Key Regression Fu, Kamara, Kohno Divya Muthukumaran Content - PowerPoint PPT Presentation

Key Regression Fu, Kamara, Kohno Divya Muthukumaran

Content Distribution  Content publishers -> Content distribution  Outsourcing storage and distribution  Content distribution Networks:  Akamai  SpeedEra  MirrorImage..  Access Control ?

Storage System Players  Possible attacks? Owners r w Writer Readers s Storage Server

Storage System Players  Possible attacks? Owners  On the stored data r w  On the wire  Kinds of attacks Readers Writers  Leak attacks  Change  Destroy Storage Server

Storage System Players  Enrypt-on-the-wire Owners  Trust the server r w  Encrypt-on-disk  Store encrypted Writer Readers s  Untrusted Server Storage Server

Storage System Players  Security Primitives Owners  Authentication r w  Authorization  Securing data on disk Writer Readers s  Securing data on the wire  Key distribution  Revocation Storage Server

PLUTUS  Untrusted server  Trusted client  Decentralized key distribution  Client based – customizable  Encrypt-on-disk  Server verifies writes  Integrity + Prevent readers from Writing  Asymmetric Encryption

System Overview File Owners Readers Writers

System Overview File Owners + File Verify + File Sign key (e,N) Key (d,N) Readers Writers Lockbox

System Overview File Group Owners + File Verify + File Sign key (e,N) Key (d,N) Readers Writers

Revocation: Get out and Stay out!  Expensive for Encrypt-on-disk system. Why?  Re-encryption  all content with new key  Re-Distribute  new keys to all the readers and writers

Lazy Revocation  Delay the encryption  Because revoked users could have cached the data available earlier  For the clients  Too many keys to be maintained  A new key after each revocation  File Groups:  Multiple keys associated with a single file group

File Group 13

Key Rotation  Wind and Unwind keys  Only owners can wind keys (Forward)  Readers can unwind keys(Backward)  How?  RSA  Owners : : K v +1 = K d v mod N . is the file-lockbox key associated  Readers: then K w − 1 = K e w mod N 14

Key Rotation K id mod N K jd mod N K ld mod N Ki Kj Kl Km K ie mod N K je mod N K le mod N 15

What is wrong with this?  Pseudo Randomness!!  Given K l can you say anything about it?  If you are a revoked user , you have K i  UnWind K l  If you get Ki you have the current key Kl  Else Ki’ is not Ki. So what you have is not the current key Kl.  Pseudo randomness Vs Predictability. 16

Why is Pseudo-randomness Important?  How can you attack the system?  Cannot use these keys output by key rotation to key other crypto constructs like symmetric encryption schemes and MACs 17

The Fi  Member states : stm i  Do not give key directly  K i derived from stm i No path from K l to stm i !! Can distinguish future member states from random. 18

Key Rotation Vs Regression K id mod N K jd mod N K ld mod N Ki Kj Kl Km 19

Construction  Four algorithms  Setup - Random oracle H ,publisher state stp  Wind - stp, <stp’, stm i >  Unwind - stm i, stm i-1  Key derivation - stm i, K i  Constructs  KR-SHA  KR-AES  KR-RSA 20

Proving Hardness  Theorem: Key regression scheme built with a secure PRG(pseudo-random bit generator) is KR-Secure  Reduce each of the KR-AES,KR-SHA, KR-RSA to a KR-PRG  QED 21

Implementation & Evaluation  Integrated key regression into a secure file system  Key regression significantly reduces the bandwidth requirements of the publisher while distributing keys  KR-AES can perform more than four times as many unwinds/sec than KR-SHA1 22

Real-World applications  Efficient Low cost subscription models  Plenty of multimedia content distributed over p2p  Distributing software 23

Take Away ?  Your Idea can be described in 2 lines. But if you can formally prove it you got yourself a 39 page paper! 24