Guangyu Chen,Jian Liu,Ming Xian

DOI: https://doi.org/10.1088/1742-6596/1314/1/012190

2019-01-01

Journal of Physics Conference Series

Abstract:With the increase of data volume, the service of data publication and subscription is an efficient method to share massive data. It is impossible to capture and manage data with traditional database tools. Therefore, the cloud platform becomes the most suitable platform for data publication and subscription due to its huge storage, strong computing power and good economical utility. In the process of data publishing and subscription, cloud server as a third party is semi-honest, which will bring serious privacy problems. In this paper, a secure data publishing and subscription scheme based on cloud platform is proposed, which can protect the privacy of data and subscriber interest, and achieve efficient and accurate data publishing and subscription. It can realize that only data subscribers who meet the requirements of access rights can obtain and decrypt the data, and the matching of data subscriber interest and data label can be realized at the same time. In addition, this scheme also supports user cancellation, it can cancel dishonest users in the system.

Yuxia Cheng,Qing Wu,Bei Wang,Wenzhi Chen

DOI: https://doi.org/10.1007/978-3-319-69471-9_4

2017-01-01

Abstract:Protecting data security and privacy is one of the top concerns in the public cloud. As the cloud infrastructure is complex, and it is difficult for cloud users to gain trust. Particularly, how to guarantee the confidentiality and integrity of in-memory user private data in untrusted cloud faces big challenges. The in-memory data is typically used for online processing that requires high performance and plaintext access in CPU, therefore simple data encryption is infeasible for in-memory data security protection. In this paper, we propose a secure in-memory data cache scheme based on the memcached key-value store system and leverage the new trusted Intel SGX processors to protect sensitive operations. Firstly, we build a secure enclave and design a trusted channel protocol using remote attestation mechanism. Secondly, we propose a cache server partitioning method that decouples the sensitive key-value operations with enclave protection. Thirdly, we implement a secure client library to maintain the original cache semantics for application compatibility. The experimental result showed that the proposed solutions achieves comparable performance with the traditional key-value store systems, while improves the level of data security in untrusted cloud.

Yanping Xiao,Chuang Lin,Yixin Jiang,Xiaowen Chu,Fangqin Liu

DOI: https://doi.org/10.1109/GLOCOM.2010.5683310

2010-01-01

Abstract:Cloud computing provides a novel computing paradigm for enterprises to store programs and data in the Cloud in a transparent manner, which poses the challenge of security and privacy. In this paper, based on homomorphic cryptography and Zero-Knowledge Proof, we present a novel privacy-preserving scheme for Cloud publish/subscribe service, which achieve efficient privacy-preserving authentication, data integrity, and publish-subscribe confidentiality. The performance evaluation and security analysis demonstrate the practice and validity of the proposed scheme.

Kai Zhang,Xiwen Wang,Jianting Ning,Junqing Gong,Xinyi Huang

DOI: https://doi.org/10.1109/tifs.2023.3303720

IF: 7.231

2023-09-01

IEEE Transactions on Information Forensics and Security

Abstract:Secure cloud-assisted data publish/subscribe (Pub/Sub) service provides an asynchronous method for publishers and subscribers to non-interactively exchange encrypted messages. Besides performing conjunctive subscription policy, numerous data Pub/Sub systems have recently been proposed to provide dynamic access control enforced from the publisher side to the subscriber side. However, these solutions fail to consider the following properties: (i) bilateral access control for both publishers and subscribers; (ii) the anonymity of the publisher; (iii) high matching time cost between publication and subscription. Therefore, we present P/S-BiAC, a secure and boolean cloud-assisted data Pub/Sub system with attribute-based bilateral access control that achieves authenticity and anonymity of publishers. In particular, P/S-BiAC enables cloud-based brokers to use the subscriber's trapdoor to match published data with sub-linear time complexity. Technically, we introduce a "BiAC-and-Hidden" technique to refine publication tuples and trapdoor in classic searchable symmetric encryption solutions. Moreover, we implement P/S-BiAC and evaluate its practical performance based on Enron dataset in real cloud environment. To deal with a conjunctive subscription policy, P/S-BiAC runs faster for matching time cost (with -term=10) compared to state-of-the-art solutions, which demonstrates its feasibility in practical data Pub/Sub services with strong security properties.

