New Cryptographic Protocols for Data Confidentiality
Sergiu Costea, University POLITEHNICA of Bucharest
Scientific Adviser: Prof. Nicolae Țăpuș

Fact: attackers are powerful, widespread entities with an abundance of resources
Need: better security algorithms
Goal: improve confidentiality and privacy with new algorithms
• Efficient, usable, provably secure

Contributions
• Privacy algorithms with smaller errors for sequential records
• Formal definitions and protocols for code confidentiality
• Confidentiality for network traffic in the presence of strong adversaries

Privacy for sequential data
• S. Costea, G. Ghinita, R. Rughinis, and N. Tapus. Reduced Relative Errors for Short Sequence Counting with Differential Privacy, 20th International Conference on Control Systems and Computer Science, Bucharest, 2015.
• S. Costea and N. Țăpuș. Solving the Top-K problem for Sequence Counting Using Differential Privacy, 14th RoEduNet International Conference - Networking in Education and Research (NER'2015), 2015.

Databases with sequences
• Used to store historical data:
  • Location history
  • Browsing history
  • Network logs
• Counting frequencies is useful:
  • Avoiding traffic jams
  • Improving user interfaces
  • Discovering traffic anomalies
• Risk: disclosing frequencies can compromise privacy

Subsequence counting

Name   Location history
A      Grozăvești – Politehnica
B      Grozăvești – Eroilor – Politehnica
C      Grozăvești – Eroilor – Politehnica
D      Politehnica – Eroilor – Izvor
...    ...

Sequence                 Frequency
Grozăvești               3
Eroilor                  3
Eroilor – Politehnica    2
Izvor – Eroilor          0
...                      ...

Summaries leak information

Name   Location history
A      Grozăvești – Politehnica
B      Grozăvești – Eroilor – Politehnica
C      ???
D      Politehnica – Eroilor – Izvor

Sequence                 Frequency
Eroilor – Politehnica    2

Conclusion: User C location history includes sequence Eroilor – Politehnica (A and D do not contain the sequence and B contains it once, so the second occurrence must belong to C)

Differential privacy
• Differential privacy algorithms can mitigate privacy risks by altering frequencies with noise
• Drawback: resulting frequencies exhibit high relative errors
• Contribution: new algorithm which reduces relative errors without lowering privacy

Differential privacy

Name   Location history
A      Grozăvești – Politehnica
B      Grozăvești – Eroilor – Politehnica
C      ???
D      Politehnica – Eroilor – Izvor

Sequence                 Frequency
Eroilor – Politehnica    9   (9 = 2 + noise)

Prevent information leaks by injecting random noise into results

How do we distribute noise?
• Differential privacy algorithms try to inject the minimum amount of noise that ensures privacy
• Chen's algorithm – uses Markov chains to estimate noise distribution

Sequence                 Frequency
Grozăvești               3
Eroilor                  3
Eroilor – Politehnica    2
Grozăvești – Eroilor     0
...                      ...
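To make the leak on the "Summaries leak information" slide and the relative-error drawback concrete, the following Python example is added here (it is not part of the original presentation): it counts the subsequence frequencies from the table, checks that an exact release of the Eroilor – Politehnica count reveals user C's history, and measures the mean relative error of Laplace noise on a true count of 2 versus 20. Sensitivity 1 per count and ε = 1 are assumptions made for the illustration only.

```python
import random

# Constructed sample data: the four location histories from the slides
# (user C's row is the one the "Summaries leak information" slide hides).
HISTORIES = {
    "A": ["Grozăvești", "Politehnica"],
    "B": ["Grozăvești", "Eroilor", "Politehnica"],
    "C": ["Grozăvești", "Eroilor", "Politehnica"],
    "D": ["Politehnica", "Eroilor", "Izvor"],
}

def contains(history, pattern):
    """True if pattern occurs as a contiguous run inside history."""
    n = len(pattern)
    return any(history[i:i + n] == pattern for i in range(len(history) - n + 1))

def count_sequence(histories, pattern):
    """Frequency of pattern: number of users whose history contains it."""
    return sum(contains(h, pattern) for h in histories.values())

def exact_release_leaks(histories, pattern, user):
    """Given the other users' histories, an exact count decides whether
    `user` contains the pattern: the inference the slides illustrate."""
    others = {k: v for k, v in histories.items() if k != user}
    return count_sequence(histories, pattern) - count_sequence(others, pattern) == 1

def laplace_count(true_count, epsilon, rng, sensitivity=1.0):
    """Laplace mechanism: true_count + Lap(b) with b = sensitivity / epsilon.
    Lap(b) is drawn as the difference of two Exp(rate 1/b) samples.
    Sensitivity 1 per count is an assumption made for this illustration."""
    b = sensitivity / epsilon
    return true_count + rng.expovariate(1 / b) - rng.expovariate(1 / b)

def mean_relative_error(true_count, epsilon, rng, trials=20000):
    """Average |noisy - true| / true over repeated releases. In expectation
    this is b / true_count, so one noise scale hurts rare sequences most."""
    err = sum(abs(laplace_count(true_count, epsilon, rng) - true_count)
              for _ in range(trials))
    return err / trials / true_count

if __name__ == "__main__":
    rng = random.Random(2015)
    ep = ["Eroilor", "Politehnica"]
    print("Eroilor - Politehnica frequency:", count_sequence(HISTORIES, ep))
    print("exact release reveals user C:", exact_release_leaks(HISTORIES, ep, "C"))
    for n in (2, 20):
        mre = mean_relative_error(n, 1.0, rng)
        print(f"true count {n:2d}: mean relative error {mre:.2f}")
```

With the same noise scale, the count of 2 sees roughly ten times the relative error of the count of 20, which is the disparity the RBA budget allocation below is designed to reduce.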
[Figure: two prefix trees over the nodes G, E, P, I with noisy per-node counts (C = -1, C = 3, C = 1 and C = -1, C = 4, C = 1, C = 2)]
• Drawback: the same noise is distributed to low frequency nodes and high frequency nodes -> high relative errors

Our solution: Recursive Budget Allocation (RBA) Algorithm
[Figure: pipeline Sequences -> Compute counts -> Subsequence frequencies -> Recursive local optimum -> Compute noise scale, shown against Chen's Algorithm; example nodes annotated with 500% noise, no noise injected, 125% noise]

RBA Local Optimum Algorithm
• Iteratively applied over nodes in the tree
• Computes a local optimum that minimizes average relative errors in each dotted rectangle (rectangles 1, 2, 3 in the figure)
• x – mean noise for parent noise injection in phase 2
• P – parent; C_i – children; c(·) – 1st phase count
• α = 1 / c(P)
• β – a sum over i = 1..n involving c(C_i) [the summand is not legible on the slide]
• x – defined on the slide in terms of 1, α − β, ε_LOA and α − αβ [the fraction layout is not legible on the slide]

Results – Mean relative error

Sequence length   Chen's Algorithm   RBA
2                 7.64%              3.15%
3                 17.61%             13.27%
4                 14.34%             12.15%
5                 11.17%             10.12%

• Takeaway:
  • RBA achieves better utility without compromising privacy
  • RBA achieves better privacy while providing the same utility

Code confidentiality
• S. Costea and B. Warinschi. Secure Software Licensing: Models, Constructions, and Proofs, 2016 IEEE 29th Computer Security Foundations Symposium (CSF), Lisbon, 2016.

Contribution
• Applications often run in the cloud
• Data and code are exposed to the cloud service provider
• New hardware like SGX allows trusted execution environments with encrypted code
• Code is encrypted/decrypted on the fly when in the CPU
• What meaningful security properties can we achieve for code confidentiality during execution?

Remote execution
[Figure: the circuit C is compiled on the local side (step usually performed offline) into a program P for encrypted memory and a loader stub for normal memory on the remote side; the local side holds the key K and the token T]
[Figure: at run time the remote loader stub presents Sign_CPUKEY(T, ctxt) to the local side holding K; the code runs in encrypted memory]

Definition 1: Circuit privacy
• Virtual black box: | Pr[A(P, T) = w(C)] − Pr[S^C(1^{|C|}) = w(C)] | ≤ negl.
• Adversary A with access to P and T cannot extract more information about C than an algorithm with only black box access to C
[Figure: black box C with an input "in" and an output "out"]

Definition 2: Preserve functionality
• P = 0* satisfies the previous definition (no information about C is leaked)
• P must behave the same as C if no one interferes with the execution, the token T is input correctly and no restrictions are active
• Possible restrictions:
  • Limited number of executions
  • Limited number of activated machines

Definition 3: Licensing compliance
• Example: Pr[ A(P, T) ⇒ O : ∀(i, o) ∈ O, C(i) = o ∧ |O| > 5 ] ≤ negl.
• Adversary A with access to P and T, where the system restricts P to 5 executions, cannot obtain more than 5 valid input and output pairs
• Generalization can be found in the thesis

Conclusion
• Formal properties for code confidentiality did not exist
• Classic confidentiality does not suffice because code produces side effects
New Definitions
D1. Circuit Privacy
D2. Preserve Functionality
D3. License Compliance (Function privacy)

Secure Multipath Communications
• S. Costea, M. Choudary, and C. Raiciu. Security from Disjoint Paths: Is It Possible?, SPW 2017 (accepted).
• S. Costea, M. Choudary, and C. Raiciu. Practical and secure multipath communications (submitted at USENIX Security).

Motivation
• A lot of Internet traffic is still not encrypted (~40%)
• Massive surveillance is a reality
• (Even secure traffic has issues, e.g. TLS)
[Figure: Client – LTE cell tower – Mobile ISP – Core ISP – Server]

Single path limitations
• Diffie-Hellman Key Exchange is vulnerable to MITM
[Figure: the Client generates a and sends g^a, the Server generates b and sends g^b; an attacker on the path replaces both with its own values, so the Server computes k = g^{xb} and the Client computes k = g^{xa} instead of the intended (g^b)^a = (g^a)^b]

Multipath communications
• Many client devices have multiple paths to a server
• Goal: new protocols that improve security by using multiple paths
[Figure: the Client reaches the Server over two paths, LTE cell tower – Mobile ISP – Core ISP and WiFi AP – Campus ISP; the attacker compromises only one path]

Active and passive attackers
[Figure: Client – Server with a passive (P) attacker on one path and an active (A) attacker on the other]
• P/A notation – the attackers cannot synchronize during the attack
• P-A notation – the attackers can synchronize during the attack

Threat Hierarchy
• Secure Multipath Key Exchange Protocol (SMKEX): P/P, P-P, P/A, P-A, A/A
• A-A: impossible
• Secure Multipath Data Transfer Protocol (SMDT) can detect or make attackers incur costs (but leaks plaintext)

SMKEX
[Figure: message flow between Client and Server over two paths: g^a, N_C; g^b, N_S; N_C; AEnc_K(H(g^a, g^b, N_S, N_C))]

SMKEX overhead
[Figure: SMKEX overhead]

MTLS
• TLS relies on certificates, but certificates can be easily forged (rogue CAs, leaked private keys, malicious local certificate caches)
• Our solution: Multipath TLS
• Combines TLS 1.3 and SMKEX
• Attackers must both forge the certificate and synchronize actively across multiple paths
• Does not increase the number of round trips and adds negligible processing overhead

Disjoint paths are needed
[Figure: Client – Server; the two paths share a segment, which is a single point of failure]

Building disjoint paths
[Figure: Path 1 runs directly from the Client to the Server; Path 2 runs from the Client through the Client's VM to a Server Proxy over a self-signed secure tunnel and then to the Server]

Secure Multipath Data Transfer (SMDT)
[Figure: the Client generates K_T and computes (Tag, Ctext) ← AEnc_{K_E ⊕ K_T}(m); Ctext travels directly to the Server, while (K_T, Tag) travels through the Client's VM and the Server Proxy tunnel]
• Can detect attackers by monitoring latency, but leaks the first message and is vulnerable to forging

SMDT – Latency analysis
[Figure: data transfer duration using SMDT and trans-atlantic tunnels]

Conclusion
• SMKEX provides secure communications against all attackers except A-A, improving on state of the art solutions like Tcpcrypt
• MTLS offers both the benefits of TLS 1.3 and SMKEX
• SMDT can detect A-A attackers, but has security limitations

Acknowledgment
• The work has been funded by the Sectoral Operational Programme Human Resources Development 2007-2013 of the Ministry of European Funds through the Financial Agreement POSDRU/159/1.5/S/134398
• The Scalable and Secure Infrastructures for Cloud Operations (SSICLOPS, pronounced "cyclops") project focuses on techniques for the management of federated private cloud infrastructures, in particular cloud networking techniques within software-defined data centres and across wide-area networks. SSICLOPS is funded by the European Commission under the Horizon2020 programme.

Publications
1. S. Costea, M. Choudary, and C. Raiciu. Security from Disjoint Paths: Is It Possible?, SPW 2017 (accepted).
2. V. Ghiță, S. Costea, and N. Țăpuș. Implementation of Cryptographically Enforced RBAC, UPB Scientific Bulletin, 2017 (accepted).
3. S. Costea and B. Warinschi. Secure Software Licensing: Models, Constructions, and Proofs, 2016 IEEE 29th Computer Security Foundations Symposium (CSF), Lisbon, 2016.
4. L. Gheorghe, D. Dragomir, S. Costea, and A. Radovici. A Survey on Secure Communication Protocols for IoT Systems, Workshop on Secure Internet of Things, Invited Paper, Heraklion, 2016.
5. S. Costea and N. Țăpuș. Solving the Top-K problem for Sequence Counting Using Differential Privacy, 14th RoEduNet International Conference - Networking in Education and Research (NER'2015), 2015.
6. A. Ciocan, S. Costea, and N. Țăpuș. Implementation and Optimization of a Somewhat Homomorphic Encryption Scheme, 14th RoEduNet International Conference - Networking in Education and Research (NER'2015), 2015.
7. S. Costea and N. Tapus. Input Validation for the Laplace Differential Privacy Mechanism, 20th International Conference on Control Systems and Computer Science, Bucharest, 2015.
8. S. Costea, G. Ghinita, R. Rughinis, and N. Tapus. Reduced Relative Errors for Short Sequence Counting with Differential Privacy, 20th International Conference on Control Systems and Computer Science, Bucharest, 2015.
9. S. Costea, D. M. Barbu, C. Muraru, and R. Rughinis. Resource Allocation Heuristics for the miriaPOD Platform, 12th RoEduNet Conference: Networking in Education and Research, 2013.
10. S. Costea, D. M. Barbu, and R. Rughinis. Qualitative analysis of differential privacy applied over graph structures. 11th RoEduNet Conference: Networking in Education and Research, 2013.
11. D. M. Barbu, S. Costea, and R. Rughiniș. Performance evaluation and optimizations of hidden vector encryption. 11th RoEduNet Conference: Networking in Education and Research, 2013.
12. S. Costea, D. M. Barbu, G. Ghinita, and R. Rughiniș. Comparative Evaluation of Private Information Retrieval Techniques in Location-Based Services. Intelligent Networking and Collaborative Systems (INCoS), 2012.
13. S. Costea, V. Dumitrescu, R. Rughinis, and M. Bucicoiu. MiriaPOD: A distributed solution for virtual network topologies management. 10th RoEduNet Conference: Networking in Education and Research, 2011.

Contributions
• Privacy algorithms for sequential records with reduced errors
• Algorithms for code confidentiality during remote execution
• Confidentiality for network traffic in the presence of strong adversaries
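Returning to the "Single path limitations" and SMKEX slides: the following Python simulation is an added example, not the authors' implementation and not the protocol as specified in their paper. It models the slide's message flow with a toy Diffie-Hellman group, assumes the DH values travel on path 1 and the nonce N_C plus the confirmation AEnc_K(H(g^a, g^b, N_S, N_C)) on path 2, stands in an HMAC under the shared key for AEnc_K, and assumes an attacker that is active on path 1 and only passive on path 2 (the P/A case); it shows that the single-path MITM from the Diffie-Hellman slide is caught by the path-2 confirmation.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (a Mersenne prime; NOT a secure group).
P = 2**61 - 1
G = 3

def h(*parts):
    """The slide's H(g^a, g^b, N_S, N_C), rendered as SHA-256 over the fields."""
    return hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()

def confirm_tag(key, transcript):
    """Path-2 confirmation. HMAC under the DH key stands in for AEnc_K (assumption)."""
    return hmac.new(str(key).encode(), transcript, "sha256").digest()

def smkex(path1_attacker=None):
    """One run of the two-path exchange modelled on the SMKEX slide.
    path1_attacker(value) may rewrite anything crossing path 1; path 2 is
    only observed. Returns True if both sides accept (attacker unnoticed)."""
    tamper = path1_attacker or (lambda v: v)
    a, n_c = secrets.randbelow(P - 2) + 1, secrets.token_hex(8)
    b, n_s = secrets.randbelow(P - 2) + 1, secrets.token_hex(8)
    ga, gb = pow(G, a, P), pow(G, b, P)
    # path 1: client -> server (g^a, N_C); server -> client (g^b, N_S)
    ga_srv, n_c_srv = tamper(ga), tamper(n_c)
    gb_cli, n_s_cli = tamper(gb), tamper(n_s)
    # path 2: client re-sends N_C; server binds its view of the exchange to K
    if n_c_srv != n_c:  # modelling choice: both copies of N_C must agree
        return False
    k_srv = pow(ga_srv, b, P)
    tag = confirm_tag(k_srv, h(ga_srv, gb, n_s, n_c))
    # client checks the path-2 tag against its own view under its own key
    k_cli = pow(gb_cli, a, P)
    expected = confirm_tag(k_cli, h(ga, gb_cli, n_s_cli, n_c))
    return hmac.compare_digest(tag, expected)

def mitm_path1():
    """The single-path MITM from the Diffie-Hellman slide: every group element
    crossing path 1 is swapped for the attacker's own g^x."""
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)
    return lambda v: gx if isinstance(v, int) else v
```

An attacker who could also rewrite path 2 in step with the path-1 substitution (the A-A case) could replace the tag as well, which is why the slides list A-A as impossible for SMKEX.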