Fan Rong,Ping Lingdi,Fu Jianqing,Pan Xuezeng

DOI: https://doi.org/10.3969/j.issn.1000-0801.2010.10.015

2010-01-01

Abstract:In the applications of unattended wireless sensor networks(UWSN),sensor nodes always are deployed in hostile area and are difficult to communicate with each other.Besides,the network user need abstract sensed data not real time data in some scene.Thus the sensor nodes need to store the sensed data until receiving the request of data.However,the distributed architecture makes it challenging to build a secure and efficient data storage system due to the resource-constrained nature of sensor node.Besides,due to the lack of physical protection,WBAN are vulnerable to attacks when deployed in hostile environments.In order to address the challenges,we propose a novel secure and efficient data storage scheme with dynamic integrity checking in this paper.Based on the policies of multiple secret sharing,we first propose secure and efficient patient-related data storage and access scheme for UWSN.Furthermore,to dynamically check the integrity of the distributed data shares,we then propose an efficient data integrity verification scheme based on orthonormal vectors.Finally,the security and performance analysis shows that the proposed scheme is secure and practical for UWSN.

Xiangguo Li,JianHua Yang,Zhaohui Wu

DOI: https://doi.org/10.1007/11576259_15

2005-01-01

Abstract:This paper presents a security scheme for network-attached storage based on NFSv4 frame. One novel aspect of our system is that it enhances NFSv4 to guarantee the security of storage. Another novel feature is that we develop new user authentication mechanism which outperforms Kerberos. It uses HMAC and the symmetric cryptography to provide the integrity and privacy of transmitted data. The system includes three essential procedures: authenticating user, establishing security context and exchanging data. Our scheme can protect data from tampering, eavesdropping and replaying attacks, and it ensures that the data stored on the device is copy-resistant and encrypted. In spite of this level of security, the scheme does not impose much performance overhead. Our experiments show that large sequential reads or writes with security impose performance expense by 10-20%, which is much less than some other security systems.

Jian Zhang,Yang,Yanjiao Chen,Fei Chen

DOI: https://doi.org/10.1109/iwqos.2017.7969107

2017-01-01

Abstract:With the development of cloud storage, data owners no longer physically possess their data and thus how to ensure the integrity of their outsourced data becomes a challenging task. Several protocols have been proposed to audit cloud storage, all of which rely mainly on data block tags to check data integrity. However, their block tag constructions employ cryptographic operations, which makes them computationally complex. In this paper, we investigate a secure cloud storage protocol based on the classic discrete logarithm problem. Our protocol generates data block tags with only basic algebraic operations, which brings substantial computation savings compared with previous work. We also strictly prove that the proposed protocol is secure under a definition which captures the real-world uses of cloud storage. In order to fit more application scenarios, we extend the proposed protocol to support data dynamics by employing an index vector and third-party public auditing by using a random masking number, both of which are efficient and provably secure. At last, theoretical analysis and experimental evaluation are provided to validate the superiority of the proposed protocol.

Anh Le,Athina Markopoulou

DOI: https://doi.org/10.1109/netcod.2012.6261901

2012-06-01

Abstract:Network coding-based storage has recently received a lot of attention in the network coding community. Independently, another body of work has proposed integrity checking schemes for cloud storage, none of which, however, is customized for network coding storage or can efficiently support repair. In this work, we bridge the gap between these currently disconnected bodies of work, and we focus on the (novel) advantage of network coding for integrity checking. We propose NC-Audit - a remote data integrity checking scheme, designed specifically for network coding-based storage cloud. NC-Audit provides a unique combination of desired properties: (i) efficient checking of data integrity (ii) efficient support for repairing failed nodes (iii) full support for modification of outsourced data and (iv) protection against information leakage when checking is performed by a third party. The key ingredient of the design of NC-Audit is a novel combination of SpaceMac, a homomorphic MAC scheme for network coding, and NCrypt, a novel CPA-secure encryption scheme that is compatible with SpaceMac. Our evaluation of a Java implementation of NC-Audit shows that an audit costs the storage node and the auditor only a few milliseconds of computation time, and lower bandwidth than prior work.

