Jian Liu,N. Asokan,Benny Pinkas

DOI: https://doi.org/10.1145/2810103.2813623

2015-01-01

Abstract:Encrypting data on client-side before uploading it to a cloud storage is essential for protecting users' privacy. However client-side encryption is at odds with the standard practice of deduplication. Reconciling client-side encryption with cross-user deduplication is an active research topic. We present the first secure cross-user deduplication scheme that supports client-side encryption without requiring any additional independent servers. Interestingly, the scheme is based on using a PAKE (password authenticated key exchange) protocol. We demonstrate that our scheme provides better security guarantees than previous efforts. We show both the effectiveness and the efficiency of our scheme, via simulations using realistic datasets and an implementation.

Chen Zhang,Yinbin Miao,Qingyuan Xie,Yu Guo,Hongwei Du,Xiaohua Jia

DOI: https://doi.org/10.1109/tpds.2022.3179992

IF: 5.3

2022-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Distributed fog computing has received wide attention recently. It enables distributed computing and data management on the network nodes within the close vicinity of IoT devices. An important service of fog-cloud based systems is data deduplication. With the increasing concern of privacy, some privacy-preserving data deduplication schemes have been proposed. However, they cannot support lossless deduplication of encrypted similar data in the fog-cloud network. Meanwhile, no existing design can protect message equality information while resisting brute-force and frequency analysis attacks. In this paper, we propose a privacy-preserving and compression-based data deduplication system under the fog-cloud network, which supports lossless deduplication of similar data in the encrypted domain. Specifically, we first use the generalized deduplication technique and cryptographic primitives to implement secure deduplication over similar data. Then, we devise a two-level deduplication protocol that can perform secure and efficient deduplication at distributed fog nodes and the cloud. The proposed system can not only resist brute-force and frequency analysis attacks but also ensure that only the data operator can capture the message equality information. We formally analyze the security of our design. Performance evaluations demonstrate that our proposed design is efficient in computing, storage, and communication.

Yuan Zhang,Yunlong Mao,Minze Xu,Fengyuan Xu,Sheng Zhong

DOI: https://doi.org/10.1109/tdsc.2019.2911502

2020-01-01

Abstract:As one of a few critical technologies to cloud storage service, deduplication allows cloud servers to save storage space by deleting redundant file copies. However, it often leaks side channel information regarding whether an uploading file gets deduplicated or not. Exploiting this information, adversaries can easily launch a template side-channel attack and severely harm cloud users' privacy. To thwart this kind of attack, we resort to the k-anonymity privacy concept to design secure threshold deduplication protocols. Specifically, we have devised a novel cryptographic primitive called "dispersed convergent encryption" (DCE) scheme, and proposed two different constructions of it. With these DCE schemes, we successfully construct secure threshold deduplication protocols that do not rely on any trusted third party. Our protocols not only support confidentiality protections and ownership verifications, but also enjoy formal security guarantee against template side-channel attacks even when the cloud server could be a "covert adversary" who may violate the predefined threshold and perform deduplication covertly. Experimental evaluations show our protocols enjoy very good performance in practice.

Xin Tang,Yudan Zhu,Mingjun Fu

DOI: https://doi.org/10.1109/tcc.2024.3376996

IF: 5.697

2024-01-01

IEEE Transactions on Cloud Computing

Abstract:Cross-user deduplication is an emerging technique to eliminate uploading of redundant data in cloud storage. Even though it is able to improve storage and communication efficiency simultaneously, it suffers from the problem of privacy leakage by side channel attack, which is a major obstacle to the practical application of this technique. In order to achieve a secure cross-user deduplication, Yu et al. recently proposed a zero-knowledge response (ZEUS) scheme, together with an advanced countermeasure ZEUS$^\mathrm{+}$ by combining ZEUS and the random threshold solution, each of which is claimed to be secure against side channel attack. However, in this paper we show that both ZEUS and ZEUS$^\mathrm{+}$ are easily subject to a random chunk generation attack, which in turn undermines the claimed security. Furthermore, we also propose a simple but effective method to improve the existing schemes.

