Vanish: Increasing Data Privacy with Self-Destructing Data



USENIX Security Symposium (Usenix), 2009 (best student paper award)

Roxana Geambasu | Tadayoshi Kohno | Amit A. Levy | Henry M. Levy

Presented by: Libert Tapia

What is Vanish?

Vanish is a project developed at the University of Washington that gives users the ability to set the lifespan of personal data stored on the web, such as private messages on Facebook, documents on Google Docs, or private photos on Flickr, by making the web object self-destruct (vanish) automatically once a timeout has passed.

Motivating Problem:

Data Lives Forever

[Figure: a sensitive email travels from the sender through Hotmail and Gmail to the receiver; every hop keeps a copy.]

• The sensitive email is stored on several servers on its way to its final destination; if the sender deletes it from his or her inbox, copies remain at the other locations for a long time.

• This creates multiple points where an attack can be performed (or a copy subpoenaed), compromising the people involved in the conversation.

[Figure (Effects): the same path; a lawyer or attacker can later subpoena the copies kept by Hotmail and Gmail, even after the sender and receiver have deleted the email.]

Candidate Approaches

• The user explicitly and manually deletes their data, or installs a cron job to do it.

• Use a standard public-key or symmetric encryption scheme.

• Steganography, deniable encryption, or deniable file systems.

• Ephemeral key exchange for interactive communication systems (e.g., OTR).

• Ephemerizer (trusted third parties).

Assumptions

A Vanishing Data Object (VDO) is assumed to have:

1. Time-limited value: the data needs to be stored only for a limited period of time.

2. Known timeout: the lifetime can be specified by the user in advance.

3. Internet connectivity: required to encapsulate and decapsulate a VDO.

4. Dispensability under attack: if the system is under attack, the user accepts that the data may become unreadable even before its timeout.

Goals

Sensitive data should become permanently unreadable after its timeout:

• even if an attacker can retroactively obtain a pristine copy of that data and any relevant persistent cryptographic keys and passphrases from before that timeout, perhaps from stored or archived copies;

• without the use of any explicit delete action by the user or the parties storing that data (i.e., automatically);

• without needing to modify any of the stored or archived copies of that data;

• without the use of secure hardware; and

• without relying on the introduction of any new external services that would need to be deployed (whether trusted or not).

Threat Model

• In scope:

1. Trusted data owners: the sender and the receiver of the VDO are trusted not to leak its contents.

2. Retroactive attacks on privacy: the attacker gains access to the stored data and to the user's persistent keys (e.g., via subpoena or a later compromise) only after the VDO's timeout.

• Out-of-scope threats:

1. A user making a cleartext copy of the VDO's contents and storing it.

2. ISPs that might spy on the user's DHT interactions.

How Vanish Works: Data Encapsulation

[Figure: Encapsulate(data, timeout) produces the Vanish Data Object VDO = {C, L}.]

1. Vanish picks a fresh random symmetric key K.

2. It encrypts the data: C = E_K(data).

3. It splits K with (M of N) secret sharing into key shares k_1, k_2, k_3, ..., k_N.

4. It pushes each share k_i into the world-wide DHT at an index derived from the access key L.

5. The VDO = {C, L} is handed to the application; K itself is not stored anywhere.

How Vanish Works: Data Decapsulation

[Figure: Decapsulate(VDO = {C, L}) recovers the data.]

1. From L, Vanish derives the DHT indices and fetches the key shares k_1, k_2, k_3, ..., k_N (some may already be missing).

2. If at least M shares are retrieved, it reconstructs K through (M of N) secret sharing.

3. It decrypts: data = D_K(C).

How Vanish Works: Data Timeout

• The DHT loses key pieces over time

– Natural churn: nodes crash or leave the DHT

– Built-in timeout: DHT nodes purge data periodically

• Key loss makes all data copies permanently unreadable

[Figure: after the timeout, shares such as k_1, k_3 and k_N are marked X (purged from the DHT); fewer than M remain, so (M of N) secret sharing cannot reconstruct K and data = D_K(C) can no longer be computed.]
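The three steps above (encapsulate, decapsulate, timeout) carried end to end, as an added example that is not part of the paper or of the Vanish implementation. It assumes Shamir secret sharing over the prime field GF(2^127-1), a SHA-256 keystream XOR as a stand-in for the symmetric cipher E_K (a real deployment would use a proper cipher such as AES), a hypothetical in-memory SimDHT class with a Vuze-style expiry timeout and a drop() call that simulates churn, and derives each share's DHT index as SHA-1(L || i); the plaintext is a constructed sample.

```python
# Added example, not the Vanish project's code. Assumptions: Shamir sharing over
# GF(2^127-1); a SHA-256 keystream XOR as stand-in for the cipher E_K; an
# in-memory dict as the DHT, with a Vuze-style purge timeout and simulated churn.
import hashlib
import os
import secrets

PRIME = 2**127 - 1  # field for the Shamir shares (assumption)

def _eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):  # Horner's rule; coeffs[0] is the secret
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, n, m):
    """M-of-N Shamir sharing: N points (x, y) on a random degree-(M-1) polynomial."""
    assert 0 <= secret < PRIME and 1 <= m <= n
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0; needs at least M distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def keystream_xor(key, data):
    """Stand-in for E_K / D_K: XOR data with SHA-256(key || counter) blocks."""
    stream = b""
    while len(stream) < len(data):
        stream += hashlib.sha256(key + (len(stream) // 32).to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class SimDHT:
    """Toy DHT: entries live `timeout_hours` of simulated time unless churn drops them."""
    def __init__(self, timeout_hours=8):
        self.timeout, self.clock, self.store = timeout_hours, 0, {}  # index -> (value, stored_at)

    def put(self, index, value):
        self.store[index] = (value, self.clock)

    def get(self, index):
        entry = self.store.get(index)
        return None if entry is None or self.clock - entry[1] >= self.timeout else entry[0]

    def advance(self, hours):
        """Time passes; nodes purge entries older than the built-in timeout."""
        self.clock += hours
        self.store = {k: v for k, v in self.store.items() if self.clock - v[1] < self.timeout}

    def drop(self, count):
        """Churn: `count` stored entries vanish because the nodes holding them left."""
        for index in list(self.store)[:count]:
            del self.store[index]

def share_index(access_key, i):
    """DHT index of share i, derived from the access key L (assumed derivation)."""
    return hashlib.sha1(access_key + i.to_bytes(2, "big")).digest()

def encapsulate(dht, data, n=10, m=7):
    """VDO = {C, L}: encrypt under fresh K, split K M-of-N into the DHT, forget K."""
    key = secrets.randbits(120)                                # K (fits in the field)
    ciphertext = keystream_xor(key.to_bytes(16, "big"), data)  # C = E_K(data)
    access_key = os.urandom(16)                                # L: locates shares only
    for i, share in enumerate(split_secret(key, n, m), start=1):
        dht.put(share_index(access_key, i), share)
    return {"C": ciphertext, "L": access_key, "N": n, "M": m}  # K is kept nowhere

def decapsulate(dht, vdo):
    """Fetch the shares L points at; with at least M of them rebuild K and return D_K(C)."""
    shares = [s for i in range(1, vdo["N"] + 1) if (s := dht.get(share_index(vdo["L"], i)))]
    if len(shares) < vdo["M"]:
        return None                                            # key lost: VDO has vanished
    key = recover_secret(shares[: vdo["M"]])
    return keystream_xor(key.to_bytes(16, "big"), vdo["C"])

def demo():
    """Walk a VDO through churn and timeout; returns the three decapsulation results."""
    dht = SimDHT(timeout_hours=8)
    plaintext = b"constructed sample: meet at noon, bring the documents"
    vdo = encapsulate(dht, plaintext, n=10, m=7)
    fresh = decapsulate(dht, vdo)          # all 10 shares present
    dht.drop(3)                            # churn: N - M shares lost, still readable
    after_churn = decapsulate(dht, vdo)
    dht.advance(8)                         # built-in timeout purges the rest
    after_timeout = decapsulate(dht, vdo)  # a pristine copy of {C, L} is now useless
    return {"fresh": fresh, "after_churn": after_churn, "after_timeout": after_timeout}
```

Running demo() shows the point of the design: the VDO {C, L} never changes, yet once fewer than M shares survive in the DHT nobody, including someone holding a perfect archived copy of C, L and the user's long-term keys, can recover K. The threshold M trades robustness against churn (losing up to N - M shares is harmless) against how many shares an attacker must capture.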

Vuze Background (a.k.a. Azureus)

• Uses the Kademlia protocol.

• Each node is assigned a random 160-bit ID derived from its IP address and port.

• A put or get locates the 20 nodes whose IDs are closest (by Kademlia's XOR metric) to the index.

• Stored values are republished every 30 minutes to the other 19 nodes to combat churn.

Availability and Expiration in Vuze

Vanish Applications

• FireVanish (a Firefox extension for sending and reading vanishing Gmail messages)

• Vanishing Files

– A self-destructing trash bin, or Microsoft Word's autosave files

Performance

• Measured on an Intel Core Duo T2500 with 2 GB of RAM, Java 1.6, and a basic broadband connection.

Security Analyses

• The DHT can record who stored or fetched which indices, so routing the interaction through anonymization software such as Tor is recommended.

• The user may fail to Vanish the right data (e.g., a cleartext copy is left behind).

• Vanish may raise legal implications under the new eDiscovery rules.

Retroactive Attacks

[Figure: the attacker can obtain the shares k_1, k_2, k_3, ..., k_N either directly (a direct put lands on an attacker node) or through the DHT's replication to neighbouring nodes.]

• Defense

– The attacker would have to join with roughly 8% of the DHT's size to capture 25% of the VDOs.

– Decentralization: there is no single party to subpoena.

– Constant evolution: the DHT's membership changes continuously, so the attacker must keep paying to stay in.

Decapsulation Prior to Expiration

• The email provider could decapsulate each email in real time and store the plaintext.

• Defense

– Layer PGP (Pretty Good Privacy) or GPG (GNU Privacy Guard) on top: the provider cannot decapsulate what it cannot decrypt, and the VDO still expires as usual.

Sniff User's Internet Connection

• An attacker might intercept and preserve the data users push into or retrieve from the DHT.

• Defense

– Vuze provides protection against this type of attack.

– Use Tor to tunnel the interaction with the DHT through a remote machine.

Integrate into the DHT

(Sybil / Eclipse Attacks)

• The attacker joins the DHT with many nodes in order to keep copies of all the data those nodes are asked to store.

• This is estimated to cost around $860K/year in Amazon EC2 computation and networking costs.
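How shares land on the 20 closest Vuze nodes (Vuze Background above) and what a Sybil attacker who joins with a fraction of the nodes captures (this section), as an added example that is neither Vuze's nor Vanish's code. Assumptions: node IDs are SHA-1 of "ip:port", closeness is Kademlia's XOR metric, a value lives on the 20 closest nodes, the attacker's nodes receive ordinary random IDs, and the network and share indices are constructed with a seeded generator; build_network, shares_captured and vdo_capture_rate are hypothetical helper names. Republication (which spreads shares to more nodes over time) is ignored, so the numbers are for this simplified model and are not the paper's measurements on the live Vuze DHT.

```python
# Added example (not Vuze's or Vanish's code): Kademlia-style placement of key
# shares and a Sybil-capture estimate. Assumptions, labelled: node IDs are
# SHA-1("ip:port"); distance is XOR; a value is stored on the 20 closest nodes
# (Vuze's k = 20); the attacker's Sybil nodes get ordinary random IDs.
import hashlib
import random

K_REPLICAS = 20

def node_id(ip, port):
    """160-bit Kademlia ID derived from the node's IP and port (as in Vuze)."""
    return int.from_bytes(hashlib.sha1(f"{ip}:{port}".encode()).digest(), "big")

def closest_nodes(index, node_ids, k=K_REPLICAS):
    """The k nodes whose IDs are nearest to `index` under the XOR metric."""
    return sorted(node_ids, key=lambda nid: nid ^ index)[:k]

def build_network(num_nodes, attacker_fraction, rng):
    """Constructed network: returns (all node IDs, the subset the attacker controls)."""
    ids, attacker = [], set()
    for _ in range(num_nodes):
        ip = ".".join(str(rng.randrange(256)) for _ in range(4))
        nid = node_id(ip, rng.randrange(1024, 65536))
        ids.append(nid)
        if rng.random() < attacker_fraction:
            attacker.add(nid)
    return ids, attacker

def shares_captured(share_indices, all_ids, attacker_ids):
    """A share is captured if any of the k nodes that store it belongs to the attacker."""
    return sum(
        1 for idx in share_indices
        if any(h in attacker_ids for h in closest_nodes(idx, all_ids))
    )

def vdo_capture_rate(num_nodes, attacker_fraction, n_shares, m_threshold, trials, seed=0):
    """Fraction of VDOs whose key the attacker can rebuild (captured shares >= M)."""
    rng = random.Random(seed)
    all_ids, attacker = build_network(num_nodes, attacker_fraction, rng)
    stolen = 0
    for _ in range(trials):
        idxs = [rng.getrandbits(160) for _ in range(n_shares)]  # where L would point
        if shares_captured(idxs, all_ids, attacker) >= m_threshold:
            stolen += 1
    return stolen / trials

if __name__ == "__main__":
    for f in (0.0, 0.02, 0.05, 0.08, 0.15):
        print(f"attacker fraction {f:.2f}: VDOs captured "
              f"{vdo_capture_rate(1000, f, n_shares=50, m_threshold=45, trials=40):.2f}")
```

Two knobs matter: the replication factor k (an attacker captures a share if any one of its k holders is malicious, so larger k helps availability but hurts against Sybils) and the threshold M (raising M towards N forces the attacker to capture almost every share). The paper's choice of a high threshold ratio is what makes an 8% share of the DHT necessary for a modest capture rate.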

Conclusions

• This paper introduced a new approach for protecting data privacy from attackers who retroactively obtain, through legal or other means, a user’s stored data and private decryption keys.

Improvements

• Encrypt each share with RSA before sending it to the node (SafeVanish paper).

• An email provider that stores decrypted data at regular intervals.
