63 research outputs found

    Secure Remote Storage of Logs with Search Capabilities

    Get PDF
    Dissertação de Mestrado em Engenharia InformáticaAlong side with the use of cloud-based services, infrastructure and storage, the use of application logs in business critical applications is a standard practice nowadays. Such application logs must be stored in an accessible manner in order to used whenever needed. The debugging of these applications is a common situation where such access is required. Frequently, part of the information contained in logs records is sensitive. This work proposes a new approach of storing critical logs in a cloud-based storage recurring to searchable encryption, inverted indexing and hash chaining techniques to achieve, in a unified way, the needed privacy, integrity and authenticity while maintaining server side searching capabilities by the logs owner. The designed search algorithm enables conjunctive keywords queries plus a fine-grained search supported by field searching and nested queries, which are essential in the referred use case. To the best of our knowledge, the proposed solution is also the first to introduce a query language that enables complex conjunctive keywords and a fine-grained search backed by field searching and sub queries.A gerac¸ ˜ao de logs em aplicac¸ ˜oes e a sua posterior consulta s˜ao fulcrais para o funcionamento de qualquer neg´ocio ou empresa. Estes logs podem ser usados para eventuais ac¸ ˜oes de auditoria, uma vez que estabelecem uma baseline das operac¸ ˜oes realizadas. Servem igualmente o prop´ osito de identificar erros, facilitar ac¸ ˜oes de debugging e diagnosticar bottlennecks de performance. Tipicamente, a maioria da informac¸ ˜ao contida nesses logs ´e considerada sens´ıvel. Quando estes logs s˜ao armazenados in-house, as considerac¸ ˜oes relacionadas com anonimizac¸ ˜ao, confidencialidade e integridade s˜ao geralmente descartadas. Contudo, com o advento das plataformas cloud e a transic¸ ˜ao quer das aplicac¸ ˜oes quer dos seus logs para estes ecossistemas, processos de logging remotos, seguros e confidenciais surgem como um novo desafio. Adicionalmente, regulac¸ ˜ao como a RGPD, imp˜oe que as instituic¸ ˜oes e empresas garantam o armazenamento seguro dos dados. A forma mais comum de garantir a confidencialidade consiste na utilizac¸ ˜ao de t ´ecnicas criptogr ´aficas para cifrar a totalidade dos dados anteriormente `a sua transfer ˆencia para o servidor remoto. Caso sejam necess´ arias capacidades de pesquisa, a abordagem mais simples ´e a transfer ˆencia de todos os dados cifrados para o lado do cliente, que proceder´a `a sua decifra e pesquisa sobre os dados decifrados. Embora esta abordagem garanta a confidencialidade e privacidade dos dados, rapidamente se torna impratic ´avel com o crescimento normal dos registos de log. Adicionalmente, esta abordagem n˜ao faz uso do potencial total que a cloud tem para oferecer. Com base nesta tem´ atica, esta tese prop˜oe o desenvolvimento de uma soluc¸ ˜ao de armazenamento de logs operacionais de forma confidencial, integra e autˆ entica, fazendo uso das capacidades de armazenamento e computac¸ ˜ao das plataformas cloud. Adicionalmente, a possibilidade de pesquisa sobre os dados ´e mantida. Essa pesquisa ´e realizada server-side diretamente sobre os dados cifrados e sem acesso em momento algum a dados n˜ao cifrados por parte do servidor..

    Freecursive ORAM: [Nearly] Free Recursion and Integrity Verification for Position-based Oblivious RAM

    Get PDF
    Oblivious RAM (ORAM) is a cryptographic primitive that hides memory access patterns as seen by untrusted storage. Recently, ORAM has been architected into secure processors. A big challenge for hardware ORAM schemes is how to efficiently manage the Position Map (PosMap), a central component in modern ORAM algorithms. Implemented naively, the PosMap causes ORAM to be fundamentally unscalable in terms of on-chip area. On the other hand, a technique called Recursive ORAM fixes the area problem yet significantly increases ORAM's performance overhead. To address this challenge, we propose three new mechanisms. We propose a new ORAM structure called the PosMap Lookaside Buffer (PLB) and PosMap compression techniques to reduce the performance overhead from Recursive ORAM empirically (the latter also improves the construction asymptotically). Through simulation, we show that these techniques reduce the memory bandwidth overhead needed to support recursion by 95%, reduce overall ORAM bandwidth by 37% and improve overall SPEC benchmark performance by 1.27x. We then show how our PosMap compression techniques further facilitate an extremely efficient integrity verification scheme for ORAM which we call PosMap MAC (PMMAC). For a practical parameterization, PMMAC reduces the amount of hashing needed for integrity checking by >= 68x relative to prior schemes and introduces only 7% performance overhead. We prototype our mechanisms in hardware and report area and clock frequency for a complete ORAM design post-synthesis and post-layout using an ASIC flow in a 32~nm commercial process. With 2 DRAM channels, the design post-layout runs at 1~GHz and has a total area of .47~mm2. Depending on PLB-specific parameters, the PLB accounts for 10% to 26% area. PMMAC costs 12% of total design area. Our work is the first to prototype Recursive ORAM or ORAM with any integrity scheme in hardware.Qatar Computing Research Institute (QCRI-CSAIL Parternship)National Science Foundation (U.S.)American Society for Engineering Education. National Defense Science and Engineering Graduate Fellowshi