computer science, theory & methods,engineering, electrical & electronic

Chunlin Li,Jinguo Li,Kai Zhang,Yan,Jianting Ning

DOI: https://doi.org/10.1109/tcc.2023.3326339

IF: 5.697

2023-01-01

IEEE Transactions on Cloud Computing

Abstract:Cloud-based publish-subscribe (pub-sub) services provide a decoupling method for publishers and subscribers to effectively exchange targeted information and massive data on the cloud platform. Data publishers implement fine-grained access control to set subscription privileges for outsourced data through an access policy. However, in the context of semi-honest cloud platforms, the publisher's access policy may be collected, and incomplete or incorrect subscription results may be returned (e.g., to save communication costs). Existing solutions pay little attention to protecting the data publisher's access policy and cannot provide efficient verification for local results. In this article, we propose a verifiable multi-keyword data publish-subscribe scheme with a hidden access policy (VMP/S). Specifically, VMP/S combines attribute-based keyword search and data aggregation technology to achieve secure fine-grained access control, thereby protecting the privacy of the access policy. Additionally, the scheme provides an effective method for verifying local results by using equal-length verification information to confirm the correctness of feedback subscription data. Furthermore, we introduce a novel verification method for access control to enhance subscription performance efficiency. We demonstrate that VMP/S achieves IND-CKA security and ensures the privacy of the access policy through a comprehensive security analysis. Through experimental simulations, we confirm its effectiveness.

C. Wang,A. Carzaniga,D. Evans,A. Wolf

DOI: https://doi.org/10.1109/hicss.2002.994531

2002-01-01

Abstract:Publish-subscribe is a communication paradigm that supports dynamic, many-to-many communications in a distributed environment. Content-based pub-sub systems are often implemented on a peer-to-peer infrastructure that enables information dissemination from information producers (publishers) to consumers (subscribers) through a subscription mechanism. In a wide-area pub-sub network, the pub-sub service must handle information dissemination across distinct authoritative domains, heterogeneous platforms and a large, dynamic population of publishers and subscribers. Such an environment raises serious security concerns. In this paper, we investigate the security issues and requirements that arise in an internet-scale content-based pub-sub system. We distinguish among those requirements that can be achieved with current technology and those that require innovative solutions.

Sisi Duan,Chao Liu,Xin Wang,Yusen Wu,Shuai Xu,Yelena Yesha,Haibin Zhang

DOI: https://doi.org/10.1109/srds51746.2020.00039

2020-01-01

Abstract:We present Chios, an intrusion-tolerant publish/subscribe system which protects against Byzantine failures. Chios is the first publish/subscribe system achieving decentralized confidentiality with fine-grained access control and strong publication order guarantees. This is in contrast to existing publish/subscribe systems achieving much weaker security and reliability properties. Chios is flexible and modular, consisting of four fully-fledged publish/subscribe configurations (each designed to meet different goals). We have deployed and evaluated our system on Amazon EC2. We compare Chios with various publish/subscribe systems. Chios is as efficient as an unreplicated, single-broker publish/subscribe implementation, only marginally slower than Kafka and Kafka with passive replication, and at least an order of magnitude faster than all Hyperledger Fabric modules and publish/subscribe systems using Fabric.

Jia Xu,Jia Yan,Liang He,Purui Su,Dengguo Feng

DOI: https://doi.org/10.1109/CloudCom.2010.16

2010-01-01

Abstract:Massive Internet invasions implemented through the distributed platform fabricated by rapid diffusion of malwares, has become a significant issue in network security. We argue that the notion of “Collaborative Security” is an emerging trend in resisting distributed attacks originated from malware. Therefore, this paper proposes a new architecture: CloudSEC, for composing collaborative security-related services in clouds, such as correlated intrusion analysis, anti-spam, anti-DDOS, automated malware detection and containment. CloudSEC is modeled as a dynamic peer-to-peer overlay hierarchy with three types of top-down architectural components. Based on, this architecture, both data distribution and task scheduling overlays can be simultaneously implemented in a loosely coupled fashion, which can efficiently retrieve data resources from heterogeneous network security facilities, and harness distributed collection of computational resources to process data-intensive tasks. Hence, CloudSEC endues the network security infrastructure with the capability of dynamic adaptation and collaboration on an inter-organizational scale. The results of preliminary evaluation demonstrate that, CloudSEC not only delivers a sample service of distributed intrusion correlation with high scalability and robustness, but also achieves remarkable effectiveness in data sharing and task scheduling.

