Vanish: Increasing Data Privacy with Self-Destructing Data

Vanish: Increasing Data Privacy with Self-Destructing Data Roxana Geambasu, Tadayoshi Kohno, Amit A. Levy, and Henry M. Levy, USENIX Security Symposium (Usenix), 2009. Presentation by Sruthi Chiluka

Transcript of Vanish: Increasing Data Privacy with Self-Destructing Data

Page 1: Vanish: Increasing Data Privacy with Self-Destructing Data

Vanish: Increasing Data Privacy with Self-Destructing Data

Roxana Geambasu, Tadayoshi Kohno, Amit A. Levy, and Henry M. Levy, USENIX Security Symposium (Usenix), 2009.

Presentation by Sruthi Chiluka

Page 2: Vanish: Increasing Data Privacy with Self-Destructing Data

University of Central Florida

Overview

Introduction
Example scenario
Goals
Other candidate approaches
Vanish implementation
DHT implementation
Types of DHT
Vanish applications
Conclusion

Page 3: Vanish: Increasing Data Privacy with Self-Destructing Data

INTRODUCTION

What is Vanish? - Vanish is a self-destructing data system that is broadly applicable in today's Web-centered world.

Users' sensitive data can persist in the cloud even after their accounts are terminated. With a self-destructing data framework, users regain control over confidential data such as e-mails, Facebook messages, or any other web content they create or post.

Page 4: Vanish: Increasing Data Privacy with Self-Destructing Data

Contd..

Vanish protects the privacy of past, archived data, such as copies of emails retained by the email provider, against legal, malicious, and accidental attacks.

All copies of the data, including the pristine copy, become unreadable after a specified period of time, without the user having to perform any action and without any third party being involved in the deletion.

Page 5: Vanish: Increasing Data Privacy with Self-Destructing Data

Example Scenario

How can Alice be sure that sensitive data sent over an electronic mail system is secure? Services may retain data long after the user tries to delete it.

Page 6: Vanish: Increasing Data Privacy with Self-Destructing Data

[Diagram: ISP]

Files/emails can re-emerge years later

It is possible to retrieve archived data months or years later. Emails are frequently cached or archived by the email provider on its local backup systems, by ISPs, and elsewhere. There is therefore a risk of future exposure to unintended parties.

Page 7: Vanish: Increasing Data Privacy with Self-Destructing Data

Goals

Destruction after timeout.

Accessible until timeout.

Leverage existing infrastructures.

No secure hardware.

No new privacy risks.

Page 8: Vanish: Increasing Data Privacy with Self-Destructing Data

Other Vulnerable Approaches

The most obvious approach is manual deletion, e.g., by installing a cron job.

Protection using PGP does not work against an adversary who can compel the user to hand over the private key.

Forward-secure encryption can be undermined by caching, backup archives, or court orders.

Page 9: Vanish: Increasing Data Privacy with Self-Destructing Data

Contd..

Ephemerizer solution - relies on an untrustworthy, centralized third-party service.

Page 10: Vanish: Increasing Data Privacy with Self-Destructing Data

Self-Destructing Data Model

[Diagram: ISP]

The file/document is destroyed after a specified timeout period, making all copies of the data unreadable, including the pristine copy.

Page 11: Vanish: Increasing Data Privacy with Self-Destructing Data

Vanish Data Object (VDO)

It encapsulates the user's data and prevents its content, when stored at intermediate hops, from becoming a source of retroactive attacks.

It becomes unreadable even if connectivity to the storage site is removed.

When the user encapsulates data in a VDO, he or she sets the approximate time period for which the VDO should remain readable.

Page 12: Vanish: Increasing Data Privacy with Self-Destructing Data

Vanish Implementation

Vanish leverages existing, decentralized, large-scale Distributed Hash Tables (DHTs).

Encrypt the data with a key and store the key in a high-churn, globally distributed DHT.

Once the timeout is reached, the key is erased from the DHT and lost forever. The data cannot be read without the key.

Page 13: Vanish: Increasing Data Privacy with Self-Destructing Data

What is a Distributed Hash Table (DHT)?

A distributed hash table runs on a peer-to-peer network (P2P: a decentralized and distributed network) and provides a lookup service similar to a hash table.

Each node in the network is associated with an index or node ID.

Using hashing, a node can find the index corresponding to a specific piece of content.

Numerous DHTs exist on the Internet, such as Vuze, Mainline, and KAD.

Page 14: Vanish: Increasing Data Privacy with Self-Destructing Data

DHT Implementation

[Diagram: hash table. A key (e.g., "John Smith") passes through a hash function that selects one of the buckets 00, 01, 02, 03, ..., 13, 14, 15; the bucket holds the value (e.g., "521-9876").]

Page 15: Vanish: Increasing Data Privacy with Self-Destructing Data

Vanish Usage of the DHT

Vanish takes data content D and encapsulates it into a VDO V.

It encrypts D with a random key K and produces ciphertext C.

It then splits the key K into N shares, say K1, K2, ..., KN.

After computing the shares, it picks a random access key L as the seed of a random generator to generate the indices I1, I2, ..., IN at which the shares are stored in the DHT.

The final VDO consists of (L, C, N, threshold).
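As an added illustration (not code from the paper or from the Vanish project), the following Python sketches the encapsulation described above: a random key K encrypts D, K is split into N shares with a threshold-t Shamir scheme, the access key L seeds the index generator, and the shares are stored at those indices in a DHT. The DHT and the stream cipher are constructed stand-ins; the Vuze-style timeout is simulated with an explicit clock so that decapsulation fails after expiry and also when churn drops more than N - t shares.

```python
import hashlib, os, random
P = 2**127 - 1  # prime field for the Shamir shares (constructed choice; the slides fix no field)

def _crypt(k, data):
    # Toy stream cipher: XOR with SHA-256(K || counter). Stands in for a real symmetric cipher.
    ks = b"".join(hashlib.sha256(k.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def split_key(k, n, t):
    """Shamir t-of-n sharing of K over GF(P): share x is (x, f(x)) with f(0) = K."""
    coeffs = [k] + [random.randrange(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]

def recover_key(shares):
    """Lagrange interpolation at x = 0 from any t distinct shares."""
    k = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        k = (k + yi * num * pow(den, P - 2, P)) % P
    return k

class FakeDHT:  # in-memory stand-in for Vuze: an entry expires `ttl` seconds after it is put
    def __init__(self, ttl): self.ttl, self.store = ttl, {}
    def put(self, idx, val, now): self.store[idx] = (val, now + self.ttl)
    def get(self, idx, now):
        entry = self.store.get(idx)
        return entry[0] if entry and now < entry[1] else None

def indices(L, n):
    rng = random.Random(L)  # access key L seeds the generator, so L alone re-derives I1..In
    return [rng.getrandbits(160) for _ in range(n)]

def encapsulate(dht, data, n, t, now):
    K = random.randrange(P)                      # random data key; no local copy is kept
    C = _crypt(K, data)
    L = os.urandom(16)
    for idx, share in zip(indices(L, n), split_key(K, n, t)):
        dht.put(idx, share, now)                 # share Ki is pushed to DHT index Ii
    return (L, C, n, t)                          # the VDO: (L, C, N, threshold)

def decapsulate(dht, vdo, now):
    L, C, n, t = vdo
    shares = [s for s in (dht.get(i, now) for i in indices(L, n)) if s is not None]
    if len(shares) < t:
        return None                              # below threshold: expired or too much churn
    return _crypt(recover_key(shares[:t]), C)
```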

Page 16: Vanish: Increasing Data Privacy with Self-Destructing Data

Vuze DHT versus OpenDHT

Vuze DHT: open to be joined by any user; millions of nodes, geographically distributed; high churn, with users leaving and entering the network; fixed 8-hour timeout.

OpenDHT: restricted membership; variable timeout of up to 1 week.

Page 17: Vanish: Increasing Data Privacy with Self-Destructing Data

How Data Timeout Works

The DHT nodes churn or internally cleanse themselves, thereby rendering the protected data unavailable over time.

It would be difficult to determine retroactively which nodes were responsible for storing a given piece of data in the past.

Key loss makes all copies of the data permanently unreadable.

Page 18: Vanish: Increasing Data Privacy with Self-Destructing Data

Defense against retroactive attacks

[Timeline along the time axis: upload data; copies archived; timeout; retroactive attack begins.]

Page 19: Vanish: Increasing Data Privacy with Self-Destructing Data

Vanish Applications

Firefox plug-in (included in the Vanish release)

Thunderbird plug-in (developed by the community two weeks after release)

Self-destructing files

Self-destructing trash bin

Page 20: Vanish: Increasing Data Privacy with Self-Destructing Data

Contd..

Page 21: Vanish: Increasing Data Privacy with Self-Destructing Data

VDO Decapsulated Prior to Expiration?

An attacker might try to obtain a copy of the VDO and break its privacy before it expires.

Further protect VDOs with traditional encryption schemes such as PGP/GPG, which are supported by the FireVanish application.

By the time the user is forced to furnish the PGP private keys, the VDO has expired.

Page 22: Vanish: Increasing Data Privacy with Self-Destructing Data

Performance Evaluation

Measurements use an Intel T2500 Core Duo with 2 GB RAM, Java 1.6, and a broadband network connection.

Storing 50 shares through a single Vuze DHT instance took 4 minutes; by employing several concurrent Vuze operations, the time could be lowered to 32 seconds for 50 shares.

The graph shows that getting DHT shares is relatively fast compared to storing VDOs.

Page 23: Vanish: Increasing Data Privacy with Self-Destructing Data

CONCLUSION

Disadvantages of Vanish:

Fixed-timeout challenges in the Vuze-based DHT.

For much larger data sizes, encryption/decryption becomes complicated.

No defense is provided against certain attacks, such as denial of service, which could prevent the data from being read for its entire lifetime.

Page 24: Vanish: Increasing Data Privacy with Self-Destructing Data

THANK YOU…