Wei Xue,JiWu Shu,Yang Liu,Mao Xue

DOI: https://doi.org/10.1007/s11432-011-4259-y

2011-01-01

Science China Information Sciences

Abstract:With the exponential growth of digital data, it is becoming more and more popular to store data in shared distributed storage systems inside the same organization. In such shared distributed storage systems, an ordinary user usually does not have the control permission over the whole system, and thus cannot secure data storage or data sharing of his own files. To solve this issue, this paper proposes a new system architecture to secure file storing and sharing efficiently over untrusted shared storage and network environments. Based on this architecture, this paper designs and implements a stackable secure storage system called Corslet. Corslet can run directly on deployed underlying storage systems without modification, while bringing end-to-end confidentiality and integrity as well as efficient access control for user data. For individual users, Corslet is easy to use, and does not require users to maintain or manage any keys on their client machines locally. The Bonnie++ and IOzone benchmark results show that the throughput of Corslet over NFS can achieve more than 90% of native NFS throughput in most tests, proving that Corslet can provide enhanced security for user data while maintaining acceptable performance.

Viet Vo,Xingliang Yuan,Shi-Feng Sun,Joseph K. Liu,Surya Nepal,Cong Wang,Shifeng Sun

DOI: https://doi.org/10.1109/tkde.2021.3126607

IF: 9.235

2022-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Cloud storage systems have seen a growing number of clients due to the fact that more and more businesses and governments are shifting away from in-house data servers and seeking cost-effective and ease-of-access solutions. However, the security of cloud storage is underestimated in current practice, which resulted in many large-scale data breaches. To change the status quo, this paper presents the design of ShieldDB, an encrypted document database. ShieldDB adapts the searchable encryption technique to preserve the search functionality over encrypted documents without having much impact on its scalability. However, merely realising such a theoretical primitive suffers from real-world threats, where a knowledgeable adversary can exploit the leakage (aka access pattern to the database) to break the claimed protection on data confidentiality. To address this challenge in practical deployment, ShieldDB is designed with tailored padding countermeasures. Unlike prior works, we target a more realistic adversarial model, where the database gets updated continuously, and the adversary can monitor it at an (or multiple) arbitrary time interval(s). ShieldDB’s padding strategies ensure that the access pattern to the database is obfuscated all the time. We present a full-fledged implementation of ShieldDB and conduct intensive evaluations on Azure Cloud.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Jian Zhang,Yang,Yanjiao Chen,Fei Chen

DOI: https://doi.org/10.1109/iwqos.2017.7969107

2017-01-01

Abstract:With the development of cloud storage, data owners no longer physically possess their data and thus how to ensure the integrity of their outsourced data becomes a challenging task. Several protocols have been proposed to audit cloud storage, all of which rely mainly on data block tags to check data integrity. However, their block tag constructions employ cryptographic operations, which makes them computationally complex. In this paper, we investigate a secure cloud storage protocol based on the classic discrete logarithm problem. Our protocol generates data block tags with only basic algebraic operations, which brings substantial computation savings compared with previous work. We also strictly prove that the proposed protocol is secure under a definition which captures the real-world uses of cloud storage. In order to fit more application scenarios, we extend the proposed protocol to support data dynamics by employing an index vector and third-party public auditing by using a random masking number, both of which are efficient and provably secure. At last, theoretical analysis and experimental evaluation are provided to validate the superiority of the proposed protocol.

Liwei Guo,Yiying Zhang,Felix Xiaozhu Lin

DOI: https://doi.org/10.48550/arXiv.1902.06327

2019-02-17

Cryptography and Security

Abstract:Smart devices produce security-sensitive data and keep them in on-device storage for persistence. The current storage stack on smart devices, however, offers weak security guarantees: not only because the stack depends on a vulnerable commodity OS, but also because smart device deployment is known weak on security measures. To safeguard such data on smart devices, we present a novel storage stack architecture that i) protects file data in a trusted execution environment (TEE); ii) outsources file system logic and metadata out of TEE; iii) running a metadata-only file system replica in the cloud for continuously verifying the on-device file system behaviors. To realize the architecture, we build Overwatch, aTrustZone-based storage stack. Overwatch addresses unique challenges including discerning metadata at fine grains, hiding network delays, and coping with cloud disconnection. On a suite of three real-world applications, Overwatch shows moderate security overheads.

