Fangyong Hou,Dawu Gu,Nong Xiao,Yuhua Tang

DOI: https://doi.org/10.1109/cit.2008.4594711

2008-01-01

Abstract:To protect data privacy and integrity, it encrypts each protected disk sector and creates hash tree upon all the protected sectors to resist against any possible attacks. To make it an appropriate way for disk protection, it designs the required solutions of disk layout, performance optimizing and consistency maintaining. Disk layout uses a fixed disk region to preserve hash tree nodes; performance optimizing utilizes system memory to buffer those frequently used hash tree nodes to offload the big working cost; and consistency maintaining logs disk modifications to recovery the valid result after unexpected failures. The implementation cost is low and running performance is satisfiable. Analysis and experimental simulations show that it is a practical and available way to build secure disk.

Mengqi Zeng,Dawu Gu,Fangyong Hou,Yuanyuan Zhang,Tao Cheng

DOI: https://doi.org/10.1109/NAS.2009.70

2009-01-01

Abstract:Self-securing storage devices prevents intruders from undetectably tampering with or permanently deleting stored data. To accomplish this, we design an efficient self-securing disk architecture, which is based on traditional self-securing storage prototype S4: 1) On the confidentiality protection side, authenticated encryption mode GCM is adapted to process disk block in parallel ,and authentication latency is overlapped with disk access latency so that our scheme is more efficient and secure than Windows BitLocker. 2) On the integrity protection side, GHASH proposed in GCM is used to generate MAC which is more efficient than SHA-1, MD5. Moreover, ldquoMinimum Integrity Verification Treerdquo is put forward to decrease performance loss at a maximum. 3) On the access control protection side, we propose a cryptographically featured capability based access control model, which is based on existing OSD access control model. We use hybrid hard drive as an instance to build a self-securing disk prototype which is implemented by simulation. The encryption/authentication overheads are significantly reduced due to buffer techniques and combined GCM/Flash scheme. According to the simulation results, the performance overhead is less than 18%, which is efficient and practical.

Minal Moharir,A. V. Suresh

DOI: https://doi.org/10.48550/arXiv.1109.4565

2011-08-26

Abstract:The main objective of the paper is to study and develop an efficient method for Hard Disk Drive(HDD) Security using Full Disk Encryption (FDE) with Advanced Encryption Standards(AES) for data security specifically for Personal Computers(PCS) and Laptops . The focus of this work is to authenticate and protect the content of HDD from illegal use. The paper proposes an adaptive methods for protecting a HDD based on FDE. The proposed method is labeled as DiskTrust. FDE encrypts entire content or a single volume on your disk. DiskTrust implements Symmetric key cryptography with, Advanced Encryption Standards. Finally, the applicability of these methodologies for HDD security will be evaluated on a set of data files with different key sizes.

Cryptography and Security

ZHANG Qin,LIU Shu-ming

DOI: https://doi.org/10.3969/j.issn.1002-2279.2008.01.014

2008-01-01

Microprocessors

Abstract:Ordinary encrypted file system can protect the content of files,and the encrypted file is bound with the relevant key.But,the key is just protected securely by the short password.This is a defect for the system and this question need to be solved exigently.This paper proposes a method based on TPM key-tree and data check-up with HMAC.The TPM key-tree encrypts all keys in file system and binds the keys with the TPM platform,thus,keys are protected safely and security of the whole system is enhanced.The data check-up with HMAC not only ensures security but also improves the performance of integrality check-up.

LIN Hao-xiang,DONG Yuan,ZHANG Wei,ZHANG Su-qin,HU Chang-jun

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.01.026

2007-01-01

Abstract:Recently it has been a focus to protect personal sensitive information. Using cryptographic technique is a promising way. This paper describes the design and implementation of Waycryptic, a versatile cryptographic file system for Linux. By integrating cryptographic technique into file system level, users obtain transparent, dynamic, efficient and secure encryption function without modifying their applications. Encrypted files could be saved on any physical file system which supports extended attributes (XATTR). Waycryptic also permits encrypted files to be shared among multi users and to be easily recovered by designating an account in advance. The results of Iozone and Bonnie benchmarks show that Waycryptic is comparatively efficient and is suitable for personal or multi-user systems which require enhanced security.

曾梦岐,谷大武,侯方勇,宋宁楠

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.03.046

2010-01-01

Abstract:This paper puts forward a self-securing disk model system, which self-securing storage technique and cryptographic technique are combined to protect disk data. The self-securing technique includes safe boundary, and access control. The cryptographic technique mainly refers to encryption/decryption. The self-securing disk is more intelligent when expansion adds to common disk architecture.

