Shen Zhirong,Xue Mao,Xue Wei,Shu Jiwu

2011-01-01

Journal of Computer Research and Development

Abstract:With the development of network storage technology,how to protect the shared data from being intruded continues to grow in importance in the untrusted network storage environment.This paper presents the recently researches of shared secure file system and analyzes the Corslet secure file system proposed by our group.We give the description of the roles that play in Corslet and analyze the key approaches that are used in it.Meanwhile,this paper evaluates the performance of Corslet secure file system and takes some measures to optimize performance.By evaluating the operation of reading/writing big files in Corslet,we draw the conclusion that cryptographic overhead accounts for most of the overhead caused by reading writing operation.According to the conclusion,two optimizations are proposed which are to make improvement on the implementation of cryptographic algorithms and to use the new API of cryptographic functions.With the original Corslet secure file system optimizated by the two optimizations,the performance of reading/writing improve by 16% to 20% and 5% to 12% respectively evaluated by the benchmark of IOzone.

Jiwu Shu,Zhirong Shen,Wei Xue

DOI: https://doi.org/10.1016/j.jpdc.2014.06.003

IF: 4.542

2014-01-01

Journal of Parallel and Distributed Computing

Abstract:With the increasing amount of personal data stored in public storage, users are losing control of their physical data, putting their data information at risk of theft or being compromised. Traditional secure storage systems either require users to completely trust the storage provider or impose the considerable burden of managing files on file owners; such systems are inapplicable in the practical cloud environment. This paper addresses these challenging problems by proposing a new secure system architecture and implementing a stackable secure storage system named Shield, in which a proxy server is introduced to be in charge of authentication and access control. We propose a new variant of the Merkle Hash Tree to support efficient integrity checking and file content update; further, we have designed a hierarchical key organization to achieve convenient keys management and efficient permission revocation. Shield supports concurrent write access by employing a virtual linked list; it also provides secure file sharing without any modification to the underlying file systems. A series of evaluations over various real benchmarks show that Shield causes about 7%∼13% performance degradation when compared with eCryptfs but provides enhanced security for user’s data.

刘立坤,武永卫,徐鹏志,杨广文

DOI: https://doi.org/10.3321/j.issn:0253-987x.2009.08.009

2009-01-01

Abstract:The Corsair file system(CorsairFS),a scalable distributed file system for data sharing and online storage in campus network or intranet,is proposed.Adopting scalable architecture,chunk-based storage,and register/heartbeat mechanism,both the system scalability and manageability are improved.And decoupling the data storage and metadata management,the CorsairFS facilitates the arbitrary reorganization of the namespace,and supports multiple different data view for users.The experimental results demonstrate that the system can use the storage spaces more efficiently and achieve better transfer performance,especially for the cases with large number of small files.

Liang Xue,Dongxiao Liu,Cheng Huang,Xuemin (Sherman) Shen,Weihua Zhuang,Rob Sun,Bidi Ying

DOI: https://doi.org/10.1109/icc45855.2022.9838811

2022-01-01

Abstract:In this paper, we propose a Secure and Flexible Data Sharing (SFDS) scheme for distributed storage, where data owners can outsource their data to a distributed storage network and share the data with authorized users. To preserve confidentiality, all data are encrypted by data owners' secret keys before being outsourced, and fine-grained access policies are enforced on the encrypted data (ciphertexts) to achieve flexible data sharing. Furthermore, based on the ciphertext puncturable encryption and the hierarchical identity-based encryption, we design an efficient key and ciphertext update mechanism, which enables data owners to update their secret keys and the corresponding ciphertexts periodically to deal with side-channel attacks and system vulnerabilities. Update tokens are constructed to directly derive new keys and ciphertexts. Through detailed security analysis, it is demonstrated that SFDS can achieve all three essential security properties, i.e., forward security, post-compromise security, and collusion attack resistance.

