE workshop on software speeds for

300 views • 4 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should

Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should

Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should not reveal the persons height Shafi Goldwasser and Silvio Micali, 1982 1 Design of Encryption Algorithms Encryption algorithms are

421 views • 7 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense Lecture 2 Page 1 CS 236 Online Physical Security Lock up your computer Actually,

465 views • 35 slides
Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Provable Security Meets the Real World Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH Binary Packet Protocol IPsec MAC-then-Encrypt Lessons learned? 2 Outline RSA encryption in PKCS#1

948 views • 61 slides
5/15/2019 Improving the Agenda speed of payment Speed of Payment Introduction under the

5/15/2019 Improving the Agenda speed of payment Speed of Payment Introduction under the

5/15/2019 Improving the Agenda speed of payment Speed of Payment Introduction under the new Prompt Payment Applicability of Prompt Payment Construction Act The Proper Invoice Payment Terms Certification of

357 views • 9 slides
TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals

TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals

TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals are *NOT* At rest encryption Best practices for web/HTTP going to encryption How perfectly and good we are- we made

529 views • 18 slides
Fast Regularization Paths via Coordinate Descent Trevor Hastie Stanford University joint work

Fast Regularization Paths via Coordinate Descent Trevor Hastie Stanford University joint work

useR! 2009 Trevor Hastie, Stanford Statistics 1 Fast Regularization Paths via Coordinate Descent Trevor Hastie Stanford University joint work with Jerome Friedman and Rob Tibshirani. useR! 2009 Trevor Hastie, Stanford Statistics 2 Linear

351 views • 33 slides
Whats Calculus? Answer: Next semester! (Fundamental Theorem of Calculus, by Newton and

Whats Calculus? Answer: Next semester! (Fundamental Theorem of Calculus, by Newton and

Whats Calculus? Answer: Next semester! (Fundamental Theorem of Calculus, by Newton and Leibniz.) Virtually all of modern science uses calculus! Physics, engineering, statistics, biology (modeling), etc. This semester: Differential Calculus.

552 views • 17 slides
High-speed and Programmable Networks ECE/CS598HPN Instructor: Radhika Mittal History of

High-speed and Programmable Networks ECE/CS598HPN Instructor: Radhika Mittal History of

High-speed and Programmable Networks ECE/CS598HPN Instructor: Radhika Mittal History of Internet 1876: Alexander Graham Bell invented telephone. History of Internet 1876: Alexander Graham Bell invented telephone. Such a design cannot scale!

580 views • 22 slides
NUMFabric: Fast and Flexible Bandwidth Allocation in Datacenters Kanthi Nagaraj (Stanford),

NUMFabric: Fast and Flexible Bandwidth Allocation in Datacenters Kanthi Nagaraj (Stanford),

NUMFabric: Fast and Flexible Bandwidth Allocation in Datacenters Kanthi Nagaraj (Stanford), Dinesh Bharadia(M.I.T.), Mohammad Alizadeh (M.I.T.), Hongzi Mao (M.I.T.), Sandeep Chinchali (Stanford) and Sachin Katti(Stanford) Sigcomm 2016

450 views • 25 slides
DENSELY CONNECTED CONVOLUTIONAL NETWORKS Gao Huang*, Zhuang Liu*, Laurens van der Maaten, Kilian

DENSELY CONNECTED CONVOLUTIONAL NETWORKS Gao Huang*, Zhuang Liu*, Laurens van der Maaten, Kilian

Best paper award DENSELY CONNECTED CONVOLUTIONAL NETWORKS Gao Huang*, Zhuang Liu*, Laurens van der Maaten, Kilian Q. Weinberger Cornell University Tsinghua University Facebook AI Research CVPR 2017 CONVOLUTIONAL NETWORKS LeNet AlexNet VGG

626 views • 23 slides
Context This talk is about software for finite field arithmetic ( + . . . ; most

Context This talk is about software for finite field arithmetic ( + . . . ; most

The mp F q library and implementing curve-based key exchanges (yet another finite field library) Emmanuel Thom e, Pierrick Gaudry p. 1/21 Context This talk is about software for finite field arithmetic ( + . . . ; most

539 views • 25 slides
Fast-SCNN: Fast Semantic Segmentation Network Rudra PK Poudel Stephan Liwicki Roberto Cipolla

Fast-SCNN: Fast Semantic Segmentation Network Rudra PK Poudel Stephan Liwicki Roberto Cipolla

Fast-SCNN: Fast Semantic Segmentation Network Rudra PK Poudel Stephan Liwicki Roberto Cipolla Cambridge Research Laboratory Toshiba Research Europe, UK BMVC 2019 R. Poudel et al. (CRL) Fast-SCNN: Fast Semantic Segmentation Network BMVC 2019

252 views • 24 slides
Slides and Flumes L-Resin Transfer Moulding (L-RTM) Sliden Roll Technology Flume Slides

Slides and Flumes L-Resin Transfer Moulding (L-RTM) Sliden Roll Technology Flume Slides

Slides and Flumes L-Resin Transfer Moulding (L-RTM) Sliden Roll Technology Flume Slides Flume Slide Special Effects L-Resin Transfer Moulding (L-RTM) Hippo offer a fantastic range of fmume slides including L-RTM (Light- Resin Transfer

420 views • 6 slides

More recommend