Efficient Proactive Security for Sensitive Data Storage

1
Efficient Proactive Security for Sensitive Data Storage
  • Arun Subbiah
  • Douglas M. Blough

School of ECE, Georgia Tech
{arun, dblough}@ece.gatech.edu
2
Autonomic Proactive
[Figure: Distributed Data Storage System. Autonomic: detect failures, repair. Proactive: periodic refresh.]
  • Autonomic / self-healing / adaptive
  • Detect storage node failure / compromise, then repair
  • Proactive security and fault-tolerance
  • Refresh and renew, don't rely on failure detector

3
Failure Detector for Byzantine Quorum Systems
[Figure: Byzantine Quorum System with failure detectors (FD), a Diagnosis Server, and Users]
  • Integrated into a distributed filesystem prototype
  • L. Kong, A. Subbiah, M. Ahamad, and D. M. Blough, "A Reconfigurable Byzantine Quorum Approach for the Agile Store," SRDS 2003
  • L. Kong, D. J. Manohar, A. Subbiah, M. Sun, M. Ahamad, and D. M. Blough, "Agile Store: Experience with Quorum-Based Data Replication Techniques for Adaptive Byzantine Fault Tolerance," SRDS 2005

4
Failure Detector Performance in Byzantine Quorum Systems
[Plot: axis labels "Probability of detection" and p_bad]
5
Proactive Security: Integrity and Confidentiality Protection
[Figure: servers SVR1, SVR2, SVR3 across Time Intervals 1, 2, 3, 4]

6
Proactive Security: Confidentiality Protection
  • Data storage using perfect secret sharing
  • Problem: Perfect secret sharing schemes have high computation overhead; do not scale with large amounts of data
  • Solution: The GridSharing Framework: use XOR and replication
  • A. Subbiah and D. M. Blough, "An Approach for Fault Tolerant and Secure Data Storage in Collaborative Work Environments," Workshop on Storage Security and Survivability, ACM CCS, 2005
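
The "XOR and replication" idea from this slide, as an added example that is not code from the presentation or from the GridSharing framework. It assumes a plain k-of-k XOR split with each share copied to several servers and accepted only when more than a fault bound of replicas agree; the function names, server layout and parameters are hypothetical, and the data block is constructed.

```python
import secrets
from collections import Counter

SAMPLE = b"constructed sample document block"  # constructed input, not from the slides

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split(secret: bytes, k: int) -> list:
    """k-of-k XOR sharing: k-1 random pads, plus the secret XORed with all pads.
    Any k-1 shares are uniformly random, so they reveal nothing about the secret."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(k - 1)]
    last = secret
    for pad in shares:
        last = xor_bytes(last, pad)
    return shares + [last]

def store(shares, replicas: int) -> dict:
    """Hypothetical layout: servers[(i, j)] holds copy j of share i."""
    return {(i, j): s for i, s in enumerate(shares) for j in range(replicas)}

def recover(servers: dict, k: int, replicas: int, fault_bound: int) -> bytes:
    """Rebuild the secret. A share value is accepted only if more than
    fault_bound replicas return it, so at least one honest server vouches for it."""
    secret = None
    for i in range(k):
        copies = [servers[(i, j)] for j in range(replicas) if (i, j) in servers]
        value, votes = Counter(copies).most_common(1)[0] if copies else (None, 0)
        if votes <= fault_bound:
            raise ValueError(f"share {i}: fewer than {fault_bound + 1} matching replicas")
        secret = value if secret is None else xor_bytes(secret, value)
    return secret

def demo() -> bytes:
    k, replicas, fault_bound = 3, 4, 1
    servers = store(split(SAMPLE, k), replicas)
    del servers[(0, 2)]                       # one replica of share 0 has crashed
    bad = servers[(1, 0)]
    servers[(1, 0)] = bytes([bad[0] ^ 1]) + bad[1:]  # one replica of share 1 is corrupted
    return recover(servers, k, replicas, fault_bound)

if __name__ == "__main__":
    print(demo() == SAMPLE)
```

Encoding and decoding cost only XORs over the block, which is the property the slide contrasts with polynomial-based perfect secret sharing.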

7
Computation Overheads for Perfect Secret Sharing
  • Verifiable secret sharing: Feldman's scheme with Shamir's scheme
  • Computation times during encoding and decoding: over 700 ms
  • For any 3 out of 5 shares scheme
  • Compare with AES (Rijndael) symmetric key encryption
  • Encryption and decryption times: approx. 205 µs
  • Perfect secret sharing is over 3000 times slower than symmetric-key encryption
  • The GridSharing framework: < 1 ms
  • Computation times for an 8 KB data block on a Pentium 4 3 GHz computer.

8
Proactive Security: Integrity Protection
[Figure: Users and servers]
Assume metadata is replicated at all servers
  • Each server periodically checks the integrity of its stored data with other servers.
  • Repair if any corruptions are detected.

9
A Proactively-Secure Document Store
[Figure: testbed with Time Interval Marker, Diagnosis Server and Users on a 100 Mbps LAN. All machines: 3 GHz, 64-bit Xeon, 2 GB RAM, 146 GB hard disk]
  • Users upload / download encrypted documents.
  • Documents stored at all the servers.
  • Experiments run on the Emulab cluster (http://www.emulab.net).

10
Throughput Measurement
11
Storage Repair Rate
12
PhD Work
  • Byzantine-fault detection algorithms
  • Integrated with Reconfigurable Quorums to give Agile Store.
  • Coding techniques for distributed storage
  • First secret sharing technique that scales with large amounts of data.
  • Protocol design for integrity and confidentiality protection
  • Prototype implementation and performance evaluation
  • First practical proactively-secure data store.
  • Scales to 100s GB of data.
  • More info: http://www.arunsubbiah.com