Writing on Wind and Water*:
Storage Security in the Cloud
Ari Juels
Chief Scientist
RSA
Workshop on Cryptography and Security in the Cloud
Zurich, Switzerland
15 March 2011
© 2011 RSA Laboratories
*Catullus 70
The Cloud
Cryptographers’ view of the Cloud
evil-minded
cloud providers
Trojans
viruses
faulty
hardware
faulty
software
Cryptographers’ view of the Cloud
Auditors’ view of the Cloud
RSA Labs Research Program:
Remote Cloud Security Checkups
Do you have
security property
X?
Challenge
Response
A Cloud
Auditor /
Tenant
Idea: Restore transparency to Cloud to achieve
stronger security / compliance
without trusting Cloud itself
!
Cloud storage
Alice
MiniFile Inc.
Bangalore, India
Peer-to-peer
network
Bob
Liverpool, UK
One day, Alice’s
machine crashes,
so she contacts
MegArchive…
Other financially motivated
service degradation
• MegArchive moves Alice’s file to a slow disk
array
– File is there, but retrieval is unacceptably slow
• MegArchive uses cheap storage that degrades
over time
• MegArchive throws away a portion of Alice’s file
to save space
– Most users don’t retrieve their backup files anyway
Question: How can Alice be sure that she can retrieve
her file in its entirety?
Proofs of Retrievability
Property X =
The tenant’s files are intact
PORs: Proofs of Retrievability
• Alice would like to ensure that her file F is
retrievable
– She may also want to ensure compliance with
a Service-Level Agreement (SLA)
• The simple approach: Alice periodically
downloads F
• This is resource-intensive!
• What about spot-checking instead?
Spot checking: Preparation
Archive
f1
f2
F
Alice
f3
Spot checking: Verification
Archive
~
f2
~
~
f1
~
f3
F
Alice
?
=
f1
f2
f3
Spot checking: Verification
Archive
~
f2
~
~
f1
X
~
f3
F
Alice
f1
f2
f3
Spot checking
Archive
~
f2
~
~
f1
~
f3
F
Pros:
• Alice needn’t
download all of F
• Can detect large
erasure / corruption
Cons:
• Alice must store
chunks of F
• Can’t detect small
erasure / corruption
Alice
f1
f2
f3
Message Authentication Code (MAC)
refinement: Preparation
Archive
f2
f1
F
c2
f3
MACk[f1]
c1
Alice
k
c3
MAC refinement: Preparation
Archive
f2
f1
F
c2
f3
MACk[f1]
c1
Alice
k
c3
MAC refinement: Preparation
Archive
f2
f1
F
Alice
k
f3
c1 c2 c 3
MAC refinement: Verification
Archive
f2
~
f1
f3
c1 c2 c 3
F
Pros:
• Alice needn’t store
any of F
• Can detect large
erasure / corruption
Alice
Cons:
k
• Can’t detect small
erasure / corruption
Error correcting code
Archive
F*
parity bits
decoder
F
• With ECC to encode F → F*,
big error in F* needed to induce any error in F
• In effect, we can amplify errors in stored file
ECC + MAC
Archive
f2
f1
f3
f4
parity bits
c1 c2 c3 c4
*
F
Pros:
Alice
k
• Alice needn’t store any
of F—only key k
• Alice can detect any
corruption in F w.h.p.
(= large corruption in F*)
PORs: The business plan
• Where is quick detection of file loss helpful?
• Backup!
• Idea:
– Use PORs to verify backed up files
– In case of failure, change providers or restore from
primary copy
• Another application: Quality of storage in backup
– E.g., are my files on disk or on tapes conveyed by mule
from a mountain bunker?
Where PORs blow up
challenge
response
Server
Alice
challenge
response
F*
challenge
X
response
E.g., T-Mobile
What’s Alice to do???
RAID
(Redundant Array of Inexpensive Disks)
File block
F
F1
File block
F2
File block
F3
Parity block
F1  F2  F3
The Cloud isn’t necessarily so nice
X
F
Provider A
Provider B
F1
F
X
2
Provider C
F3
Provider D
X
F1  F2  F3
• What if service providers lose data but… don’t tell you
until it’s too late?
