Roxana Geambasu, Tadayoshi Kohno, Amit A. Levy, and Henry M. Levy,
USENIX Security Symposium (Usenix), 2009.
Presentation by
Sruthi Chiluka










Introduction
Example scenario
Goals
Other candidate Approaches
Vanish Implementation
DHT Implementation
Types of DHT
Vanish application
Conclusion
University of Central Florida

 What is Vanish? - Vanish is a self destructing system which is broadly applicable in today's Web-centered world.
 Where user's sensitive data can persist in the cloud even after the user account termination with the help of self destructing framework users can regain control over their confidential data such as (e-mails, facebook messages or any web contents created or posted).
University of Central Florida

 Vanish protects the privacy of past, archived data- such as copies of emails maintained by email provider against all kinds of legal, malicious and accidental attacks.
 All the copies of data including the pristine copy becomes obliterate after a specific amount of duration, without any user's involvement to perform any action or any third party association to perform the deletion.
University of Central Florida

How can Alice be sure that sensitive data sent over electronic mail system is secure?
Services may retain data for long after user tries to delete
University of Central Florida

ISP
 It is possible to retrieve archived data months/years later.
 Emails are frequently cached or archived by the email provider on their local back up systems, ISP’s etc.
 Therefore there is a chance of risk exposure in future to unintended parties.
University of Central Florida

 Destruction after Time out.
 Accessible until Time out.
 Leverage existing Infrastructures.
 No secure hardware
 No Privacy risks
University of Central Florida

Most obvious approach is to do manual deleting by installing CRON job.
Protection using PGP does not work against adversaries.
Forward secrecy encryption can be violated by caching, backup archives or court orders.
University of Central Florida

Emphemeizer solution - Untrustworthy Centralized
Third party Services
University of Central Florida

ISP
File/document is destroyed after specific time out period making all copies of data unreadable including the pristine copy.
University of Central Florida

 It encapsulates user’s data and prevents its content from storing at intermediate hops and becoming source of retroactive attacks.
 It will become unreadable even if connectivity is removed from storage site.
 While user encapsulates data in
VDO he/she would be knowing the approximate time period to be set to the VDO.
University of Central Florida

 Vanish is used to leverage existing, decentralized, large scale Distribution Hash Tables.
 Encrypt the data with a key and store the key in a highchurn globally-distributed DHT system
 Once it reaches the timeout value, the key would be erased from the DHT and forever lost. The data will not be readable without the key
University of Central Florida

 Distributed hash table works on peer to peer network(P2P is a decentralized and distributed network) that provides look up service similar to hash table.
 Each node in the network is associated with an index or node ID
 Using Hashing a node can find out index corresponding to the specific content
 Numerous DHT’s exist in the Internet like Vuze, Mainline and KAD.
University of Central Florida

Key
John
Smith
Hash Function buckets
00
01
02
.
.
03
.
13
14
15
521-9876
University of Central Florida

 Vanish takes data content D and encapsulates it into a VDO V.
 It encrypts D with a random key K and produces cipher text C
 It then splits the key into N shares suppose K1,k2....kn.
 After computing the shares it picks up random access key L as seed of random generator to generated the
Indices I1,I2...In
 Final VDO comprises of (L,C,N threshold)
University of Central Florida





Open to be joined by any users
Millions plus nodes, geographical distributed through the
High churn, user leaving and entering within the network
Fixed 8 hours timeout


Restricted membership
Variable time out up to 1 week
University of Central Florida

 The DHT nodes churn or internally cleanse themselves, thereby rendering the protected data unavailable over time.
 It would be difficult to determine retroactively which nodes where responsible for storing a given piece of data in past.
 Keyloses make all data copies permanently unreadable.
University of Central Florida

Time out time
Upload data
Copies
Archived
University of Central Florida





Firefox plug-in (Included in release of Vanish)
Thunderbird plug-in (Developed by the community two weeks after release )
Self-destructing files
Self-destructing trash-bin
University of Central Florida

University of Central Florida

 An attacker might try to obtain the copy of VDO and revoke its privacy prior to its expiration.

Further decapsulate VDO’s using further traditional encryption schemes like
PGP,GPG which are supported by fire vanish application.
 By the time user is forced to furnish PGP private keys VDO is expired.
University of Central Florida

Measurements use an Intel T2500
DUO with 2GBRAM,Java 1.6 and broadband network.
Single Vuze DHT took 4 minutes to store 50 shares by employing several vuze operations time could be lowered to 32 seconds for 50 shares
The graph shows getting DHT shares are relatively fast when compared to storing VDO’s
University of Central Florida


Disadvantages of Vanish
Fixed time out challenges in Vuze based DHT.
 For much larger data sizes encryption/decryption becomes complicated.
 No defense provided against certain attacks like denial of service which would prevent reading data for life time.
University of Central Florida

University of Central Florida