Yang,Yanjiao Chen,Fei Chen

DOI: https://doi.org/10.1109/tnet.2021.3058130

2021-01-01

Abstract:With the widespread application of cloud storage, ensuring the integrity of user outsourced data catches more and more attention. To remotely check the integrity of cloud storage, plenty of protocols have been proposed, implemented by checking the equation constructed by the aggregated blocks, tags, and indices. However, the verifier only has the knowledge of the indices of the audited blocks and tags, which thus requires the cloud to store both data blocks and tags for integrity verification. In this article, we present a compressive secure cloud storage protocol inspired by Goldreich-Goldwasser-Halevi (GGH) cryptosystem. Since the aggregated blocks can be reconstructed from the aggregated tags without the help of data indices, the cloud can only store data tags for providing the verifiable integrity proof. In this way, communication and storage costs can be hugely reduced and user private information can be hidden from the cloud. Furthermore, the proposed protocol only contains a few basic algebraic operations, making it highly efficient. We also provide formal security proof of the proposed protocol regarding forge, replay and replace attacks. In addition, we explore a new technique to support data dynamics. Furthermore, we establish a generic framework of compressive secure cloud storage protocols. Finally, we provide the theoretical analysis and experimental results, which further validate the effectiveness of the proposed protocol.

Jian Zhang,Yang,Yanjiao Chen,Fei Chen

DOI: https://doi.org/10.1109/iwqos.2017.7969107

2017-01-01

Abstract:With the development of cloud storage, data owners no longer physically possess their data and thus how to ensure the integrity of their outsourced data becomes a challenging task. Several protocols have been proposed to audit cloud storage, all of which rely mainly on data block tags to check data integrity. However, their block tag constructions employ cryptographic operations, which makes them computationally complex. In this paper, we investigate a secure cloud storage protocol based on the classic discrete logarithm problem. Our protocol generates data block tags with only basic algebraic operations, which brings substantial computation savings compared with previous work. We also strictly prove that the proposed protocol is secure under a definition which captures the real-world uses of cloud storage. In order to fit more application scenarios, we extend the proposed protocol to support data dynamics by employing an index vector and third-party public auditing by using a random masking number, both of which are efficient and provably secure. At last, theoretical analysis and experimental evaluation are provided to validate the superiority of the proposed protocol.

Huiying Hou,Jianting Ning,Yunlei Zhao,Robert Deng

DOI: https://doi.org/10.1109/TDSC.2021.3100401

2022-01-01

Abstract:With the increasing cloud storage service, users can enjoy non-interactive data sharing. Nonetheless, the data owner cannot timely update the shared data all the while. To ensure the timeliness and the authoritative source of the data, some users should be allowed to update the data on behalf of an authoritative data owner without changing data source. However, this allows harmful information to be injected into the data unnoticeably. How to efficiently realize editable cloud-based data sharing supporting malicious user tracing has not been fully explored. To address the problem, we propose a fine-grained and controllably editable cloud-based data sharing scheme with malicious user accountability. The data owner only needs to sign the shared data before uploading it and can specify a fine-grained access control policy about who can update the data and which portions of the data can be updated. The authorized users non-interactively convert signatures of original data into new ones for the updated data, which are indistinguishable from the original signatures. The proposed scheme also supports malicious user accountability in the sense that malicious users who post harmful information can be traced. We demonstrate the security and practicality of our scheme via formal security analysis and extensive experiments.

Xiong Li,Saru Kumari,Jian Shen,Fan Wu,Caisen Chen,SK Hafizul Islam

DOI: https://doi.org/10.1007/s11277-016-3742-6

IF: 2.017

2016-01-01

Wireless Personal Communications

Abstract:Cloud storage is a new storage mode emerged along with the development of cloud computing paradigm. By migrating the data to cloud storage, the consumers can be liberated from building and maintaining the private storage infrastructure, and they can enjoy the data storage service at anywhere and anytime with high reliability and a relatively low cost. However, the security and privacy risks, especially the confidentiality and integrity of data seem to be the biggest hurdle to the adoption of the cloud storage applications. In this paper, we consider the secure data access and sharing issues for cloud storage services. Based on the intractability of the discrete logarithm problem, we design a secure data access and data sharing scheme for cloud storage, where we utilize the user authentication scheme to deal with the data access problem. According to our analysis, through our scheme, only valid user with the correct password and biometric can access to the cloud storage provider. Besides, the authorized users can access the rightful resources and verify the validity of the shared data, but cannot transfer the permission to any other party. At the same time, the confidentiality and integrity of data can be guaranteed.

