Jian Zhang,Yang,Yanjiao Chen,Jing Chen,Qian Zhang

DOI: https://doi.org/10.1016/j.comnet.2017.08.019

IF: 5.493

2017-01-01

Computer Networks

Abstract:With the growing popularity of cloud storage, to guarantee the security of outsourced data becomes more and more important. In this paper, we make the first attempt to explore the intrinsic relationship between secure cloud storage and homomorphic encryption scheme, based on which we present a Generic way to design a Secure Cloud Storage protocol, denoted as G-SCS, using any homomorphic encryption scheme (HES). The proposed G-SCS is secure under a definition that satisfy the security requirement of cloud storage. To address various issues in real application scenarios, we further extend the protocol to support deterministic and randomized auditing, data dynamics (i.e., data insertion, deletion and modification), as well as third-party public auditing, while preserving the efficiency and security of the protocol. By instantiating all abstract semantics in G-SCS, we construct three concrete secure cloud storage protocols using RSA-based, Paillier-based and DGHV-based HESs, which are multiplicatively, additively and fully HESs, respectively. We conduct extensive theoretical analysis and experimental evaluations to validate the practicability of the proposed protocol.

Hongyi Su,Geng Yang,and Dawei Li

2011-01-01

Abstract:Data storage is an important application of cloud computing. With a cloud computing platform, the burden of local data storage can be reduced. However, services and applications in a cloud may come from different providers, and creating an efficient protocol to protect privacy is critical. We propose a verification protocol for cloud database entries that protects against untrusted service providers. Based on identity-based encryption （IBE） for cloud storage, this protocol guards against breaches of privacy in cloud storage. It prevents service providers from easily constructing cloud storage and forging the signature of data owners by secret sharing. Simulation results confirm the availability and efficiency of the proposed protocol.

Cong Sun,Ennan Zhai,Zhong Chen,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-642-25243-3_28

2011-01-01

Abstract:Interactive/Reactive computational model is known to be proper abstraction of many pervasively used systems, such as clientside web-based applications. The critical task of information flow control mechanisms aims to determine whether the interactive program can guarantee the confidentiality of secret data. We propose an efficient and flow-sensitive static analysis to enforce information flow policy on program with interactive I/Os. A reachability analysis is performed on the abstract model after a form of transformation, called multi-composition, to check the conformance with the policy. In the multi-composition we develop a store-match pattern to avoid duplicating the I/O channels in the model, and use the principle of secure multi-execution to generalize the security lattice model which is supported by other approaches based on automated verification. We also extend our approach to support a stronger version of termination-insensitive noninterference. The results of preliminary experiments show that our approach is more precise than existing flow-sensitive analysis and the cost of verification is reduced through the store-match pattern.

Qi Wang,Dehua Zhou,Yanling Li

DOI: https://doi.org/10.48550/arXiv.1812.00599

2018-12-03

Cryptography and Security

Abstract:With the rapid development of cloud computing, the privacy security incidents occur frequently, especially data security issues. Cloud users would like to upload their sensitive information to cloud service providers in encrypted form rather than the raw data, and to prevent the misuse of data. The main challenge is to securely process or analyze these encrypted data without disclosing any useful information, and to achieve the rights management efficiently. In this paper, we propose the encrypted data processing protocols for cloud computing by utilizing additively homomorphic encryption and proxy cryptography. For the traditional homomorphic encryption schemes with many limitations, which are not suitable for cloud computing applications. We simulate a cloud computing scenario with flexible access control and extend the original homomorphic cryptosystem to suit our scenario by supporting various arithmetical calculations. We also prove the correctness and security of our protocols, and analyze the advantages and performance by comparing with some latest works.

Qinlong Huang,Chao Wang,Lixuan Chen

DOI: https://doi.org/10.1109/tsc.2022.3203378

IF: 11.019

2022-01-01

IEEE Transactions on Services Computing

Abstract:With the popularity of cloud computing services, an increasing number of users begin to use subscription-based services. Due to the semi-trusted cloud servers that may access the outsourced data, and malicious senders who may publish unauthorized data or junk data, access control encryption (ACE) schemes have been studied recently to enforce secure data write control as well as read control. However, their access control policies are specified by the authority or publishers, which do not apply to the subscriptions. In this paper, we propose DSFlow, a secure and fine-grained flow control system for subscription-based data services. DSFlow is designed in the cloud-edge computing architecture, which employs edge nodes to control the communications between publishers and cloud servers by sanitizing the original ciphertexts to resist malicious publishers, and allows any valid subscriber to decrypt the sanitized ciphertexts in cloud. We introduce a receiver-policy attribute-based ACE (RA-ACE) scheme for DSFlow, which embeds the fine-grained access control policy within the receiver's decryption key. We give a concrete construction of RA-ACE from key-policy attribute-based encryption, structure-preserving signature and non-interactive zero-knowledge proof, and formally prove the no-read rule and no-write rule of RA-ACE. The experiments demonstrate the efficiency of DSFlow compared with existing schemes.

