

SLIDE 1

Social Networking with Frientegrity:
Privacy and Integrity with an Untrusted Provider

Ariel J. Feldman
Princeton / UPenn

Joint work with:
Aaron Blankstein, Michael J. Freedman, and Edward W. Felten

Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12

SLIDE 2

Online social networks are centralized

Pro: Availability, reliability, global accessibility, convenience
Con: 3rd party involved in every social interaction
  • Must trust provider for confidentiality & integrity

SLIDE 3

Threats to confidentiality

  • Theft by attackers
  • Accidental leaks
  • Privacy policy changes
  • Government pressure

Sources cited on the slide: Google Transparency Report, Jan. – Jun. 2011; PC World, Dec. 6, 2011; WSJ, Feb. 22, 2012; EFF, Apr. 28, 2010; Ars Technica, Mar. 11, 2011

SLIDE 4

Threats to integrity

Simple: Corrupting messages
Complex: Server equivocation

Diagram: the server shows Alice the operations in the order 1, 2, 3 but shows Bob the order 1, 3, 2. Each client sees a history that is consistent on its own, so neither notices without talking to the other.

Equivocation in the wild (e.g. to disguise censorship):
http://songshinan.blog.caixin.com/archives/22322 (translated by Google)

SLIDE 5

Limits of prior work

  • 1. Cryptographic: don’t protect integrity
  • 2. Decentralized: run your own server (sacrifice availability, convenience, etc.) OR trust a provider (who you may not know either)

SLIDE 6

Frientegrity’s approach

Diagram: clients talk to a provider made up of several servers.

  • Benefit from a centralized provider
  • Support common features (e.g. walls, feeds, friends, FoFs, followers)
  • Assume untrusted provider

SLIDE 7

Enforce confidentiality

Diagram: clients hold the plaintext state; the provider’s servers hold only encrypted state.

Provider only observes encrypted data
(Need dynamic access control and key distribution)

SLIDE 8

Verify integrity

Clients verify that the provider:
  • Hasn’t corrupted individual updates
  • Hasn’t equivocated
  • Enforced access control on writes
SLIDE 9

Scalability challenges

  • Long histories; only want tail → Don’t verify whole history each time
  • Many objects (walls, comment threads, photos, etc.) → Support sharding
  • Many friends and FoFs → O(log n) “(un)friending”
  • …

SLIDE 10

Frientegrity overview

Diagram: Bob reads Alice’s wall. The provider’s servers (Server 1, Server 2, …, Server n) hold Bob’s profile and Alice’s profile. Alice’s profile consists of objects (Alice’s wall, Alice’s photo album, Alice’s ACL, a comment thread), each checked for equivocation and optionally entangled with the others.

The server returns, and Bob verifies & decrypts:
  • 1. Latest updates
  • 2. Proof of no equivocation
  • 3. Proof of ACL enforcement
  • 4. Decryption keys
SLIDE 11

Detecting equivocation

  • Honest server: linearizability
  • Malicious server: Alice and Bob detect equivocation after exchanging 2 messages
  • Compare histories

Diagram: the server shows Alice the order 1, 2, 3 and Bob the order 1, 3, 2.

Provider can still fork the clients, but can’t unfork
Enforce fork* consistency [LM07]

SLIDE 12

Comparing histories

Previously: use a hash chain over the operations p0 … p7:
h_n = H(h_{n-1} || op_n)

Hash chains are O(n) (and must download the whole history)

SLIDE 13

Objects in Frientegrity

History tree [CW09] over the operations p0 … p15:
h_i = H(h_leftChild(i) || h_rightChild(i))

h_root commits to entire history
Let C15 be a server-signed commitment to h_root up to op15

SLIDE 14

Objects (cont.)

Is C8 consistent with C15?
Diagram: the pruned tree for this check; only the leaves p0, p1, p8, p9, p14, p15 are drawn, not the whole history.

SLIDE 15

Verifying an object

Is C11 consistent with C15?
Diagram: operations p0 … p15 written by Alice, Bob, and Charlie, with earlier commitments C0, C4, C8, C11 along the history.

Clients collaborate to verify the history

SLIDE 16

Tolerating malicious users

Diagram: the same history, but here Bob wrote the operations behind both C9 and C11, so his two commitments vouch only for themselves.

Tolerate up to f malicious users: a reader stops verifying backwards only once commitments from f + 1 distinct users cover the prefix, so two commitments from the same user (C9 and C11 here) count once.
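The history-tree commitments and the incremental consistency check of slides 13–16, as an added Python example. This is not Frientegrity’s code (the prototype is Java); it is written here to make the slides concrete. It builds the tree over ops p0 … p15 with the node rule h_i = H(h_leftChild(i) || h_rightChild(i)), lets the server produce the O(log n) pruned proof that C8 is consistent with C15, and shows a reader who has Alice’s C8 catching a fork in which the provider showed him a history with p5 replaced. Assumptions: the server’s RSA signature over each commitment is left out (C_n is just h_root after op n), the ops are constructed byte strings, and the tree depth is fixed at 4 to match the 16 ops on the slides.

```python
import hashlib

def H(*parts):
    """Length-prefixed SHA-256 over the parts, so (a || b) cannot be re-split."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def span(level, idx):
    """Leaf range [lo, hi] covered by node (level, idx)."""
    return idx << level, ((idx + 1) << level) - 1

class HistoryTree:
    """Append-only history tree [CW09]. Version v holds ops 0..v; a node whose
    range ends at or before v is frozen and hashes the same in every later version."""

    def __init__(self, ops, depth=4):
        assert len(ops) <= 2 ** depth
        self.ops, self.depth = list(ops), depth

    def node_hash(self, level, idx, v):
        """Hash of node (level, idx) as it appears in version v (None if absent)."""
        lo, _ = span(level, idx)
        if lo > v:
            return None
        if level == 0:
            return H(b"leaf", self.ops[lo])
        left = self.node_hash(level - 1, 2 * idx, v)
        right = self.node_hash(level - 1, 2 * idx + 1, v)
        return H(b"node", left, right if right is not None else b"")

    def commitment(self, v):
        """C_v: h_root over ops 0..v (the server signs this in Frientegrity)."""
        return self.node_hash(self.depth, 0, v)

    def incremental_proof(self, i, j):
        """Pruned tree for checking C_i against C_j: frozen-at-i nodes sent once, nodes
        that exist only in version j sent once, nodes straddling i expanded. O(log n)."""
        assert 0 <= i <= j < len(self.ops)
        pruned = {}
        def visit(level, idx):
            lo, hi = span(level, idx)
            if lo > j:
                return
            if hi <= i:
                pruned[(level, idx, i)] = self.node_hash(level, idx, i)
            elif lo > i:
                pruned[(level, idx, j)] = self.node_hash(level, idx, j)
            else:
                visit(level - 1, 2 * idx)
                visit(level - 1, 2 * idx + 1)
        visit(self.depth, 0)
        return pruned

def recompute_root(pruned, i, v, depth=4):
    """Client side: rebuild h_root of version v (v is i or j) from the proof alone."""
    def go(level, idx):
        lo, hi = span(level, idx)
        if lo > v:
            return None
        if hi <= i and (level, idx, i) in pruned:   # frozen at i, valid for any v >= i
            return pruned[(level, idx, i)]
        if (level, idx, v) in pruned:
            return pruned[(level, idx, v)]
        if level == 0:
            raise ValueError("proof does not cover op %d" % lo)
        left, right = go(level - 1, 2 * idx), go(level - 1, 2 * idx + 1)
        return H(b"node", left, right if right is not None else b"")
    return go(depth, 0)

def consistent(c_i, c_j, pruned, i, j, depth=4):
    """True iff the proof reproduces both commitments; False means the provider
    forked the two readers (equivocated) or sent a malformed proof."""
    try:
        return (recompute_root(pruned, i, i, depth) == c_i and
                recompute_root(pruned, i, j, depth) == c_j)
    except ValueError:
        return False

# Constructed sample: 16 wall posts p0 .. p15, as on slides 13-15.
OPS = [b"p%d" % n for n in range(16)]

def demo():
    honest = HistoryTree(OPS)
    c8 = honest.commitment(8)       # Alice read the wall at op8 and kept C8
    c15 = honest.commitment(15)     # Bob reads later and is handed C15
    proof = honest.incremental_proof(8, 15)
    ok = consistent(c8, c15, proof, 8, 15)
    # Fork: the provider showed Bob a history in which p5 was silently replaced.
    # Bob learned Alice's C8 from her, so the forked proof cannot reproduce it.
    forked = HistoryTree(OPS[:5] + [b"censored"] + OPS[6:])
    caught = not consistent(c8, forked.commitment(15),
                            forked.incremental_proof(8, 15), 8, 15)
    return ok, caught, len(proof)

if __name__ == "__main__":
    print(demo())   # (True, True, 5)
```

The proof for C8 against C15 carries five hashes (p0–p7 as one frozen subtree, p8, p9, p10–p11, p12–p15), which is the pruned shape slide 14 sketches; a hash chain would instead make Bob fetch and rehash all sixteen ops. The f-of-many collaboration on slide 16 sits on top of this: each commitment a reader accepts is one from the set it checks back through.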

SLIDE 17

Access control

Diagram: Bob verifies & decrypts objects served from Alice’s profile (Alice’s wall, Alice’s photo album, Alice’s ACL, comment thread).

  • Prove ACL enforcement
  • Efficient key distribution
  • O(log n) “(un)friending”

SLIDE 18

Proving ACL enforcement

Alice’s ACL is a persistent authenticated dictionary [AGT01] over its entries (Alice, Charlie, Bob, Emma, Sean, David):
h_i = H(h_leftChild(i) || h_rightChild(i))
h_root signed by Alice
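An authenticated dictionary for the ACL on slide 18, as an added Python example rather than Frientegrity’s own code. The server proves that a writer (Bob) was in Alice’s ACL by returning the search path to his entry plus the off-path subtree hashes; the reader recomputes h_root and compares it with the root Alice signed. Assumptions: the entry name is mixed into each node hash (h_i = H(user_i || h_left || h_right)) so a proof binds a specific user; Alice’s RSA signature is replaced by an HMAC under a constructed key, which a real reader could not verify without Alice’s key; and the “persistent” part of [AGT01] (querying old ACL versions) is not implemented.

```python
import hashlib
import hmac

def H(*parts):
    """Length-prefixed SHA-256 over the parts."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

class Node:
    __slots__ = ("user", "left", "right")
    def __init__(self, user):
        self.user, self.left, self.right = user, None, None

class AuthenticatedACL:
    """Binary search tree over ACL entries. Node hash h_i = H(user_i || h_left || h_right),
    so the signed h_root fixes the whole membership set (an empty subtree hashes to b"")."""

    def __init__(self, users=()):
        self.root = None
        for u in users:
            self.insert(u)

    def insert(self, user):
        def ins(n):
            if n is None:
                return Node(user)
            if user < n.user:
                n.left = ins(n.left)
            elif user > n.user:
                n.right = ins(n.right)
            return n
        self.root = ins(self.root)

    @classmethod
    def node_hash(cls, n):
        if n is None:
            return b""
        return H(n.user.encode(), cls.node_hash(n.left), cls.node_hash(n.right))

    def root_hash(self):
        return self.node_hash(self.root)

    def membership_proof(self, user):
        """Server side: the search path to `user` with the off-path subtree hashes.
        Returns None if `user` is not in the ACL (the server can prove nothing)."""
        path, n = [], self.root
        while n is not None and n.user != user:
            if user < n.user:
                path.append((n.user, self.node_hash(n.right), True))   # went left
                n = n.left
            else:
                path.append((n.user, self.node_hash(n.left), False))  # went right
                n = n.right
        if n is None:
            return None
        return (self.node_hash(n.left), self.node_hash(n.right)), path

def verify_membership(user, proof, signed_root):
    """Client side: recompute h_root from the proof and compare with Alice's signed root."""
    if proof is None:
        return False
    (h_left, h_right), path = proof
    h = H(user.encode(), h_left, h_right)
    for anc_user, sibling, went_left in reversed(path):
        h = H(anc_user.encode(), h, sibling) if went_left else H(anc_user.encode(), sibling, h)
    return h == signed_root

# Stand-in for Alice's RSA signature over h_root: HMAC under a constructed key that only
# Alice holds. A deployment uses a public-key signature readers check with Alice's pk.
ALICE_SIGNING_KEY = b"constructed-demo-key-for-alice"

def sign_root(root_hash):
    return hmac.new(ALICE_SIGNING_KEY, root_hash, hashlib.sha256).digest()

def check_signed_root(root_hash, sig):
    return hmac.compare_digest(sign_root(root_hash), sig)

def demo():
    # Alice's ACL from slide 18 (constructed insertion order).
    acl = AuthenticatedACL(["Alice", "Charlie", "Bob", "Emma", "Sean", "David"])
    root = acl.root_hash()
    sig = sign_root(root)
    # Bob writes to Alice's wall; the server attaches a proof that Bob is in the ACL.
    bob_ok = check_signed_root(root, sig) and verify_membership("Bob", acl.membership_proof("Bob"), root)
    # Zack is not a friend: no proof exists, and Bob's proof cannot be relabelled as Zack's.
    no_zack = acl.membership_proof("Zack") is None
    relabel = verify_membership("Zack", acl.membership_proof("Bob"), root)
    return bob_ok, no_zack, relabel

if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

A reader checking a write therefore needs only O(log n) hashes from the server plus Alice’s signature, and a server that let a non-friend post cannot produce a proof that matches the root Alice signed.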

SLIDE 19

Efficient key distribution

Key graph [WGL98] laid over the ACL tree: one node per entry, each holding a key.
Root: David, k0 = k_alice_friend; children Bob, k1 and Sean, k2; Bob’s children Alice, k3 and Charlie, k4; Sean’s child Emma, k5.

Each node’s key is published encrypted under its children’s keys, e.g. E_k3(k1) || E_k4(k1)
Each user receives their own node key under their public key, e.g. E_charlie_pk(k4)

SLIDE 20

Adding a friend

Zack is added as a new node (Zack, k6) under Sean’s node: the server publishes E_k5(k2) || E_k6(k2) so both Emma and Zack can recover k2, and Zack receives his node key as E_zack_pk(k6). No existing key changes.

SLIDE 21

Removing a friend

Removing a friend below Bob’s node re-keys every node on the path from there to the root: Bob gets k1’ and David gets k0’ = k_alice_friend’, and the ciphertexts for the remaining children are republished under the new keys. Zack, k6 and the other nodes off the path keep their keys.
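The key graph of slides 19–21 (adding Zack, then unfriending a user under Bob’s node), as an added Python example; it is not Frientegrity’s code. Each node carries a key, publishes that key encrypted under its children’s keys (E_k3(k1) || E_k4(k1)), and the root key k0 = k_alice_friend is what protects Alice’s posts. Adding a friend re-keys nothing; removing one re-keys the path to the root, so the number of republished ciphertexts is O(log n) in a balanced tree. Assumptions: E_k(.) is a toy XOR-with-SHA-256 stand-in, not a real cipher; per-user public-key delivery (E_user_pk(k_node)) is modelled as a mailbox dict; the tree shape and the choice of Charlie as the removed friend are constructed from the slides.

```python
import hashlib
import os

def toy_enc(key, msg):
    """XOR with a SHA-256 keystream: a stand-in for E_k(.) so the example runs offline.
    Not secure; a deployment uses an AEAD such as AES-GCM."""
    stream = hashlib.sha256(b"keystream" + key).digest()
    return bytes(a ^ b for a, b in zip(stream, msg))

toy_dec = toy_enc   # XOR is its own inverse

class Node:
    def __init__(self, user, parent):
        self.user, self.parent, self.children = user, parent, []
        self.key = os.urandom(32)

class KeyGraph:
    """Key graph [WGL98] laid over the ACL tree: one node per friend, each with a key.
    A node's key is published encrypted under its children's keys, every user gets
    their own node key under their public key, and the root key k0 is the group key."""

    def __init__(self, root_user):
        self.root = Node(root_user, None)
        self.nodes = {root_user: self.root}
        self.ciphertexts = {}                       # node user -> [(child user, E_k_child(k_node))]
        self.mailbox = {root_user: self.root.key}   # stand-in for E_user_pk(k_node)

    def add(self, user, under):
        """Friend `user`: attach a new node under `under`; nothing else is re-keyed."""
        parent = self.nodes[under]
        node = Node(user, parent)
        parent.children.append(node)
        self.nodes[user] = node
        self.mailbox[user] = node.key
        self.ciphertexts.setdefault(under, []).append((user, toy_enc(node.key, parent.key)))

    def remove(self, user):
        """Unfriend `user`: drop the node, hand its children to its parent, then re-key
        every node on the path to the root. Returns the number of ciphertexts republished."""
        node = self.nodes.pop(user)
        parent = node.parent
        parent.children.remove(node)
        for child in node.children:
            child.parent = parent
            parent.children.append(child)
        del self.mailbox[user]
        self.ciphertexts.pop(user, None)
        republished, n = 0, parent
        while n is not None:
            n.key = os.urandom(32)                  # k1 -> k1', k0 -> k0' on slide 21
            self.ciphertexts[n.user] = [(c.user, toy_enc(c.key, n.key)) for c in n.children]
            self.mailbox[n.user] = n.key            # the user at this node learns the new key
            republished += len(n.children)
            n = n.parent
        return republished

    def derive_group_key(self, user):
        """What `user` can compute from their own node key plus the published ciphertexts."""
        if user not in self.mailbox:
            return None
        node, key = self.nodes[user], self.mailbox[user]
        while node.parent is not None:
            table = dict(self.ciphertexts.get(node.parent.user, []))
            if node.user not in table:
                return None
            key = toy_dec(key, table[node.user])
            node = node.parent
        return key

def demo():
    """Slides 19-21: build Alice's ACL tree, add Zack, then remove Charlie."""
    g = KeyGraph("David")                           # David, k0 = k_alice_friend
    for user, under in [("Bob", "David"), ("Sean", "David"), ("Alice", "Bob"),
                        ("Charlie", "Bob"), ("Emma", "Sean")]:
        g.add(user, under)
    k0 = g.root.key
    g.add("Zack", "Sean")                           # publishes E_k5(k2) || E_k6(k2)
    zack_has_k0 = g.derive_group_key("Zack") == k0
    republished = g.remove("Charlie")               # re-keys Bob (k1') and David (k0')
    k0_new = g.root.key
    others = all(g.derive_group_key(u) == k0_new
                 for u in ["David", "Bob", "Sean", "Alice", "Emma", "Zack"])
    return zack_has_k0, republished, k0_new != k0, others, g.derive_group_key("Charlie")

if __name__ == "__main__":
    print(demo())   # (True, 3, True, True, None)
```

Removing Charlie republishes three ciphertexts (Alice under Bob’s new k1’, then Bob and Sean under David’s new k0’), while Emma and Zack keep k5 and k6 and still reach k0’ through Sean’s unchanged k2. Charlie keeps his old k4 and old k0 but has no ciphertext left to decrypt, which is the revocation the slide describes.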

SLIDE 22

Efficient enough in practice?

Setup
  • Java client & server
  • Simulate basic Facebook features (each user has wall & ACL)
  • 2048-bit RSA sign & verify batched via spliced signatures [CW10]
  • Experiments on LAN (8-core 2.4 GHz Intel Xeon E5620s, Gigabit network)

Measurements
  • Latency of reads & writes to objects
  • Latency of ACL changes
  • Throughput (in paper)
  • Effect of tolerating malicious users
SLIDE 23

Object read & write latency

Figure: two plots of response latency (ms) against object history size, each with Read and Write curves.
  • Frientegrity (collaborative verification): axes run 5K–25K ops and 2–14 ms; constant cost, f signatures dominates
  • Hash chain: axes run 500–1500 ops and 200–1000 ms

SLIDE 24

Latency of ACL changes

Figure: response latency (ms, axis 5–35) against ACL size (200–1000), with Add User and Revoke User curves.

SLIDE 25

Tolerating malicious users

Figure: response latency (ms, log axis 10–1000) against f + 1 (10–50), for Power and Uniform distributions of writers.
  • 50 writers
  • 5000 operations
SLIDE 26

Summary

  • Both confidentiality & integrity need protection
  • Benefit from centralization, but provider is untrusted
  • Clients collaborate to defend against equivocation
  • Scalable, verifiable access control & key distribution

SLIDE 27

Thank you

Questions?

  • http://arifeldman.com
  • ariel.feldman@cis.upenn.edu