computer science, information systems, theory & methods

TANG Xin,ZHOU Linna,SHAN Weijie,LIU Dan

DOI: https://doi.org/10.11959/j.issn.1000-436x.2020103

2020-01-01

Abstract:For security and efficiency problems in threshold based deduplication for cloud data,a novel method based on threshold re-encryption was proposed to deal with side channel attacks.A lightweight threshold re-encryption mechanism was presented to transfer the secondary encryption to the cloud for execution and allow clients to generate ciphertext based on key segmentation instead of ciphertext segmentation,both of which largely reduce computational overhead of clients.Also,the proposed mechanism enables clients to decrypt from both one-time encrypted and re-encrypted ciphertext,thus avoiding the overhead of redundant encryption of the same file.Mutual integrity verification between cloud service provider and clients was also supported by the proposed method,which directly ensured the correctness of the correspondence between ciphertext and plaintext on client side.Experiments show that the proposed method not only largely reduces the computational overhead on client side,but also achieves superior storage performance on cloud side simultaneously.

Mingyang Song,Zhongyun Hua,Yifeng Zheng,Tao Xiang,Xiaohua Jia

DOI: https://doi.org/10.1109/tpds.2023.3298684

IF: 5.3

2023-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Distributed fog computing has received increasing attention recently and fog-assisted cloud storage can provide a real-time service to collect and manage large-scale data for the applications of Internet of Things. Encrypted data deduplication over cloud storage can significantly save storage space of the cloud server while protecting the confidentiality of the outsourced data. Previous encrypted data deduplication schemes are mostly designed for traditional cloud storage with a two-layer architecture and cannot be applied to the emerging fog-assisted cloud storage that has a more complex three-layer architecture (i.e., cloud server, fog node and endpoint device). In this paper, we design, analyze and implement FCDedup, a new encrypted data deduplication scheme for fog-assisted cloud storage. FCDedup is a two-level deduplication system that enables each fog node to detect duplicated encrypted data uploaded by different endpoint devices, as well as enables cloud server to detect duplicated encrypted data from different fog nodes. By doing so, FCDedup can achieve both intra-deduplication within a single data owner and inter-deduplication across different data owners. FCDedup is also designed to prevent cloud server and fog nodes launching the brute-force attacks, and to guarantee the reliability of files downloaded from the cloud. Formal analysis is provided to justify its deduplication correctness and security. Besides, we implement a prototype of FCDedup using Alibaba Cloud as backend storage. Our evaluations demonstrate that FCDedup is completely compatible with existing cloud storage systems and achieves modest performance overhead.

Liangmin Wang,Xiaofeng Chen,Yuan Chen,Tao Jiang,Jianfeng Ma,Xu Yuan,Ke Cheng

DOI: https://doi.org/10.1109/TDSC.2022.3185313

2023-05-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Data deduplication is of critical importance to reduce the storage cost for clients and to relieve the unnecessary storage pressure for cloud servers. While various techniques have been proposed for secure deduplication of identical files/blocks, the effective and secure deduplication solutions on fuzzy similar data (image, video, and others) which occupy a large portion in the real world across wide applications, remain open. In this article, we propose a novel deduplication system, named Fuzzy Deduplication (FuzzyDedup), to implement the secure deduplication of similar data (i.e., similar files, chunks, or blocks). In particular, we leverage the similarity-preserving hash, a fuzzy extractor based on error-correcting codes, and the encryption with customized design to construct a fuzzy-style deduplication encryption scheme (FuzzyMLE), achieving the ciphertext-based deduplication for similar data. Besides, to defend against data ownership cheating attack and duplicate-faking attack, a fuzzy-style proof of ownership scheme (FuzzyPoW) is designed for the cloud server to securely verify a client in possession of the similar data. To further enhance security and efficiency, we also propose both server-aided and random-tag FuzzyMLE to make FuzzyDedup robust against off-line brute-force attack and to support tag randomization, respectively. Then, we design Hamming distance reduction and tag cutting optimization algorithms to improve the tag query efficiency of FuzzyDedup. In the end, we formally prove the security of our solution and conduct experiments on real-world datasets for performance evaluation. Experimental results exhibit the efficiency of FuzzyDedup in terms of computation cost and communication overhead.

