Jian Zhang,Yang,Yanjiao Chen,Jing Chen,Qian Zhang

DOI: https://doi.org/10.1016/j.comnet.2017.08.019

IF: 5.493

2017-01-01

Computer Networks

Abstract:With the growing popularity of cloud storage, to guarantee the security of outsourced data becomes more and more important. In this paper, we make the first attempt to explore the intrinsic relationship between secure cloud storage and homomorphic encryption scheme, based on which we present a Generic way to design a Secure Cloud Storage protocol, denoted as G-SCS, using any homomorphic encryption scheme (HES). The proposed G-SCS is secure under a definition that satisfy the security requirement of cloud storage. To address various issues in real application scenarios, we further extend the protocol to support deterministic and randomized auditing, data dynamics (i.e., data insertion, deletion and modification), as well as third-party public auditing, while preserving the efficiency and security of the protocol. By instantiating all abstract semantics in G-SCS, we construct three concrete secure cloud storage protocols using RSA-based, Paillier-based and DGHV-based HESs, which are multiplicatively, additively and fully HESs, respectively. We conduct extensive theoretical analysis and experimental evaluations to validate the practicability of the proposed protocol.

Hongyi Su,Geng Yang,and Dawei Li

2011-01-01

Abstract:Data storage is an important application of cloud computing. With a cloud computing platform, the burden of local data storage can be reduced. However, services and applications in a cloud may come from different providers, and creating an efficient protocol to protect privacy is critical. We propose a verification protocol for cloud database entries that protects against untrusted service providers. Based on identity-based encryption （IBE） for cloud storage, this protocol guards against breaches of privacy in cloud storage. It prevents service providers from easily constructing cloud storage and forging the signature of data owners by secret sharing. Simulation results confirm the availability and efficiency of the proposed protocol.

Jian Liu,N. Asokan,Benny Pinkas

DOI: https://doi.org/10.1145/2810103.2813623

2015-01-01

Abstract:Encrypting data on client-side before uploading it to a cloud storage is essential for protecting users' privacy. However client-side encryption is at odds with the standard practice of deduplication. Reconciling client-side encryption with cross-user deduplication is an active research topic. We present the first secure cross-user deduplication scheme that supports client-side encryption without requiring any additional independent servers. Interestingly, the scheme is based on using a PAKE (password authenticated key exchange) protocol. We demonstrate that our scheme provides better security guarantees than previous efforts. We show both the effectiveness and the efficiency of our scheme, via simulations using realistic datasets and an implementation.

HAN Peiyi,LIU Chuanyi,WANG Jiahui,DUAN Shaoming,PAN Hezhong,FANG Binxing

DOI: https://doi.org/10.11959/j.issn.1000-436x.2020140

2020-01-01

Abstract:To order to address the problem of cloud storage data security,the generic proxy-based data protection system was proposed,which could automatically and transparently secure sensitive data in browser-based cloud storage applications.A novel dynamic program analysis technique was adopted based on JavaScript API function hooking for automatically extending to various cloud applications.And a novel proxy executed searchable encryption solution was presented so that it could achieve data encryption while maintaining the original functions of cloud applications.Experimental results show that the system can support a variety of typical cloud services,effectively protect sensitive data,and bring a relatively low overhead.

Chuanyi Liu,Peiyi Han,Yingfei Dong,Hezhong Pan,Shaoming Duan,Binxing Fang

DOI: https://doi.org/10.1109/access.2020.2985870

IF: 3.9

2020-01-01

IEEE Access

Abstract:Browser-based cloud storage services are still broadly used in enterprises for online sharing and collaboration. However, sensitive information in images or documents may be easily leaked outside trusted enterprise on-premises due to such cloud services. Existing solutions to prevent data leakage in cloud storage services either limit many functionalities of cloud applications or are difficult to be scaled to various cloud applications. In this paper, we propose CloudDLP, a transparent and scalable approach for enterprises to automatically sanitize sensitive data in images and documents with various browser-based cloud applications. CloudDLP is deployed as an internet gateway within the premises of an enterprise using JavaScript injecting techniques and deep learning methods to sanitize sensitive premise data. It neither compromises the user experience nor significantly affects application functionalities in browser-based cloud storage services. We have evaluated CloudDLP with a number of real-world cloud applications. Our experimental results show that it can achieve automatic data sanitization with cloud storage services while preserving most functionalities of cloud applications.