Wanzong Peng,Tongliang Lu,Wenju Peng,Zhongpan Wang

DOI: https://doi.org/10.1038/s41598-024-69011-4

2024-08-03

Abstract:File sharing, being the foundation of the Internet, has traditionally relied on a centralized service architecture resulting in significant maintenance costs. Moreover, due to the lack of an effective file management system, instances of sensitive information going out of control and loss of confidentiality in file sharing have occurred frequently. In order to address the difficulty of tamper detection and the lack of supervision in the entire process of file transfer in the current Internet environment, this paper designs a blockchain-based system architecture for secure sharing of electronic documents. An efficient blockchain model is used in our framework, and with the help of distributed storage system and asymmetric encryption technology, file sharing can be controlled, reliable and traceable in the transfer process. Referring to existing consensus mechanisms, e.g., Delegated Proof of Stake (DPoS) and Practical Byzantine Fault Tolerance (PBFT), we propose a new consensus for efficient and secure file sharing. Our experimental results show that our framework can maintain a higher throughput than existing schemes.

Guoyou Chen,Jiajia Miao,Feng Xie,Handong Mao

DOI: https://doi.org/10.4028/www.scientific.net/amm.278-280.1767

2013-01-01

Applied Mechanics and Materials

Abstract:Cloud computing has been a hot researching area of computer network technology, since it was proposed in 2007. Cloud computing also has been envisioned as the next-generation architecture of IT Enterprise [1]. Cloud computing infrastructures enable companies to cut costs by outsourcing computations on-demand. It moves the application software and database to the large data centers, where the management of the data and services may not be fully trustworthy [2]. This poses many new security challenges. In this paper, we just focus on data storage security in the cloud, which has been the most important aspect of quality of service. To ensure the confidentiality and integrity of user's data in the cloud, and support of data dynamic operations, such as modification, insertion and deletion, we propose a framework for storage security, which includes cryptographic storage scheme and data structure. With our framework, the untrusted server cannot learn anything about the plaintext, and the dynamic operation can be finished in short time. The encryption algorithm and data storage structure is simple, and it's easy to maintain. Hence, our framework is practical to use today.

Manting Shen,Yinyan Yu,Zhi Tang,Xiaoyu Cui

DOI: https://doi.org/10.1109/compsac.2016.56

2016-01-01

Abstract:Sensitive information leakage in files is one of the biggest concerns in people's life. Considering this situation, people have designed lots of tools to protect sensitive files. However, these specialized tools are not applicable when the user amount is small. This paper proposes a novel light-weight mechanism that provides efficient and fast cryptographic-based file protection to meet the need of small organizations. The highlights are its ability to provide protection for all types of files, and the usage of an efficient access control approach for file sharing. Operations in the directory are monitored in real time and files are protected automatically. Moreover, encryption keys are generated and well preserved by a hierarchical key generation algorithm. For further estimation, we conducted experiments and analyzed the security and performance of our mechanism as well as other file protection software, and then we made a comparison among them. Experimental results show that our mechanism performs well both in security and performance and outperforms those other file protection software when applied in small organizations.

Yuxia Cheng,Qing Wu,Bei Wang,Wenzhi Chen

DOI: https://doi.org/10.1007/978-3-319-69471-9_4

2017-01-01

Abstract:Protecting data security and privacy is one of the top concerns in the public cloud. As the cloud infrastructure is complex, and it is difficult for cloud users to gain trust. Particularly, how to guarantee the confidentiality and integrity of in-memory user private data in untrusted cloud faces big challenges. The in-memory data is typically used for online processing that requires high performance and plaintext access in CPU, therefore simple data encryption is infeasible for in-memory data security protection. In this paper, we propose a secure in-memory data cache scheme based on the memcached key-value store system and leverage the new trusted Intel SGX processors to protect sensitive operations. Firstly, we build a secure enclave and design a trusted channel protocol using remote attestation mechanism. Secondly, we propose a cache server partitioning method that decouples the sensitive key-value operations with enclave protection. Thirdly, we implement a secure client library to maintain the original cache semantics for application compatibility. The experimental result showed that the proposed solutions achieves comparable performance with the traditional key-value store systems, while improves the level of data security in untrusted cloud.

