1 / 49

Cryptographic Cloud Storage

Cryptographic Cloud Storage. Seny Kamara & Kristin Lauter senyk@microsoft .com klauter@microsoft.com Micorsoft Reaserch. B99705013 廖以圻 B99705025 陳育旋. outline. Introduction of the cloud storage service The basic concept of cryptography Architecture of a cryptographic storage service

darryl
Download Presentation

Cryptographic Cloud Storage

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptographic Cloud Storage SenyKamara& Kristin Lauter senyk@microsoft .com klauter@microsoft.com MicorsoftReaserch B99705013 廖以圻 B99705025 陳育旋

  2. outline • Introduction of the cloud storage service • The basic concept of cryptography • Architecture of a cryptographic storage service • Benefit of a cryptographic storage service • The core component of a cryptographic storage service • Summary

  3. outline • Introduction of the cloud storage service • The basic concept of cryptography • Architecture of a cryptographic storage service • Benefit of a cryptographic storage service • The core component of a cryptographic storage service • Summary

  4. Introduction of the cloud storage service • Cloud infrastructure can be categorized as private or public • Benefit of public storage service : availability reliability efficient retrieval data sharing

  5. Introduction of the cloud storage service • Main concern for a public storage service : 1. confidentiality 2. integrity we argue for designing a virtual private storage service based on recently cryptographic techniques.

  6. outline • Introduction of the cloud storage service • The basic concept of cryptography • Architecture of a cryptographic storage service • Benefit of a cryptographic storage service • The core component of a cryptographic storage service • Summary

  7. cryptography symmetric & asymmetric encryption Symmetric encryption

  8. cryptography Asymmetric encryption

  9. cryptography Asymmetric encryption

  10. outline • Introduction of the cloud storage service • The basic concept of cryptography • Architecture of a cryptographic storage service • Benefit of a cryptographic storage service • The core component of a cryptographic storage service • Summary

  11. Architecture of a Cryptographic Storage Service

  12. Basic Components • Data processor (aka. DP): process data before it is sent to cloud. • Data verifier(aka. DV):checks whether the data in the cloud has been tempered with. • Token generator(aka. TG): generate tokens that enablethe cloud storage to retrieve segments of customer data. • credential generator(CG): implementsan access control policy by issuing credentials (憑據)to the various parties in the system

  13. 2 kinds of architecture • A CUMSTOMER ARCHITECTURE • AN ENTERPRISE ARCHITECTURE

  14. A customer architecture

  15. A customer architecture • A story begin with three party: Alice, Bob and storage provider. • Alice wants to share data with Bob. • HOW TO DO THAT??

  16. A customer architecture • First, Alice and Bob using the same DP, DV, TG. • Alice generate a cryptography key (master key), which is kept in local.

  17. A customer architecture • When Alice wants to upload files. • Using DP: • Attaches metadata and encrypt and encode. • Using DV: • Verifying the integrity of data. • Using TG: • Wants to retrieve data. • Send token to the cloud storage to search the appropriate encrypted file.

  18. A customer architecture • When Bob wants to retrieve some file. • Alice uses TGto make a token to Bob, and also uses a CGto make a credential to Bob. • After Bob receive token and credential, he uses the token to retrieve data, and decrypt it with credential.

  19. A customer architecture

  20. 2 kinds of architecture • A CUMSTOMER ARCHITECTURE • AN ENTERPRISE ARCHITECTURE

  21. A customer architecture

  22. An Enterprise Architecture

  23. An Enterprise Architecture • MegaCorp wants to share data with PartnerCorp, MegaCorp store data in cloud storage provider. • Depending on the particular scenario, dedicated machines will run various core components.

  24. An Enterprise Architecture • each MegaCorp and PartnerCorp employee receives a credential from the credential generator. • 所有人的credential都不同,依職位劃分。 • Whenever a MegaCorp employee generates data that needs to be stored in the cloud, it sends the data together with an associated decryption policy to the dedicated machine for processing.

  25. An Enterprise Architecture • To retrieve data from the cloud, an employee requests an appropriate token from the dedicated machine. • Different TOKENS can access different information. • Usage of DV is the same as before.

  26. An Enterprise Architecture • A PartnerCorp employee needs access to MegaCorp's data, he authenticates itself to MegaCorp's dedicated machine and sends it a keyword. • The dedicated machine returns an appropriate token which the employee uses to recover the appropriate files.

