Computing and communicating through the Web makes it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview; a lost or stolen laptop can expose personal photos or messages; or a legal investigation can subpoena the entire contents of a home or work computer, uncovering incriminating or just embarrassing details from the past.
Our research seeks to protect the privacy of past, archived data — such as copies of emails maintained by an email provider — against accidental, malicious, and legal attacks. Specifically, we wish to ensure that all copies of certain data become unreadable after a user-specified time, without any specific action on the part of a user, without needing to trust any single third party to perform the deletion, and even if an attacker obtains both a cached copy of that data and the user's cryptographic keys and passwords.
Vanish is a research project aimed at meeting this challenge through a novel integration of cryptographic techniques with distributed systems. We initially implemented a proof-of-concept Vanish prototype that uses the million-node Vuze BitTorrent DHT to create self-destructing data. For a description of our Vuze-based self-destructing data system, please refer to our paper.
Thanks to research done by others, we found that the initial Vuze DHT implementation on which Vanish was based was not adequately protected against Sybil attacks that seek to harvest data from the DHT. In part, this was due to overly eager replication for availability, and in part, it is due to the fact that existing DHTs were not designed with such attacks in mind. In response, we have been working with Paul Gardner from Vuze, Inc. to implement, deploy, and evaluate at scale measures for improving Vuze's security against Sybil-driven data-harvesting attacks. Specifically, our measures: (1) limit the excessive amount of replication that currently exists in Vuze, and (2) limit the ability of an attacker to perform large-scale Sybil attacks. Our evaluation shows that our combined defenses significantly raise the bar against Sybil data-harvesting attacks. A comprehensive evaluation of all of our defenses is currently underway and will be available shortly.
In addition, we are investigating new directions and architectures for self-destructing data. We believe that the future for self-destructing data is to leverage multiple back-end storage systems (both DHTs and other types of distributed structures) in such a way that compromising Vanish would require compromising all of the storage systems. As a proof of concept of this idea, in Sept. 2009 we released a new prototype that splits the keys across both Vuze DHT and OpenDHT. In collaboration with Vinnie Moscaritolo from PGP Corporation, we are now investigating new storage backends for Vanish that have fundamentally different properties and threat models than DHTs. Once again, new developments in self-destructing data are underway, so stay tuned -- we will describe the latest advances in Vanish research on our publications page as they become available.
Overall, we have thus far made several significant contributions to the self-destructing data problem and beyond; some of these contributions are already published, while others are still in the works:
|Roxana Geambasu, Amit Levy|
|Yoshi Kohno, Hank Levy, Arvind Krishnamurthy|
|Paul Gardner (Vuze, Inc.)|
|Vinnie Moscaritolo (PGP Corporation)|
This work is supported by NSF grants NSF-0846065, NSF-0627367, and NSF-614975, an Alfred P. Sloan Research Fellowship, the Wissner-Slivka Chair, and a gift from Intel Corporation.