Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider Ariel J. Feldman Princeton UPenn Joint work with: Aaron Blankstein, Michael J. Freedman, and Edward W. Felten Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 1 Online social networks are centralized Pro: Availability, reliability, global accessibility, convenience Con: 3rd party involved in every social interaction Must trust provider for confidentiality & integrity Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 2 Threats to confidentiality • Theft by attackers Ars Technica. Mar. 11, 2011 • Accidental leaks EFF. Apr. 28, 2010 PC World. Dec. 6, 2011 • Privacy policy changes WSJ. Feb. 22, 2012 Google Transparency Report Jan. – Jun. 2011 • Government pressure Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 3 Threats to integrity Server Simple: Corrupting messages Complex: Server equivocation 1 2 3 Alice 1 3 2 Bob Equivocation in the wild: (e.g to disguise censorship) http://songshinan.blog.caixin.com/archives/22322 (translated by Google) Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 4 Limits of prior work 1. Cryptographic Don’t protect integrity 2. Decentralized Run your own server (sacrifice availability, convenience, etc.) Trust a provider OR (who you may not know either) Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 5 Frientegrity’s approach Provider Benefit from a centralized provider Support common features Server Server (e.g. walls, feeds, friends, FoFs, followers) Assume untrusted provider Client Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 Client Client 6 Enforce confidentiality Provider Provider only observes encrypted data Server Encrypted State state Server (Need dynamic access control and key distribution) Client Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 Client Client 7 Verify integrity Clients verify that the provider: Provider Server Server • Hasn’t corrupted individual updates • Hasn’t equivocated • Enforced access control on writes Client Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 Client Client 8 Scalability challenges Long histories; only want tail … Don’t verify whole history each time Many objects (walls, comment threads, photos, etc.) Support sharding Many friends and FoFs O(log n) “(un)friending” Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 9 Frientegrity overview Server 1 Checked for equivocatio n Alice’s profile Server 2 Server n Alice’s photo album Alice’s ACL Comment thread Read Alice’s wall Alice’s wall Bob’s profile Optionally entangled 1. Latest updates 2. Proof of no equivocation Bob Verify & decrypt 3. Proof of ACL enforcement 4. Decryption keys Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 10 Detecting equivocation Enforce fork* consistency [LM07] • Honest server: linearizability • Malicious server: Alice and Bob detect equivocation after exchanging 2 messages • Compare histories 1 Server 2 Alice 3 1 3 2 Bob Provider can still fork the clients, but can’t unfork Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 11 Comparing histories Previously: use a hash chain op0 op1 op2 op3 op4 op5 op6 op7 hn= H(hn-1 || opn) Hash chains are O(n) (and must download the whole history) Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 12 Objects in Frientegrity Let C15 be a serversigned commitment to hroot up to op15 hroot commits to entire history hi = H(hleftChild(i) || hrightChild(i)) op0 op1 op2 op3 op4 op5 op6 op7 op8 op9 op10 op11 op12 op13 op14 op15 History tree [CW09] Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 13 Objects (cont.) Is C8 consistent C15 with C15? op0 op1 op8 op9 Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 op14 op15 14 Verifying an object Alice’s ops Bob’s ops Charlie’s ops Clients collaborate to verify the history op0 op1 op2 op3 op4 C0 op5 op6 op7 op8 op9 op10 C4 op11 C8 op12 op13 op14 op15 C1 1 Is C11 consistent with C15? Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 15 Tolerating malicious users Alice’s ops Bob’s ops Charlie’s ops Tolerate up to f malicious users op0 op1 op8 op9 op10 op11 op12 op13 op14 C9 Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 op15 C1 1 16 Access control Server Alice’s photo album Alice’s ACL Comment thread Prove ACL enforcement Alice’s wall Efficient key distribution O(log n) “(un)friending” Bob Verify & decrypt Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 17 Proving ACL enforcement Server hi = H(hleftChild(i)hroot || hrightChild(i) signed by ) Alice Alice’s photo album Alice’s ACL Comment thread David Alice’s wall Sean Bob Alice Bob Verify & decrypt Charlie Emma Persistent authenticated dictionary [AGT01] Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 18 Efficient key distribution Server Ek3(k1) || Ek4(k1) k0 = kalice_friend Alice’s photo album Alice’s ACL Comment thread Davidk0 David, Alice’s wall Seank2 Sean, Bobk1 Bob, Alice, Alicek3 Charlie, Charliek4 Emma, Emmak5 Echarlie_pk(k4) Bob Verify & decrypt Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 Key graph [WGL98] 19 Adding a friend Ek5(k2) || Ek6(k2) Server Alice’s photo album Alice’s ACL Comment thread David, k0 Alice’s wall Sean, k2 Bob, k1 Alice, k3 Charlie, k4 Emma, k5 Zack, k6 Ezack_pk(k6) Bob Verify & decrypt Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 20 Removing a friend k0’ = kalice_friend’ Server Alice’s photo album Alice’s ACL Comment thread David, kk00’ David, Alice’s wall Bob, kk11’ Bob, Alice, k3 Charlie, k4 Sean, k2 Emma, k5 Zack, k6 Bob Verify & decrypt Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 21 Efficient enough in practice? Setup • • • • Java client & server Simulate basic Facebook features (each user has wall & ACL) 2048-bit RSA sign & verify batched via spliced signatures [CW10] Experiments on LAN (8-core 2.4 GHz Intel Xeon E5620s, Gigabit network) Measurements • • • • Latency of reads & writes to objects Latency of ACL changes Throughput (in paper) Effect of tolerating malicious users Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 22 Object read & write latency Frientegrity Constant cost of signatures dominates (collaborative verification) Hash chain Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 23 Latency of ACL changes Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 24 Tolerating malicious users • 50 writers • 5000 operations Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 25 Summary Both confidentiality & integrity need protection Benefit from centralization, but provider is untrusted Clients collaborate to defend against equivocation Scalable, verifiable access control & key distribution Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 26 Thank you Questions? http://arifeldman.com ariel.feldman@cis.upenn.edu Social Networking with Frientegrity — Ariel J. Feldman — Usenix Security 8/10/12 27