Debajyoti Mukhopadhyay,Gitesh Sonawane,Parth Sarthi Gupta,Sagar Bhavsar,Vibha Mittal

DOI: https://doi.org/10.48550/arXiv.1303.7075

2013-03-28

Cryptography and Security

Abstract:Cloud computing is a term coined to a network that offers incredible processing power, a wide array of storage space and unbelievable speed of computation. Social media channels, corporate structures and individual consumers are all switching to the magnificent world of cloud computing. The flip side to this coin is that with cloud storage emerges the security issues of confidentiality, data integrity and data availability. Since the cloud is a mere collection of tangible super computers spread across the world, authentication and authorization for data access is more than a necessity. Our work attempts to overcome these security threats. The proposed methodology suggests the encryption of the files to be uploaded on the cloud. The integrity and confidentiality of the data uploaded by the user is ensured doubly by not only encrypting it but also providing access to the data only on successful authentication.

Guoyou Chen,Jiajia Miao,Feng Xie,Handong Mao

DOI: https://doi.org/10.4028/www.scientific.net/amm.278-280.1767

2013-01-01

Applied Mechanics and Materials

Abstract:Cloud computing has been a hot researching area of computer network technology, since it was proposed in 2007. Cloud computing also has been envisioned as the next-generation architecture of IT Enterprise [1]. Cloud computing infrastructures enable companies to cut costs by outsourcing computations on-demand. It moves the application software and database to the large data centers, where the management of the data and services may not be fully trustworthy [2]. This poses many new security challenges. In this paper, we just focus on data storage security in the cloud, which has been the most important aspect of quality of service. To ensure the confidentiality and integrity of user's data in the cloud, and support of data dynamic operations, such as modification, insertion and deletion, we propose a framework for storage security, which includes cryptographic storage scheme and data structure. With our framework, the untrusted server cannot learn anything about the plaintext, and the dynamic operation can be finished in short time. The encryption algorithm and data storage structure is simple, and it's easy to maintain. Hence, our framework is practical to use today.

Guofeng Wang,Chuanyi Liu,Yingfei Dong,Hezhong Pan,Peiyi Han,Binxing Fang

DOI: https://doi.org/10.1109/spac.2017.8304356

2017-01-01

Abstract:Confidential data is often encrypted before it is uploaded to cloud servers. However, client-controlled encryption often poses a major barrier towards the full functionalities of cloud services. This paper presents SafeBox, a new Cloud Access Security Broker (CASB)-based approach that protects sensitive information against attackers with full control of cloud servers, and allows clients to search and share encrypted data transparently. It addresses the following challenges: First, SafeBox brings almost no loss of functionalities for protecting sensitive information in cloud applications. It safeguards not only textual input data but also uploaded files. Second, it allows a server to perform keyword-based searching over encrypted contents, and does not modify the current cloud interfaces or users' habits. Finally, it enables encrypted data sharing between different brokers efficiently. Our experimental evaluations on multiple cloud applications show that SafeBox has modest overheads and can be applied to practical use.

Jiwu Shu,Zhirong Shen,Wei Xue

DOI: https://doi.org/10.1016/j.jpdc.2014.06.003

IF: 4.542

2014-01-01

Journal of Parallel and Distributed Computing

Abstract:With the increasing amount of personal data stored in public storage, users are losing control of their physical data, putting their data information at risk of theft or being compromised. Traditional secure storage systems either require users to completely trust the storage provider or impose the considerable burden of managing files on file owners; such systems are inapplicable in the practical cloud environment. This paper addresses these challenging problems by proposing a new secure system architecture and implementing a stackable secure storage system named Shield, in which a proxy server is introduced to be in charge of authentication and access control. We propose a new variant of the Merkle Hash Tree to support efficient integrity checking and file content update; further, we have designed a hierarchical key organization to achieve convenient keys management and efficient permission revocation. Shield supports concurrent write access by employing a virtual linked list; it also provides secure file sharing without any modification to the underlying file systems. A series of evaluations over various real benchmarks show that Shield causes about 7%∼13% performance degradation when compared with eCryptfs but provides enhanced security for user’s data.

