Article: New Approaches to Security and Availability for Cloud Data
Ari Juels, Alina Oprea
Communications of the ACM, Feb. 2013
Database Laboratory Regular Seminar, 2013-07-22
TaeHoon Kim
Contents
• Introduction
• Solution Overview
• Iris
  - Iris Authenticated file system
  - Iris Structure
• Auditing Framework
• Conclusion
1. Introduction
• The cloud computing service model offers users (called tenants) on-demand network access
  - A large shared pool of computing resources (the cloud)
• Many companies have adopted private clouds
  - IBM, HP, VMware, EMC2
• Public clouds are not adopted
  - Security and operational risk
  - Including hardware failure, software bugs, power outages, server misconfiguration, malware, and insider threats
  - Lack of availability and reliability
  - Striking loss of personal customer data
• http://blog.naver.com/PostView.nhn?blogId=lugenzhe&logNo=90100646811&redirect=Dlog&widgetTypeCall=true
1. Introduction
• Potentially malicious tenants
  - Ristenpart et al. [18]: such an attacker can exploit side channels in shared hardware to exfiltrate sensitive data
• Our research addresses
  - The challenge of migrating enterprise data into the public cloud
  - Devised cryptographic protocol
  - Proposes an auditing framework to verify properties of the internal operation of the cloud and assure the enterprise
2. Solution Overview
• Our vision of a more trustworthy cloud-computing model
  - Manages cryptographic keys
  - Maintains trusted storage for integrity
  - Freshness enforcement
  - Redundancy to data for enhanced availability
3. Iris Authenticated file system
• An authenticated file system
  - Allows migration of existing internal enterprise systems into the cloud
  - Offers strong integrity and freshness guarantees
  - Minimizes the effects of network latency on file-system operations
  - Is designed to use any existing back-end cloud storage system transparently, without modification
3. Iris Structure (2 layers)
• The gateway side
  - Caches data and metadata blocks from the file system recently accessed by enterprise users
  - Computes integrity checks, namely MACs on data blocks
• MACs
  - Fixed-size file segments of typical size 4KB
  - Enables random access
  - Verification of individual file-block integrity
3. Iris Structure (2 layers)
• Merkle-tree-based structure
  - Internal nodes of the tree contain hashes of their children
  - The tenant can efficiently verify integrity (via the data MAC) and freshness (via the block-version number)
  - Support for existing file-system operations
  - Support for concurrent operations
• http://en.wikipedia.org/wiki/Merkle_tree#How_hash_trees_work
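An added example, not taken from the slides or from the Iris authors' code, of how the two checks on this slide fit together: a per-block data MAC for integrity and a Merkle tree over block-version numbers for freshness. The function names, the SHA-256/HMAC choice, the leaf encoding and all sample values are assumptions made for the illustration.

```python
import hashlib, hmac

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def block_mac(key, index, version, data):
    """Data MAC: binds block position and version number to the contents."""
    msg = index.to_bytes(8, "big") + version.to_bytes(8, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()

def leaf(index, version):
    return H(b"\x00", index.to_bytes(8, "big"), version.to_bytes(8, "big"))

def build_levels(versions):
    """Tree over block-version numbers; internal nodes hash their children."""
    levels = [[leaf(i, v) for i, v in enumerate(versions)]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(b"\x01", cur[i], cur[i + 1]) if i + 1 < len(cur)
                       else cur[i] for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels, index):
    path = []                            # sibling hashes, leaf to root
    for cur in levels[:-1]:
        sib = index ^ 1
        if sib < len(cur):               # an unpaired node is carried up as-is
            path.append((sib < index, cur[sib]))
        index //= 2
    return path

def verify_read(key, trusted_root, index, version, data, mac, path):
    """Gateway check: freshness from the tree, then integrity from the MAC."""
    node = leaf(index, version)
    for sibling_is_left, sib in path:
        node = H(b"\x01", sib, node) if sibling_is_left else H(b"\x01", node, sib)
    if not hmac.compare_digest(node, trusted_root):
        return "stale version"
    if not hmac.compare_digest(block_mac(key, index, version, data), mac):
        return "bad MAC"
    return "ok"

def demo():
    key, old, new = b"\x11" * 32, b"B" * 4096, b"b" * 4096  # constructed key and 4KB blocks
    before, after = build_levels([1, 1, 1]), build_levels([1, 2, 1])  # block 1 rewritten once
    root = after[-1][0]                  # root held in gateway trusted storage
    fresh = verify_read(key, root, 1, 2, new, block_mac(key, 1, 2, new), auth_path(after, 1))
    replay = verify_read(key, root, 1, 1, old, block_mac(key, 1, 1, old), auth_path(before, 1))
    return fresh, replay
```

The replayed block carries a MAC that is valid under the key, so the MAC alone would accept it; only the version tree, checked against the root kept at the gateway, shows that it is an old version.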
4. Auditing Framework
• When Alice (client) stores data with Bob, she wants to know that Bob (service provider) has not let her data succumb to bit rot, storage-device failure, corruption by buggy software, etc.
• Using a strong cryptographic approach to assurance: PoR (Proofs of Retrievability)
  - Bob proves to Alice that a given piece of data D stored in the cloud is not damaged and is retrievable
  - Cryptographically verifies the correctness of all cloud-stored data
4. Auditing Framework
• Notation
  - D is some piece of data
  - D* is constructed by appending what are called "parity blocks"
  - ri denotes the i-th data block (fixed size, 4KB)
• Using secret key k, Alice can compute MACs (secret-key digital signatures) over data blocks r1, r2, r3 … rn
• To verify the correctness of a block r1, Alice uses k and ci
• Alice needs to store only the key k
• http://en.wikipedia.org/wiki/Merkle_tree#How_hash_trees_work
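An added example, not from the slides or the article's authors, of the MAC-based audit this slide describes: Alice tags each 4KB block under k before upload, later challenges Bob on chosen indices, and recomputes the MACs using only k. The function names and sample data are assumptions; binding the block index into the MAC is a choice made here, blocks are numbered from 0, and the parity blocks of D* are left out.

```python
import hashlib
import hmac
import secrets

BLOCK = 4096  # fixed block size from the slide

def tag(k, i, block):
    """MAC over block i, bound to its index so blocks cannot be swapped."""
    return hmac.new(k, i.to_bytes(8, "big") + block, hashlib.sha256).digest()

def encode(k, data):
    """Alice: split D into blocks and attach a MAC to each before upload."""
    blocks = [data[o:o + BLOCK] for o in range(0, len(data), BLOCK)]
    return [(r, tag(k, i, r)) for i, r in enumerate(blocks)]

def challenge(n, q, rng=None):
    """Alice: pick q distinct block indices that Bob cannot predict."""
    rng = rng or secrets.SystemRandom()
    return rng.sample(range(n), min(q, n))

def respond(store, indices):
    """Bob: return the stored (block, MAC) pair for each challenged index."""
    return [store[i] for i in indices]

def audit(k, indices, response):
    """Alice: recompute each MAC with k; return the indices that fail."""
    if len(response) != len(indices):
        return list(indices)
    return [i for i, (r, c) in zip(indices, response)
            if not hmac.compare_digest(tag(k, i, r), c)]

def demo():
    k = b"\x22" * 32                                       # constructed key, Alice's only secret
    data = b"".join(bytes([i]) * BLOCK for i in range(8))  # constructed 8-block file
    store = encode(k, data)                                # what Bob holds
    store[3] = (b"\x00" * BLOCK, store[3][1])              # simulated bit rot in block 3
    store[5] = store[2]                                    # block 5 replaced by a copy of block 2
    idx = list(range(len(store)))                          # full audit for a deterministic result
    return audit(k, idx, respond(store, idx))
```

In a real audit Alice would call `challenge` for a small random sample rather than every index; the number of blocks n is the one extra value she has to remember besides k.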
4. Auditing Framework
• PoR (Proofs of Retrievability)
  - Efficient only for checks on static data (such as archived data)
• PDP (Proof of Data Possession)
  - Enables public verification of data integrity
• Dynamic PoR
  - Conceals individual parity-block updates from Bob, as well as the code structure
• PoS (Proofs of Storage)
  - Detecting data loss
  - E.g., drive crashes: a large data center is likely to experience thousands of drive failures each year [19]
4. Auditing Framework
• Auditing of drive failure. Solution: RAFT (Remote Assessment of Fault Tolerance)
  - Makes use of bounds on the seek time of a rotational drive
  - RAFT operates specifically on data stored on rotational drives, exploiting their performance limitations as a bounding parameter
4. Auditing Framework
• What if the cloud provider fails to respond correctly to an audit due to data loss?
  - HAIL (High Availability and Integrity Layer) is the solution
  - Works by promptly detecting and recovering from data corruption (similar to RAID)
• HAIL
  - An extension of RAID into the cloud
  - Distributes data across multiple cloud providers to achieve continuous availability
• http://blog.naver.com/capemay?Redirect=Log&logNo=40192616466
• http://jaesoo.com/study_board/23324
4. Auditing Framework
• To provide recovery from (resilience to) cloud-provider failure, the gateway splits the data into fixed-size blocks and encodes it with a new erasure code: the dispersal code
• Distributes her data with embedded redundancy
  - A set of n cloud providers: S1 … Sn
Conclusion
• Described new techniques
  - A range of protections, from integrity and freshness verification to high data availability
• Proposed an auditing framework
• These techniques enable an extension from enterprise internal data centers into public clouds
• Our hope
  - Alleviate some of the concern over security in the cloud
  - Facilitate migration of enterprise resources into public clouds
Q/A
• Thank you for listening to my presentation