Anh Le,Athina Markopoulou,Alexandros G. Dimakis,Anh Le,Athina Markopoulou,Alexandros G. Dimakis

DOI: https://doi.org/10.1109/TNET.2015.2450761

2016-08-01

IEEE/ACM Transactions on Networking

Abstract:Distributed storage codes have recently received a lot of attention in the community. Independently, another body of work has proposed integrity-checking schemes for cloud storage, none of which, however, is customized for coding-based storage or can efficiently support repair. In this work, we bridge the gap between these two currently disconnected bodies of work. We propose \ssr NC \mathchar"702D Audit, a novel cryptography-based remote data integrity-checking scheme, designed specifically for network-coding-based distributed storage systems. \ssr NC \mathchar"702D Audit combines, for the first time, the following desired properties: 1 efficient checking of data integrity; 2 efficient support for repairing failed nodes; and 3 protection against information leakage when checking is performed by a third party. The key ingredient of the design of \ssr NC \mathchar"702D Audit is a novel combination of \ssr SpaceMac, a homomorphic message authentication code MAC scheme for network coding, and \ssr NCrypt, a novel chosen-plaintext attack CPA secure encryption scheme that preserves the correctness of \ssr SpaceMac. Our evaluation of \ssr NC \mathchar"702D Audit based on a real Java implementation shows that the proposed scheme has significantly lower overhead compared to the state-of-the-art schemes for both auditing and repairing of failed nodes.

Guangjun Liu,Wangmei Guo,Ximeng Liu,Jinbo Xiong

DOI: https://doi.org/10.1155/2021/6652606

IF: 1.968

2021-04-21

Security and Communication Networks

Abstract:Enabling remote data integrity checking with failure recovery becomes exceedingly critical in distributed cloud systems. With the properties of a lower repair bandwidth while preserving fault tolerance, regenerating coding and network coding (NC) have received much attention in the coding-based storage field. Recently, an outstanding outsourced auditing scheme named NC-Audit was proposed for regenerating-coding-based distributed storage. The scheme claimed that it can effectively achieve lightweight privacy-preserving data verification remotely for these networked distributed systems. However, our algebraic analysis shows that NC-Audit can be easily broken due to a potential defect existing in its schematic design. That is, an adversarial cloud server can forge some illegal blocks to cheat the auditor with a high probability when the coding field is large. From the perspective of algebraic security, we propose a remote data integrity checking scheme RNC-Audit by resorting to hiding partial critical information to the server without compromising system performance. Our evaluation shows that the proposed scheme has significantly lower overhead compared to the state-of-the-art schemes for distributed remote data auditing.

computer science, information systems,telecommunications

Xinpeng Zhang,Chunxiang Xu,Wei Sai,Ying Li,Tao Zhou

DOI: https://doi.org/10.2991/ictcs-14.2014.10

2014-01-01

Abstract:Cloud storage is a kind of cloud computing services that allows users to store their data in a remote cloud. Because of the loss of data control, data owners will concern that their data will be misused or unauthorized access by other users, in addition, they also worry their data may be lost in the clouds. Therefore, verify the authenticity of the data has become a key issue of data stored on the untrusted server.Shacham and Waters [17] give two Data storage audit protocols with full security proofs against arbitrary adversaries in the strongest secure model, but the server needs to give back a linear combination of the blocks that will leak audit data to the auditor. In order to improve the agreement of Shaham and waters, we use a hash function and blind technique to construct a public's privacy audit protocol.

Siqin Zhao,Kang Chen,Weimin Zheng

DOI: https://doi.org/10.1109/ISPA.2009.32

2009-01-01

Abstract:Auditable file system is used to track the usage of the file system including the operations like read and write. Auditable file system keeps the trails of userspsila action and the trails are kept faithfully for future auditing. However, as the logs are still kept within the same file system, it will be quite vulnerable to be exposed as malware penetrating the system. Even with the file system hiding the logs, the skillful attacker can still analyze the on-disk structure to get and modify the logs. Thus the logs should be kept separate from the working system. Virtual machines can provide such separation as virtual machines can hold the whole operating system while still keep the system apart from the metal hardware. We propose a method of secure logging for auditable file system using a logging virtual machine. The logs are kept in another virtual machine safely. Even the working virtual machine is broken; the logs are not exposed to the outside. By the isolation provided by virtual machines, the logs can be kept safe and valid. The high privileged user can not modify the logs contents, or forge the logs and data to keep consistency, or pretend to be another user for doing un-authorized actions. We have done several works as well as a prototype system to show the feasibility of such approach. Experiments show that the logging virtual machine will not bring too much overhead.

