Cryptography for Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan CRYPTOLOGY 2012, 4-6 June, Langkawi, Malaysia
Cloud Storage Service • (or online storage service) • is now available on a commercial basis. • Big Internet enterprises such as • Google, Amazon, Yahoo • are providing these services.
The Advantages are • Companies need only pay for the storage they actually use • Companies do not need to install physical storage devices in their own data center • Storage maintenance tasks, such as backup, are offloaded to the responsibility of a service provider
In Japan • After the big earthquake last year, many local governments are considering using cloud storage service to store their important data which includes the original copy of family registers.
But Potential Threats • The number of people with access to the data who could be compromised (bribed or coerced) increases dramatically. • It is possible for other customers to access your data, sometimes because of human error, faulty equipment, a bug or criminal intent.
In such systems • The role of cryptography is crucial.
A Searchable Symmetric Encryption (SSE) scheme • Consists of a store phase and a search phase
In the store phase, • A client stores encrypted files (or documents) on a server [Diagram: Client → Server: E(D1), ⋯, E(DN)]
In the search phase, • The client sends an encrypted keyword to the server [Diagram: Client → Server: E(keyword)]
The server somehow returns • The encrypted files E(D3), E(D6), E(D10) which contain the keyword [Diagram: Client → Server: E(keyword); Server → Client: E(D3), E(D6), E(D10)]
So the client can • retrieve some of the encrypted files • which contain a specific keyword, • keeping the keyword secret [Diagram: Client → Server: E(keyword); Server → Client: E(D3), E(D6), E(D10)]
By Passive Attack • A malicious server breaks the privacy • She tries to find • the keyword and the documents [Diagram: Client → malicious Server: E(keyword); Server → Client: E(D3), E(D6), E(D10)]
By Active Attack • A malicious server breaks the reliability • She tries to forge/delete some files, • or replace E(D3) with another E(D100). [Diagram: Client → malicious Server: E(keyword); Server → Client: E(D3), E(D6), E(D10), with E(D100) substituted]
The security against passive attacks has been studied by several researchers. • Song, Wagner, Perrig • Goh • Bellovin and Cheswick • Chang and Mitzenmacher
Finally • Curtmola, Garay, Kamara and Ostrovsky • showed a rigorous definition of security against passive attacks. • They also gave a scheme which satisfies their definition.
However • The security against active attacks has not been considered so far.
In this talk • (1) Extend the model of SSE to verifiable SSE • (2) Define the security against active attacks. • (3) Next formulate the UC-security • (4) Then prove the equivalence between (2) and (3) • (5) Finally show a UC-secure scheme
Outline of this talk (1) Curtmola et al.'s scheme (2) Our UC-secure scheme (3) Our theoretical results
Curtmola et al. showed a scheme as follows. (It is secure against passive attacks.) Consider the following "Index" [Figure: Index table]
The client first constructs E(Index) • as follows. • He first chooses a pseudorandom permutation π. [Figure: E(Index) table]
He next computes • π(Austin, 1), π(Austin, 2) and π(Austin, 3), • and writes the indexes (3, 6, 10) in these addresses [Figure: E(Index) table with addresses π(Austin, 1), π(Austin, 2), π(Austin, 3)]
Do the same for each keyword [Figure: E(Index) table with addresses π(Austin, 1), π(Austin, 2), π(Austin, 3), π(Boston, 1), π(Boston, 2)]
In the store phase, • The client stores E(D1), ⋯, E(DN), and E(Index) [Diagram: Client → Server]
In the search phase, • The client sends t(Austin) = ( π(Austin, 1), π(Austin, 2), π(Austin, 3) ) [Diagram: Client → Server, which holds E(Index)]
The server sees the indexes corresponding to π(Austin, 1), π(Austin, 2), π(Austin, 3) in E(Index)
Hence the server can return E(D3), E(D6), E(D10) [Diagram: Client → Server: π(Austin, 1), π(Austin, 2), π(Austin, 3); Server → Client: E(D3), E(D6), E(D10)]
This scheme • Is secure against passive attacks. • But it is not secure against active attacks.
A naive approach is to add MAC to each E(Di) • The server returns these files together with their MACs [Diagram: Client → Server: π(Austin, 1), π(Austin, 2), π(Austin, 3); Server → Client: E(D3), MAC(E(D3)), E(D6), MAC(E(D6)), E(D10), MAC(E(D10))]
But a malicious server will • Replace some pair with another pair [Diagram: Client → malicious Server: π(Austin, 1), π(Austin, 2), π(Austin, 3); Server → Client: E(D3), MAC(E(D3)), E(D6), MAC(E(D6)), E(D10), MAC(E(D10)), with E(D100), MAC(E(D100)) substituted for one pair]
The client cannot detect this cheating • Because E(D100), MAC(E(D100)) is a valid pair of MAC [Diagram: as on the previous slide]
The proposed scheme • We include π(Austin, 1) in the input of MAC • So the server returns E(D3), Tag3 = MAC(π(Austin, 1), E(D3)) [Diagram: Client → Server: π(Austin, 1); Server → Client: E(D3), Tag3]
This method works • Because the MAC binds the query and the answer pair [Diagram: Client → Server: π(Austin, 1); Server → Client: E(D3), Tag3 = MAC(π(Austin, 1), E(D3))]
More precisely, • The client writes such MAC values in E(Index), and stores it on the server [Figure: E(Index) table with addresses π(Austin, 1), π(Austin, 2), π(Austin, 3)]
For a query π(Austin, 1) • The server returns E(D3) and tag3 = MAC( π(Austin, 1), E(D3) ) [Figure: E(Index) lookup at address π(Austin, 1)]
The client checks the validity of π(Austin, 1), E(D3), tag3 = MAC( π(Austin, 1), E(D3) ) • The details are written in the paper.
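The difference between the naive MAC and the query-bound MAC, as an added example that is not code from the talk or the paper. HMAC-SHA256 stands in for both π and the MAC, random bytes stand in for the ciphertexts E(D3) and E(D100), and the address π(Boston, 1) as the place where E(D100) legitimately belongs is an assumption made for the demonstration.

```python
import hashlib
import hmac
import os

def prf(key, *parts):
    # HMAC-SHA256 over length-prefixed parts; stand-in for pi and for MAC (assumption).
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def address(k_pi, keyword, j):
    # pi(keyword, j)
    return prf(k_pi, keyword.encode(), j.to_bytes(4, "big"))

def naive_tag(k_mac, ct):
    # MAC(E(Di)): authenticates the ciphertext only.
    return prf(k_mac, ct)

def bound_tag(k_mac, addr, ct):
    # MAC(pi(keyword, j), E(Di)): authenticates the query/answer pair.
    return prf(k_mac, addr, ct)

def naive_verify(k_mac, ct, tag):
    return hmac.compare_digest(naive_tag(k_mac, ct), tag)

def bound_verify(k_mac, addr, ct, tag):
    return hmac.compare_digest(bound_tag(k_mac, addr, ct), tag)

def demo():
    k_pi, k_mac = os.urandom(32), os.urandom(32)
    e_d3, e_d100 = os.urandom(48), os.urandom(48)   # constructed ciphertexts
    query = address(k_pi, "Austin", 1)              # honest answer: E(D3)
    other = address(k_pi, "Boston", 1)              # assumed home of E(D100)
    # Tags the client computed at store time and the server now holds.
    stored_naive = naive_tag(k_mac, e_d100)
    stored_bound = bound_tag(k_mac, other, e_d100)
    # The server answers the Austin query with E(D100) and its stored tag.
    naive_swap_accepted = naive_verify(k_mac, e_d100, stored_naive)
    bound_swap_accepted = bound_verify(k_mac, query, e_d100, stored_bound)
    honest_accepted = bound_verify(k_mac, query, e_d3,
                                   bound_tag(k_mac, query, e_d3))
    return naive_swap_accepted, honest_accepted, bound_swap_accepted

if __name__ == "__main__":
    print(demo())
```

The client recomputes the tag over the address it actually queried, so a tag stored for any other address fails even though it is a genuine MAC under the client's key.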
Another Subtle Point • If 3 appears many times in E(Index), • the adversary sees that • D3 includes more keywords than the other documents. [Figure: E(Index) table]
Hence • the index i of each Di should appear the same number of times. • Curtmola et al. didn't show such a method. [Figure: E(Index) table]
We solve this problem as follows • Suppose that there are 5 documents and Index [Figure: Index table]
Since Austin ∈ {D1, D2}, we consider a list such that [Figure: list]
We consider another list which includes (3,4,5)
E(Index) is constructed by permuting them randomly by using a PRP π as follows. [Figure: address tables]
In the search phase, the client sends π(0, Austin, *) to the server [Figure: address tables]
The server returns the corresponding contents [Figure: address tables]
Now each i ∈ {1,2,3,4,5} appears once for each keyword [Figure: address tables of E(Index)]
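The index construction above, sketched as an added example that is not code from the talk or the paper. HMAC-SHA256 stands in for the PRP π, the use of flag 1 for the second list and the slot numbering j are assumptions about the table layout, and the Boston row is constructed; only Austin ∈ {D1, D2} with 5 documents comes from the slides.

```python
import hashlib
import hmac
import os
from collections import Counter

def pi(key, flag, keyword, j):
    # HMAC-SHA256 stands in for the PRP pi (assumption); fields are length-delimited.
    w = keyword.encode()
    msg = bytes([flag]) + len(w).to_bytes(2, "big") + w + j.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

def build_index(key, docs, keywords, pad=True):
    """docs maps document number -> set of keywords; returns {address: number}."""
    index = {}
    for w in keywords:
        have = sorted(i for i, ws in docs.items() if w in ws)
        # Second list: documents that do NOT contain w (flag 1 is an assumption).
        rest = sorted(i for i in docs if i not in have) if pad else []
        for flag, ids in ((0, have), (1, rest)):
            for j, i in enumerate(ids, start=1):
                index[pi(key, flag, w, j)] = i
    return index

def trapdoor(key, keyword, n_docs):
    # pi(0, keyword, *): every address the keyword's first list may occupy.
    return [pi(key, 0, keyword, j) for j in range(1, n_docs + 1)]

def search(index, addresses):
    # Server side: return whatever is stored at the queried addresses.
    return sorted(index[a] for a in addresses if a in index)

def appearances(index, docs):
    # How often each document number occurs in the index contents.
    counts = Counter(index.values())
    return {i: counts.get(i, 0) for i in docs}

def demo():
    key = os.urandom(32)
    docs = {1: {"Austin"}, 2: {"Austin", "Boston"}, 3: {"Boston"},
            4: set(), 5: {"Boston"}}
    kws = ["Austin", "Boston"]
    plain = build_index(key, docs, kws, pad=False)   # one list per keyword
    padded = build_index(key, docs, kws)             # both lists per keyword
    hits = search(padded, trapdoor(key, "Austin", len(docs)))
    return appearances(plain, docs), appearances(padded, docs), hits

if __name__ == "__main__":
    print(demo())
```

With only the first list stored, the counts differ per document and reveal which documents hold more keywords; with both lists stored, every document number occurs exactly once per keyword.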
Later • We will prove that our scheme is UC-secure • Hence it is secure against active attacks.