Arastoo Bozorgi,Mahya Soleimani Jadidi,Jonathan Anderson

DOI: https://doi.org/10.5220/0012306600003648

2024-03-24

Abstract:Strong confidentiality, integrity, user control, reliability and performance are critical requirements in privacy-sensitive applications. Such applications would benefit from a data storage and sharing infrastructure that provides these properties even in decentralized topologies with untrusted storage backends, but users today are forced to choose between systemic security properties and system reliability or performance. As an alternative to this status quo we present UPSS: the user-centric private sharing system, a cryptographic storage system that can be used as a conventional filesystem or as the foundation for security-sensitive applications such as redaction with integrity and private revision control. We demonstrate that both the security and performance properties of UPSS exceed that of existing cryptographic filesystems and that its performance is comparable to mature conventional filesystems - in some cases, even superior. Whether used directly via its Rust API or as a conventional filesystem, UPSS provides strong security and practical performance on untrusted storage.

Cryptography and Security,Operating Systems

Yuxia Cheng,Qing Wu,Bei Wang,Wenzhi Chen

DOI: https://doi.org/10.1007/978-3-319-69471-9_4

2017-01-01

Abstract:Protecting data security and privacy is one of the top concerns in the public cloud. As the cloud infrastructure is complex, and it is difficult for cloud users to gain trust. Particularly, how to guarantee the confidentiality and integrity of in-memory user private data in untrusted cloud faces big challenges. The in-memory data is typically used for online processing that requires high performance and plaintext access in CPU, therefore simple data encryption is infeasible for in-memory data security protection. In this paper, we propose a secure in-memory data cache scheme based on the memcached key-value store system and leverage the new trusted Intel SGX processors to protect sensitive operations. Firstly, we build a secure enclave and design a trusted channel protocol using remote attestation mechanism. Secondly, we propose a cache server partitioning method that decouples the sensitive key-value operations with enclave protection. Thirdly, we implement a secure client library to maintain the original cache semantics for application compatibility. The experimental result showed that the proposed solutions achieves comparable performance with the traditional key-value store systems, while improves the level of data security in untrusted cloud.

Xiangguo Li,JianHua Yang,Zhaohui Wu

DOI: https://doi.org/10.1007/11576259_15

2005-01-01

Abstract:This paper presents a security scheme for network-attached storage based on NFSv4 frame. One novel aspect of our system is that it enhances NFSv4 to guarantee the security of storage. Another novel feature is that we develop new user authentication mechanism which outperforms Kerberos. It uses HMAC and the symmetric cryptography to provide the integrity and privacy of transmitted data. The system includes three essential procedures: authenticating user, establishing security context and exchanging data. Our scheme can protect data from tampering, eavesdropping and replaying attacks, and it ensures that the data stored on the device is copy-resistant and encrypted. In spite of this level of security, the scheme does not impose much performance overhead. Our experiments show that large sequential reads or writes with security impose performance expense by 10-20%, which is much less than some other security systems.

Guoyou Chen,Jiajia Miao,Feng Xie,Handong Mao

DOI: https://doi.org/10.4028/www.scientific.net/amm.278-280.1767

2013-01-01

Applied Mechanics and Materials

Abstract:Cloud computing has been a hot researching area of computer network technology, since it was proposed in 2007. Cloud computing also has been envisioned as the next-generation architecture of IT Enterprise [1]. Cloud computing infrastructures enable companies to cut costs by outsourcing computations on-demand. It moves the application software and database to the large data centers, where the management of the data and services may not be fully trustworthy [2]. This poses many new security challenges. In this paper, we just focus on data storage security in the cloud, which has been the most important aspect of quality of service. To ensure the confidentiality and integrity of user's data in the cloud, and support of data dynamic operations, such as modification, insertion and deletion, we propose a framework for storage security, which includes cryptographic storage scheme and data structure. With our framework, the untrusted server cannot learn anything about the plaintext, and the dynamic operation can be finished in short time. The encryption algorithm and data storage structure is simple, and it's easy to maintain. Hence, our framework is practical to use today.

