Xiaohua Jia Shen Zhen Graduate School Harbin Institute of Technology Data Security for Cloud Storage...

Xiaohua JiaShen Zhen Graduate School

Harbin Institute of Technology

Data Security for Cloud Storage Systems

1

Outline

Dept. of Computer Science City University of Hong Kong

2

Cloud Storage Systems Auditing as a Service Access Control as a Service

Cloud Storage Systems


3

Cloud Storage Systems – data owners A model of online storage


4

Cloud Service Providers•Operate large data centers•Virtualize storage pools

Data Owners•Buy or rent storage in a pay-as-you-go model•Data stored in virtual storage

Cloud Storage Systems - users


5

OwnersUsers

Separation of data ownership and service provider

Users can access datafrom anywhere and at anytime

Security Challenges

Cloud Servers are not fully trustable:Data Integrity

Data could be corrupted or even deleted in the cloud.

Data Access controlData may be given access to unauthorized users.


6

Data Integrity

Auditing as a Service


7

Auditing as a Service

Checking On Retrieval is not adequate: Not sufficient: random sampling cannot cover large

size of data Not convenient: overhead is too high


8

Auditing as a Service A service to check the cloud data integrity Conducted by a Third Party Auditor

Why Third Party Auditing?


9

A third party auditor can Provide unbiased auditing results

Benefit for both data owners and service providers Data Owners – be ensured data integrity Service Providers – Build good reputation

Able to do a good job efficiently Professional Expertise Computing Capabilities

Research Issues Privacy Preservation

Keep the data confidential against the auditor

Dynamic Auditing Allow dynamic updates of data in the cloud

Batch Auditing Combine multiple auditing tasks together to

improve efficiency


10

Architecture of 3rd Party Auditing

Initialization: Data owner sends 1) encrypted data & verification tags to server, and 2) data index to auditorChallenge: Auditor sends Challenge to cloud serverProof: Server responses with ProofVerification: Auditor verifies correctness of the Proof


11

Auditor

Owners Cloud Servers

An Auditing Algorithm Initialization

Data Segmentation – Improve Efficiency Homomorphic Tag – Batch Auditing


12

m m1 mi mn

mi mi1 mij

……

mil……

Divide m into n blocks

Split mi into l sectors

System Parameters: G1, G2 , GT: multiplicative groups with the same prime order p

e: pairing operation maps a pair of points from G1 and G2 to a point in GT

g1: generator of G1; g2: generator of G2

Initialization (cont’d)


13

m m1 mi mn

mi mi1 mij

……

mil……

abstract information of m:FID, # of blocks, index table, etc.

Cloud Servers

Auditor

ti = (h(skh, FID||i)Πj=1->l g1xjmij)skt

skt: secret tag key kept by ownerskh: secret hash key shared with auditorg2

skt : public tag key shared with auditorg1

xj : random key shared with the cloud

Sampling Auditing Challenge from auditor: C = ({i, vi}iQ, R = (g2

skt) r)

Proof by Cloud: P = (DP, TP)Data Proof:

DP = Πj=1->l e(g1xj, R)MPj where MPj = ΣiQvimij

Tag Proof: TP = ΠiQ ti

vi


14

m1 m11 m1j m1l……

mi mi1 mij mil……

mq mq1 mqj mql……

MP1 MPj MPl

Sampling Auditing Challenge from auditor : C = ({i, vi}iQ , R = (g2

skt) r)

Proof by Cloud: P = (DP, TP)Data Proof:

DP = Πj=1->l e(g1xj, R)MPj where MPj = ΣiQvimij

Tag Proof: TP = ΠiQ ti

vi

Verification by auditor: Hchal = ΣiQh(skh, FID||i)rvi

DP·e(Hchal , g2skt) = e(TP, g2

r)Dept. of Computer Science

City University of Hong Kong15

?

References

Kan Yang and Xiaohua Jia. “Security for Cloud Storage Systems”, Springer 2014, ISBN 978-1-4614-7872-0.

Kan Yang and Xiaohua Jia. “An Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud Computing”. IEEE Trans. on Parallel and Distributed Systems (TPDS), Vol 24, Issue 9, September 2013.

Kan Yang and Xiaohua Jia. “Data Storage Auditing Service in Cloud Computing: Challenges, Methods and Opportunities”. World Wide Web, Vol 15, Issue 4, July 2012.


16

Data Access Control

Access Control as a Service


17


18

Access Control as a ServiceData stored in server is encrypted.Encryption-based Access Control

Each authorized user receives a secret key Users can decrypt ciphertext by their secret keys

SK

UserOwner


19

Difficulties in Key Distribution

Asymmetric Key Encryption (users pub-key for encryption) Multi-copies of encrypted data for difference users

Symmetric Key Encryption Difficulties in key distribution

A Wish-list for Encryption-based Access Control

Key management is scalable No need of online trusted server for access control Expressive access control polices


20

Attribute-Based Encryption (ABE) is a promising direction to go!