Shen Zhirong,Xue Mao,Xue Wei,Shu Jiwu

2011-01-01

Journal of Computer Research and Development

Abstract:With the development of network storage technology,how to protect the shared data from being intruded continues to grow in importance in the untrusted network storage environment.This paper presents the recently researches of shared secure file system and analyzes the Corslet secure file system proposed by our group.We give the description of the roles that play in Corslet and analyze the key approaches that are used in it.Meanwhile,this paper evaluates the performance of Corslet secure file system and takes some measures to optimize performance.By evaluating the operation of reading/writing big files in Corslet,we draw the conclusion that cryptographic overhead accounts for most of the overhead caused by reading writing operation.According to the conclusion,two optimizations are proposed which are to make improvement on the implementation of cryptographic algorithms and to use the new API of cryptographic functions.With the original Corslet secure file system optimizated by the two optimizations,the performance of reading/writing improve by 16% to 20% and 5% to 12% respectively evaluated by the benchmark of IOzone.

Fauzi Adi Rafrastara,Qi DeYu

DOI: https://doi.org/10.48550/arXiv.2009.07099

2020-09-14

Abstract:Cloud storage provides the simpler way to share the files privately and publicly. A good Cloud Storage Provider (SCP) is not only measured by the access speed or file size that can be shared to others, but also regarding the security issues in file sharing itself. In this paper, we analyze the security of file sharing in 3 Chinese CSPs, which are: Baidu, Weiyun and Kanbox. Those CSPs have their own vulnerabilities that successfully revealed. We also provide some suggestions to countermeasure the weaknesses so that they can maintain the quality while improving the security.

Cryptography and Security

Jiwu Shu,Zhirong Shen,Wei Xue,Yingxun Fu

DOI: https://doi.org/10.1109/ASPDAC.2013.6509625

2013-01-01

Abstract:With the rapid development of cloud storage, data security in storage receives great attention and becomes the top concern to block the spread development of cloud service. In this paper, we systematically study the security researches in the storage systems. We first present the design criteria that are used to evaluate a secure storage system and summarize the widely adopted key technologies. Then, we further investigate the security research in cloud storage and conclude the new challenges in the cloud environment. Finally, we give a detailed comparison among the selected secure storage systems and draw the relationship between the key technologies and the design criteria.

Zijian Zhou,Caimei Wang,Xiaoheng Deng,Jianhao Lu,Qilue Wen,Chen Zhang,Hong Li

2024-04-02

Abstract:Although the decentralized storage technology based on the blockchain can effectively realize secure data storage on cloud services. However, there are still some problems in the existing schemes, such as low storage capacity and low efficiency. To address related issues, we propose a novel decentralized storage framework, which mainly includes four aspects: (1) we proposed a Bi-direction Circular Linked Chain Structure (BCLCS), which improves data's storage capacity and applicability in decentralized storage. (2) A Proof of Resources (PoR) decision model is proposed. By introducing the network environment as an essential evaluation parameter of storage right decision, the energy and time consumption of decision-making are reduced, and the fairness of decision-making is improved. (3) A chain structure dynamic locking mechanism (CSDLM) is designed to realize anti-traverse and access control. (4) A Bi-directional data Access Mechanism (BDAM) is proposed, which improves the efficiency of data access and acquisition in decentralized storage mode. The experimental results show that the framework has significantly improved the shortcomings of the current decentralized storage.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Hsiao-Shan Huang,Tian-Sheuan Chang,Jhih-Yi Wu

DOI: https://doi.org/10.1145/3409934.3409948

2022-05-02

Abstract:There is a great interest in many approaches towards blockchain in providing a solution to record transactions in a decentralized way. However, there are some limitations when storing large files or documents on the blockchain. In order to meet the requirements of storing relatively large data, a decentralized storage medium is produced. IPFS is a distributed file system which is content-addressable. It works very similar to the blockchain network. There are some attempts which take advantage of the blockchain concept and IPFS to design new approaches. Unfortunately, there are some inefficiencies in sharing data using the combination of IPFS and blockchain. In this paper, we proposed a secure file sharing system that brings a distributed access control and group key management by the adoption of the IPFS proxy. The IPFS proxy which plays an important role in the design is adopted to take responsibility for the control policies. The combination of the IPFS server and the blockchain network with the adoption of the IPFS proxy make a secure file sharing system which the members on the system can create new groups or join different groups by their own choice. Although there is no access control mechanism in IPFS server and blockchain network, the secure file sharing system manages the access control policies. The members access files only belong to the group they authorized.

