Guowen Xu,Shengmin Xu,Jinhua Ma,Jianting Ning,Xinyi Huang

DOI: https://doi.org/10.1109/tifs.2023.3305870

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Cloud computing has been widely accepted as a computing paradigm to offer high-quality data services on demand. However, it suffers from various attacks as the cloud service provider and data owners are not in the same trusted domain. To support data confidentiality, existing cloud-based systems apply cryptographic tools to issue the decryption key to data users to share data in a controlled way. However, fine-grained cloud data sharing still faces many challenges, especially when dealing with dynamic user groups. In this paper, we introduce a secure and efficient cloud-based data-sharing system with fine-grained access control and dynamic user groups. Our system enjoys 1) adaptive security in prime-order groups, 2) forward secrecy against revoked user fetches data generated before being revoked, and 3) decryption key exposure resistance against the compromise of the frequently used decryption key, where the previous solutions only concentrate on one or two above-mentioned properties. More specifically, we introduce two timestamp management mechanisms that manage the timestamp in each ciphertext to support dynamic user groups with forward secrecy. By applying the proposed timestamp management mechanisms, we introduce two novel designs of attribute-based encryption schemes with formal definition and security analyses. The proposed schemes are adaptively secure in prime-order groups under a standard assumption and support decryption key exposure resistance. We conduct theoretical analysis and experimental simulation to demonstrate the outperformance of our solutions.

Xiong Li,Saru Kumari,Jian Shen,Fan Wu,Caisen Chen,SK Hafizul Islam

DOI: https://doi.org/10.1007/s11277-016-3742-6

IF: 2.017

2016-01-01

Wireless Personal Communications

Abstract:Cloud storage is a new storage mode emerged along with the development of cloud computing paradigm. By migrating the data to cloud storage, the consumers can be liberated from building and maintaining the private storage infrastructure, and they can enjoy the data storage service at anywhere and anytime with high reliability and a relatively low cost. However, the security and privacy risks, especially the confidentiality and integrity of data seem to be the biggest hurdle to the adoption of the cloud storage applications. In this paper, we consider the secure data access and sharing issues for cloud storage services. Based on the intractability of the discrete logarithm problem, we design a secure data access and data sharing scheme for cloud storage, where we utilize the user authentication scheme to deal with the data access problem. According to our analysis, through our scheme, only valid user with the correct password and biometric can access to the cloud storage provider. Besides, the authorized users can access the rightful resources and verify the validity of the shared data, but cannot transfer the permission to any other party. At the same time, the confidentiality and integrity of data can be guaranteed.

Jianfei Sun,Guowen Xu,Tianwei Zhang,Hu Xiong,Hongwei Li,Robert H. Deng

DOI: https://doi.org/10.1109/tcc.2021.3117998

IF: 5.697

2021-01-01

IEEE Transactions on Cloud Computing

Abstract:Benefiting from the powerful computing and storage capabilities of cloud services, data sharing in the cloud has been permeated across various applications including social networks, e-health and crowdsourcing transportation system. Intuitively, outsourcing data to untrusted cloud commonly raises concerns about data privacy breaches. To combat this, one approach is exploiting Broadcast Based Searchable Encryption (BBSE) for secure data sharing. Nevertheless, the latest proposed BBSE is still defective in either security or efficiency. In this article, we propose ESPD, an Efficient, Scalable and Privacy-preserving Data sharing framework over encrypted cloud dataset. Different from previous works, ESPD supports sharing target data to multiple users with distinct secret keys, and keeps a constant ciphertext length with the changes of the amount of system users. This feature significantly improves search efficiency and makes ESPD scalable in real-world scenarios. We show a formal analysis to prove the security of ESPD in terms of file privacy, keyword privacy and trapdoor privacy. Also, extensive experiments on real-world dataset are conducted to indicate the desirable performance of ESPD compared to other similar schemes.

