Title: Security in distributed systems and Distributed methods in security
1. Security in distributed systems and Distributed methods in security
Security: Let's vote
- Dahlia Malkhi
- The Hebrew University of Jerusalem
- Porquerolles Spring School
2. Practical survivability in distributed systems
3. Data-centric replication
- No server-to-server communication
- No client-to-client communication
- NR-arbitrary failures
- Bounded, unknown number of clients
4. Architecture
- Reliable shared object
- Fail-prone storage units
- Coordination
5. Motivation for data-centric model
- Storage Area Network (SAN)
- Scalable dynamic fault-tolerant services (e.g., Fleet)
  - Replication groups are created on-the-fly by clients out of a dynamic server universe
  - Servers need neither monitor nor be aware of each other
  - Accommodates Byzantine failures
- Database servers
- Client-server middleware
6. Data-centric replication
[Diagram: clients 1 and 2, each running an application over an object-stub and a Q-RPC layer, access persistent object servers 1-5 directly]
- No centralized management
- No locking
- No server-to-server interaction
- No client-to-client interaction
- Quorum tuning
  - benign/Byzantine faults
  - strict/probabilistic guarantees
- Simple, secure, modular
7. Replication models
8. Some design choices
- Scale
- Survivability
- Trusted clients
9. Why scalability?
- Yesterday
  - NFS
  - Fault tolerant replicated file system (cluster)
  - Four computers flying a shuttle
- Today
  - Digital archiving: Anderson's Eternity
  - Ubiquitous computing
  - Peer-to-peer resource sharing
  - eCommerce and eApplication on the Internet
[Diagram: a mobile user]
10. Why survivability?
- Yesterday
  - Closely coupled, locally administered system
- Today
  - Wide spread computing
  - Internet hackers
  - More
13. Survivable systems
- The last frontier of protection
- Component penetrations will occur, so we should build systems to anticipate them
- A survivable system makes meaningful progress when components fail to behave as expected, even when they conspire to undermine the operation of the system as a whole
15. Could clients be faulty?
- Benign faults: yes
- Byzantine faults: no
  - Employ access control
  - If bypassed, who cares?
  - A malicious client can mess up the data anyway
16. Summary of design choices
- Scaling
  - thousands of servers, millions of clients
- Survivability
  - Servers may be penetrated, hence use voting
- Trusted clients
17. Byzantine quorum systems example [Malkhi and Reiter 98]
- At most one server can be penetrated
- Read/write safe register
19. Masking quorums
- A b-masking quorum system over a universe U of servers is a set such that
- Justification: let B be the set of actually faulty servers
20. Replication using masking quorum systems
- Write(v)
  - Read timestamps from a quorum
  - Choose a higher, unique timestamp
- Read()
  - Read (value, timestamp) pairs from a quorum
  - Identify correct values: those that appear b+1 identical times
  - Return the highest-timestamp correct value
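An added simulation of the Write/Read protocol above (example code, not from the slides). It assumes the standard b-masking construction with n = 4b+1 servers and quorums of 3b+1 servers, b = 1, and a penetrated server that forges its replies; the reader keeps only (value, timestamp) pairs vouched for by at least b+1 servers.

```python
import random
from collections import Counter

# Constructed toy parameters (assumption, not from the slides): b = 1 penetrable
# server, n = 4b+1 = 5 servers, quorums of 3b+1 = 4 servers. Any two such quorums
# share >= 2b+1 servers, so at least b+1 of the shared servers are correct.
B, N, QSIZE = 1, 5, 4

class Server:
    """Passive storage unit holding one (value, timestamp); servers never talk to each other."""
    def __init__(self, faulty=False):
        self.value, self.ts, self.faulty = None, (0, 0), faulty
    def read(self):
        if self.faulty:  # penetrated server answers with a forged value and a higher timestamp
            return ("forged", (self.ts[0] + 1, 0))
        return (self.value, self.ts)
    def write(self, value, ts):
        if ts > self.ts:
            self.value, self.ts = value, ts

def quorum(servers):
    """The client contacts any QSIZE servers; it cannot tell which one is penetrated."""
    return random.sample(servers, QSIZE)

def q_write(servers, value, client_id):
    """Write(v): read timestamps from a quorum, choose a higher timestamp made unique
    by the client id, and store (v, ts) at a quorum."""
    highest = max(ts for _, ts in (s.read() for s in quorum(servers)))
    ts = (highest[0] + 1, client_id)
    for s in quorum(servers):
        s.write(value, ts)
    return ts

def q_read(servers):
    """Read(): collect (value, timestamp) pairs from a quorum, keep only pairs reported
    by at least b+1 servers (so a correct server vouches for them) and return the
    value with the highest timestamp among them."""
    votes = Counter(s.read() for s in quorum(servers))
    vouched = [pair for pair, count in votes.items() if count >= B + 1]
    if not vouched:  # only possible under a concurrent write; a safe register may return anything then
        return None
    return max(vouched, key=lambda pair: pair[1])[0]

def demo():
    """Two writes by different clients, read back through random quorums with server 0 penetrated."""
    servers = [Server(faulty=(i == 0)) for i in range(N)]
    q_write(servers, "alpha", client_id=1)
    first = q_read(servers)
    q_write(servers, "beta", client_id=2)
    return first, q_read(servers)
```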
21. Byzantine quorums: surprisingly efficient [Malkhi, Reiter and Wool 98]
22. Quorums can be surprisingly efficient
23. Universal/atomic data emulation
[Diagram: a high-level reliable object emulated on top of fail-prone disks]
24. Identifying an agreement building block
  Propose(V):
    begin RMW
      if (val = ⊥) val := V
      return val
    end RMW
[Diagram: consensus built on a single RMW object]
- Agreement is trivial with a single RMW
- RMW cannot be emulated out of faulty memory objects of any type [Jayanti, Chandra, Toueg 9?]
25. Weaker shared objects
- Consensus is not solvable if even a single process can fail by crashing in
  - Asynchronous shared memory system with read/write registers
  - Asynchronous message passing system (FLP)
- so any object that can be emulated by fail-prone shared memory is too weak
26. The Approach [Lamport 98]: PAXOS
- Assume a weak leader election primitive
  - Eventually there is a unique leader
  - ◊S failure detector, partially synchronous/timed asynchronous systems, etc.
- To order operations, the leader invokes an instance of the agreement protocol
  - Never disagree on the operation order
  - Might fail to make progress if there is no unique leader
27. Agreement with R/W registers [Gafni Lamport]
[Diagram: disks 1-3 and processes 1-5; each process i owns a block <v,r,R> on every disk j]
- Process i can write block_ij, for each disk j
- Process i can read block_ij, for all i, j
28. Unknown clients
- Consider the same shared memory system with an unknown number of processes
  - There might be a bound, but it is unknown
  - The process ids are unknown
  - Assume there are no client faults
- Can you solve Consensus using a finite number of
  - R/W registers? No!
  - RMW registers: wait-free solution
- Eventual leader
  - R/W registers? No!
  - RMW registers
29. Identifying an agreement building-block
30. Adding Ranks (ballots)
31. Ranked Register [Boichat et al. 02, Chockler and Malkhi 02]
- The interface
  - rr-read(R), returns <r,v>
  - rr-write(R,v), commits or aborts
- The Paxos Agreement
  - Collect proposals with a rank
  - Make a new proposal with a rank
- If rr-write with rank R1 commits, then rr-read with rank R2 > R1 must see it
  - return the value written by this rr-write (or by a write with rank R > R1)
32. Agreement using RR
  Shared: a single ranked register
  propose(inp)
    while (true) do
      choose a unique monotonically increasing rank R
      <r,v> := rr-read(R)
      if (v = ⊥) v := inp
      if (rr-write(R,v) = commit) return v
    od
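An added Python model of the ranked register and the propose loop above (example code, not from the slides or the cited papers). The register is a single in-memory object that processes operations one at a time; ranks are plain integers assumed unique per process.

```python
BOTTOM = None  # the ⊥ value: nothing committed yet

class RankedRegister:
    """In-memory ranked register with the slide-31 interface. rr-read(R) returns the
    highest-ranked committed <r,v> and records R; rr-write(R,v) commits only if no
    read or write with a higher rank has been seen, so once rr-write(R1) commits,
    every rr-read(R2 > R1) sees it (or a later commit with rank R > R1)."""
    def __init__(self):
        self.read_rank = 0                 # highest rank of any rr-read so far
        self.rank, self.val = 0, BOTTOM    # highest committed write
    def rr_read(self, R):
        self.read_rank = max(self.read_rank, R)
        return self.rank, self.val
    def rr_write(self, R, v):
        if R < self.read_rank or R < self.rank:
            return "abort"                 # a higher-ranked operation already happened
        self.rank, self.val = R, v
        return "commit"

def propose(reg, inp, ranks):
    """Slide 32 loop: read with a fresh unique rank, adopt a value already in the
    register (else propose our own), and return it once an rr-write commits."""
    for R in ranks:                        # ranks must be unique and increasing per process
        r, v = reg.rr_read(R)
        if v is BOTTOM:
            v = inp
        if reg.rr_write(R, v) == "commit":
            return v
    raise RuntimeError("ran out of ranks without committing")

def contended_run():
    """Interleaving of two proposers A (ranks 1, 3) and B (rank 2): A reads with rank 1,
    B reads and commits "b" with rank 2, A's stale rank-1 write aborts, and A's retry
    with rank 3 adopts "b". Both decide the same value."""
    reg = RankedRegister()
    _, v = reg.rr_read(1)                                  # A, rank 1: sees ⊥
    outcome_b = propose(reg, "b", [2])                     # B runs to completion
    aborted = reg.rr_write(1, "a" if v is BOTTOM else v)   # A's rank-1 write, now stale
    outcome_a = propose(reg, "a", [3])                     # A retries with a fresh rank
    return outcome_a, outcome_b, aborted
```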
33. Why is this working?
34. The complete system
[Diagram: clients coordinate through ranked registers (RR)]
35. Implementability of RR
36. Active disk Paxos [Chockler Malkhi]
- Paxos with infinitely many processes based on a new ranked register abstraction
- Fault-tolerant replication in SANs
- Fault-tolerant client/server applications
- Extensions
  - Handling Byzantine memory failures (NR-arbitrary)
  - Specifying/implementing the leader election primitive
37. Distributed Methods in System Security
38. Motivation
- Relationship to distributed computing
  - Security is the last frontier of reliability and availability
  - Requires various coordination building blocks, e.g., reliable broadcast, clock synchronization
  - Related notions: robustness, fault models, the Byzantine model
  - Coordinated activity vs. conflicting activity
  - Confidentiality vs. data sharing
- Security by distribution
  - Key principle: reduce trust in single components
  - Secure storage: keys (escrow), files
  - Collective control
  - Many cryptographic primitives: Secure Multi-Party Computation (SMPC), electronic voting, agreement protocols, ...
39. Simple secret sharing (SS)
- S = A + B; A is given to one authority, B to another
- Perfect (unconditional, information theoretic) security
- Variation: S = A ⊕ B
- Bad variation: divide the bits among the participants (why?)
- Generalization to t authorities
  - S = A1 + A2 + ... + At (t-1 of them chosen at random)
- Demonstration: electronic voting
40. Shamir's secret sharing [Shamir 79]
- Threshold secret sharing: t-out-of-n shares required to obtain the secret
- Fact: t+1 points (xi, yi) define a polynomial of degree t, f(xi) = yi
- Set-up
  - Choose a0 = secret; choose a1, a2, ..., at at random
  - Define f(x) = a0 + a1 x + ... + at x^t
  - Distribute shares (xi, yi = f(xi)) for i = 1..n
- Pooling of shares
  - Lagrange interpolation of any t shares to obtain the secret
41. Sharing the secret 1: f(x) = x^2 - 2x + 1
42. Properties of Shamir's secret sharing
- Perfect information theoretic security
- Ideal: shares are of the same size as the secret
- Extendable: additional shares may be created
- Flexible: can assign different weights (# of shares) to different authorities
43. Homomorphism: (f + g)(x) = f(x) + g(x)
45. The homomorphism property
- Denote by F(d1, ..., dt) the transformation determining the secret from the shares
- We say that F has the (⊕,⊗)-homomorphic property if
  - F(d1, ..., dt) ⊕ F(d1', ..., dt') = F(d1 ⊗ d1', ..., dt ⊗ dt')
  - generalizes to k sub-shares
- Shamir's secret sharing scheme has the (+,+)-homomorphic property
  - Σ ci di + Σ ci di' = Σ ci (di + di')
46. A simple decentralized electronic voting protocol
- Suppose ballots Bv are either 1 or -1.
- Each voter v
  - chooses a polynomial to share the secret Bv
  - sends shares to n authorities over authenticated and secure channels
- Using homomorphism: let f1, ..., fm be the votes' polynomials
  - (f1 + ... + fm)(s) = f1(s) + ... + fm(s)
- Each authority (out of t+1)
  - sums its shares to compute a point on the sum polynomial
  - exchanges shares to interpolate the sum polynomial
47. Pro-active secret sharing [Herzberg, Jarecki, Krawczyk, Yung 95]
- Motivation
  - secret sharing security relies on a threshold of compromised shares throughout the lifetime of the secret
  - pro-active security assumes shares are gradually compromised/corrupted
  - Compromised hosts recover (e.g., reboot/reset)
- Approach
  - renew shares continuously, without changing the secret, so that old shares become useless
  - recover corrupted shares
  - replace all shares of the same secret every pre-defined period
  - attacker needs to break into t+1 shares within a time period
  - attacker needs to destroy t+1 shares within a time period
48. Pro-active model requirements
- Authenticated broadcast channel
  - can be intercepted by the adversary; cannot be altered, prevented or spoofed by the adversary
- Authenticated and secret communication channels
  - same
- Synchronization
- Adversary can compromise/corrupt at most t computers in any time period; compromised computers recover
- Secrets can be erased (by honest servers)
- The guarantee: security (no information leaked) and robustness (recoverability of the secret) against the pro-active adversary
49. Share renewal: (f_{k-1} + r)(x) = f_{k-1}(x) + r_1(x) + ... + r_n(x)
52. Share renewal
- Start with a polynomial P_{k-1}(x) of degree t, s.t. P_{k-1}(0) = s
- Define P_k(x) = P_{k-1}(x) + δ(x)
  - where δ is a degree-t polynomial, δ(0) = 0
  - hence P_k is a degree-t polynomial, P_k(0) = P_{k-1}(0) = s
- δ(x) is chosen and distributed by the n share holders
  - Share holder S_i chooses δ_i(x) as a degree-t polynomial with zero free coefficient, hence δ_i(0) = 0
  - Share holder S_i distributes δ_i(x) using SS among the share holders; S_j obtains the share δ_i(j)
  - Share holder S_j receives δ_1(j), ..., δ_n(j), and computes (P_{k-1} + δ)(j) = P_{k-1}(j) + Σ_{i=1..n} δ_i(j), the share of P_k at j
  - Share holders erase the shares of P_{k-1} and keep the new shares
53. Security of secret renewal
- If all servers act correctly, each t+1 shares of phase k can reconstruct the original secret
- If at most t shares are known from each phase 1..k, no information is leaked on the secret s
54. Detection of corrupted shares
- Each share holder S_i holds the invariants y_j = g^{x_j} (mod p) for j = 1..n
- Periodically, share holders compare shares and invariants using secure broadcast
- Invariants y_j are obtained from the VSS as follows
  - S_i has encryptions of the coefficients of the initial polynomial P_0(x) and of all polynomials δ_kj(x)
  - Hence, S_i can compute the encryptions of P_0(x) and all δ_j(x) for any integer x, e.g., x = 1..n
  - Hence, it can compute the encryptions of P_k(j) for j = 1..n recursively
- Share holders S_r that have been detected to hold corrupted shares reconstruct their shares
55. Share reconstruction of share 2
58. Reconstruction of lost/corrupted shares
- Use the same protocol as share renewal to construct shares of P_k(r), for any lost r
  - send the shares of P_k to r, to obtain the secret share
- Details
  - Each S_i chooses a random δ_i(x) s.t. δ_i(r) = 0
  - Shares δ_i(x) between servers using VSS
  - Each server S_j computes u_j = (P_k + Σ_i δ_i)(j) to obtain a share of (P_k + Σ_i δ_i)
  - It sends u_j to r
  - r can reconstruct P_k(r) = (P_k + Σ_i δ_i)(r)
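An added Python walk-through (example code, not from the slides) covering slide 40 (Shamir sharing and Lagrange pooling), slide 46 (homomorphic vote tallying), slide 52 (share renewal with zero-free-coefficient polynomials) and the reconstruction protocol above. It assumes arithmetic over a constructed small prime field Q = 1019, degree-t polynomials and t+1 shares to reconstruct, as in slide 53; the authenticated channels and the VSS checks of the slides are left out.

```python
import secrets

Q = 1019  # constructed small prime field (not from the slides); real systems use a large prime

def evaluate(coeffs, x):
    """Value of a0 + a1 x + ... + at x^t (mod Q)."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def random_poly(free_coeff, t):
    """Degree-t polynomial with the given free coefficient and random other coefficients."""
    return [free_coeff % Q] + [secrets.randbelow(Q) for _ in range(t)]

def share(secret, t, n):
    """Slide 40: holder i receives (i, f(i)); any t+1 holders can interpolate f(0)."""
    f = random_poly(secret, t)
    return {i: evaluate(f, i) for i in range(1, n + 1)}

def interpolate(points, x):
    """Lagrange interpolation through {xi: yi}, evaluated at x (x = 0 recovers the secret)."""
    total = 0
    for i, yi in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num, den = num * (x - j) % Q, den * (i - j) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def tally_votes(ballots, t, n):
    """Slide 46: every voter shares its +1/-1 ballot; each authority adds the shares it
    holds (a point on the sum polynomial) and t+1 authorities interpolate only the total."""
    per_voter = [share(b, t, n) for b in ballots]
    sum_shares = {j: sum(s[j] for s in per_voter) % Q for j in range(1, n + 1)}
    total = interpolate({j: sum_shares[j] for j in range(1, t + 2)}, 0)
    return total - Q if total > Q // 2 else total     # back to a signed count

def renew(shares, t):
    """Slide 52: each holder deals a random degree-t delta_i with delta_i(0) = 0; holder j
    adds delta_1(j)+...+delta_n(j) to its share. Old and new shares no longer combine."""
    deltas = [random_poly(0, t) for _ in shares]
    return {j: (y + sum(evaluate(d, j) for d in deltas)) % Q for j, y in shares.items()}

def reconstruct_lost(shares, t, r):
    """Slide 58: rebuild holder r's share without exposing the secret. Helpers deal random
    degree-t delta_i with delta_i(r) = 0, send u_j = (P + sum delta_i)(j) to r, and r
    interpolates at r, where the masks vanish, to get P(r)."""
    helpers = [j for j in shares if j != r]
    deltas = []
    for _ in helpers:
        d = random_poly(0, t)
        d[0] = (-evaluate(d, r)) % Q       # fix the free term so that d(r) == 0
        deltas.append(d)
    u = {j: (shares[j] + sum(evaluate(d, j) for d in deltas)) % Q for j in helpers}
    return interpolate({j: u[j] for j in helpers[:t + 1]}, r)
```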
59. Verifiable secret sharing (VSS)
- Share holders can verify that shares are t-consistent: every subset of t+1 of them defines the same secret
- In case the dealer is honest, share holders accept the shares (w.h.p.)
- In Shamir's SS scheme, n shares are consistent if they define a degree-t polynomial
60. VSS interactive proof [Benaloh 86]
- Trusted share-holders, untrusted dealer
  - dealer chooses polynomial P, distributes shares
  - dealer chooses 100 polynomials P1, ..., P100 of degree t, distributes shares
  - verifier chooses a random subset of 50 of them
  - dealer reveals shares of the 50 chosen polynomials P_i1, ..., P_i50 and the share-sums of the remaining 50: P+P_i51, ..., P+P_i100
  - each share-holder (verifier) ascertains that all revealed polynomials are of degree t and correspond to its own known shares
- Problem: how to distinguish a faulty dealer from a faulty share-holder?
61. Interactive proof w/broadcast
- dealer chooses polynomial P, encrypts shares and publishes them using secure broadcast
- dealer chooses 100 polynomials P1, ..., P100 of degree t, encrypts shares and publishes them using secure broadcast
- verifier chooses a random subset of 50 of them
- dealer reveals shares of the 50 chosen polynomials P_i1, ..., P_i50 and the share-sums of the remaining 50: P+P_i51, ..., P+P_i100
- verifier ascertains that all revealed polynomials are of degree t and correspond to the published encrypted shares
- requirement: E(s+s') = E(s) ⊗ E(s') for some known op ⊗
- example
  - public (g,p); to encrypt s, compute g^s mod p
  - encryption of s is verified by releasing s
  - encryption of s+s' is verified by releasing s+s'
62. VSS non-interactive proof [Feldman 87]
- Dealer chooses polynomial P, encrypts the coefficients using E and publishes the encrypted coefficients using secure broadcast
- Dealer secretly sends shares to share holders
- Each share holder can verify its share P(i) by
  - computing the (homomorphic) encryption of P(i)
  - comparing with the polynomial of encrypted coefficients
- Requirement: E is homomorphic both with respect to addition and to multiplication, i.e.
  - E(s+s') = E(s) ⊗ E(s') for some known op ⊗
  - E(s·s') = E(s) ⊙ E(s') for some known op ⊙
- Let f0, f1, ..., ft be the coefficients of P. Then E(P(i)) = E(f0) ⊗ (E(f1) ⊙ E(i)) ⊗ ... ⊗ (E(ft) ⊙ E(i^t))
- Example: E(x) = g^x mod p
- Remark: it is also possible to verify P(0) = s, if s is known
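An added Python implementation of the non-interactive check above with E(x) = g^x mod p (example code, not from the slides or from Feldman's paper), which also shows how the encrypted coefficients are carried through a renewal as slide 54 describes. It assumes a constructed toy group: p = 2039, q = 1019 (p = 2q+1) and g = 4 of order q; a real deployment uses a large group.

```python
import secrets

# Constructed toy group (assumption, not from the slides): p = 2q+1 with q = 1019,
# p = 2039 both prime; g = 4 = 2^2 has order q mod p. Polynomials live in Z_q,
# commitments E(x) = g^x mod p live in the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4

def evaluate(coeffs, x):
    """P(x) = f0 + f1 x + ... + ft x^t over Z_q."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def deal(secret, t, n):
    """Dealer: pick P with P(0) = secret, send P(i) privately to holder i, and
    broadcast the encrypted coefficients E(f_k) = g^{f_k} mod p."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t)]
    shares = {i: evaluate(coeffs, i) for i in range(1, n + 1)}
    commitments = [pow(G, c, P) for c in coeffs]
    return shares, commitments

def verify_share(i, share, commitments):
    """Holder i checks g^{P(i)} == prod_k E(f_k)^{i^k} mod p: the additive and
    scalar-multiplicative homomorphisms of E let it evaluate the encrypted polynomial."""
    expected = 1
    for k, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, k, Q), P) % P
    return pow(G, share, P) == expected

def verify_known_secret(secret, commitments):
    """Slide 62 remark: when s is public, anyone can check E(f0) == g^s."""
    return commitments[0] == pow(G, secret % Q, P)

def renewed_commitments(old, delta_commitments):
    """Slide 54: after a renewal with polynomials delta_i, the encrypted coefficients of
    P_k are the coordinate-wise products E(P_{k-1} coeffs) * prod_i E(delta_i coeffs),
    so holders can keep checking shares of every phase without learning the secret."""
    new = list(old)
    for dc in delta_commitments:
        new = [a * b % P for a, b in zip(new, dc)]
    return new
```

A renewal polynomial dealt with `deal(0, t, n)` publishes E(0) = 1 as its first commitment, so everyone can also confirm that δ_i(0) = 0 before accepting it.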
63. Secure Multi Party Computation (SMPC) / Secure Function Evaluation (SFE)
64. Informal setting
- Heads of all Fortune-500 companies want to collectively compute various statistics, such as the average earnings, total spending on crypto research, etc.
  - without revealing their raw data
  - without a trusted third party (simulating it)
- If phone lines are secure, they can do it with 333 trustworthy companies
- If a secure conference call is available, they can do it with 251 trustworthy companies
- If their CTOs cannot break certain hard mathematical problems, they can do it with any number of trustworthy companies
65. Informal definition
- m players hold inputs x1, ..., xm
- goal: each player outputs f(x1, ..., xm)
- security: no information about the inputs is revealed by the computation
- Emulate a Trusted Third Party (TTP)
  - TTP securely receives x1, ..., xm from the players,
  - computes f(x1, ..., xm),
  - returns the result to the players
- variations: many
- applications: many
66. Problem reduction
- f described as a circuit of binary additions and multiplications (XORs and ANDs, respectively)
- computation proceeds along the circuit
  - gate inputs are shares of values held by different players
    - exchanged by players before computation
  - gate outputs are shares of the result
    - can be exchanged by players after computation
- inefficient, but general
  - specific problems may have better solutions
67. A single gate of the computation
[Diagram: a gate with inputs a, b and output c]
68. A single gate of the computation
[Diagram: the same gate on shares; player 1 holds a1, b1, c1 and player n holds an, bn, cn, where ai, bi, ci are shares of a, b, c]
69. Example: sharing by summands
- a = a1 + a2, b = b1 + b2
- Goal: compute and share c = a ⊕ b (XOR gate) or c = a ∧ b (AND gate)
- 2-way XOR gate (easy)
  - player 1 holds a1, b1; player 2 holds a2, b2
  - result: player 1 holds c1 = a1 + b1; player 2 holds c2 = a2 + b2
  - c1 + c2 = (a1 + a2) + (b1 + b2)
- 2-way AND gate (core of the problem)
  - compute c1, c2 such that c1 + c2 = (a1 + a2) ∧ (b1 + b2)
70. Private computation
- Guarantee privacy of inputs against a curious adversary
- Two main methods: cryptographic and information theoretic
  - Cryptographic: based on Oblivious Transfer
    - tolerates up to n-1 faults
  - Information theoretic: based on homomorphic polynomial secret sharing
    - requires secure communication channels
    - tolerates up to n/2-1 faults
- Does not provide resilience of the computation against a malicious adversary
71. Non-cryptographic SMPC
- Share initial input values using Shamir's secret sharing
- Combining inputs
  - Addition is easy (using homomorphism), without communication
  - Multiplying by a constant is easy, without communication
  - Multiplication is done by degree-reduction and randomization techniques
72. Multiplication details
- Denote by a and b the two initial secret values
  - a is encoded and shared via f(x), b via g(x)
- The free coefficient of h(x) = f(x)g(x) is the desired result ab
- Two problems with the multiplication
  - the degree of f(x)g(x) is 2t
  - it is not random
- Solution
  - degree reduction
  - randomization
73. Multiplication: degree reduction and randomization
- a = f(0), f(x) = a + f1 x + ... + ft x^t
- b = g(0), g(x) = b + g1 x + ... + gt x^t
- h(x) = f(x)g(x)
  - h(i) = f(i)g(i)
  - h(0) = multiplication result (multiplication of secrets)
  - h of degree 2t
- denote h(x) = ab + h1 x + ... + h2t x^2t
  - H = (ab, h1, ..., h2t)
  - S = (h(1), ..., h(2t+1)), the shares of h held by the players
74. Multiplication: degree reduction and randomization
- Let A be the (2t+1)×(2t+1) Vandermonde matrix
  - a_ij = i^j, i,j = 1..(2t+1)
  - A is constant, a priori known
- Then A·H = (h(1), ..., h(2t+1)) = S
- A is non-singular and has an inverse A^-1
  - A^-1 · S = H
- Denote the first row of A^-1 by (λ1, ..., λ2t+1); then λ1 h(1) + ... + λ2t+1 h(2t+1) = ab
- Use (λ1, ..., λ2t+1) for a linear combination of polynomials h_i(x)
  - of degree t
  - h_i(0) = h(i)
75. Degree reduction: randomization
[Diagram: the sub-shares h(1), h(2), h(3) re-shared by their holders]
77. Multiplication: the gory details
- a and b are shared by the players using f(x) and g(x), resp.; player j has f(j), g(j)
- Player j chooses h_j(x) s.t. h_j(0) = f(j)g(j) and sends shares of h_j to all players
- Player i computes s_i = λ1 h_1(i) + ... + λ2t+1 h_2t+1(i): a share of a degree-t polynomial with free coefficient ab
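An added Python implementation of the multiplication step of slides 73-77 (example code, not from the slides): the recombination vector is obtained, as the slides describe, as the first row of the inverse Vandermonde matrix, computed here by Gauss-Jordan elimination over a constructed prime field Q = 1019. It assumes the matrix columns are indexed from j = 0 (so that A·H = S), n ≥ 2t+1 players, and honest-but-curious players.

```python
import secrets

Q = 1019  # constructed prime field (assumption, not from the slides)

def evaluate(coeffs, x):
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def share(secret, t, n):
    """Shamir: degree-t polynomial with free coefficient `secret`; player i gets f(i)."""
    f = [secret % Q] + [secrets.randbelow(Q) for _ in range(t)]
    return [evaluate(f, i) for i in range(1, n + 1)]

def inverse_mod_q(matrix):
    """Gauss-Jordan inversion over Z_q (the slides only state that A^-1 exists)."""
    m = len(matrix)
    aug = [row[:] + [int(i == j) for j in range(m)] for i, row in enumerate(matrix)]
    for col in range(m):
        piv = next(r for r in range(col, m) if aug[r][col] % Q)
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, Q)
        aug[col] = [x * inv % Q for x in aug[col]]
        for r in range(m):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % Q for x, y in zip(aug[r], aug[col])]
    return [row[m:] for row in aug]

def recombination_vector(m):
    """First row (lambda_1, ..., lambda_m) of A^-1 for the m x m Vandermonde matrix
    a_ij = i^j (j = 0..m-1): sum_j lambda_j h(j) = h(0) for any h of degree < m."""
    A = [[pow(i, j, Q) for j in range(m)] for i in range(1, m + 1)]
    return inverse_mod_q(A)[0]

def multiply_shares(f_shares, g_shares, t):
    """Slide 77: player j re-shares h_j(0) = f(j)g(j) with a fresh degree-t polynomial;
    player i then sets s_i = sum_j lambda_j h_j(i), a random degree-t share of ab."""
    n, m = len(f_shares), 2 * t + 1
    lam = recombination_vector(m)
    sub = [share(f_shares[j] * g_shares[j], t, n) for j in range(m)]  # sub[j][i] = h_j(i+1)
    return [sum(lam[j] * sub[j][i] for j in range(m)) % Q for i in range(n)]

def reconstruct(shares, t):
    """Open a degree-t sharing from players 1..t+1 with the same recombination vector."""
    lam = recombination_vector(t + 1)
    return sum(l * s for l, s in zip(lam, shares)) % Q
```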
78. The full picture
- Transform f(x1, ..., xn) into a binary computation
  - gate1(x1, x2), gate2(gate1, x3), gate3(gate1, gate2)
- Share initial inputs using SS
- Compute
  - addition gates locally
  - multiplication gates: degree-reduction and randomization
  - Result: share output values of all intermediate results
- Output: combine shares of the output and interpolate
79. Robust SMPC
- Ensure unique computation: verify that values are shared properly
- Ensure correct values: verify that intermediate results are shared and used correctly
- Suppose a and b are shared among the players
  - verify that the shares of good players encode a unique value (VSS)
  - in multiplication, verify that h_i(0) encodes a multiplication result consistent with the shares of a, b
80. Summary
- Distributed computing issues
  - Reliable, authenticated communication
  - Reliable broadcast
  - (round) synchronization
  - Advanced adversarial model, proactivity
  - Share information, rather than replicate
- Advertisements
  - Multi-party computation workshop, in conjunction with DISC 2003
  - SFE project at Hebrew U: open source two-way cryptographic SFE system.