Cryptography and Security,Networking and Internet Architecture

Yuxiang Chen,Guishan Dong,Chunxiang Xu,Yao Hao,Yue Zhao

DOI: https://doi.org/10.3390/s23208526

IF: 3.9

2023-10-18

Sensors

Abstract:In this paper, we propose a user-friendly encrypted storage scheme named EStore, which is based on the Hadoop distributed file system. Users can make use of cloud-based distributed file systems to collaborate with each other. However, most data are processed and stored in plaintext, which is out of the owner's control after it has been uploaded and shared. Meanwhile, simple encryption guarantees the confidentiality of uploaded data but reduces availability. Furthermore, it is difficult to deal with complex key management as there is the problem whereby a single key encrypts different files, thus increasing the risk of leakage. In order to solve the issues above, we put forward an encrypted storage model and a threat model, designed with corresponding system architecture to cope with these requirements. Further, we designed and implemented six sets of protocols to meet users' requirements for security and use. EStore manages users and their keys through registration and authentication, and we developed a searchable encryption module and encryption/decryption module to support ciphertext retrieval and secure data outsourcing, which will only minimally increase the calculation overhead of the client and storage redundancy. Users are invulnerable compared to the original file system. Finally, we conducted a security analysis of the protocols to demonstrate that EStore is feasible and secure.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jin Wang,Chenchen Han,Xiaofeng Yu,Yongjun Ren,R. Simon Sherratt

DOI: https://doi.org/10.32604/cmc.2022.020648

2022-01-01

Abstract:Distributed storage can store data in multiple devices or servers to improve data security. However, in today's explosive growth of network data, traditional distributed storage scheme is faced with some severe challenges such as insufficient performance, data tampering, and data lose. A distributed storage scheme based on blockchain has been proposed to improve security and efficiency of traditional distributed storage. Under this scheme, the following improvements have been made in this paper. This paper first analyzes the problems faced by distributed storage. Then proposed to build a new distributed storage blockchain scheme with sharding blockchain. The proposed scheme realizes the partitioning of the network and nodes by means of blockchain sharding technology, which can improve the efficiency of data verification between nodes. In addition, this paper uses polynomial commitment to construct a new verifiable secret share scheme called PolyVSS. This new scheme is one of the foundations for building our improved distributed storage blockchain scheme. Compared with the previous scheme, our new scheme does not require a trusted third party and has some new features such as homomorphic and batch opening. The security of VSS can be further improved. Experimental comparisons show that the proposed scheme significantly reduces storage and communication costs.

Dagang Li,Rong Du,Man Ho Au,Yue Fu

DOI: https://doi.org/10.1109/lnet.2019.2891998

2017-01-01

Abstract:In this letter we propose Meta-key, a data-sharing mechanism that enablesusers share their encrypted data under a blockchain-based decentralized storagearchitecture. All the data-encryption keys are encrypted by the owner's publickey and put onto the blockchain for safe and secure storage and easykey-management. Encrypted data are stored in dedicated storage nodes and proxyre-encryption mechanism is used to ensure secure data-sharing in the untrustedenvironment. Security analysis of our model shows that the proxy re-encryptionadopted in our system is naturally free from collusion-attack due to thespecific architecture of Meta-key.