LI Liangbin,WANG Jinlin,CHEN Jun

DOI: https://doi.org/10.3969/j.issn.2095-347x.2011.05.001

2011-01-01

Abstract:Data dispersal is a key technology for survivable storage system,based on the analysis of features and shortcomings of existing data dispersal scheme,a verifiable short secret sharing data dispersal scheme supporting general access structure is proposed.The fragment generated by our scheme is composed of cipher-text portion and cipher-key portion.Firstly the original data is encrypted and dispersed with erasure coding,secondly the cipher-key is dispersed with an improved verifiable secret sharing algorithm,and dispersal of the cipher-key must depend on the cipher-text portion.Comparing to existing work,our scheme achieves high performance in all aspects of space cost,secrecy and verifiability,and the general access structure is also supported.

Jun Feng,Yu Chen,Wei-Shinn Ku,Zhou Su

DOI: https://doi.org/10.1109/ICC.2010.5502417

2010-01-01

Abstract:Migrating from server-attached storage to distributed storage brings new vulnerabilities in creating a secure data storage and access facility. Particularly it is a challenge on top of insecure networks or unreliable storage service providers. For example, in applications such as cloud computing where data storage is transparent to the owner. It is even harder to protect the data stored in unreliable hosts. More robust security scheme is desired to prevent adversaries from obtaining sensitive information when the data is in their hands. Meanwhile, the performance gap between the execution speed of security software and the amount of data to be processed is ever widening. A common solution to close the performance gap is through hardware implementation. This paper proposes D-DOG (Data Division and Out-of-order keystream Generation), a novel encryption method to protect data in the distributed storage environments. Aside from verifying the correctness and effectiveness of the D-DOG scheme through theoretical analysis and experimental study, we also preliminarily evaluated its hardware implementation.

Su Huang,Yuan Luo

DOI: https://doi.org/10.1049/cp.2014.1263

2014-01-01

Abstract:Cloud storage services enable users to remotely store their data and conveniently share their information. One critical issue is how to achieve data security and realize data access policy in cloud storage services. Existing schemes based on Ciphertext-Policy Attribute-Based Encryption (CP-ABE) have been proposed to achieve secure access control for outsourced data in cloud computing. However, due to the inefficiency of decryption and the inflexibility, most of these schemes are not suitable to realize distributed access control for cloud storage systems. In this paper, we propose a fully distributed, scalable and effective data access control scheme to encrypt and decrypt data, which bases on the lowest density maximum distance separable (LD-MDS) code.The introduction of the LD-MDS code in this field improves performance greatly in decryption stage. Security analysis indicates that the proposed scheme is secure and achieves fine-grained access control, collusion resistant, backward security and forward security simultaneously. Extensive performance analysis and experiment show that our scheme is much more efficient than existing CP-ABE system in cloud storage services.

Jian Zhang,Yang,Yanjiao Chen,Jing Chen,Qian Zhang

DOI: https://doi.org/10.1016/j.comnet.2017.08.019

IF: 5.493

2017-01-01

Computer Networks

Abstract:With the growing popularity of cloud storage, to guarantee the security of outsourced data becomes more and more important. In this paper, we make the first attempt to explore the intrinsic relationship between secure cloud storage and homomorphic encryption scheme, based on which we present a Generic way to design a Secure Cloud Storage protocol, denoted as G-SCS, using any homomorphic encryption scheme (HES). The proposed G-SCS is secure under a definition that satisfy the security requirement of cloud storage. To address various issues in real application scenarios, we further extend the protocol to support deterministic and randomized auditing, data dynamics (i.e., data insertion, deletion and modification), as well as third-party public auditing, while preserving the efficiency and security of the protocol. By instantiating all abstract semantics in G-SCS, we construct three concrete secure cloud storage protocols using RSA-based, Paillier-based and DGHV-based HESs, which are multiplicatively, additively and fully HESs, respectively. We conduct extensive theoretical analysis and experimental evaluations to validate the practicability of the proposed protocol.

