Towards Practical Access Control and Usage Control on the Cloud using Trusted Hardware

Cloud-based platforms have become the principle way to store, share, and synchronize files online. For individuals and organizations alike, cloud storage not only provides resource scalability and on-demand access at a low cost, but also eliminates the necessity of provisioning and maintaining complex hardware installations. Unfortunately, because cloud-based platforms are frequent victims of data breaches and unauthorized disclosures, data protection obliges both access control and usage control to manage user authorization and regulate future data use. Encryption can ensure data security against unauthorized parties, but complicates file sharing which now requires distributing keys to authorized users, and a mechanism that prevents revoked users from accessing or modifying sensitive content. Further, as user data is stored and processed on remote ma- chines, usage control in a distributed setting requires incorporating the local environmental context at policy evaluation, as well as tamper-proof and non-bypassable enforcement. Existing cryptographic solutions either require server-side coordination, offer limited flexibility in data sharing, or incur significant re-encryption overheads on user revocation. This combination of issues are ill-suited within large-scale distributed environments where there are a large number of users, dynamic changes in user membership and access privileges, and resources are shared across organizational domains. Thus, developing a robust security and privacy solution for the cloud requires: fine-grained access control to associate the largest set of users and resources with variable granularity, scalable administration costs when managing policies and access rights, and cross-domain policy enforcement. To address the above challenges, this dissertation proposes a practical security solution that relies solely on commodity trusted hardware to ensure confidentiality and integrity throughout the data lifecycle. The aim is to maintain complete user ownership against external hackers and malicious service providers, without losing the scalability or availability benefits of cloud storage. Furthermore, we develop a principled approach that is: (i) portable across storage platforms without requiring any server-side support or modifications, (ii) flexible in allowing users to selectively share their data using fine-grained access control, and (iii) performant by imposing modest overheads on standard user workloads. Essentially, our system must be client-side, provide end-to-end data protection and secure sharing, without significant degradation in performance or user experience. We introduce NeXUS, a privacy-preserving filesystem that enables cryptographic protection and secure file sharing on existing network-based storage services. NeXUS protects the confidentiality and integrity of file content, as well as file and directory names, while mitigating against rollback attacks of the filesystem hierarchy. We also introduce Joplin, a secure access control and usage control system that provides practical attribute-based sharing with decentralized policy administration, including efficient revocation, multi-domain policies, secure user delegation, and mandatory audit logging. Both systems leverage trusted hardware to prevent the leakage of sensitive material such as encryption keys and access control policies; they are completely client-side, easy to install and use, and can be readily deployed across remote storage platforms without requiring any server-side changes or trusted intermediary. We developed prototypes for NeXUS and Joplin, and evaluated their respective overheads in isolation and within a real-world environment. Results show that both prototypes introduce modest overheads on interactive workloads, and achieve portability across storage platforms, including Dropbox and AFS. Together, NeXUS and Joplin demonstrate that a client-side solution employing trusted hardware such as Intel SGX can effectively protect remotely stored data on existing file sharing services

A Distributed Architecture for Certificate-based Delegation of Business Process Accessibility in Virtual Organizations

In this paper, a distributed architecture has been proposed in order to support an authorization service more precisely in dynamically created Virtual Organizations (VO). In comparison to other existing architectures such as Akenti, VOMS and TAS, our architecture uses certificates on top a of the distributed agent architecture for managing requested resources among the VOs. The most obscure issue in distributed agents is finding the proper node that keeps the particular requested certificates In this paper, Chord’s Finger Table has been improved to add extra search abilities on the ring architecture of Chord. The process of locating keys can be implemented on the top of the improved Chord by associating a key with each data item, and storing the key/data item pair at the node to which the key maps. In this article, a theatrical analysis is presented for simulations, which shows improvement in the number of passed hops to locate keys in the proposed method in comparison of standard chord, so it’s more cost efficient

Enhanced security architecture for support of credential repository in grid computing.

Grid Computing involves heterogeneous computers and resources, multiple administrative domains and the mechanisms and techniques for establishing and maintaining effective and secure communications between devices and systems. Both authentication and authorization are required. Current authorization models in each domain vary from one system to another, which makes it difficult for users to obtain authorization across multiple domains at one time. We propose an enhanced security architecture to provide support for decentralized authorization based on attribute certificates which may be accessed via the Internet. This allows the administration of privileges to be widely distributed over the Internet in support of autonomy for resource owners and providers. In addition, it provides a uniform approach for authorization which may be used by resource providers from various domains. We combine authentication with the authorization mechanism by using both MyProxy online credential repository and LDAP directory server. In our architecture, we use MyProxy server to store identity certificates for authentication, and utilize an LDAP server-based architecture to store attribute certificates for authorization. Using a standard web browser, a user may connect to a grid portal and allow the portal to retrieve those certificates in order to access grid resources on behalf of the user. Thus, our approach can make use of the online credential repository to integrate authentication, delegation and attribute based access control together to provide enhanced, flexible security for grid system. Paper copy at Leddy Library: Theses & Major Papers - Basement, West Bldg. / Call Number: Thesis2004 .C54. Source: Masters Abstracts International, Volume: 43-01, page: 0231. Adviser: R. D. Kent. Thesis (M.Sc.)--University of Windsor (Canada), 2004

Greenpass RADIUS Tools for Delegated Authorization in Wireless Networks

Dartmouth\u27s Greenpass project extends how public key cryptography can be used to secure the wireless LAN with a RADIUS (Remote Authentication Dial In User Service) server that is responsible for handling authentication requests from clients (called supplicants in the 802.1x authentication model). This thesis describes the design and implementation of the authentication process of Greenpass, specifically what decisions are made in determining who is granted access and how a small modification of already existing protocols can be used to provide guest access in a way that better reflects how delegation of authority works in the real world. Greenpass takes advantage of the existing PKI to authenticate local Dartmouth users via X.509 identity certificates using EAP-TLS. We use the flexibility of SPKI/SDSI (Simple Public Key Infrastructure/Simple Distributed Security Infrastructure) authorization certificates to distribute the responsibility of delegating access to guests to certain authorized delegators, avoiding some of the necessary steps and paperwork associated with having a large centralized entity responsible for the entire institution. This thesis also discusses how our solution can be adapted to support different methods of guest delegation and investigates the possibility of eliminating the cumbersome central entity and administrative overhead traditionally associated with public key cryptography