    Power Analysis Attacks on Keccak

    Get PDF
    Side Channel Attacks (SCA) exploit weaknesses in implementations of cryptographic functions resulting from unintended inputs and outputs such as operation timing, electromagnetic radiation, thermal/acoustic emanations, and power consumption to break cryptographic systems with no known weaknesses in the algorithm’s mathematical structure. Power Analysis Attack (PAA) is a type of SCA that exploits the relationship between the power consumption and secret key (secret part of input to some cryptographic process) information during the cryptographic device normal operation. PAA can be further divided into three categories: Simple Power Analysis (SPA), Differential Power Analysis (DPA) and Correlation Power Analysis (CPA). PAA was first introduced in 1998 and mostly focused on symmetric-key block cipher Data Encryption Standard (DES). Most recently this technique has been applied to cryptographic hash functions. Keccak is built on sponge construction, and it provides a new Message Authentication Code (MAC) function called MAC-Keccak. The focus of this thesis is to apply the power analysis attacks that use CPA technique to extract the key from the MAC-Keccak. So far there are attacks of physical hardware implementations of MAC-Keccak using FPGA development board, but there has been no side channel vulnerability assessment of the hardware implementations using simulated power consumption waveforms. Compared to physical power extraction, circuit simulation significantly reduces the complexity of mounting a power attack, provides quicker feedback during the implementation/study of a cryptographic device, and that ultimately reduces the cost of testing and experimentation. An attack framework was developed and applied to the Keccak high speed core hardware design from the SHA-3 competition, using gate-level circuit simulation. The framework is written in a modular fashion to be flexible to attack both simulated and physical power traces of AES, MAC-Keccak, and future crypto systems. The Keccak hardware design is synthesized with the Synopsys 130-nm CMOS standard cell library. Simulated instantaneous power consumption waveforms are generated with Synopsys PrimeTime PX. 1-bit, 2-bit, 4-bit, 8-bit, and 16-bit CPA selection function key guess size attacks are performed on the waveforms to compare/analyze the optimization and computation effort/performance of successful key extraction on MAC-Keccak using 40 byte key size that fits the whole bottom plane of the 3D Keccak state. The research shows the larger the selection function key guess size used, the better the signal-noise-ratio (SNR), therefore requiring fewer numbers of traces needed to be applied to retrieve the key but suffer from higher computation effort time. Compared to larger selection function key guess size, smaller key guess size has lower SNR that requires higher number of applied traces for successful key extraction and utilizes less computational effort time. The research also explores and analyzes the attempted method of attacking the second plane of the 3D Keccak state where the key expands beyond 40 bytes using the successful approach against the bottom plane

    A Novel System for Confidential Medical Data Storage Using Chaskey Encryption and Blockchain Technology

    Get PDF
    يعد التخزين الآمن للمعلومات الطبية السرية أمرًا بالغ الأهمية لمنظمات الرعاية الصحية التي تسعى إلى حماية خصوصية المريض والامتثال للمتطلبات التنظيمية. في هذا البحث، نقدم نظامًا جديدًا للتخزين الآمن للبيانات الطبية باستخدام تقنية تشفير Chaskey و blockchain. يستخدم النظام تشفير Chaskey لضمان سرية وسلامة البيانات الطبية، وتكنولوجيا blockchain لتوفير حلول تخزين البيانات الطبية بحيث يكون قابل للتطوير ويتميز باللامركزية. يستخدم النظام أيضًا تقنيات Bflow للتجزئة ومنها التجزئة الرأسية لتعزيز قابلية التوسع وإدارة البيانات المخزنة. بالإضافة إلى ذلك، يستخدم النظام العقود الذكية لفرض سياسات التحكم في الوصول والتدابير الأمنية الأخرى. سنقدم وصف للنظام المقترح بالتفصيل ونقدم تحليلاً لخصائصه الأمنية والأداء. تظهر نتائجنا أن النظام يوفر حلاً آمنًا للغاية وقابل للتطوير لتخزين البيانات الطبية السرية، مع تطبيقات محتملة في مجموعة واسعة من إعدادات الرعاية الصحية.Secure storage of confidential medical information is critical to healthcare organizations seeking to protect patient's privacy and comply with regulatory requirements. This paper presents a new scheme for secure storage of medical data using Chaskey cryptography and blockchain technology. The system uses Chaskey encryption to ensure integrity and confidentiality of medical data, blockchain technology to provide a scalable and decentralized storage solution. The system also uses Bflow segmentation and vertical segmentation technologies to enhance scalability and manage the stored data. In addition, the system uses smart contracts to enforce access control policies and other security measures. The description of the system detailing and provide an analysis of its security and performance characteristics. The resulting images were tested against a number of important metrics such as Peak Signal-to-Noise Ratio (PSNR), Mean Squared Error (MSE), bit error rate (BER), Signal-to-Noise Ratio (SNR), Normalization Correlation (NC) and Structural Similarity Index (SSIM). Our results showing that the system provides a highly secure and scalable solution for storing confidential medical data, with potential applications in a wide range of healthcare settings

