ConfiChair: Achieving confidentiality from the cloud provider

Designing Secure Systems, November 2016

M. Arapinis, S. Bursuc, and M. D. Ryan. Privacy-supporting cloud computing by in-browser key translation. In Journal of Computer Security, 2014. http://www.cs.bham.ac.uk/~mdr/research/papers/pdf/14-cloud-confidentiality.pdf



Security of SaaS cloud computing

Can we make a SaaS system without having to trust the cloud service provider?

Confidentiality (the main issue)

Integrity

Availability


Whether we have to trust the cloud provider or not depends on how much computation in the cloud is needed.

[Figure: spectrum of how much computation the cloud performs, from "None" to "Much": simple backup, Dropbox, EasyChair, Canvas, Facebook, Salesforce.com, Translate]

Avoiding having to trust the cloud provider means:

You don't have to trust its employees or subcontractors

You don't lose data confidentiality if the cloud provider gets hacked


Case study: SaaS system based on EasyChair (Facebook is struck out on the slide)

Similar: Canvas, Salesforce.com, ...


EasyChair: conference management

A SaaS system consisting of authors, reviewers, and chairs.

Year   #confs
2002   2
2003   3
2004   7
2005   66
2006   276
2007   629
2008   1312
2009   2183
2010   3305
2011   ≥ 4517

"We believe that since 2006 we have become number one conference management system in the number of conferences, users and submissions. All together EasyChair proudly hosted 49,000 conferences and 1M users."


EasyChair use cases

1. Conference chair sets up her conference on EasyChair

2. Chair "opens" the conference for submissions

3. Authors submit papers to the conference

4. Chair "closes" the conference for submissions

5. Chair assigns (say) 3 PC members (aka reviewers) to each paper, and opens the "reviewing phase"

6. PC members log in, see their assignments, download the papers, write their reviews

7. Once all the reviewers have reviewed a paper, the discussion phase begins for the paper. Reviewers read each other's reviews and comment on them, aiming to reach accept/reject consensus.

8. Chair takes the accept/reject decision, usually following the recommendation of the reviewers.


EasyChair uses cloud computing

Advantages

Cloud provider takes responsibility for all aspects of organising the service: storage, software, backup, availability, security, version management, ...

And does it all for free!

Problem

Cloud provider has full unmediated access to all the data.


EasyChair: the confidentiality problem

EasyChair managers have direct access to the submission and reviewing profiles of 1M users across 49k conferences, including submission rate, acceptance rate, reviewer profile (fair/unfair, thorough/scant, prompt/late).

EasyChair could [in principle, if it wished] offer profiling services to appointment panels, awarding bodies, recruitment agencies.

The data could become a target for hackers/crackers.

Similar situation for other SaaS systems.


ConfiChair


ConfiChair: user experience

Aim: usability is as good as EasyChair's.

Similarly to EasyChair, when you log into ConfiChair you should see all the conferences you are associated with.

Users have accounts on ConfiChair; the names, affiliations, email addresses and other public data about users are known to ConfiChair.

Confidentiality from cloud provider

The user's browser encrypts data before sending it to ConfiChair, and decrypts data received from ConfiChair. Papers, reviews, discussions etc. are confidential from ConfiChair.


ConfiChair: encryption keys

Users have keys associated with papers and reviews they have submitted to conferences; they are kept in their key purse.

The key purse is stored on ConfiChair encrypted by a key derived from the user's username and passphrase.

At login time, two secrets are derived from the user's username and passphrase:

An encryption key, with which to decrypt the user's key purse;

The user's ConfiChair login credentials.


ConfiChair: security properties

Secrecy properties

ConfiChair does not know the content of papers, reviews, scores, discussions, decisions.

Unlinkability property

ConfiChair does not know that a particular reviewer R reviewed a paper written by a particular author A.


Protocol (message sequence chart). Participants: C (chair), Cloud, R (reviewer), A (author).

Initialisation

C: create Conf, KConf, pub(Conf), priv(Conf)

C → Cloud: Conf, R1, ..., Rℓ

Cloud: DBKeys ← ∅; DBPapers ← ∅

C → R: KConf

Submission

A: create λ, p, k; key ← (λ, A, {λ, k}pub(Conf)); paper ← (λ, A, {λ, A, p}k)

A → Cloud: (key, paper)

Cloud: DBKeys ← DBKeys ∪ {key}; DBPapers ← DBPapers ∪ {paper}


Reviewing (𝓡 and 𝓒 are two disjoint subsets of the reviewers chosen per paper; only reviewers outside 𝓒 receive the key, and only those in 𝓡 write a review)

