187 research outputs found

    ACAFD: Secure and Scalable Access Control with Assured File Deletion for Outsourced Data in Cloud

    Cloud storage has emerged as a popular paradigm to outsource data to a third party and share it with collaborators. While this new paradigm enables users to outsource their sensitive data and reduces data management costs, it brings forth new challenges for users to keep their data secure. Data storage security and access control in the cloud is one of the challenging ongoing research works to alleviate the data leakage problem from unauthorized users. Existing solutions that use pure cryptographic techniques suffer from heavy computation work with respect to key management and key distribution. Attribute based encryption is an alternative solution that maps the user access structure with the data file attributes to control the data access. However, none of the existing schemes addresses access control with assured deletion of the files upon revocation of user access. This article addresses this open issue using a trusted authority that manages the access control list and takes care of key management and key distribution and file deletion upon user revocation. The prototype of model has been presented and analyzed the security features over existing scheme

    Assured deletion in the cloud: requirements, challenges and future directions

    Inadvertent exposure of sensitive data is a major concern for potential cloud customers. Much focus has been on other data leakage vectors, such as side channel attacks, while issues of data disposal and assured deletion have not received enough attention to date. However, data that is not properly destroyed may lead to unintended disclosures, in turn, resulting in heavy financial penalties and reputational damage. In non-cloud contexts, issues of incomplete deletion are well understood. To the best of our knowledge, to date, there has been no systematic analysis of assured deletion challenges in public clouds. In this paper, we aim to address this gap by analysing assured deletion requirements for the cloud, identifying cloud features that pose a threat to assured deletion, and describing various assured deletion challenges. Based on this discussion, we identify future challenges for research in this area and propose an initial assured deletion architecture for cloud settings. Altogether, our work offers a systematization of requirements and challenges of assured deletion in the cloud, and a well-founded reference point for future research in developing new solutions to assured deletion

    A Practical Framework for Storing and Searching Encrypted Data on Cloud Storage

    Security has become a significant concern with the increased popularity of cloud storage services. It comes with the vulnerability of being accessed by third parties. Security is one of the major hurdles in the cloud server for the user when the user data that reside in local storage is outsourced to the cloud. It has given rise to security concerns involved in data confidentiality even after the deletion of data from cloud storage. Though, it raises a serious problem when the encrypted data needs to be shared with more people than the data owner initially designated. However, searching on encrypted data is a fundamental issue in cloud storage. The method of searching over encrypted data represents a significant challenge in the cloud. Searchable encryption allows a cloud server to conduct a search over encrypted data on behalf of the data users without learning the underlying plaintexts. While many academic SE schemes show provable security, they usually expose some query information, making them less practical, weak in usability, and challenging to deploy. Also, sharing encrypted data with other authorized users must provide each document's secret key. However, this way has many limitations due to the difficulty of key management and distribution. We have designed the system using the existing cryptographic approaches, ensuring the search on encrypted data over the cloud. The primary focus of our proposed model is to ensure user privacy and security through a less computationally intensive, user-friendly system with a trusted third party entity. To demonstrate our proposed model, we have implemented a web application called CryptoSearch as an overlay system on top of a well-known cloud storage domain. It exhibits secure search on encrypted data with no compromise to the user-friendliness and the scheme's functional performance in real-world applications. Comment: 146 Pages, Master's Thesis, 6 Chapters, 96 Figures, 11 Table

    Secure overlay cloud storage with access control and file assured deletion

    Tang, Yang. Thesis (M.Phil.)--Chinese University of Hong Kong, 2011. Includes bibliographical references (p. 60-65). Abstracts in English and Chinese.
    Contents: Abstract; Acknowledgement; Chapter 1: Introduction; Chapter 2: Policy-based File Assured Deletion (2.1 Background; 2.2 Policy-based Deletion); Chapter 3: Basic Design of FADE (3.1 Entities; 3.2 Deployment; 3.3 Security Goals, Threat Models, and Assumptions; 3.4 The Basics - File Upload/Download; 3.5 Policy Revocation for File Assured Deletion; 3.6 Multiple Policies; 3.7 Policy Renewal); Chapter 4: Extensions of FADE (4.1 Access Control with ABE; 4.2 Multiple Key Managers); Chapter 5: Implementation (5.1 Representation of Metadata; 5.2 Client; 5.3 Key Managers); Chapter 6: Evaluation (6.1 Experimental Results on Time Performance of FADE; 6.1.1 Evaluation of Basic Design; 6.1.2 Evaluation of Extensions; 6.2 Space Utilization of FADE; 6.3 Cost Model; 6.4 Lessons Learned); Chapter 7: Related Work; Chapter 8: Conclusions; Bibliography