Zhendong Liu,Liang Meng,Qingyuan Zhao,Fei Li,Manrui Song,Dongxu Dai,Xiujuan Yang,Song Guan,Yue Wang,Hongliang Tian

DOI: https://doi.org/10.1155/2022/2381365

2022-10-16

Wireless Communications and Mobile Computing

Abstract:With the dramatically increasing deployment of intelligent devices, the Internet of Things (IoT) has attracted more attention and developed rapidly. It effectively collects and shares data from the surrounding environment to achieve better IoT services. For data sharing, the publish-subscribe (PS) paradigm provides a loosely coupled and scalable communication model. However, due to the loosely coupled nature, it is vulnerable to many attacks, resulting in some security threats to the IoT system, but it cannot provide the basic security mechanisms such as authentication and confidentiality to ensure the data security. Thus, in order to protect the system security and users' privacy, this paper presents a secure blockchain-based privacy-preserving access control scheme for the PS system, which adopt the fully homomorphic encryption (FHE) to ensure the confidentiality of the publishing events and leverage the ledger to store the large volume of data events and access crossdomain information. Finally, we analyze the correctness and security of our scheme; moreover, we deploy our proposed prototype system on two computers and evaluate its performance. The experimental results show that our PS system can efficiently achieve the equilibrium between the system cost and the security requirement.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yaxing Chen,Qinghua Zheng,Dan Liu,Zheng Yan,Wenhai Sun,Ning Zhang,Wenjing Lou,Y. Thomas Hou

DOI: https://doi.org/10.48550/arxiv.1912.08454

2019-01-01

Abstract:While the security of the cloud remains a concern, a common practice is to encrypt data before outsourcing them for utilization. One key challenging issue is how to efficiently perform queries over the ciphertext. Conventional crypto-based solutions, e.g. partially/fully homomorphic encryption and searchable encryption, suffer from low performance, poor expressiveness and weak compatibility. An alternative method that utilizes hardware-assisted trusted execution environment, i.e., Intel SGX, has emerged recently. On one hand, such work lacks of supporting scalable access control over multiple data users. On the other hand, existing solutions are subjected to the key revocation problem and knowledge extractor vulnerability. In this work, we leverage the newly hardware-assisted methodology and propose a secure, scalable and efficient SQL-like query framework named QShield. Building upon Intel SGX, QShield can guarantee the confidentiality and integrity of sensitive data when being processed on an untrusted cloud platform. Moreover, we present a novel lightweight secret sharing method to enable multi-user access control in QShield, while tackling the key revocation problem. Furthermore, with an additional trust proof mechanism, QShield guarantees the correctness of queries and significantly alleviates the possibility to build a knowledge extractor. We implemented a prototype for QShield and show that QShield incurs minimum performance cost.

Yao Ma,Elham Kashefi,Myrto Arapinis,Kaushik Chakraborty,Marc Kaplan

DOI: https://doi.org/10.1038/s41534-022-00612-5

2021-09-21

Abstract:We introduce a secure hardware device named a QEnclave that can secure the remote execution of quantum operations while only using classical controls. This device extends to quantum computing the classical concept of a secure enclave which isolates a computation from its environment to provide privacy and tamper-resistance. Remarkably, our QEnclave only performs single-qubit rotations, but can nevertheless be used to secure an arbitrary quantum computation even if the qubit source is controlled by an adversary. More precisely, attaching a QEnclave to a quantum computer, a remote client controlling the QEnclave can securely delegate its computation to the server solely using classical communication. We investigate the security of our QEnclave by modeling it as an ideal functionality named Remote State Rotation. We show that this resource, similar to previously introduced functionality of remote state preparation, allows blind delegated quantum computing with perfect security. Our proof relies on standard tools from delegated quantum computing. Working in the Abstract Cryptography framework, we show a construction of remote state preparation from remote state rotation preserving the security. An immediate consequence is the weakening of the requirements for blind delegated computation. While previous delegated protocols were relying on a client that can either generate or measure quantum states, we show that this same functionality can be achieved with a client that only transforms quantum states without generating or measuring them.