Computer Science

Yongkai Fan,Xiaodong Lin,Wei Liang,Gang Tan,Priyadarsi Nanda

DOI: https://doi.org/10.1016/j.future.2019.04.046

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:Data deduplication is a key technique to improve storage efficiency in cloud computing. By pointing redundant files to a single copy, cloud service providers greatly reduce their storage space as well as data transfer costs. Despite of the fact that the traditional deduplication approach has been adopted widely, it comes with a high risk of losing data confidentiality because of the data storage models in cloud computing. To deal with this issue in cloud storage, we first propose a TEE (trusted execution environment) based secure deduplication scheme. In our scheme, each cloud user is assigned a privilege set; the deduplication can be performed if and only if the cloud users have the correct privilege. Moreover, our scheme augments the convergent encryption with users’ privileges and relies on TEE to provide secure key management, which improves the ability of such cryptosystem to resist chosen plaintext attacks and chosen ciphertext attacks. A security analysis indicates that our scheme is secure enough to support data deduplication and to protect the confidentiality of sensitive data. Furthermore, we implement a prototype of our scheme and evaluate the performance of our prototype, experiments show that the overhead of our scheme is practical in realistic environments.

Meixia Miao,Jianfeng Wang,Hui Li,Xiaofeng Chen

DOI: https://doi.org/10.1016/j.pmcj.2015.03.002

IF: 3.848

2015-01-01

Pervasive and Mobile Computing

Abstract:Cloud computing enables on-demand and ubiquitous access to a centralized pool of configurable resources such as networks, applications, and services. This makes that huge of enterprises and individual users outsource their data into the cloud server. As a result, the data volume in the cloud server is growing extremely fast. How to efficiently manage the ever-increasing datum is a new security challenge in cloud computing. Recently, secure deduplication techniques have attracted considerable interests in the both academic and industrial communities. It can not only provide the optimal usage of the storage and network bandwidth resources of cloud storage providers, but also reduce the storage cost of users. Although convergent encryption has been extensively adopted for secure deduplication, it inevitably suffers from the off-line brute-force dictionary attacks since the message usually can be predictable in practice. In order to address the above weakness, the notion of DupLESS was proposed in which the user can generate the convergent key with the help of a key server. We argue that the DupLESS does not work when the key server is corrupted by the cloud server. In this paper, we propose a new multi-server-aided deduplication scheme based on the threshold blind signature, which can effectively resist the collusion attack between the cloud server and multiple key servers. Furthermore, we prove that our construction can achieve the desired security properties.

Shanshan Li,Chunxiang Xu,Yuan Zhang

DOI: https://doi.org/10.1016/j.jisa.2019.03.015

IF: 4.96

2019-01-01

Journal of Information Security and Applications

Abstract:As digital data are explosively generated nowadays, data management becomes a critical problem, which makes cloud storage services important and popular. In reality, the storage overhead can be reduced significantly by performing date deduplication. Among the outsourced data, some of them are very personal and sensitive, and should be prevented for any leakage. Generally, if clients conventionally encrypt the data, deduplication is lost. Message-locked encryption (MLE) is a cryptographic primitive supporting encrypted data deduplication. A secure client-side deduplication scheme can be built upon MLE to reduce both communication and computation overhead for cloud storage systems, where a client interacts with the cloud server to check the duplicate data and only the data which has not been outsourced by other clients before is required to be uploaded. However, existing client-side encrypted data deduplication schemes are confronted with brute-force attacks that can recover files falling into a known set. Furthermore, existing schemes are vulnerable to illegal content distribution attacks, where the adversary can distribute data to other users via the cloud server without detecting. In this paper, we propose a secure and efficient client-side encrypted data deduplication scheme (CSED). In CSED, a dedicated key server is introduced in generating MLE keys to resist brute-force attacks. We propose a Bloom filter-based proofs of ownership (PoW) mechanism and integrate it into CSED to resist illegal content distribution attacks. Moreover, a hierarchical storage architecture is employed to improve the I/O efficiency on the cloud server. Security analysis and performance evaluation demonstrate that CSED is secure and efficient.

