1

Confidentiality as a Service –Usable Security for the Cloud

2

Introduction Cloud computing provides numerous advantages.

But cloud computing is a security nightmare.

Don’t trust CSP (Cloud service provider) security.

Confidentiality and integrity vs. usability.

What about Confidentiality provider third party?

3

Confidentiality As A Service (CAAS). Combines data security with usability.

Trust splitting between CSP and CAAS. Hides all cryptographic artifacts from users.

4

User perspective in CAAS model: Create CAAS Identity .

Register via user name and password. Email-based identification and authentication

(EBIA) is used. The user must choose different passwords for

his CaaS and cloud service accounts.

User downloads and installs small software plug-ins.

User enters the CaaS password once per session.

5

Algorithm perspective in CAAS model

6

Prerequisite knowledge: MAC and HMAC. KDF and HKDF. Stream cipher.

7

Message authentication code (MAC)

8

Hash-based message authentication code (HMAC)

HMAC (K,m) = H ((K ⊕ opad) ∥ H ((K ⊕ ipad) ∥ m))

MAC based on hash functions .

9

key derivation function (KDF)  Derives one or more secret keys from a

secret value.

Prevents attacker to know either the input secret value or any of the other derived keys.

DK = KDF( Key, Salt, Iterations)

10

HMAC-based key derivation function (HKDF)

ExtractTakes the input keying material(IKM) and extracts

from it a fixed-length key (PRK).

ExpandExpands the key PRK into several additional keys .

PRK = HMAC-Hash(salt, IKM)

11

Stream cipher

It takes a short secret key and produces a long keystream.

Encryption is performed by bitwise XORing the keystream to the plain text.

Decryption is performed by regenerating the keystream and XORing it to the ciphertext.

Stream cipher with initialization vector: Take both secret key and public IV to produce

keystream.

12

Pre-Push Sequence:

+cLayerLocalPre: Choose a random initialization vector IVu1. Choose a random symmetric encryption key ku1. Calculate a keystream kstru1 = Symustr(ivu1, ku1 ). Encrypt clearu1 : encu1 = clearu1⊕ kstru1 . Calculate the message digest digu1 = Hu(clearu1 ). Send the tuple CredCaaS(u1), U, encu1 to the

CaaS.

13

Pre-Push Sequence Cont…

+cLayerRemote : Check if all u ∈ U are registered CaaS users. Add u1 to U. Sort the list of participating users. For all users compute hj = Hp(uj +hj−1)

to obtain iterative hash hn of all participating users. Calculate the secret key kp = HKDFp(hn,Xp). Choose a random initialisation vector ivp

Calculate a key stream kstrp = Symp str(ivp, kp) Add a remote cLayer to the input: encp = encu1⊕ kstrp. Send the tuple ivp, Encp back to the requesting client.

14

Pre-Push Sequence Cont…

-cLayerLocalPre: Decrypt encp: rts = encp ⊕ kstru1. Send rts, ivp, digu to the CSP

15

Post-Pull Sequence:

+cLayerLocalPost: Works as +cLayerLocalPre.

16

Post-Pull Sequence Cont…

+cLayerRemotePost: Add u2 to U. Sort the list of participating users. For all users compute hj = Hp(uj +hj−1)

to obtain iterative hash hn of all participating users.

Calculate the secret key kp = HKDFp(hn,Xp). Recalculate a key stream kstrp = Symp str(ivp, kp) Decrypt encu2 : decp = encu2⊕ kstrp

17

Post-Pull Sequence Cont…

-cLayerLocalPost: Decrypt cipher text using ivu2 , ku2. Calculate the result’s digest using Hu. If the digest is equal to digu1 integrity isn’t

violated.

18

Integration with facebook:

Sending a message:

Client-side Javascript checks if all recipients have CaaS accounts.

If not they will be highlighted. Password needs to be entered once per session.

19

Integration with facebook Cont…

Receiving a message: When the user opens the Facebook page, the

script recovers all encrypted message. The clear text message is inserted into the

Facebook message page and framed by a green border.

20

Evaluation:

21

References: S. Fahl, M. Harbach, T. Muders, and M. Smith.Condentiality as a Service -

Usable Security for the Cloud. In Proceedings of the IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 2012.

P. Sarkar , On Authenticated Encryption Using Stream Ciphers Supporting an Initialisation Vector.

http://en.wikipedia.org/wiki/Stream_cipher http://en.wikipedia.org/wiki/Message_authentication_code http://en.wikipedia.org/wiki/HMAC http://en.wikipedia.org/wiki/Key_derivation_function http://tools.ietf.org/html/rfc5869