Liang Xue,Dongxiao Liu,Cheng Huang,Xuemin (Sherman) Shen,Weihua Zhuang,Rob Sun,Bidi Ying

DOI: https://doi.org/10.1109/icc45855.2022.9838811

2022-01-01

Abstract:In this paper, we propose a Secure and Flexible Data Sharing (SFDS) scheme for distributed storage, where data owners can outsource their data to a distributed storage network and share the data with authorized users. To preserve confidentiality, all data are encrypted by data owners' secret keys before being outsourced, and fine-grained access policies are enforced on the encrypted data (ciphertexts) to achieve flexible data sharing. Furthermore, based on the ciphertext puncturable encryption and the hierarchical identity-based encryption, we design an efficient key and ciphertext update mechanism, which enables data owners to update their secret keys and the corresponding ciphertexts periodically to deal with side-channel attacks and system vulnerabilities. Update tokens are constructed to directly derive new keys and ciphertexts. Through detailed security analysis, it is demonstrated that SFDS can achieve all three essential security properties, i.e., forward security, post-compromise security, and collusion attack resistance.

Eduardo Duarte,Filipe Pinheiro,André Zúquete,Hélder Gomes

DOI: https://doi.org/10.48550/arXiv.1501.03139

2015-01-14

Abstract:This paper presents a multi-platform, open-source application that aims to protect data stored and shared in existing cloud storage services. The access to the cryptographic material used to protect data is implemented using the identification and authentication functionalities of national electronic identity (eID) tokens. All peer to peer dialogs to exchange cryptographic material is implemented using the cloud storage facilities. Furthermore, we have included a set of mechanisms to prevent files from being permanently lost or damaged due to concurrent modification, deletion and malicious tampering. We have implemented a prototype in Java that is agnostic relatively to cloud storage providers; it only manages local folders, one of them being the local image of a cloud folder. We have successfully tested our prototype in Windows, Mac OS X and Linux, with Dropbox, OneDrive, Google Drive and SugarSync.

Cryptography and Security

Solonas Gousteris,Yoannis C. Stamatiou,Constantinos Halkiopoulos,Hera Antonopoulou,Nikos Kostopoulos

DOI: https://doi.org/10.28991/esj-2023-07-02-012

2023-02-14

Emerging Science Journal

Abstract:Objectives: This paper addresses the problem of secure data storage and sharing over cloud storage infrastructures. A secure, distributed cloud storage structure incorporating the blockchain structure is proposed that supports confidentiality, integrity, and availability. Methods/Analysis: The proposed structure combines two well-known technologies: one of them is the Ethereum Blockchain and its Smart Contracts and the other is the RSA encryption and authentication scheme. The Ethereum Blockchain is used as a data structure, which ensures data availability and integrity while RSA provides sensitive data confidentiality and source authentication. Findings: As a result, users of the proposed structure can trust it and be certain that they can securely exchange information through a publicly accessible and shared cloud storage. The application can be used either through a user interface (UI) or a command-line interface (CLI). Novelty /Improvement:The novelty of this work is that the system that is proposed could be used for secure data storage on the cloud as well as for file sharing and authentication verification. Also, secure data storage and file sharing are already offered by the proposed system. Doi: 10.28991/ESJ-2023-07-02-012 Full Text: PDF

Minghui Xu,Jiahao Zhang,Hechuan Guo,Xiuzhen Cheng,Dongxiao Yu,Qin Hu,Yijun Li,Yipu Wu

2024-03-22

Abstract:Decentralized Storage Network (DSN) is an emerging technology that challenges traditional cloud-based storage systems by consolidating storage capacities from independent providers and coordinating to provide decentralized storage and retrieval services. However, current DSNs face several challenges associated with data privacy and efficiency of the proof systems. To address these issues, we propose FileDES (\uline{D}ecentralized \uline{E}ncrypted \uline{S}torage), which incorporates three essential elements: privacy preservation, scalable storage proof, and batch verification. FileDES provides encrypted data storage while maintaining data availability, with a scalable Proof of Encrypted Storage (PoES) algorithm that is resilient to Sybil and Generation attacks. Additionally, we introduce a rollup-based batch verification approach to simultaneously verify multiple files using publicly verifiable succinct proofs. We conducted a comparative evaluation on FileDES, Filecoin, Storj and Sia under various conditions, including a WAN composed of up to 120 geographically dispersed nodes. Our protocol outperforms the others in terms of proof generation/verification efficiency, storage costs, and scalability.

Cryptography and Security