Fangyong Hou,Nong Xiao,Fang Liu,Hongjun He,Dawu Gu

DOI: https://doi.org/10.1109/nas.2009.15

2009-01-01

Abstract:Hash tree based disk storage integrity protection suffers from performance penalty and possible losing of consistency. FI-Tree deploys a fixed-structure tree and applies incremental-hash to tree node updating to solve the difficulties of performance and consistency. The biggest advantage of FI-Tree comes from that: to allow tree nodes to be cached to optimize performance, it can maintain consistency between the tree and the protected data with low cost at the same time. Basing on FI-Tree, TNSD constructs an instance of secure disk. TNSD associates one nonce with each data block to be protected, and applies FI-Tree to ensure the nonce to be untampered. In such way, data protection can be fulfilled with resistance against any attacks. Related approaches are elaborated, as well as testing results. Theoretical analysis and experimental simulation show that it is a practical and available way to build secure disk.

Mengqi Zeng,Fangyong Hou,Dawu Gu,Yuanyuan Zhang,NingNan Song

DOI: https://doi.org/10.1109/HPCC.2008.129

2008-01-01

Abstract:Hybrid hard drives (HHD) are coming up with potential high viability in mobile computing. It's quite necessary to put forward an efficient secure scheme for hybrid hard drives. NAND Flash of HHD is made full use as a container and a buffer for metadata. We propose an efficient combined scheme based on Galois/Counter Mode (GCM) to protect hard disk data by authenticated encryption, and build a secure architecture for HHD. Our results show that we not only protect the disk data by authenticated encryption, but also gain high performance. According to the simulation results, for the best of our methods, the performance overhead is less than 18%, which is efficient and acceptable practically.

ZHANG Jing,CHEN Wen-yuan,ZHANG Wei-ping

DOI: https://doi.org/10.3969/j.issn.1008-0570.2008.26.064

2008-01-01

Abstract:With the explosion of information,information security increasingly becomes evident. A complete data encryption system must consists of a reliable authentication mechanism and an advanced encryption algorithm. In this paper,we will introduce a new fast encryption system based on MEMS stronglink,USB controller and FPGA and its crypto algorithm is AES. A common IDE harddisk attached on this system becomes a very safe USB mobile encrypted harddisk,and the data throughput rate of it achieves 10MB/s,closed to any common USB flash disk in the market.

Danny Harnik,Oded Naor,Effi Ofer,Or Ozery

DOI: https://doi.org/10.48550/arXiv.2205.15545

2022-05-31

Cryptography and Security

Abstract:Disk encryption today uses standard encryption methods that are length preserving and do not require storing any additional information with an encrypted disk sector. This significantly simplifies disk encryption management as the disk mapping does not change with encryption. On the other hand, it forces the encryption to be deterministic when data is being overwritten and it disallows integrity mechanisms, thus lowering security guarantees. Moreover, because the most widely used standard encryption methods (like AES-XTS) work at small sub-blocks of no more than 32 bytes, deterministic overwrites form an even greater security risk. Overall, today's standard practice forfeits some security for ease of management and performance considerations. This shortcoming is further amplified in a virtual disk setting that supports versioning and snapshots so that overwritten data remains accessible. In this work, we address these concerns and stipulate that especially with virtual disks, there is motivation and potential to improve security at the expense of a small performance overhead. Specifically, adding per-sector metadata to a virtual disk allows running encryption with a random initialization vector (IV) as well as potentially adding integrity mechanisms. We explore how best to implement additional per-sector information in Ceph RBD, a popular open-source distributed block storage with client-side encryption. We implement and evaluate several approaches and show that one can run AES-XTS encryption with a random IV at a manageable overhead ranging from 1\%--22\%, depending on the IO size.

GAO Wei,GU Da-wu,HOU Fang-yong,SONG Ning-nan

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.02.050

2009-01-01

Abstract:A fast disk encryption algorithm targeted at the specific application scenario of disk encryption is devised.The new algorithm is a tweakable cipher,and experimental results show that its performance is about 20% better than the algorithm adopted by Windows Vista Bitlocker Driver Encryption in software environment.The algorithm can provide the pseudo integrity protection ability.

Xiaoyu Ma,Fan Zhang,Yan Han

DOI: https://doi.org/10.1088/1742-6596/2221/1/012047

2022-01-01

Abstract:Abstract An authenticated encryption chip with novel nonce generation circuit was developed. This circuit associates the nonce generation with the contents and receiving time of plaintext. It will also generate overlapping power compensation for the whole chip. The integrated chip was fabricated under SMIC 180nm technology. Under 1.8V VDD, 100MHz global clock, the power consumption is about 14mW within 50k gates. The test result exhibits more than 10 times the strength in resistance to side-channel attack than the unprotected version without increasing hardware cost.