    Privacy preserving and serverless homomorphic-based searchable encryption as a service (SEaaS)

    Get PDF
    Serverless computing has seen rapid growth, thanks to its adaptability, elasticity, and deployment agility, embraced by both cloud providers and users. However, this surge in serverless adoption has prompted a reevaluation of security concerns and thus, searchable encryption has emerged as a crucial technology. This paper explores the Searchable Encryption as a Service (SEaaS) and introduces an innovative privacy-preserving Multiple Keyword Searchable Encryption (MKSE) scheme within a serverless cloud environment, addressing previously unmet security goals. The proposed scheme employs probabilistic encryption and leverages fully homomorphic encryption to enable operations on ciphertext, facilitating searches on encrypted data. Its core innovation lies in the use of probabilistic encryption for private multi-keyword searches. To validate its practicality, we deploy the scheme on the public cloud infrastructure, “Contabo,” and conduct rigorous testing on a real-world dataset. The results demonstrate that our novel scheme successfully preserves the privacy of search queries and access patterns, achieving robust security. This research contributes to the field of serverless cloud security, particularly in the context of searchable encryption, by providing a refined solution for safeguarding data while maintaining usability in a serverless computing landscape

    Reusable garbled gates for new fully homomorphic encryption service

    Get PDF
    In this paper, we propose a novel way to provide a fully homomorphic encryption service, namely by using garbled circuits. From a high level perspective, garbled circuits and fully homomorphic encryption, both aim at implementing complex computation on ciphertexts. We define a new cryptographic primitive named reusable garbled gate, which comes from the area of garbled circuits, then based on this new primitive we show that it is very easy to construct a fully homomorphic encryption. However, the instantiation of reusable garbled gates is rather difficult, in fact, we can only instantiate this new primitive based on indistinguishable obfuscation. Furthermore, reusable garbled gates can be a core component for constructing the reusable garbled circuits, which can reduce the communication complexity of them from O(n) to O(1). We believe that reusable garbled gates promise a new way to provide fully homomorphic encryption and reusable garbled circuits service fast.Peer ReviewedPostprint (author's final draft

    A gearbox model for processing large volumes of data by using pipeline systems encapsulated into virtual containers

    Get PDF
    Software pipelines enable organizations to chain applications for adding value to contents (e.g., confidentially, reliability, and integrity) before either sharing them with partners or sending them to the cloud. However, the pipeline components add overhead when processing large volumes of data, which can become critical in real-world scenarios. This paper presents a gearbox model for processing large volumes of data by using pipeline systems encapsulated into virtual containers. In this model, the gears represent applications, whereas gearboxes represent software pipelines. This model was implemented as a collaborative system that automatically performs Gear up (by using parallel patterns) and/or Gear down (by using in-memory storage) until all gears produce uniform data processing velocities. This model reduces delays and bottlenecks produced by the heterogeneous performance of applications included in software pipelines. The new container tool has been designed to encapsulate both the collaborative system and the software pipelines into a virtual container and deploy it on IT infrastructures. We conducted case studies to evaluate the performance of when processing medical images and PDF repositories. The incorporation of a capsule to a cloud storage service for pre-processing medical imagery was also studied. The experimental evaluation revealed the feasibility of applying the gearbox model to the deployment of software pipelines in real-world scenarios as it can significantly improve the end-user service experience when pre-processing large-scale data in comparison with state-of-the-art solutions such as Sacbe and Parsl.This work has been partially supported by the “Spanish Ministerio de Economia y Competitividad ” under the project grant TIN2016-79637-P “Towards Unification of HPC and Big Data paradigms”
    corecore