Xinyu Tang,Cheng Guo,Kim-Kwang Raymond Choo,Xueru Jiang,Yining Liu

DOI: https://doi.org/10.1016/j.comcom.2024.05.003

IF: 5.047

2024-01-01

Computer Communications

Abstract:Data deduplication technology is extensively employed to enhance the storage efficiency of cloud servers by eliminating redundant files. Cloud users commonly encrypt their data prior to uploading it to the server. Conventional encryption algorithms, however, lead to the encryption of duplicated data from different users into distinct ciphertexts. Consequently, these ciphertexts must be stored in the cloud since the cloud server cannot identify such duplicated data. In this paper, we introduce a hybrid cloud-based secure deduplication scheme tailored for implementation on large-scale data systems. Specifically, our approach leverages ciphertext-policy attribute-based encryption (CP-ABE), which enables us to establish access control and key management via a private cloud server. Simultaneously, we leverage a public cloud server to cater to enterprises and groups seeking secure data storage. Notably, our approach ensures mutual zero-interaction verification between both public and private cloud servers through ElGamal encryption, thereby guaranteeing data unforgeability. The security assessment illustrates that our proposed approach ensures both data privacy and integrity. We also show that the approach resists brute-force attacks on the dictionary, prevents malicious users from deceiving cloud servers to return incorrect ciphertext, and achieves secure and efficient access control and key management. Furthermore, functional and performance evaluation underscores the superiority of our method over five other classical data deduplication schemes. Under the premise of having more comprehensive security settings, the performance of the scheme still maintains a good level at every stage.

Jiajun Yan,Xiaoming Wang,Qingqing Gan,Suyu Li,Daxin Huang

DOI: https://doi.org/10.1007/s00500-019-04215-9

IF: 3.732

2019-01-01

Soft Computing

Abstract:With the rapid development of the Internet of Things, the massive amount of big data generated by the Internet of Things terminals and the real-time processing requirements have brought enormous challenges. A two-tier computing model consisting solely of two entities, cloud and user, will not be sufficient to support processing large numbers of concurrent data requests. Therefore, fog computing was proposed. How to realize the secure and efficient deduplication of ciphertext in fog computing has become a new research topic. In this paper, we firstly present a new decentralized deduplication structure and then show how to apply it to construct a secure and efficient big data deduplication scheme in fog computing. The cloud server, in the proposed paper, can quickly determine which fog server needs to be traversed to search duplicate data, and instead of traversing all fog servers. This significantly improves the efficiency of big data deduplication in fog computing. Furthermore, the proposed scheme allows fog server to verify whether the user possesses the ownership of the data. Performance analysis and experimental results show the proposed scheme has less overheads than existing schemes.

Li Peng,Zheng Yan,Xueqin Liang,Xixun Yu

DOI: https://doi.org/10.1016/j.ins.2023.119279

IF: 8.1

2023-01-01

Information Sciences

Abstract:In the era of big data, data explosion has brought challenges to cloud storage management. To improve cloud storage efficiency and save network communication bandwidth, cloud data deduplication has emerged as a research hotspot, especially in the field of encrypted cloud data storage. How to enhance the security of encrypted data deduplication by resisting various attacks on deduplication has become an important research issue. However, existing solutions suffer from security flaws and are vulnerable to a series of attacks, e.g., duplicate faking attacks, file ownership spoofing attacks, and file tampering attacks. Besides, dynamic data operation is rarely considered or audited. To solve the above problems, we propose a novel scheme, named SecDedup, to enhance the security of encrypted cloud data deduplication with dynamic auditing. SecDedup applies a homomorphic authenticator and designs a multi-functional data tag with optimized storage to support deduplication and auditing at the same time with security guarantee against various attacks as mentioned above. In particular, We embed multi-set hash functions into data tags to achieve dynamic data auditing. In addition, SecDedup supports batch auditing with optimized computational cost for multiple deduplication auditing tasks. We formally prove the correctness and security of SecDedup, showing that it can successfully achieve our design goals for resisting the above listed attacks. We also analyze and evaluate the performance of SecDedup in terms of computation, communication, and tag storage overheads by comparing them with existing works. The results show its effectiveness and scalability.