Quantum Physics,Cryptography and Security

Yuchao Zhang,Xiaotian Wang,Xiaofeng He,Ning Zhang,Zibin Zheng,Ke Xu

DOI: https://doi.org/10.1109/jiot.2023.3307073

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The emergence of the Internet of Things (IoT) technology in recent years has led to a considerable amount of data to be shared across different organizations. The publish and subscribe (Pub/Sub) paradigm, with its asynchronous, one-to-many and decoupling characteristics, is considered to be a promising communication model in IoT. However, designing a Pub/Sub framework for IoT data sharing confronts two challenges: Byzantine faults and privacy concerns. Byzantine nodes that are subjectively malicious or hacked by attackers may discard or forge data in the broker network composed of untrusted IoT organizations. Unauthorized brokers or clients may try to obtain the content of publications or subscriptions, thus violating the IoT data privacy. Existing works have limitations in terms of relatively low scalability and high overhead in tackling these two challenges. In this paper, we propose Galaxy, a blockchain based Pub/Sub IoT data sharing framework. To achieve Byzantine fault-tolerant (BFT) Pub/Sub, Galaxy adopts sharding to improve scalability and achieve efficient BFT Pub/Sub workflow within each shard with a novel leader rotation scheme. In attaining privacy-preserving Pub/Sub, a secret key sharing and encrypted Pub/Sub scheme is designed in Galaxy to achieve low overhead without breaking the decoupling of the system. We implemented a prototype of Galaxy and deployed it on Alibaba Cloud for experimental evaluation. The experiment results show the feasibility and efficiency of Galaxy.

Huijie Li,Run-hua Shi,Qianqian Jia

DOI: https://doi.org/10.1088/1402-4896/ad59d8

2024-06-20

Physica Scripta

Abstract:In this paper, we consider an interesting and important privacy-preserving issue, i.e., how to implement anonymous and secure communications for several intelligence agents, hiding in n participants. To solve this issue, we first propose a quantum Secure Multiparty Computing XOR (SMC_XOR) protocol based on single photons, which can guarantee the unconditional security of the protocol. By implementing rotation encryption, the practicality of quantum SMC_XOR protocol can be significantly improved without other complex quantum techniques. Security analysis shows that the proposed protocol can resist various types of attacks. Furthermore, a special network model is designed to solve this issue, using hash function to verify the identity of the communication parties and key recycling to reduce resource consumption. Finally, the proposed quantum SMC_XOR protocol is simulated in IBM Qiskit, and the simulation results show that the protocol is correct and feasible.

physics, multidisciplinary

Shengmin Xu,Jianting Ning,Yingjiu Li,Yinghui Zhang,Guowen Xu,Xinyi Huang,Robert H. Deng

DOI: https://doi.org/10.1109/tdsc.2020.3001557

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Cloud-fog computing is a novel paradigm to extend the functionality of cloud computing to provide a variety of on-demand data services via the edge network. Many cryptographic tools have been introduced to preserve data confidentiality against the untrustworthy network and cloud servers. However, how to efficiently identify and retrieve useful data from a large number of ciphertexts without a costly decryption mechanism remains a challenging problem. In this article, we introduce a cloud-fog-device data sharing system (CFDS) with data confidentiality and data source identification simultaneously based on a new cryptographic primitive named matchmaking attribute-based encryption (MABE) by extending matchmaking encryption in CRYPTO'19. Our solution offers a secure fine-grained bilateral access control that includes (1) fine-grained sender access control, (2) fine-grained receiver access control, (3) sender privacy, and (4) performance optimization via outsourcing data source identification to fog nodes. We give the formal definition and security models of MABE, and present a concrete construction with formal security proofs. We also offer a detailed security analysis of our proposed CFDS against real-world security threats. The extensive comparison and experimental simulation demonstrate that, by immigrating heavy workload to fog nodes, our scheme has better functionalities and performances than the most related solutions.

