Secure Outsourcing Computation Li Xiong Outline Cloud computing - - PowerPoint PPT Presentation

Li Xiong

Secure Outsourcing Computation

CS573 Data Privacy and Security

Outline

• Cloud computing
• Computing on encrypted data
• Homomorphic encryption

What is Cloud Computing?

Cloud computing

• Type of computing that relies on sharing computing

resources rather than having local servers or personal devices to handle applications

• New computing paradigm, involving data and/or

computation outsourcing, with

– Infinite and elastic resource scalability

• Ability to quickly scale in/out service

– On demand “just-in-time” provisioning – No upfront cost … pay-as-you-go

• That is, use as much or as less you need, use only

when you want, and pay only what you use,

3

Cloud Service Models

• Cloud computing means selling “X as a service”
• Cloud Software as a Service (SaaS)

– Use provider’s applications over a network – User doesn’t manage or control the network, servers, OS, storage or applications

• Cloud Platform as a Service (PaaS)

– Users deploy their consumer-created applications using programming language tools supported by the provider

• n a cloud

– Users control their apps – Users don’t manage underlying cloud infrastructure, network, servers, OS, storage

4

Cloud Service Models (Cont.)

• Cloud Infrastructure as a Service (IaaS)

– Rent processing, storage, network capacity, and

• ther fundamental computing resources

– Consumers gets access to the infrastructure to deploy their stuff – Don’t manage or control the infrastructure – Do manage or control the OS, storage, apps, selected network components

5

Cloud computing architecture

6

e.g., Web browser SaaS , e.g., Google Docs PaaS, e.g., Google AppEngine IaaS, e.g., Amazon EC2 Elastic Computing Cloud: web service that provides resizable compute capacity in the cloud

Cloud Deployment Models

• Private cloud

– Operated solely for an organization (single org only) – managed by the org or a 3rd party, – on or off premise

• Community cloud

– shared infrastructure for specific community that has shared concerns

• (e.g., mission, security requirements, policy, and compliance

considerations)

– several orgs that have shared concerns, – managed by org or a 3rd party

7

Cloud Deployment Models (Cont.)

• Public cloud

– available to the general public or a large industry group – Sold to the public, mega-scale infrastructure

• Hybrid cloud

– composition of two or more clouds – bound by standard or proprietary technology that enables data and application portability

8

So, if cloud computing is so great, why aren’t everyone doing it?

9

Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks

Companies are still afraid to use clouds

10

[Chow09ccsw]

General Security Challenges

• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Obtaining support for investigations
• Indirect administrator accountability
• Proprietary implementations can’t be examined
• Loss of physical control

11

Anatomy of fear …

Confidentiality

– Will the sensitive data stored on a cloud remain confidential? Will cloud compromises leak confidential client data (i.e., fear of loss of control

• ver data)

– Will the cloud provider itself be honest and won’t peek into the data?

12

Anatomy of fear …

Integrity

– How do I know that the cloud provider is doing the computations correctly? – How do I ensure that the cloud provider really stored my data without tampering with it?

13

Anatomy of fear …

Availability

– Will critical systems go down at the client, if the provider is attacked in a Denial of Service attack? – What happens if cloud provider goes out of business?

14

Anatomy of fear …

Privacy issues raised via massive data mining

– Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients

15

Anatomy of fear …

Increased attack surface

– Entity outside the organization now stores and computes data, and so – Attackers can now target the communication link between cloud provider and client – Cloud provider employees can be phished

16

Anatomy of fear …

Legal quagmire and transitive trust issues

– Who is responsible for complying with regulations (e.g., HIPAA)? – If cloud provider subcontracts to third party clouds, will the data still be secure?

What we need is to …

• Adapt well known techniques for resolving

some cloud security issues

• Perform new research and innovate to make

clouds secure

Traditional systems security vs Cloud Computing Security

Securing a traditional system Securing a cloud

19

Traditional systems security vs Cloud Computing Security

Securing a house Securing a motel Owner and user are

• ften the same entity

Owner and users are almost invariably distinct entities Analogy

20

Traditional systems security vs Cloud Computing Security

Securing a house Securing a motel Biggest user concerns Securing perimeter Checking for intruders Securing assets Biggest user concern Securing room against (the bad guy in next room | hotel owner)

21

Data Privacy and Security in Cloud: Overview

• Novel attacks
• Trustworthy cloud architectures
• Data integrity and availability
• Computation integrity
• Data and computation privacy
• Data forensics
• Misbehavior detection
• Malicious use of clouds

22

Co-tenancy in clouds creates new attack vectors

A cloud is shared by multiple users Malicious users can now legally be in the same infrastructure Misusing co-tenancy, attackers can launch side channel attacks on victims

Example: the Topology attack on Amazon EC2 (“Hey You! Get

• ff of my Cloud …” CCS 2009)

Research question: How to prevent attackers from exploiting co-tenancy in attacking the infrastructure and/or other clients?

