private editing using untrusted cloud services

Private Editing Using Untrusted Cloud Services

Yan Huang and David EvansUniversity of Virginia

http://MightBeEvil.com

Motivation

2

To take advantage of existing cloud services without revealing private data to untrusted servers.

We expect a solution that• is easy to deploy• and results in minimal

negative interference with existing functionalities

Observation: Server Doesn’t Need Data

Many cloud applications perform most data-dependent computation on the client:–Reduce server load–Reduce latency

3

Computation needed at server-side:• Protecting proprietary algorithms• Greater computing power• Large data needed

4

Developed a Firefox extension to enable private editing using Google Documents.

Typical Threat Model

5

Server is not trusted, hasfull access to user data.

Browser is not compromised

Design Choices

6

Client

Server

Proxy

User JS

Add-on

Protocol Without Extension

7

docid=001“sunny”

Client Server(1) Open

document http://docs.google.com/Doc?docid=001

docid=001“cloudy”

<html>...<script>var DOC_Content=“...cloudy...

”</script>…</html>

(2) Save “sunny” http://.../RawDocContents?docContents=“sunny”

ACK:{contentFromServer:””,contentFromServerHas

h:0}

Protocol Without Extension

8

docid=001“sunny”

Client Server

(3) Save “sunshine”

.../RawDocContents?contentIsDelta=true&delta=“=3 +shi =1 -1 +e”

ACK:{contentFromServer:””,contentFromServerHas

h:0}

docid=001“sunshine”

Protocol With Extension

9

docid=001E(‘sunny’)

Client Server(1) Open

document…/Doc?docid=001

docid=001E(‘cloudy’)

(2) Save “sunny”

…/RawDocContents?docContents=sunny

ACK:

{contentFromServer:””,contentFromSe

rverHash:0}

Extension

…/Doc?docid=001

<html> “...E(‘cloudy’)...”

</html><html> “... cloudy...” </html>

RawDocContents?docContents=E(‘sunny’)

ACK:

{contentFromServer:””,contentFromS

erverHash:0}

Dec

Enc

Protocol With Extension

10

docid=001E(‘sunny’)

Client Server

(3) Save “sunshine”

.../RawDocContents?...&delta=“=3 +shi =1 -1 +e”

ACK:

{contentFromServer:””,contentFromSe

rverHash:0}

Extension

…/RawDocContents?...&delta=IncE(delta)

ACK:

{contentFromServer:””,contentFromS

erverHash:0}

IncE

docid=001E(‘sunshine’)

Incremental Encryption

key generation algorithm encrypt whole message m decrypt ciphertext c given a key k, an edit operation op,

previous message m, and previous ciphertext c, compute an updated ciphertext c’.

11

Gen)(mEncc k)(cDecm k

),,( cmopIncEc k

[BKY01] – Buonanno, Katz, and Yung. Fast Software Encryption 2001

Privacy Only Mode

12

Trapdoor psuedorandom permutation Random numbers Document segments Concatenation

Trapdoor psuedorandom permutation Random numbers Document segments Concatenation

ir

id||

F

1d 2d nd

)||( 0 padsk rrF )||( 1110 drrrFsk )||( 2220 drrrFsk )||( 0 nnnsk drrrF

Multiple Characters per Block

Motivation: reduce the ciphertext blow-up

Challenge: the index of each character will change so that naïve implementation won’t work

13

1id

id

id

IndexedSkipList

14

Head Nil

0

0

0

IndexedSkipList

15

Head Nil

3

3

0

Insert(0,“abc”);

abc

3

IndexedSkipList

16

Head Nil

7

3

0

Insert(0,“abc”);Insert(3,“1234”);

abc

4

1234

3

4

IndexedSkipList

17

Head Nil

4

2

0

Ins(0,“abc”);Ins(3,“1234”);Del(2, 3);

ab

2

34

2

2

Security Analysis

• Server knows the document ciphertext• Can infer the length of original document• Knows editing positions and edit operation types• Can deny service

18

Extreme Threat Model

19

Server controls client’sapplication content software.

Security Analysis

• Covert Channels such as timing or delta

• Using obfuscated protocol• Dynamically generated client/server protocols

20

Virginia California

-1 +Cal =1 +fo =1 -2 =3

-5 +Califor =3

-8 +California

Functional Evaluation

• Basic editing functions are supported• Features disrupted:

– Translation– Spell checking– Drawings– Export– Collaboration

21

Performance EvaluationMicro-Benchmarks

Average Time (per char)

encryption .091 ms

decryption .085 ms

transform delta .110 ms

22

Microbenchmark of privacy-and-integrity mode

(avg. of 1000 tests)

Macro-Benchmarks

23

1 2 3 4 5 6 7 80

5

10

15

20

25

Blow-upBlock Size

Blow

-up

insert deletes inserts & deletes

0%2%4%6%8%

10%12%14%

1 char/block 8 char/block

perfo

rman

ce d

egra

datio

n

Conclusion

• Editing encrypted data can be practical• Practical secure computation under relaxed

security definitions can be very useful• Would be a very challenging problem should the

service provider chooses not to cooperate

24

Download from: www.MightBeEvil.com/securedocs