Weiping Zhang,Wenyuan Chen,Jian Tang,Peng Xu,Yibin Li,Shengyong Li

DOI: https://doi.org/10.3390/s91109300

IF: 3.9

2009-01-01

Sensors

Abstract:In this paper, a novel portable hard-disk encryption/decryption system with a MEMS coded lock is presented, which can authenticate the user and provide the key for the AES encryption/decryption module. The portable hard-disk encryption/decryption system is composed of the authentication module, the USB portable hard-disk interface card, the ATA protocol command decoder module, the data encryption/decryption module, the cipher key management module, the MEMS coded lock controlling circuit module, the MEMS coded lock and the hard disk. The ATA protocol circuit, the MEMS control circuit and AES encryption/decryption circuit are designed and realized by FPGA(Field Programmable Gate Array). The MEMS coded lock with two couplers and two groups of counter-meshing-gears (CMGs) are fabricated by a LIGA-like process and precision engineering method. The whole prototype was fabricated and tested. The test results show that the user's password could be correctly discriminated by the MEMS coded lock, and the AES encryption module could get the key from the MEMS coded lock. Moreover, the data in the hard-disk could be encrypted or decrypted, and the read-write speed of the dataflow could reach 17 MB/s in Ultra DMA mode.

Weiping Zhang,Wenyuan Chen,Jian Tang,Peng Xu,Yibin Li,Shengyong Li

DOI: https://doi.org/10.3390/s91109300

IF: 3.9

2009-01-01

Sensors

Abstract:In this paper, a novel portable hard-disk encryption/decryption system with a MEMS coded lock is presented, which can authenticate the user and provide the key for the AES encryption/decryption module. The portable hard-disk encryption/decryption system is composed of the authentication module, the USB portable hard-disk interface card, the ATA protocol command decoder module, the data encryption/decryption module, the cipher key management module, the MEMS coded lock controlling circuit module, the MEMS coded lock and the hard disk. The ATA protocol circuit, the MEMS control circuit and AES encryption/decryption circuit are designed and realized by FPGA(Field Programmable Gate Array). The MEMS coded lock with two couplers and two groups of counter-meshing-gears (CMGs) are fabricated by a LIGA-like process and precision engineering method. The whole prototype was fabricated and tested. The test results show that the user’s password could be correctly discriminated by the MEMS coded lock, and the AES encryption module could get the key from the MEMS coded lock. Moreover, the data in the hard-disk could be encrypted or decrypted, and the read-write speed of the dataflow could reach 17 MB/s in Ultra DMA mode.

Yuxia Cheng,Qing Wu,Bei Wang,Wenzhi Chen

DOI: https://doi.org/10.1007/978-3-319-69471-9_4

2017-01-01

Abstract:Protecting data security and privacy is one of the top concerns in the public cloud. As the cloud infrastructure is complex, and it is difficult for cloud users to gain trust. Particularly, how to guarantee the confidentiality and integrity of in-memory user private data in untrusted cloud faces big challenges. The in-memory data is typically used for online processing that requires high performance and plaintext access in CPU, therefore simple data encryption is infeasible for in-memory data security protection. In this paper, we propose a secure in-memory data cache scheme based on the memcached key-value store system and leverage the new trusted Intel SGX processors to protect sensitive operations. Firstly, we build a secure enclave and design a trusted channel protocol using remote attestation mechanism. Secondly, we propose a cache server partitioning method that decouples the sensitive key-value operations with enclave protection. Thirdly, we implement a secure client library to maintain the original cache semantics for application compatibility. The experimental result showed that the proposed solutions achieves comparable performance with the traditional key-value store systems, while improves the level of data security in untrusted cloud.

Jian Zhang,Yang,Yanjiao Chen,Fei Chen

DOI: https://doi.org/10.1109/iwqos.2017.7969107

2017-01-01

Abstract:With the development of cloud storage, data owners no longer physically possess their data and thus how to ensure the integrity of their outsourced data becomes a challenging task. Several protocols have been proposed to audit cloud storage, all of which rely mainly on data block tags to check data integrity. However, their block tag constructions employ cryptographic operations, which makes them computationally complex. In this paper, we investigate a secure cloud storage protocol based on the classic discrete logarithm problem. Our protocol generates data block tags with only basic algebraic operations, which brings substantial computation savings compared with previous work. We also strictly prove that the proposed protocol is secure under a definition which captures the real-world uses of cloud storage. In order to fit more application scenarios, we extend the proposed protocol to support data dynamics by employing an index vector and third-party public auditing by using a random masking number, both of which are efficient and provably secure. At last, theoretical analysis and experimental evaluation are provided to validate the superiority of the proposed protocol.