L. Jin-gang

Abstract:This paper introduces a new security and reliability mechanism of the file system of Linux-limiting OS physical storage space,and make it can’t be rewritten.Will be relatively independent of the operating system installed in the physical space,and other applications software in the physical separation of space,the operating system will be installed into a physical storage medium limited to read-only,so that the operating system installed can not be rewritten on the physical layer,so as to achieve secure and reliable;at the same time,user space and system space isolated from each other in the physical space,when users need to install software or preserve documents,can be transparent in the storage space.Then describes its design principle and implement details,and comes to the conclusion of providing security and reliability without performance loss by giving fully test results.

Computer Science,Engineering

徐辉,潘爱民

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.11.052

2004-01-01

Abstract:An enhanced security auditing mechanism for Linux is proposed.This mechanism is based on loadable kernel mo-(dule) and provides system level and application level auditing functions.System audit generates an audit record for every security sensitive system call.Application level audit abandons the traditional auditing fashion that auditing system completely depends on applications writing log file in user space.Instead,applications and system kernel will generate audit record coordinately.Examples are given for intrusion detection with this mechanism.

Shen Zhirong,Xue Mao,Xue Wei,Shu Jiwu

2011-01-01

Journal of Computer Research and Development

Abstract:With the development of network storage technology,how to protect the shared data from being intruded continues to grow in importance in the untrusted network storage environment.This paper presents the recently researches of shared secure file system and analyzes the Corslet secure file system proposed by our group.We give the description of the roles that play in Corslet and analyze the key approaches that are used in it.Meanwhile,this paper evaluates the performance of Corslet secure file system and takes some measures to optimize performance.By evaluating the operation of reading/writing big files in Corslet,we draw the conclusion that cryptographic overhead accounts for most of the overhead caused by reading writing operation.According to the conclusion,two optimizations are proposed which are to make improvement on the implementation of cryptographic algorithms and to use the new API of cryptographic functions.With the original Corslet secure file system optimizated by the two optimizations,the performance of reading/writing improve by 16% to 20% and 5% to 12% respectively evaluated by the benchmark of IOzone.

Li-zhong Geng,Hui-bo Jia

DOI: https://doi.org/10.1109/IAS.2009.100

2009-01-01

Abstract:Rapid increase of information resources speeds the development of network storage. And security of network storage satisfies the demands of privacy and safety of the information. Data encryption and personal identity authentication which are based on cryptography can protect the storage against non-authorized access, while they are ineffective for malicious authorized users and inherent attacks. Also heavy performances affect the control of storage. This paper demonstrates an efficient intrusion detection system model for network-attached storage based on system calls and improves the Process Homeostasis to realize the implementation. The experimental results demonstrate high detection rate and low false detection rate. The total performance is about 3% additions when the detection system is running normally.

CHEN Li-ming,YU Yan,HUANG Hao

2005-01-01

Journal of Computer Applications

Abstract:All kinds of system events are stored in logs. After a successful intrusion, the intruder will try to modify the logs to conceal the intrusion. A method for verifying and protecting log integrity was described to make all log entries generated prior to the logging system's compromise impossible for the attacker to undetectably modify. A set of trusted log entries was provided to other programs when damages are made to log integrity.