Manting Shen,Yinyan Yu,Zhi Tang,Xiaoyu Cui

DOI: https://doi.org/10.1109/compsac.2016.56

2016-01-01

Abstract:Sensitive information leakage in files is one of the biggest concerns in people's life. Considering this situation, people have designed lots of tools to protect sensitive files. However, these specialized tools are not applicable when the user amount is small. This paper proposes a novel light-weight mechanism that provides efficient and fast cryptographic-based file protection to meet the need of small organizations. The highlights are its ability to provide protection for all types of files, and the usage of an efficient access control approach for file sharing. Operations in the directory are monitored in real time and files are protected automatically. Moreover, encryption keys are generated and well preserved by a hierarchical key generation algorithm. For further estimation, we conducted experiments and analyzed the security and performance of our mechanism as well as other file protection software, and then we made a comparison among them. Experimental results show that our mechanism performs well both in security and performance and outperforms those other file protection software when applied in small organizations.

Quinn Burke,Yohan Beugin,Blaine Hoak,Rachel King,Eric Pauley,Ryan Sheatsley,Mingli Yu,Ting He,Thomas La Porta,Patrick McDaniel

2024-10-03

Abstract:Cloud file systems offer organizations a scalable and reliable file storage solution. However, cloud file systems have become prime targets for adversaries, and traditional designs are not equipped to protect organizations against the myriad of attacks that may be initiated by a malicious cloud provider, co-tenant, or end-client. Recently proposed designs leveraging cryptographic techniques and trusted execution environments (TEEs) still force organizations to make undesirable trade-offs, consequently leading to either security, functional, or performance limitations. In this paper, we introduce BFS, a cloud file system that leverages the security capabilities provided by TEEs to bootstrap new security protocols that deliver strong security guarantees, high-performance, and a transparent POSIX-like interface to clients. BFS delivers stronger security guarantees and up to a 2.5X speedup over a state-of-the-art secure file system. Moreover, compared to the industry standard NFS, BFS achieves up to 2.2X speedups across micro-benchmarks and incurs <1X overhead for most macro-benchmark workloads. BFS demonstrates a holistic cloud file system design that does not sacrifice an organizations' security yet can embrace all of the functional and performance advantages of outsourcing.

Cryptography and Security,Operating Systems

Marciano da Rocha,Dalton Cézane Gomes Valadares,Angelo Perkusich,Kyller Costa Gorgonio,Rodrigo Tomaz Pagno,Newton Carlos Will

DOI: https://doi.org/10.5220/0009130600310043

2020-03-09

Abstract:With the evolution of computer systems, the amount of sensitive data to be stored as well as the number of threats on these data grow up, making the data confidentiality increasingly important to computer users. Currently, with devices always connected to the Internet, the use of cloud data storage services has become practical and common, allowing quick access to such data wherever the user is. Such practicality brings with it a concern, precisely the confidentiality of the data which is delivered to third parties for storage. In the home environment, disk encryption tools have gained special attention from users, being used on personal computers and also having native options in some smartphone operating systems. The present work uses the data sealing, feature provided by the Intel Software Guard Extensions (Intel SGX) technology, for file encryption. A virtual file system is created in which applications can store their data, keeping the security guarantees provided by the Intel SGX technology, before send the data to a storage provider. This way, even if the storage provider is compromised, the data are safe. To validate the proposal, the Cryptomator software, which is a free client-side encryption tool for cloud files, was integrated with an Intel SGX application (enclave) for data sealing. The results demonstrate that the solution is feasible, in terms of performance and security, and can be expanded and refined for practical use and integration with cloud synchronization services.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Duane Wilson,Giuseppe Ateniese

