secure metering
DESCRIPTION
Secure Metering. Peng Wang. Outline. Introduction An Auditable Metering Scheme for Web Advertisement Applications, ISC 01, Liqun Chen and Wenbo Mao Secure and efficient Metering, Eurocrypt’98, by Naor and Pinkas - PowerPoint PPT PresentationTRANSCRIPT
Secure Metering
Peng Wang
Outline Introduction
1. An Auditable Metering Scheme for Web Advertisement Applications, ISC 01, Liqun Chen and Wenbo Mao
2. Secure and efficient Metering, Eurocrypt’98, by Naor and Pinkas
3. Third party certification of HTTP service access statistics, International Workshop on Security Protocols 99, F. Bergadano and P. De Mauro
4. SAWM: a tool for secure and authenticated web metering, SEKE’02, by Blundo and Cimato
Discussion
Introduction Metering schemes count (approximately) the number of
clients who visited a website Measure the popularity of website E.g. in order to decide on advertisement fees.
Secure against servers inflate the number of visits Secure against clients disrupt the metering process
Some schemes
Players
Web server
Clients
Request
Web page
setupsetup
Audit agency
proof
Request, page, evidence, etc.
1. Setup2. Evidence3. Proof
97
98
99
00
01
02
03
04
Timing function approachPolynomial approachTamper resistant hardware approachHash chain approach
97
98
99
00
01
02
03
04
Timing function approach
Auditable Metering with Lightweight Security, M. K. Franklin and D. Malkhi, Financial Crypto 97.
Use timing function to monitor the duration of browsing. Lightweight security that makes a large number of artificial visits very
costly.
An Auditable Metering Scheme for Web Advertisement Applications, Liqun Chen and Wenbo Mao, ISC 01
More details later.
97
98
99
00
01
02
03
04
Polynomial approach
Secure accounting and auditing on the Web, Moni Naor and Benny Pinkas, 7th international conference on World Wide Web
Secure and Efficient Metering, Moni Naor and Benny Pinkas, Eurocrypt '98
More details later.
97
98
99
00
01
02
03
04
Polynomial approach
Provably Secure Metering Scheme, Wakaha Ogata and Kaoru Kurosawa, ASIACRYPT '00 An attack on Noar and Pinkas paper, and the fix
Carlo Blundo and Annalisa De Bonis and Barbara Masucci and Douglas R. Stinson Metering Schemes with Pricing Dynamic Multi-threshold Metering Schemes A note on optimal metering schemes Bounds and constructions for metering schemes Metering Schemes for General Access Structures Efficient Metering Schemes With Pricing An information theoretic approach to metering schemes
97
98
99
00
01
02
03
04
Tamper resistant hardware approach
Third party certification of HTTP service access statistics, F. Bergadano and P. De Mauro, International Workshop on Security Protocols, 98
More details later.
97
98
99
00
01
02
03
04
Hash chain approach
SAWM: a tool for secure and authenticated web metering, Carlo Blundo and Stelvio Cimato, SEKE '02 More details later.
A Software Infrastructure for Authenticated Web Metering, Carlo Blundo and Stelvio Cimato, IEEE Computer
97
98
99
00
01
02
03
04
Lightweight security, timing function approachPolynomial approachTemper resistant hardware approachHash chain approach
An Auditable Metering Scheme Use timing function to monitor the duration of browsing a
web page that contains a ad bar. Lightweight security that makes a large number of
artificial visits very costly.
Setup: The audit agency generates e, n = qp, and sends (e,n) to
the website. Regular operation:
A web server sends the required web page with the ad bar, a timing function code and parameters (n, x, e) to clients upon requests.
x must be fresh The client’s browser displays the web page and runs the
timing function.
An Auditable Metering Scheme
The auditing algo takes 3 mod exponentiations.
When the client leaves the page, the code sends (t, a, x, e, n) to the server.
Server send (t, a, x, e, n) to the audit agency who runs:
+s & -s+ No client registration & modification+ Audit agency can be offline+ Can measure duration of visiting
- Light weight security- High verification overhead
- must verify each individual evidence
Some Server overhead
Secure and efficient Metering Based on Shamir’s polynomial secret sharing scheme Measure whether a server receives k visits in a certain
time frame Four schemes:
The basic scheme, A robust version, One that allows clients anonymity, One that allows unlimited use.
The basic scheme Initialization : (before any time frame)
A: generates a bivariate polynomial P(x, y) over Zp Degree k-1in x, and degree d-1 in y k: the expected number of visits d: the number of time frames The polynomial can be used < d time frames
A C: P(C, y)
The basic scheme cont
Regular operations: (when C visits S in the time frame t) C S: P(C, S || t) Assume that no two pairs (S || t) and (S’ || t’) are mapped to
the same element of Zp.
