1,693 research outputs found
Meta-Key: A Secure Data-Sharing Protocol under Blockchain-Based Decentralised Storage Architecture
In this letter we propose Meta-key, a data-sharing mechanism that enables
users share their encrypted data under a blockchain-based decentralized storage
architecture. All the data-encryption keys are encrypted by the owner's public
key and put onto the blockchain for safe and secure storage and easy
key-management. Encrypted data are stored in dedicated storage nodes and proxy
re-encryption mechanism is used to ensure secure data-sharing in the untrusted
environment. Security analysis of our model shows that the proxy re-encryption
adopted in our system is naturally free from collusion-attack due to the
specific architecture of Meta-key
ZeroDB white paper
ZeroDB is an end-to-end encrypted database that enables clients to operate on
(search, sort, query, and share) encrypted data without exposing encryption
keys or cleartext data to the database server. The familiar client-server
architecture is unchanged, but query logic and encryption keys are pushed
client-side. Since the server has no insight into the nature of the data, the
risk of data being exposed via a server-side data breach is eliminated. Even if
the server is successfully infiltrated, adversaries would not have access to
the cleartext data and cannot derive anything useful out of disk or RAM
snapshots.
ZeroDB provides end-to-end encryption while maintaining much of the
functionality expected of a modern database, such as full-text search, sort,
and range queries. Additionally, ZeroDB uses proxy re-encryption and/or delta
key technology to enable secure, granular sharing of encrypted data without
exposing keys to the server and without sharing the same encryption key between
users of the database.Comment: Website of the project: https://www.zerodb.io
Streamforce: outsourcing access control enforcement for stream data to the clouds
As tremendous amount of data being generated everyday from human activity and
from devices equipped with sensing capabilities, cloud computing emerges as a
scalable and cost-effective platform to store and manage the data. While
benefits of cloud computing are numerous, security concerns arising when data
and computation are outsourced to a third party still hinder the complete
movement to the cloud. In this paper, we focus on the problem of data privacy
on the cloud, particularly on access controls over stream data. The nature of
stream data and the complexity of sharing data make access control a more
challenging issue than in traditional archival databases. We present
Streamforce - a system allowing data owners to securely outsource their data to
the cloud. The owner specifies fine-grained policies which are enforced by the
cloud. The latter performs most of the heavy computations, while learning
nothing about the data. To this end, we employ a number of encryption schemes,
including deterministic encryption, proxy-based attribute based encryption and
sliding-window encryption. In Streamforce, access control policies are modeled
as secure continuous queries, which entails minimal changes to existing stream
processing engines, and allows for easy expression of a wide-range of policies.
In particular, Streamforce comes with a number of secure query operators
including Map, Filter, Join and Aggregate. Finally, we implement Streamforce
over an open source stream processing engine (Esper) and evaluate its
performance on a cloud platform. The results demonstrate practical performance
for many real-world applications, and although the security overhead is
visible, Streamforce is highly scalable
On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud (Extended Version)
The ability to enforce robust and dynamic access controls on cloud-hosted
data while simultaneously ensuring confidentiality with respect to the cloud
itself is a clear goal for many users and organizations. To this end, there has
been much cryptographic research proposing the use of (hierarchical)
identity-based encryption, attribute-based encryption, predicate encryption,
functional encryption, and related technologies to perform robust and private
access control on untrusted cloud providers. However, the vast majority of this
work studies static models in which the access control policies being enforced
do not change over time. This is contrary to the needs of most practical
applications, which leverage dynamic data and/or policies. In this paper, we
show that the cryptographic enforcement of dynamic access controls on untrusted
platforms incurs computational costs that are likely prohibitive in practice.
