Source: pages.cs.wisc.edu/~ace/papers/thesis-defense.pdf
Security of Internet-Scale Services
Thesis Defense — Adam Everspaugh
Committee: Prof Nigel Boston, Prof Barton Miller, Prof Somesh Jha, Assc Prof Thomas Ristenpart*, Prof Michael Swift*

Software Environment Has Changed
• Microsoft Word, ~1995 (OS): users: 2^0–2^5, machines: 2^0
• Google Docs, 2015 (datacenter): users: 2^20–2^30, machines: 2^10
• Figure labels: revisions, authentication, spellcheck, browser+javascript, collaboration, front-end

Interesting Properties of Internet-scale Services
• Millions or billions of users
• Geo-replicated applications and storage systems
• Applications built as distributed services: componentized, communication, failures, concurrency
• Highly available: 1.0 - 𝜀
• Security?
  • Carried forward from previous era of application development

Research Question
Can we improve the security of internet-scale services?
Outline
• Not-So-Random Numbers [IEEE S&P '14]. Evaluate RNGs in virtual machine and cloud compute environments.
• Pythia PRF Service [Usenix Sec '15]. Design and evaluate a secure password authentication service built around a new cryptographic primitive.
• Key Rotation for Auth Encryption [Crypto '17]. Examines updatable encryption for cloud storage. Formal analysis of security notions and updatable encryption schemes.

Random Number Generators
Inputs (system events) → RNG → Outputs (uniformly distributed)
Example uses:
• StackProtector canaries
• TCP/IP sequence numbers
• Cryptographic keys

Random Number Generators
Inputs (system events) → RNG → Outputs (uniformly distributed)
Linux /dev/(u)random:
• Inputs: interrupt events, disk events, keyboard events, mouse events, hardware RNGs
• Pools: Interrupt Pool, Input Pool, Random Pool, URandom Pool
• Outputs: /dev/random, /dev/urandom, get_random_bytes()
• Cryptographic hash

Random Number Generators
Inputs (system events) → RNG → Outputs (uniformly distributed)
Folklore concerns regarding security
1. Do full-memory snapshots cause problems for system RNGs? [GR05] [RY10]
2. Are input sources entropy-poor inside a virtual machine? [SBW09]

Virtual Machine Snapshot and Resumption
[Figure labels: Boot, Snapshot, disk, Resumption]
Does the RNG produce distinct outputs with each resumption?

Linux RNG Not Reset Secure
One experiment:
• Boot VM in Xen, idle for 5 minutes
• Start measurement process, capture snapshot
• Resume from snapshot, read 512 bits from /dev/urandom every 500 us
Repeat for 8 distinct snapshots
Do 20 resumptions/snapshot
RNG: /dev/urandom
7/8 snapshots produce repeated outputs

Why does this happen?
Linux /dev/(u)random
[Figure labels: interrupts, disk events; Interrupt Pool, Input Pool, Random Pool, URandom Pool; /dev/random, /dev/urandom, get_random_bytes()]
Thresholds shown in the figure:
• if (entropy estimate >= 64)
• if (entropy estimate >= 192)
• if (count > 64 or elapsed time > 1s)
Buffering and thresholds prevent new inputs from impacting outputs
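A toy simulation of the buffering effect described above, added here as an illustration; it is not kernel code and not from the slides. Assumptions: the count/time threshold gates the interrupt buffer, the 192-bit threshold gates reseeding of the /dev/urandom pool, one bit is credited per event, and SHA-256 stands in for pool mixing; all class and function names are hypothetical.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

class ToyRng:
    """Toy model of the buffered pools on the slide; not kernel code."""
    def __init__(self, snapshot_state: bytes):
        self.irq_buf = []                        # interrupt pool (buffer)
        self.input_pool = H(b"in", snapshot_state)
        self.urandom_pool = H(b"ur", snapshot_state)
        self.entropy = 0                         # input pool estimate, bits
        self.last_flush = 0.0

    def interrupt(self, event: bytes, now: float) -> None:
        self.irq_buf.append(event)
        # Slide threshold: count > 64 or elapsed time > 1 s
        if len(self.irq_buf) > 64 or now - self.last_flush > 1.0:
            self.input_pool = H(self.input_pool, *self.irq_buf)
            self.entropy += len(self.irq_buf)    # assumption: 1 bit per event
            self.irq_buf, self.last_flush = [], now

    def urandom(self) -> bytes:
        # Slide threshold: entropy estimate >= 192 before the pool reseeds
        if self.entropy >= 192:
            self.urandom_pool = H(self.urandom_pool, self.input_pool)
            self.entropy -= 192
        out = H(b"out", self.urandom_pool)
        self.urandom_pool = H(b"next", self.urandom_pool)
        return out

def resume(snapshot: bytes, run_id: str, reads: int = 1000) -> list:
    """One resumption: read every 500 us, one fresh interrupt per ms."""
    rng, outs = ToyRng(snapshot), []
    for i in range(reads):
        now = i * 0.0005
        if i % 2 == 0:
            rng.interrupt(f"{run_id}:{i}".encode(), now)  # differs per run
        outs.append(rng.urandom())
    return outs

def repeated_prefix(a: list, b: list) -> int:
    """Number of leading outputs that two resumptions have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

SNAPSHOT = b"constructed snapshot state"
run_a, run_b = resume(SNAPSHOT, "A"), resume(SNAPSHOT, "B")
print(repeated_prefix(run_a, run_b), "identical outputs before the first reseed")
```

In this model two resumptions of the same snapshot return 388 identical outputs (about 194 ms of reads) before fresh interrupts reach the output pool.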

Reset Vulnerabilities Affect Other Platforms
• Microsoft Windows 7: produces repeated outputs indefinitely
  • rand_s (stdlib)
  • CryptGenRandom (Win32)
  • RngCryptoServices (.NET)
• FreeBSD: /dev/random produces identical output stream, up to 100 seconds after resumption

RNG Summary
• Snapshots cause problems? → Yes
• Entropy-poor inputs? → No
• New clean-slate RNG design → Whirlwind

Outline
• Not-So-Random Numbers [IEEE S&P '14]. Evaluate RNGs in virtual machine and cloud compute environments.
• Pythia PRF Service [Usenix Sec '15]. Design and evaluate a secure password authentication service built around a new cryptographic primitive.
• Key Rotation for Auth Encryption [Crypto '17]. Examines updatable encryption for cloud storage. Formal analysis of security notions and updatable encryption schemes.

Password Database Compromises
Password DB breaches are common
Website stores one of:
• pw
• Hash(pw)
• salt, Hash(salt, pw)
• salt, Hash^4096(salt, pw)
6.5M hashes leaked
90% recovered; 2 weeks

Facebook's Password Onion
    $cur = 'password'
    $cur = md5($cur)
    $salt = randbytes(20)
    $cur = hmac_sha1($cur, $salt)
    $cur = remote_hmac_sha256($cur, $secret)
    $cur = scrypt($cur, $salt)
    $cur = hmac_sha256($cur, $salt)
[Muffett RWC15]

Remote HMAC Distributes Trust
[Figure: the Web Server (pw db) receives pw and sends $cur to the Crypto Server, which holds $secret and returns hmac($cur, $secret); pw db holds cur1, cur2, cur3]
• How do we rotate $secret?
• Hard to detect online attacks

Advantages of Partially Oblivious PRF
[Figure: the Web Server (pw db) receives pw and sends uid, blind(pw) to the Pythia PRF Service, which returns y = F_k(uid, blind(pw)); unblind(y) = F_k(uid, pw)]
• Doesn't learn secret key
• Detect online attacks
• Doesn't learn pw

Existing Crypto Primitives are Insufficient
[Figure labels: Deterministic; Pseudorandom; Key Rotation; PRFs; Key Updatable Encryption; Proxy Re-encryption; (Partial) Message Privacy; Oblivious PRFs; Partially-Blind Signatures; Partially Oblivious PRF; empty]

Fast, Scalable PRF Service
• Throughput: 1350 queries/sec (8-core EC2 instance)
• Pythia Query: 5.2 ms
• Iterated Hashing: 8.9 ms (SHA256^10k)
• Within factor of 2 of HTTP GET over TLS
• Storage: O(1) per web server
• Supports arbitrary number of users for each web server
• 100M Web Server: 18.6 GB (keytable)
• nginx, MongoDB

Outline
• Not-So-Random Numbers [IEEE S&P '14]. Evaluate RNGs in virtual machine and cloud compute environments.
• Pythia PRF Service [Usenix Sec '15]. Design and evaluate a secure password authentication service built around a new cryptographic primitive.
• Key Rotation for Auth Encryption [Crypto '17]. Examines updatable encryption for cloud storage. Formal analysis of security notions and updatable encryption schemes.

Encryption for Cloud Storage
k1 — secret key
[Figure: file0 and stored ciphertexts {file0}k1, {file1}k1, {file2}k1, {file3}k1, {file4}k1, {file5}k1]
How do we rotate k1?
Rekey token Δ1→2 (from k1, k2)
[Figure: after applying Δ1→2: {file1}k2, {file2}k2, {file3}k2, {file4}k2, {file5}k2]

Updatable Encryption
Symmetric Encryption scheme = (K, E, D)
[Figure labels: $, K, k; m, $, E, C; D, m or ⊥]
Updatable Encryption scheme = (Kg, Enc, Dec, RekeyGen, ReEnc)
[Figure labels: m, k1, Enc, C1; k1, k2, Ch, RekeyGen, Δ1→2; ReEnc, C2; k2, Dec, m or ⊥ (error)]

Security Notions
Symmetric Encryption scheme
• Confidentiality: Ind-Cpa (indistinguishable to chosen-plaintext attack)
• Integrity: Int-Ctxt (integrity of ciphertext)
• Authenticated Encryption: AE ⇒ Ind-Cpa ⋀ Int-Ctxt
Updatable Encryption scheme
• Confidentiality: Up-Ind
• Integrity: Up-Int
• Indist. ReEncryption: Up-ReEnc

Security of Updatable Schemes

| Scheme | Confidentiality (Up-Ind) | Integrity (Up-Int) | Indist. ReEncryption (Up-ReEnc) |
|---|---|---|---|
| AE-hybrid | X | X | X |
| KSS* | ✔ | ✔ | X |
| [BLMR13] | X | X | X |
| ReCrypt* | ✔ | ✔ | ✔ |

* introduced in this work

AE-hybrid is Not Secure
Updatable encryption built with symmetric authenticated encryption (AES-GCM)
AE-hybrid in production use:
Enc_k1(m): C1 = {x}k1 (header), {m}x (body)
ReEnc(Δ, C1): C2 = {x}k2, {m}x
• Confidentiality (Up-Ind): X
  Give the attacker: k1, all headers, C2
• Integrity (Up-Int): X
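An added example (not from the slides and not any production system's code) of the AE-hybrid construction drawn on this slide, showing what key rotation does and does not change. A SHA-256/HMAC encrypt-then-MAC toy stands in for AES-GCM so it runs on the standard library; all function names and the sample plaintext are this example's own.

```python
import hashlib, hmac, os

def _ks(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 counter-mode keystream (toy stand-in for AES-GCM's cipher)."""
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def ae_enc(key: bytes, msg: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _ks(key, nonce, len(msg))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def ae_dec(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None                                  # the slide's ⊥
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

def enc(k: bytes, m: bytes):
    x = os.urandom(32)                               # fresh per-file key
    return ae_enc(k, x), ae_enc(x, m)                # ({x}k header, {m}x body)

def rekey_gen(k_old: bytes, k_new: bytes, header: bytes) -> bytes:
    return ae_enc(k_new, ae_dec(k_old, header))      # delta = {x}k_new

def re_enc(delta: bytes, c):
    return delta, c[1]                               # body is not touched

def dec(k: bytes, c):
    x = ae_dec(k, c[0])
    return None if x is None else ae_dec(x, c[1])

def rotation_check() -> dict:
    k1, k2 = os.urandom(32), os.urandom(32)
    m = b"constructed sample plaintext"
    c1 = enc(k1, m)
    c2 = re_enc(rekey_gen(k1, k2, c1[0]), c1)
    x_old = ae_dec(k1, c1[0])                        # what k1 + old header reveal
    return {
        "k2_decrypts_c2": dec(k2, c2) == m,
        "k1_rejected_for_c2": dec(k1, c2) is None,
        "body_unchanged": c2[1] == c1[1],
        "old_x_opens_c2_body": ae_dec(x_old, c2[1]) == m,
    }

if __name__ == "__main__":
    print(rotation_check())
```

All four checks come back True: after rotation the API rejects k1, yet the body key x is unchanged, so the retired key plus the old header still opens the re-encrypted body.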

AE-hybrid Fixed: KSS
KEM/DEM with Secret Sharing (KSS)
AE-Hybrid: {x}k1 (header), {m}x (body)
KSS Enc_k1(m): {x⊕y, h(m)}k1 (header), y, {m}x (body)
• Key-share hides x in header
• Hash gives integrity — binds header/body
• Confidentiality (Up-Ind): ✔
• Integrity (Up-Int): ✔
• Indist. ReEnc (Up-ReEnc): X

Strongest Security: ReCrypt
Key Homomorphic Encryption
• E_b(E_a(m)) = E_{a⊙b}(m)
• D_{a⊙b}(E_{a⊙b}(m)) = m
Enc: {x+y, E_x(d)}k1 (header), y, E_x(m) (body)
d = h(m); gives integrity
ReEnc: {x'+y'+x+y, E_x'(E_x(d))}k2, y'+y, E_x'(E_x(m))
• Confidentiality (Up-Ind): ✔
• Integrity (Up-Int): ✔
• Indist. ReEnc (Up-ReEnc): ✔

Strongest Security Impacts Performance

| ReCrypt | 1 KB | 1 GB |
|---|---|---|
| Encrypt | 10.0 ms | 2.6 hrs |
| ReEnc | 8.8 ms | 2.4 hrs |
| Decrypt | 9.1 ms | 2.4 hrs |

ReCrypt operations are 1000x slower than KSS
• Good fit for: small, high-value plaintexts
• E.g. credit card numbers, personally-identifying information, financial information

Conclusions
• Not-So-Random Numbers [IEEE S&P '14]. Environment is fine — entropy rich inputs. New designs fix VM reset vulnerabilities; easier to analyze.
• Pythia PRF Service [Usenix Sec '15]. State-of-the-art is broken — new cryptography in service-oriented setting is a great direction.
• Key Rotation for Auth Encryption [Crypto '17]. Customers need updatable encryption — proper balance of security strength and performance is still an open question.
There are significant opportunities for improving the security of internet-scale services.