Yanping Wang,Xiaosong Zhang,Xiaofen Wang,Teng Hu,Peng Lu,Mingyong Yin

DOI: https://doi.org/10.1155/2022/1317626

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:With the increasingly prominent value of big data, data sharing within enterprises and organizations has become increasingly popular, and many institutions have established data centers to achieve effective data storage and sharing. Meanwhile, cyberspace data security and privacy have become the most critical issue that people are concerned about since shared data often involves commercial secrets and sensitive information. At present, data encryption techniques have been applied to protect the security of the sensitive data stored in and shared by the data centers. However, the challenges of efficient data sharing, secure management of decryption keys, deduplication of the plaintext, and transparency and auditability of the data access arise. These challenges may obstruct the development of data sharing in data-driven systems. To meet these challenges, we propose a secure and trustworthy data sharing scheme and introduce blockchain, proxy re-encryption (PRE), and trusted execution environments (TEEs) into the data-driven systems. Our scheme mainly enables (1) automatic distribution and management of the decryption keys, (2) reduction of the reduplicative data, and (3) trustworthy data sharing and recording. Finally, we implement the proposed scheme and compare it with other existing schemes. It is demonstrated that our scheme reduces the computation and communication overhead.

xuejiao liu,yingjie xia,yang xiang,mohammad mehedi hassan,abdulhameed alelaiwi

DOI: https://doi.org/10.1109/SocialSec2015.13

2015-01-01

Abstract:Hybrid cloud is a widely used cloud architecture in large companies that can outsource data to the publiccloud, while still supporting various clients like mobile devices. However, such public cloud data outsourcing raises serious security concerns, such as how to preserve data confidentiality and how to regulate access policies to the data stored in public cloud. To address this issue, we design a hybrid cloud architecture that supports data sharing securely and efficiently, even with resource-limited devices, where private cloud serves as a gateway between the public cloud and the data user. Under such architecture, we propose an improved construction of attribute-based encryption that has the capability of delegating encryption/decryption computation, which achieves flexible access control in the cloud and privacy-preserving in datautilization even with mobile devices. Extensive experiments show the scheme can further decrease the computational cost and space overhead at the user side, which is quite efficient for the user with limited mobile devices. In the process of delegating most of the encryption/decryption computation to private cloud, the user can not disclose any information to the private cloud. We also consider the communication securitythat once frequent attribute revocation happens, our scheme is able to resist some attacks between private cloud and data user by employing anonymous key agreement.

Liang Xue,Jianbing Ni,Cheng Huang,Xiaodong Lin,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/PST47121.2019.8949066

2019-01-01

Abstract:Secure task-driven data sharing can improve the sensing data usage and protect data confidentiality in mobile crowdsensing (MCS). However, the existing data sharing schemes lack efficient support of forward secrecy, i.e., if the secret key of a data requester is compromised, all the historically shared data will be leaked. In this paper, we propose a forward secure and fine-grained data sharing scheme in mobile crowdsensing to provide a strong security guarantee and flexible access control over the sensing data. Specifically, by incorporating puncturable encryption and attribute based encryption, a shared symmetric key for data sharing can be encrypted by an access structure over the attributes of data requesters and the introduced Bloom filter attributes. Moreover, the shared key establishment between the MCS server and data requesters can be done jointly with the both sides authentication. By utilizing the structure of the Bloom filter, the update of a private key which is used to achieve forward secrecy only needs several deletion operations and no communication with the key distributor is involved. The security proof shows our scheme is provably secure under the security model. Experiment results demonstrate the practicability of the scheme.