DOI: https://doi.org/10.48550/arXiv.1404.2697

2014-04-10

Cryptography and Security

Abstract:With the advent of cloud computing, a number of cloud providers have arisen to provide Storage-as-a-Service (SaaS) offerings to both regular consumers and business organizations. SaaS (different than Software-as-a-Service in this context) refers to an architectural model in which a cloud provider provides digital storage on their own infrastructure. Three models exist amongst SaaS providers for protecting the confidentiality data stored in the cloud: 1) no encryption (data is stored in plain text), 2) server-side encryption (data is encrypted once uploaded), and 3) client-side encryption (data is encrypted prior to upload). This paper seeks to identify weaknesses in the third model, as it claims to offer 100% user data confidentiality throughout all data transactions (e.g., upload, download, sharing) through a combination of Network Traffic Analysis, Source Code Decompilation, and Source Code Disassembly. The weaknesses we uncovered primarily center around the fact that the cloud providers we evaluated were each operating in a Certificate Authority capacity to facilitate data sharing. In this capacity, they assume the role of both certificate issuer and certificate authorizer as denoted in a Public-Key Infrastructure (PKI) scheme - which gives them the ability to view user data contradicting their claims of 100% data confidentiality. We have collated our analysis and findings in this paper and explore some potential solutions to address these weaknesses in these sharing methods. The solutions proposed are a combination of best practices associated with the use of PKI and other cryptographic primitives generally accepted for protecting the confidentiality of shared information.

Jianting Ning,Zhenfu Cao,Xiaolei Dong,Kaitai Liang,Lifei Wei,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1109/tsc.2018.2791538

IF: 11.019

2019-01-01

IEEE Transactions on Services Computing

Abstract:Secure cloud storage, which is an emerging cloud service, is designed to protect the confidentiality of outsourced data but also to provide flexible data access for cloud users whose data is out of physical control. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is regarded as one of the most promising techniques that may be leveraged to secure the guarantee of the service. However, the use of CP-ABE may yield an inevitable security breach which is known as the misuse of access credential (i.e., decryption rights), due to the intrinsic “all-or-nothing” decryption feature of CP-ABE. In this paper, we investigate the two main cases of access credential misuse: one is on the semi-trusted authority side, and the other is on the side of cloud user. To mitigate the misuse, we propose the first accountable authority and revocable CP-ABE based cloud storage system with white-box traceability and auditing, referred to as CryptCloud±. We also present the security analysis and further demonstrate the utility of our system via experiments.

Li, ZiTong,Yan, Zhengmao,Liu, Yi,Zeng, Detian,Yu, Haoyang

DOI: https://doi.org/10.1007/s12083-024-01856-y

IF: 3.488

2024-12-01

Peer-to-Peer Networking and Applications

Abstract:The evolution of cloud computing towards X-as-a-Service models and the adoption of microservices architecture have significantly matured the field. As these technologies advance, they bring challenges such as data consistency, transaction traceability, and efficient information processing, particularly in edge computing environments. This paper explores the integration of microservices architecture, edge computing, and blockchain technology to address these challenges, with a focus on secure file sharing. We present a framework that uses identity authentication and leverages Ethereum blockchain, IPFS, and HDFS for decentralized, tamper-resistant file sharing. Our implementation in the FsMbe system fetches data using the DHT of the distributed network after authentication by Ethereum and employs multi-round AES encryption for data sharing. Extensive experiments were conducted to evaluate our framework's performance in various scenarios, including small data communication between microservices in edge groups and large file transfers between edge nodes in larger groups. The framework demonstrated stable data transfer performance, particularly for small payloads, even as the number of clients increased. This research contributes to secure and efficient data management in edge computing and microservice environments, providing a robust solution for decentralized file sharing with enhanced performance and security.

computer science, information systems,telecommunications

Eduardo Duarte,Filipe Pinheiro,André Zúquete,Hélder Gomes

DOI: https://doi.org/10.48550/arXiv.1501.03139

2015-01-14

Abstract:This paper presents a multi-platform, open-source application that aims to protect data stored and shared in existing cloud storage services. The access to the cryptographic material used to protect data is implemented using the identification and authentication functionalities of national electronic identity (eID) tokens. All peer to peer dialogs to exchange cryptographic material is implemented using the cloud storage facilities. Furthermore, we have included a set of mechanisms to prevent files from being permanently lost or damaged due to concurrent modification, deletion and malicious tampering. We have implemented a prototype in Java that is agnostic relatively to cloud storage providers; it only manages local folders, one of them being the local image of a cloud folder. We have successfully tested our prototype in Windows, Mac OS X and Linux, with Dropbox, OneDrive, Google Drive and SugarSync.

