Security in distributed systems and Distributed methods in security - PowerPoint PPT Presentation

About This Presentation
Slides: 74
Provided by: liafaJ
1
Security in distributed systems and Distributed methods in security
Security: let's vote
  • Dahlia Malkhi
  • The Hebrew University of Jerusalem
  • Porquerolles Spring School

2
Practical survivability in distributed systems
3
Data-centric replication
  • No server-to-server communication
  • No client-to-client communication
  • NR-arbitrary failures
  • Bounded, unknown number of clients
4
Architecture
Reliable shared object
Fail-prone storage units
Coordination
5
Motivation for data-centric model
  • Storage Area Network (SAN)
  • Scalable dynamic fault-tolerant services (e.g.,
    Fleet)
  • Replication groups are created on-the-fly by
    clients out of dynamic server universe
  • Servers need neither monitor nor be aware of each
    other
  • Accommodates Byzantine failures
  • Database servers
  • Client-server middleware

6
Data-centric replication
(figure: clients 1 and 2, each running application → object-stub → Q-RPC, talking to persistent object servers 1..5)
  • No centralized management
  • No locking
  • No server-to-server interaction
  • No client-to-client interaction
  • Quorum tuning: benign/Byzantine faults, strict/probabilistic guarantees
  • Simple, secure, modular
7
Replication models
8
Some design choices
  • Scale
  • Survivability
  • Trusted clients

9
Why scalability?
  • Yesterday
  • NFS
  • Fault tolerant replicated file system (cluster)
  • Four computers flying a shuttle
  • Today
  • Digital archiving: Anderson's Eternity
  • Ubiquitous computing
  • Peer-to-peer resource sharing
  • eCommerce and eApplication on the Internet

A mobile user
10
Why survivability?
  • Yesterday
  • Closely coupled, locally administered system
  • Today
  • Wide spread computing
  • Internet hackers
  • More

11
(No Transcript)
12
(No Transcript)
13
Survivable systems
  • The last frontier of protection
  • Component penetrations will occur, so we should
    build systems to anticipate them
  • Survivable system makes meaningful progress when
    components fail to behave as expected, even when
    they conspire to undermine the operation of the
    system as a whole

14
(No Transcript)
15
Could clients be faulty?
  • Benign faults: yes
  • Byzantine faults: no
  • Employ access control
  • If bypassed, who cares?
  • A malicious client can mess up the data anyway

16
Summary of design choices
  • Scaling
  • thousands of servers, millions of clients
  • Survivability
  • Servers may be penetrated, hence use voting
  • Trusted clients

17
Byzantine quorum systems example [Malkhi and Reiter 98]
  • At most one server can be penetrated
  • Read/write safe register

19
Masking quorums
  • A b-masking quorum system over a universe U of
    servers is a set such that
  • Justification: let B be the set of actually faulty
    servers

20
Replication using masking quorum systems
  • Write(v)
  • Read timestamps from a quorum
  • Choose a higher, unique timestamp
  • Read()
  • Read (value, timestamp) pairs from a quorum
  • Identify correct values: those that appear b+1
    identical times
  • Return the highest-timestamp correct value
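
The Write/Read procedure above, as an added Python simulation (this is example code written for this page, not code from the slides). The server classes, the brute-force threshold-quorum construction, the (counter, client id) timestamp encoding and the constructed universe of n = 5 servers with b = 1 penetrated server are all assumptions of this example:

```python
from collections import Counter
from itertools import combinations

def masking_quorums(n, b):
    """Threshold b-masking quorums: every set of q servers with
    q = ceil((n + 2b + 1) / 2), so any two quorums intersect in at least
    2b+1 servers (b+1 of which are correct and hold the latest write) and
    n - q >= b servers can be down while a quorum is still available.
    Brute-force enumeration; fine for the small constructed universe here."""
    q = (n + 2 * b + 2) // 2
    if n - q < b:
        raise ValueError("need n >= 4b+1 for a b-masking threshold system")
    return [frozenset(c) for c in combinations(range(n), q)]

class Server:
    """A passive storage unit: keeps the (value, timestamp) pair with the
    highest timestamp it has ever been asked to store."""
    def __init__(self):
        self.value, self.ts = None, (0, 0)
    def read(self):
        return (self.value, self.ts)
    def write(self, value, ts):
        if ts > self.ts:
            self.value, self.ts = value, ts

class PenetratedServer(Server):
    """A Byzantine server: answers every read with a forged pair carrying a
    timestamp above anything the honest servers hold."""
    def read(self):
        return ("forged", (self.ts[0] + 1000, 99))

class Client:
    def __init__(self, servers, quorums, b, cid):
        self.servers, self.quorums, self.b, self.cid = servers, quorums, b, cid

    def _qrpc(self, quorum, op):
        # Q-RPC: the same request to every member of one quorum; no
        # server-to-server and no client-to-client communication is needed.
        return [op(self.servers[i]) for i in sorted(quorum)]

    def write(self, v):
        q = self.quorums[0]
        # Read timestamps from a quorum, then choose a higher, unique timestamp:
        # (counter, client id) tuples compare lexicographically, so two clients
        # that read the same counter still pick distinct timestamps.
        counter = max(ts[0] for _, ts in self._qrpc(q, lambda s: s.read()))
        ts = (counter + 1, self.cid)
        self._qrpc(q, lambda s: s.write(v, ts))
        return ts

    def read(self):
        q = self.quorums[-1]
        pairs = Counter(self._qrpc(q, lambda s: s.read()))
        # A (value, timestamp) pair is trusted only if b+1 servers returned it
        # identically: at most b faulty servers cannot fabricate that many copies.
        correct = [p for p, cnt in pairs.items() if cnt >= self.b + 1]
        return max(correct, key=lambda p: p[1])[0] if correct else None

def demo():
    """Constructed scenario: 5 servers, server 2 penetrated (b = 1); the writer
    uses quorum {0,1,2,3}, the reader quorum {1,2,3,4}; they overlap in 3 servers."""
    n, b = 5, 1
    servers = [Server() for _ in range(n)]
    servers[2] = PenetratedServer()
    quorums = masking_quorums(n, b)
    writer = Client(servers, quorums, b, cid=1)
    reader = Client(servers, quorums, b, cid=2)
    before = reader.read()                 # nothing written yet
    writer.write("config-v1")
    writer.write("config-v2")
    return before, reader.read()

if __name__ == "__main__":
    print(demo())      # (None, 'config-v2')
```

The penetrated server sits in both quorums and answers the reader with a forged, higher-timestamped pair, but that pair appears only once, so the b+1 rule discards it and the three honest copies in the intersection win. Note that its inflated timestamps do get adopted by writers (timestamps only have to be higher and unique), which is why the write step reads timestamps from a whole quorum rather than trusting any single server.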

21
Byzantine Quorums - surprisingly efficient [Malkhi, Reiter and Wool 98]
22
Quorums can be surprisingly efficient
23
Universal/atomic data emulation
High-level Reliable obj
Fail-prone disks
24
Identifying an agreement building block
  Propose(V):
    Begin RMW
      if (val is undefined) val := V
      return val
    End RMW
(figure: consensus built on a single RMW object)
  • Agreement is trivial with a single RMW
  • RMW cannot be emulated out of faulty memory
    objects of any type Jayanti, Chandra, Toueg 9?

25
Weaker shared objects
  • Consensus is not solvable if even a single
    process can fail by crashing in
  • Asynchronous shared memory system with
    read/write registers
  • Asynchronous message passing system (FLP)
  • so any object that can be emulated by fail-prone
    shared-memory is too weak

26
The Approach [Lamport 98]: PAXOS
  • Assume a weak leader election primitive
  • Eventually there is a unique leader
  • Ω failure detector, partially synchronous/timed
    asynchronous systems, etc.
  • To order operations, the leader invokes an
    instance of the agreement protocol
  • Never disagree on the operation order
  • Might fail to make progress if there is no unique
    leader

27
Agreement with R/W registers [Gafni, Lamport]
(figure: processes 1..5 and disks 1..3; each disk block holds a <v,r,R> triple)
Process i can write block_ij, for each disk j
Process i can read block_ij, for all i, j
28
Unknown clients
  • Consider the same shared memory system with an
    unknown number of processes
  • There might be a bound but it is unknown
  • The process ids are unknown
  • Assume there are no client faults
  • Can you solve Consensus using a finite number of registers?
  • Wait-free solution: R/W registers? No!  RMW registers
  • Eventual leader: R/W registers? No!  RMW registers

29
Identifying an agreement building-block
30
Adding Ranks (ballots)
31
Ranked Register [Boichat et al. 02, Chockler and Malkhi 02]
  • The interface
  • rr-read(R), returns <r,v>
  • rr-write(R,v), commits or aborts
  • The Paxos agreement
  • Collect proposals with a rank
  • Make a new proposal with a rank
  • If rr-write with rank R1 commits, then rr-read
    with rank R2 > R1 must see it
  • return the value written by this rr-write (or by
    a write with rank R > R1)

32
Agreement using RR
Shared: a single ranked register
propose(inp)
  while (true) do
    choose a unique, monotonically increasing rank R
    <r,v> := rr-read(R)
    if (v is undefined) v := inp
    if (rr-write(R,v) = commit) return v
  od
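
The ranked-register interface of slide 31 and the propose loop above, as an added Python simulation (example code written for this page, not code from the slides or from the Boichat et al. / Chockler and Malkhi papers). The single-object implementation of rr-read/rr-write, the (ballot, process id) rank encoding and the hand-interleaved two-proposer scenario are assumptions of this example:

```python
class RankedRegister:
    """A single ranked register (simulation). rr_read(R) records R as the
    highest rank that has looked at the register; rr_write(R, v) commits only
    if no higher-ranked read or write has intervened, so a committed write is
    guaranteed to be returned by every later read of higher rank."""
    def __init__(self):
        self.r_read = (0, 0)              # highest rank passed to rr_read so far
        self.r_w, self.v = (0, 0), None   # highest committed write (rank, value)

    def rr_read(self, R):
        self.r_read = max(self.r_read, R)
        return (self.r_w, self.v)

    def rr_write(self, R, v):
        if R < self.r_read or R < self.r_w:
            return "abort"                # a higher-ranked operation got there first
        self.r_w, self.v = R, v
        return "commit"


class Proposer:
    """One iteration of the propose loop, split into its rr-read and
    rr-write halves so that two proposers can be interleaved by hand."""
    def __init__(self, pid, rr, inp):
        self.pid, self.rr, self.inp = pid, rr, inp
        self.ballot, self.decided = 0, None

    def read_phase(self):
        self.ballot += 1
        self.R = (self.ballot, self.pid)          # unique and increasing per proposer
        _, v = self.rr.rr_read(self.R)
        self.v = self.inp if v is None else v     # adopt a committed value if any
        return self.v

    def write_phase(self):
        if self.rr.rr_write(self.R, self.v) == "commit":
            self.decided = self.v
        return self.decided                       # None means: abort, go round again


def contended_run():
    """Constructed interleaving: p1 and p2 both read before either writes."""
    rr = RankedRegister()
    p1, p2 = Proposer(1, rr, "A"), Proposer(2, rr, "B")
    p1.read_phase()                    # rank (1,1): register empty, picks "A"
    p2.read_phase()                    # rank (1,2) > (1,1): register empty, picks "B"
    first_try = p1.write_phase()       # aborts: a higher-ranked read intervened
    p2.write_phase()                   # commits "B" at rank (1,2)
    p1.read_phase()                    # retry at rank (2,1): must now see "B"
    return first_try, p1.write_phase(), p2.decided

if __name__ == "__main__":
    print(contended_run())   # (None, 'B', 'B')
```

The run shows the two properties the slides rely on: p1's lower-ranked write aborts rather than overwriting, and p1's retry at a higher rank adopts the committed "B", so both proposers decide the same value. Progress depends on ranks eventually not being overtaken, which is exactly the weak-leader assumption of slide 26.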
33
Why is this working?
34
The complete system
RR
RR
35
Implementability of RR
36
Active disk Paxos [Chockler, Malkhi]
  • Paxos with infinitely many processes based on new
    ranked register abstraction
  • Fault-tolerant replication in SANs
  • Fault-tolerant client/server applications
  • Extensions
  • Handling Byzantine memory failures (NR-arbitrary)
  • Specifying/implementing the leader election
    primitive

37
Distributed Methods in System Security
38
Motivation
  • Relationship to distributed computing
  • Security is the last frontier of reliability and
    availability
  • Require various coordination building blocks,
    e.g., reliable broadcast, clock synchronization
  • Related notions: robustness, fault models, the
    Byzantine model
  • Coordinated activity vs. conflicting activity
  • Confidentiality vs. data sharing
  • Security by distribution
  • Key principle: reduce trust in single components
  • Secure storage: keys (escrow), files
  • Collective control
  • Many cryptographic primitives: Secure Multi-Party
    Computation (SMPC), electronic voting, agreement
    protocols, ...

39
Simple secret sharing (SS)
  • S = A + B, A given to one authority, B to another
  • Perfect (unconditional, information-theoretic)
    security
  • Variation: S = A ⊕ B
  • Bad variation: divide the bits among participants
    (why?)
  • Generalization to t authorities
  • S = A1 + A2 + … + At (t-1 of them chosen at random)
  • Demonstration: electronic voting

40
Shamir's secret sharing [Shamir 79]
  • Threshold secret sharing: t-out-of-n shares
    required to obtain the secret
  • Fact: t+1 points (xi, yi) define a polynomial of
    degree t with f(xi) = yi
  • Set-up
  • Choose a0 = secret; choose a1, a2, …, at at
    random
  • Define f(x) = a0 + a1 x + … + at x^t
  • Distribute the shares (xi, yi = f(xi)) for i = 1..n
  • Pooling of shares
  • Lagrange interpolation of any t+1 shares to
    obtain the secret

41
Sharing the secret 1: f(x) = x^2 - 2x + 1
42
Properties of Shamir's secret sharing
  • Perfect information-theoretic security
  • Ideal: shares are of the same size as the secret
  • Extendable: additional shares may be created
  • Flexible: can assign different weights (number of
    shares) to different authorities

43
Homomorphism: (f + g)(x) = f(x) + g(x)
45
The homomorphism property
  • Denote by F(d1, …, dt) the transformation determining
    the secret from the shares
  • We say that F has the (⊕,⊗)-homomorphic property
    if
  • F(d1, …, dt) ⊕ F(d1', …, dt') = F(d1 ⊗ d1', …, dt ⊗
    dt')
  • generalizes to k sub-shares
  • Shamir's secret sharing scheme has the
    (+,+)-homomorphic property
  • Σ ci di + Σ ci di' = Σ ci (di + di')

46
A simple decentralized electronic voting protocol
  • Suppose ballots Bv are either 1 or -1.
  • Each voter v
  • chooses a polynomial to share the secret Bv
  • sends shares to n authorities over authenticated
    and secure channels
  • Using homomorphism: let f1, …, fm be the
    vote polynomials
  • (f1 + … + fm)(s) = f1(s) + … + fm(s)
  • Each authority (out of t+1)
  • sums its shares, to compute a point on the
    sum polynomial
  • exchanges shares to interpolate the
    sum polynomial
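
Shamir's scheme (slide 40) and the homomorphic vote tally just described, as one added Python example (written for this page, not code from the slides). It assumes arithmetic in the prime field Z_P with P = 2^31 - 1, evaluation points 1..n for the n authorities, and a constructed list of ±1 ballots; -1 is encoded as P - 1 and mapped back after interpolation:

```python
import random

P = 2**31 - 1   # Mersenne prime; all share arithmetic is in Z_P (assumption of this example)

def make_shares(secret, t, n, rng=random):
    """Shamir t-out-of-n sharing: f(x) = secret + a1 x + ... + at x^t over Z_P,
    returning the n points (i, f(i)) for i = 1..n."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    def f(x):
        return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
    return [(i, f(i)) for i in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 from any t+1 (or more) distinct shares:
    secret = sum_i y_i * prod_{j != i} (0 - x_j) / (x_i - x_j)."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret

def to_signed(v):
    """Map a field element back to a small signed integer (ballot sums)."""
    return v - P if v > P // 2 else v

def tally(ballots, t, n, rng=random):
    """Decentralized voting: each voter shares its +1/-1 ballot among the n
    authorities; authority j adds up the shares it received, which is a point
    on the sum polynomial f1 + ... + fm; any t+1 authorities interpolate the
    sum. No individual ballot is ever reconstructed."""
    per_voter = [make_shares(b, t, n, rng) for b in ballots]
    # authority j holds the j-th share of every voter and sums them locally
    authority_points = [(j, sum(shares[j - 1][1] for shares in per_voter) % P)
                        for j in range(1, n + 1)]
    return to_signed(reconstruct(authority_points[:t + 1]))

if __name__ == "__main__":
    print(reconstruct(make_shares(12345, 3, 7)[2:6]))        # 12345 from shares 3..6
    print(tally([1, 1, -1, 1, -1, -1, 1], t=2, n=5))          # 1
```

Because the sum of the vote polynomials is itself a degree-t polynomial with the vote total as its free coefficient, the authorities never need to see more than their own summed point, which is the homomorphism of slide 45 at work.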

47
Pro-active secret sharing [Herzberg, Jarecki, Krawczyk, Yung 95]
  • Motivation
  • secret sharing security relies on a threshold of
    compromised shares throughout the lifetime of the
    secret
  • pro-active security assumes shares are gradually
    compromised/corrupted
  • Compromised hosts recover (e.g., reboot/reset)
  • Approach
  • renew shares continuously, without changing the
    secret, so that old shares become useless
  • recover corrupted shares
  • replace all shares of the same secret every
    pre-defined period
  • attacker needs to break into t+1 shares within a
    time period
  • attacker needs to destroy t+1 shares within a time
    period

48
Pro-active model requirements
  • Authenticated broadcast channel
  • can be intercepted by the adversary; cannot be
    altered, prevented or spoofed by the adversary
  • Authenticated and secret communication channels
  • same
  • Synchronization
  • Adversary can compromise/corrupt at most t
    computers in any time period; compromised
    computers recover
  • Secrets can be erased (by honest servers)
  • The guarantee: security (no information leaked)
    and robustness (recoverability of the secret) against
    the pro-active adversary

49
Share renewal: (fk-1 + r)(x) = fk-1(x) + r1(x) + … + rn(x)
52
Share renewal
  • Start with a polynomial Pk-1(x) of degree t, s.t.
    Pk-1(0) = s
  • Define Pk(x) = Pk-1(x) + δ(x)
  • where δ is a degree-t polynomial with δ(0) = 0
  • hence Pk is a degree-t polynomial with
    Pk(0) = Pk-1(0) = s
  • δ(x) is chosen and distributed by the n share
    holders
  • Share holder Si chooses δi(x) as a degree-t
    polynomial with zero free coefficient, hence
    δi(0) = 0
  • Share holder Si distributes δi(x) using SS among the
    share holders. Sj obtains the share δi(j).
  • Share holder Sj receives δ1(j), …, δn(j), and
    computes (Pk-1 + δ)(j) = Pk-1(j) + Σ(i=1..n)
    δi(j), the share of Pk at j.
  • Share holders erase the shares of Pk-1 and keep
    the new shares

53
Security of secret renewal
  • If all servers act correctly, any t+1 shares of
    phase k reconstruct the original secret
  • If at most t shares are known from each phase
    1..k, no information is leaked about the secret s

54
Detection of corrupted shares
  • Each share holder Si holds the invariant yj = g^xj
    (mod p) for j = 1..n
  • Periodically, share holders compare shares and
    invariants using secure broadcast
  • Variants: the yj are obtained from the VSS as follows
  • Si has encryptions of the coefficients of the initial
    polynomial P0(x) and of all polynomials δkj(x)
  • Hence, Si can compute the encryptions of P0(x) +
    all δj(x) for any integer x, e.g., x = 1..n
  • Hence, it can compute the encryptions of Pk(j)
    for j = 1..n recursively
  • Share holders Sr that have been detected to hold
    corrupted shares reconstruct their shares

55
Share reconstruction of share 2
58
Reconstruction of lost/corrupted shares
  • Use the same protocol as share renewal to
    construct shares of Pk(r), for any lost r
  • send the shares of Pk to r, to obtain the secret
    share
  • Details
  • Each Si chooses a random δi(x) s.t. δi(r) = 0
  • Shares δi(x) between servers using VSS
  • Each server Sj computes uj = (Pk + Σi δi)(j) to
    obtain a share of (Pk + Σi δi)
  • It sends uj to r
  • r can reconstruct Pk(r) = (Pk + Σi δi)(r)

59
Verifiable secret sharing (VSS)
  • Share holders can verify that shares are
    t-consistent: every subset of t+1 of them defines
    the same secret
  • In case the dealer is honest, share holders
    accept the shares (w.h.p.)
  • In Shamir's SS scheme, n shares are consistent
    if they define a degree-t polynomial

60
VSS: interactive proof [Benaloh 86]
  • Trusted share holders, untrusted dealer
  • dealer chooses polynomial P, distributes shares
  • dealer chooses 100 polynomials P1, …, P100, of
    degree t, distributes shares
  • verifier chooses a random subset of 50 of them
  • dealer reveals shares of the 50 chosen
    polynomials Pi1, …, Pi50 and the share-sums of the
    remaining 50: P+Pi51, …, P+Pi100
  • each share holder (verifier) ascertains that all
    revealed polynomials are of degree t, and correspond
    to its own known shares
  • Problem: how to distinguish a faulty dealer from
    a faulty share holder?

61
Interactive proof w/broadcast
  • dealer chooses polynomial P, encrypts shares and
    publishes them using secure broadcast
  • dealer chooses 100 polynomials P1, …, P100, of
    degree t, encrypts shares and publishes them using
    secure broadcast
  • verifier chooses a random subset of 50 of them
  • dealer reveals shares of the 50 chosen
    polynomials Pi1, …, Pi50 and the share-sums of the
    remaining 50: P+Pi51, …, P+Pi100
  • verifier ascertains that all revealed polynomials
    are of degree t, and correspond to the published
    encrypted shares
  • requirement: E(s + s') = E(s) ⊗ E(s') for some
    known op ⊗
  • example
  • public (g, p); to encrypt s, compute g^s mod p.
  • encryption of s is verified by releasing s.
  • encryption of s + s' is verified by releasing s + s'.

62
VSS: non-interactive proof [Feldman 87]
  • Dealer chooses polynomial P, encrypts its
    coefficients using E and publishes the encrypted
    coefficients using secure broadcast
  • Dealer secretly sends shares to share holders
  • Each share holder can verify its share P(i) by
  • computing the (homomorphic) encryption of P(i)
  • comparing with the polynomial of encrypted
    coefficients
  • Requirement: E is homomorphic both with respect
    to addition and to multiplication, i.e.
  • E(s + s') = E(s) ⊗ E(s') for some known op ⊗
  • E(s · s') = E(s) ⊙ E(s') for some known op ⊙
  • Let f0, f1, …, ft be the coefficients of P. Then
    E(P(i)) = E(f0) ⊗ (E(f1) ⊙ E(i)) ⊗ … ⊗ (E(ft) ⊙
    E(i^t))
  • Example: E(x) = g^x mod p
  • Remark: it is also possible to verify P(0) = s, if
    s is known
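
Feldman's non-interactive VSS with E(x) = g^x mod p, as an added Python example that also carries out one pro-active share-renewal round (slide 52) and the invariant-based detection of corrupted shares (slide 54), since all three rest on the same homomorphism. This is example code written for this page, not code from the slides or from the Feldman or HJKY papers. It assumes toy-sized parameters: shares and coefficients live in Z_q with q = 1019, commitments in the order-q subgroup of Z_p* with p = 2q + 1 = 2039 generated by g = 4; a real deployment would use cryptographically sized groups:

```python
import random

Q = 1019   # polynomial coefficients and shares live in Z_Q (toy size, assumption)
P = 2039   # P = 2Q + 1 is prime; G = 4 generates the order-Q subgroup of Z_P*
G = 4

def eval_poly(coeffs, x):
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def commit(coeffs):
    """Feldman commitments E(f_k) = g^{f_k} mod P, one per coefficient."""
    return [pow(G, c, P) for c in coeffs]

def expected_commitment(commitments, i):
    """Homomorphic encryption of P(i): prod_k E(f_k)^{i^k} = g^{P(i)} mod P."""
    acc = 1
    for k, c in enumerate(commitments):
        acc = acc * pow(c, pow(i, k, Q), P) % P
    return acc

def verify_share(commitments, i, share):
    """Holder i's check: g^{share} must equal the commitment-derived g^{P(i)}."""
    return pow(G, share, P) == expected_commitment(commitments, i)

def deal(secret, t, n, rng=random):
    """Dealer: random degree-t polynomial with P(0) = secret; publishes the
    commitments, sends share P(i) to holder i (dict keyed by holder id)."""
    coeffs = [secret % Q] + [rng.randrange(Q) for _ in range(t)]
    shares = {i: eval_poly(coeffs, i) for i in range(1, n + 1)}
    return commit(coeffs), shares

def renew(commitments, shares, t, rng=random):
    """One pro-active renewal round: every holder i deals a random degree-t
    polynomial delta_i with delta_i(0) = 0 (so its first commitment is g^0 = 1);
    holders verify the sub-shares they receive, add them to their share, and
    multiply the published commitments. The secret's commitment is unchanged."""
    n = len(shares)
    new_shares = dict(shares)
    new_commitments = list(commitments)
    for i in range(1, n + 1):
        delta = [0] + [rng.randrange(Q) for _ in range(t)]
        d_commit = commit(delta)
        if d_commit[0] != 1:                       # free coefficient must be zero
            raise ValueError("holder %d used a non-zero free coefficient" % i)
        for j in range(1, n + 1):
            sub = eval_poly(delta, j)
            if not verify_share(d_commit, j, sub):
                raise ValueError("holder %d sent holder %d a bad sub-share" % (i, j))
            new_shares[j] = (new_shares[j] + sub) % Q
        new_commitments = [c * d % P for c, d in zip(new_commitments, d_commit)]
    return new_commitments, new_shares

def audit(commitments, shares):
    """Periodic check of every holder's share against the public invariant
    y_j = g^{x_j}; returns the ids of holders whose shares are corrupted."""
    return [i for i, s in shares.items() if not verify_share(commitments, i, s)]

def demo(seed=7):
    """Constructed run: deal 42 among 5 holders with t = 2, renew once, then
    corrupt holder 3's share and let the audit catch it."""
    rng = random.Random(seed)
    c0, s0 = deal(42, t=2, n=5, rng=rng)
    c1, s1 = renew(c0, s0, t=2, rng=rng)
    clean = audit(c1, s1)
    s1[3] = (s1[3] + 1) % Q
    return c1[0] == c0[0], clean, audit(c1, s1)

if __name__ == "__main__":
    print(demo())   # (True, [], [3])
```

The first commitment never changes across renewals (every delta_i contributes g^0 = 1 to it), which is the public evidence that Pk(0) = s was preserved; the old shares in s0, however, no longer match the new commitments, so an attacker who collected them in an earlier period cannot combine them with shares from the current one.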

63
Secure Multi-Party Computation (SMPC) / Secure Function Evaluation (SFE)
64
Informal setting
  • Heads of all Fortune-500 companies want to
    collectively compute various statistics, such as
    the average earnings, total spending on crypto
    research, etc.
  • without revealing their raw data
  • without a trusted third party (simulating it)
  • If phone lines are secure, they can do it with
    333 trustworthy companies
  • If secure conferencing call is available, they
    can do it with 251 trustworthy companies
  • If their CTOs cannot break certain hard
    mathematical problems, they can do it with any
    number of trustworthy companies

65
Informal definition
  • m players hold inputs x1, …, xm
  • goal: each player outputs f(x1, …, xm)
  • security: no information about the inputs is
    revealed by the computation
  • Emulate a Trusted Third Party (TTP)
  • TTP securely receives x1, …, xm from the players,
  • computes f(x1, …, xm),
  • returns the result to the players
  • variations: many
  • applications: many

66
Problem reduction
  • f described as a circuit of binary additions and
    multiplications (XORs and ANDs)
  • computation proceeds along the circuit
  • gate inputs are shares of values held by
    different players
  • exchanged by players before computation
  • gate outputs are shares of result
  • can be exchanged by players after computation
  • inefficient, but general
  • specific problems may have better solutions

67
A single gate of the computation
(figure: a gate with inputs a, b and output c)
68
A single gate of the computation
(figure: a1, …, an are shares of a; b1, …, bn shares of b; c1, …, cn shares of c)
69
Example: sharing by summands
  • a = a1 + a2, b = b1 + b2
  • Goal: compute and share the gate output c (a + b for
    the XOR gate, a · b for the AND gate)
  • 2-way XOR gate (easy)
  • player 1 holds a1, b1; player 2 holds a2, b2
  • result: player 1 holds c1 = a1 + b1; player 2
    holds c2 = a2 + b2
  • c1 + c2 = (a1 + a2) + (b1 + b2)
  • 2-way AND gate (core of the problem)
  • compute c1, c2 such that c1 + c2 = (a1 + a2) ·
    (b1 + b2)

70
Private computation
  • Guarantee privacy of inputs against a curious
    adversary
  • Two main methods: cryptographic and information-
    theoretic
  • Cryptographic: based on Oblivious Transfer
  • tolerates up to n-1 faults
  • Information-theoretic: based on homomorphic
    polynomial secret sharing
  • requires secure communication channels
  • tolerates up to n/2-1 faults
  • Does not provide resilience of the computation
    against a malicious adversary

71
Non-cryptographic SMPC
  • Share initial input values using Shamir's secret
    sharing
  • Combining inputs
  • Addition is easy (using homomorphism), without
    communication
  • Multiplying by a constant is easy, without
    communication
  • Multiplication: done by degree-reduction and
    randomization techniques

72
Multiplication details
  • Denote by a and b the two initial secret values
  • a is encoded and shared via f(x), b via g(x)
  • The free coefficient of h(x) = f(x)g(x) is the
    desired result ab
  • Two problems with the multiplication
  • the degree of f(x)g(x) is 2t
  • it is not random
  • Solution
  • degree reduction
  • randomization

73
Multiplication: degree reduction and randomization
  • a = f(0), f(x) = a + f1 x + … + ft x^t
  • b = g(0), g(x) = b + g1 x + … + gt x^t
  • h(x) = f(x)g(x)
  • h(i) = f(i)g(i)
  • h(0) = multiplication result (multiplication of
    secrets)
  • h is of degree 2t
  • denote h(x) = ab + h1 x + … + h2t x^2t
  • H = (ab, h1, …, h2t)
  • S = (h(1), …, h(2t+1)), the shares of h held
    by the players

74
Multiplication: degree reduction and randomization
  • Let A be the (2t+1)×(2t+1) Vandermonde matrix
  • aij = i^j, i,j = 1..(2t+1)
  • A is constant, a priori known
  • Then A·H = (h(1), …, h(2t+1)) = S
  • A is non-singular and has an inverse A^-1
  • A^-1 · S = H
  • Denote the first row of A^-1 by (λ1, …, λ2t+1);
    then λ1 h(1) + … + λ2t+1 h(2t+1) = ab
  • Use (λ1, …, λ2t+1) for a linear combination of
    polynomials hi(x)
  • of degree t
  • hi(0) = h(i)

75
Degree reduction and randomization (figure: the points h(1), h(2), h(3))
77
Multiplication: the gory details
  • a and b are shared by the players using f(x) and
    g(x), resp.; player j has f(j), g(j)
  • Player j chooses hj(x) s.t. hj(0) = f(j)g(j) and
    sends shares of hj to all players
  • Player i computes si = λ1 h1(i) + … + λ2t+1
    h2t+1(i), a share of a degree-t polynomial with
    free coefficient ab
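
The multiplication step of slides 72 to 77, as an added Python example (written for this page, not code from the slides or from the BGW protocol's authors). It assumes the field Z_P with P = 2^31 - 1, players numbered 1..2t+1 holding the evaluations at those points, and it computes (λ1, …, λ2t+1) exactly as the slides describe, as the first row of the inverse Vandermonde matrix, by Gauss-Jordan elimination modulo P:

```python
import random

P = 2**31 - 1   # prime field for shares and coefficients (assumption of this example)

def eval_poly(coeffs, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def share(secret, t, n, rng=random):
    """Shamir sharing: list index i-1 holds player i's share f(i)."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [eval_poly(coeffs, i) for i in range(1, n + 1)]

def inverse_first_row(m):
    """First row (lambda_1..lambda_m) of A^{-1}, where A is the m x m Vandermonde
    matrix a_ij = i^j (i = 1..m, j = 0..m-1) over Z_P, obtained by Gauss-Jordan
    elimination on [A | I]. Because A*H = S maps the coefficient vector H of a
    degree-(m-1) polynomial h to its evaluations S = (h(1), ..., h(m)), this row
    recovers the free coefficient: h(0) = sum_i lambda_i * h(i)."""
    A = [[pow(i, j, P) for j in range(m)] + [int(r == i - 1) for r in range(m)]
         for i in range(1, m + 1)]
    for col in range(m):
        piv = next(r for r in range(col, m) if A[r][col])   # exists: A is nonsingular
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], P - 2, P)
        A[col] = [x * inv % P for x in A[col]]
        for r in range(m):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % P for x, y in zip(A[r], A[col])]
    return A[0][m:]

def open_secret(shares):
    """Interpolate the free coefficient from the shares of players 1..len(shares)."""
    lam = inverse_first_row(len(shares))
    return sum(l * s for l, s in zip(lam, shares)) % P

def naive_product_shares(a, b, t, rng=random):
    """Players just multiply their own shares: h(i) = f(i)g(i). The result is a
    polynomial of degree 2t that needs all 2t+1 players to open, and it is not
    uniformly random, which is why degree reduction and randomization follow."""
    n = 2 * t + 1
    fa, gb = share(a, t, n, rng), share(b, t, n, rng)
    return [x * y % P for x, y in zip(fa, gb)]

def multiply(a, b, t, rng=random):
    """Degree reduction and randomization: player j re-shares h(j) = f(j)g(j)
    with a fresh degree-t polynomial h_j; player i then combines the sub-shares
    it received, s_i = sum_j lambda_j h_j(i), which is a share of a random
    degree-t polynomial whose free coefficient is ab."""
    n = 2 * t + 1
    fa, gb = share(a, t, n, rng), share(b, t, n, rng)
    lam = inverse_first_row(n)                                    # public constants
    hj = [share(fa[j] * gb[j] % P, t, n, rng) for j in range(n)]  # hj[j][i] goes to player i+1
    return [sum(lam[j] * hj[j][i] for j in range(n)) % P for i in range(n)]

if __name__ == "__main__":
    print(open_secret(naive_product_shares(6, 7, 2)))   # 42, but needs all 5 shares
    print(open_secret(multiply(6, 7, 2)[:3]))           # 42 from t+1 = 3 shares
```

Opening the naive product requires every one of the 2t+1 shares, whereas after the reduction step any t+1 of the s_i suffice, so the output sharing has the same threshold as the inputs and can feed the next gate.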

78
The full picture
  • Transform f(x1, …, xn) into a binary computation
  • 1 (x1, x2) 2 (1, x3) 3 (1, 2)
  • Share initial inputs using SS
  • Compute
  • addition gates locally
  • multiplication gates degree-reduction and
    randomization
  • Result share output values of all intermediate
    results
  • Output combine shares of output and interpolate

79
Robust SMPC
  • Ensure unique computation: verify that values are
    shared properly
  • Ensure correct values: verify that intermediate
    results are shared and used correctly
  • Suppose a and b are shared among the players
  • verify that the shares of good players encode a
    unique value (VSS)
  • in multiplication, verify that hi(0) encodes a
    multiplication result consistent with the shares of a
    and b

80
Summary
  • Distributed computing issues
  • Reliable, authenticated communication
  • Reliable broadcast
  • (round) synchronization
  • Advanced adversarial model, proactivity
  • Share information, rather than replicate
  • Advertisements
  • Multi-party computation workshop, in conjunction
    with DISC 2003
  • SFE project at Hebrew U: open-source two-way
    cryptographic SFE system.