Yuxiang Chen,Yao Hao,Zhongqiang Yi,Xiaoyu Guo,Chunxiang Xu

DOI: https://doi.org/10.1109/nana56854.2022.00042

2022-01-01

Abstract:As file management is widely used in e-government and enterprise office, the file exchange, as the main means of sharing and collaborating in office, has been far from able to meet the needs of data security. Encrypted Storage with its highly security, controllability, can be an effective solution to the limitations of existing authority control services. However, during the data sharing and exchange, the file is separated from the owner, which has the problem of insufficient or over -authorization, thus needs fine-grained hierarchical control and cooperation. In this article, we propose a hierarchical management and control scheme for encrypted storage combined with ciphertext retrieval. The proposed scheme supports top-down privilege division without increasing the number of managed keys, all the data are processed and authorized strictly, the high-level user can deduce the keys of lower authorized users, but not vice versa, thus solving data leakage caused by over-authorization. Through performance and security analysis, we demonstrate that the scheme can better meet the data security and precise authorization requirements.

Qingshui Xue,Chenglong Tan

DOI: https://doi.org/10.1109/iciibms60103.2023.10347872

2023-01-01

Abstract:As the demand for cloud storage continues to grow, both individual users and enterprises are storing their data on cloud servers. However, cloud storage providers' servers are often semi-trusted, leading to frequent occurrences of data leaks in recent years. Currently, searchable encryption is an effective solution to safeguard data stored in the cloud. However, traditional searchable encryption is not well-suited for large-scale data and multiple users in cloud storage, as it results in low retrieval efficiency and consumes substantial resources.To address these issues, this paper proposes a distributed cloud storage solution using dynamic searchable encryption. The data stored in the cluster is verified and partitioned using the consistent hashing algorithm, avoiding single point failures and data loss in the index. The scheme utilizes multi-gate distribution to achieve efficient and parallel keyword retrieval, ensuring secure data searches and implementing a distributed storage system that is efficient, scalable, and load-balanced in a distributed environment.This approach primarily focuses on striking a balance between security, retrieval efficiency, and query accuracy. It achieves secure data storage and retrieval while ensuring high performance and accuracy in a distributed setting.

JIA Ya-ru,LIU Xiang-yang,LIU Sheng-li

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.03.043

2012-01-01

Abstract:This paper proposes the decentralized secure distributed storage system.The privacy of data is fulfilled by the combination of public key system and symmetric key system.Symmetric key for data from different sources are different,hence encryptions can be implemented in a distributed way.The employment of decentralized erasure code,together with the distributed encryptions,makes possible the decentralization of the system.RS codes are used to store the encryption of symmetric keys,and the list decoding of RS codes ensures the robust.Analysis result shows that the computing efficiency of this system is higher.

Hsiao-Ying Lin,Wen-Guey Tzeng

DOI: https://doi.org/10.1109/tpds.2011.252

IF: 5.3

2012-06-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:A cloud storage system, consisting of a collection of storage servers, provides long-term storage services over the Internet. Storing data in a third party's cloud system causes serious concern over data confidentiality. General encryption schemes protect data confidentiality, but also limit the functionality of the storage system because a few operations are supported over encrypted data. Constructing a secure storage system that supports multiple functions is challenging when the storage system is distributed and has no central authority. We propose a threshold proxy re-encryption scheme and integrate it with a decentralized erasure code such that a secure distributed storage system is formulated. The distributed storage system not only supports secure and robust data storage and retrieval, but also lets a user forward his data in the storage servers to another user without retrieving the data back. The main technical contribution is that the proxy re-encryption scheme supports encoding operations over encrypted messages as well as forwarding operations over encoded and encrypted messages. Our method fully integrates encrypting, encoding, and forwarding. We analyze and suggest suitable parameters for the number of copies of a message dispatched to storage servers and the number of storage servers queried by a key server. These parameters allow more flexible adjustment between the number of storage servers and robustness.

computer science, theory & methods,engineering, electrical & electronic

Fangyong Hou,Dawu Gu,Nong Xiao,Yuhua Tang

DOI: https://doi.org/10.1109/NAS.2008.48

2008-01-01

Abstract:Storage systems are more distributed and more subject to attacks. Cryptographic file system gives a promising way to mitigate the danger of exposing data by using encryption and integrity protection methods and guarantee end-to-end security to clients. This paper describes SRSAE, a generic approach to cryptographic file system, as well as its realization in a distributed data storage environment. SRSAE applies authenticated encryption to each data block transferred between clients and the remote block devices. It provides strong data confidentiality and integrity protections through trusted IV (Initialization Vector) and MAC (Message Authentication Code) comparison. Performance is optimized by buffering IV and MAC locally. Integration into original file system is presented with specific implementation. Related model, approach and system realization are elaborated, as well as testing results. Theoretical analysis and experimental simulations show that it is a practical and available way to build secure network storage system.

