In [1]:
# Mirror Project Readdme
from IPython.display import display, Markdown
with open('README.md', 'r') as f:
    content = f.read()
display(Markdown(content))

# iAudit INDaaS (Independence as a Service)
## Private, Independent Audits of Alternative Inter-Cloud Replication Deployments 

Customers of modern cloud services deploy replicas of their applications 
in order to improve reliability and performance. These replicas may be spread 
across multiple providers, such as Amazon AWS and Microsoft Azure.

Shared vulnerabilities (both hardware and software) of providers can lead to 
cascading failures, since the benefits of redundancy are lost. Despite this risk 
to consumers, cloud providers are reluctant to share vulnerability information 
with other providers. How can we let consumers achieve sufficient redundancy 
in their application deployments, while also recognizing the business concerns
of cloud providers?

Introducing  **iAudit**. 

**iAudit** is a system for computing the weighted shared dependency score
between multiple cloud providers, which does not require any of the providers
to disclose their vulnerabilities to the customer or competing providers. Lower
score indicates higher independence. Higher independence scores indicate deployment schemes with higher  application reliability.

There are two components to the system. This repository contains Python
code for the second, with influence from the [Java](https://github.com/ennanzhai/auditor) implementation.

1. Generation of provider dependency graphs
2. Compute dependency scores using a Weighted Private Set Intersection Cardinality Protocol (Vaidya and Clifton)

Part of a senior project at Yale University.

### iAudit Team
- Project Lead: [Ennan Zhai, PhD](http://www.cs.yale.edu/homes/zhai-ennan/)
- Advisor: [Profesor Avi Silberschatz](http://codex.cs.yale.edu/avi/)
- Students: William Dower, [Cameron Yick](www.cameronyick.us)


### Single Node Example

Show that protocol works when doing ring pass on a single computer


In [2]:
import iaudit

In [3]:
# Dummy data
'''
 A cutset is a list of vulernabilities that would break the application on a given node.
 A node can have multiple cutsets.
 Each cutset has a weight, indicating its significance. Higher score = more significance.
 In these cells, we setup
'''

strings = {}

strings['A'] = \
"""
<cutsets>
    <cutset items="DNS1" weight="10"/>
    <cutset items="Agg1, Agg2" weight="6"/>
</cutsets>
"""

strings['B'] = \
"""
<cutsets>
    <cutset items="DNS1" weight="10"/>
    <cutset items="Agg3" weight="6"/>
    <cutset items="DNS2" weight="4"/>
</cutsets>
"""

In [4]:
# Unweighted Example
cutsetsA = iaudit.string_to_cutsets(strings['A'])
cutsetsB = iaudit.string_to_cutsets(strings['B'])

In [5]:
# Because of the weights, we won't have true set interesection.
# for c in cutsets.cutsets:
#     print c

In [6]:
# cutsets[0]

## Adding Encryption


First, we try out an RSA based method, like the Sefasi tool.


In [297]:
import Crypto
from Crypto.PublicKey import RSA
from Crypto.PublicKey import pubkey
print Crypto.__version__

2.6.1


In [298]:
# For demo, these variables are hard coded into notebook. In practice, will live as config files on each node.
# Same across all nodes
# Use sample numbers from http://www.di-mgt.com.au/rsa_alg.html
pub_config = {}
pub_config['encryption'] = {
    'p': 47,
    'q': 13
}

# Private Configuration
pvt_config = {}
pvt_config['encryption'] = {
    'e': 5
}

In [299]:
'''
RSA Directions:
The modulus **n** must be the product of two primes.
The public exponent **e** must be odd and larger than 1.

In case of a private key, the following equations must apply:

- e != 1
- p*q = n
- e*d = 1 mod (p-1)(q-1)
- p*u = 1 mod q

# order of arguments for RSA.Construct
1. RSA modulus (n).
2. Public exponent (e).
3. Private exponent (d). Only required if the key is private.
4. First factor of n (p). Optional.
5. Second factor of n (q). Optional.
6. CRT coefficient, (1/p) mod q (u). Optional.
'''

def make_private_key(public_config, private_config):
    '''
    Args:
        public_config (dict): Contains public modulus p, q
        private_config (dict): Contains private exponent e
    Returns:
        An RSA key object (`_RSAobj`).
    