23

Today’s cloud architectures act like big black boxes

24

Clients have no idea of or control over what is happening inside the cloud Clients are forced to trust cloud providers completely Research Question: How do we design cloud computing architectures that are semi-transparent and provide clients with control over security?

Existing Approaches: TCCP (uses TPM), CloudProof

Today’s clouds provide no guarantee about outsourced data

Amazon’s Terms of services

25

Today’s clouds provide no guarantee about outsourced data

Research Question: How can clients get assurance/proofs that the cloud provider is actually storing data, is not tampering with data, and can make the data available on-demand? Problem: Dishonest cloud providers can throw data away or lose data. Malicious intruders can delete or tamper with data. Clients need reassurance that the outsourced data is available, has not been tampered with, and remains confidential.

26

Example Approaches: Provable Data Possession (PDP), Proof of Retrievability (PoR), HAIL

Ensuring confidentiality of data in

• utsourced computation is difficult

27

Most type of computations require decrypting data before any computations If the cloud provider is not trusted, this may result in breach of confidentiality Research Question: How can we ensure confidentiality of data and computations in a cloud?

Existing Approaches: Homomorphic encryption, TCCP

Clients have no way of verifying computations outsourced to a Cloud

28

Scenario User sends her data processing job to the cloud. Clouds provide dataflow operation as a service (e.g., MapReduce, Hadoop etc.) Problem: Users have no way of evaluating the correctness of results

Research question: How can we verify the accuracy of outsourced computation?

Existing Approaches: Runtime Attestation, Majority voting, Redundant operations

Clouds can be used for malicious purposes

Adversaries can rent clouds temporarily to create a large scale botnet very quickly Clouds can be used for spamming, Denial of service, brute force password breaking, and other attacks Research question: How can we rapidly detect misbehavior

• f clients in a cloud?

Example: WPACracker.com – a password cracking service that claims to test 300,000,000 words in 20 minutes for $17, using a cloud

29 Botnets compromise computers whose security defenses have been breached and control ceded to a third party.

30

[Cloud Computing] is a security nightmare and it can't be handled in traditional ways.

John Chambers CISCO CEO

Data Outsourcing

• Data owner outsources its data and processing

functionalities to a cloud in order to reduced management cost and less overhead of data storage etc…

• Security implication

– Cloud cannot be fully trusted – How to outsource (delegate) the computation? – What about privacy of the outsourced computation?

Standard solution

• Data owners encrypt their data before
• utsourced to a cloud
• Perfectly solves any privacy issues
• Key challenge:

– Cannot perform any computation on the encrypted data

Naïve approach

• Disadvantages:
• The cloud cannot perform any algebraic operations
• Utilize cloud as just a storage medium
• User involves in heavy computations, impractical especially

for mobile users and large databases

• Key management

Yet…

The world was black and white

Yet…

The world was black and white

The only thing anyone did with encrypted data was … … decrypt it.

Yet…

Encryption =

What else can we do with encrypted data, anyway?

Function

f x

search query Google search Search results

x f(x)

WANT PRIVACY!

Computing on Encrypted Data

What else can we do with encrypted data, anyway?

Function

f x Enc(x) Enc(f(x))

WANT PRIVACY!

Computing on Encrypted Data

Wouldn’t it be nice to be able to…

• Encrypt my data in the cloud
• While still allowing the cloud to search/sort/edit/…

this data on my behalf

• Keeping the data in the cloud in encrypted form

– Without needing to ship it back and forth to be decrypted

Computing on Encrypted Data

Wouldn’t it be nice to be able to…

• Encrypt my queries to the cloud
• While still allowing the cloud to process them
• Cloud returns encrypted answers

– that I can decrypt

Computing on Encrypted Data

• Basic idea

– Client encrypts his data 𝑦 and sends encryption 𝐹(𝑦) to the server – The server performs some computation (evaluate function 𝑔) and returns the encrypted result to the client – The client decrypts the result to find out the answer but the server learns nothing about the data that he computed on

• Way to perform computations on encrypted data

– Homomorphic encryption

Encrypted Cloud Computing

Alice Server (Cloud) (Input: data x, secret key sk) “I want 1) the cloud to process my data 2) even though it is encrypted.

