Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider

Ariel J. Feldman (Princeton / UPenn)
Joint work with: Aaron Blankstein, Michael J. Freedman, and Edward W. Felten

Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12

Online social networks are centralized

Pro: Availability, reliability, global accessibility, convenience
Con: 3rd party involved in every social interaction; must trust provider for confidentiality & integrity

Threats to confidentiality

• Theft by attackers
• Accidental leaks
• Privacy policy changes
• Government pressure
Sources pictured on the slide: Ars Technica, Mar. 11, 2011; EFF, Apr. 28, 2010; PC World, Dec. 6, 2011; WSJ, Feb. 22, 2012; Google Transparency Report, Jan.–Jun. 2011

Threats to integrity

Simple: Corrupting messages
Complex: Server equivocation (figure: the server shows Alice updates 1, 2, 3 but shows Bob 1, 3, 2)
Equivocation in the wild (e.g. to disguise censorship): http://songshinan.blog.caixin.com/archives/22322 (translated by Google)

Limits of prior work

1. Cryptographic: don't protect integrity
2. Decentralized: run your own server (sacrifice availability, convenience, etc.) OR trust a provider (who you may not know either)

Frientegrity’s approach

Benefit from a centralized provider
Support common features (e.g. walls, feeds, friends, FoFs, followers)
Assume untrusted provider
Figure: one provider serving several clients

Enforce confidentiality

Provider only observes encrypted data (need dynamic access control and key distribution)
Figure: the provider's servers hold only encrypted state, serving several clients

Verify integrity

Clients verify that the provider:
• Hasn't corrupted individual updates
• Hasn't equivocated
• Enforced access control on writes

Scalability challenges

Long histories (only want tail): don't verify whole history each time
Many objects (walls, comment threads, photos, etc.): support sharding
Many friends and FoFs: O(log n) "(un)friending"

Frientegrity overview

Figure: Alice's objects (profile, ACL, wall, photo album, comment thread) and Bob's profile are spread over Server 1 … Server n; the servers are checked for equivocation and optionally entangled.
Bob reads Alice's wall and receives 1. latest updates, 2. proof of no equivocation, 3. proof of ACL enforcement, 4. decryption keys; he then verifies & decrypts.

Detecting equivocation

• Enforce fork* consistency [LM07]
• Honest server: linearizability
• Malicious server: Alice and Bob detect equivocation after exchanging 2 messages
Compare histories (figure: Alice's history 1, 2, 3 vs. Bob's 1, 3, 2)
Provider can still fork the clients, but can't unfork

Comparing histories

Previously: use a hash chain over op_0 … op_7, h_n = H(h_{n-1} || op_n)
Hash chains are O(n) (and must download the whole history)

Objects in Frientegrity

History tree [CW09] over op_0 … op_15: h_root commits to entire history
h_i = H(h_leftChild(i) || h_rightChild(i))
Let C_15 be a server-signed commitment to h_root up to op_15

Objects (cont.)

Is C_8 consistent with C_15?
Figure: pruned history tree showing op_0, op_1, op_8, op_9, op_14, op_15
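The two "Objects" slides and the earlier "Detecting equivocation" / "Comparing histories" slides fit together in one small program. This is an added example, not code from the talk or from Frientegrity: a simplified history tree in the style of [CW09], the server's incremental proof between two commitments, and the check two clients run after exchanging their latest commitments. The tree depth, the EMPTY sentinel for not-yet-written subtrees, the "leaf"/"node" tags, the sample ops and all function names are assumptions made here; the server's signature on each C_v is left out.

```python
import hashlib

# Added example, not code from the talk or from Frientegrity: a simplified history tree in the
# style of [CW09]. DEPTH = 4 gives 16 leaves, matching op 0 .. op 15 on the slides. A subtree whose
# first leaf lies beyond the current version hashes to the constructed EMPTY sentinel, and the
# "leaf"/"node" tags are domain separation chosen here.
DEPTH = 4
N_LEAVES = 2 ** DEPTH
EMPTY = b"\x00" * 32


def H(*parts):
    """SHA-256 over the concatenation of the parts: the slides' H(a || b)."""
    return hashlib.sha256(b"".join(parts)).digest()


def subtree_hash(ops, lo, hi, version):
    """h_i = H(h_leftChild(i) || h_rightChild(i)) for the node covering leaves [lo, hi),
    as of `version` (ops 0..version have been appended)."""
    if lo > version:
        return EMPTY
    if hi - lo == 1:
        return H(b"leaf", ops[lo])
    mid = (lo + hi) // 2
    return H(b"node", subtree_hash(ops, lo, mid, version), subtree_hash(ops, mid, hi, version))


def commitment(ops, version):
    """C_version: h_root over ops 0..version (the server would sign this before returning it)."""
    return subtree_hash(ops, 0, N_LEAVES, version)


def incremental_proof(ops, v_old, v_new, lo=0, hi=N_LEAVES):
    """Server side: a pruned tree from which a client recomputes h_root at both v_old and v_new.
    A subtree that is frozen (all leaves <= v_old, or all leaves in (v_old, v_new]) is sent as one
    hash; a subtree straddling either boundary is expanded. Size is O(log n), not O(n)."""
    if lo > v_new:
        return None                                            # EMPTY in both views
    if hi - 1 <= v_old or (lo > v_old and hi - 1 <= v_new):
        return ("hash", subtree_hash(ops, lo, hi, v_new))
    mid = (lo + hi) // 2
    return ("node", incremental_proof(ops, v_old, v_new, lo, mid),
                    incremental_proof(ops, v_old, v_new, mid, hi))


def proof_size(proof):
    """Number of hashes the client downloads instead of the whole history."""
    if proof is None:
        return 0
    return 1 if proof[0] == "hash" else proof_size(proof[1]) + proof_size(proof[2])


def root_from_proof(proof, version, lo=0, hi=N_LEAVES):
    """Client side: recompute h_root at `version` from the pruned tree. A pruned hash for a
    subtree that was not yet frozen at `version` is rejected, since the server could hide ops
    behind it, and a malformed proof is rejected rather than recursed into."""
    if proof is None or lo > version:
        return EMPTY
    if proof[0] == "hash":
        if hi - 1 > version:
            raise ValueError("pruned subtree is not frozen at version %d" % version)
        return proof[1]
    if hi - lo == 1:
        raise ValueError("malformed proof: a leaf cannot be expanded")
    mid = (lo + hi) // 2
    return H(b"node", root_from_proof(proof[1], version, lo, mid),
                      root_from_proof(proof[2], version, mid, hi))


def consistent(c_old, v_old, c_new, v_new, proof):
    """The check two clients run after exchanging their latest signed commitments, e.g. Alice's
    C_8 against Bob's C_15: one pruned tree must reproduce both. False means equivocation."""
    try:
        return (root_from_proof(proof, v_old) == c_old
                and root_from_proof(proof, v_new) == c_new)
    except ValueError:
        return False


# Constructed sample history op 0 .. op 15, as on the slides, and the honest server's proof.
OPS = [("op %d" % i).encode() for i in range(16)]
C_8, C_15 = commitment(OPS, 8), commitment(OPS, 15)
HONEST_PROOF = incremental_proof(OPS, 8, 15)

# A forked view: the server quietly replaced op 5 in the history it shows Bob.
FORKED = OPS[:5] + [b"censored"] + OPS[6:]
FORKED_C_15 = commitment(FORKED, 15)
FORKED_PROOF = incremental_proof(FORKED, 8, 15)
```

With this layout the honest proof between C_8 and C_15 carries five hashes, while the forked history cannot produce any pruned tree that reproduces Alice's C_8, so `consistent(...)` returns False and the clients have detected the fork. The two `ValueError` branches in `root_from_proof` are the part most easily forgotten in practice: without them a server could send a single root hash (or an endlessly nested proof) and the check would either accept a hidden history or never terminate.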

Verifying an object

Clients collaborate to verify the history
Figure: op_0 … op_15 written by Alice, Bob and Charlie, with commitments C_0, C_4, C_8, C_11
Is C_11 consistent with C_15?

Tolerating malicious users

Tolerate up to f malicious users
Figure: Alice's ops and Charlie's ops among op_0 … op_15, with commitments C_1 and C_9

Access control

Prove ACL enforcement
Efficient key distribution: O(log n) "(un)friending"
Figure: server holding Alice's ACL, wall, photo album and comment thread; Bob verifies & decrypts

Proving ACL enforcement

Persistent authenticated dictionary [AGT01] over Alice's ACL (David, Bob, Sean, Emma, Alice, Charlie)
h_i = H(h_leftChild(i) || h_rightChild(i)), h_root signed by Alice
Figure: the server proves ACL enforcement to Bob, who verifies & decrypts
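A worked version of the ACL proof on this slide, added here and not taken from the talk or from Frientegrity's code: a sorted Merkle dictionary over Alice's ACL stands in for the persistent authenticated dictionary [AGT01] (persistence, i.e. proofs against earlier versions of the ACL, is left out). The server attaches a membership proof to each write, and a reader checks it against the root Alice signed; here the client simply holds that trusted root, and the permission strings, padding sentinel and function names are assumptions made for the example.

```python
import hashlib

# Added example, not code from the talk or from Frientegrity: a sorted Merkle dictionary over
# Alice's ACL standing in for the persistent authenticated dictionary [AGT01]. The padding
# sentinel, the "leaf"/"node" tags and the permission strings are choices made here.
EMPTY = b"\x00" * 32


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_hash(entry):
    name, permission = entry
    return H(b"leaf", name.encode(), b"\x00", permission.encode())


def build_levels(acl):
    """Every level of the tree, leaves first. Entries are sorted by name so each (name,
    permission) pair has one fixed position; h_i = H(h_leftChild(i) || h_rightChild(i)) as on
    the slides. Odd levels are padded in place with EMPTY so every node has a sibling."""
    level = [leaf_hash(e) for e in sorted(acl)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level.append(EMPTY)
        level = [H(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def acl_root(acl):
    """h_root of the ACL. Alice signs this; readers keep the signed copy."""
    return build_levels(acl)[-1][0]


def membership_proof(acl, name):
    """Server side: the entry for `name`, its leaf index and the sibling hash at each level."""
    levels = build_levels(acl)
    entries = sorted(acl)
    idx = [n for n, _ in entries].index(name)              # ValueError if name is not in the ACL
    siblings = [levels[d][(idx >> d) ^ 1] for d in range(len(levels) - 1)]
    return entries[idx], idx, siblings


def verify_membership(signed_root, entry, idx, siblings):
    """Client side: hash the claimed entry up through its siblings and compare with Alice's root."""
    h = leaf_hash(entry)
    for d, sib in enumerate(siblings):
        h = H(b"node", h, sib) if (idx >> d) % 2 == 0 else H(b"node", sib, h)
    return h == signed_root


def prove_write(acl, writer):
    """Server side: the proof attached to a write on Alice's wall, or None if it must be rejected."""
    try:
        return membership_proof(acl, writer)
    except ValueError:
        return None


def check_write_proof(signed_root, writer, proof):
    """Client side (Bob, reading Alice's wall): accept an update only if its proof names the
    writer, grants write permission and hashes up to the root Alice signed."""
    if proof is None:
        return False
    entry, idx, siblings = proof
    return entry == (writer, "write") and verify_membership(signed_root, entry, idx, siblings)


# Constructed sample ACL: the names come from the slides, the permissions are made up here.
ACL = [("Alice", "write"), ("Bob", "write"), ("Charlie", "read"), ("David", "read"),
       ("Emma", "read"), ("Sean", "write")]
SIGNED_ROOT = acl_root(ACL)          # stands in for the root Alice has signed
```

The point of checking `entry == (writer, "write")` as well as the hash path is that a proof is only evidence about the entry it was generated for: a valid path for Bob's entry says nothing about a write attributed to someone who is not in the ACL, and the reader must bind the proof to the writer named on the update itself.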

Efficient key distribution

Key graph [WGL98] over Alice's friends (David 0, Bob 1, Sean 2, Alice 3, Charlie 4, Emma 5); k_0 = k_alice_friend
An interior key is encrypted under its children's keys, e.g. E_k3(k_1) || E_k4(k_1), and a friend's own key under that friend's public key, e.g. E_charlie_pk(k_4)
Figure: the server stores these ciphertexts alongside Alice's ACL, wall, photo album and comment thread; Bob verifies & decrypts

Adding a friend

Figure: Zack is added with key k_6, delivered as E_zack_pk(k_6); k_2 is re-encrypted under k_5 and k_6 as E_k5(k_2) || E_k6(k_2)
ACL after the change: Alice k_3, Bob k_1, Charlie k_4, David k_0, Emma k_5, Sean k_2, Zack k_6

Removing a friend

Figure: Bob is removed and the keys on his path are replaced: k_1 becomes k_1' and k_0' = k_alice_friend' (David now holds k_0'); Sean k_2, Alice k_3, Charlie k_4, Emma k_5, Zack k_6 are unchanged
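The three slides above (key distribution, adding Zack, removing Bob) as one added Python example; this is not the talk's or Frientegrity's own code. It is an LKH-style key tree in the spirit of [WGL98]: every friend holds the keys on the path from their leaf to the root, so adding or removing a friend touches one path and costs O(log n) ciphertexts. The heap numbering, the fixed depth, the toy XOR "wrap" standing in for E_k(.) and E_pk(.), and the class and function names are all assumptions made here.

```python
import hashlib
import os

# Added example, not code from the talk or from Frientegrity: an LKH-style key graph [WGL98] for
# Alice's friend list. Heap layout: node 0 is the root (the slides' k_0 = k_alice_friend), node i
# has children 2i+1 and 2i+2, and friends occupy the leaves.
DEPTH = 3
FIRST_LEAF = 2 ** DEPTH - 1
LEAVES = range(FIRST_LEAF, 2 * FIRST_LEAF + 1)


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def toy_wrap(wrapping_key, key):
    """CONSTRUCTED TOY standing in for the slides' E_k(.) and E_pk(.): XOR with a keyed pad.
    It shows who can recover which key; it is not a real encryption scheme."""
    return bytes(a ^ b for a, b in zip(key, H(b"wrap", wrapping_key)))


toy_unwrap = toy_wrap                      # XOR is its own inverse


class KeyGraph:
    """Alice's side. The server only relays the (node, wrapped_under, ciphertext) tuples."""

    def __init__(self):
        self.keys = {}                     # node index -> current key
        self.leaf_of = {}                  # friend name -> leaf index

    def _rekey_path(self, leaf):
        """Fresh key for every ancestor of `leaf`, each wrapped under the keys of that node's
        existing children. Bottom-up, so a child key used for wrapping is already the new one."""
        msgs, node = [], leaf
        while node != 0:
            node = (node - 1) // 2
            self.keys[node] = os.urandom(32)
            for child in (2 * node + 1, 2 * node + 2):
                if child in self.keys:
                    msgs.append((node, child, toy_wrap(self.keys[child], self.keys[node])))
        return msgs

    def add_friend(self, name, friend_pk):
        """The slides' E_zack_pk(k_6) followed by E_k5(k_2) || E_k6(k_2): the newcomer gets a leaf
        key under their public key, and the path is rekeyed so earlier content stays unreadable."""
        leaf = next(l for l in LEAVES if l not in self.leaf_of.values())
        self.leaf_of[name] = leaf
        self.keys[leaf] = os.urandom(32)
        return [(leaf, ("pk", name), toy_wrap(friend_pk, self.keys[leaf]))] + self._rekey_path(leaf)

    def remove_friend(self, name):
        """Drop the leaf, then rekey its path; the ex-friend holds none of the wrapping keys."""
        leaf = self.leaf_of.pop(name)
        del self.keys[leaf]
        return self._rekey_path(leaf)


class Friend:
    """A friend's client; it learns keys only by unwrapping relayed ciphertexts."""

    def __init__(self, name):
        self.name, self.pk, self.keys = name, os.urandom(32), {}    # pk: stand-in for a keypair

    def receive(self, msgs):
        # With real authenticated encryption a stale key fails to decrypt; the toy XOR yields
        # garbage instead, so demo() compares each client's k_0 against Alice's current one.
        for node, under, ct in msgs:
            if under == ("pk", self.name):
                self.keys[node] = toy_unwrap(self.pk, ct)
            elif isinstance(under, int) and under in self.keys:
                self.keys[node] = toy_unwrap(self.keys[under], ct)


def demo():
    """Add the six friends from the slides plus Zack, then remove Bob. Returns the number of
    ciphertexts each change cost and which clients end up holding Alice's current k_0."""
    graph = KeyGraph()
    friends = {n: Friend(n) for n in ["David", "Bob", "Sean", "Alice", "Charlie", "Emma", "Zack"]}
    cost = {}
    for name in friends:
        msgs = graph.add_friend(name, friends[name].pk)
        cost["add " + name] = len(msgs)
        for f in friends.values():
            f.receive(msgs)
    msgs = graph.remove_friend("Bob")
    cost["remove Bob"] = len(msgs)
    for f in friends.values():
        f.receive(msgs)
    holds_k0 = {n: f.keys.get(0) == graph.keys[0] for n, f in friends.items()}
    return cost, holds_k0
```

Removing Bob costs five ciphertexts here (one at his parent, two at each higher level) regardless of how many other friends exist, and every remaining friend recovers the new k_0 from keys they already hold while Bob, who still has his old path keys, cannot. In a deployment the wrap must be an authenticated encryption so that unwrapping under a stale or wrong key fails loudly rather than silently producing a bogus key.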

Efficient enough in practice?

Setup
• Java client & server
• Simulate basic Facebook features (each user has wall & ACL)
• 2048-bit RSA sign & verify batched via spliced signatures [CW10]
• Experiments on LAN (8-core 2.4 GHz Intel Xeon E5620s, Gigabit network)
Measurements
• Latency of reads & writes to objects
• Latency of ACL changes
• Throughput (in paper)
• Effect of tolerating malicious users

Object read & write latency

Figure: latency of Frientegrity (collaborative verification) vs. a hash chain; the constant cost of signatures dominates

Latency of ACL changes


Tolerating malicious users

• 50 writers
• 5000 operations

Summary

Both confidentiality & integrity need protection
Benefit from centralization, but provider is untrusted
Clients collaborate to defend against equivocation
Scalable, verifiable access control & key distribution

Thank you

Questions?

http://arifeldman.com

[email protected]