Jin Li,Xiaofeng Chen,Xinyi Huang,Shaohua Tang,Yang Xiang,Mohammad Mehedi Hassan,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1109/tc.2015.2401017

2015-01-01

Abstract:Data deduplication is a technique for eliminating duplicate copies of data, and has been widely used in cloud storage to reduce storage space and upload bandwidth. However, there is only one copy for each file stored in cloud even if such a file is owned by a huge number of users. As a result, deduplication system improves storage utilization while reducing reliability. Furthermore, the challenge of privacy for sensitive data also arises when they are outsourced by users to cloud. Aiming to address the above security challenges, this paper makes the first attempt to formalize the notion of distributed reliable deduplication system. We propose new distributed deduplication systems with higher reliability in which the data chunks are distributed across multiple cloud servers. The security requirements of data confidentiality and tag consistency are also achieved by introducing a deterministic secret sharing scheme in distributed storage systems, instead of using convergent encryption as in previous deduplication systems. Security analysis demonstrates that our deduplication systems are secure in terms of the definitions specified in the proposed security model. As a proof of concept, we implement the proposed systems and demonstrate that the incurred overhead is very limited in realistic environments.

Mingyang Song,Zhongyun Hua,Yifeng Zheng,Tao Xiang,Xiaohua Jia

DOI: https://doi.org/10.1109/tdsc.2023.3334475

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In cloud storage systems, secure deduplication plays a critical role in saving storage costs for the cloud server and ensuring data confidentiality for cloud users. Traditional secure deduplication schemes require users to encrypt their outsourced files using specific encryption algorithms that cannot provide semantic security. However, users are unable to directly benefit from the storage savings, as the relation between the actual storage cost and the offered prices remains not transparent. As a result, users may be unwilling to cooperate with the cloud by encrypting their data using semantically secure algorithms. Moreover, data integrity is a significant concern for cloud storage users. To address these issues, this paper proposes a novel transparent and secure deduplication scheme that supports integrity auditing. Compared to previous works, our design can verify the number of file owners and the integrity through one-time proof verification. It also protects the private contents of files and the privacy of file ownership from malicious users. Moreover, our scheme includes a batch auditing method to simultaneously verify the numbers of file owners and the integrity of multiple files. Theoretical analysis confirms the correctness and security of our scheme. Comparison results demonstrate its competing performance over previous solutions

Wenjuan Meng,Jianhua Ge,Tao Jiang

DOI: https://doi.org/10.1142/s0129054119400124

2019-01-01

International Journal of Foundations of Computer Science

Abstract:A cloud storage system which incorporates the deletion and deduplication functionalities will have both security and efficiency advantages over exiting solutions which provide only one of them. However, the security models of secure data deletion and data deduplication functionalities are not compatible with each other, which will cause security and efficiency vulnerability under coercive adversaries. To solve these security and efficiency challenges, we define and construct a scheme, whose security relies on the proper erasure of keys in the wrapped key tree and periodical update of the deduplication encryption keys. Moreover, we enhance the efficiency of the proposed scheme by introducing incremental data update, where only the changed part is encrypted/decrypted and uploaded/downloaded in data updating. Further security analysis shows that the proposed scheme is secure against coercive attack. Finally, the practical implementation shows that our scheme is performance efficient in computation, storage and communication for both the cloud storage server and users.

