Secure Metering


  1. Secure Metering Peng Wang

  2. Outline • Introduction • An Auditable Metering Scheme for Web Advertisement Applications, ISC 01, Liqun Chen and Wenbo Mao • Secure and efficient Metering, Eurocrypt’98, by Naor and Pinkas • Third party certification of HTTP service access statistics, International Workshop on Security Protocols 99, F. Bergadano and P. De Mauro • SAWM: a tool for secure and authenticated web metering, SEKE’02, by Blundo and Cimato • Discussion

  3. Introduction • Metering schemes count (approximately) the number of clients who visited a website • Measure the popularity of a website • E.g. in order to decide on advertisement fees. • Secure against servers that inflate the number of visits • Secure against clients that disrupt the metering process • Some schemes

  4. Players • Audit agency • Web server • Clients • [Diagram: setup, request, web page, evidence and proof messages exchanged between the players] • Setup • Evidence • Proof

  5. [Timeline 97 to 04] • Timing function approach • Polynomial approach • Tamper resistant hardware approach • Hash chain approach

  6. Timing function approach [timeline 97 to 04] • Auditable Metering with Lightweight Security, M. K. Franklin and D. Malkhi, Financial Crypto 97. • Use timing function to monitor the duration of browsing. • Lightweight security that makes a large number of artificial visits very costly. • An Auditable Metering Scheme for Web Advertisement Applications, Liqun Chen and Wenbo Mao, ISC 01 • More details later.

  7. Polynomial approach [timeline 97 to 04] • Secure accounting and auditing on the Web, Moni Naor and Benny Pinkas, 7th international conference on World Wide Web • Secure and Efficient Metering, Moni Naor and Benny Pinkas, Eurocrypt '98 • More details later.

  8. Polynomial approach [timeline 97 to 04] • Provably Secure Metering Scheme, Wakaha Ogata and Kaoru Kurosawa, ASIACRYPT '00 • An attack on the Naor and Pinkas paper, and the fix • Carlo Blundo and Annalisa De Bonis and Barbara Masucci and Douglas R. Stinson • Metering Schemes with Pricing • Dynamic Multi-threshold Metering Schemes • A note on optimal metering schemes • Bounds and constructions for metering schemes • Metering Schemes for General Access Structures • Efficient Metering Schemes With Pricing • An information theoretic approach to metering schemes

  9. Tamper resistant hardware approach [timeline 97 to 04] • Third party certification of HTTP service access statistics, F. Bergadano and P. De Mauro, International Workshop on Security Protocols, 98 • More details later.

  10. Hash chain approach [timeline 97 to 04] • SAWM: a tool for secure and authenticated web metering, Carlo Blundo and Stelvio Cimato, SEKE '02 • More details later. • A Software Infrastructure for Authenticated Web Metering, Carlo Blundo and Stelvio Cimato, IEEE Computer

  11. [Timeline 97 to 04] • Lightweight security, timing function approach • Polynomial approach • Tamper resistant hardware approach • Hash chain approach

  12. An Auditable Metering Scheme • Use a timing function to monitor the duration of browsing a web page that contains an ad bar. • Lightweight security that makes a large number of artificial visits very costly. • Setup: • The audit agency generates e, n = qp, and sends (e, n) to the website. • Regular operation: • A web server sends the requested web page with the ad bar, a timing function code and parameters (n, x, e) to clients upon request. • x must be fresh • The client's browser displays the web page and runs the timing function.

  13. An Auditable Metering Scheme • When the client leaves the page, the code sends (t, a, x, e, n) to the server. • The server sends (t, a, x, e, n) to the audit agency, who runs the auditing algorithm. • The auditing algorithm takes 3 modular exponentiations.

  14. +s & -s + No client registration & modification + Audit agency can be offline + Can measure duration of visiting • Lightweight security - High verification overhead (must verify each individual evidence) • Some server overhead

  15. Secure and efficient Metering • Based on Shamir’s polynomial secret sharing scheme • Measure whether a server receives k visits in a certain time frame • Four schemes: • The basic scheme, • A robust version, • One that allows clients anonymity, • One that allows unlimited use.

  16. The basic scheme • Initialization: (before any time frame) • A: generates a bivariate polynomial P(x, y) over Z_p • Degree k-1 in x, and degree d-1 in y • k: the expected number of visits • d: the number of time frames • The polynomial can be used < d time frames • A → C: P(C, y)

  17. The basic scheme cont • Regular operations: (when C visits S in the time frame t) • C → S: P(C, S || t) • Assume that no two pairs (S || t) and (S' || t') are mapped to the same element of Z_p. • Proof generation: (after time frame t) • If S has k different visitors in time frame t, it has k values: {P(C_i, S || t)}, i = 1…k. • S performs a Lagrange interpolation and computes the proof: P(0, S || t) • S sends the proof to A who then verifies the proof.
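The basic scheme of slides 16 and 17, run end to end for one time frame. This is an added example, not code from the presentation or from the Naor and Pinkas paper; the modulus `P_MOD`, the `frame_point` encoding of S || t, and all function names are assumptions made for illustration.

```python
import secrets

P_MOD = 2**61 - 1  # constructed prime modulus for Z_p (assumption, not from the slides)

def gen_bivariate(k, d):
    """A: random P(x, y); poly[i][j] is the coefficient of x^i * y^j."""
    return [[secrets.randbelow(P_MOD) for _ in range(d)] for _ in range(k)]

def restrict_x(poly, x):
    """A -> C: coefficients (in y) of the univariate polynomial P(x, y)."""
    return [sum(row[j] * pow(x, i, P_MOD) for i, row in enumerate(poly)) % P_MOD
            for j in range(len(poly[0]))]

def evaluate(coeffs, y):
    """Horner evaluation of a univariate polynomial over Z_p."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * y + a) % P_MOD
    return acc

def frame_point(server_id, t):
    """Hypothetical injective encoding of S || t as an element of Z_p (t < 2^20)."""
    return ((server_id << 20) | t) % P_MOD

def interpolate_at_zero(points):
    """S: Lagrange interpolation of points (C_i, P(C_i, h)), evaluated at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % P_MOD
                den = (den * (xi - xj)) % P_MOD
        total = (total + yi * num * pow(den, -1, P_MOD)) % P_MOD
    return total

def run_frame(k, d, server_id, t, visitors):
    """Simulate one time frame; return (proof S computes, value A expects)."""
    poly = gen_bivariate(k, d)
    h = frame_point(server_id, t)
    # Each visiting client C (distinct, nonzero id) evaluates P(C, y) at y = S || t.
    evidence = [(c, evaluate(restrict_x(poly, c), h)) for c in visitors]
    expected = evaluate(restrict_x(poly, 0), h)  # A recomputes P(0, S || t)
    return interpolate_at_zero(evidence), expected

if __name__ == "__main__":
    proof, expected = run_frame(k=3, d=4, server_id=7, t=1, visitors=[11, 22, 33])
    print("k visitors, proof accepted:", proof == expected)
```

With fewer than k distinct visitors the interpolated value matches P(0, S || t) only with probability about 1/p, which is what stops the server from claiming a frame it did not earn.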

  18. +s & -s + strong + low verification overhead + Audit agency can be offline • Clients must register Some server overhead

  19. Third party certification of HTTP service access statistics • Setup: the website obtains a tamper-proof box from the audit agency and connects the box to a web server. • Regular operation: • The web server inputs every client request to the box. • The box generates random bits • The probability of 1 must be low to reduce overhead. • If 0, the web server serves the client request normally. • If 1, • the box MACs the request. • the web server redirects the request to the audit agency • the audit agency verifies the request. • It redirects the request back to the web server, which serves the request. • the web server logs the operations • Verification: the web server submits the log to the audit agency, which verifies the log file.

  20. +s & -s + No client registration & modification • Requires special hardware • Audit agency must be online • Server overhead & delay Secure?

  21. SAWM • The authors did much work on polynomial-based metering schemes • This paper describes a hash chain based solution • Initialization: • For each client C, A generates a random value w and computes H^k(w) • A → C: k, w • A → S: C, H^k(w) • C builds the hash chain: H(w) … H^k(w) • S stores C, H^k(w) and sets a counter L_c to 0.

  22. SAWM cont • Regular operations: • C has the hash chain: H(w), H^2(w), …, H^(k-1)(w), H^k(w) • C → S: H^(k-j)(w) for the j-th visit • S verifies and stores it, then increases the counter L_c • Proof generation and verification: • S → A: [C, H^(k-L_c)(w), L_c] for each client • A has w and can verify.
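The hash chain exchange of slides 21 and 22, with the server-side check and the audit agency's verification. This is an added example, not the SAWM tool's code; SHA-256 as H, the seed value, and the class and function names are assumptions.

```python
import hashlib
import hmac

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()   # assumption: the slides do not name H

def iterate(w: bytes, n: int) -> bytes:
    """Return H^n(w)."""
    for _ in range(n):
        w = H(w)
    return w

class Server:
    """S keeps, per client, the last accepted chain value and the counter L_c."""
    def __init__(self):
        self.state = {}

    def register(self, client, anchor):
        self.state[client] = [anchor, 0]          # A -> S: C, H^k(w)

    def visit(self, client, token):
        last, count = self.state[client]
        # The j-th token H^(k-j)(w) must hash to the stored H^(k-j+1)(w).
        if not hmac.compare_digest(H(token), last):
            return False
        self.state[client] = [token, count + 1]
        return True

    def proof(self, client):
        last, count = self.state[client]
        return client, last, count                # S -> A: [C, H^(k-L_c)(w), L_c]

def audit(w: bytes, k: int, proof) -> bool:
    """A recomputes H^(k-L_c)(w) from its own copy of w and compares."""
    _, value, count = proof
    return 0 <= count <= k and hmac.compare_digest(iterate(w, k - count), value)

def demo():
    w, k = b"constructed-seed-for-client-C1", 10  # constructed sample values
    s = Server()
    s.register("C1", iterate(w, k))
    accepted = [s.visit("C1", iterate(w, k - j)) for j in (1, 2, 3)]
    replayed = s.visit("C1", iterate(w, k - 3))   # a reused token is rejected
    honest = audit(w, k, s.proof("C1"))
    _, value, _ = s.proof("C1")
    inflated = audit(w, k, ("C1", value, 5))      # S claims 5 visits, holds 3 tokens
    return accepted, replayed, honest, inflated
```

The server cannot raise L_c without a preimage of the value it already holds, and the agency pays k - L_c hash evaluations per client to check each proof.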

  23. +s & -s + Low server overhead + Audit agency can be offline • Clients must register • High verification overhead - must verify each individual evidence Some Server overhead

  24. Comparison

  25. Discussion • How can metering schemes be used to measure the number of clients that visited an outsourced service?

  26. Secure Outsourcing Yongdae Kim

  27. Outsourcing • Outsourcing is popular and will be much more popular • Examples • ISP, SSP, DBSP • Intrusion Detection • Web service, Grid computing • P2P… • Any outsourcing involves a Service Level Agreement (SLA) • Current SLAs are vague, so that the service provider can fight in case of dispute • Otherwise, most outsourcing cases are based on trust

  28. Outsourcing Primitives • Counting • WS.com promised to provide web access to at least 10,000 users in a 10-minute interval • Bandwidth • Streaming.com promised to provide streaming service with at least 100Kbps for any client of cnn.com • Connection • Computation • Down-time • Storage • Database • Intrusion detection • If your domain is shut down by the worm, secure.com will pay all costs associated with the worm to insecure.com. • Hybrid

  29. Trustworthy Outsourcing • Previous work focuses mostly on web counting • Research Theme • Framework to develop trustworthiness between a client (service providee) and a server (service provider) in outsourcing • Simplification of dispute resolution

  30. Trustworthy Outsourcing: Topics • Extending web counting to more diverse primitives (as outlined in previous slides) • Fairness • A client can prove to a third party (or public) that the service was not provided, when it was not. • A server can prove to a third party (or public) that the service was provided, when it was. • How can we relax the assumption on participants? • Auditing Agent? • Client authentication required? • Fair P2P (file sharing) system

  31. Supplemental

  32. Robustness • If clients send incorrect evidence, then the server cannot compute the proof. • The server must verify the evidence. • Given v = au + b, if S has (a, b), S can verify (v, u) • Initialization: • A: Generates random polynomials P(x, y), A(x, y), and B(y). • Computes V(x, y) = A(x, y)*P(x, y) + B(y) • A → C: V(C, y) and P(C, y) • A → S: A(x, S || t_i) and B(S || t_i), i = 1…# of time frames

  33. Robustness cont • Regular operations: • C → S: V(C, S || t) and P(C, S || t) • S verifies if V = AP + B at the point (C, S || t) • Proof generation: • S uses the k values {P(C_i, S || t)}, i = 1…k, only to perform a Lagrange interpolation and computes the proof: P(0, S || t) • S sends the proof to A who then verifies the proof.
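The evidence check of slides 32 and 33, showing how the server rejects a wrong P(C, S || t) before it can spoil the interpolation. This is an added example, not code from the presentation or the paper; the modulus `Q`, the degrees chosen for A and B, the sample values of C and h, and all function names are assumptions.

```python
import secrets

Q = 2**61 - 1  # constructed prime modulus for Z_p (assumption)

def rand_biv(dx, dy):
    """Random bivariate polynomial; f[i][j] is the coefficient of x^i * y^j."""
    return [[secrets.randbelow(Q) for _ in range(dy)] for _ in range(dx)]

def ev(coeffs, z):
    """Horner evaluation of a univariate polynomial over Z_p."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * z + a) % Q
    return acc

def fix_x(f, x):   # f(x, y) with x fixed, as coefficients in y
    return [ev([row[j] for row in f], x) for j in range(len(f[0]))]

def fix_y(f, y):   # f(x, y) with y fixed, as coefficients in x
    return [ev(row, y) for row in f]

def client_share(P, A, B, c):
    """A -> C: V(C, y) = A(C, y) * P(C, y) + B(y), together with P(C, y)."""
    a_c, p_c = fix_x(A, c), fix_x(P, c)
    v_c = [0] * max(len(a_c) + len(p_c) - 1, len(B))
    for i, a in enumerate(a_c):
        for j, p in enumerate(p_c):
            v_c[i + j] = (v_c[i + j] + a * p) % Q
    for j, b in enumerate(B):
        v_c[j] = (v_c[j] + b) % Q
    return v_c, p_c

def server_key(A, B, h):
    """A -> S: A(x, h) and B(h) for the frame point h = S || t."""
    return fix_y(A, h), ev(B, h)

def verify(key, c, v, p):
    """S checks V = A*P + B at the point (C, h) before keeping P(C, h)."""
    a_h, b_h = key
    return v == (ev(a_h, c) * p + b_h) % Q

def demo(c=11, h=7340033):
    P, A = rand_biv(3, 4), rand_biv(2, 4)      # degrees of A and B are assumptions
    B = [secrets.randbelow(Q) for _ in range(4)]
    v_c, p_c = client_share(P, A, B, c)
    v, p = ev(v_c, h), ev(p_c, h)              # C -> S: V(C, h) and P(C, h)
    key = server_key(A, B, h)
    return verify(key, c, v, p), verify(key, c, v, (p + 1) % Q)
```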

  34. Anonymity • Sounds counterintuitive, but: • Initialization: (based on basic scheme) • A: Generates random polynomials P(x, y), Q_C(y) • A → C: P(Q_C(y), y) and P(C, y) • Regular operations: • C → S: Q_C(S || t) and P(Q_C(S || t), S || t) • Proof generation: • S performs a Lagrange interpolation and computes the proof: P(0, S || t) • S sends the proof to A who then verifies the proof.

  35. A scheme for unlimited use • g is a generator of a subgroup of Z_p*, with order q • Initialization: • A: Generates random polynomial P(x) of degree k-1 over Z_q • A → C: P(C) and A's signature of g^P(C) • At the beginning of time frame t: • A → S: a challenge g^r • Regular operations: • S → C: g^r • C → S: A's signature of g^P(C), g^(r·P(C)), and a proof that the discrete log of g^P(C) to the base g and the discrete log of g^(r·P(C)) to the base g^r are the same. • Proof generation: S → A: g^(r·P(0))
