Data Sharing on Untrusted Storage with Attribute-Based Encryption

Storing data on untrusted storage makes secure data sharing a challenge issue. On one hand, data access policies should be enforced on these storage servers; on the other hand, confidentiality of sensitive data should be well protected against them. Cryptographic methods are usually applied to address this issue -- only encrypted data are stored on storage servers while retaining secret key(s) to the data owner herself; user access is granted by issuing the corresponding data decryption keys. The main challenges for cryptographic methods include simultaneously achieving system scalability and fine-grained data access control, efficient key/user management, user accountability and etc. To address these challenge issues, this dissertation studies and enhances a novel public-key cryptography -- attribute-based encryption (ABE), and applies it for fine-grained data access control on untrusted storage. The first part of this dissertation discusses the necessity of applying ABE to secure data sharing on untrusted storage and addresses several security issues for ABE. More specifically, we propose three enhancement schemes for ABE: In the first enhancement scheme, we focus on how to revoke users in ABE with the help of untrusted servers. In this work, we enable the data owner to delegate most computation-intensive tasks pertained to user revocation to untrusted servers without disclosing data content to them. In the second enhancement scheme, we address key abuse attacks in ABE, in which authorized but malicious users abuse their access privileges by sharing their decryption keys with unauthorized users. Our proposed scheme makes it possible for the data owner to efficiently disclose the original key owner\u27s identity merely by checking the input and output of a suspicious user\u27s decryption device. Our third enhancement schemes study the issue of privacy preservation in ABE. Specifically, our proposed schemes hide the data owner\u27s access policy not only to the untrusted servers but also to all the users. The second part presents our ABE-based secure data sharing solutions for two specific applications -- Cloud Computing and Wireless Sensor Networks (WSNs). In Cloud Computing cloud servers are usually operated by third-party providers, which are almost certain to be outside the trust domain of cloud users. To secure data storage and sharing for cloud users, our proposed scheme lets the data owner (also a cloud user) generate her own ABE keys for data encryption and take the full control on key distribution/revocation. The main challenge in this work is to make the computation load affordable to the data owner and data consumers (both are cloud users). We address this challenge by uniquely combining various computation delegation techniques with ABE and allow both the data owner and data consumers to securely mitigate most computation-intensive tasks to cloud servers which are envisaged to have unlimited resources. In WSNs, wireless sensor nodes are often unattendedly deployed in the field and vulnerable to strong attacks such as memory breach. For securing storage and sharing of data on distributed storage sensor nodes while retaining data confidentiality, sensor nodes encrypt their collected data using ABE public keys and store encrypted data on storage nodes. Authorized users are given corresponding decryption keys to read data. The main challenge in this case is that sensor nodes are extremely resource-constrained and can just afford limited computation/communication load. Taking this into account we divide the lifetime of sensor nodes into phases and distribute the computation tasks into each phase. We also revised the original ABE scheme to make the overhead pertained to user revocation minimal for sensor nodes. Feasibility of the scheme is demonstrated by experiments on real sensor platforms

On the Orchestration and Provisioning of NFV-enabled Multicast Services

The paradigm of network function virtualization (NFV) with the support of software-defined networking has emerged as a prominent approach to foster innovation in the networking field and reduce the complexity involved in managing modern-day conventional networks. Before NFV, functions, which can manipulate the packet header and context of traffic flow, used to be implemented at fixed locations in the network substrate inside proprietary physical devices (called middlewares). With NFV, such functions are softwarized and virtualized. As such, they can be deployed in commodity servers as demanded. Hence, the provisioning of a network service becomes more agile and abstract, thereby giving rise to the next-generation service-customized networks which have the potential to meet new demands and use cases. In this thesis, we focus on three complementary research problems essential to the orchestration and provisioning of NFV-enabled multicast network services. An NFV-enabled multicast service connects a source with a set of destinations. It specifies a set of NFs that should be executed at the chosen routes from the source to the destinations, with some resources and ordering relationships that should be satisfied in wired core networks. In Problem I, we investigate a static joint traffic routing and virtual NF placement framework for accommodating multicast services over the network substrate. We develop optimal formulations and efficient heuristic algorithms that jointly handle the static embedding of one or multiple service requests over the network substrate with single-path and multipath routing. In Problem II, we study the online orchestration of NFV-enabled network services. We consider both unicast and multicast NFV-enabled services with mandatory and best-effort NF types. Mandatory NFs are strictly necessary for the correctness of a network service, whereas best-effort NFs are preferable yet not necessary. Correspondingly, we propose a primal-dual based online approximation algorithm that allocates both processing and transmission resources to maximize a profit function that is proportional to the throughput. The online algorithm resembles a joint admission mechanism and an online composition, routing, and NF placement framework. In the core network, traffic patterns exhibit time-varying characteristics that can be cumbersome to model. Therefore, in Problem III, we develop a dynamic provisioning approach to allocate processing and transmission resources based on the traffic pattern of the embedded network service using deep reinforcement learning (RL). Notably, we devise a model-assisted exploration procedure to improve the efficiency and consistency of the deep RL algorithm