computer science, information systems, software engineering

Tao Li,Xiaojun Ye,Jianmin Wang

DOI: https://doi.org/10.1145/2430475.2430493

2012-01-01

Abstract:To achieve a trustworthy cloud data service, there is a need to both provide the right services from a security engineering perspective, as well as to allows specific types of computations to be carried out on encrypted cloud data. However, traditional encryption solutions can't be used to process outsourcing encrypted data hosting to an untrusted cloud provider. A novel encryption scheme, called fully homomorphic encryption (FHE), could afford the circuit ability over encrypted data without decrypting it. In this paper, we deliver a universal construction framework for fully homomorphic encryption schemes. At first, this framework initializes a somewhat homomorphic encryption scheme based on the concept of metric space in abstract algebra which encodes the plaintext into a offset vector and generates a ciphertext by adding the offset vector to a random eigenvector in the metric space. As an abelian group, the ring is closed under addition and multiplication, this abstract algebra assume the metric space could forma ring and the eigenvectors belong to an ideal of this ring, then this framework could achieve homomorphism by having the scheme live in rings. We also deduce some well-known fully homomorphic schemes from the construction framework, and propose a prototype with an FHE encryption proxy to solve confidentiality problems in cloud systems. At last, we show the performance of FHE with some experiments, and speed the performance of fully homomorphic encryption up with cloud computing (parallel computing, distribute computing, etc.). We also discuss some opening issues and directions for future fully homomorphic encryption researches.

Yan Cui,Siqi Li,Yue Wang,Bolin Gao

DOI: https://doi.org/10.1109/cvci51460.2020.9338620

2020-01-01

Abstract:With the development of Intelligent Connected Vehicles (ICVs), Cloud Control Platform is becoming an important part to compute driving strategies. However, when strategies are put to cloud, some of vehicle manufacturers' private data must be sent to the cloud, like Engine Map, which are core data for vehicle manufactures. How to protect these data has been the largest obstacle for the ICVs. Thus, this paper proposes a new framework in which Fully Homomorphic Encryption (FHE) and Blockchain technology are combined to compute encryption data on the cloud and record trails of cloud request. In this framework, private data can be protected, the scope of data usage will be limited, and at the same time, the execution of specific type of computations with encryption data on the cloud are fulfilled. In the end, with the help of Simple Encrypted Arithmetic Library (SEAL) developed by Microsoft Research, and IBM blockchain framework Hyperledger Fabric, this framework is verified to be feasible to build a trustworthy ICVs cloud computing system.

Jia Xu,Jia Yan,Liang He,Purui Su,Dengguo Feng

DOI: https://doi.org/10.1109/CloudCom.2010.16

2010-01-01

Abstract:Massive Internet invasions implemented through the distributed platform fabricated by rapid diffusion of malwares, has become a significant issue in network security. We argue that the notion of “Collaborative Security” is an emerging trend in resisting distributed attacks originated from malware. Therefore, this paper proposes a new architecture: CloudSEC, for composing collaborative security-related services in clouds, such as correlated intrusion analysis, anti-spam, anti-DDOS, automated malware detection and containment. CloudSEC is modeled as a dynamic peer-to-peer overlay hierarchy with three types of top-down architectural components. Based on, this architecture, both data distribution and task scheduling overlays can be simultaneously implemented in a loosely coupled fashion, which can efficiently retrieve data resources from heterogeneous network security facilities, and harness distributed collection of computational resources to process data-intensive tasks. Hence, CloudSEC endues the network security infrastructure with the capability of dynamic adaptation and collaboration on an inter-organizational scale. The results of preliminary evaluation demonstrate that, CloudSEC not only delivers a sample service of distributed intrusion correlation with high scalability and robustness, but also achieves remarkable effectiveness in data sharing and task scheduling.

