Security in distributed systems and Distributed methods in security

1
Security in distributed systemsandDistributed
methods in security
Security
Lets vote

• Dahlia Malkhi
• The Hebrew University of Jerusalem
• Porquerolles Spring School

2
Practical survivability in distributed systems
3
Data-centric replication
No server-to-server comm NR-arbitrary failures
No client-to-client comm Bounded, unknown number
of clients
4
Architecture
Reliable shared object
Fail-prone storage units
Coordination
5
Motivation for data-centric model

• Storage Area Network (SAN)
• Scalable dynamic fault-tolerant services (e.g.,
  Fleet)
• Replication groups are created on-the-fly by
  clients out of dynamic server universe
• Servers need neither monitor nor be aware of each
  other
• Accommodates Byzantine failures
• Database servers
• Client-server middleware

6
Data-centric replication
Persistent object servers
Server 1
Server 3
Server 2
Server 4
Server 5
No centralized management No locking No
server-to-server interaction No client-to-client
interaction Quorum tuning - benign/Byzantine
faults - strict/probabilistic
guarantees Simple, secure, modular
Q-RPC
Q-RPC
Object-stub
Object-stub
application
application
Client 1
Client 2
7
Replication models
8
Some design choices

• Scale
• Survivability
• Trusted clients

9
Why scalability?

• Yesterday
• NFS
• Fault tolerant replicated file system (cluster)
• Four computers flying a shuttle
• Today
• Digital archiving Andersons Eternity
• Ubiquitous computing
• Peer-to-peer resource sharing
• eCommerce and eApplication on the Internet

A mobile user
10
Why survivability?

• Yesterday
• Closely coupled, locally administered system
• Today
• Wide spread computing
• Internet hackers
• More

11
(No Transcript)
12
(No Transcript)
13
Survivable systems

• The last frontier of protection
• Component penetrations will occur, so we should
  build systems to anticipate them
• Survivable system makes meaningful progress when
  components fail to behave as expected, even when
  they conspire to undermine the operation of the
  system as a whole

14
(No Transcript)
15
Could clients be faulty?

• Benign faults yes
• Byzantine faults no
• Employ access control
• If bypassed, who cares?
• A malicious client can mess up the data anyway

16
Summary of design choices

• Scaling
• thousands of servers, millions of clients
• Survivability
• Servers may be penetrated, hence use voting
• Trusted clients

17
Byzantine quorum systems example Malkhi and
Reiter 98

• At most one server can be penetrated
• Read/write safe register

18
Byzantine quorum systems example

• At most one server can be penetrated
• Read/write safe register

19
Masking quorums

• A b-masking quorum system over a universe U of
  servers is a set such that

• Justification let B be set of actually faulty
  servers

20
Replication using masking quorum systems

• Write(v)
• Read timestamps from quorum
• Choose higher, unique timestamp
• Read()
• Read (value, timestamp) pairs from quorum
• Identify correct values that appear b1
  identical times
• Return highest-timestamp correct value

21
Byzantine Quorums - surprisingly
efficientMalkhi, Reiter and Wool 98
22
Quorums can be surprisingly efficient
23
Universal/atomic data emulation
High-level Reliable obj
Fail-prone disks
24
Identifying an agreement building block
Propose(V) Begin RMW if (val
) valV return val End RMW
consensus
RMW

• Agreement is trivial with a single RMW
• RMW cannot be emulated out of faulty memory
  objects of any type Jayanti, Chandra, Toueg 9?