    '''
    # public key contains public modulus
    # in production, use a local public key file
    p = long(public_config['encryption']['p'])
    q = long(public_config['encryption']['q'])
    # private key contains private exponent
    e = long(private_config['encryption']['e'])

    # Enforce constraint that p must be bigger.
    # http://crypto.stackexchange.com/questions/18084/in-rsa-why-does-p-have-to-be-bigger-than-q-where-n-p-times-q
    if p < q:
        p, q = q, p
        
    # in practice, not needed 
    n = p*q
    phi = (p - 1)*(q - 1)
    d = pubkey.inverse(e, phi)
    rsaInit = (n, e, d, p, q)
    #     rsaInit = (n, e, d)
    #     print "n {}, e {}, d {}, p {}, q {}".format(n, e, d, p, q)
    return RSA.construct(rsaInit)

- e*d = 1 mod (p-1)(q-1)
- p*u = 1 mod q


In [300]:
# Setup the crypto 
pvtKey = make_private_key(pub_config, pvt_config)
pubKey = pvtKey.publickey()

In [301]:
# With our weak example, we must use a short message 
# See: http://0x90909090.blogspot.com/2015/10/playing-with-rsa-and-python.html
# We must assert that the length of our key is 
message = "z"
print message

z


In [302]:
encrypted = pubKey.encrypt(message, None) # second parameter is ignored for some reason
print encrypted

('`',)


In [303]:
pvtKey.decrypt(encrypted)

'z'

If our data is purely numeric (e.g. with Sefasi they just had IP addresses which have fixed size, this is good enough. However, our list of dependencies may contain strings of arbitrary length. Thus, we want to try a different encryption scheme that can overcome these limits.


SRA calculator [here](https://asecuritysite.com/encryption/comm2)

Why RSA has message length restriction [here](http://stackoverflow.com/questions/10061626/message-length-restriction-in-rsa)



Would it still be sensible to get this working with SRA protocol, knowing that we limit all cutset lengths to be less than a bounded number of characters?


What about "Fast Private Set Intersection Cardinality" with the help of Bloom Filters?

http://www.ics.uci.edu/~gts/paps/psi-ca.pdf

### Use AES to overcome item length limits



In [7]:
import base64
from Crypto.Cipher import AES
from Crypto import Random
import os

import os
import hashlib


In [9]:
# for i in range(10):
#     print crypto.decrypt(encrypted)

In [315]:
# x1 = Cipher("key2")
# x2 = Cipher("key1")

In [316]:
# a1 = x2.encrypt(x1.encrypt("4a"))
# # need to reset counter states 
# a2 = x1.encrypt(x2.encrypt("4a"))

In [317]:
x1.decrypt(x2.decrypt(a1))

'4a'

In [241]:
x2.decrypt(a1)


'\x87\xee\x12,\xfdq\x0f\x04N\xd29\xc3^p\xd8p\xf6\x00'

In [240]:
x1.decrypt(a1)

'@1X\xe0\xdaw\x95\xf7\x87g\xad\xce\xe09\xc4;\xf3b'

In [231]:
x1.decrypt(a2)

'qb\x0c&n\xf0\xde\xf3\xb2W<\xcal\xb4f\x93\xd5\n'

In [33]:
import Crypto.Cipher.AES
import Crypto.Util.Counter

key1 = "01234ABCDEF56789" # test key
key2 = "123343cswEABCDEF"

# replace this with a RANDOMLY GENERATED VALUE, and send this with the ciphertext!
# let every member participate with the same iv
iv1 = "2100000000000001" 
iv2 = "0000000000005678" 

message = "foo bar bear bake"
    
ctr1 = Crypto.Util.Counter.new(128, initial_value=long(iv1.encode("hex"), 16))
ctr2 = Crypto.Util.Counter.new(128, initial_value=long(iv1.encode("hex"), 16))

cipher1 = Crypto.Cipher.AES.new(key1, Crypto.Cipher.AES.MODE_CTR, counter=ctr1)
cipher2 = Crypto.Cipher.AES.new(key2, Crypto.Cipher.AES.MODE_CTR, counter=ctr2)


In [34]:
def cipher(key, iv, message):
    ctr = Crypto.Util.Counter.new(128, initial_value=long(iv.encode("hex"), 16)) # can we reuse this?
    _cipher = Crypto.Cipher.AES.new(key, Crypto.Cipher.AES.MODE_CTR, counter=ctr)
    return _cipher.encrypt(message)


In [16]:
a1 = cipher2.encrypt(cipher1.encrypt(message))

In [43]:
cipher(key2, iv2, "cake")

'\xe6\xec\xd9;'

