Fast and secure laptop backups with encrypted de-duplication

Many people now store large quantities of personal and corporate data on laptops or home computers. These often have poor or intermittent connectivity, and are vulnerable to theft or hardware failure. Conventional backup solutions are not well suited to this environment, and backup regimes are frequently inadequate. This paper describes an algorithm which takes advantage of the data which is common between users to increase the speed of backups, and reduce the storage requirements. This algorithm supports client-end per-user encryption which is necessary for confidential personal data. It also supports a unique feature which allows immediate detection of common subtrees, avoiding the need to query the backup system for every file. We describe a prototype implementation of this algorithm for Apple OS X, and present an analysis of the potential effectiveness, using real data obtained from a set of typical users. Finally, we discuss the use of this prototype in conjunction with remote cloud storage, and present an analysis of the typical cost savings.

Authentication of Freshness for OutsourcedMulti-Version Key-Value Stores

Data outsourcing offers cost-effective computing power to manage massive data streams and reliable access to data. For example, data owners can forward their data to clouds, and the clouds provide data mirroring, backup, and online access services to end users. However, outsourcing data to untrusted clouds requires data authentication and query integrity to remain in the control of the data owners and users. In this paper, we address this problem specifically for multiversion key-value data that is subject to continuous updates under the constraints of data integrity, data authenticity, and “freshness” (i.e., ensuring that the value returned for a key is the latest version).We detail this problem and propose INCBMTREE, a novel construct delivering freshness and authenticity. Compared to existing work, we provide a solution that offers (i) lightweight signing and verification on massive data update streams for data owners and users (e.g., allowing for small memory footprint and CPU usage on mobile user devices), (ii) integrity of both real-time and historic data, and (iii) support for both real-time and periodic data publication. Extensive benchmark evaluations demonstrate that INCBMTREE achieves more throughput (in an order of magnitude) for data stream authentication than existing work. For data owners and end users that have limited computing power, INCBM-TREE can be a practical solution to authenticate the freshness of outsourced data while reaping the benefits of broadly available cloud services

Group sharing and random access in cryptographic storage file systems

Thesis (M.Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1999.Vita.Includes bibliographical references (p. 79-83).by Kevin E. Fu.M.Eng

UNDO: A System for Neutralizing Nuisance Attacks

In recent years, our society has seen a shift towards a reliance on digital means of data storage. This paper considers the problem of digital data integrity protection, which is defined as preventing unauthorized writing of data. Numerous examples of successful attacks against seemingly secure targets are examined to support the assertion of the author that, at least in some circumstances, the integrity of digital data is difficult to preserve. An approach to securing data is proposed in which a security administrator first assumes that a system will be compromised. This approach limits its focus to a nuisance-type attack, which is defined as an attempt to obscure shared non-sensitive data by limited-experience attackers. A trusted third party, the Universal Nuisance Defense Object (UNDO), is employed to monitor the system and automatically detect and abate unauthorized writing of data. This approach is further expanded upon by utilizing a tool set of metrics that allows one to measure the performance of UNDO, and appropriately configure it. This allows an administrator to optimize its efficiency, ideally to the point where this category of attack on the data integrity will be nullified

VerSum: Verifiable Computations over Large Public Logs

VerSum allows lightweight clients to outsource expensive computations over large and frequently changing data structures, such as the Bitcoin or Namecoin blockchains, or a Certificate Transparency log. VerSum clients ensure that the output is correct by comparing the outputs from multiple servers. VerSum assumes that at least one server is honest, and crucially, when servers disagree, VerSum uses an efficient conflict resolution protocol to determine which server(s) made a mistake and thus obtain the correct output. VerSum's contribution lies in achieving low server-side overhead for both incremental re-computation and conflict resolution, using three key ideas: (1) representing the computation as a functional program, which allows memoization of previous results; (2) recording the evaluation trace of the functional program in a carefully designed computation history to help clients determine which server made a mistake; and (3) introducing a new authenticated data structure for sequences, called SeqHash, that makes it efficient for servers to construct summaries of computation histories in the presence of incremental re-computation. Experimental results with an implementation of VerSum show that VerSum can be used for a variety of computations, that it can support many clients, and that it can easily keep up with Bitcoin's rate of new blocks with transactions.United States. Defense Advanced Research Projects Agency. Clean-slate design of Resilient, Adaptive, Secure Hosts (CRASH) Program (Contract N66001-10-2-4089)National Science Foundation (U.S.) (Award CNS-1053143)National Science Foundation (U.S.) (Award CNS-1413920

Implementing EFECT

Thesis (M.Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2001.Includes bibliographical references (p. 49-50).This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.This thesis describes the design, implementation, and benchmarking of a software prototype of EFECT [EFECT], a new certificate scheme that handles revocation more gracefully than do current schemes. This prototype includes a client browser, a certificate verification tree library, and a directory server. The thesis includes analysis, both mathematical and empirical, to determine the optimal values of EFECT's parameters in terms of both speed and space. Finally, the thesis includes a benchmark comparison of the optimized EFECT and a comparable X.509 [X509] system. This comparison serves as proof that EFECT does indeed outperform the X.509 scheme in some common scenarios.by Ivan Nestlerode.M.Eng