737 research outputs found
Secure, Reliable and Efficient Data Integrity Auditing (DIA) Solution for Public Cloud Storage (PCS)
Trusted Computing and Secure Virtualization in Cloud Computing
Large-scale deployment and use of cloud computing in industry
is accompanied and in the same time hampered by concerns regarding protection of
data handled by cloud computing providers. One of the consequences of moving
data processing and storage off company premises is that organizations have
less control over their infrastructure. As a result, cloud service (CS) clients
must trust that the CS provider is able to protect their data and
infrastructure from both external and internal attacks. Currently however, such
trust can only rely on organizational processes declared by the CS
provider and can not be remotely verified and validated by an external party.
Enabling the CS client to verify the integrity of the host where the
virtual machine instance will run, as well as to ensure that the virtual
machine image has not been tampered with, are some steps towards building
trust in the CS provider. Having the tools to perform such
verifications prior to the launch of the VM instance allows the CS
clients to decide in runtime whether certain data should be stored- or calculations
should be made on the VM instance offered by the CS provider.
This thesis combines three components -- trusted computing, virtualization technology
and cloud computing platforms -- to address issues of trust and
security in public cloud computing environments. Of the three components,
virtualization technology has had the longest evolution and is a cornerstone
for the realization of cloud computing. Trusted computing is a recent
industry initiative that aims to implement the root of trust in a hardware
component, the trusted platform module. The initiative has been formalized
in a set of specifications and is currently at version 1.2. Cloud computing
platforms pool virtualized computing, storage and network resources in
order to serve a large number of customers customers that use a multi-tenant
multiplexing model to offer on-demand self-service over broad network.
Open source cloud computing platforms are, similar to trusted computing, a
fairly recent technology in active development.
The issue of trust in public cloud environments is addressed
by examining the state of the art within cloud computing security and
subsequently addressing the issues of establishing trust in the launch of a
generic virtual machine in a public cloud environment. As a result, the thesis
proposes a trusted launch protocol that allows CS clients
to verify and ensure the integrity of the VM instance at launch time, as
well as the integrity of the host where the VM instance is launched. The protocol
relies on the use of Trusted Platform Module (TPM) for key generation and data protection.
The TPM also plays an essential part in the integrity attestation of the
VM instance host. Along with a theoretical, platform-agnostic protocol,
the thesis also describes a detailed implementation design of the protocol
using the OpenStack cloud computing platform.
In order the verify the implementability of the proposed protocol, a prototype
implementation has built using a distributed deployment of OpenStack.
While the protocol covers only the trusted launch procedure using generic
virtual machine images, it presents a step aimed to contribute towards
the creation of a secure and trusted public cloud computing environment
Levels of Privacy for eHealth Systems in the Cloud Era
Enforcing in code privacy laws, internal company rules and principles like Privacy by Design is recognized as a challenge for the IT industry. In this paper we analyze the steps required and propose a guide towards this major goal. Our proposal is to emphasize the need to overcome the limits of service orchestration and create strong privacy and security enabling architectures based on two main ideas. The first idea is to use a semantic firewall that is capable to check privacy properties for the communication between applications and cloud and between cloud\u27s sub-systems. The second idea is to improve current SOA architectures with architectures based on executable choreographies that can be formally verified. In this paper we identify three types of executable choreographies. New types of abstraction which machines can verify and humans can trust are enabled by executable choreographies that act like truly verifiable environments for cloud applications
Blockchain-Enabled DPKI Framework
Public Key Infrastructures (PKIs), which rely on digital signature technology and establishment
of trust and security association parameters between entities, allow entities
to interoperate with authentication proofs, using standardized digital certificates (with
X.509v3 as the current reference). Despite PKI technology being used by many applications
for their security foundations (e.g. WEB/HTTPS/TLS, Cloud-Enabled Services,
LANs/WLANs Security, VPNs, IP-Security), there are several concerns regarding their
inherent design assumptions based on a centralized trust model.
To avoid some problems and drawbacks that emerged from the centralization assumptions,
a Decentralized Public Key Infrastructure (DPKI), is an alternative approach. The
main idea for DPKIs is the ability to establish trust relations between all parties, in a
web-of-trust model, avoiding centralized authorities and related root-of-trust certificates.
As a possible solution for DPKI frameworks, the Blockchain technology, as an enabler
solution, can help overcome some of the identified PKI problems and security drawbacks.
Blockchain-enabled DPKIs can be designed to address a fully decentralized ledger for
managed certificates, providing data-replication with strong consistency guarantees, and
fairly distributed trust management properties founded on a P2P trust model. In this
approach, typical PKI functions are supported cooperatively, with validity agreement
based on consistency criteria, for issuing, verification and revocation of X509v3 certificates.