25
Weaker shared objects

• Consensus is not solvable if even a single
  process can fail by crashing in
• Asynchronous shared memory system with
  read/write registers
• Asynchronous message passing system (FLP)
• so any object that can be emulated by fail-prone
  shared-memory is too weak

26
The Approach Lamport 98
PAXOS

• Assume a weak leader election primitive
• Eventually there is a unique leader
• ? failure detector, partially synchronous/timed
  asynchronous systems, etc.
• To order operations, the leader invokes an
  instance of the agreement protocol
• Never disagree on the operation order
• Might fail to make progress if there is no unique
  leader

27
Agreement with R/W registersGafni Lamport
Disks
1
2
3
1
ltv,r,Rgt
ltv,r,Rgt
ltv,r,Rgt
2
processes
3
4
5
Process i can write blockij, for each disk
j Process i can read blockij, for all i, j
28
Unknown clients

• Consider the same shared memory system with an
  unknown number of processes
• There might be a bound but it is unknown
• The process ids are unknown
• Assume there are no client faults
• Can you solve Consensus using a finite number of
• R/W registers? No!
• RMW registers
• Wait-free solution
• Eventual leader
• R/W registers? No!
• RMW registers

29
Identifying an agreement building-block
30
Adding Ranks (ballots)
31
Ranked Register Boichat et al. 02, Chockler and
Malkhi 02

• The interface
• rr-read(R), returns ltr,vgt
• rr-write(R,v), commits or aborts

• The Paxos Agreement
• Collect proposals with a rank
• Make a new proposal with a rank

• If rr-write with rank R1 commits, then rr-read
  with rank R2gtR1 must see it
• return the value written by this rr-write (or by
  a write with rank Rgt R1)

32
Agreement using RR
Shared A single ranked register propose(inp) wh
ile (true) do choose a unique monotonically
increasing rank R ltr,vgtrr-read(R) if
(v ) vinp if (rr-write(R,v)
commit) return v od
33
Why is this working?
34
The complete system
RR
RR
35
Implementability of RR
36
Active disk PaxosChockler Malkhi

• Paxos with infinitely many processes based on new
  ranked register abstraction
• Fault-tolerant replication in SANs
• Fault-tolerant client/server applications
• Extensions
• Handling Byzantine memory failures (NR-arbitrary)
• Specifying/implementing the leader election
  primitive

37
Distributed Methods in System Security
38
Motivation

• Relationship to distributed computing
• Security is the last frontier of reliability and
  availability
• Require various coordination building blocks,
  e.g., reliable broadcast, clock synchronization
• Related notions robustness, fault models, the
  Byzantine model
• Coordinate activity vrs. Conflicting activity
• Confidentiality vrs. Data sharing
• Security by distribution
• Key principle Reduce trust in single components
• Secure storage keys (escrow), files
• Collective control
• Many cryptographic primitives Secure Multi-Party
  Computation (SMPC), electronic voting, agreement
  protocols, ...

39
Simple secret sharing (SS)

• S A B, A given to one authority, B to another
• Perfect (unconditional, information theoretic)
  security
• Variation S A ? B
• Bad variation Divide bits among participants
  (why?)
• Generalization to t authorities
• S A1 A2 At (t-1 chosen at random)
• Demonstration Electronic voting

40
Shamirs secret sharing Shamir 79

• Threshold secret sharing t-out-of-n shares
  required to obtain secret
• Fact t1 points (xi , yi) define a polynomial of
  degree t , f(x) y
• Set-up
• Choose a0 secret choose a1 , a2 , , at at
  random.
• Define f(x) a0 a1 x at x t
• Distribute (xi, yi f(xi)) shares for i 1..n
• Pooling of shares
• Lagrange interpolation of any t shares to
  obtain secret

41
Sharing the secret 1f(x) x 2- 2x 1
42
Properties of Shamirs secret sharing

• Perfect information theoretic security
• Ideal Shares are of the same size as secret
• Extendable additional shares may be created
• Flexible Can assign different weights ( of
  shares) to different authorities

43
Homomorphism (f g)(x) f(x) g(x)
44
Homomorphism (f g)(x) f(x) g(x)
45
The homomorphism property

• Denote F(d1,,dt) the transformation determining
  the secret from the shares
• We say that F has the (?,?)-homomorphic property
  if
• F(d1,,dt) ? F(d1,,dt) F(d1 ? d1,,dt ?
  dt)
• generalize to k sub-shares
• Shamirs secret sharing scheme has the
  (,)-homomorphic property
• ? cidi ? cidi ? ci (di di)

