private editing using untrusted cloud services
DESCRIPTION
Private Editing Using Untrusted Cloud Services. Yan Huang and David Evans University of Virginia http://MightBeEvil.com. Motivation. To take advantage of existing cloud services without revealing private data to untrusted servers . We expect a solution that is easy to deploy - PowerPoint PPT PresentationTRANSCRIPT
Private Editing Using Untrusted Cloud Services
Yan Huang and David EvansUniversity of Virginia
http://MightBeEvil.com
Motivation
2
To take advantage of existing cloud services without revealing private data to untrusted servers.
We expect a solution that• is easy to deploy• and results in minimal
negative interference with existing functionalities
Observation: Server Doesn’t Need Data
Many cloud applications perform most data-dependent computation on the client:–Reduce server load–Reduce latency
3
Computation needed at server-side:• Protecting proprietary algorithms• Greater computing power• Large data needed
4
Developed a Firefox extension to enable private editing using Google Documents.
Typical Threat Model
5
Server is not trusted, hasfull access to user data.
Browser is not compromised
Design Choices
6
Client
Server
Proxy
User JS
Add-on
Protocol Without Extension
7
docid=001“sunny”
Client Server(1) Open
document http://docs.google.com/Doc?docid=001
docid=001“cloudy”
<html>...<script>var DOC_Content=“...cloudy...
”</script>…</html>
(2) Save “sunny” http://.../RawDocContents?docContents=“sunny”
ACK:{contentFromServer:””,contentFromServerHas
h:0}
Protocol Without Extension
8
docid=001“sunny”
Client Server
(3) Save “sunshine”
.../RawDocContents?contentIsDelta=true&delta=“=3 +shi =1 -1 +e”
ACK:{contentFromServer:””,contentFromServerHas
h:0}
docid=001“sunshine”
Protocol With Extension
9
docid=001E(‘sunny’)
Client Server(1) Open
document…/Doc?docid=001
docid=001E(‘cloudy’)
(2) Save “sunny”
…/RawDocContents?docContents=sunny
ACK:
{contentFromServer:””,contentFromSe
rverHash:0}
Extension
…/Doc?docid=001
<html> “...E(‘cloudy’)...”
</html><html> “... cloudy...” </html>
RawDocContents?docContents=E(‘sunny’)
ACK:
{contentFromServer:””,contentFromS
erverHash:0}
Dec
Enc
Protocol With Extension
10
docid=001E(‘sunny’)
Client Server
(3) Save “sunshine”
.../RawDocContents?...&delta=“=3 +shi =1 -1 +e”
ACK:
{contentFromServer:””,contentFromSe
rverHash:0}
Extension
…/RawDocContents?...&delta=IncE(delta)
ACK:
{contentFromServer:””,contentFromS
erverHash:0}
IncE
docid=001E(‘sunshine’)
Incremental Encryption
key generation algorithm encrypt whole message m decrypt ciphertext c given a key k, an edit operation op,
previous message m, and previous ciphertext c, compute an updated ciphertext c’.
11
Gen)(mEncc k)(cDecm k
),,( cmopIncEc k
[BKY01] – Buonanno, Katz, and Yung. Fast Software Encryption 2001
Privacy Only Mode
12
Trapdoor psuedorandom permutation Random numbers Document segments Concatenation
Trapdoor psuedorandom permutation Random numbers Document segments Concatenation
ir
id||
F
1d 2d nd
)||( 0 padsk rrF )||( 1110 drrrFsk )||( 2220 drrrFsk )||( 0 nnnsk drrrF
Multiple Characters per Block
Motivation: reduce the ciphertext blow-up
Challenge: the index of each character will change so that naïve implementation won’t work
13
1id
id
id
IndexedSkipList
14
Head Nil
0
0
0
IndexedSkipList
15
Head Nil
3
3
0
Insert(0,“abc”);
abc
3
IndexedSkipList
16
Head Nil
7
3
0
Insert(0,“abc”);Insert(3,“1234”);
abc
4
1234
3
4
IndexedSkipList
17
Head Nil
4
2
0
Ins(0,“abc”);Ins(3,“1234”);Del(2, 3);
ab
2
34
2
2
Security Analysis
• Server knows the document ciphertext• Can infer the length of original document• Knows editing positions and edit operation types• Can deny service
18
Extreme Threat Model
19
Server controls client’sapplication content software.
Security Analysis
• Covert Channels such as timing or delta
• Using obfuscated protocol• Dynamically generated client/server protocols
20
Virginia California
-1 +Cal =1 +fo =1 -2 =3
-5 +Califor =3
-8 +California
Functional Evaluation
• Basic editing functions are supported• Features disrupted:
– Translation– Spell checking– Drawings– Export– Collaboration
21
Performance EvaluationMicro-Benchmarks
Average Time (per char)
encryption .091 ms
decryption .085 ms
transform delta .110 ms
22
Microbenchmark of privacy-and-integrity mode
(avg. of 1000 tests)
Macro-Benchmarks
23
1 2 3 4 5 6 7 80
5
10
15
20
25
Blow-upBlock Size
Blow
-up
insert deletes inserts & deletes
0%2%4%6%8%
10%12%14%
1 char/block 8 char/block
perfo
rman
ce d
egra
datio
n
Conclusion
• Editing encrypted data can be practical• Practical secure computation under relaxed
security definitions can be very useful• Would be a very challenging problem should the
service provider chooses not to cooperate
24
Download from: www.MightBeEvil.com/securedocs