Fangyong Hou,Dawu Gu,Nong Xiao,Yuhua Tang

DOI: https://doi.org/10.1109/NAS.2008.48

2008-01-01

Abstract:Storage systems are more distributed and more subject to attacks. Cryptographic file system gives a promising way to mitigate the danger of exposing data by using encryption and integrity protection methods and guarantee end-to-end security to clients. This paper describes SRSAE, a generic approach to cryptographic file system, as well as its realization in a distributed data storage environment. SRSAE applies authenticated encryption to each data block transferred between clients and the remote block devices. It provides strong data confidentiality and integrity protections through trusted IV (Initialization Vector) and MAC (Message Authentication Code) comparison. Performance is optimized by buffering IV and MAC locally. Integration into original file system is presented with specific implementation. Related model, approach and system realization are elaborated, as well as testing results. Theoretical analysis and experimental simulations show that it is a practical and available way to build secure network storage system.

Shengmin Xu,Xingshuo Han,Guowen Xu,Jianting Ning,Xinyi Huang,Robert H. Deng

DOI: https://doi.org/10.1109/tsc.2023.3321314

IF: 11.019

2024-01-01

IEEE Transactions on Services Computing

Abstract:Cloud computing is the widespread acceptance of a promising paradigm offering a substantial amount of storage and data services on demand. To preserve data confidentiality, many cryptosystems have been introduced. However, current solutions are incompatible with the resource-constrained end-devices because of a variety of vulnerabilities in terms of practicality and security. In this article, we propose a practical and secure data-sharing system by introducing a new design of attribute-based encryption with verifiable outsourced decryption-attribute-based encryption (VO-ABE for short). Our system offers: (1) data sharing at a fine-grained level; (2) a scalable key issuing protocol without any secure channel; (3) a verifiable outsourced decryption mechanism for resource-constrained end-devices against the malicious cloud service provider; and (4) adaptive security against the real-world attacks. To formalize our solution with cryptographic analysis, we present the formal definition of VO-ABE and its concrete construction with provable security. In particular, our design leverages the techniques of the traditional ABE, verifiable outsourced decryption, and randomness extractor to support fine-grained access control, cost-effective data sharing, and security assurance with high entropy. Moreover, our design is provably secure in the adaptive model under the standard assumption, which offers a stronger security guarantee since the state-of-the-art solution is selectively secure under the non-standard assumption and suffers from a variety of real-world attacks. The implementation and evaluation demonstrate that our solution enjoys superior functionality and better performance than the relevant solutions. More importantly, our solution is compatible with the resource-constrained end-devices since the decryption mechanism takes around 1.1 ms and is 22.7x faster than the state-of-the-art solution.

Wu Dianshuang,Liu Hang,He Dequan

DOI: https://doi.org/10.16526/j.cnki.11-4762/tp.2009.05.031

2009-01-01

Abstract:To transparently encrypt the data stored in solid state disk (SSD) and enhance the integration of the whole secure storage system, a method to integrate hardware encryption function into SSD was proposed after analyzing the architecture of SSD. The scheme of encrypted SSD was also given. Then, the hardware encryption module (HEM) to be embedded into the SSD was designed and implemented based on FPGA. Finally, the encrypted SSD was implemented with the HEM, common ATA flash disk controller and NAND flash chips. The testing and experimental results show that the encrypted SSD can encrypt all the data stored in it and the integration of the encryption function doesn't lead to decrease of performance due to hardware implementation, high speed and no use of system resources of HEM.

Zoe Lin Jiang,Jun-bin Fang,Lucas Chi Kwong Hui,SiuMing Yiu,Kam Pui Chow,Meng-meng Sheng

DOI: https://doi.org/10.1631/jzus.c1000425

2011-01-01

Abstract:Verifying the integrity of a hard disk is an important concern in computer forensics, as the law enforcement party needs to confirm that the data inside the hard disk have not been modified during the investigation. A typical approach is to compute a single chained hash value of all sectors in a specific order. However, this technique loses the integrity of all other sectors even if only one of the sectors becomes a bad sector occasionally or is modified intentionally. In this paper we propose a k-dimensional hashing scheme, kD for short, to distribute sectors into a kD space, and to calculate multiple hash values for sectors in k dimensions as integrity evidence. Since the integrity of the sectors can be verified depending on any hash value calculated using the sectors, the probability to verify the integrity of unchanged sectors can be high even with bad/modified sectors in the hard disk. We show how to efficiently implement this kD hashing scheme such that the storage of hash values can be reduced while increasing the chance of an unaffected sector to be verified successfully. Experimental results of a 3D scheme show that both the time for computing the hash values and the storage for the hash values are reasonable.