Storage security in cloud computing pdf

There may additionally be some parties that interact with the clients and servers to provide extra functionality, such as a key- server [KBR13] or an auditing mechanism [YJ13, LLXC16]. We regard users as the entities with distinct logins to a system, and clients as the devices that interact with the server on behalf of their owner, the user.

This allows us to consider two clients that have the same key material, e. In traditional SKE, two parties agree some key in advance and then communicate over some presumed insecure channel.

In the context of outsourced storage the two parties are often the same user at different points in time. We fix the syntax of a symmetric encryption scheme.

Our results in Sections 4 and 5 consider au- thenticated encryption with the ability to handle some associated data AEAD , but for now we consider SKE without associated data as a distinct primitive. Key generation is a randomized algorithm, the encryption algorithm may be randomized or stateful, and decryption is deterministic.

Note that many authors use the notation E k, m to denote that message m is encrypted under key k; we will use the subscript notation throughout. In this game, an adversary selects a sequence of pairs of equal-length messages1. A left-or-right en- cryption oracle O. We also include non-triviality conditions on messages that the adversary provides to O. LR: we will often omit these conditions in the rest of the paper for clarity. LR oracle to simulate an encryption oracle E: many authors make such an oracle explicit because in many scenarios a tight reduction is desired in terms of the number of O.

LR queries the adversary makes. We do not require this distinction and so we only consider a single O. LR oracle. We define two variants of left-or-right indistinguishability: one for a chosen plaintext attack IND-CPA , and one for a chosen ciphertext attack IND-CCA2 where the adversary is allowed to decrypt any chosen ciphertexts with the obvious exception of decrypting the challenge ciphertexts that have been output by O.

ExpIND -atk O. LRb , O. This was the idea behind the convergent encryption CE protocol of Douceur et al. This inherently enables perfect data deduplication, since there is only one possible ciphertext for each plaintext file. Many authors simply assume that files are bitstrings of finite length and thus security experiments and results are straightforward. To see this for CE: adversary chooses distinct m0 , m1 , computes the key and thus the ciphertext for each value, sends just a single query to O.

LR and compares. In Fig. In the challenge phase the challenger runs MS, then encrypts the output plaintext messages and returns the resulting ciphertexts and Z to the adversary. Bellare et al. Note that unlike the other definitions in this section, we do not include associated data. For ordinary encryption schemes we would use associated data to achieve integrity, but for MLE-like schemes a specific integrity mechanism is often provided by means of a tag, which for example could be the hash of the ciphertext.

A secure AE scheme will simultaneously provide confidentiality and integrity. We attempt to avoid ambiguity by referring to files where possible in this paper.

In many definitions of AEAD security, including the original formulation by Rogaway [Rog02], the encryption oracle either works correctly in the real game or returns a random string. We consider generic ciphertext spaces in the following definition, and follow e. Paterson et al. Definition 3. To this end we will define integrity in terms schemes that can handle associated data, but of course this input can be ignored to get notions for the setting in which AD is not used.

There are three main notions of integrity for symmetric encryption: non-malleability, plaintext integrity and ciphertext integrity [BN00]. Ciphertext integrity implies plaintext integrity, but the two notions are not equivalent. The two in- tegrity notions are usually independent of non-malleability: non-malleability usually implies confiden- tiality, while the two integrity notions do not.

Plaintext integrity is often the intuitively correct notion for an application, but usually ciphertext integrity is needed for proofs. This is why we only consider ciphertext integrity in this paper. Formally, this simply means that AD is an input to both Ek and Dk.

Such anal- ysis is only possible if the model provides sufficient detail about adversarial capabilities. The challenge is to provide a sufficiently detailed model that allows analysis, yet is generic enough to facilitate study of natural schemes. It is desirable that the model can easily be extended to incorporate particular exotic design choices. We present here what is to our knowledge the first such model for secure outsourced storage that accommodates both widely-deployed and conceptually straightforward solutions as well as much of the literature in particular schemes facilitating encrypted data deduplication.

As for any storage scheme, a user of a cloud storage scheme should be able to store, retrieve and delete files. A user must be able to specify which previously stored files to retrieve or delete, and we shall achieve that by having the user choose a unique file handle identifier for each file when storing.

Correctness can then be defined in the expected way, stated here for a notational introduction: Definition 5 Correctness.

If user uid previously stored F under handle id then when it later retrieves id the result will be F, unless client has sent del id. We use storage handles, denoted by id, to indicate the value that the user wishes to use in the future to retrieve that file. We regard the generation of id as outside the scope of the model.

In practice all a user sees is a list of filenames which are certainly not suitable for our purposes due to non- uniqueness : this approach allows us to focus on issues directly related to confidentiality and integrity.