HAIL:
A High-Availability and Integrity Layer for
Cloud Storage
Property X =
The tenant’s files can survive
service-provider failures
Mobile adversary
• A mobile adversary moves from device to
device, corrupting as it goes—potentially silently
• Mobile adversary models, e.g., system failures /
corruptions over time, virus propagation
• RAID isn’t designed for this kind of adversary
– Designed for limited, readily detectable failures in
devices you own—the benign case
Mobile adversary
• In cryptography, usual approach to mobile
adversary is proactive
Mobile adversary
• In cryptography, usual approach to mobile
adversary is proactive
• Another, cheaper possibility is reactive:
We detect and remediate
– Like whack-a-mole!
• PORs can provide detection here…
Applying PORs
F
Data
Parity
Applying PORs
F
Applying PORs
Alice
POR
HAIL:
High Availability and Integrity Layer
• RAID-type redundancy allows us to tolerate t provider failures
• POR bounds number of failures at t thanks to “whack-a-mole”
• Other optimizations: Use crypto tricks / row redundancy to get
MACs “for free.”
HAIL: Putting it all together
• HAIL offers an abstraction of high-integrity file
system
• Robust to Byzantine, mobile adversary
• Modest storage / server overhead, thanks to “free
MACs”
• Minimal-bandwidth checking, thanks to POR
techniques, e.g., aggregation
HAIL: The business plan
• RAID led to a new business model
– Shift from monolithic, high-performance drive to cheaper
drives with redundancy
– EMC vs. IBM
• HAIL: New model in the Cloud?
– Fuse together cheap cloud providers to provide highquality abstraction
– E.g., Memopal offers $0.02 / GB / Month storage on a
5-year contract vs. Amazon at $0.15 / GB / Month
– ??? vs. Amazon, Atmos, Azure, etc.?
Another challenge:
The physical layer
• Amazon claims to store three distinct copies
of my file for resilience. Can they prove it?
– POR won’t do the trick, nor will downloading!
Alice
F
F
F
F
F
F
F
F
or
?
Virtualization is a complication
Erasure coding across disks…
Disk 1
Disk 2
Disk 3
Disk 4
Disk 5
My file can survive two disk crashes!
Virtualization is a complication
Erasure coding across disks…
Virtual
Disk 1
Virtual
Disk 2
Virtual
Disk 3
Virtual
Disk 4
Virtual
Disk 5
X
file can
two destroy
disk crashes!
AMy
single
disksurvive
crash can
my file!
How to Tell if Your Cloud Files
Are Vulnerable to Drive Crashes
Property X =
The tenant’s files can survive
drive crashes
Our goal:
Prove disk-crash resilience
Disk 1
Disk 2
Disk 3
Disk 4
Disk 5
Claim: File can survive two disk crashes!
The Challenge: How can a cloud provider
prove that certain bits sit on certain disks?
The Pizza Oven Protocol
“Six pizzas!”
Eeta Pizza Pi
Cheapskate Pizza
The Pizza Oven Protocol
“Six pizzas!”
X
Eeta Pizza Pi
X
Cheapskate Pizza
The Pizza Oven Protocol
Eeta Pizza Pi
Cheapskate Pizza
Cheapskate now claims it can survive an oven failure!
How can Eeta Pizza Pi verify without visiting???
The Pizza Oven Protocol
T0
“Six pizzas!”
T1
T1 – T0 = 45 mins?
Eeta Pizza Pi
Cheapskate Pizza
Suppose that:
•A pizza oven bakes one pizza at a time, and takes 10 minutes
•The Cheapskate truck takes 15 minutes to deliver to Eeta Pizza Pi
Remote Cloud Security Checkups
Do you have
security property
X?
Challenge
Response
A Cloud
Auditor /
Tenant
X=
1.Tenant’s files are intact (POR)
2.Tenant’s files can survive service-provider failures (HAIL)
3.Tenant’s files can survive drive crashes
To Learn More
• A. Juels and B. Kaliski. Proof of Retrievability (PORs) for Large Files.
ACM CCS ‘07.
• K. D. Bowers, A Juels, and A. Oprea: HAIL: a high-availability and
integrity layer for cloud storage. ACM CCS ‘09.
• Kevin Bowers, Ari Juels, and Alina Oprea. Proofs of Retrievability:
Theory and Implementation. CCSW ‘09.
• K. Bowers, M. van Dijk, A. Juels, A. Oprea, and R. Rivest. How to Tell if
Your Cloud Files Are Vulnerable to Drive Crashes. In submission. 2011.
(Available on ePrint.)
• Y. Zhang, A. Juels, A. Oprea, and M. Reiter. HomeAlone: Co-Residency
Detection in the Cloud via Side-Channel Analysis. IEEE S&P. 2011. To
appear. Property X = “Are my virtual machines physically isolated?”