350 likes | 616 Views
Secure Metering. Peng Wang. Outline. Introduction An Auditable Metering Scheme for Web Advertisement Applications, ISC 01, Liqun Chen and Wenbo Mao Secure and efficient Metering, Eurocrypt’98, by Naor and Pinkas
E N D
Secure Metering Peng Wang
Outline • Introduction • An Auditable Metering Scheme for Web Advertisement Applications, ISC 01, Liqun Chen and Wenbo Mao • Secure and efficient Metering, Eurocrypt’98, by Naor and Pinkas • Third party certification of HTTP service access statistics, International Workshop on Security Protocols 99, F. Bergadano and P. De Mauro • SAWM: a tool for secure and authenticated web metering, SEKE’02, by Blundo and Cimato • Discussion
Introduction • Metering schemes count (approximately) the number of clients who visited a website • Measure the popularity of website • E.g. in order to decide on advertisement fees. • Secure against servers inflate the number of visits • Secure against clients disrupt the metering process • Some schemes
Request Web page setup setup proof Request, page, evidence, etc. Audit agency Players Web server Clients • Setup • Evidence • Proof
97 98 99 00 01 02 03 04 Timing function approach Polynomial approach Tamper resistant hardware approach Hash chain approach
97 98 99 00 01 02 03 04 • Auditable Metering with Lightweight Security, M. K. Franklin and D. Malkhi, Financial Crypto 97. • Use timing function to monitor the duration of browsing. • Lightweight security that makes a large number of artificial visits very costly. • An Auditable Metering Scheme for Web Advertisement Applications, Liqun Chen and Wenbo Mao, ISC 01 • More details later. Timing function approach
97 98 99 00 01 02 03 04 • Secure accounting and auditing on the Web, Moni Naor and Benny Pinkas, 7th international conference on World Wide Web • Secure and Efficient Metering, Moni Naor and Benny Pinkas, Eurocrypt '98 • More details later. Polynomial approach
97 98 99 00 01 02 03 04 • Provably Secure Metering Scheme, Wakaha Ogata and Kaoru Kurosawa, ASIACRYPT '00 • An attack on Noar and Pinkas paper, and the fix • Carlo Blundo and Annalisa De Bonis and Barbara Masucci and Douglas R. Stinson • Metering Schemes with Pricing • Dynamic Multi-threshold Metering Schemes • A note on optimal metering schemes • Bounds and constructions for metering schemes • Metering Schemes for General Access Structures • Efficient Metering Schemes With Pricing • An information theoretic approach to metering schemes Polynomial approach
97 98 99 00 01 02 03 04 • Third party certification of HTTP service access statistics, F. Bergadano and P. De Mauro, International Workshop on Security Protocols, 98 • More details later. Tamper resistant hardware approach
97 98 99 00 01 02 03 04 • SAWM: a tool for secure and authenticated web metering, Carlo Blundo and Stelvio Cimato, SEKE '02 • More details later. • A Software Infrastructure for Authenticated Web Metering, Carlo Blundo and Stelvio Cimato, IEEE Computer Hash chain approach
97 98 99 00 01 02 03 04 Lightweight security, timing function approach Polynomial approach Temper resistant hardware approach Hash chain approach
An Auditable Metering Scheme • Use timing function to monitor the duration of browsing a web page that contains a ad bar. • Lightweight security that makes a large number of artificial visits very costly. • Setup: • The audit agency generates e, n = qp, and sends (e,n) to the website. • Regular operation: • A web server sends the required web page with the ad bar, a timing function code and parameters (n, x, e) to clients upon requests. • x must be fresh • The client’s browser displays the web page and runs the timing function.
An Auditable Metering Scheme Server send (t, a, x, e, n) to the audit agency who runs: When the client leaves the page, the code sends (t, a, x, e, n) to the server. The auditing algo takes 3 mod exponentiations.
+s & -s + No client registration & modification + Audit agency can be offline + Can measure duration of visiting • Light weight security - High verification overhead - must verify each individual evidence Some Server overhead
Secure and efficient Metering • Based on Shamir’s polynomial secret sharing scheme • Measure whether a server receives k visits in a certain time frame • Four schemes: • The basic scheme, • A robust version, • One that allows clients anonymity, • One that allows unlimited use.
The basic scheme • Initialization : (before any time frame) • A: generates a bivariate polynomial P(x, y) over Zp • Degree k-1in x, and degree d-1 in y • k: the expected number of visits • d: the number of time frames • The polynomial can be used < d time frames • A C: P(C, y)
The basic scheme cont • Regular operations: (when C visits S in the time frame t) • C S: P(C, S || t) • Assume that no two pairs (S || t) and (S’ || t’) are mapped to the same element of Zp. • Proof generation: (after time frame t) • If S has k different visitors in time frame t, it has k value: {P(Ci, S || t)i=1…k}. • S performs a Lagrange interpolation and computes the proof: P(0, S || t) • S sends the proof to A who then verifies the proof.