Note that this process also occurs in deduplicating schemes that do not use any encryption. In this context, this tag is all that is required to claim ownership of a file. In Section 5 we will discuss integrity in the context of deduplicating and non-deduplicating cloud storage, and differences between our handles and these tags in more detail.

Each user is associated with a user identification uid, and each file is identified by a storage handle id. We define per-user keys uk and per-file keys fk. Each user has some preferably small local storage and the server maintains what is from an abstract perspective at least a vast data structure.

Generation of per-user key material uk line 02 may include keys for a number of different purposes. This means that there is only one ST but there could be many KTs. Our model retains generality: to our knowledge it incorporates almost all intuitive schemes and all protocols from the literature more details in next subsection.

The model that follows is, by design, modular and generic enough to cope with straightforward modifications to incorporate such processes. We now discuss the design choices that require further attention. In line 02 we explicitly regard the per-user key generation procedure as occurring separately from the other procedures, this is to retain generality and to allow us to focus on file-key generation.

ST tracks deletion status of each file for each user lines , using a bit as the fourth value in each entry. In deployed systems this abstract procedure may not be done as directly as we describe. The definition generalizes 3 Many CSPs never actually delete files at the backend, and this is understandable: the cost of finding, accessing and removing a file and all its redundant copies is often considerable, and if the CSP uses client-side deduplication then if the user or any other uploads that file in the future this will incur a bandwidth cost.

Any scheme that distributes files among multiple servers is also included, incurring a rather complicated outsourced state ST, however the results in the remainder of this paper will mainly focus on the single server case. To satisfy correctness we require an implicit assumption that the CSP forwards all requests honestly: this approach reflects cryptographic models for key exchange.

If fk used for store encryption is not the same as the one used for retr decryption then no scheme can be correct.

The adversaries that we consider cannot modify KT so key symmetry is implicit in our model and for the rest of the paper. The natural scenarios include a CSP that does not support client-side en- cryption line 1 , a CSP wherein each user holds a per-user key and encrypts all files with that key line 2 , and a CSP wherein a per-file key is randomly chosen at the point of the file being uploaded line 3.

This case also re- flects some enterprise scenarios in which an organization has a storage gateway that may interact with trusted hardware, such as a hardware security module that deduplicates files and encrypts under one key on behalf of all of its employees before sending to some public cloud CSP. The per-file key sce- nario line 3 intuitively provides increased confidentiality, but introduces challenging key management.

A gateway can also be used in this case as described in the Omnicloud architecture [KW14]: this of course requires the gateway to additionally manage the vast number of keys that could be generated in the enterprise scenario. In many schemes such as those of Keelveedhi et al. Stanek et al. The protocol of Duan [Dua14] attempts to avoid the single point of failure inherent in having a single semi-trusted key server KS in DupLESS-like schemes: fkeyGen generates encryption keys using a distributed oblivious key generation DOKG , instantiated using a deterministic threshold signature scheme.

The CDStore protocol of Li et al. The restriction to SKE in line 10 of Fig. Note here that schemes in Fig. In the schemes that do precisely fit our model, generation of file key fk could happen as part of the key generation procedure kgen: for example in the per-user key case line 2 of Fig.

This is one of many potential modular extensions of our framework: we could of course consider a model in which for example the fkeyGen and E algorithms are general functions with arbitrary inputs. Dang and Chang [DC17] similarly assume some trusted entity, in their case hardware.

A trusted enclave uses an oblivious PRF similarly to the key server in DupLESS to get block-derived keys to allow the enclave to perform deduplication: the enclave acts as a deduplication gateway then applies randomized encryption before sending the ciphertexts to the CSP.

In these schemes encryption is essentially done in two phases and the per-block keys are managed by the third party; this does not quite fit our model but it is straightforward to modify how KT and SKE works to analyze such schemes. Recently Shin et al. Again it is straightforward to extend our model to allow this type of scheme.

To simplify much of our analysis later on we require that every time a new file is stored by a client, a new id is generated. This leads to the following assumption: Assumption 1. In all cloud storage schemes CS considered in this paper, store is never called on the same id twice. In this section we turn our attention to confidentiality of files with respect to realistic adversaries.

There are several possible goals. The classical cryptographic goal is indistinguishability, where one of two adversary-chosen files was stored and the adversary is unable to decide which file was stored. This is similar to semantic security, where a file sampled from one of two adversary-chosen probability spaces was stored, and the adversary is unable to decide which distribution the file was sampled from.

A weaker notion is to sample a file from one of two pre-chosen high-entropy probability spaces. The adversary has two distinct capabilities when attacking a cloud storage system. The first is the ability to influence the actions of the honest users. The second is the ability to influence the CSP.