Encpk[f(x)] Encpk(x) function f f(x)

Run Eval[ f, Encpk(x) ] = Encpk[f(x)]

This could be encrypted too.

Delegation: Should cost less for Alice to encrypt x and decrypt f(x) than to compute f(x) herself.

RSA

RSA: The first and most popular asymmetric encryption

𝐹 𝑛 = 𝑛𝑓 (mod 𝑜) D 𝑑 = 𝑑𝑒 (mod 𝑜)

Computing on Encrypted Data

Some people noted the algebraic structure in RSA… 𝐹 𝑛1 = 𝑛1𝑓 𝐹 𝑛2 = 𝑛2𝑓

Ergo … 𝐹 𝑛1 × 𝐹 𝑛2

= 𝑛1𝑓 × 𝑛2𝑓 = (𝑛1 × 𝑛2)𝑓 = 𝐹(𝑛1 × 𝑛2) 𝐹 𝑛1 × 𝐹 𝑛2 = 𝐹(𝑛1 × 𝑛2)

Multiplicative Homomorphism

Computing on Encrypted Data

RSA is multiplicatively homomorphic 𝐹 𝑛1 = 𝑛1𝑓 𝐹 𝑛2 = 𝑛2𝑓

Ergo … 𝐹 𝑛1 × 𝐹 𝑛2

= 𝑛1𝑓 × 𝑛2𝑓 = (𝑛1 × 𝑛2)𝑓 = 𝐹(𝑛1 × 𝑛2) 𝐹 𝑛1 × 𝐹 𝑛2 = 𝐹(𝑛1 × 𝑛2)

Multiplicative Homomorphism

Computing on Encrypted Data

RSA is multiplicatively homomorphic 𝐹 𝑛1 = 𝑛1𝑓 𝐹 𝑛2 = 𝑛2𝑓

Ergo … 𝐹 𝑛1 × 𝐹 𝑛2

= 𝑛1𝑓 × 𝑛2𝑓 = (𝑛1 × 𝑛2)𝑓 = 𝐹(𝑛1 × 𝑛2) 𝐹 𝑛1 × 𝐹 𝑛2 = 𝐹(𝑛1 × 𝑛2)

Multiplicative Homomorphism (but not additively homomorphic)

Computing on Encrypted Data

Other Encryptions were additively homomorphic

𝐹 𝑛1 + 𝐹 𝑛2 = 𝐹(𝑛1 + 𝑛2)

Additive Homomorphism (but not multiplicatively homomorphic)

Computing on Encrypted Data

What people really wanted was the ability to do arbitrary computing on encrypted data… … and this required the ability to compute both sums and products … … on the same encrypted data set!

Computing on Encrypted Data

XOR

0 XOR 0 1 XOR 0 0 XOR 1 1 XOR 1 1 1

AND

0 AND 0 1 AND 0 0 AND 1 1 AND 1 1

Why SUMs and PRODUCTs?

SUM

=

PRODUCT

=

Computing on Encrypted Data

XOR

0 XOR 0 1 XOR 0 0 XOR 1 1 XOR 1 1 1

AND

0 AND 0 1 AND 0 0 AND 1 1 AND 1 1

Because {XOR,AND} is Turing-complete …

… any function is a combination of XOR and AND gates

Computing on Encrypted Data

Because {XOR,AND} is Turing-complete …

… any function is a combination of XOR and AND gates

Example: Indexing a database 1 1 DB index i = i1i0 return DBi i0 i1

DB3 DB2 DB0 DB1

Computing on Encrypted Data

Because {XOR,AND} is Turing-complete …

… if you can compute sums and products on encrypted bits … you can compute ANY function on encrypted inputs

E(x1) E(x2) E(x3) E(x4) E(x3 AND x4) E(x1 XOR x2) E(f(x1,x2,x3,x4))

Homomorphic encryption

• The ability to perform computations on the

ciphertext without decrypting it first

• A specific algebraic operation performed on

the plaintext is equivalent to another (possibly different) algebraic operation performed on the ciphertext

53

Homomorphic Encryption (HE)

• Procedures: KeyGen, Encrypt, Decrypt, Eval
• Semantic Security: same as for basic encryption

– It is infeasible to find two messages whose encryptions can be distinguished

• Correctness: For any function f in “supported”

family F: c1 ← Encpk(m1) … ct ← Encpk(mt) c* ← Evalpk(f, c1, …, ct) Decsk(c*) = f(m1, …, mt)

• Compactness: complexity of decrypting c* does not

depend on complexity of f

An Analogy: Alice’s Jewelry Store

 Alice wants workers to assemble raw materials into jewelry  But Alice is worried about theft:

She wants workers to process raw materials without having access.