Lin Liu,Jinshu Su,Ximeng Liu,Rongmao Chen,Xinyi Huang,Guang Kou,Shaojing Fu

DOI: https://doi.org/10.1109/tcc.2023.3269510

IF: 5.697

2023-01-01

IEEE Transactions on Cloud Computing

Abstract:Efficiently mining frequent itemsets and association rules on the encrypted outsourced data remains a great challenge for the time-consuming ciphertext computations. Nowadays, it has been not well addressed for privacy-preserving frequent itemsets and association rule mining schemes with mining efficiency, dataset, and query confidentiality simultaneously. In this paper, we investigate the study of privacy issues on frequent itemset mining and association rule mining on outsourced data in a two-cloud model, where the data are encrypted and outsourced by multiple owners holding different public keys. We develop several secure computation protocols based on additively homomorphic cryptosystem and additive secret sharing, which enable the clouds could securely mine the frequent itemsets and association rules. Furthermore, we also design two kinds of frequent itemset and association rule query service models, i.e., service customers query the cloud-mined results, and service customers query with their own decided threshold. The proposed scheme not only supports the mining process on the data encrypted by multiple public keys without compromising the security of the datasets, query data and query results, but also offline users. In addition, the experimental results show that our query scheme is much more efficient than the state-of-the-art work.

computer science, information systems, theory & methods

Wen Zeng,Chunyan Mu,Maciej Koutny,Paul Watson

DOI: https://doi.org/10.48550/arXiv.1404.7760

2014-04-30

Cryptography and Security

Abstract:The extent and importance of cloud computing is rapidly increasing due to the ever increasing demand for internet services and communications. Instead of building individual information technology infrastructure to host databases or software, a third party can host them in its large server clouds. Large organizations may wish to keep sensitive information on their more restricted servers rather than in the public cloud. This has led to the introduction of federated cloud computing (FCC) in which both public and private cloud computing resources are used.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

xuejiao liu,yingjie xia,yang xiang,mohammad mehedi hassan,abdulhameed alelaiwi

DOI: https://doi.org/10.1109/SocialSec2015.13

2015-01-01

Abstract:Hybrid cloud is a widely used cloud architecture in large companies that can outsource data to the publiccloud, while still supporting various clients like mobile devices. However, such public cloud data outsourcing raises serious security concerns, such as how to preserve data confidentiality and how to regulate access policies to the data stored in public cloud. To address this issue, we design a hybrid cloud architecture that supports data sharing securely and efficiently, even with resource-limited devices, where private cloud serves as a gateway between the public cloud and the data user. Under such architecture, we propose an improved construction of attribute-based encryption that has the capability of delegating encryption/decryption computation, which achieves flexible access control in the cloud and privacy-preserving in datautilization even with mobile devices. Extensive experiments show the scheme can further decrease the computational cost and space overhead at the user side, which is quite efficient for the user with limited mobile devices. In the process of delegating most of the encryption/decryption computation to private cloud, the user can not disclose any information to the private cloud. We also consider the communication securitythat once frequent attribute revocation happens, our scheme is able to resist some attacks between private cloud and data user by employing anonymous key agreement.

Zhen Xu,Cong Wang,Kui Ren,Lingyu Wang,Bingsheng Zhang

DOI: https://doi.org/10.1109/tifs.2014.2352457

2013-01-01

Abstract:Cloud computing provides a “pay-per-use” utility service which offers the customer the economical access to large amount of computing resources with minimal management overhead. Despite the tremendous benefits, computation outsourcing also eliminates the customer's ultimate control over the data computation process, which makes securing cloud computation an imperative and challenging task, especially in the aspect of integrity verification. To address these challenges, in this paper we propose to research on integrity verification mechanisms for secure outsourced computations in cloud computing. In particular, we focus on outsourcing the widely applicable engineering optimization problem, i.e., convex optimization, and aim to investigate efficient integrity verification mechanisms using application-specific techniques. Our security design does not require the use of heavy cryptographic tools. Instead, we leverage the inherent structure of the optimization problems and the proof-carrying characteristics of the solving algorithms to achieve efficient integrity verification. The proposed design provides substantial computational savings on the customer side and introduce marginal overhead on the cloud side. We further prove its correctness and soundness. The extensive experiments under real cloud environment show our mechanisms ensure strong integrity assurance with high efficiency on both the customer and cloud sides and are readily applicable in practice.