Atul Kumar Srivastava,Dhiraj Pandey,Alok Agarwal

DOI: https://doi.org/10.1007/s11277-024-11021-6

IF: 2.017

2024-04-27

Wireless Personal Communications

Abstract:Due to the exponential growth of cloud data and network services, computational resources and cloud data security have one of the most attractive research issues in the real-time cloud environment. Numerous types of cloud services are combined into various domain applications, including, e-health, defence, clinical databases, and so on, for data storage and resource computing. However, a traditional challenge to consider is that the Data Owner (DO) no longer has the ability to modify the access control policy or key policy, resulting in data sharing inflexibility, inefficiency, and key abusers. To address these concerns, we propose an enhanced d level cut-off point-Quantum Secret Sharing (EdLCp-QSS) scheme based on an efficient Monitoring Key Ciphertext-ABE (MKCABE) –access control with Blockchain and Key Controller (EQMBK) mechanism for security. The proposed EQMBK mechanism provides security for monitoring the data from getting accessed by un-authorized users as well as offers updating security when a new user joins the cloud environment. The proposed EQMBK system ensures that data is not accessible by unauthorised users and that security is updated when a new user joins the cloud environment. Finally, experimental simulation reveals that the suggested technique is very efficient in preserving the privacy of the user's data against unauthorised parties in terms of computation time encryption time, system initialization time, key generation time, and decryption time. Furthermore, when compared to state-of-the-art techniques, the proposed methods are more resilient and provide greater performance.

telecommunications

Jatinder Kumar,Ashutosh Kumar Singh

DOI: https://doi.org/10.1007/s10586-024-04350-5

2024-03-25

Cluster Computing

Abstract:A smart meter is an automation technology that sends real-time power consumption of electric appliances to the outsourced cloud through the aggregator node. An outsourced cloud is used by the Utility providers to release computation and storage overhead. The real-time smart meter data helps in the management of demand and supply in the smart grid. However, the real-time smart meter data exposes the privacy of smart meter customers and inefficient aggregated smart meter data results in unbalanced power management decisions in the smart grid. Therefore, a smart meter data storage (SMDS) model is proposed that aggregates the encrypted smart meter data at the fog node with the property of homomorphic encryption and stores it on the outsourced cloud. Two clouds are used to process the smart meter data and only the utility provider is able to retrieve the actual power consumption of the smart meter. Additionally, a secure query processing model is designed to retrieve the smart meter data on the outsourced cloud. Experimental results show the effectiveness of the proposed work and the feature comparison demonstrates the superiority of the proposed over the existing works.

computer science, information systems, theory & methods

Xuyang Zhao,Mingyu Li,Erhu Feng,Yubin Xia

DOI: https://doi.org/10.1109/jcc56315.2022.00019

2022-01-01

Abstract:As data security in public clouds attracts more attention and concerns, researchers and practitioners have proposed techniques to secure cloud computing. Confidential computing (CC) is a compelling approach that guarantees both privacy and integrity of data and code in public clouds. In this paper, we first survey the status of CC in today’s commercialized public clouds, including the cloud CC abstractions, infrastructures, metrics, third-party service vendors, and real-world cloud use cases. We also discover the limitations such as re-programming efforts, extra cost, limited availability, etc. We further take a step forward to prospect CC in the joint cloud scenario. We finally showcase the challenges of realizing a secure joint cloud and propose possible solutions.