 Alice puts raw materials in locked glovebox.  Workers assemble jewelry inside glovebox, using the gloves.  Alice unlocks box to get “results”.

Homomorphic Encryption

Somewhat Homomorphic Encryption (SWHE):

“Somewhat” means it works for some functions f

Enc[f(x)] Enc[x] f

Eval

 Pre-2009 schemes were somewhat homomorphic.

Homomorphic Encryption

Fully Homomorphic Encryption (FHE) [RAD78, Gen09]:

“Fully” means it works for all functions f

Enc[f(x)] Enc[x] f

Eval

Homomorphic encryption schemes

• Partially homomorphic encryption:

– homomorphic scheme where only one type of operation is possible (* or +)

• Multiplicative homomorphic – e.g. RSA
• Additive homomorphic, e.g. Paillier
• Somewhat homomorphic encryption:
• homomorphic scheme that can perform a limited number of

additions and multiplications

• Fully homomorphic encryption (FHE) (Gentry, 2010)

– Can perform an infinite number of additions and multiplications

58

Additive homomorphic

𝐹𝑞𝑙 and 𝐸𝑡𝑙 be the encryption and decryption functions. Given 𝑦, 𝑧 ∈ 𝑎𝑂, the AH-ENC system exhibits the following properties:

• Homomorphic Addition:

𝐸𝑡𝑙(𝐹𝑞𝑙(𝑦 + 𝑧)) = 𝐸𝑡𝑙(𝐹𝑞𝑙 (𝑦) ∗ 𝐹𝑞𝑙(𝑧))

• Homomorphic Multiplication
• Given a constant c and a ciphertext Epk(x)

𝐸𝑡𝑙(𝐹𝑞𝑙(𝑑 ∗ 𝑦)) = 𝐸𝑡𝑙 (𝐹𝑞𝑙(𝑦)𝑑 )

• Probabilistic: Let 𝑑1 = 𝐹𝑞𝑙(𝑦) and 𝑑2 = 𝐹𝑞𝑙(𝑧)

Probability for 𝑑1 ≠ 𝑑2 is very high even if 𝑦 = 𝑧

• Semantic Security:
• Given 𝐹𝑞𝑙(𝑦), an adversary cannot derive any information

about 𝑦

• Cloud stores my encrypted files: pk, Encpk(f1),…, Encpk(fn).
• Later, I want f3, but want to hide “3” from cloud.
• I send Encpk(3) to the cloud.
• Cloud runs Evalpk (F, Encpk(3), Encpk(f1),…, Encpk(fn)),

where F(n, {files}) is the function that outputs the nth file.

• It sends me the (encrypted) file f3.
• Paradox?: Can’t the cloud “see” it is sending the 3rd encrypted file?

By comparing the stored value Encpk(f3) to the ciphertext it sends?

HE Security: A Paradox?

Resolution of paradox: Semantic security implies:

• Many encryptions of f3,
• Hard to tell when two ciphertexts encrypt the same thing.

Comparison

• Partial HE is practical
• Paillier scheme can perform evaluations in milliseconds level
• However, PHEs only support one type of operation,
• e.g. additions for Paillier and multiplications for RSA
• Major problem of existing FHE schemes:
• Computation speed
• Size of ciphertext
• 780, 000 bits for encrypting a single bit
• Public key size ~ 2GB
• Bootstrapping takes 3-30 minutes

Slide partial credit: Improving the Efficiency of Homomorphic Encryption Schemes by Yin Hu, WORCESTER POLYTECHNIC INSTITUTE

Slides credits

– The Cloud Computing Paradigm, Hassan Takabi, University of Pittsburgh 2011 www.sis.pitt.edu/jjoshi/courses/IS2620/Spring11/Cloud_Hassan.ppt – Homomorphic Encryption Tutorial, Shai Halevi, IBM 2013 https://people.csail.mit.edu/shaih/pubs/Homomorphic-Encryption.survey.pptx – Fully Homomorphic Encryption I: SWHE, Shai Halevi, Simons Institute, Cryptography Boot Camp, 2015 https://simons.berkeley.edu/sites/default/files/docs/3014/1.swhe.pptx – Ragib Hasan, Johns Hopkins University – Homomorphic Encryption: WHAT, WHY, and HOW, Vinod Vaikuntanathan, University of Toronto