Cloud → C: DBKeys, DBPapers

C: DBrKeys ←R { (µ, {µ, λ, k}KConf, 𝓡, 𝓒) | (λ, A, {λ, k}pub(Conf)) ∈ DBKeys, µ ∈r ℕ, 𝓡, 𝓒 ⊆r {R1, ..., Rℓ}, 𝓡 ∩ 𝓒 = ∅ }

C → Cloud: DBrKeys

Cloud: for all (µ, {µ, λ, k}KConf, 𝓡, 𝓒) ∈ DBrKeys with R ∉ 𝓒: DBµ ← ∅

Cloud → R: (µ, {µ, λ, k}KConf, 𝓡)

R: if R ∈ 𝓡 then pick s ∈ S; create r; rev ← {µ, λ, k, r, s, ∅}KConf

R → Cloud: (µ, rev)

Cloud: DBµ ← DBµ ∪ {(R, rev)}


Discussion

R: read (R′, {µ, λ, k, r′, s′, D}KConf) ∈ DBµ; create d; rev′ ← {µ, λ, k, r′, s′, (D, d)}KConf

R → Cloud: (µ, rev′)

Cloud: DBµ ← DBµ ∪ {(R, rev′)}

Notification & report generation

Cloud → C: ⋃µ (µ, DBµ)

C: DBnotf ←R { (λ, {λ, dec, revs}k) | DBµ = ⋃ j ∈ {1, ..., nµ} (Rij, {µ, λ, k, rj, sj, dj}KConf), revs = (r1, ..., rnµ), dec ∈R {acc, rej} }

C → Cloud: DBnotf

Cloud: for (λ, A, sub) ∈ DBConf and (λ, notf) ∈ DBnotf:

Cloud → A: (λ, notf)

Report generation


ConfiChair: security mechanisms

Keys, and key purse

Key translation and mixes in the browser

ConfiChair enforces access control

Malicious-but-cautious attacker model: the cloud provider is potentially malicious, but wants to keep your custom.


Prototype implementation


Implementation details

confichair.org

The user interface follows that of EasyChair, HotCRP, and other conference management systems.

Key generation, secure storage and protocol messages are all transparently performed by the browser.

Authors need to copy-paste pub(Conf) from the call for papers. Then they just submit a paper using the usual "browse file system" and "submit" buttons.

If an author submits more than one paper, the system remembers the key.

Reviewers need to copy-paste KConf from their e-mail.

The system remembers the key after the first time it's used.

Implementation:

Uses HTML 5 features, including local storage and the W3C File API.

Crypto by LiveConnect and Java plug-in (struck out on the slide, replaced by the next item).

Crypto in JavaScript, using SJCL.

(Not yet done) Code signing by trusted party.


Key translation in the browser: performance

Speed evaluation. The time taken for moving to the review stage is about 75s for 500 papers. The time for moving to the feedback phase is about 150s for 500 papers.


Formal verification


Formal verification

Tool: ProVerif [Blanchet 2001], based on the applied pi calculus [Abadi/Fournet 2001]

Pros:

+ Automatic verification of observational equivalence

+ Soundness (no false proofs)

+ Counterexamples (attack traces)

Cons:

– Abstractions: false attacks

– Non-termination

– Requires symmetric process structure


Secrecy of reviews

[Figure: two reviews, "Best paper on my pile" and "Worst paper I have read", swapped between the two runs that the observational equivalence compares]

Similarly for papers, scores, comments, decisions.


Unlinkability author-reviewer

[Figure: two papers, "Quick sort" by Tony Hoare and "Pi calculus" by Robin Milner, with their reviewer assignments swapped between the two runs that the observational equivalence compares]


Caveat about unlinkability property

Unlinkability property

"ConfiChair does not know that a particular reviewer R reviewed a paper written by a particular author A."

This property is difficult to achieve because the cloud service provider (CSP) can simply follow the ciphertexts (without needing to decrypt them):

Author Alice uploaded an encrypted paper

Reviewer Richard later downloaded the same encrypted paper

Therefore, Richard reviewed Alice's paper

The way we achieved the desired unlinkability property is not very good. We simply coded it so that papers are divided into bundles of 10, and when a reviewer asks to download one paper, he actually downloads the group of 10 that it belongs to.

This is not really secure. It does not really satisfy the unlinkability property.


Summary

ConfiChair

ConfiChair is an infrastructure for hosting a type of SaaS system.

Its unique selling point is that the cloud doesn't see any sensitive data.

Therefore, it's invulnerable to attacks from/on the cloud provider, its employees, its subcontractors, or hackers that attack it.

We formalised the properties, and verified them with ProVerif.

Prototype implementation by Matt Roberts, Joshua Phillips, Mihai Ordean

https://www.confichair.org/

The future

Production implementation

Commercial exploitation