● Standardized as IEEE P1619.2 (2010)
● Overhead considered to be (too) costly
  – No practical deployment so far

Comparison

● Passive adversary: localize changes in encrypted file
  – CBC mode: first changed block in sector
  – TwE narrow: all blocks that changed
  – TwE wide: whole sector (best possible)
● Active adversary: trigger controlled change of plaintext
  – CBC mode: change one block, move blocks
  – TwE narrow: none
  – TwE wide: none
● Situation in practice
  – CBC mode: deployed
  – TwE narrow: deployed
  – TwE wide: not used

How realistic are active attacks?
  – Encryption in OS kernel, attack requires access to stored bits
  – Unlikely for laptops
  – More plausible for virtual disk images on cloud storage

Integrity protection

Integrity protection for one client

● Storage consists of n data items x1, ..., xn
● Client accesses storage via integrity-protection layer
  – Uses small trusted memory to store short reference hash value v (together with encryption keys)
● Integrity layer operations
  – Read item and verify w.r.t. v
  – Write item and update v accordingly

[Figure: Client, Trusted memory, Integrity]

Hash trees for integrity checking (Merkle trees)

[Figure: hash tree with nodes root, H0, H1, H00, H01, H10, H11]

● Parent node is hash of its children
● Root hash value commits all data blocks
  – Root hash in trusted memory
  – Tree is on extra untrusted storage
● To verify xi, recompute path from xi to root with sibling nodes and compare to trusted root hash
● To update xi, recompute new root hash and nodes along path from xi to root
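
The verify and update steps above as a runnable sketch (an added example, not code from the slides). It assumes SHA-256, a power-of-two number of items and a one-byte leaf/inner-node tag; all function names and the sample items are constructed for illustration.

```python
import hashlib
import hmac

def H(tag, *parts):
    """SHA-256 with a one-byte tag separating leaves (0) from inner nodes (1)."""
    return hashlib.sha256(bytes([tag]) + b"".join(parts)).digest()

def build(items):
    """Untrusted storage side: all tree levels, leaves first (power-of-two n)."""
    levels = [[H(0, x) for x in items]]
    while len(levels[-1]) > 1:
        levels.append([H(1, a, b) for a, b in zip(levels[-1][0::2], levels[-1][1::2])])
    return levels

def siblings(levels, i):
    """Sibling nodes on the path from leaf i to the root."""
    sibs = []
    for level in levels[:-1]:
        sibs.append(level[i ^ 1])
        i //= 2
    return sibs

def root_from(i, item, sibs):
    """Client side: recompute the root from x_i and its sibling nodes."""
    node = H(0, item)
    for s in sibs:
        node = H(1, node, s) if i % 2 == 0 else H(1, s, node)
        i //= 2
    return node

def verify(v, i, item, sibs):
    return hmac.compare_digest(root_from(i, item, sibs), v)

def write(v, i, old_item, new_item, sibs):
    """Authenticate the siblings against v before using them for the new root."""
    if not verify(v, i, old_item, sibs):
        raise ValueError("integrity violation")
    return root_from(i, new_item, sibs)

def demo():
    items = [b"x1", b"x2", b"x3", b"x4"]           # constructed sample data
    levels = build(items)
    v = levels[-1][0]                              # only v is kept in trusted memory
    sibs = siblings(levels, 2)
    honest = verify(v, 2, b"x3", sibs)
    tampered = verify(v, 2, b"x3-modified", sibs)
    v2 = write(v, 2, b"x3", b"x3-new", sibs)
    matches_rebuild = v2 == build([b"x1", b"x2", b"x3-new", b"x4"])[-1][0]
    replay = verify(v2, 2, b"x3", sibs)            # server replays the old item
    return honest, tampered, matches_rebuild, replay
```

The write path checks the server-supplied sibling nodes against the old trusted root before deriving the new one; skipping that check would let the untrusted storage choose the siblings that end up committed under the new root.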

● Relies on hash value v
  – Stored locally in trusted memory
  – Changes after every update operation
● Multiple clients?
  – Need to synchronize trusted memories
● Solution with digital signatures
  – Every client associated with a public/private key pair
  – Write operation produces signature σ on hash v
  – Client stores signature and hash (σ, v) on cloud
● Replay attacks
  – This approach permits replay attacks ...
  – Prevented using trusted coord. service

[Figure: three Clients, Integrity]

Multi-client integrity protection and forking attacks

● Server may present different views to separated clients
  – E.g., not show the most recent WRITE operation to a reader
  – Creates a "fork" between their histories
  – Clients cannot prevent this without communication
● Use fork linearizability [Mazieres, Shasha, PODC '02]
  – If malicious server forks the views of two clients once, then
    → their views are forked ever after
    → they never again see each other's updates
● Every inconsistency or integrity violation results in a fork
  – Best achievable guarantee for storage on untrusted server
  – Forks can be detected on a "cheap" low-security external channel
● Prototype implementation in VENUS [Shraer et al., CCSW 2011]
  – Use only a semi-trusted coordinator [Cachin et al., SIAM J. Comput., 2011]

● User u authenticates to token
  – u ∈ {security-officer, application}
● u invokes operations through Crypto API
  – Operations on payload
    ● Encrypt, decrypt, sign, verify ...
  – Key-management operations
    ● Create, store, read*, update* key
    ● Derive key from a parent key
    ● Wrap key / export
    ● Unwrap key / import
  * Restricted to admin
● Standardized interfaces
  – PKCS #11 [EMC/RSA]
  – Common cryptographic architecture (CCA) [IBM]

Problems with crypto APIs (1)

● Legacy API policies are often "underspecified"
  – Nevertheless, they aim to protect keys
● Purely logical attacks → API attacks
  – Expose a protected key [Anderson, Bond, Clulow]
● Example attack on PKCS #11
  – Sensitive keys must not be exposed in clear
  – PKCS #11 denies read operation by user u ≠ admin if key k is sensitive
  – But allows u to wrap k under a non-sensitive key d
    → user u wraps k under d and reads d
    → this exposes k in clear

Problems with crypto APIs (2)

● Why?
  – Why is access control with simple read/write permissions not enough to protect keys?
● Because keys may depend cryptographically on other keys
● Only cryptographic operations create such dependencies
● Propose to keep track of dependencies with a model for strict access control [Cachin, Chandran, CSF '09]

  – Other objects whose cryptographic value can be computed from the cryptographic value of the object
● ancestors ⊆ Objects
  – Other objects on which the object depends
● readers ⊆ Users
  – Users who have executed read(k) for some key k such that object ∈ k.dependents

Basic and strict policies

● If o.strict = true, then o benefits from strict security policy
● Otherwise, o underlies basic access-control policy
● Strict security policy respects dependencies between keys in access decisions

Basic authorization

Basic authorization rule of permission p for user u on object o:

BASICAUTH(u, p, o) =
    (any, p) ∈ o.acl
    or (u = o.creator and (creator, p) ∈ o.acl)
    or (u, p) ∈ o.acl.

Implementation of read

Condition for user u to execute read(o):

    o.strict = false and BASICAUTH(u, Read, o)
    or
    o.strict = true and ∀ q ∈ o.dependents, BASICAUTH(u, Read, q)

Effect:

    if o.strict = true then
        ∀ q ∈ o.dependents, q.readers ← q.readers ∪ {u}

Implementation of export

Condition for user u to execute export(o, w):

    o.strict = false and BASICAUTH(u, Export, o)
    or
    o.strict = true and w.strict = true
    and BASICAUTH(u, Export, o) and BASICAUTH(u, Wrap, w)
    and ∀ v ∈ w.readers, ∀ q ∈ o.dependents, BASICAUTH(v, Read, q)
    and w ∉ o.dependents

Effect:

    if o.strict = true then
        ∀ v ∈ w.readers, o.readers ← o.readers ∪ {v}
        w.dependents ← w.dependents ∪ o.dependents
        o.ancestors ← o.ancestors ∪ w.ancestors

Use authenticated encryption for key wrapping

Implementation of import

Condition for u to execute import(w, wrapped) in strict mode:

    BASICAUTH(u, Unwrap, w)
    and w.readers = ∅ and w.strict = true
    and ¬∃ key in DB with same digest as o, where o = unwrap(wrapped)