PRIAM: PRivate Information Access Management on Outsourced Storage Service Providers

Mark Shaneck Karthikeyan Mahadevan Jeff Yongdae Kim

Post on 22-Dec-2015


Collection of Personal Information on the Internet *

A survey by www.epic.org on the hot 100 websites (www.100hot.com) suggested that 49 of these collect private information

“For example America Online is matching its subscribers to demographic and psychographic data obtained from Donnelley Marketing”

*Source: http://www.epic.org/reports/surfer-beware.html

Privacy – do we have it on the Internet?

- Privacy is a right that every individual should possess
- Apparently this concept is not true on the Internet
- "You have zero privacy now. Get over it" - Sun CEO Scott McNealy
- Conclusion: Protecting privacy will be one of the greatest challenges for the Internet

Outline

- Motivation
- Existing Approaches
- Overview of PRIAM
- Challenge
- Details
- Conclusion and Future Work

Problem Setting

- Alice wants to have control over her private information
- She wants to store it with a highly available storage provider, which she could access from anywhere
- Storage provider should not know what she is storing
- Alice: minimal computation
- Alice should be able to let the people she likes access some information for a limited period of time

Basic Architecture

Existing Approaches - ACL

Access Control List: Owner defines an ACL and gives it to the PIP

Problems:

- PIP should be trusted
- Else encrypt the data, which implies more key management issues

Existing Approaches - Kerberos

Kerberos: Owner has to play AS

Problems:

- Owner has to be online
- Also PIP should be trusted
- Else encrypt files: key management problems (similar to ACL approach)

Existing Approaches - Lockbox

Idea: encrypt the file with a symmetric key and encrypt the symmetric key with the public key of users who will be granted access (used in Storage Security)

Problems:

- Owner has to be online to provide access to a new user!
- Once the authorization expires, the lockbox must be updated, which means contacting the PIP!

PRIAM

PRIAM is a suite of protocols:

- Private Information Storage Protocol
- Private Information Evolution Protocol
- Private Information Authorization Protocol
- Private Information Retrieval Protocol

Challenge

How can the PIP perform updates without owner interference?

There exists a function f such that:

$$f(k_1, E_k(m)) = E_{k_1}(m)$$

Building Blocks

Safe Prime: A prime p is called a safe prime if it is of the form p = 2p' + 1, where p' is a prime

Odd hash function:

$$h' : \{0,1\}^* \to \{0,1\}^l, \qquad h' = h \,\|\, 1$$

Key Chain:

$$k'_j = \prod_{i=0}^{j} k_i$$

Set up

Owner does the following:

- Choose two safe primes p, q and compute n = pq
- Pick a random odd number r (blinding factor) which is coprime to φ(n)
- Public value: n
- Private values: p, q, p', q', φ(n), r

Private Information Storage

Alice wants to store t items {m(0), m(1),…,m(t)} after initial setup

- For each i, 1≤i≤t, generate an odd random number $k_0^{(i)}$ such that $0 < k_0^{(i)} < n$
- Compute: $m_0^{(i)} = (m^{(i)})^{r k_0^{(i)}} \bmod n$
- To store the information with PIP, Alice will send the encrypted message, along with the initial value of k and the index i:

$$\text{Owner} \to \text{PIP}: \{(m_0^{(1)}, k_0^{(1)}, 1), (m_0^{(2)}, k_0^{(2)}, 2), \ldots, (m_0^{(t)}, k_0^{(t)}, t), n\}$$

Private Information Evolution

PIP updates the encryption key every night (whenever appropriate) as follows:

$$\text{PIP computes: } m_j^{(i)} = (m_{j-1}^{(i)})^{k_j^{(i)}} \bmod n$$

Note that for day j:

$$m_j^{(i)} = (m^{(i)})^{r k'^{(i)}_j} \bmod n$$

Private Information Authorization

If Bob wants to know some information about Alice, he must get Alice's consent.

$$\text{Alice} \to \text{Bob}: \{(r k'^{(i)}_j)^{-1} \bmod \varphi(n),\ n\}$$

- This message is sent over a secure channel, where r is a fixed odd random number.
- Alice could give Bob authorization for a period of time

Temporal Private Information Retrieval

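$$\text{Querier} \to \text{PIP}: \text{Request},\ i,\ \text{owner's id}$$

$$\text{PIP} \to \text{Querier}: m_j^{(i)}$$

Querier can now recover the message as

$$(m_j^{(i)})^{(r k'^{(i)}_j)^{-1}} = (m^{(i)})^{(r k'^{(i)}_j)(r k'^{(i)}_j)^{-1}} = m^{(i)} \pmod n$$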
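The storage, evolution, authorization and retrieval steps above, run end to end as an added example (not the authors' code). It assumes toy safe primes, truncated SHA-256 as h, and that each day's key is derived as k_j = h'(k_{j-1}); all function names are hypothetical.

```python
import hashlib, math, secrets

P, Q = 1019, 1187                  # constructed toy safe primes: 2*509+1, 2*593+1
N, PHI = P * Q, (P - 1) * (Q - 1)  # n is public; phi(n) never leaves the owner

def odd_hash(k):
    """h' = h || 1, with h assumed to be the first 2 bytes of SHA-256."""
    h = int.from_bytes(hashlib.sha256(str(k).encode()).digest()[:2], "big")
    return (h << 1) | 1

def chain(k0, j):                  # keys k_0..k_j, assuming k_j = h'(k_{j-1})
    keys = [k0]
    for _ in range(j):
        keys.append(odd_hash(keys[-1]))
    return keys

def rand_unit():                   # owner only: random odd value coprime to phi(n)
    while True:
        x = (secrets.randbelow(N - 4) + 3) | 1
        if math.gcd(x, PHI) == 1:
            return x

R = rand_unit()                    # owner's secret blinding factor r

def owner_store(m, days):
    """Storage: (m_0, k_0) for the PIP; k_0 is redrawn until every chain key
    is invertible, a check needed only because the primes are tiny."""
    while True:
        k0 = rand_unit()
        if all(math.gcd(k, PHI) == 1 for k in chain(k0, days)):
            return pow(m, R * k0, N), k0

def pip_evolve(m_prev, k0, j):
    """Evolution, day j >= 1: m_j = m_{j-1}^{k_j} mod n, without the owner."""
    return pow(m_prev, chain(k0, j)[-1], N)

def owner_token(k0, j):
    """Authorization for day j: (r * k'_j)^-1 mod phi(n)."""
    return pow(R * math.prod(chain(k0, j)), -1, PHI)

def querier_recover(m_j, token):   # retrieval: m = m_j^token mod n
    return pow(m_j, token, N)

def demo(m=424242, days=3):
    m0, k0 = owner_store(m, days)
    history = [m0]
    for j in range(1, days + 1):   # PIP's nightly re-encryption
        history.append(pip_evolve(history[-1], k0, j))
    tok2 = owner_token(k0, 2)      # Bob is authorized for day 2 only
    return querier_recover(history[2], tok2), querier_recover(history[3], tok2)
```

`demo()` returns the plaintext for the authorized day and a value that no longer decrypts once the PIP has evolved the record one more night. With real parameter sizes an odd key shares a factor with φ(n) = 4p'q' only with negligible probability, which is the reason for combining safe primes with an odd hash.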

Performance Evaluation

| | Communication | Computation | Storage |
|---|---|---|---|
| Private Information Storage | 1 | Owner: t | PIP: t records, t keys; Owner: TJ tokens |
| Private Information Evolution | 0 | N | 0 |
| Private Information Authorization | 2 | 0 | Querier: T tokens |
| Temporal Private Information Retrieval | 2 | Querier: 1 | 0 |

Security Analysis

Confidentiality:

- Our scheme is secure against an outside attack
- Our scheme is secure against an inside attacker under the hardness of finding φ(n) from n

Integrity: RSA guarantees this property

Security Analysis – Cont’d

Collusion:

- The advantage of any number of colluding parties is not better than that of an inside attacker with several transcripts
- Knowing the values of encryption keys without the knowledge of φ(n) does not help in finding the inverse of a future key

Application – (1)

Private Information on the Internet

- We will be able to realize privacy on the Internet using our approach.
- For example, Alice purchasing products from a website could provide authorization to some information, with which the website could contact a PIP

Application – (2)

Disclosure of Medical History Information

- Any doctor would be able to access the required medical information about a patient with his/her authorization

Conclusions

- We have proposed a scheme to achieve control over one's private information
- Provide dynamic authorization
- No necessity to contact the PIP for key updates
- PIP is minimally trusted!

Future Work

- Applying to Storage Area Networks
- Symmetric Key Version of this scheme
- Supporting multiple owners
- Digital watermarking or traitor tracing to prevent information dissemination from an authorized querier.