46
A simple decentralized electronic voting protocol

• Suppose ballots Bv are either 1 or -1.
• Each voter v
• chooses a polynomial to share the secret Bv
• sends shares to n authorities over authenticated
  and secure channels
• Using homomorphism Let f1, , fm be the
  votes-polynomial
• (f1 fm)(s) f1(s) fm(s)
• Each authority (out of t 1)
• sums its shares, to compute a point on the
  sum-polynomial
• exchanges shares to interpolate the
  sum-polynomial

47
Pro-active secret sharingHerzberg, Jarecki,
Krawczyk, Yung 95

• Motivation
• secret sharing security relies on a threshold of
  compromised shared throughout the lifetime of the
  secret
• pro-active security assumes shares are gradually
  compromised/corrupted
• Compromised hosts recover (e.g., reboot/reset)
• Approach
• re-new shares continuously, without changing the
  secret, so that old shares become useless
• recover corrupted shares
• replace all shares of the same secret every
  pre-defined period
• attacker needs to break into t1 shares within
  time period
• attacker need to destroy t1 shares within time
  period

48
Pro-active model requirements

• Authenticated broadcast channel
• can be intercepted by adversary cannot be
  altered, prevented or spoofed by adversary
• Authenticated and secret communication channels
• same
• Synchronization
• Adversary can compromise/corrupt at most t
  computers in any time period compromised
  computers recover
• Secrets can be erased (by honest servers)
• The guarantee Security (no information leaked)
  and robustness (recoverability of secret) against
  the pro-active adversary

49
Share renewal (fk-1 r)(x) fk-1 (x) r1 (x)
rn (x)
50
Share renewal (fk-1 r)(x) fk-1 (x) r1 (x)
rn (x)
51
Share renewal (fk-1 r)(x) fk-1 (x) r1 (x)
rn (x)
52
Share renewal

• Start with polynomial Pk-1(x) of degree t, s.t.
  Pk-1(0)s
• Define Pk(x) Pk-1(x) ?(x)
• where ? is a degree-t polynomial, ?(0)0
• hence Pk is a degree-t polynomial,
  Pk(0)Pk-1(0)s
• ?(x) is chosen and distributed by n share
  holders
• Share holder Si chooses ?i(x) as a degree-t
  polynomial with zero free coefficient, hence
  ?i(0)0
• Share holder Si distributes ?i(x) using SS among
  share holders. Sj obtains the share ?i(j).
• Share holder Sj receives ?1(j), , ?n(j), and
  computes (Pk-1 ?) (j) Pk-1(j) ?i1..n
  ?i(j) , the share of Pk at j.
• Share holders erase the shares of Pk-1 and keep
  the new shares

53
Security of secret renewal

• If all servers act correctly, each t1 shares of
  phase k can reconstruct the original secret
• If at most t shares are known from each phase
  1..k, no information is leaked on the secret s

54
Detection of corrupted shares

• Each share holder Si holds invariant yj gxj
  (mod p) for j1..n
• Periodically, share holders compare shares and
  invariants using secure broadcast
• Variants yj are obtained from the VSS as follows
• Si has encryptions of coefficients of the initial
  polynomial P0(x) and of all polynomials ?kj(x)
• Hence, Si can compute the encryptions of P0(x)
  all ?j(x) for any integer, e.g., x1..n
• Hence, it can compute the encryptions of Pk(j)
  for j1..n recursively
• Share holders Sr that have been detected to hold
  corrupted own shares reconstruct their shares

55
Share reconstruction of share 2
56
Share reconstruction of share 2
57
Share reconstruction of share 2
58
Reconstruction of lost/corrupted shares

• Use the same protocol as share renewal to
  construct shares of Pk(r), for any lost r
• send the shares of Pk to r, to obtain the secret
  share
• Details
• Each Si chooses a random ?i(x) s.t. ?i(r)0
• Shares ?i(x) between servers using VSS
• Each server Sj computes uj (Pk ?i ?i ) (j) to
  obtain a share of (Pk ?i ?i )
• It sends uj to r
• r can reconstruct Pk(r) (Pk ?i ?i ) (r)