When considering corruption of users, it is important to note that an adversary can usually create genuine logins to a system, and thus receive a valid uid and uk for an arbitrary number of users. We model this by distinguishing between two types of newu query: O. For its corrupted users the adversary may not necessarily use uk and fkeyGen correctly which O. We regard the minimum adversarial capability as being able to have full control over a number of corrupted users and to make honest users store files, we refer to this notion as a chosen store attack CSA.

The adversary may even be able to get honest users to retrieve files from the cloud storage system, a chosen retrieve attack5 CRA. Analogously to 4 It is certainly possible to extend this model to adaptive corruptions, however this would add considerable extra complexity to any scheme. And finally, the adversary may have full control over the CSP, an actively corrupt A adversary. When the CSP is honest, it may seem that our model always guarantees confidentiality because the adversary would never have access to ciphertexts.

However, this is not the case, since the file key generation procedure is regarded as a protocol and may leak information as mentioned earlier with the protocol of Liu et al. Roughly speaking, we can say that when the CSP is honest, we consider only the security of the file key generation protocol. When the CSP is passively corrupt, we must additionally consider the confidentiality of the encryption used.

When the CSP is actively corrupt, we must also consider the integrity of the encryption mechanism. This separation of concerns is by design. Just as in our general definition for storage protocols Fig. The security experiment keeps track of the O.

LR queries using a forbidden list CL to prevent trivial wins. These are not functionalities of storage systems so they are not included in Fig. LRb with users that it does not have the key material for, resulting in ciphertexts that it cannot access.

Thus, even a scheme with no encryption can be secure under this notion. This is by design: the only schemes that do not meet this minimum requirement are those that leak information about the file to other users during the store procedure. It is possible to imagine adversaries that may wish to act without being noticed by the users they have infiltrated. This is the nature of adversaries in cloud storage: the clear hierarchy that exists for encryption does not easily translate.

All adversaries have access to the oracles on the left-hand side and O. CRA additionally has access to O. The concept of length equality for files in cloud storage is not as clear cut as it is for bitstrings in an IND-based game for encryption.

If the encryption scheme is not length hiding and the adversary submits one O. LR query and one O. As mentioned earlier, this means that an inherent restriction exists on O. LR queries: if the length of the segmentation of F0 and F1 differs then the experiment does not go ahead with the store procedure7. Relations Between Notions. While we have just defined six adversarial capabilities, in fact only three are distinct.

We give a brief intuition here. This leaves three equivalences and two separation results. If the adversary can observe a distinguishable error symbol as part of its O. LR queries then this may cause issues. We strictly disallow this by not returning anything to the adversary and assuming a stringent restriction on allowed file pairs for O. LR and O. This is indeed possible: the simulator keeps track of such queries in a table. LR query with distinct files and then queries O.

We give the final separation result after Theorem 1. These theorems provide justification for the choices made in defining our adversarial capabilities. Finally Theorem 4 considers the secure deduplication setting with a reduction to PRV-CDA security of the underlying encryption: for this we need a modified security experiment Fig.

For the results here and in the next section, if we are describing key usage for a specific symmetric-key encryption scheme i.

We summarize the results from this section in Fig. LRb oracle when the adversary calls O. LRb or O. In the ith game, the O. LRb oracle will always use F1 for the first i users, and always use F0 for the remaining users. We must now bound this difference. LR0b , O. For queries to the non-specified oracles, the reduction performs the required operations exactly as defined in Fig.

If the left-right oracle always encrypts F1 , the execution proceeds exactly as in Gi. Letting B1 be one of these adversaries with maximal advantage, the claim follows. Remark 1. This is due to a cut-and-paste attack: an adversary can manipulate ST in such a way that it can call O. LR query. See Appendix A for full details of this attack. Theorem 2. The latter two are straightforward: the reduction simply performs the actions according to Fig.

Whenever A2 makes an O. LR on the same two values: this adds the resulting ciphertext to its forbidden list. To deal with this, B2 needs to keep track of the F, id, c tuples that it would be disallowed from decrypting in the event of an O. The reduction is detailed in Fig. Therefore we need to apply a reduction similar to that for proving multi-user security of encryption, for example using techniques similar to those of Bellare, Boldyreva and Micali [BBM00].

Here, however, the loss in the reduction is the number of adversarial calls to its O. LR oracle, rather than the number of users. Perhaps surprisingly, even with an IND-CPA-secure encryption scheme, we get our strongest notion of security for the resulting cloud storage protocol.

Theorem 3. LRb oracle by the adversary. LRb oracle. In the ith game, the oracle will always use F1 for the first i queries, and always use F0 for the remaining queries.