Ciphertext-Policy Attribute-Based Encryption (CP-ABE) Data are encrypted by the access policy

Secret keys are associated with attributes Attributes are mathematically incorporated into the key


21

(CS AND PhD) OR Prof

OR

AND

CS PhD

Prof

{EE, Prof}

AliceSK

Bob

{CS, PhD}

Ciphertext can be decrypted iff attributes in the key satisfy the access policy


22

Ciphertext-Policy Attribute-Based Encryption (CP-ABE)

• No 3rd party evaluates the policy and makes access decision (server is excluded)

• Policy checking is embedded in cryptography

{EE, Prof}

(CS AND PhD) OR Prof

Satisfies

Alice

Attribute-Based Access Control (ABAC)


23

PK

MSK

SKBob:“CS Dept.”“Professor”

SKKevin:“CS Dept.”“Master”

OR

Professor AND

CS Dept. PhD

AuthorityOwner

Advantages of ABAC

Access policy is defined by owners

Access policy is enforced by the cryptography nobody explicitly evaluates the policies and makes an

access decision

Only one copy of ciphertext is generated for each file


24

Basic Construction G: multiplicative group of prime order p.

Intuitive Hardness Discrete Log:

Given: g, ga Hard to find: a

Bilinear map e: GG GT Def: An admissible bilinear map e: GG GT is:

–Non-degenerate: g generates G e(g, g) generates GT.

–Bilinear: e(ga, gb) = (e(g,g))ab a,bZp, gG

–Efficiently computable


25

CP-ABE Algorithms


26

Setup(λ) -> MSK, PK PK

MSK

Encrypt(PK ,M, Access policy) -> CT

KeyGen(MSK, Attrs.) -> SK “CS Dept.”“PhD”

SK

Decrypt(SK, CT) -> M“CS Dept.”“PhD”

SK

OR

ProfessorAND

CS Dept. PhD

OR

ProfessorAND

CS Dept. PhD

System Setup


27

PK = ( g, gb, e(g, g)a , H: {0,1}* G )

MSK = aMSK

Public Key

Authority

a, b R ZP

Secret Key Generation


28

Authority

Authority issues secret keys for users who have attributes

BobAlice Charlie

“CS Dept.”“Professor”

“CS Dept.”“Master”

“EE Dept.”“PhD”

Collusion Attack


29

Users may collude to decrypt data by combining their attributes

“EE Dept.”“PhD”

CharlieBob

“CS Dept.”“Master”

OR

AND

CS Dept. PhD

Prof

Prevent Collusion Attack


30

SK = ( ga+bt, gt, H(“Master”)t, H(“CS Dept.”)t, H(“TA”)t )

t: random number in Zp. It ties components in SK together

Authority

MSK = aBob has attributes: {“Master”, “CS Dept.”, “TA”}

Personalization!Collusion Resistance

Key Personalization


31

Bob:“CS Dept.”…

Charlie:“PhD”…

Random t

Random t’

Components are incompatible

ga+bt, gt, H(“CS Dept.”)t,

ga+bt’, gt’, H(“PhD”)t’

SK

SK

Data Encryption


32

M

Given M and policy, owner generates a random secret s

OR

AND

CS Dept. PhD

Prof

s

s

s3=r s2=s-r

s1=s

Data Owner

OR

ProfessorAND

CS Dept. PhD

Ciphertext:

CT = ( M e(g,g)as, gs,

C1 = (gbs1H(“Prof”)r1, gr1), C2 = (gbs2H(“PhD”)r2,

C3 = (gbs3H(“CS Dept.”)r3, gr3) )

.

PK = ( g, gb, e(g, g)a , H: {0,1}* G )

Data Decryption


33

Ciphertext CT

Secret Key SK

CT = ( Me(g,g)as, gs, C1= (gbs1H(“Prof”)r1, gr1),

C2 = (gbs2H(“PhD”)r2, gr2), C3 = (gbs3H(“CS Dept.”)r3, gr3) )

SK = ( ga+bt, gt, H(“Prof”)t, H(“PhD”)t, H(“CS Dept.”)t )

e(g,g)bts =e(gbs1H(“Prof”)r1, gt)

e(gr1, H(“Prof”)t)

e(ga+bt, gs) = e(g,g)as e(g,g)bts

“Prof” “PhD” AND “CS Dept.”OR

= e(g,g)bts2 e(g,g)bts3

= e(g,g)bts

e(gbs2H(“PhD”)r2, gt)

e(gr2, H(“PhD”)t)

e(gbs3H(“CS Dept.”)r3, gt)

e(gr3, H(“CS Dept.”)t) .

Research Challenges


34

Multiple Authorities

Bob:“CS dept.”

Kevin:“manager”

AND

CS dept. OR

manager marketing

Authorityin CityU

Authorityin Google

Research Challenges


35

Attribution RevocationPrevent revoked users from decrypting new ciphertextsGuarantee new users to decrypt previous ciphertexts

Decryption EfficiencyMobile Devices

Policy Hidden

K Yang, X Jia, K Ren, R Xie and L Huang. “Enabling Efficient Access Control with Dynamic Policy Updating for Big Data in the Cloud”, INFOCOM’14.

K Yang, X Jia, K Ren and B Zhang. “DAC-MACS: Effective Data Access Control for Multi-Authority Cloud Storage Systems”, INFOCOM’13, extended version in IEEE Trans on Information Forensics and Security 8(11), 2013.

K Yang and X Jia. “Attributed-based Access Control for Multi-authority Systems in Cloud Storage,” ICDCS’12.

Summary

Cloud server is not fully trusted by data owners

Data Integrity Auditing as a Service

Data Access Control Access Control as a Service


36

Q&A

Thank You!

Dept. of Computer ScienceCity University of Hong Kong

37

Xiaohua Jia Shen Zhen Graduate School Harbin Institute of Technology Data Security for Cloud Storage...

Documents

Transcript of Xiaohua Jia Shen Zhen Graduate School Harbin Institute of Technology Data Security for Cloud Storage...