Cloud Security, For Real This Time (CloudDevelop 2014)

Cloud Security, For Real This Time: Homomorphic Encryption and the Future of Data Privacy (CloudDevelop 2014)

Craig Stuntz

October 17, 2014

Transcript

  1. Cloud Security, for Real This Time: Homomorphic Encryption and the Future of Data Privacy
    Need to get a sense of experience in audience.
    Define HE? (Explain how it works? Implemented?)
    Will explain 1) Def 2) Why important 3) Implementation details 4) Real world.

  2. Slides
    https://speakerdeck.com/craigstuntz

  3. TLS Changed the Internet
    Remember?
    Define SSL/TLS? Changed everything.

  4. Browser -> Server -> Application (diagram)
    TLS: Safe (mostly!), but must decrypt to do business
    TLS gives you 1) Some assurance you’re connecting to the right server, 2) some protection from MITM
    Good enough for shopping?

  5. What if it’s stolen?
    The card isn’t the end of the world.
    Your PII?
    Snowden?

  6. My New Business
    Ask for income, SSNs of your children, what you spend on health care, bank account passwords, etc.,
    give you pretty charts.

  8. Threat Model

  9. Advanced Persistent Threats?
    Asking for PII. Have to consider threat model.

  10. Criminals?
    However… (click)

  11. Idiots?
    Most dangerous?

  12. Uh Oh.
    Is it even possible to build this kind of business? Home Depot did a lot wrong, sure, but banks who ran
    pretty clean shops have also suffered major data exfiltration. Need a way out.

  13. Symmetry
    Consumer: Protect PII; Zero Install
    Cloud Service Provider: Nothing to Steal; Frequent Site Visits
    Look at what customer wants, you want.
    Note symmetry
    Symmetry in software = Opportunity!

  14. What if?
    How can I prepare your taxes without asking for the data, at least not in readable form?
    You could encrypt and not give me the key, but then how do I perform useful computations?

  18. Homomorphic Encryption In a Nutshell
    (Diagram: the Client holds Data Plaintext and Result Plaintext; the Server performs the Computation; only Data Cyphertext and Result Cyphertext cross between them.)
    Define plaintext, cyphertext, computation. (hand waving)
    Secure! No key exchange! Keys stay on client
    Cyphertext should be indistinguishable from random bits
    Considered maybe impossible for a long time. Changed in 2009. How?
    Stop me now if terms don’t make sense.

  19. Rot-13!
    How can this possibly work?
    Warm up

  20. Awesoma Powa!
    Plaintext top row. Cyphertext middle. Note symmetries
    Homomorphic operation doesn’t have to be the same as corresponding non-homomorphic operation,
    but in this case it is. We’ll look at stronger choices later, but first…

  21. Let’s launch a startup!
    concatenatr!
    Join us!
    New business: Cloud-based, privacy preserving concatenation of strings.
    Get the VC $$$$, foosball table…
    But there’s a problem with this idea.
    Why won’t this work? You’ll never guess…

  22. (Using Goldwasser and Micali’s algorithm developed 20 years earlier)
    Stupidly enough, it’s patented (by SAP). Cryptographers have been working on HE for a long
    time. Goldwasser and Micali won the Turing award, but for semantic security, not HE. Chose concat
    example as simple/joke, found the patent later. Security industry may or may not have noticed HE,
    but patent lawyers have!

  23. Unpadded RSA
    Back to drawing board. Need a different algorithm.
    NB: Unpadded RSA is insecure! Simple, but insecure. Cryptosystem security is an end to end pipeline,
    not a single algorithm.
    Feel free to ignore the algebra, point is

  26. Pivot!
    multiplir!
    We make products
    Awesome!
    Now add. Uhhh….
    Cloud-based, privacy preserving multiplication.
    Get the VC $$$, front page of Hacker News, then… Click
    Click. Can we do better? What do we really need?

  32. Fully Homomorphic Encryption
    • Multiply
    • Add, subtract, exponents, etc.
    • Doesn’t have to be (quite) Turing complete
    • Conditional branching and loops, of a sort
    • Cannot perform conditional jumps based on (encrypted) user input
    What are the operations I really need?
    Must be able to write any program, but not necessarily execute arbitrary programs. Customer and
    service provider agree on service in advance.
    What operations give me all of the above?
    (Cannot perform conditional…) => Branch prediction won’t work!

  34. Functional Completeness and Universal Gates
    • NAND
    • NOR
    • AND and NOT
    • XOR and AND
    Need a new kind of computer. Want to compute anything, not just *!
    Let’s start from the basics. Logic gates! If we have homomorphic logic gates we can do what we need.
    Homomorphic * insufficient. Homomorphic NAND would be OK. What gates do I need to perform any
    computation? Define NOR.
    NOR via NANDs. De Morgan’s Laws. What does any of this mean?

  35. Addition, Multiplication Over GF(2)
        + | 0 1          * | 0 1
        --+-----         --+-----
        0 | 0 1          0 | 0 0
        1 | 1 0          1 | 0 1
    Adding + multiplying a bit very simple. So are computers. Need building blocks which can work
    homomorphically but be built into anything we need.
    Start with bits. + looks like XOR. * looks like AND.
    Can grow from there.

  37. > def choose(first, second, choose_first):
    ..     return first if choose_first else second
    ..
    > choose(True, False, True)
    => True
    > choose(True, False, False)
    => False
    (Circuit diagram with inputs first, choose_first, second.)
    Branching hard, but: Here’s a program I wrote. Normal computers eval condition, execute selected
    path.
    …so if I have a homomorphic and, or, and not… or just nand, now I can write logic. Branching becomes
    a truth table.
    click. As a circuit. Circuits easy.
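As an added example (not from the deck), the GF(2) tables above turned into code: the deck's `choose` rebuilt as a circuit from + and * alone, NOR built from nothing but NAND as the De Morgan note suggests, and the same selector applied to multi-bit words. Gate and helper names are my own.

```python
from itertools import product

# GF(2) arithmetic exactly as in the two tables on the slide: + is XOR, * is AND.
# Everything below is built from these two operations alone, which is all a
# scheme with homomorphic + and * on bits lets the server do.
def add(a, b):
    return (a + b) % 2

def mul(a, b):
    return (a * b) % 2

def NOT(a):
    return add(a, 1)                  # a + 1

def AND(a, b):
    return mul(a, b)

def OR(a, b):
    return add(add(a, b), mul(a, b))  # a + b + ab

def NAND(a, b):
    return NOT(AND(a, b))

def NOR(a, b):
    return NOT(OR(a, b))

def nor_via_nand(a, b):
    # De Morgan: NOT(a OR b) = (NOT a) AND (NOT b), using only NAND gates
    not_a, not_b = NAND(a, a), NAND(b, b)
    a_or_b = NAND(not_a, not_b)
    return NAND(a_or_b, a_or_b)

def choose(first, second, choose_first):
    # The deck's `choose` as a circuit (a 2:1 multiplexer): both branches are
    # always evaluated and the selector bit picks one arithmetically, so there
    # is no data-dependent jump for the server to take.
    c = choose_first
    return add(mul(c, first), mul(NOT(c), second))

def choose_word(first, second, choose_first):
    """The same mux applied bit-by-bit to equal-length words (LSB first)."""
    return [choose(f, s, choose_first) for f, s in zip(first, second)]

def to_bits(n, width):
    return [(n >> i) & 1 for i in range(width)]

def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))

def truth_table(gate, arity):
    """A branch becomes a table: the gate evaluated on every possible input."""
    return {bits: gate(*bits) for bits in product((0, 1), repeat=arity)}

def branch_matches_mux():
    """Check the circuit against the deck's Python conditional on all 8 inputs."""
    return all(choose(f, s, c) == (f if c else s)
               for f, s, c in product((0, 1), repeat=3))
```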

  39. > def my_factorial(n):
    ..     result = 1
    ..     while n > 1:
    ..         result *= n
    ..         n -= 1
    ..     return result
    > def my_factorial_less_than_20(n):
    ..     result = 1
    ..     for i in range(2, 20):
    ..         result *= 1 if i > n else i
    ..     return result
    > my_factorial_less_than_20(4)
    => 24
    > my_factorial_less_than_20(100)
    => 121645100408832000L
    > my_factorial_less_than_20(1000)
    => 121645100408832000L
    Here’s another program I wrote. Explain factorial.
    Click. Here’s a really strange version. Why? Note n
    Program has interesting properties. Bounded loops are decidable! Security vs. efficiency.

  40. !
    Fast!
    Turing Complete*
    Strong Encryption
    Practical Homomorphic
    Encryption
    Would be awesome, but where could I find such a thing?

  41. There’s one on GitHub.
    But how?

  42. Craig Gentry
    IBM Research
    Thesis.
    Refined by himself and others.

  43. (Diagram: Input Data Cyphertext -> Add (Lossless) -> Multiply (Lossy) -> Bootstrappable Reencryption -> Multiply (Lossy) -> Result Cyphertext)
    Found strong encryption scheme with homomorphic + and lossy homomorphic *.
    Too many *s and can’t decrypt.
    We will look at bootstrapping in more detail on next slide
    Explain lossy multiplication here.
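As an added example, not from the deck and not Gentry's scheme itself: a toy integer scheme in the style of the van Dijk, Gentry, Halevi and Vaikuntanathan "somewhat homomorphic" construction, with a tracked noise bound, to show why + is lossless, why * is lossy, and how "too many *s" leave a ciphertext that can no longer be decrypted. The modulus, noise size and the `refresh` helper are constructed for illustration; the parameters are not secure.

```python
import random

# Toy "somewhat homomorphic" scheme over the integers, constructed for this
# example. A bit b is encrypted as c = b + 2*r + p*q for a secret odd p, small
# noise r and random q. Decryption is (c mod p) mod 2, correct only while the
# noise term b + 2*r stays below p. Parameters are tiny and NOT secure; they
# are sized so that a second multiplication exhausts the noise budget.
P = 1000003                       # secret key: an odd modulus (toy size)
NOISE_BITS, Q_BITS = 8, 40
FRESH_NOISE_BOUND = 1 + 2 * (2**NOISE_BITS - 1)   # largest possible b + 2*r
_rng = random.Random(2014)        # seeded so the example is reproducible

class Ciphertext:
    """Ciphertext value plus the noise bound an HE library tracks for it."""
    def __init__(self, value, noise_bound):
        self.value, self.noise_bound = value, noise_bound

    def __add__(self, other):
        # (b1+2r1) + (b2+2r2): parity is b1 XOR b2, noise grows only linearly
        return Ciphertext(self.value + other.value,
                          self.noise_bound + other.noise_bound)

    def __mul__(self, other):
        # (b1+2r1)(b2+2r2): parity is b1 AND b2, but the noise bound becomes
        # the product of the two bounds; this is the lossy operation
        return Ciphertext(self.value * other.value,
                          self.noise_bound * other.noise_bound)

    def budget_exhausted(self, p=P):
        # once the noise term can reach p, (c mod p) no longer recovers it
        return self.noise_bound >= p

def encrypt(bit, p=P):
    r, q = _rng.getrandbits(NOISE_BITS), _rng.getrandbits(Q_BITS)
    return Ciphertext(bit + 2 * r + p * q, FRESH_NOISE_BOUND)

def decrypt(ct, p=P):
    return (ct.value % p) % 2

def refresh(ct, p=P):
    # Decrypt-and-re-encrypt resets the noise. This toy uses the key directly;
    # Gentry's bootstrapping performs the same step homomorphically, without it.
    return encrypt(decrypt(ct, p), p)

def safe_operation_count(op, p=P):
    """Fresh ciphertexts that can be folded in with `op` before the budget is gone."""
    acc, count = encrypt(1), 0
    while True:
        acc = op(acc, encrypt(1))
        if acc.budget_exhausted(p):
            return count
        count += 1

def xor_via_add(b1, b2):
    return decrypt(encrypt(b1) + encrypt(b2))

def and_via_mul(b1, b2):
    return decrypt(encrypt(b1) * encrypt(b2))
```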

  44. Bootstrappable Encryption
    Plaintext
    E(plaintext, key)
    E(E(plaintext, key), key2)
    E(E(E(plaintext, key), key2), key3)
    Every time you decrypt, you “reset” errors.
    Only a student with a thesis deadline could have thought of this.
    Works, but inefficient in time and space.
    Maybe work around? PKE is slow, but combine with SE for performance.

  46. CryptDB
    ❖ Query-based encryption
    ❖ Requires no changes to DB server
    ❖ Tested on phpBB, OpenEMR, TPC-C, etc.
    ❖ Only 14-26% slower than unmodified apps.
    http://css.csail.mit.edu/cryptdb/

  47. Encrypted BigQuery Client
    https://code.google.com/p/encrypted-bigquery-client/

  50. Zero Knowledge Proof
    Image: Wikimedia Commons / User:Dake
    Applications! I want to talk about 2 party secure computation, but…
    It’s often the case you want to talk about f(alice_value, bob_value) without revealing either arg.
    ZKPs do exist, but can be tricky.

  51. 2 Party Secure Computation
    Alice: sends c = E(x) to Bob
    Bob: computes and sends c’ = E(f(x,y)), plus a ZKP of c’ correctness, to Alice
    Alice: decrypts c’, computes a ZKP of valid decryption, and returns both to Bob
    Want to compute f(aliceData, bobData). How does Alice know Bob used correct input? How does Bob know
    Alice didn’t lie about result?

  61. Limitations
    • Server doesn’t have data to, e.g. hand off to third parties
    • All “new” cryptosystems are relatively untested and security not proven.
    • Space issues
    • Often computationally expensive
    • Client complexity and deployment
    • Not always clear when to choose fully homomorphic algorithms.
    • Not a cure-all. Metadata and side-channels still a problem
    • Moving target!
    • Patent encumbered
    “New” -> (Both in terms of algorithms and implementation.)

  62. Patent Encumbrance
    • “Nevertheless, the authors of this method to concede that making this scheme practical remains an open problem.”
    • “There exist well known solutions for secure computation of any function… It seems hard to apply these methods to complete continuous functions or represent Real numbers, since the methods inherently work over finite fields.”
    • “An encryption scheme with these two properties is called a homomorphic encryption scheme. The Paillier system is one homomorphic encryption scheme, but more ones [sic] exist.”
    Hand-waving which wouldn’t be allowed in a freshman term paper