Cong Wang,Qian Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/iwqos.2009.5201385

2009-01-01

Abstract:Cloud computing has been envisioned as the next-generation architecture of IT enterprise. In contrast to traditional solutions, where the IT services are under proper physical, logical and personnel controls, cloud computing moves the application software and databases to the large data centers, where the management of the data and services may not be fully trustworthy. This unique attribute, however, poses many new security challenges which have not been well understood. In this article, we focus on cloud data storage security, which has always been an important aspect of quality of service. To ensure the correctness of users' data in the cloud, we propose an effective and flexible distributed scheme with two salient features, opposing to its predecessors. By utilizing the homomorphic token with distributed verification of erasure-coded data, our scheme achieves the integration of storage correctness insurance and data error localization, i.e., the identification of misbehaving server (s). Unlike most prior works, the new scheme further supports secure and efficient dynamic operations on data blocks, including: data update, delete and append. Extensive security and performance analysis shows that the proposed scheme is highly efficient and resilient against Byzantine failure, malicious data modification attack, and even server colluding attacks.

Cong Wang,Qian Wang,Kui Ren,Ning Cao,Wenjing Lou

DOI: https://doi.org/10.1109/tsc.2011.24

IF: 11.019

2011-01-01

IEEE Transactions on Services Computing

Abstract:Cloud storage enables users to remotely store their data and enjoy the on-demand high quality cloud applications without the burden of local hardware and software management. Though the benefits are clear, such a service is also relinquishing users' physical possession of their outsourced data, which inevitably poses new security risks toward the correctness of the data in cloud. In order to address this new problem and further achieve a secure and dependable cloud storage service, we propose in this paper a flexible distributed storage integrity auditing mechanism, utilizing the homomorphic token and distributed erasure-coded data. The proposed design allows users to audit the cloud storage with very lightweight communication and computation cost. The auditing result not only ensures strong cloud storage correctness guarantee, but also simultaneously achieves fast data error localization, i.e., the identification of misbehaving server. Considering the cloud data are dynamic in nature, the proposed design further supports secure and efficient dynamic operations on outsourced data, including block modification, deletion, and append. Analysis shows the proposed scheme is highly efficient and resilient against Byzantine failure, malicious data modification attack, and even server colluding attacks.

Yang Zhen,Wang Wenyu,Huang Yongfeng,Li Xing

DOI: https://doi.org/10.1049/cje.2018.02.017

IF: 1.019

2019-01-01

Chinese Journal of Electronics

Abstract:Cloud data confidentiality need to be audited for the data owner’s concern. Confidentiality auditing is usually based on logging schemes, whereas cloud data dynamics and sharing group dynamics result in massive logs, which makes confidentiality auditing a formidable task for user with limited resources. So we propose a public auditing scheme for data confidentiality,in which user resorts to a Third-party auditor（TPA）for auditing. Our scheme design a special log called attestation in which hash user pseudonym is used to preserve user privacy. Attestation-based data access identifying is presented in our scheme which brings no new vulnerabilities toward data confidentiality and no extra online burden for user. We further support accountability of responsible user for data leakage based on user pseudonym. Extensive security and performance analysis compare our scheme with existing auditing schemes.Results indicate that the proposed scheme is provably secure and highly efficient.

Guoyou Chen,Jiajia Miao,Feng Xie,Handong Mao

DOI: https://doi.org/10.4028/www.scientific.net/amm.278-280.1767

2013-01-01

Applied Mechanics and Materials

Abstract:Cloud computing has been a hot researching area of computer network technology, since it was proposed in 2007. Cloud computing also has been envisioned as the next-generation architecture of IT Enterprise [1]. Cloud computing infrastructures enable companies to cut costs by outsourcing computations on-demand. It moves the application software and database to the large data centers, where the management of the data and services may not be fully trustworthy [2]. This poses many new security challenges. In this paper, we just focus on data storage security in the cloud, which has been the most important aspect of quality of service. To ensure the confidentiality and integrity of user's data in the cloud, and support of data dynamic operations, such as modification, insertion and deletion, we propose a framework for storage security, which includes cryptographic storage scheme and data structure. With our framework, the untrusted server cannot learn anything about the plaintext, and the dynamic operation can be finished in short time. The encryption algorithm and data storage structure is simple, and it's easy to maintain. Hence, our framework is practical to use today.

