Key Regression Fu, Kamara, Kohno Divya Muthukumaran Content - - PowerPoint PPT Presentation

SLIDE 1

Key Regression

Fu, Kamara, Kohno Divya Muthukumaran

SLIDE 2

Content Distribution

• Content publishers -> Content distribution
• Outsourcing storage and distribution
  Content distribution networks:
    • Akamai
    • SpeedEra
    • MirrorImage..
• Access Control?

SLIDE 3

Storage System Players

• Possible attacks?

[Figure: Owners, Readers, Writers, Storage Server; labels r, w]

SLIDE 4

Storage System Players

• Possible attacks?
  • On the stored data
  • On the wire
• Kinds of attacks
  • Leak attacks
  • Change
  • Destroy

[Figure: Owners, Readers, Writers, Storage Server; labels r, w]

SLIDE 5

Storage System Players

• Encrypt-on-the-wire
  • Trust the server
• Encrypt-on-disk
  • Store encrypted
  • Untrusted server

[Figure: Owners, Readers, Writers, Storage Server; labels r, w]

SLIDE 6

Storage System Players

• Security Primitives
  • Authentication
  • Authorization
  • Securing data on disk
  • Securing data on the wire
  • Key distribution
  • Revocation

[Figure: Owners, Readers, Writers, Storage Server; labels r, w]

SLIDE 7

PLUTUS

• Untrusted server
• Trusted client
• Decentralized key distribution
  Client based – customizable
• Encrypt-on-disk
• Server verifies writes
• Integrity + Prevent readers from writing
  Asymmetric encryption

SLIDE 8

System Overview

[Figure: Writers, Readers, File, Owners]

SLIDE 9

System Overview

[Figure: Lockbox, Writers, Readers, File + File Verify key (e,N) + File Sign Key (d,N), Owners]

SLIDE 10

System Overview

[Figure: Writers, Readers, File Group + File Verify key (e,N) + File Sign Key (d,N), Owners]

SLIDE 11

Revocation: Get out and Stay out!

• Expensive for Encrypt-on-disk system. Why?
  Re-encryption: all content with new key
  Re-distribute: new keys to all the readers and writers

SLIDE 12

Lazy Revocation

• Delay the encryption
  Because revoked users could have cached the data available earlier
• For the clients
  Too many keys to be maintained
  A new key after each revocation
• File Groups:
  Multiple keys associated with a single file group

SLIDE 13

File Group

SLIDE 14

Key Rotation

• Wind and Unwind keys
  Only owners can wind keys (Forward)
  Readers can unwind keys (Backward)
• How?
  RSA
  Owners: $K_{v+1} = K_v^d \bmod N$.
  Readers: is the file-lockbox key associated then $K_{w-1} = K_w^e \bmod N$

SLIDE 15

Key Rotation

[Figure: key chain $K_i$, $K_j$, $K_l$, $K_m$; wind labels $K_i^d \bmod N$, $K_j^d \bmod N$, $K_l^d \bmod N$; unwind labels $K_l^e \bmod N$, $K_j^e \bmod N$, $K_i^e \bmod N$]

SLIDE 16

What is wrong with this?

• Pseudo Randomness!!
  Given $K_l$ can you say anything about it?
  If you are a revoked user, you have $K_i$
  • Unwind $K_l$
    • If you get $K_i$ you have the current key $K_l$
    • Else $K_i'$ is not $K_i$. So what you have is not the current key $K_l$.
• Pseudo randomness vs. Predictability.

SLIDE 17

Why is Pseudo-randomness Important?

• How can you attack the system?
• Cannot use these keys output by key rotation to key other crypto constructs like symmetric encryption schemes and MACs

SLIDE 18

The Fi

• Member states: $stm_i$
  • Do not give key directly
  • $K_i$ derived from $stm_i$

No path from $K_l$ to $stm_i$!!

Can distinguish future member states from random.

SLIDE 19

Key Rotation Vs Regression

[Figure: key chain $K_i$, $K_j$, $K_l$, $K_m$; labels $K_i^d \bmod N$, $K_j^d \bmod N$, $K_l^d \bmod N$]

SLIDE 20

Construction

• Four algorithms
  Setup - Random oracle H, publisher state stp
  Wind - stp, <stp’, $stm_i$>
  Unwind - $stm_i$, $stm_{i-1}$
  Key derivation - $stm_i$, $K_i$
• Constructs
  KR-SHA
  KR-AES
  KR-RSA
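An added example, not taken from the slides or from the paper's code: a hash-chain instance of the four algorithms listed above (setup, wind, unwind, key derivation), which is the idea behind the KR-SHA construct. SHA-256 standing in for H, the domain-separation tags, `MAX_WIND` and the helper `keys_up_to` are assumptions of this example.

```python
import hashlib
import os

MAX_WIND = 16  # assumed bound on the number of windings, fixed at setup


def _h(tag, data):
    # Domain-separated SHA-256 standing in for the random oracle H (assumption).
    return hashlib.sha256(tag + data).digest()


def setup(seed=None):
    """Publisher state stp: the full chain, computed backwards from a random end."""
    chain = [seed if seed is not None else os.urandom(32)]
    for _ in range(MAX_WIND - 1):
        chain.append(_h(b"unwind", chain[-1]))
    chain.reverse()  # chain[0] is stm_1, chain[-1] is stm_MAX_WIND
    return {"chain": chain, "next": 0}


def wind(stp):
    """Publisher only: return (stp', stm_i) for the next version i."""
    i = stp["next"]
    if i >= MAX_WIND:
        raise ValueError("no windings left; run setup again")
    return {"chain": stp["chain"], "next": i + 1}, stp["chain"][i]


def unwind(stm):
    """Any member: stm_i -> stm_{i-1}. Going forward would need a hash preimage."""
    return _h(b"unwind", stm)


def keyder(stm):
    """K_i from stm_i. One-way, so holding K_i gives no path back to stm_i."""
    return _h(b"keyder", stm)


def keys_up_to(stm, version):
    """Hypothetical helper: all keys K_1..K_version recoverable from stm_version."""
    keys = []
    for _ in range(version):
        keys.append(keyder(stm))
        stm = unwind(stm)
    return keys[::-1]
```

A member who receives only the newest `stm_i` can decrypt every earlier version, so the publisher sends one value per revocation instead of a key list.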

SLIDE 21

Proving Hardness

• Theorem: Key regression scheme built with a secure PRG (pseudo-random bit generator) is KR-Secure
• Reduce each of the KR-AES, KR-SHA, KR-RSA to a KR-PRG

QED

SLIDE 22

Implementation & Evaluation

• Integrated key regression into a secure file system
• Key regression significantly reduces the bandwidth requirements of the publisher while distributing keys
• KR-AES can perform more than four times as many unwinds/sec as KR-SHA1

SLIDE 23

Real-World applications

• Efficient Low cost subscription models
  Plenty of multimedia content distributed over p2p
  Distributing software

SLIDE 24

Take Away ?

• Your Idea can be described in 2 lines. But if you can formally prove it you got yourself a 39 page paper!