Zaid Alaa Hussien,Zaid Ameen Abduljabbar,Mohammed Abdulridha Hussain,Mustafa A. Al Sibahee,Songfeng Lu,Hamid A. Al-Asadi

DOI: https://doi.org/10.1145/3331453.3361648

2019-01-01

Abstract:People have proposed many data integrity techniques to secure data storage in cloud. The majority of these schemes assume that only the owner of the data can modify their storage in cloud. In recent years, researchers have allowed different cloud users to use integrity assurance for modifying data. As a result, schemes with stronger reality than before have been proposed. Nevertheless, these attempts are impractical due to the large computing costs for cloud users. Clients must also perform numerous computations to ensure the integrity of data storage. A robust and efficient scheme is put forward in this study to maintain data integrity in cases that involve public auditing. In this way, multiuser modification can be used to check the public integrity for cloud data and reduce the auditing cost. The proposed scheme uses public key cryptography equipped with a proxy re-encryption and a cryptographic hash function. We allow a third-party auditor (TPA) to conduct preprocessing of data for the sake of cloud users prior to uploading these data to the cloud service providers (CSPs) and then verify the integrity of data. We also allow the TPA to perform re-encryption of data for sharing data without losing privacy. The scheme is characterised by significant security features, such as management of key, privacy, low-cost computation, exchange of key, freeing clients from burdens, failure of CSPs in creating right verifier response in absence of data and one-time key requirement. Numerical analysis and extensive experimental results verify that the proposed scheme is efficient and scalable.

Haifeng Li,Caihui Lan,Xingbing Fu,Caifen Wang,Fagen Li,He Guo

DOI: https://doi.org/10.3390/s20174720

IF: 3.9

2020-01-01

Sensors

Abstract:With the explosion of various mobile devices and the tremendous advancement in cloud computing technology, mobile devices have been seamlessly integrated with the premium powerful cloud computing known as an innovation paradigm named Mobile Cloud Computing (MCC) to facilitate the mobile users in storing, computing and sharing their data with others. Meanwhile, Attribute Based Encryption (ABE) has been envisioned as one of the most promising cryptographic primitives for providing secure and flexible fine-grained “one to many” access control, particularly in large scale distributed system with unknown participators. However, most existing ABE schemes are not suitable for MCC because they involve expensive pairing operations which pose a formidable challenge for resource-constrained mobile devices, thus greatly delaying the widespread popularity of MCC. To this end, in this paper, we propose a secure and lightweight fine-grained data sharing scheme (SLFG-DSS) for a mobile cloud computing scenario to outsource the majority of time-consuming operations from the resource-constrained mobile devices to the resource-rich cloud servers. Different from the current schemes, our novel scheme can enjoy the following promising merits simultaneously: (1) Supporting verifiable outsourced decryption, i.e., the mobile user can ensure the validity of the transformed ciphertext returned from the cloud server; (2) resisting decryption key exposure, i.e., our proposed scheme can outsource decryption for intensive computing tasks during the decryption phase without revealing the user’s data or decryption key; (3) achieving a CCA security level; thus, our novel scheme can be applied to the scenarios with higher security level requirement. The concrete security proof and performance analysis illustrate that our novel scheme is proven secure and suitable for the mobile cloud computing environment.