Cong Wang,Kui Ren,Wenjing Lou,Jin Li

DOI: https://doi.org/10.1109/mnet.2010.5510914

IF: 10.294

2010-01-01

IEEE Network

Abstract:Cloud computing is the long dreamed vision of computing as a utility, where data owners can remotely store their data in the cloud to enjoy on-demand high-quality applications and services from a shared pool of configurable computing resources. While data outsourcing relieves the owners of the burden of local data storage and maintenance, it also eliminates their physical control of storage dependability and security, which traditionally has been expected by both enterprises and individuals with high service-level requirements. In order to facilitate rapid deployment of cloud data storage service and regain security assurances with outsourced data dependability, efficient methods that enable on-demand data correctness verification on behalf of cloud data owners have to be designed. In this article we propose that publicly auditable cloud data storage is able to help this nascent cloud economy become fully established. With public auditability, a trusted entity with expertise and capabilities data owners do not possess can be delegated as an external audit party to assess the risk of outsourced data when needed. Such an auditing service not only helps save data owners' computation resources but also provides a transparent yet cost-effective method for data owners to gain trust in the cloud. We describe approaches and system requirements that should be brought into consideration, and outline challenges that need to be resolved for such a publicly auditable secure cloud storage service to become a reality.

Qian Wang,Cong Wang,Kui Ren,Wenjing Lou,Jin Li

DOI: https://doi.org/10.1109/tpds.2010.183

IF: 5.3

2010-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Cloud Computing has been envisioned as the next-generation architecture of IT Enterprise. It moves the application software and databases to the centralized large data centers, where the management of the data and services may not be fully trustworthy. This unique paradigm brings about many new security challenges, which have not been well understood. This work studies the problem of ensuring the integrity of data storage in Cloud Computing. In particular, we consider the task of allowing a third party auditor (TPA), on behalf of the cloud client, to verify the integrity of the dynamic data stored in the cloud. The introduction of TPA eliminates the involvement of the client through the auditing of whether his data stored in the cloud are indeed intact, which can be important in achieving economies of scale for Cloud Computing. The support for data dynamics via the most general forms of data operation, such as block modification, insertion, and deletion, is also a significant step toward practicality, since services in Cloud Computing are not limited to archive or backup data only. While prior works on ensuring remote data integrity often lacks the support of either public auditability or dynamic data operations, this paper achieves both. We first identify the difficulties and potential security problems of direct extensions with fully dynamic data updates from prior works and then show how to construct an elegant verification scheme for the seamless integration of these two salient features in our protocol design. In particular, to achieve efficient data dynamics, we improve the existing proof of storage models by manipulating the classic Merkle Hash Tree construction for block tag authentication. To support efficient handling of multiple auditing tasks, we further explore the technique of bilinear aggregate signature to extend our main result into a multiuser setting, where TPA can perform multiple auditing tasks simultaneously. Extensive security and performance analysis show that the proposed schemes are highly efficient and provably secure.

Yong Yu,Yannan Li,Bo Yang,Willy Susilo,Guomin Yang,Jian Bai

DOI: https://doi.org/10.1109/tetc.2017.2759329

2020-01-01

IEEE Transactions on Emerging Topics in Computing

Abstract:Outsourced storage such as cloud storage can significantly reduce the burden of data management of data owners. Despite of a long list of merits of cloud storage, it triggers many security risks at the same time. Data integrity, one of the most burning challenges in secure cloud storage, is a fundamental and pivotal element in outsourcing services. Outsourced data auditing protocols enable a verifier to efficiently check the integrity of the outsourced files without downloading the entire file from the cloud, which can dramatically reduce the communication overhead between the cloud server and the verifier. Existing protocols are mostly based on public key infrastructure or an exact identity, which lacks flexibility of key management. In this paper, we seek to address the complex key management challenge in cloud data integrity checking by introducing attribute-based cloud data auditing, where users can upload files to cloud through some customized attribute set and specify some designated auditor set to check the integrity of the outsourced data. We formalize the system model and the security model for this new primitive, and describe a concrete construction of attribute-based cloud data integrity auditing protocol. The new protocol offers desirable properties namely attribute privacy-preserving and collusion-resistance. We prove soundness of our protocol based on the computational Diffie-Hellman assumption and the discrete logarithm assumption. Finally, we develop a prototype of the protocol which demonstrates the practicality of the protocol.