The proof now proceeds exactly as the proof of Theorem 1, using the reduction B3,i as defined in Fig. In particular, since a random key is chosen for O. LRb queries, the reduction can simulate all encryptions except those it needs to send to its own O. These values are added to CL so cannot be acquired via an O.

The claim follows. Remark 2. E oracle, and uses its OSKE. LR oracle exactly once. This means that we could in principle use a one-time secure symmetric cryptosystem, and still get security. Cloud storage schemes with this property cannot achieve the usual indistin- guishability notion because the adversary knows the possible files and therefore the possible encryption keys used. For encryption schemes that derive encryption keys from the file itself as defined in Section 2.

The probability space must be independent of the encryption scheme to avoid pathological situations, hence pre-chosen. We define a notion of security for such cloud storage similar to PRV-CDA, where we sample two vectors of files and store every file from one of those vectors.

We then prove the natural theorem. The relations between IND notions from Fig. Theorem 4. While our model Fig. In order to consider the confidentiality of such schemes within our model it is necessary to incorporate a simple extension: an O. Our model is also easily extensible to the distributed storage context: the O. ExpPRV -atk-csp : O. The algorithms from Fig. The oracles to which the adversary has access are the same as for our IND notions.

The O. It is straightforward to create a variant of our generic IND experiment for deterministic encryption: the adversary is not allowed to send the same file to O. LR or O. In particular, the experiment initializes an empty list, and on each F or F0 , F1 query to store, resp.

LR, that value is added to the list. If the adversary later attempts to perform O. The attack is straightforward: The adversary calls its fkeyGen oracle on F0 to get fkF0 ; then again for some distinct F1 to get fkF1 ; calls O.

LRb F0 , F1 for some uid, id and does O. All that is left to do is to attempt to decrypt c using the two keys it got from fkeyGen earlier to get Fb , then output b. One approach to this requirement is to use proofs of retrievability PoR [JJ07, SW13], where users embed some data in their files ciphertexts and periodically engage in some protocol with the CSP to check that the files have not been deleted or modified.

We consider the simpler problem of ensuring that retrieved files are correct. Our approach is inspired by the ciphertext integrity notions from the cryptography literature. As before, we focus on generic results rather than concrete instantiations. The experiment is given in Fig. An adversary, in control of a number of users of the cloud storage scheme CS, wins the game by making a user retrieve a file that either the user had previously deleted, or that the user did not store in the first place.

The other ST tracks all of these activities in addition to the oracles mod- elling active server compromise: O. In Section 5. We will later consider integrity in client-side dedupli- cating systems: a scenario where an adversarial client INT-SC-Z is inherently given more power by the mechanism that saves communication bandwidth. Note that in the description of O. This means that the ciphertext component or the deletion bit or both being different means that this condition is achieved.

Let CS be a cloud storage system based on a symmetric cryptosystem as in Fig. The adversary has access to O. The oracles that are not explicitly stated are as defined in Fig. Our definition of del in Fig. This formulation makes it extremely difficult for an adversary to win the INT-SC-csp game by retrieving a file it previously deleted since it has no ability to edit KT entries.

We acknowledge that this technical issue is awkward but believe that this exposition gives the clearest possible definition of ciphertext integrity for cloud storage systems as we have defined them. The construction is straightforward: each user holds their own symmetric key and uses an encryption scheme that is INT-CTXT secure during the store procedure line 2 from Fig.

Unlike other encryption algorithms, this encryption algorithm needs lesser computation overhead. Encryption and decryption algorithms are developed in java and Remote Method Invocation RMI concepts are used for communication between client and server. Abstract— Cloud comput in g provides convenient on-demand network access to a shared pool of configurable comput in g.

The resources can be rapidly deployed with great efficiency and m in imal management overhead. Cloud is an in secure. In this paper, we propose a new data encod in g scheme called layered in terleav in g, designed. It is high-speed data recovery scheme with m in imal loss. Skip to Main Content. A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity.

Use of this web site signifies your agreement to the terms and conditions. Purchase Full Source code and Download Instantly. In contrast to traditional solutions, where the IT services are under proper physical, logical and personnel controls, cloud computing moves the application software and databases to the large data centers, where the management of the data and services may not be fully trustworthy. This unique attribute, however, poses many new security challenges which have not been well understood.

In this article, we focus on cloud data storage security, which has always been an important aspect of quality of service. The accountability of armed groups under human rights law pdf experience psychology 3rd edition laura king free pdf download.

While cloud computing is gaining popularity, diverse security and privacy issues are emerging that hinder the rapid adoption of this new computing paradigm.

Data Storage Security Model for Cloud Computing data storage security in cloud computing Security Issues in Cloud Computing and Associated Mitigation Techniques Ensuring Data Storage Security in Cloud Computing Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. Share :.