Specifically, we develop lightweight constructions for enforcing role-based
access controls (i.e., ) over cloud-hosted files using
identity-based and traditional public-key cryptography. This is done under a
threat model as close as possible to the one assumed in the cryptographic
literature. We prove the correctness of these constructions, and leverage
real-world datasets and recent techniques developed by the
access control community to experimentally analyze, via simulation, their
associated computational costs. This analysis shows that supporting revocation,
file updates, and other state change functionality is likely to incur
prohibitive overheads in even minimally-dynamic, realistic scenarios. We
identify a number of bottlenecks in such systems, and fruitful areas for future
work that will lead to more natural and efficient constructions for the
cryptographic enforcement of dynamic access controls.Comment: 26 pages; extended version of the IEEE S&P pape
Internet of Cloud: Security and Privacy issues
The synergy between the cloud and the IoT has emerged largely due to the
cloud having attributes which directly benefit the IoT and enable its continued
growth. IoT adopting Cloud services has brought new security challenges. In
this book chapter, we pursue two main goals: 1) to analyse the different
components of Cloud computing and the IoT and 2) to present security and
privacy problems that these systems face. We thoroughly investigate current
security and privacy preservation solutions that exist in this area, with an
eye on the Industrial Internet of Things, discuss open issues and propose
future directionsComment: 27 pages, 4 figure
MessageGuard: A Browser-based Platform for Usable, Content-Based Encryption Research
This paper describes MessageGuard, a browser-based platform for research into
usable content-based encryption. MessageGuard is designed to enable
collaboration between security and usability researchers on long-standing
research questions in this area. It significantly simplifies the effort
required to work in this space and provides a place for research results to be
shared, replicated, and compared with minimal confounding factors. MessageGuard
provides ubiquitous encryption and secure cryptographic operations, enabling
research on any existing web application, with realistic usability studies on a
secure platform. We validate MessageGuard's compatibility and performance, and
we illustrate its utility with case studies for Gmail and Facebook Chat
An efficient framework for privacy-preserving computations on encrypted IoT data
There are two fundamental expectations from Cloud-IoT applications using sensitive and personal data: data utility and user privacy. With the complex nature of cloud-IoT ecosystem, there is a growing concern about data utility at the cost of privacy. While the current state-of-the-art encryption schemes protect users’ privacy, they preclude meaningful computations on encrypted data. Thus, the question remains “how to help IoT device users benefit from cloud computing without compromising data confidentiality and user privacy”? Cloud service providers (CSP) can leverage Fully homomorphic encryption (FHE) schemes to deliver privacy-preserving services. However, there are limitations in directly adopting FHE-based solutions for real-world Cloud-IoT applications. Thus, to foster real-world adoption of FHE-based solutions, we propose a framework called Proxy re-ciphering as a service. It leverages existing schemes such as distributed proxy servers, threshold secret sharing, chameleon hash function and FHE to tailor a practical solution that enables long-term privacy-preserving cloud computations for IoT ecosystem. We also encourage CSPs to store minimal yet adequate information from processing the raw IoT device data. Furthermore, we explore a way for IoT devices to refresh their device keys after a key-compromise. To evaluate the framework, we first develop a testbed and measure the latencies with real-world ECG records from TELE ECG Database. We observe that i) although the distributed framework introduces computation and communication latencies, the security gains outweighs the latencies, ii) the throughput of the servers providing re-ciphering service can be greatly increased with pre-processing iii) with a key refresh scheme we can limit the upper bound on the attack window post a key-compromise. Finally, we analyze the security properties against major threats faced by Cloud-IoT ecosystem. We infer that Proxy re-ciphering as a service is a practical, secure, scalable and an easy-to-adopt framework for long-term privacy-preserving cloud computations for encrypted IoT data
The Design and Implementation of a Rekeying-aware Encrypted Deduplication Storage System
Rekeying refers to an operation of replacing an existing key with a new key
for encryption. It renews security protection, so as to protect against key
compromise and enable dynamic access control in cryptographic storage. However,
it is non-trivial to realize efficient rekeying in encrypted deduplication
storage systems, which use deterministic content-derived encryption keys to
allow deduplication on ciphertexts. We design and implement REED, a
rekeying-aware encrypted deduplication storage system. REED builds on a
deterministic version of all-or-nothing transform (AONT), such that it enables
secure and lightweight rekeying, while preserving the deduplication capability.
We propose two REED encryption schemes that trade between performance and
security, and extend REED for dynamic access control. We implement a REED
prototype with various performance optimization techniques and demonstrate how
we can exploit similarity to mitigate key generation overhead. Our trace-driven
testbed evaluation shows that our REED prototype maintains high performance and
storage efficiency
Security and Privacy Aspects in MapReduce on Clouds: A Survey
MapReduce is a programming system for distributed processing large-scale data
in an efficient and fault tolerant manner on a private, public, or hybrid
cloud. MapReduce is extensively used daily around the world as an efficient
distributed computation tool for a large class of problems, e.g., search,
clustering, log analysis, different types of join operations, matrix
multiplication, pattern matching, and analysis of social networks. Security and
privacy of data and MapReduce computations are essential concerns when a
MapReduce computation is executed in public or hybrid clouds. In order to
execute a MapReduce job in public and hybrid clouds, authentication of
mappers-reducers, confidentiality of data-computations, integrity of
data-computations, and correctness-freshness of the outputs are required.
Satisfying these requirements shield the operation from several types of
attacks on data and MapReduce computations. In this paper, we investigate and
discuss security and privacy challenges and requirements, considering a variety
of adversarial capabilities, and characteristics in the scope of MapReduce. We
also provide a review of existing security and privacy protocols for MapReduce
and discuss their overhead issues.Comment: Accepted in Elsevier Computer Science Revie
Multi-user protocols with access control for computational privacy in public clouds
Computational privacy is a property of cryptographic system that ensures the
privacy of data being processed at an untrusted server. Fully Homomorphic
Encryption Schemes (FHE) promise to provide such property. Contemporary FHE
schemes are suited for applications that have single user and server. In
reality many of the cloud applications involve multiple users with various
degrees of trust and the server need not necessarily be aware of it too. We
present a Complementary Key Pairs technique and protocols based on that to
scale any generic FHE schemes to multi user scenarios. We also use such
technique along with FHE to show how attribute based access control can be
achieved while server being oblivious of the same. We analyze the protocols and
their security. Our protocols don't make any assumptions on how FHE scheme
itself works.Comment: 6 page
- …