Cryptography and Security

Lei Zhang,Hu Xiong,Qiong Huang,Jiguo Li,Kim-Kwang Raymond Choo,Jiangtao Li

DOI: https://doi.org/10.1109/tsc.2019.2937764

IF: 11.019

2022-01-01

IEEE Transactions on Services Computing

Abstract:While cloud computing is relatively mature and its potential benefits well understood by individual, industry and government consumers, a number of security and privacy concerns remain. Unsurprisingly, designing cryptographic solutions to ensure the security of cloud services and the privacy of data outsourced to the cloud remains an ongoing research area. This paper provides a critique of the wide range of cryptographic schemes designed for securing sensitive data in the cloud computing environment, as well as outlining the research opportunities in the use of cryptographic techniques in cloud computing.

computer science, information systems, software engineering

Liwei Guo,Yiying Zhang,Felix Xiaozhu Lin

DOI: https://doi.org/10.48550/arXiv.1902.06327

2019-02-17

Cryptography and Security

Abstract:Smart devices produce security-sensitive data and keep them in on-device storage for persistence. The current storage stack on smart devices, however, offers weak security guarantees: not only because the stack depends on a vulnerable commodity OS, but also because smart device deployment is known weak on security measures. To safeguard such data on smart devices, we present a novel storage stack architecture that i) protects file data in a trusted execution environment (TEE); ii) outsources file system logic and metadata out of TEE; iii) running a metadata-only file system replica in the cloud for continuously verifying the on-device file system behaviors. To realize the architecture, we build Overwatch, aTrustZone-based storage stack. Overwatch addresses unique challenges including discerning metadata at fine grains, hiding network delays, and coping with cloud disconnection. On a suite of three real-world applications, Overwatch shows moderate security overheads.

Sandeep K. Sood

DOI: https://doi.org/10.1016/j.jnca.2012.07.007

IF: 7.574

2012-11-01

Journal of Network and Computer Applications

Abstract:Cloud computing is a forthcoming revolution in information technology (IT) industry because of its performance, accessibility, low cost and many other luxuries. It is an approach to maximize the capacity or step up capabilities vigorously without investing in new infrastructure, nurturing new personnel or licensing new software. It provides gigantic storage for data and faster computing to customers over the internet. It essentially shifts the database and application software to the large data centers, i.e., cloud, where management of data and services may not be completely trustworthy. That is why companies are reluctant to deploy their business in the cloud even cloud computing offers a wide range of luxuries. Security of data in cloud is one of the major issues which acts as an obstacle in the implementation of cloud computing. In this paper, a frame work comprising of different techniques and specialized procedures is proposed that can efficiently protect the data from the beginning to the end, i.e., from the owner to the cloud and then to the user. We commence with the classification of data on the basis of three cryptographic parameters presented by the user, i.e., Confidentiality (C), Availability (A) and Integrity (I).The strategy followed to protect the data utilizes various measures such as the SSL (Secure Socket Layer) 128-bit encryption and can also be raised to 256-bit encryption if needed, MAC (Message Authentication Code) is used for integrity check of data, searchable encryption and division of data into three sections in cloud for storage. The division of data into three sections renders supplementary protection and simple access to the data. The user who wishes to access the data is required to provide the owner login identity and password, before admittance is given to the encrypted data in Section 1, Section 2, and Section 3.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Xiong Li,Saru Kumari,Jian Shen,Fan Wu,Caisen Chen,SK Hafizul Islam

DOI: https://doi.org/10.1007/s11277-016-3742-6

IF: 2.017

2016-01-01

Wireless Personal Communications

Abstract:Cloud storage is a new storage mode emerged along with the development of cloud computing paradigm. By migrating the data to cloud storage, the consumers can be liberated from building and maintaining the private storage infrastructure, and they can enjoy the data storage service at anywhere and anytime with high reliability and a relatively low cost. However, the security and privacy risks, especially the confidentiality and integrity of data seem to be the biggest hurdle to the adoption of the cloud storage applications. In this paper, we consider the secure data access and sharing issues for cloud storage services. Based on the intractability of the discrete logarithm problem, we design a secure data access and data sharing scheme for cloud storage, where we utilize the user authentication scheme to deal with the data access problem. According to our analysis, through our scheme, only valid user with the correct password and biometric can access to the cloud storage provider. Besides, the authorized users can access the rightful resources and verify the validity of the shared data, but cannot transfer the permission to any other party. At the same time, the confidentiality and integrity of data can be guaranteed.