2.
Cloud computing provides numerous advantages.
But cloud computing is a security nightmare.
Don’t trust CSP (cloud service provider) security.
Confidentiality and integrity vs. usability.
What about a third-party confidentiality provider?
3. Combines data security with usability.
Trust splitting between the CSP and the CaaS.
Hides all cryptographic artifacts from users.
4. Create CaaS identity.
Register via user name and password.
Email-based identification and authentication (EBIA) is used.
The user must choose different passwords for his CaaS and cloud service accounts.
The user downloads and installs small software plug-ins.
The user enters the CaaS password once per session.
8. MAC based on hash functions.
HMAC(K, m) = H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ m))
9. Derives one or more secret keys from a secret value.
DK = KDF(Key, Salt, Iterations)
Prevents an attacker from learning either the input secret value or any of the other derived keys.
10.
Extract
Takes the input keying material (IKM) and extracts from it a fixed-length pseudorandom key (PRK).
PRK = HMAC-Hash(salt, IKM)
Expand
Expands the key PRK into several additional keys.
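As an added example (not code from the slides, the CaaS paper or any library the talk cites), the three primitives of slides 8, 9 and 10 written out in Python: HMAC built by hand from the ipad/opad formula, DK = KDF(Key, Salt, Iterations) instantiated with PBKDF2-HMAC-SHA256, and HKDF Extract/Expand as in RFC 5869, checked against that RFC's Test Case 1. The function names `hmac_manual`, `matches_stdlib`, `kdf_from_password`, `hkdf_extract`, `hkdf_expand` and `rfc5869_test_case_1` are mine.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)), built from scratch."""
    block_size = hashlib.new(hash_name).block_size      # 64 bytes for SHA-256
    if len(key) > block_size:                            # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")                 # pad with zeros to block size
    ipad = bytes(b ^ 0x36 for b in key)                  # inner padding 0x36..36
    opad = bytes(b ^ 0x5C for b in key)                  # outer padding 0x5c..5c
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check against the standard library, compared in constant time."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_manual(key, msg), expected)


def kdf_from_password(password: bytes, salt: bytes, iterations: int,
                      length: int = 32) -> bytes:
    """DK = KDF(Key, Salt, Iterations) from slide 9, here PBKDF2-HMAC-SHA256.
    The iteration count is the work factor against password guessing."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, length)


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); the salt is the HMAC key."""
    if not salt:                                         # empty salt -> HashLen zeros
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac_manual(salt, ikm, hash_name)


def hkdf_expand(prk: bytes, info: bytes, length: int,
                hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i),
    OKM = first `length` bytes of T(1) | T(2) | ..."""
    digest_size = hashlib.new(hash_name).digest_size
    if length > 255 * digest_size:
        raise ValueError("length exceeds 255 * HashLen")
    okm, t, counter = b"", b"", 1                        # T(0) is the empty string
    while len(okm) < length:
        t = hmac_manual(prk, t + info + bytes([counter]), hash_name)
        okm += t
        counter += 1
    return okm[:length]


def rfc5869_test_case_1():
    """Inputs of RFC 5869 Test Case 1 (SHA-256); returns (PRK, OKM) as hex."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return prk.hex(), okm.hex()


if __name__ == "__main__":
    prk, okm = rfc5869_test_case_1()
    print("PRK", prk)
    print("OKM", okm)
```

The salt/IKM argument order in `hkdf_extract` is the part people most often get wrong: the salt is the HMAC key and the keying material is the message, exactly as the slide's `PRK = HMAC-Hash(salt, IKM)` has it.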
11.
It takes a short secret key and produces a long keystream.
Encryption is performed by bitwise XORing the keystream to the plaintext.
Decryption is performed by regenerating the keystream and XORing it to the ciphertext.
Stream cipher with initialization vector:
Takes both the secret key and a public IV to produce the keystream.
12.
+cLayerLocalPre:
Choose a random initialization vector iv_u1.
Choose a random symmetric encryption key k_u1.
Calculate a keystream kstr_u1 = Sym_ustr(iv_u1, k_u1).
Encrypt clear_u1: enc_u1 = clear_u1 ⊕ kstr_u1.
Calculate the message digest dig_u1 = H_u(clear_u1).
Send the tuple (CredCaaS(u1), U, enc_u1) to the CaaS.
13.
+cLayerRemote:
Check if all u ∈ U are registered CaaS users.
Add u1 to U.
Sort the list of participating users.
For all users compute h_j = H_p(u_j + h_{j−1}) to obtain the iterative hash h_n of all participating users.
Calculate the secret key k_p = HKDF_p(h_n, X_p).
Choose a random initialisation vector iv_p.
Calculate a keystream kstr_p = Sym_pstr(iv_p, k_p).
Add a remote cLayer to the input: enc_p = enc_u1 ⊕ kstr_p.
Send the tuple (iv_p, enc_p) back to the requesting client.
16.
+cLayerRemotePost:
Add u2 to U.
Sort the list of participating users.
For all users compute h_j = H_p(u_j + h_{j−1}) to obtain the iterative hash h_n of all participating users.
Calculate the secret key k_p = HKDF_p(h_n, X_p).
Recalculate the keystream kstr_p = Sym_pstr(iv_p, k_p).
Decrypt enc_u2: dec_p = enc_u2 ⊕ kstr_p.
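As an added example (my own simulation, not the plug-in or server code of the CaaS project), the keyed, IV-based stream cipher of slide 11 and the two-layer protocol of slides 12, 13 and 16 run end to end in Python. Assumptions: `Sym_str(iv, k)` is stood in for by an HMAC-SHA256 counter-mode keystream, `H_p` and `H_u` are SHA-256, `h_0` is the empty string, and `HKDF_p` is RFC 5869 extract with `X_p` as salt followed by one expand block with a constructed info string. Slides 14, 15 and 17 are not in this transcript, so how `iv_u1`, `k_u1`, `U` and `iv_p` reach the recipient is not shown; `run_exchange` hands them over directly. All class and function names are mine.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256                      # stands in for H_u and H_p (assumption)


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for Sym_str(iv, k): HMAC-SHA256 in counter mode (assumption).
    The same (key, iv) pair always gives the same keystream, which is why a
    fresh random IV is chosen for every message under the same key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), HASH).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def iterative_hash(users) -> bytes:
    """h_j = H_p(u_j + h_{j-1}) over the sorted participant list, so h_n does
    not depend on which participant is sending or receiving."""
    h = b""                                # h_0 = empty string (assumption)
    for u in sorted(set(users)):
        h = HASH(u.encode() + h).digest()
    return h


def hkdf_p(h_n: bytes, x_p: bytes) -> bytes:
    """k_p = HKDF_p(h_n, X_p): extract with X_p as salt, one expand block."""
    prk = hmac.new(x_p, h_n, HASH).digest()
    return hmac.new(prk, b"caas-remote-layer" + b"\x01", HASH).digest()


class CaaS:
    """Constructed CaaS provider holding its secret X_p and the user registry."""

    def __init__(self, registered_users):
        self.x_p = os.urandom(32)
        self.registered = set(registered_users)

    def _remote_key(self, users):
        return hkdf_p(iterative_hash(users), self.x_p)

    def c_layer_remote(self, u1, users, enc_u1):
        """Slide 13: check registration, add u1 to U, derive k_p, add layer p."""
        if not set(users) <= self.registered:
            raise ValueError("all u in U must be registered CaaS users")
        k_p = self._remote_key(set(users) | {u1})
        iv_p = os.urandom(16)
        enc_p = xor(enc_u1, keystream(k_p, iv_p, len(enc_u1)))
        return iv_p, enc_p

    def c_layer_remote_post(self, u2, users, iv_p, enc_u2):
        """Slide 16: add u2 to U, recompute k_p and kstr_p, strip layer p."""
        k_p = self._remote_key(set(users) | {u2})
        return xor(enc_u2, keystream(k_p, iv_p, len(enc_u2)))


def c_layer_local_pre(clear_u1: bytes):
    """Slide 12: random iv_u1 and k_u1, local layer, digest of the cleartext."""
    iv_u1, k_u1 = os.urandom(16), os.urandom(32)
    enc_u1 = xor(clear_u1, keystream(k_u1, iv_u1, len(clear_u1)))
    dig_u1 = HASH(clear_u1).digest()
    return iv_u1, k_u1, enc_u1, dig_u1


def run_exchange(clear: bytes, sender="alice", recipients=("bob", "carol")):
    """One message from sender to every recipient; the CaaS only ever handles
    enc_u1 / enc_p, never k_u1. Returns {recipient: (cleartext, digest_ok)}."""
    caas = CaaS([sender, *recipients])
    iv_u1, k_u1, enc_u1, dig_u1 = c_layer_local_pre(clear)
    iv_p, enc_p = caas.c_layer_remote(sender, recipients, enc_u1)
    participants = [sender, *recipients]
    results = {}
    for u2 in recipients:
        others = [u for u in participants if u != u2]
        dec_p = caas.c_layer_remote_post(u2, others, iv_p, enc_p)
        dec_u2 = xor(dec_p, keystream(k_u1, iv_u1, len(dec_p)))  # strip local layer
        results[u2] = (dec_u2, hmac.compare_digest(HASH(dec_u2).digest(), dig_u1))
    return results


def wrong_recipient_set_fails(clear: bytes = b"hello") -> bool:
    """A user outside the participant set derives a different k_p and gets noise."""
    caas = CaaS(["alice", "bob", "mallory"])
    iv_u1, k_u1, enc_u1, _ = c_layer_local_pre(clear)
    iv_p, enc_p = caas.c_layer_remote("alice", ["bob"], enc_u1)
    dec_p = caas.c_layer_remote_post("mallory", ["alice"], iv_p, enc_p)
    return xor(dec_p, keystream(k_u1, iv_u1, len(dec_p))) != clear


if __name__ == "__main__":
    for user, (text, ok) in run_exchange(b"private note").items():
        print(user, text, ok)
```

The sorted iterative hash is what lets the CaaS recompute `k_p` in `cLayerRemotePost` without storing anything per message: the participant set alone, plus its secret `X_p`, determines the key, and a user who is not in that set derives a different key.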
18.
Sending a message:
Client-side JavaScript checks if all recipients have CaaS accounts.
If not, they will be highlighted.
The password needs to be entered once per session.
19.
Receiving a message:
When the user opens the Facebook page, the script recovers all encrypted messages.
The cleartext message is inserted into the Facebook message page and framed by a green border.
21.
S. Fahl, M. Harbach, T. Muders, and M. Smith. Confidentiality as a Service - Usable Security for the Cloud. In Proceedings of the IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 2012.
P. Sarkar. On Authenticated Encryption Using Stream Ciphers Supporting an Initialisation Vector.
http://en.wikipedia.org/wiki/Stream_cipher
http://en.wikipedia.org/wiki/Message_authentication_code
http://en.wikipedia.org/wiki/HMAC
http://en.wikipedia.org/wiki/Key_derivation_function
http://tools.ietf.org/html/rfc5869
Editor's Notes
(1) No upfront commitment in buying/leasing hardware. On-demand "just-in-time" provisioning. No upfront cost, pay-per-use: use only when you want, and pay only for what you use.
(2) Facebook, for example, leaked all their users’ private information to third-party applications over a time span of multiple years. In April 2011, it was reported that the design of the Dropbox authentication system was insecure and users could access files of others without authorisation.
(3) CSPs’ privacy efforts are usually limited to access control (AC) mechanisms that aim to exclude unauthorized users from accessing the protected data. Time after time, careless staff members or technical complexity cause accidental sharing of user data that actually should have been private. Furthermore, there are situations where CSPs themselves invade the privacy of their users.
EBIA (email-based identification and authentication) identifies and authenticates a user by sending a validation secret to the given email address. If the user is able to read the secret, a new CaaS credential set CredCaaS = (email, ids = [], password) is created.
http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf
http://en.wikipedia.org/wiki/HMAC
H is a cryptographic hash function,
K is a secret key padded to the right with extra zeros to the input block size of the hash function, or the hash of the original key if it's longer than that block size,
m is the message to be authenticated,
∥ denotes concatenation,
⊕ denotes exclusive or (XOR),
opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant),
and ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).
http://en.wikipedia.org/wiki/Key_derivation_function
KDF is the key derivation function, KEY is the original key or password, Salt is a random number which acts as cryptographic salt, and Iterations refers to the number of iterations of a sub-function. The derived key is used instead of the original key or password as the key to the system.
http://tools.ietf.org/html/rfc5869
Extract: takes the input keying material (IKM) and "extracts" from it a fixed-length pseudorandom key (PRK). PRK = HMAC-Hash(salt, IKM), where the salt is the HMAC key and the IKM is the message.
Expand: "expands" the key PRK into several additional pseudorandom keys (the output of the KDF).
T(0) = empty string (zero length)
T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
http://en.wikipedia.org/wiki/Stream_cipher
On Authenticated Encryption Using Stream Ciphers Supporting an Initialisation Vector: flexibility in usage arises from the fact that the same key can now be used with different messages; only the IV needs to be changed. Since there is no secrecy requirement on the IV, this is a much easier task to manage.
Run on the client side. CredCaaS(u1): user credentials. U: list of users.