Mingsheng Ying,Yuan Feng,Nengkun Yu

DOI: https://doi.org/10.1109/csf.2013.16

2013-01-01

Abstract:Quantum cryptography has been extensively studied in the last twenty years, but information-flow security of quantum computing and communication systems has been almost untouched in the previous research. Due to the essential difference between classical and quantum systems, formal methods developed for classical systems, including probabilistic systems, cannot be directly applied to quantum systems. This paper defines an automata model in which we can rigorously reason about information-flow security of quantum systems. The model is a quantum generalisation of Goguen and Meseguer's noninterference. The unwinding proof technique for quantum noninterference is developed, and a certain compositionality of security for quantum systems is established. The proposed formalism is then used to prove security of access control in quantum systems.

Leo Yu Zhang,Yifeng Zheng,Jian Weng,Cong Wang,Zihao Shan,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2018.2864748

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The wide adoption of cloud greatly facilitates the sharing of explosively generated media content today, yet deprives content providers' direct control over the outsourced media content. Thus, it is pivotal to build an encrypted cloud media center where only authorized access is allowed. Enforcing access control alone, however, cannot fully protect content providers' interests, as authorized users may later become traitors that illegally redistribute media content to the public. Such realistic threat should have been seriously treated yet is largely overlooked in the literature. In this paper, we initiate the first study on secure media sharing with fair traitor tracing in the encrypted cloud media center, through a new marriage of proxy re-encryption (for secure media sharing) and fair watermarking (for fair traitor tracing). Our key insight is to fully leverage the homomorphic properties residing in proxy re-encryption to embrace operations in fair watermarking. Two protocols are proposed for different application scenarios. We also provide complexity analysis for performance, showing that our work can also be treated as secure outsourcing of fair watermarking, and thus kills two birds with one stone. We thoroughly analyze the security strengths and conduct extensive experiments to validate the effectiveness of our design.

Cong Wang,Qian Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/iwqos.2009.5201385

2009-01-01

Abstract:Cloud computing has been envisioned as the next-generation architecture of IT enterprise. In contrast to traditional solutions, where the IT services are under proper physical, logical and personnel controls, cloud computing moves the application software and databases to the large data centers, where the management of the data and services may not be fully trustworthy. This unique attribute, however, poses many new security challenges which have not been well understood. In this article, we focus on cloud data storage security, which has always been an important aspect of quality of service. To ensure the correctness of users' data in the cloud, we propose an effective and flexible distributed scheme with two salient features, opposing to its predecessors. By utilizing the homomorphic token with distributed verification of erasure-coded data, our scheme achieves the integration of storage correctness insurance and data error localization, i.e., the identification of misbehaving server (s). Unlike most prior works, the new scheme further supports secure and efficient dynamic operations on data blocks, including: data update, delete and append. Extensive security and performance analysis shows that the proposed scheme is highly efficient and resilient against Byzantine failure, malicious data modification attack, and even server colluding attacks.

Duane Wilson,Giuseppe Ateniese

DOI: https://doi.org/10.48550/arXiv.1404.2697

2014-04-10

Cryptography and Security

Abstract:With the advent of cloud computing, a number of cloud providers have arisen to provide Storage-as-a-Service (SaaS) offerings to both regular consumers and business organizations. SaaS (different than Software-as-a-Service in this context) refers to an architectural model in which a cloud provider provides digital storage on their own infrastructure. Three models exist amongst SaaS providers for protecting the confidentiality data stored in the cloud: 1) no encryption (data is stored in plain text), 2) server-side encryption (data is encrypted once uploaded), and 3) client-side encryption (data is encrypted prior to upload). This paper seeks to identify weaknesses in the third model, as it claims to offer 100% user data confidentiality throughout all data transactions (e.g., upload, download, sharing) through a combination of Network Traffic Analysis, Source Code Decompilation, and Source Code Disassembly. The weaknesses we uncovered primarily center around the fact that the cloud providers we evaluated were each operating in a Certificate Authority capacity to facilitate data sharing. In this capacity, they assume the role of both certificate issuer and certificate authorizer as denoted in a Public-Key Infrastructure (PKI) scheme - which gives them the ability to view user data contradicting their claims of 100% data confidentiality. We have collated our analysis and findings in this paper and explore some potential solutions to address these weaknesses in these sharing methods. The solutions proposed are a combination of best practices associated with the use of PKI and other cryptographic primitives generally accepted for protecting the confidentiality of shared information.