Xiao-yong GUO,An-min FU,Bo-yu KUANG,Wei-jia DING

2017-01-01

Abstract:Cloud storage applications quickly become the best choice of the personal user and enterprise storage with its convenience,scalability and other advantages,secure deduplication and integrity auditing are key issues for cloud storage.At first,convergent key encapsulation/decoupling algorithm based on blind signature was set up,which could securely store key and enable it to deduplicate.Besides,a BLS signature algorithm based on convergence key was provided and use TTP to store public key and proxy audit which enables signature and pubic key deduplication and reduces client storage and computing overhead.Finally,cloud-based secure deduplicaion and integrity audit system was designed and implemented.It offered user with data privacy protection,deduplication authentication,audit authentication services and lowered client and cloud computation overhead.

An-min FU,Jian-ye SONG,Mang SU,Shuai LI

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.12.006

2017-01-01

Abstract:In cloud storage environment,client-side data deduplication can detect duplicated files at local,so as to save storage space and network bandwidth effectively.However,client-side deduplication still faces many security challenges.Firstly,since the file hash value is regarded as the evidence of duplication detection,the attacker is likely to obtain a whole file via a hash of the file.Secondly,to ensure the privacy of data,convergent encryption has been widely used in data deduplication technology,but the data itself is predictable,so that convergent encryption still inevitably suffered from violence dictionary attacks.To solve problems mentioned above,this paper uses blind signature to construct a secure key generation protocol,by introducing a key server to achieve the secondary encryption of keys,which efficiently prevents violence dictionary attacks.Furthermore,we propose a Proof of Ownership method based on block key signature.It can effectively prevent the attacker from obtaining the file through a single hash value and can realize the file-level and block-level deduplication of the encrypted file simultaneously.Meanwhile,the security analysis shows that our scheme can be proved to be secure in the random oracle model and can meet the security properties such as convergence key security,tag consistency and anti-violence dictionary attacks.In addition,compared with the existing schemes,the experimental results show that the computational overhead of our scheme is relatively small in terms of file upload and file deduplication.

Xuewei Ma,Wenyuan Yang,Yuesheng Zhu,Zhiqiang Bai

DOI: https://doi.org/10.1109/ipccc55026.2022.9894331

2022-01-01

Abstract:Encrypted data deduplication is an important technique for saving storage space and network bandwidth, which has been widely used in cloud storage. Recently, a number of schemes that solve the problem of data deduplication with dynamic ownership management have been proposed. However, these schemes suffer from low efficiency when the dynamic ownership changes a lot. To this end, in this paper, we propose a novel server-side deduplication scheme for encrypted data in a hybrid cloud architecture, where a public cloud (Pub-CSP) manages the storage and a private cloud (Pri-CSP) plays a role as the data owner to perform deduplication and dynamic ownership management. Further, to reduce the communication overhead we use an initial uploader check mechanism to ensure only the first uploader needs to perform encryption, and adopt an access control technique that verifies the validity of the data users before they download data. Our security analysis and performance evaluation demonstrate that our proposed server-side deduplication scheme has better performance in terms of security, effectiveness, and practicability compared with previous schemes. Meanwhile, our method can efficiently resist collusion attacks and duplicate faking attacks.

Hua Ma,Guohua Tian,Zhenhua Liu,Linchao Zhang

DOI: https://doi.org/10.1016/j.jisa.2019.102432

IF: 4.96

2020-01-01

Journal of Information Security and Applications

Abstract:In commercial cloud services, the client-side deduplication is widely used to save the system resource of servers. However, this kind of deduplication technique is vulnerable to the collusive authentication attack, brute-force attack and duplicate-faking attack. Most existing schemes cannot resolve those problems efficiently. Besides, how to realize the ownership management in client-side deduplication to ensure the forward and backward secrecy of outsourced data is also a hot issue. In this paper, we propose a randomized client-side deduplication scheme, which uses a randomized deduplication protocol to prevent the collusive authentication attack and offline brute-force attack launched by the outside adversaries, and stores each data according to two file tags to resist duplicate-faking attack. In addition, we realize a more available ownership management and data sharing with the aid of dynamic Key-Encrypting Key tree. Security and performance analysis show that the proposed scheme can achieve the desired security requirements while saving the system resource efficiently.