It is also possible to address mechanisms to provide rapid reaction of principals in
the verification of traceable, shared and immutable history logs of state-changes related
to the life-cycle of certificates, with certificate validation rules established consistently by
programmable Smart Contracts executed by peers.
In this dissertation we designed, implemented and evaluated a Blockchain-Enabled
Decentralized Public Key Infrastructure (DPKI) framework, providing an implementation
prototype solution that can be used and to support experimental research. The
proposal is based on a framework instantiating a permissioned collaborative consortium
model, using the service planes supported in an extended Blockchain platform leveraged
by the Hyperledger Fabric (HLF) solution. In our proposed DPKI framework model,
X509v3 certificates are issued and managed following security invariants, processing
rules, managing trust assumptions and establishing consistency metrics, defined and executed in a decentralized way by the Blockchain nodes, using Smart Contracts. Certificates
are issued cooperatively and can be issued with group-oriented threshold-based
Byzantine fault-tolerant (BFT) signatures, as group-oriented authentication proofs. The
Smart Contracts dictate how Blockchain peers participate consistently in issuing, signing,
attestation, validation and revocation processes. Any peer can validate certificates
obtaining their consistent states consolidated in closed blocks in a Meckle tree structure
maintained in the Blockchain. State-transition operations are managed with serializability
guarantees, provided by Byzantine Fault Tolerant (BFT) consensus primitives
Virtual HSM: Building a Hardware-backed Dependable Cryptographic Store
Cloud computing is being used by almost everyone, from regular consumer to IT
specialists, as it is a way to have high availability, geo-replication, and resource elasticity
with pay-as-you-go charging models. Another benefit is the minimal management effort
and maintenance expenses for its users.
However, security is still pointed out as the main reason hindering the full adoption
of cloud services. Consumers lose ownership of their data as soon as it goes to the cloud;
therefore, they have to rely on cloud provider’s security assumptions and Service Level
Agreements regarding privacy and integrity guarantees for their data.
Hardware Security Modules (HSMs) are dedicated cryptographic processors, typically
used in secure cloud applications, that are designed specifically for the protection of
cryptographic keys in all steps of their life cycles. They are physical devices with tamperproof
resistance, but rather expensive. There have been some attempts to virtualize
HSMs. Virtual solutions can reduce its costs but without much success as performance is
incomparable and security guarantees are hard to achieve in software implementations.
In this dissertation, we aim at developing a virtualized HSM supported by modern
attestation-based trusted hardware in commodity CPUs to ensure privacy and reliability,
which are the main requirements of an HSM. High availability will also be achieved
through techniques such as cloud-of-clouds replication on top of those nodes. Therefore
virtual HSMs, on the cloud, backed with trusted hardware, seem increasingly promising
as security, attestation, and high availability will be guaranteed by our solution, and it
would be much cheaper and as reliable as having physical HSMs
Data security in cloud storage services
Cloud Computing is considered to be the next-generation architecture for ICT where it moves the application software and databases to the centralized large data centers. It aims to offer elastic IT services where clients can benefit from significant cost savings of the pay-per-use model and can easily scale up or down, and do not have to make large investments in new hardware. However, the management of the data and services in this cloud model is under the control of the provider. Consequently, the cloud clients have less control over their outsourced data and they have to trust cloud service provider to protect their data and infrastructure from both external and internal attacks. This is especially true with cloud storage services. Nowadays, users rely on cloud storage as it offers cheap and unlimited data storage that is available for use by multiple devices (e.g. smart phones, tablets, notebooks, etc.). Besides famous cloud storage providers, such as Amazon, Google, and Microsoft, more and more third-party cloud storage service providers are emerging. These services are dedicated to offering more accessible and user friendly storage services to cloud customers. Examples of these services include Dropbox, Box.net, Sparkleshare, UbuntuOne or JungleDisk. These cloud storage services deliver a very simple interface on top of the cloud storage provided by storage service providers. File and folder synchronization between different machines, sharing files and folders with other users, file versioning as well as automated backups are the key functionalities of these emerging cloud storage services. Cloud storage services have changed the way users manage and interact with data outsourced to public providers. With these services, multiple subscribers can collaboratively work and share data without concerns about their data consistency, availability and reliability. Although these cloud storage services offer attractive features, many customers have not adopted these services. Since data stored in these services is under the control of service providers resulting in confidentiality and security concerns and risks. Therefore, using cloud storage services for storing valuable data depends mainly on whether the service provider can offer sufficient security and assurance to meet client requirements. From the way most cloud storage services are constructed, we can notice that these storage services do not provide users with sufficient levels of security leading to an inherent risk on users\u27 data from external and internal attacks. These attacks take the form of: data exposure (lack of data confidentiality); data tampering (lack of data integrity); and denial of data (lack of data availability) by third parties on the cloud or by the cloud provider himself. Therefore, the cloud storage services should ensure the