Kaifa Zheng,Caiyang Ding,Jinchen Wang

DOI: https://doi.org/10.3390/electronics12122737

IF: 2.9

2023-06-20

Electronics

Abstract:The node–edge–cloud collaborative computation paradigm has introduced new security challenges to data sharing. Existing data-sharing schemes suffer from limitations such as low efficiency and inflexibility and are not easily integrated with the node–edge–cloud environment. Additionally, they do not provide hierarchical access control or dynamic changes to access policies for data privacy preservation, leading to a poor user experience and lower security. To address these issues, we propose a data-sharing scheme using attribute-based encryption (ABE) that supports node–edge–cloud collaborative computation (DS-ABE-CC). Our scheme incorporates access policies into ciphertext, achieving fine-grained access control and data privacy preservation. Firstly, considering node–edge–cloud collaborative computation, it outsources the significant computational overhead of data sharing from the owner and user to the edge nodes and the cloud. Secondly, integrating deeply with the "node–edge–cloud" scenario, the key distribution and agreement between all entities embedded in the encryption and decryption process, with a data privacy-preserving mechanism, improve the efficiency and security. Finally, our scheme supports flexible and dynamic access control policies and realizes hierarchical access control, thereby enhancing the user experience of data sharing. The theoretical analysis confirmed the security of our scheme, while the comparison experiments with other schemes demonstrated the practical feasibility and efficiency of our approach in node–edge–cloud collaborative computation.

engineering, electrical & electronic,computer science, information systems,physics, applied

Shengmin Xu,Xingshuo Han,Guowen Xu,Jianting Ning,Xinyi Huang,Robert H. Deng

DOI: https://doi.org/10.1109/tsc.2023.3321314

IF: 11.019

2024-01-01

IEEE Transactions on Services Computing

Abstract:Cloud computing is the widespread acceptance of a promising paradigm offering a substantial amount of storage and data services on demand. To preserve data confidentiality, many cryptosystems have been introduced. However, current solutions are incompatible with the resource-constrained end-devices because of a variety of vulnerabilities in terms of practicality and security. In this article, we propose a practical and secure data-sharing system by introducing a new design of attribute-based encryption with verifiable outsourced decryption-attribute-based encryption (VO-ABE for short). Our system offers: (1) data sharing at a fine-grained level; (2) a scalable key issuing protocol without any secure channel; (3) a verifiable outsourced decryption mechanism for resource-constrained end-devices against the malicious cloud service provider; and (4) adaptive security against the real-world attacks. To formalize our solution with cryptographic analysis, we present the formal definition of VO-ABE and its concrete construction with provable security. In particular, our design leverages the techniques of the traditional ABE, verifiable outsourced decryption, and randomness extractor to support fine-grained access control, cost-effective data sharing, and security assurance with high entropy. Moreover, our design is provably secure in the adaptive model under the standard assumption, which offers a stronger security guarantee since the state-of-the-art solution is selectively secure under the non-standard assumption and suffers from a variety of real-world attacks. The implementation and evaluation demonstrate that our solution enjoys superior functionality and better performance than the relevant solutions. More importantly, our solution is compatible with the resource-constrained end-devices since the decryption mechanism takes around 1.1 ms and is 22.7x faster than the state-of-the-art solution.

Qingni Shen,Xin Yang,Xi Yu,Pengfei Sun,Yahui Yang,Zhonghai Wu

DOI: https://doi.org/10.1109/APSCC.2011.56

2011-01-01

Abstract:Cloud Storage has been turned into a common platform shared among varied organizations, even market competitors, thus has raised many security concerns. Most of the current researches focus on data encryption and decryption, in this paper, however, we take an alternative perspective - access control, to design and implement a secure solution for cloud storage, aiming to solve both the data isolation problem, which ensures that data in storage cloud owned by one company wouldn't be crossly accessed by other ones, and data collaboration problem, which makes data sharing between different organizations through storage cloud possible while still under the restriction of company data isolation. Besides, we have presented a pretty flexible security policy which could be easily customized to fit the variant security requirements in different cooperation. Finally, a prototype has been implemented based on HDFS by this policy, and the time cost is given and evaluated. © 2011 IEEE.