    Data security in cloud storage services

    Cloud Computing is considered to be the next-generation architecture for ICT where it moves the application software and databases to the centralized large data centers. It aims to offer elastic IT services where clients can benefit from significant cost savings of the pay-per-use model and can easily scale up or down, and do not have to make large investments in new hardware. However, the management of the data and services in this cloud model is under the control of the provider. Consequently, the cloud clients have less control over their outsourced data and they have to trust cloud service provider to protect their data and infrastructure from both external and internal attacks. This is especially true with cloud storage services. Nowadays, users rely on cloud storage as it offers cheap and unlimited data storage that is available for use by multiple devices (e.g. smart phones, tablets, notebooks, etc.). Besides famous cloud storage providers, such as Amazon, Google, and Microsoft, more and more third-party cloud storage service providers are emerging. These services are dedicated to offering more accessible and user friendly storage services to cloud customers. Examples of these services include Dropbox, Box.net, Sparkleshare, UbuntuOne or JungleDisk. These cloud storage services deliver a very simple interface on top of the cloud storage provided by storage service providers. File and folder synchronization between different machines, sharing files and folders with other users, file versioning as well as automated backups are the key functionalities of these emerging cloud storage services. Cloud storage services have changed the way users manage and interact with data outsourced to public providers. With these services, multiple subscribers can collaboratively work and share data without concerns about their data consistency, availability and reliability. 
Although these cloud storage services offer attractive features, many customers have not adopted these services. Since data stored in these services is under the control of service providers resulting in confidentiality and security concerns and risks. Therefore, using cloud storage services for storing valuable data depends mainly on whether the service provider can offer sufficient security and assurance to meet client requirements. From the way most cloud storage services are constructed, we can notice that these storage services do not provide users with sufficient levels of security leading to an inherent risk on users' data from external and internal attacks. These attacks take the form of: data exposure (lack of data confidentiality); data tampering (lack of data integrity); and denial of data (lack of data availability) by third parties on the cloud or by the cloud provider himself. Therefore, the cloud storage services should ensure the data confidentiality in the following state: data in motion (while transmitting over networks), data at rest (when stored at provider's disks). To address the above concerns, confidentiality and access controllability of outsourced data with strong cryptographic guarantee should be maintained. To ensure data confidentiality in public cloud storage services, data should be encrypted before it is outsourced to these services. Although, users can rely on client side cloud storage services or software encryption tools for encrypting user's data; however, many of these services fail to achieve data confidentiality. Box, for example, does not encrypt user files via SSL and within Box servers. Client side cloud storage services can intentionally/unintentionally disclose user decryption keys to its provider. In addition, some cloud storage services support convergent encryption for encrypting users' data exposing it to “confirmation of a file attack”.
On the other hand, software encryption tools use full-disk encryption (FDE) which is not feasible for cloud-based file sharing services, because it encrypts the data as virtual hard disks. Although encryption can ensure data confidentiality; however, it fails to achieve fine-grained access control over outsourced data. Since, public cloud storage services are managed by un-trusted cloud service provider, secure and efficient fine-grained access control cannot be realized through these services as these policies are managed by storage services that have full control over the sharing process. Therefore, there is not any guarantee that they will provide good means for efficient and secure sharing and they can also deduce confidential information about the outsourced data and users' personal information. In this work, we would like to improve the currently employed security measures for securing data in cloud store services. To achieve better data confidentiality for data stored in the cloud without relying on cloud service providers (CSPs) or putting any burden on users, in this thesis, we designed a secure cloud storage system framework that simultaneously achieves data confidentiality, fine-grained access control on encrypted data and scalable user revocation. This framework is built on a trusted third party (TTP) service that can be employed either locally on users' machine or premises, or remotely on top of cloud storage services. This service shall encrypt users' data before uploading it to the cloud and decrypt it after downloading from the cloud; therefore, it removes the burden of storing, managing and maintaining encryption/decryption keys from data owners. In addition, this service only retains user's secret key(s) not data. Moreover, to ensure high security for these keys, it stores them on a hardware device.
Furthermore, this service combines multi-authority ciphertext policy attribute-based encryption (CP-ABE) and attribute-based Signature (ABS) for achieving many-read-many-write fine-grained data access control on storage services. Moreover, it efficiently revokes users' privileges without relying on the data owner for re-encrypting massive amounts of data and re-distributing the new keys to the authorized users. It removes the heavy computation of re-encryption from users and delegates this task to the cloud service provider (CSP) proxy servers. These proxy servers achieve flexible and efficient re-encryption without revealing underlying data to the cloud. In our designed architecture, we addressed the problem of ensuring data confidentiality against cloud and against accesses beyond authorized rights. To resolve these issues, we designed a trusted third party (TTP) service that is in charge of storing data in an encrypted format in the cloud. To improve the efficiency of the designed architecture, the service allows the users to choose the level of severity of the data and according to this level different encryption algorithms are employed. To achieve many-read-many-write fine grained access control, we merge two algorithms (multi-authority ciphertext policy attribute-based encryption (MA-CP-ABE) and attribute-based Signature (ABS)). Moreover, we support two levels of revocation: user and attribute revocation so that we can comply with the collaborative environment. Last but not least, we validate the effectiveness of our design by carrying out a detailed security analysis. This analysis shall prove the correctness of our design in terms of data confidentiality at each stage of user interaction with the cloud