Lipeng Wang,Mingsheng Hu,Zhijuan Jia,Zhi Guan,Zhong Chen

DOI: https://doi.org/10.1109/tifs.2024.3383772

IF: 7.231

2024-05-10

IEEE Transactions on Information Forensics and Security

Abstract:As more internet users opt to store their data in cloud storage, ensuring data integrity becomes a paramount concern. The emerging provable data possession (PDP) scheme enables auditors to verify data integrity with reduced bandwidth consumption compared to hash-based alternatives. Nevertheless, most existing PDP variants rely on a centralized node for generating or maintaining user keys, creating a potential single point of failure. Moreover, previous PDP schemes could only detect whether challenged data blocks were corrupted, lacking the ability to pinpoint affected blocks precisely. To tackle these challenges, we propose a novel PDP scheme that eliminates the necessity for a key management center and supports the localization of corrupted data blocks. In our scheme, users no longer need to retain private keys once they cease performing data dynamic operations, thus liberating them from reliance on external entities for key maintenance. Moreover, the new scheme utilizes existing authenticators in the cloud to identify corrupted file blocks, eliminating the necessity of storing hash values for these data blocks as seen in most of existing implementations. This effectively reduces required storage space. Furthermore, we introduce SStore, a decentralized cloud storage platform that incorporates the new PDP scheme to verify data integrity. SStore facilitates public auditing of user data, thereby enhancing transparency in the data verification procedure. Moreover, SStore leverages basic algebraic operations for data auditing, significantly increasing its efficiency. We analyze the security of the new PDP scheme, and evaluate the performance of both the PDP scheme and SStore to demonstrate their efficiency.

computer science, theory & methods,engineering, electrical & electronic

Yang Xu,Cheng Zhang,Guojun Wang,Zheng Qin,Quanrun Zeng

DOI: https://doi.org/10.1109/tetc.2020.3005610

2021-07-01

IEEE Transactions on Emerging Topics in Computing

Abstract:Since network storage services achieve widespread adoption, security and performance issues are becoming primary concerns, affecting the scalability of storage systems. Countermeasures like data auditing mechanisms and deduplication techniques are widely studied. However, the existing data auditing mechanism with deduplication cannot solve the problems such as high cost and reliance on trusted third parties in traditional approaches, and it also faces the problem of repeated auditing of data shared by multiple-tenant. This article proposes a blockchain-based deduplicatable data auditing mechanism. We first design a client-side data deduplication scheme based on bilinear-pair techniques to reduce the burden on users and service providers. On this basis, we achieve a trustworthy and efficient data auditing mechanism that helps to check data integrity by using both the blockchain technique and bilinear pairing cryptosystem. The blockchain system is used to record the behaviors of entities in both data outsourcing and auditing processes so that the corresponding immutable records can be used to not only ensure the credibility of audit results but also help to monitor unreliable third-party auditors. Finally, theoretical analysis and experiments reveal the effectiveness and performance of our scheme.

computer science, information systems,telecommunications

Manting Shen,Yinyan Yu,Zhi Tang,Xiaoyu Cui

DOI: https://doi.org/10.1109/compsac.2016.56

2016-01-01

Abstract:Sensitive information leakage in files is one of the biggest concerns in people's life. Considering this situation, people have designed lots of tools to protect sensitive files. However, these specialized tools are not applicable when the user amount is small. This paper proposes a novel light-weight mechanism that provides efficient and fast cryptographic-based file protection to meet the need of small organizations. The highlights are its ability to provide protection for all types of files, and the usage of an efficient access control approach for file sharing. Operations in the directory are monitored in real time and files are protected automatically. Moreover, encryption keys are generated and well preserved by a hierarchical key generation algorithm. For further estimation, we conducted experiments and analyzed the security and performance of our mechanism as well as other file protection software, and then we made a comparison among them. Experimental results show that our mechanism performs well both in security and performance and outperforms those other file protection software when applied in small organizations.

Mao Ye

DOI: https://doi.org/10.48550/arXiv.2104.08699

2021-04-18

Hardware Architecture

Abstract:With emerging non-volatile memories entering the mainstream market, several operating systems start to incorporate new changes and optimizations. One major OS support is the direct-access for files, which enables efficient access for files hosted in byte-addressable NVM systems. With DAX-enabled filesystems, files can be accessed directly similar to memory with typical load/store operations. Despite its efficiency, the frequently used system call of direct access is troublesome for system auditing. File system auditing is mandatory and widely used because auditing logs can help detect anomalies, suspicious file accesses, or be used as an evidence in digital forensics. However, the frequent and long-time usage of direct access call blinds the operating system or file system from tracking process operations to shared files after the initial page faults. This might results in imprecise casualty analysis and leads to false conclusion for attack detection. To remedy the tension between enabling fine-grained file system auditing and leveraging the performance of NVM-hosted file systems, we propose a novel hardware-assisted auditing scheme, FOX. FOX enables file system auditing through lightweight hardware-software changes which can monitor every read or write event for mapped files on NVM. Additionally, we propose the optimized schemes, that enable auditing flexibility for selected files/memory range. By prototyping FOX on a full system simulator, Gem5, we observe a relatively small reduced throughput and an acceptable extra writes compared to our baseline. Compared to other instrumentation-based software schemes, our scheme is low-overhead and secure.