Proof generation: (after time frame t) If S has k different visitors in time frame t, it has k value:
{P(Ci, S || t)i=1…k}. S performs a Lagrange interpolation and computes the
proof: P(0, S || t)
S sends the proof to A who then verifies the proof.
+s & -s+ strong+ low verification overhead+ Audit agency can be offline
- Clients must register
Some server overhead
Third party certification of HTTP service access statistics
Setup: the website obtains a tamper-proof box from the audit agency and connects the box to a web server.
Regular operation: The web server inputs every client request to the box. The box generates random bits
The probability of 1 must be low to reduce overhead. If 0, the web server serves the client request normally. If 1,
1. the box Mac the request. 2. the web server redirects the request to the audit agency3. the audit agency verifies the request. 4. It redirects the request back to the web server who serves the
request. the web server log the operations
Verification: the web server submits the log to the audit agency who verifies the log file.
+s & -s+ No client registration & modification
- Require special hardware- Audit agency must be online- Server overhead & delay
Secure?
SAWM The authors did many work on polynomial based metering
schemes This paper describes a hash chain based solution Initialization:
For each client C, A generates a random value w and computes Hk(w)
A C: k, w A S: C, Hk(w)
C builds the hash chain: H(w)… Hk(w) S stores C, Hk(w) and sets a counter Lc to 0.
SAWM cont
Regular operations: C has the hash chain: H(w), H2(w) , … Hk-1(w), Hk(w) C S: Hk-j(w) for j-th visit S verifies and stores it, then increases the counter Lc
Proof generation and verification: SA: [C, Hk-Lc(w), Lc] for each client A has w and can verify.
+s & -s+ Low server overhead+ Audit agency can be offline
- Clients must register- High verification overhead
- must verify each individual evidence
Some Server overhead
No client registration & modification
Strong No online Agency
Can measure duration
Low server overhead
Low verification overhead
Timing function
Polynomial
Tamper proof hardware
Hash chain
Comparison
Discussion How to use metering schemes measure the
number of client visited an out-sourced service?
Secure Outsourcing
Yongdae Kim
Outsourcing Outsourcing is popular and will be much more popular
Examples ISP, SSP, DBSP Intrusion Detection Web service, Grid computing P2P…
Any outsourcing is involved with Service Level Agreement (SLA) Current SLA is vague, so that the service provider can fight
in case of dispute Otherwise, most outsourcing cases are based on trust
Outsourcing Primitives Counting
WS.com promised to provide web access to at least 10,000 users in 10 minute interval
Bandwidth Streaming.com promised to provide streaming service with
at least 100Kbps for any client of cnn.com Connection Computation Down-time Storage Database Intrusion detection
If your domain is shut down by the worm, secure.com will pay all cost associated with the worm to insecure.com.
Hybrid
Trustworthy Outsourcing Previous work focuses on mostly web counting
Research Theme Framework to develop a trustworthiness between a client
(service providee) and a server (service provider) in outsourcing
Simplification of dispute resolution
Trustworthy Outsourcing: Topics Extending web counting to more diverse primitives (as
outlined in previous slides) Fairness
A client can prove to a third party (or public) that the service was not provided, when it was not.
A server can prove to a third party (or public) that the service was provided, when it was.
How can we relax the assumption on participants? Auditing Agent? Client authentication required?
Fair P2P (file sharing) system
Supplemental
Robustness If clients send incorrect evidence, then the server cannot
compute the proof. The server must verify the evidence.
Given v=au+b, if S has (a, b), S can verify (v, u)
Initialization: A: Generates random polynomial P(x, y), A(x, y), and B(y).
Computes V(x, y) = A(x, y)*P(x, y) + B(y) A C: V(C, y) and P(C, y) A S: A(x, S || ti ) and B(S || ti ), i = 1…# of time frames
Robustness cont
Regular operations: C S: V(C, S || t) and P (C, S || t) S verifies if V = AP +B at the point (C, S || t)
Proof generation: S uses the k value {P(Ci, S || t)i=1…k} only to perform a
Lagrange interpolation and computes the proof: P(0, S || t)
S sends the proof to A who then verifies the proof.
Anonymity Sounds counterintuitive, but: Initialization: (based on basic scheme)
A: Generates random polynomial P(x, y), Qc(y) A C: P(Qc(y), y) and P(C, y)
Regular operations: C S: Qc(S || t) and P (Qc(S || t), S || t)
Proof generation: S performs a Lagrange interpolation and computes the proof:
P(0, S || t) S sends the proof to A who then verifies the proof.
A scheme for unlimited use g is a generator of a subgroup of Zp*, with order q Initialization:
A: Generates random polynomial P(x) of degree k-1 over Zq A C: P(C) and A’s signature of gP(C)
At the beginning of time frame t: A S: a challenge gr
Regular operations: S C: gr C S: A’s signature of gP(C), grp(c) , and a proof of the discrete log of
gP(C) to the base g and the discrete log of grP(C) to the base gr are the same.
Proof generation: SA: grp(0)