+s & -s + strong + low verification overhead + Audit agency can be offline • Clients must register Some server overhead
Third party certification of HTTP service access statistics • Setup: the website obtains a tamper-proof box from the audit agency and connects the box to a web server. • Regular operation: • The web server inputs every client request to the box. • The box generates random bits • The probability of 1 must be low to reduce overhead. • If 0, the web server serves the client request normally. • If 1, • the box Mac the request. • the web server redirects the request to the audit agency • the audit agency verifies the request. • It redirects the request back to the web server who serves the request. • the web server log the operations • Verification: the web server submits the log to the audit agency who verifies the log file.
+s & -s + No client registration & modification • Require special hardware • Audit agency must be online • Server overhead & delay Secure?
SAWM • The authors did many work on polynomial based metering schemes • This paper describes a hash chain based solution • Initialization: • For each client C, A generates a random value w and computes Hk(w) • A C: k, w • A S: C, Hk(w) • C builds the hash chain: H(w)… Hk(w) • S stores C, Hk(w) and sets a counter Lc to 0.
SAWM cont • Regular operations: • C has the hash chain: H(w), H2(w) , … Hk-1(w), Hk(w) • C S: Hk-j(w) for j-th visit • S verifies and stores it, then increases the counter Lc • Proof generation and verification: • SA: [C, Hk-Lc(w), Lc] for each client • A has w and can verify.
+s & -s + Low server overhead + Audit agency can be offline • Clients must register • High verification overhead - must verify each individual evidence Some Server overhead
Discussion • How to use metering schemes measure the number of client visited an out-sourced service?
Secure Outsourcing Yongdae Kim
Outsourcing • Outsourcing is popular and will be much more popular • Examples • ISP, SSP, DBSP • Intrusion Detection • Web service, Grid computing • P2P… • Any outsourcing is involved with Service Level Agreement (SLA) • Current SLA is vague, so that the service provider can fight in case of dispute • Otherwise, most outsourcing cases are based on trust
Outsourcing Primitives • Counting • WS.com promised to provide web access to at least 10,000 users in 10 minute interval • Bandwidth • Streaming.com promised to provide streaming service with at least 100Kbps for any client of cnn.com • Connection • Computation • Down-time • Storage • Database • Intrusion detection • If your domain is shut down by the worm, secure.com will pay all cost associated with the worm to insecure.com. • Hybrid
Trustworthy Outsourcing • Previous work focuses on mostly web counting • Research Theme • Framework to develop a trustworthiness between a client (service providee) and a server (service provider) in outsourcing • Simplification of dispute resolution
Trustworthy Outsourcing: Topics • Extending web counting to more diverse primitives (as outlined in previous slides) • Fairness • A client can prove to a third party (or public) that the service was not provided, when it was not. • A server can prove to a third party (or public) that the service was provided, when it was. • How can we relax the assumption on participants? • Auditing Agent? • Client authentication required? • Fair P2P (file sharing) system
Robustness • If clients send incorrect evidence, then the server cannot compute the proof. • The server must verify the evidence. • Given v=au+b, if S has (a, b), S can verify (v, u) • Initialization: • A: Generates random polynomial P(x, y), A(x, y), and B(y). • Computes V(x, y) = A(x, y)*P(x, y) + B(y) • A C: V(C, y) and P(C, y) • A S: A(x, S || ti ) and B(S || ti ), i = 1…# of time frames
Robustness cont • Regular operations: • C S: V(C, S ||t) and P (C, S ||t) • S verifies if V = AP +B at the point (C, S || t) • Proof generation: • S uses the k value {P(Ci, S || t)i=1…k} only to perform a Lagrange interpolation and computes the proof: P(0, S || t) • S sends the proof to A who then verifies the proof.
Anonymity • Sounds counterintuitive, but: • Initialization: (based on basic scheme) • A: Generates random polynomial P(x, y), Qc(y) • A C: P(Qc(y), y) and P(C, y) • Regular operations: • C S: Qc(S ||t) and P (Qc(S ||t), S ||t) • Proof generation: • S performs a Lagrange interpolation and computes the proof: P(0, S || t) • S sends the proof to A who then verifies the proof.
A scheme for unlimited use • g is a generator of a subgroup of Zp*, with order q • Initialization: • A: Generates random polynomial P(x) of degree k-1 over Zq • A C: P(C) and A’s signature of gP(C) • At the beginning of time frame t: • A S: a challenge gr • Regular operations: • S C: gr • C S: A’s signature of gP(C), grp(c) , and a proof of the discrete log of gP(C) to the base g and the discrete log of grP(C) to the base gr are the same. • Proof generation: SA:grp(0)