Stefano Braghin,Marco Simioni,Mathieu Sinn

DOI: https://doi.org/10.48550/arXiv.2108.13785

2021-08-31

Abstract:Shared folders are still a common practice for granting third parties access to data files, regardless of the advances in data sharing technologies. Services like Google Drive, Dropbox, Box, and others, provide infrastructures and interfaces to manage file sharing. The human factor is the weakest link and data leaks caused by human error are regrettable common news. This takes place as both mishandled data, for example stored to the wrong directory, or via misconfigured or failing applications dumping data incorrectly. We present Data Leakage Prevention FileSystem (DLPFS), a first attempt to systematically protect against data leakage caused by misconfigured application or human error. This filesystem interface provides a privacy protection layer on top of the POSIX filesystem interface, allowing for seamless integration with existing infrastructures and applications, simply augmenting existing security controls. At the same time, DLPFS allows data administrators to protect files shared within an organisation by preventing unauthorised parties to access potentially sensitive content. DLPFS achieves this by transparently integrating with existing access control mechanisms. We empirically evaluate the impact of DLPFS on system's performances to demonstrate the feasibility of the proposed solution.

Cryptography and Security,Computers and Society

Zequan Zhou,Xiling Luo,Yupeng Wang,Jian Mao,Feixiang Luo,Yi Bai,Xiaochao Wang,Gang Liu,Junjun Wang,Feng Zeng

DOI: https://doi.org/10.1109/tvt.2023.3295953

IF: 6.8

2023-01-01

IEEE Transactions on Vehicular Technology

Abstract:In vehicular cloud computing (VCC), cloud servers provide enormous storage and powerful computing capacity to Vehicular Ad-hoc Networks (VANETs). Resource-constrained vehicles outsource data to vehicular cloud platforms for timely traffic safety services, e.g., navigation, accident alarms, etc. Auditing the authenticity of data has become a critical issue in outsourcing data to untrusted servers. Existing data audit methods encode all data with error correction codes (ECC) techniques that retrieve corrupted data by downloading all data. The communication overhead of such methods is $O(n)$ ($n$ is the number of data blocks) which is unbearable for vehicles with limited resources. In addition, these schemes employ an inaccurate privacy-preserving model. This will lead to data leakage in the third-party audit process. Although they use randomness to confuse parts of the proof that is used to prove the data state, a small amount of information is still distinguishable. For such, in this paper, we propose a practical data audit scheme with retrievability and indistinguishable privacy-preserving to efficiently audit the state of outsourced data. We improve the Invertible Bloom Filter (IBF) to compress redundancy locally, which can retrieve corrupted data without prior context. Furthermore, we define an indistinguishable privacy-preserving model to capture the complete semantics of repeated audit attacks and achieve indistinguishability in the audit. We prove that our scheme is secure against adaptive chosen message attacks and is indistinguishable privacy-preserving against repeated audit attacks. The experiment results demonstrate that for 1.9GB data when $\sqrt[]{n}$ blocks are corrupted, auditors complete a check in 3.31 seconds with 99% confidence, and vehicles retrieve corrupted data in 3.16 seconds with 16.67MB communication overhead.

telecommunications,engineering, electrical & electronic,transportation science & technology

ZHAO Xiu-wen,LUO Ping,CHEN Qiang,ZHANG Ning

2006-01-01

Abstract:How to provide stronger and more flexible security protections for file systems is one important part of secure file systems research.Based LDAP and SSH protocol,the distributed secure file system is designed.The model,principle and security analysis of distributed secure file system are introduced.