    A Survey: Attribute Based Encryption for Secure Cloud

    Cloud computing is an enormous area which shares huge amount of data over cloud services and it has been increasing with its on-demand technology. Since, with these versatile cloud services, when the delicate data stored within the cloud storage servers, there are some difficulties which has to be managed like its Security Issues, Data Privacy, Data Confidentiality, Data Sharing and its integrity over the cloud servers dynamically. Also, the authenticity and data access control should be maintained in this wide environment. Thus, Attribute based Encryption (ABE) is a significant version of cryptographic technique in the cloud computing environment. Public Key Encryption acts as the basic technique for ABE where it provides one to many encryptions, here, the private key of users & the cipher-text both rely on attributes such that, when the set of the attributes of users key matches set of attributes of cipher-text with its corresponding access policy, only then decryption is possible. Thus, an opponent could grant access to the sensitive information that holds multiple keys, if it has at least one individual key for accession. The techniques based on ABE consist of two types: KP-ABE (Key-Policy ABE) where the user’s private key is linked to an access structure (or access policy) over attributes and cipher-text is connected to the set of attributes, and CP-ABE (cipher-text policy ABE) is vice versa. Hence, in this, Review we discuss about the various security techniques and relations based on Attributes Based Encryption, especially, the type KP-ABE over data attributes which explains secured methods & its schemes related to time specifications.

    Data storage security and privacy in cloud computing: A comprehensive survey

    Cloud Computing is a form of distributed computing wherein resources and application platforms are distributed over the Internet through on demand and pay on utilization basis. Data Storage is main feature that cloud data centres are provided to the companies/organizations to preserve huge data. But still few organizations are not ready to use cloud technology due to lack of security. This paper describes the different techniques along with few security challenges, advantages and also disadvantages. It also provides the analysis of data security issues and privacy protection affairs related to cloud computing by preventing data access from unauthorized users, managing sensitive data, providing accuracy and consistency of data store

    Data security and reliability in cloud backup systems with deduplication.

    Cloud storage is an emerging service model that enables individuals and enterprises to outsource the storage of data backups to remote cloud providers at a low cost. This thesis presents methods to ensure the data security and reliability of cloud backup systems. In the first part of this thesis, we present FadeVersion, a secure cloud backup system that serves as a security layer on top of today's cloud storage services. FadeVersion follows the standard version-controlled backup design, which eliminates the storage of redundant data across different versions of backups. On top of this, FadeVersion applies cryptographic protection to data backups. Specifically, it enables fine-grained assured deletion, that is, cloud clients can assuredly delete particular backup versions or files on the cloud and make them permanently inaccessible to anyone, while other versions that share the common data of the deleted versions or files will remain unaffected. We implement a proof-of-concept prototype of FadeVersion and conduct empirical evaluation atop Amazon S3.
We show that FadeVersion only adds minimal performance overhead over a traditional cloud backup service that does not support assured deletion. In the second part of this thesis, we present CFTDedup, a distributed proxy system designed for providing storage efficiency via deduplication in cloud storage, while ensuring crash fault tolerance among proxies. It synchronizes deduplication metadata among proxies to provide strong consistency. It also batches metadata updates to mitigate synchronization overhead. We implement a preliminary prototype of CFTDedup and evaluate via test bed experiments its runtime performance in deduplication storage for virtual machine images. We also discuss several open issues on how to provide reliable, high-performance deduplication storage. Our CFTDedup prototype provides a platform to explore such issues. Detailed summary in vernacular field only.
Rahumed, Arthur. Thesis (M.Phil.)--Chinese University of Hong Kong, 2012. Includes bibliographical references (leaves 47-51). Abstracts also in Chinese.
Contents: Chapter 1: Introduction (1.1 Cloud Based Backup and Assured Deletion; 1.2 Crash Fault Tolerance for Backup Systems with Deduplication; 1.3 Outline of Thesis); Chapter 2: Background and Related Work (2.1 Deduplication; 2.2 Assured Deletion; 2.3 Policy Based Assured Deletion; 2.4 Convergent Encryption; 2.5 Cloud Based Backup Systems; 2.6 Fault Tolerant Deduplication Systems); Chapter 3: Design of FadeVersion (3.1 Threat Model and Assumptions for FadeVersion; 3.2 Motivation; 3.3 Main Idea; 3.4 Version Control; 3.5 Assured Deletion; 3.6 Assured Deletion for Multiple Policies; 3.7 Key Management); Chapter 4: Implementation of FadeVersion (4.1 System Entities; 4.2 Metadata Format in FadeVersion); Chapter 5: Evaluation of FadeVersion (5.1 Setup; 5.2 Backup/Restore Time; 5.3 Storage Space; 5.4 Monetary Cost; 5.5 Conclusions); Chapter 6: CFTDedup Design (6.1 Failure Model; 6.2 System Overview; 6.3 Distributed Deduplication; 6.4 Crash Fault Tolerance; 6.5 Implementation); Chapter 7: Evaluation of CFTDedup (7.1 Setup; 7.2 Experiment 1 (Archival); 7.3 Experiment 2 (Restore); 7.4 Experiment 3 (Recovery); 7.5 Summary); Chapter 8: Future work and Conclusions of CFTDedup (8.1 Future Work; 8.2 Conclusions); Chapter 9: Conclusion; Bibliography