Yanbo Yang,Jiawei Zhang,Ximeng Liu,Jianfeng Ma,Qi Jiang,Yuanzhen Liu,Baoshan Li,Yongxing Du

DOI: https://doi.org/10.1109/jiot.2022.3220850

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Smart logistics (s-Logistics) has become more and more popular driven by the intelligent Internet of Things (IoT) which deploys pervasive smart devices in s-Logistics systems. The explosive growth of s-Logistics data collected by these resource-limited IoT devices enables Fog-based s-Logistics that provides data outsourcing and sharing services via multiple clouds within small latency. Nevertheless, it also gives rise to prominent security risks of user privacy leakage considering malicious users and data integrity violation with untrusted cloud servers, which are severe to s-Logistics systems and cannot be addressed by simple encryption. To solve these issues, in this article, we propose an efficient large universe and traceable privacy-preserving data sharing (LUTPDS) for Fog-based s-Logistics. It simultaneously achieves data access control, data integrity protection, key escrow and abuse resistance, user privacy preserving, and scalability. We devise a large universe and multiauthority ciphertext-policy attribute-based encryption (CP-ABE) scheme in which access policy hiding mechanism is used for user privacy preserving, while white-box tracing and certificateless public data integrity auditing techniques are employed to resist key abuse and escrow problems. In addition, online/offline encryption and verifiable outsourced decryption are leveraged for high efficiency and cloud encryption is utilized to extend to multiple clouds. In the end, we formally prove the security of our scheme for indistinguishability of chosen plaintext attack (IND-CPA) security and traceability. Detailed performance evaluation with extensive experiments shows that our scheme is practicable for s-Logistics compared with the existing schemes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jingwei Li,Jin Li,Dongqing Xie,Zhang Cai

DOI: https://doi.org/10.1109/tc.2015.2389960

2016-01-01

Abstract:As the cloud computing technology develops during the last decade, outsourcing data to cloud service for storage becomes an attractive trend, which benefits in sparing efforts on heavy data maintenance and management. Nevertheless, since the outsourced cloud storage is not fully trustworthy, it raises security concerns on how to realize data deduplication in cloud while achieving integrity auditing. In this work, we study the problem of integrity auditing and secure deduplication on cloud data. Specifically, aiming at achieving both data integrity and deduplication in cloud, we propose two secure systems, namely SecCloud and SecCloud(+). SecCloud introduces an auditing entity with a maintenance of a MapReduce cloud, which helps clients generate data tags before uploading as well as audit the integrity of data having been stored in cloud. Compared with previous work, the computation by user in SecCloud is greatly reduced during the file uploading and auditing phases. SecCloud(+) is designed motivated by the fact that customers always want to encrypt their data before uploading, and enables integrity auditing and secure deduplication on encrypted data.

Tao Jiang,Wenjuan Meng,Xu Yuan,Liangmin Wang,Jianhua Ge,Jianfeng Ma

DOI: https://doi.org/10.1109/tpds.2021.3080594

IF: 5.3

2021-12-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:While the prevalent cloud storage platforms are offering convenient services in support of diverse data-driven applications for clients, various security concerns raise in terms of data confidentiality, availability, and retrievability. Among them, servers' dishonesty on the location-specific data backup becomes a serious concern when the data stands out clients' control, considering the strict regulations imposed by many governments and organizations on data storage location. This article studies location-aware data backup verification for the data stored in clouds and aims to design a secure framework, named as ReliableBox, enabling the clients to verify if their data have been backed up on the remote servers with specific geolocation. In the design of ReliableBox, we leverage the prominent proof-of-storage techniques for data possession proof, and take advantage of multilateration geolocation and Intel SGX for the precise communication delay measurement and trust computing delay measurement, respectively. In ReliableBox, a client first computes integrity tags for the files and then outsources both the files and tags to the cloud storage server. In the later attestation, with the precise network delay and distance measurement from location-known verifiers, the client verifies that the outsourced files are intact and backed-up to hosts at the specific geolocation. With the customized design, ReliableBox can support the security needs in terms of both data integrity and backup location verification for clients, even when there exists potential dishonest cloud service providers who may manipulate the network delays or forge verification proofs. We provide security analysis to show the security property of ReliableBox in terms of data access, confidentiality, and verifications. In the end, we implement the system prototype and deploy it into several prevalent and commercial cloud platforms for performance evaluation. The experime-tal results demonstrate that ReliableBox is secure in support of data integrity checking and location-aware backup auditing, while it is robust to the data possession and location spoofing attacks.

computer science, theory & methods,engineering, electrical & electronic

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Chunye ZHAO,Shanshan TU,Haoyu CHEN,Yongfeng HUANG