  27. An Enterprise Architecture • In the case that MegaCorp is a very large organization, Data processor may have great loading. v

  28. An Enterprise Architecture • Another case the dedicated machines only run data verifiers, token generators and credential generators while the data processing is distributed to each employee.

  29. An Enterprise Architecture

  30. outline • Introduction of the cloud storage service • The basic concept of cryptography • Architecture of a cryptographic storage service • Benefit of a cryptographic storage service • The core component of a cryptographic storage service • Summary

  31. Benefits of a Cryptographic Storage Service

  32. Core Properties • Control of the data is maintained by the customer. • the security properties are derived from cryptography.

  33. Concerns • Regulatory compliance • Geographic restrictions • Subpoenas • Security breaches • Electronic discovery • Data retention and destruction

  34. Concerns • Regulatory compliance (保護資料) • Laws for protecting data. • Sol: Data processor and encryption may help. • Geographic restrictions • It can be difficult to ascertain exactly where one's data is being stored once it is sent to the cloud. some customers may be reluctant to use a public cloud for fear of increasing their legal exposure. • Sol: All data are stored in encrypted form.

  35. Concerns • Subpoenas • If the data is stored in a public cloud, the request may be madeto the cloud provider and the latter could even be prevented from notifying the customer. • Sol: data is stored in encrypted form and since the customer retains possession of all the keys. • Security breaches(漏洞) • There is always the possibility of a security breach. • Sol: data integrity can be verified at any time.

  36. Concerns • Electronic discovery • organizations are required to preserve and produce records for litigation. Organizations with high levels of litigation may need to keep a copy of large amounts of data. • Sol: a customer can verify the integrity of its data at any point in time. • Data retention and destruction(資料保留或刪除) • Itcan be difficult for a customer to ascertain the integrity of the data or to verify whether it was properly discarded. • Sol: Secure data erasure can be electively achieved by just erasing the master key

  37. Benefits of a Cryptographic Storage Service • Anyway, it’s all about the point: • Encrypted data and Data Verifier.

  38. outline • Introduction of the cloud storage service • The basic concept of cryptography • Architecture of a cryptographic storage service • Benefit of a cryptographic storage service • The core component of a cryptographic storage service • Summary

  39. The core component of a cryptographic storage service • The drawback of the cryptographic storage service : We have to download all the data , decrypt it and search locally. The organization have to retrieve all the data to verify the integrity

  40. The core component of a cryptographic storage service • Improvement : 1.DP index the data and encrypt it under a unique key 2.Encrypt the index using searchable encryption 3.encrypt the unique key with attribute- basedencryption 4.data verifier can verify their integrity using a proof of storage

  41. Searchable encryption • A way to encrypt a search index • Given a token for a keyword , one can retrieve pointers to the encrypted files • But sometimes the searching may leak some information to service provider • SSE /ASE /ESE /mSSE

  42. Searchable encryption (SSE) • Symmetric searchable encryption (SSE) • Single writer /single reader (SWSR) • based on symmetric primitives • Without any token the server learn nothing about the data except its length • Given a token with keyword w , the provider learn which document contain w without learn w Disadvantage : search time / update

  43. Searchable encryption (ASE) • Asymmetric searchable encryption (ASE) • Many writer /single reader (MWSR) • based on symmetric primitives • Without any token the server learn nothing about the data except its length • Given a token with keyword w , the provider learn which document contain w Disadvantage : the token w can be learned

  44. Searchable encryption (ESE) • Efficient ASE (ESE) • Search time is more efficient than ASE Disadvantage : the token w can be learned

  45. Searchable encryption (mSSE) • Multi-user SSE • Single writer /many reader (SWMR) • The owner can add and revoke users’ search privilege over his data

  46. The core component of a cryptographic storage service • Improvement : 1.DP index the data and encrypt it under a unique key 2.Encrypt the index using searchable encryption 3.encrypt the unique key with attribute- basedencryption 4.data verifier can verify their integrity using a proof of storage

  47. attribute-based encryption • Each user in the system is provided with a decryption key that has a set of attribute with it (credentials) • Decryption will only work if the attribute associated with the decryption key match the policy used to encrypt the massage

  48. The core component of a cryptographic storage service • Improvement : 1.DP index the data and encrypt it under a unique key 2.Encrypt the index using searchable encryption 3.encrypt the unique key with attribute- basedencryption 4.data verifier can verify their integrity using a proof of storage

  49. Proof of storage protocol • Which the server can prove to the client that it did not tamper with the data • The protocol can be executed an arbitray number of times • The amount of information exchanged is independent of the size of the data • Private /public verifiable

More Related