59
Verifiable secret sharing (VSS)

• Share holders can verify that shares are
  t-consistent Every subset of t1 of them define
  the same secret
• In case the dealer is honest, share holders
  accept the shares (w.h.p)
• In Shamirs SS scheme, n shares are consistent
  if they define a degree-t polynomial

60
VSS Interactive proof Benaloh 86

• Trusted share-holders, untrusted dealer
• dealer chooses polynomial P, distributes shares
• dealer chooses 100 polynomials P1, , P100, of
  degree t, distributes shares
• verifier chooses a random subset of 50 of them
• dealer reveals shares of the 50 chosen
  polynomials Pi1, , Pi50 and the share-sums of
  remaining 50 sums PPi51 , , PPi100
• each share-holder (verifiers) ascertains that all
  revealed polynomials are degree-t, and correspond
  to its own known shares
• Problem How to distinguish a faulty dealer from
  a faulty share-holder?

61
Interactive proof w/broadcast

• dealer chooses polynomial P, encrypts shares and
  publishes using secure broadcast
• dealer chooses 100 polynomials P1, , P100, of
  degree t, encrypts shares and publishes using
  secure broadcast
• verifier chooses a random subset of 50 of them
• dealer reveals shares of the 50 chosen
  polynomials Pi1, , Pi50 and the share-sums of
  remaining 50 sums PPi51 , , PPi100
• verifier ascertains that all revealed polynomials
  are degree-t, and correspond to published
  encrypted shares
• requirement E(ss) E(s) ? E(s) for some
  known op ?
• example
• public (g,p) to encrypt s, compute g s mod p.
• encryption of s is verified by releasing s.
• encryption of ss is verified by releasing ss .

62
VSS Non-interactive proof Feldman 87

• Dealer chooses polynomial P, encrypts
  coefficients using E and publishes encrypted
  coefficient using secure broadcast
• Dealer secretly sends shares to share holders
• Each share holder can verify its share P(i) by
• computing the (homomorphic) encryption of P(i)
• comparing with the polynomial of encrypted
  coefficients
• Requirement E is homomorphic both with respect
  to addition and to multiplication. I.e.
• E(ss) E(s) ? E(s) for some known op ?
• E(s?s) E(s) ? E(s) for some known op ?
• Let f0, f1, , ft by the coefficients of P. Then
  E(P(i)) E(f0) ? E(f1) ? E(i) ? ? E(ft) ?
  E(it)
• Example E(x) gx mod p
• Remark It is also possible to verify P(0)s, if
  s is known

63
Secure Multi Party Computation(SMPC)Secure
Function Evaluation(SFE)
64
Informal setting

• Heads of all Fortune-500 companies want to
  collectively compute various statistics, such as
  the average earnings, total spending on crypto
  research. Etc
• without revealing their raw data
• without a trusted third party (simulating it)
• If phone lines are secure, they can do it with
  333 trustworthy companies
• If secure conferencing call is available, they
  can do it with 251 trustworthy companies
• If their CTOs cannot break certain hard
  mathematical problems, they can do it with any
  number of trustworthy companies

65
Informal definition

• m players hold inputs x1 ,, xm
• goal each player outputs f(x1 , , xm)
• security no information about the inputs is
  revealed by the computation
• Emulate a Trusted Third Party (TTP)
• TTP securely receives x1 ,, xm from players,
• computes f(x1 , , xm) ,
• returns result to players
• variations many
• applications many

66
Problem reduction

• f described as a circuit of binary additions and
  multiplications (ANDs and XORs)
• computation proceeds along the circuit
• gate inputs are shares of values held by
  different players
• exchanged by players before computation
• gate outputs are shares of result
• can be exchanged by players after computation
• inefficient, but general
• specific problems may have better solutions

