55,163 research outputs found

    File system extension to support secure cloud-based sharing

    Cloud storage is a common platform for multiple users to share data over the Internet. It offers a huge storage capacity at low cost and an easy-to-access interface for all users. However, data protection is considered to be an issue, especially for highly secret information. Users usually trust cloud storage providers who do not leak information, but the administrator and tools they use can access arbitrary storage data. One approach against these problems is encrypting files stored in cloud storage. Using encryption, files are kept confidential, but this requires a complicated procedure and understanding of some specific level of cryptography. In this paper, we propose a secure cloud filesystem that enables files to be encrypted and decrypted transparently when storing to or extracting from the filesystem. Each file is protected using a key-based encryption mechanism, and the keys are also stored on the cloud filesystem, securely indexed with the pathname of the target files. This enables users to easily use secure cloud storage that maintains confidentiality and share data using multiple cloud storages without the users needing special knowledge on encryption.

    Portable TPM based user Attestation Architecture for Cloud Environments

    Cloud computing is causing a major shift in the IT industry. Research indicates that the cloud computing industry segment is substantial and growing enormously. New technologies have been developed, and now there are various ways to virtualize IT systems and to access the needed applications on the Internet, through web-based applications. Users can now access their data any time and at any place with the service provided by the cloud storage. With all these benefits, security is always a concern. Even though the cloud provides access to the data stored in cloud storage in a flexible and scalable manner, the main challenge it faces is with the security issues. Thus the user may think it's not secure since the encryption keys are managed by the software, therefore there is no attestation on the client software integrity. The cloud user who has to deploy in the reliable and secure environment should be confirmed from the Infrastructure as a Service (IaaS) that it has not been corrupted by the mischievous acts. Thus, the user identification which consists of user ID and password can also be easily compromised. Apart from the traditional network security solutions, trusted computing technology is combined into more and more aspects of cloud computing environment to guarantee the integrity of platform and provide attestation mechanism for trustworthy services. Thus, enhancing the confidence of the IaaS provider. A cryptographic protocol adopted by the Trusted Computing Group enables the remote authentication which preserves the privacy of the user based on the trusted platform. Thus we propose a framework which defines Trusted Platform Module (TPM), a trusted computing group which proves the secure data access control in the cloud storage by providing additional security. In this paper, we define the TPM-based key management, remote client attestation and a secure key share protocol across multiple users. 
Then we consider some of the challenges with the current TPM based att

    Strong Monitor Of Admission Manager With Multi-Level Ability For Open Cloud

    Controlling data access is a difficult issue in public cloud storage systems. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) has been adopted as a promising technology to provide flexible, accurate and secure control of data access for cloud storage with honest but weird cloud servers. However, in current CP-ABE schemes, the single attribute authority must implement a validation of the legality of time-consuming users and the distribution of the secret key, resulting in a one-point performance block when a CP-ABE scheme is adopted in a large-scale cloud storage system. Users could be stuck in the queue for a long time to get their secret keys, which could degrade the efficiency of the system. Although multi-agency access control schemes have been proposed, these schemes still cannot overcome the disadvantages of one-point blocking and low efficiency, due to the fact that each authority still independently manages a separate set of attributes. In this paper, we propose a new, heterogeneous framework to eliminate the problem of blocking in single-point performance and to provide a more efficient access control system with an audit mechanism. Our framework uses several proprietary powers to share the burden of validating user legitimacy. Meanwhile, in our scheme, a CA (central authority) is introduced to generate secret keys for users whose legitimacy has been verified. Unlike other multi-body access control systems, each authority in our scheme manages the entire feature set individually. To increase security, we also suggest an audit mechanism to detect AA (Awarding Authority) that has incorrectly or maliciously performed the legitimacy validation procedure. The analysis shows that our system not only ensures the safety requirements, but also improves the outstanding performance of the switches.

    Towards Practical Access Control and Usage Control on the Cloud using Trusted Hardware

    Cloud-based platforms have become the principal way to store, share, and synchronize files online. For individuals and organizations alike, cloud storage not only provides resource scalability and on-demand access at a low cost, but also eliminates the necessity of provisioning and maintaining complex hardware installations. Unfortunately, because cloud-based platforms are frequent victims of data breaches and unauthorized disclosures, data protection obliges both access control and usage control to manage user authorization and regulate future data use. Encryption can ensure data security against unauthorized parties, but complicates file sharing which now requires distributing keys to authorized users, and a mechanism that prevents revoked users from accessing or modifying sensitive content. Further, as user data is stored and processed on remote machines, usage control in a distributed setting requires incorporating the local environmental context at policy evaluation, as well as tamper-proof and non-bypassable enforcement. Existing cryptographic solutions either require server-side coordination, offer limited flexibility in data sharing, or incur significant re-encryption overheads on user revocation. This combination of issues is ill-suited within large-scale distributed environments where there are a large number of users, dynamic changes in user membership and access privileges, and resources are shared across organizational domains. Thus, developing a robust security and privacy solution for the cloud requires: fine-grained access control to associate the largest set of users and resources with variable granularity, scalable administration costs when managing policies and access rights, and cross-domain policy enforcement. To address the above challenges, this dissertation proposes a practical security solution that relies solely on commodity trusted hardware to ensure confidentiality and integrity throughout the data lifecycle. 
The aim is to maintain complete user ownership against external hackers and malicious service providers, without losing the scalability or availability benefits of cloud storage. Furthermore, we develop a principled approach that is: (i) portable across storage platforms without requiring any server-side support or modifications, (ii) flexible in allowing users to selectively share their data using fine-grained access control, and (iii) performant by imposing modest overheads on standard user workloads. Essentially, our system must be client-side, provide end-to-end data protection and secure sharing, without significant degradation in performance or user experience. We introduce NeXUS, a privacy-preserving filesystem that enables cryptographic protection and secure file sharing on existing network-based storage services. NeXUS protects the confidentiality and integrity of file content, as well as file and directory names, while mitigating against rollback attacks of the filesystem hierarchy. We also introduce Joplin, a secure access control and usage control system that provides practical attribute-based sharing with decentralized policy administration, including efficient revocation, multi-domain policies, secure user delegation, and mandatory audit logging. Both systems leverage trusted hardware to prevent the leakage of sensitive material such as encryption keys and access control policies; they are completely client-side, easy to install and use, and can be readily deployed across remote storage platforms without requiring any server-side changes or trusted intermediary. We developed prototypes for NeXUS and Joplin, and evaluated their respective overheads in isolation and within a real-world environment. Results show that both prototypes introduce modest overheads on interactive workloads, and achieve portability across storage platforms, including Dropbox and AFS. 
Together, NeXUS and Joplin demonstrate that a client-side solution employing trusted hardware such as Intel SGX can effectively protect remotely stored data on existing file sharing services.