5,568 research outputs found

    Secure Cloud Storage with Client-Side Encryption Using a Trusted Execution Environment

    With the evolution of computer systems, both the amount of sensitive data to be stored and the number of threats to these data are growing, making data confidentiality increasingly important to computer users. Currently, with devices always connected to the Internet, the use of cloud data storage services has become practical and common, allowing quick access to such data wherever the user is. Such practicality brings with it a concern: the confidentiality of data that is delivered to third parties for storage. In the home environment, disk encryption tools have gained special attention from users, being used on personal computers and also having native options in some smartphone operating systems. The present work uses data sealing, a feature provided by the Intel Software Guard Extensions (Intel SGX) technology, for file encryption. A virtual file system is created in which applications can store their data, keeping the security guarantees provided by the Intel SGX technology, before the data are sent to a storage provider. This way, even if the storage provider is compromised, the data are safe. To validate the proposal, the Cryptomator software, which is a free client-side encryption tool for cloud files, was integrated with an Intel SGX application (enclave) for data sealing. The results demonstrate that the solution is feasible, in terms of performance and security, and can be expanded and refined for practical use and integration with cloud synchronization services.

    Multiplexing of encrypted data using fractal masks

    This paper was published in OPTICS LETTERS and is made available as an electronic reprint with the permission of OSA. The paper can be found at the following URL on the OSA website: http://dx.doi.org/10.1364/OL.37.002895. Systematic or multiple reproduction or distribution to multiple locations via electronic or other means is prohibited and is subject to penalties under law.
    In this Letter, we present, to the best of our knowledge, a new all-optical technique for multiple-image encryption and multiplexing, based on fractal encrypting masks. The optical architecture is a joint transform correlator. The multiplexed encrypted data are stored in a photorefractive crystal. The fractal parameters of the key can be easily tuned to lead to a multiplexing operation without cross talk effects. Experimental results that support the potential of the method are presented.
    This research was performed under grants TWAS-UNESCO Associateship Scheme at Centres of Excellence in the South, CONICET No. 0863 (Argentina), ANCYT PICT 1167 (Argentina), and Facultad de Ingenieria, Universidad Nacional de La Plata No. 11/I125 (Argentina), Sostenibilidad 2011-2012, and CODI (Universidad de Antioquia-Colombia). W. D. Furlan and J. A. Monsoriu acknowledge financial support from Ministerio de Economia y Competitividad (grant FIS2011-23175), Generalitat Valenciana (grant PROMETEO2009-077), and Universitat Politecnica de Valencia (grants PAID-05-11 and PAID-02-11), Spain.
    Barrera, J.; Tebaldi, M.; Amaya, D.; Furlan, W.; Monsoriu Serra, JA.; Bolognini, NA.; Torroba, RD.... (2012). Multiplexing of encrypted data using fractal masks. Optics Letters. 37(14):2895-2897. doi:10.1364/OL.37.002895

    Device-Based Isolation for Securing Cryptographic Keys

    In this work, we describe an effective device-based isolation approach for achieving data security. Device-based isolation leverages the proliferation of personal computing devices to provide strong run-time guarantees for the confidentiality of secrets. To demonstrate our isolation approach, we show its use in protecting the secrecy of highly sensitive data that is crucial to security operations, such as cryptographic keys used for decrypting ciphertext or creating digital signatures. A private key is usually encrypted when not in use; however, while it is being used, the plaintext key is loaded into the memory of the host for access. In our threat model, the host may be compromised by attackers, and thus the confidentiality of the host memory cannot be preserved. We present a novel and practical solution and its prototype, called DataGuard, to protect the secrecy of highly sensitive data through the storage isolation and secure tunneling enabled by a mobile handheld device. DataGuard can be deployed for the key protection of individuals or organizations.