Bobo Huang,Rui Zhang,Zhihui Lu,Yiming Zhang,Jie Wu,Lu Zhan,Patrick C.K. Hung

DOI: https://doi.org/10.1016/j.jpdc.2020.05.005

IF: 4.542

2020-09-01

Journal of Parallel and Distributed Computing

Abstract:<p>In recent years, with the rapid development of smart city, prevalent pub/sub (publish/subscribe) streaming systems have been increasingly employed as upstream middleware layer in multi-tenant edge clouds, and feed large volume of data gathered from IoT devices of different tenants into downstream systems (e.g., data analytics and warehouse). A shared tenancy model where multiple untrusted applications or tenants utilize the same pub/sub system is generally exploited in edge cloud, which poses crucial challenges including privacy-sensitive data/metadata access threat and critical metadata modification by unauthorized tenants. A centralized monitoring node is invariably adopted in existing security strategies (such as ACL, TLS), which causes the pub/sub streaming model vulnerable to external malicious attacks and single point failure.</p><p>In this paper, inspired by outstanding features of blockchain including tamper-resistance, decentralization, strong consistency, and traceability, we propose BPS, a general and decentralized Blockchain-enhanced Pub/Sub communication model for multi-tenant edge cloud, to redesign pub/sub system internal security mechanisms. Specifically, by exploiting blockchain technology, BPS can detect the illegal operations and behaviors from both malicious tenants and untrusted publishers or subscribers. BPS directly leverages Merkel Hash Tree (MHT) of blockchain to verify the integrity of critical and confidential metadata. Regarding authorization, BPS introduces smart-contract-enabled fine-grained control over partition topic-classified messages by storing access control list (ACL) into an append-only blockchain ledger. Additionally, an incentive mechanism is employed in BPS to reward honest publishers and subscribers. We implement BPS prototype based on Kafka and EoS blockchain. Our security analysis and extensive experiments demonstrate that BPS outperforms the state-of-the-art pub/sub streaming system Kafka in security with minimal performance overhead.</p>

computer science, theory & methods

Brandon Broadnax,Alexander Koch,Jeremias Mechler,Tobias Müller,Jörn Müller-Quade,Matthias Nagel

DOI: https://doi.org/10.2478/popets-2021-0072

2021-07-23

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract In practice, there are numerous settings where mutually distrusting parties need to perform distributed computations on their private inputs. For instance, participants in a first-price sealed-bid online auction do not want their bids to be disclosed. This problem can be addressed using secure multi-party computation (MPC), where parties can evaluate a publicly known function on their private inputs by executing a specific protocol that only reveals the correct output, but nothing else about the private inputs. Such distributed computations performed over the Internet are susceptible to remote hacks that may take place during the computation. As a consequence, sensitive data such as private bids may leak. All existing MPC protocols do not provide any protection against the consequences of such remote hacks. We present the first MPC protocols that protect the remotely hacked parties’ inputs and outputs from leaking. More specifically, unless the remote hack takes place before the party received its input or all parties are corrupted, a hacker is unable to learn the parties’ inputs and outputs, and is also unable to modify them. We achieve these strong (privacy) guarantees by utilizing the fact that in practice parties may not be susceptible to remote attacks at every point in time, but only while they are online, i.e. able to receive messages. To this end, we model communication via explicit channels. In particular, we introduce channels with an airgap switch (disconnect-able by the party in control of the switch), and unidirectional data diodes . These channels and their isolation properties, together with very few, similarly simple and plausibly remotely unhackable hardware modules serve as the main ingredient for attaining such strong security guarantees. In order to formalize these strong guarantees, we propose the UC with Fortified Security (UC#) framework, a variant of the Universal Composability (UC) framework.

Dan-Chen Wang,Yang Xu,Xiao-Song Zhang

DOI: https://doi.org/10.1142/9789811223334_0045

2020-01-01

Abstract:The security of data flow is the core technology of data fusion and sharing service. This paper uses MPI communication mechanism for reference to meet the multi-party flow of trusted data, set up a multi-party security computing framework to form a privacy protection computing framework, and considers the actual needs of semantic security and efficient processing capacity. SMPC chooses ElGamal homomorphic encryption system. The paper defines addition and subtraction operations, multiplication operation, set operation, space vector operation and comparison operation. Respective operation process providing simultaneously. Based on multi-party computing, the application methods of data verification and correlation analysis are proposed, and the feasibility of the method is illustrated by the performance evaluation of the calculation.