DOI: https://doi.org/10.16652/j.issn.1004-373x.2017.02.001

2017-01-01

Abstract:Cloud Storage provides data storage service for external by combing and coordinating different types of storage devices in the network,so that they can collectively work together. However it always exists a trust game relationship between users and service providers,therefore it is important to build a healthy,fair and secure cloud data service environment for the security auditing on the state of cloud data and operation processes. A cloud security?auditing scheme based on analysis of user behavior(UB)log data from cloud servers is proposed in this paper. The system log information analysis based on UB is realized functionally by description rules of UB. And the existing association rule mining algorithm is improved simultaneously,which is proposed for dealing with the Long Sequence Frequent Pattern(LSFP)to extract UB. The experiment result indicates that the so?lution can implement the tracking and evidence taking of data leakage efficiently for the cloud security auditing.

Jianting Ning,Zhenfu Cao,Xiaolei Dong,Kaitai Liang,Lifei Wei,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1109/tsc.2018.2791538

IF: 11.019

2019-01-01

IEEE Transactions on Services Computing

Abstract:Secure cloud storage, which is an emerging cloud service, is designed to protect the confidentiality of outsourced data but also to provide flexible data access for cloud users whose data is out of physical control. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is regarded as one of the most promising techniques that may be leveraged to secure the guarantee of the service. However, the use of CP-ABE may yield an inevitable security breach which is known as the misuse of access credential (i.e., decryption rights), due to the intrinsic “all-or-nothing” decryption feature of CP-ABE. In this paper, we investigate the two main cases of access credential misuse: one is on the semi-trusted authority side, and the other is on the side of cloud user. To mitigate the misuse, we propose the first accountable authority and revocable CP-ABE based cloud storage system with white-box traceability and auditing, referred to as CryptCloud±. We also present the security analysis and further demonstrate the utility of our system via experiments.

Fuzhi Cang,Mingxing Zhang,Yongwei Wu,Weimin Zheng

DOI: https://doi.org/10.3969/j.issn.1673-5188.2013.04.004

2013-01-01

Abstract:Despite the multifaceted advantages of cloud computing,concerns about data leakage or abuse impedes its adoption for security-sensi tive tasks.Recent investigations have revealed that the risk of unauthorized data access is one of the biggest concerns of users of cloud-based services.Transparency and accountability for data managed in the cloud is necessary.Specifically,when using a cloudhost service,a user typically has to trust both the cloud service provider and cloud infrastructure provider to properly handling private data.This is a multi-party system.Three particular trust models can be used according to the credibility of these providers.This pa per describes techniques for preventing data leakage that can be used with these different models.

Michael T. Goodrich,Ryuto Kitagawa,Vinesh Sridhar

2024-11-01

Abstract:Ateniese, Goodrich, Lekakis, Papamanthou, Paraskevas, and Tamassia introduced the Accountable Storage protocol, which is a way for a client to outsource their data to a cloud storage provider while allowing the client to periodically perform accountability challenges. An accountability challenge efficiently recovers any pieces of data the server has lost or corrupted, allowing the client to extract the original copies of the damaged or lost data objects. A severe limitation of the prior accountable storage scheme of Ateniese et al., however, is that it is not fully dynamic. That is, it does not allow a client to freely insert and delete data from the outsourced data set after initializing the protocol, giving the protocol limited practical use in the real world. In this paper, we present Dynamic Accountable Storage, which is an efficient way for a client to periodically audit their cloud storage while also supporting insert and delete operations on the data set. To do so, we introduce a data structure, the IBLT tree, which allows either the server or the client to reconstruct data the server has lost or corrupted in a space-efficient way.

Cryptography and Security,Data Structures and Algorithms

Wei-wei ZHAO,Qiang LI,Ai-xin ZHANG,Jian-hua LI

DOI: https://doi.org/10.3969/j.issn.1002-0802.2018.02.031

2018-01-01

Abstract:In the era of big data, cloud storage is regarded as an excellent storage tool for a variety of enterprises and individuals. Searchable encrypted audit logs may efficiently monitor data-sharing operation of every cloud storage user. A novel searchable encrypted audit log scheme is proposed for the cloud storage system of multi-cloud service providers to generate, encrypt, search and verify audit logs. Based on identity-based encryption, the cloud service provider is allowed in advance to verify the permissions of users contained in audit logs before releasing their operations while assuring the privacy. In addition, the experiment indicates that this scheme could provide the guarantee for audit-log authenticity.