Minghao Zhao,Chengyu Hu,Xiangfu Song,Chuan Zhao

DOI: https://doi.org/10.1016/j.jnca.2019.01.021

IF: 7.574

2019-01-01

Journal of Network and Computer Applications

Abstract:Cloud computing provides the clients with diversified services in a flexible manner. Recently, the cloud platforms have been the basic underling-support for The IoT and mobile computing. The client outsources data storage or computation overhead to the cloud, which accordingly yields a new computing paradigm – the outsourced computing. In such a scenario, the clients hope to acquire the service quality, and wish to not leak their sensitive data to the cloud service provider. Thus, the trustworthy (verifiability) and privacy has been a hot issue for outsourced computing. In this survey, we systematically present the cryptographic methods for ensuring verifiability and privacy. We first describe the research advancement in verifiable computing and the cryptographic primitives for privacy-preserving techniques; and then, taking outsourcing cryptographic operations as an example, to show how them primitives can be integrated to achieve a dependable and privacy-preserving outsourced computing scheme. This paper bridges the gap between the theoretical cryptographic research and engineering secure cloud computing systems.

Jun Tang,Yong Cui,Qi Li,Kui Ren,Jiangchuan Liu,Rajkumar Buyya

DOI: https://doi.org/10.1145/2906153

IF: 16.6

2016-01-01

ACM Computing Surveys

Abstract:With the rapid development of cloud computing, more and more enterprises/individuals are starting to outsource local data to the cloud servers. However, under open networks and not fully trusted cloud environments, they face enormous security and privacy risks (e.g., data leakage or disclosure, data corruption or loss, and user privacy breach) when outsourcing their data to a public cloud or using their outsourced data. Recently, several studies were conducted to address these risks, and a series of solutions were proposed to enable data and privacy protection in untrusted cloud environments. To fully understand the advances and discover the research trends of this area, this survey summarizes and analyzes the state-of-the-art protection technologies. We first present security threats and requirements of an outsourcing data service to a cloud, and follow that with a high-level overview of the corresponding security technologies. We then dwell on existing protection solutions to achieve secure, dependable, and privacy-assured cloud data services including data search, data computation, data sharing, data storage, and data access. Finally, we propose open challenges and potential research directions in each category of solutions.

Kui Ren,Cong Wang

2012-01-01

Abstract:Cloud computing economically enables a fundamental paradigm of data service outsourcing, which provides lower up-front capital costs and less hands-on management. However, outsourcing data services to the commercial public cloud deprives customers' control over the systems that manage their data, raising security and privacy as the primary obstacles to the adoption of the cloud. To address these challenges, in this dissertation we explore the problem of secure and privacy-assured data service outsourcing in cloud computing. We aim at deploying the most fundamental data services including data storage, search, and sharing on the commercial public cloud, with built-in security and privacy assurance as well as high level service performance, usability, and scalability. Our contributions are as follows: Firstly, we focus on privacy-preserving secure cloud storage auditing to maintain strong storage correctness guarantee, given the difficulty that data files are no longer locally possessed by data owners. We first develop a random-masking sampling approach to allow a third party auditor to perform on-demand privacy-preserving storage correctness auditing on behalf of data owners, without violating owners' data privacy. For storage correctness assurance with data dynamics, we further investigate a novel sequence-enforced Merkle Hash Tree and manipulate it with the random sampling approach to support fully dynamic data operations. Secondly, we focus on privacy-assured and effective cloud data search services with strong privacy-assurance, while enjoying high service-level performance inherently demanded by the large number of data users and huge amount data files. We first investigate a widely applicable fuzzy/similarity keyword search problem, and develop a brand new symbol-based trie-traverse searching approach, where transformed fuzzy keywords extracted from data files are stored using a multi-way tree structure, while protecting keyword privacy. To enable search result relevance ranking, we further investigate secure ranked search, which facilitates efficient server-side result ranking without leaking any keyword related information. Thirdly, we study how to enable scalable and owner-controlled cloud data sharing services, given the challenge that data no longer resides on owners' trusted domain. We first associate data with a set of meaningful attributes, use logical composition of attributes to reflect fine-grained data access, and enforce owner's control via attribute-based encryption. For the inherent scalability requirement of cloud system, we further leverage the cloud as a mediated proxy, to which data owners can delegate most cumbersome data/user management workload, without affecting the underlying data confidentiality.