In [38]:
cipher(key1, iv1, "cake")

'\xab\xc2\xd7\xfd'

In [30]:
# at the very end, need to provide all sides with counter reset to the same initial values.
# ctr1 = Crypto.Util.Counter.new(128, initial_value=long(iv.encode("hex"), 16))
# ctr2 = Crypto.Util.Counter.new(128, initial_value=long(iv.encode("hex"), 16))
# cipher1 = Crypto.Cipher.AES.new(key1, Crypto.Cipher.AES.MODE_CTR, counter=ctr1)
# cipher2 = Crypto.Cipher.AES.new(key2, Crypto.Cipher.AES.MODE_CTR, counter=ctr2)

a2 = cipher1.encrypt(cipher2.encrypt(message))


In [31]:
a1

'w\x14F\xa9\xf5\xaa"_\x9a+\x10e\x87\x01'

In [32]:
a2

'\x13T\x88>dn\xb3\xd6\x0c\xf8\x98]!\xcc\x0ed\xf1'

In [359]:
cipher2.decrypt(a1)

'\xa7\xaa%d\\q~\x19\x8bz\x19p<\x0c'

Readings: Implementing the Mental Poker Scheme with SRA


- https://en.wikipedia.org/wiki/Mental_poker
- http://people.csail.mit.edu/rivest/ShamirRivestAdleman-MentalPoker.pdf
- https://link.springer.com/chapter/10.1007%2F3-540-39799-X_10

General Crypto
- https://9d0df72831e4b345bb93-4b37fd03e6af34f2323bb971f72f0c0d.ssl.cf5.rackcdn.com/Crypto101.pdf
- Python has Pycrypto (unmaintained), as well as Pycrytodome. See cryptography.io
- https://security.stackexchange.com/questions/33434/rsa-maximum-bytes-to-encrypt-comparison-to-aes-in-terms-of-security
- [Basic Python RSA Example](http://stackoverflow.com/questions/30056762/rsa-encryption-and-decryption-in-python)
- [Pycryptodome](https://pycryptodome.readthedocs.io/en/latest/src/examples.html#encrypt-data-with-aes)


Commutative Crypto
- http://crypto.stackexchange.com/questions/11083/can-we-decrypt-in-this-order-when-the-message-is-encrypted-twice/11084#11084
- http://crypto.stackexchange.com/questions/41328/is-there-an-encryption-method-where-the-order-of-decryption-is-irrelevant-to-the

Why we can't reuse the [counter](https://www.dlitz.net/software/pycrypto/api/current/Crypto.Util.Counter-module.html)

- https://security.stackexchange.com/questions/63188/whats-the-point-of-the-nonce-in-ctr-mode

- https://security.stackexchange.com/questions/27776/block-chaining-modes-to-avoid
- http://crypto.stackexchange.com/questions/2377/deterministic-nonces-in-ctr-mode
- http://crypto.stackexchange.com/questions/11361/how-good-is-using-aes-ctr-mode-with-initial-counter-as-0
- http://crypto.stackexchange.com/questions/23993/ivs-for-different-aes-encryption-modes

Python AES CTR Examples

- http://stackoverflow.com/questions/14714968/pycrypto-aes-ctr-implementation?rq=1
- http://stackoverflow.com/questions/11656045/pycrypto-incrementing-ctr-mode
- http://stackoverflow.com/questions/21440506/aes-ctr-implementation
- http://stackoverflow.com/questions/3154998/pycrypto-problem-using-aesctr
- http://stackoverflow.com/questions/12691168/how-aes-in-ctr-works-for-python-with-pycrypto?answertab=oldest#tab-top

Links

- Commutative? https://www.experts-exchange.com/questions/22807749/Commutative-encryption-for-secret-key-exchange.html
- About crypto and poker: https://www.cs.purdue.edu/homes/ninghui/courses/Fall05/lectures/355_Fall05_lect25.pdf
- can bloom filters help to make this faster [paper](http://www.utdallas.edu/~muratk/publications/pakdd09.pdf)

Is this work similar to zero-knowledge proof projects?
- http://crypto.stackexchange.com/questions/1363/software-implementation-of-a-commutative-cipher
- http://zk-ssh.cms.ac/
- [Privacy-preserving set intersection protocol](http://fnp.sourceforge.net/)


### Multi Node Example

Extending program to work when managing communication between multiple computers


In [345]:
# Use hostname as the salt to the hashing function as a prototype

from iaudit import network 
network.hostname()

'BlueTurtle'