data confidentiality in the following state: data in motion (while transmitting over networks), data at rest (when stored at provider\u27s disks). To address the above concerns, confidentiality and access controllability of outsourced data with strong cryptographic guarantee should be maintained. To ensure data confidentiality in public cloud storage services, data should be encrypted data before it is outsourced to these services. Although, users can rely on client side cloud storage services or software encryption tools for encrypting user\u27s data; however, many of these services fail to achieve data confidentiality. Box, for example, does not encrypt user files via SSL and within Box servers. Client side cloud storage services can intentionally/unintentionally disclose user decryption keys to its provider. In addition, some cloud storage services support convergent encryption for encrypting users\u27 data exposing it to “confirmation of a file attack. On the other hand, software encryption tools use full-disk encryption (FDE) which is not feasible for cloud-based file sharing services, because it encrypts the data as virtual hard disks. Although encryption can ensure data confidentiality; however, it fails to achieve fine-grained access control over outsourced data. Since, public cloud storage services are managed by un-trusted cloud service provider, secure and efficient fine-grained access control cannot be realized through these services as these policies are managed by storage services that have full control over the sharing process. Therefore, there is not any guarantee that they will provide good means for efficient and secure sharing and they can also deduce confidential information about the outsourced data and users\u27 personal information. In this work, we would like to improve the currently employed security measures for securing data in cloud store services. To achieve better data confidentiality for data stored in the cloud without relying on cloud service providers (CSPs) or putting any burden on users, in this thesis, we designed a secure cloud storage system framework that simultaneously achieves data confidentiality, fine-grained access control on encrypted data and scalable user revocation. This framework is built on a third part trusted (TTP) service that can be employed either locally on users\u27 machine or premises, or remotely on top of cloud storage services. This service shall encrypts users data before uploading it to the cloud and decrypts it after downloading from the cloud; therefore, it remove the burden of storing, managing and maintaining encryption/decryption keys from data owner\u27s. In addition, this service only retains user\u27s secret key(s) not data. Moreover, to ensure high security for these keys, it stores them on hardware device. Furthermore, this service combines multi-authority ciphertext policy attribute-based encryption (CP-ABE) and attribute-based Signature (ABS) for achieving many-read-many-write fine-grained data access control on storage services. Moreover, it efficiently revokes users\u27 privileges without relying on the data owner for re-encrypting massive amounts of data and re-distributing the new keys to the authorized users. It removes the heavy computation of re-encryption from users and delegates this task to the cloud service provider (CSP) proxy servers. These proxy servers achieve flexible and efficient re-encryption without revealing underlying data to the cloud. In our designed architecture, we addressed the problem of ensuring data confidentiality against cloud and against accesses beyond authorized rights. To resolve these issues, we designed a trusted third party (TTP) service that is in charge of storing data in an encrypted format in the cloud. To improve the efficiency of the designed architecture, the service allows the users to choose the level of severity of the data and according to this level different encryption algorithms are employed. To achieve many-read-many-write fine grained access control, we merge two algorithms (multi-authority ciphertext policy attribute-based encryption (MA- CP-ABE) and attribute-based Signature (ABS)). Moreover, we support two levels of revocation: user and attribute revocation so that we can comply with the collaborative environment. Last but not least, we validate the effectiveness of our design by carrying out a detailed security analysis. This analysis shall prove the correctness of our design in terms of data confidentiality each stage of user interaction with the cloud
Enhanced Cauchy Matrix Reed-Solomon Codes and Role-Based Cryptographic Data Access for Data Recovery and Security in Cloud Environment
In computer systems ensuring proper authorization is a significant challenge, particularly with the rise of open systems and dispersed platforms like the cloud. Role-Based Access Control (RBAC) has been widely adopted in cloud server applications due to its popularity and versatility. When granting authorization access to data stored in the cloud for collecting evidence against offenders, computer forensic investigations play a crucial role. As cloud service providers may not always be reliable, data confidentiality should be ensured within the system. Additionally, a proper revocation procedure is essential for managing users whose credentials have expired. With the increasing scale and distribution of storage systems, component failures have become more common, making fault tolerance a critical concern. In response to this, a secure data-sharing system has been developed, enabling secure key distribution and data sharing for dynamic groups using role-based access control and AES encryption technology. Data recovery involves storing duplicate data to withstand a certain level of data loss. To secure data across distributed systems, the erasure code method is employed. Erasure coding techniques, such as Reed-Solomon codes, have the potential to significantly reduce data storage costs while maintaining resilience against disk failures. In light of this, there is a growing interest from academia and the corporate world in developing innovative coding techniques for cloud storage systems. The research goal is to create a new coding scheme that enhances the efficiency of Reed-Solomon coding using the sophisticated Cauchy matrix to achieve fault toleranc
- …