Kiavash Satvat,Maliheh Shirvanian,Nitesh Saxena

DOI: https://doi.org/10.48550/arXiv.2102.13607

2021-02-27

Abstract:In this paper, we introduce PASSAT, a practical system to boost the security assurance delivered by the current cloud architecture without requiring any changes or cooperation from the cloud service providers. PASSAT is an application transparent to the cloud servers that allows users to securely and efficiently store and access their files stored on public cloud storage based on a single master password. Using a fast and light-weight XOR secret sharing scheme, PASSAT secret-shares users' files and distributes them among n publicly available cloud platforms. To access the files, PASSAT communicates with any k out of n cloud platforms to receive the shares and runs a secret-sharing reconstruction algorithm to recover the files. An attacker (insider or outsider) who compromises or colludes with less than k platforms cannot learn the user's files or modify the files stealthily. To authenticate the user to multiple cloud platforms, PASSAT crucially stores the authentication credentials, specific to each platform on a password manager, protected under the user's master password. Upon requesting access to files, the user enters the password to unlock the vault and fetches the authentication tokens using which PASSAT can interact with cloud storage. Our instantiation of PASSAT based on (2, 3)-XOR secret sharing of Kurihara et al., implemented with three popular storage providers, namely, Google Drive, Box, and Dropbox, confirms that our approach can efficiently enhance the confidentiality, integrity, and availability of the stored files with no changes on the servers.

Cryptography and Security

Hsiao-Ying Lin,Wen-Guey Tzeng

DOI: https://doi.org/10.1109/tpds.2011.252

IF: 5.3

2012-06-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:A cloud storage system, consisting of a collection of storage servers, provides long-term storage services over the Internet. Storing data in a third party's cloud system causes serious concern over data confidentiality. General encryption schemes protect data confidentiality, but also limit the functionality of the storage system because a few operations are supported over encrypted data. Constructing a secure storage system that supports multiple functions is challenging when the storage system is distributed and has no central authority. We propose a threshold proxy re-encryption scheme and integrate it with a decentralized erasure code such that a secure distributed storage system is formulated. The distributed storage system not only supports secure and robust data storage and retrieval, but also lets a user forward his data in the storage servers to another user without retrieving the data back. The main technical contribution is that the proxy re-encryption scheme supports encoding operations over encrypted messages as well as forwarding operations over encoded and encrypted messages. Our method fully integrates encrypting, encoding, and forwarding. We analyze and suggest suitable parameters for the number of copies of a message dispatched to storage servers and the number of storage servers queried by a key server. These parameters allow more flexible adjustment between the number of storage servers and robustness.

computer science, theory & methods,engineering, electrical & electronic

Xiong Li,Saru Kumari,Jian Shen,Fan Wu,Caisen Chen,SK Hafizul Islam

DOI: https://doi.org/10.1007/s11277-016-3742-6

IF: 2.017

2016-01-01

Wireless Personal Communications

Abstract:Cloud storage is a new storage mode emerged along with the development of cloud computing paradigm. By migrating the data to cloud storage, the consumers can be liberated from building and maintaining the private storage infrastructure, and they can enjoy the data storage service at anywhere and anytime with high reliability and a relatively low cost. However, the security and privacy risks, especially the confidentiality and integrity of data seem to be the biggest hurdle to the adoption of the cloud storage applications. In this paper, we consider the secure data access and sharing issues for cloud storage services. Based on the intractability of the discrete logarithm problem, we design a secure data access and data sharing scheme for cloud storage, where we utilize the user authentication scheme to deal with the data access problem. According to our analysis, through our scheme, only valid user with the correct password and biometric can access to the cloud storage provider. Besides, the authorized users can access the rightful resources and verify the validity of the shared data, but cannot transfer the permission to any other party. At the same time, the confidentiality and integrity of data can be guaranteed.

Liwei Guo,Yiying Zhang,Felix Xiaozhu Lin

DOI: https://doi.org/10.48550/arXiv.1902.06327

2019-02-17

Cryptography and Security

Abstract:Smart devices produce security-sensitive data and keep them in on-device storage for persistence. The current storage stack on smart devices, however, offers weak security guarantees: not only because the stack depends on a vulnerable commodity OS, but also because smart device deployment is known weak on security measures. To safeguard such data on smart devices, we present a novel storage stack architecture that i) protects file data in a trusted execution environment (TEE); ii) outsources file system logic and metadata out of TEE; iii) running a metadata-only file system replica in the cloud for continuously verifying the on-device file system behaviors. To realize the architecture, we build Overwatch, aTrustZone-based storage stack. Overwatch addresses unique challenges including discerning metadata at fine grains, hiding network delays, and coping with cloud disconnection. On a suite of three real-world applications, Overwatch shows moderate security overheads.