67
A single gate of the computation
a
b

c
68
A single gate of the computation
a1 Share of a an share of a
b1 Share of b bn share of b

c1 Share of c cn share of c
69
Example sharing by summands

• a a1 a2 b b1 b2
• Goal compute and share c a b
• 2-way XOR gate (easy)
• player 1 holds a1 , b1 player 2 holds a2 , b2
• result player 1 holds c1 a1 b1 player 2
  holds c2 a2 b2
• c1 c2 (a1 a2) (b1 b2)
• 2-way AND gate (core of problem)
• compute c1, c2, such that c1 c2 (a1 a2) ?
  (b1 b2)

70
Private computation

• Guarantee privacy of inputs against a curious
  adversary
• Two main methods cryptographic and information
  theoretic
• Cryptographic based on Oblivious Transfer
• tolerates up to n-1 faults
• Information theoretic based on homomorphic
  polynomial secret sharing
• requires secure communication channels
• tolerate up to n/2-1 faults
• Does not provide resilience of computation
  against malicious adversary

71
Non-cryptographic SMPC

• Share initial input values using Shamirs secret
  sharing
• Combining inputs
• Addition is easy (using homomorphism), without
  communication
• Multiplying by a constant is easy, without
  communication
• Multiplication done by degree-reduction and
  randomization techniques

72
Multiplication details

• Denote a and b the two initial secret values
• a encoded and shared via f(x) b by g(x)
• The free coefficient of h(x) f(x)g(x) is the
  desired result ab
• Two problems with the multiplication
• degree of f(x)g(x) is 2t
• it is not random
• Solution
• degree reduction
• randomization

73
Multiplication degree reduction and
randomization

• a f(0) f(x) a f1x ftxt
• b g(0) g(x) b g1x gtxt
• h(x) f(x)g(x)
• h(i) f(i)g(i)
• h(0) multiplication result (multiplication of
  secrets)
• h of degree 2t
• denote h(x) ab h1x h2t x2t
• H (ab, h1, , h2t)
• S ( h(1), , h(2t1) ) the shares of h held
  by players

74
Multiplication degree reduction and
randomization

• Let A be (2t1)?(2t1) Vandermonde matrix
• aij i j i,j1..(2t1)
• A is constant, a priori known
• Then A?H ( h(1), , h(2t1) ) S
• A is non singular and has an inverse A-1
• A-1 ? S H
• Denote the first row of A-1 by (?1 , , ?2t1)
  then ?1h(1) ?2t1 h(2t1) ab
• Use (?1 , , ?2t1) for linear combination of
  polynomials hi (x)
• of degree t
• hi (0) h(i)

75
Degree reduction randomization
h(3)
h(2)
h(1)
76
Degree reduction randomization
77
Multiplication the gory details

• a and b be shared by players using f(x) ,
  g(x), resp. player j has f(j), g(j)
• Player j chooses hj(x) s.t. hj(0) f(j)g(j)
  sends shares of hi to all players
• Player i computes si ?1h1(i) ?2t1
  h2t1(i) share of degree-t polynomial , with
  free coefficient ab

78
The full picture

• Transform f(x1, , xn) into a binary computation
• 1 (x1, x2) 2 (1, x3) 3 (1, 2)
• Share initial inputs using SS
• Compute
• addition gates locally
• multiplication gates degree-reduction and
  randomization
• Result share output values of all intermediate
  results
• Output combine shares of output and interpolate

79
Robust SMPC

• Ensure unique computation verify that values are
  shared properly
• Ensure correct values verify that intermediate
  results are shared and used correctly
• Suppose a and b are shared among players
• verify that shares of good players encode a
  unique value (VSS)
• in multiplication, verify that hi (0) encodes
  multiplication result consistent with shares of a
  , b

80
Summary

• Distributed computing issues
• Reliable, authenticated communication
• Reliable broadcast
• (round) synchronization
• Advanced adversarial model, proactivity
• Share information, rather than replicate
• Advertisements
• Multi-party computation workshop, in conjunction
  with DISC 2003
• SFE project at Hebrew U open source two-way
  cryptographic SFE system.