Yuxiang Chen,Guishan Dong,Chunxiang Xu,Yao Hao,Yue Zhao

DOI: https://doi.org/10.3390/s23208526

IF: 3.9

2023-10-18

Sensors

Abstract:In this paper, we propose a user-friendly encrypted storage scheme named EStore, which is based on the Hadoop distributed file system. Users can make use of cloud-based distributed file systems to collaborate with each other. However, most data are processed and stored in plaintext, which is out of the owner's control after it has been uploaded and shared. Meanwhile, simple encryption guarantees the confidentiality of uploaded data but reduces availability. Furthermore, it is difficult to deal with complex key management as there is the problem whereby a single key encrypts different files, thus increasing the risk of leakage. In order to solve the issues above, we put forward an encrypted storage model and a threat model, designed with corresponding system architecture to cope with these requirements. Further, we designed and implemented six sets of protocols to meet users' requirements for security and use. EStore manages users and their keys through registration and authentication, and we developed a searchable encryption module and encryption/decryption module to support ciphertext retrieval and secure data outsourcing, which will only minimally increase the calculation overhead of the client and storage redundancy. Users are invulnerable compared to the original file system. Finally, we conducted a security analysis of the protocols to demonstrate that EStore is feasible and secure.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Qingni Shen,Xin Yang,Xi Yu,Pengfei Sun,Yahui Yang,Zhonghai Wu

DOI: https://doi.org/10.1109/APSCC.2011.56

2011-01-01

Abstract:Cloud Storage has been turned into a common platform shared among varied organizations, even market competitors, thus has raised many security concerns. Most of the current researches focus on data encryption and decryption, in this paper, however, we take an alternative perspective - access control, to design and implement a secure solution for cloud storage, aiming to solve both the data isolation problem, which ensures that data in storage cloud owned by one company wouldn't be crossly accessed by other ones, and data collaboration problem, which makes data sharing between different organizations through storage cloud possible while still under the restriction of company data isolation. Besides, we have presented a pretty flexible security policy which could be easily customized to fit the variant security requirements in different cooperation. Finally, a prototype has been implemented based on HDFS by this policy, and the time cost is given and evaluated. © 2011 IEEE.

Yuxiang Chen,Yao Hao,Zhongqiang Yi,Xiaoyu Guo,Chunxiang Xu

DOI: https://doi.org/10.1109/nana56854.2022.00042

2022-01-01

Abstract:As file management is widely used in e-government and enterprise office, the file exchange, as the main means of sharing and collaborating in office, has been far from able to meet the needs of data security. Encrypted Storage with its highly security, controllability, can be an effective solution to the limitations of existing authority control services. However, during the data sharing and exchange, the file is separated from the owner, which has the problem of insufficient or over -authorization, thus needs fine-grained hierarchical control and cooperation. In this article, we propose a hierarchical management and control scheme for encrypted storage combined with ciphertext retrieval. The proposed scheme supports top-down privilege division without increasing the number of managed keys, all the data are processed and authorized strictly, the high-level user can deduce the keys of lower authorized users, but not vice versa, thus solving data leakage caused by over-authorization. Through performance and security analysis, we demonstrate that the scheme can better meet the data security and precise authorization requirements.

V Naresh,M Anudeep,M Saipraneeth,A Saikumar Reddy,V Navya

DOI: https://doi.org/10.14419/ijet.v7i2.32.15703

2018-05-31

International Journal of Engineering and Technology

Abstract:The cloud stockpiling framework, comprising of capacity servers, gives long haul stockpiling administrations on the Internet. Maintaining the data in the cloud computing of third parties generates: serious concern about the confidentiality of data and the reduction of data management costs. Nonetheless, we should give security certifications to outside information. We plan and actualize a protected cloud stockpiling framework that gives secure, secure and available record security for document administration and secure information exchange. It includes foreign files with a file access policy, possibly deleting files, to avoid being denied to anyone with a file access policy. To achieve these security objectives, a set of password keys is implemented that maintain a host (s) or head (s) separately. We offer a twofold edge intermediary coding plan and incorporate it with a decentralized disposal code, which is detailed with a safely Cloud storage framework. The Cloud storage system not only provides a secure and stable search and storage of data, but also allows the user to transfer their data to the user of the backup to another user without the data being returned.

Cong Wang,Qian Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/iwqos.2009.5201385

2009-01-01

Abstract:Cloud computing has been envisioned as the next-generation architecture of IT enterprise. In contrast to traditional solutions, where the IT services are under proper physical, logical and personnel controls, cloud computing moves the application software and databases to the large data centers, where the management of the data and services may not be fully trustworthy. This unique attribute, however, poses many new security challenges which have not been well understood. In this article, we focus on cloud data storage security, which has always been an important aspect of quality of service. To ensure the correctness of users' data in the cloud, we propose an effective and flexible distributed scheme with two salient features, opposing to its predecessors. By utilizing the homomorphic token with distributed verification of erasure-coded data, our scheme achieves the integration of storage correctness insurance and data error localization, i.e., the identification of misbehaving server (s). Unlike most prior works, the new scheme further supports secure and efficient dynamic operations on data blocks, including: data update, delete and append. Extensive security and performance analysis shows that the proposed scheme is highly efficient and resilient against Byzantine failure, malicious data modification attack, and even server colluding attacks.

H Han,YF Dai,XM Li

DOI: https://doi.org/10.1002/cpe.839

2005-01-01

Concurrency and Computation Practice and Experience

Abstract:The CSFS (cryptographic storage file system) is a network file storage system that is suitable for a small‐to‐medium sized networks such as a campus network. In a CSFS, a lot of distributed file servers are organized in a star‐liked architecture. File names are stored in a name server and file data are stored in distributed file servers. A CSFS has good scalability and is able to accommodate hundreds of file servers. We implemented a CSFS in pure Java and tested the system with a benchmark. The test results show that CSFS delivers acceptable performance for general file operations. Its performance of file upload and download is as efficient as FTP. It can support more than 450 concurrent online users. Copyright © 2005 John Wiley & Sons, Ltd.

Jinlei Jiang,Xiaomeng Huang,Yongwei Wu,Guangwen Yang

DOI: https://doi.org/10.4018/978-1-4666-2854-0.ch012

2013-01-01

Abstract:We are now living in the era of big data. The large volume of data raises a lot of issues related to data storage and management, stimulating the emergence of Cloud storage. Unlike traditional storage systems such as SAN (Storage Area Network) and NAS (Network Attached Storage), Cloud storage is delivered over a network and has such features as easy to scale and easy to manage. With Cloud storage shielding complex technical details such as storage capacity, data location, data availability, reliability and security, users can then concentrate on their business rather than IT (Information Technology) system maintenance. However, it is not an easy task to develop a Cloud storage system because multiple factors are involved. In this chapter, the authors show their experience in the design and implementation of a Cloud storage system. They detail its key components, namely the distributed file system Carrier and the data sharing service Corsair. A case study is also given on its application at Tsinghua University.

Shenglong Zhao,Zhichao Hua,Yubin Xia

DOI: https://doi.org/10.1109/icpads60453.2023.00097

2023-01-01

Abstract:Consortium networks are usually constructed among enterprises and organizations. A consortium network is a specific type of decentralized network which only has a limited number of untrusted nodes. Consortium systems are designed to achieve consensus in such a network and provide stable and trusted services. Meanwhile, secure data sharing plays a crucial role in the consortium network, introducing new requirements to the underlying file system. Firstly, a consortium file system should be decentralized since any party of the consortium network is untrusted. Secondly, it should enforce data confidentiality and integrity and provide access control. Finally, the system should offer high performance. Existing file systems are designed for public decentralized or centralized networks and cannot meet all the above requirements. To address this problem, we present SecDFS, a decentralized, secure, high-performance file system for consortium networks. SecDFS first combines trusted execution environment and consistent hashing to design a consistent consensus protocol, through which SecDFS distributes files across consortium nodes and achieves data consensus. After that, SecDFS introduces a secure storage constructing method to protect the confidentiality and integrity of both the data and metadata, as well as a two-level cache to speed up the file system performance. We have implemented a prototype of SecDFS and performed a detailed evaluation with it. The results show that SecDFS has 74.83X latency speedup compared with the InterPlanetary File System on average.