
Jyh-haw Yeh Dept. of Computer Science Boise State University

A PASS Scheme in Cloud Computing - Protecting Data Privacy by Authentication and Secret Sharing


Presentation Transcript


  1. A PASS Scheme in Cloud Computing - Protecting Data Privacy by Authentication and Secret Sharing. Jyh-haw Yeh, Dept. of Computer Science, Boise State University

  2. Cloud Computing Introduction
     • Cloud provides services – software, platform, infrastructure.
     • Clients are charged on a per-use basis.
     • Capital Expenditure (CapExp) -> Operational Expenditure (OpExp)
     • Multi-tenancy: better resource utilization
     • Reliability: redundant sites
     • Security: better protection from outside attacks.
     • Security: big ? from malicious cloud employees.

  3. The Problem to Solve
     • Protecting clients’ data privacy from cloud employees.
     • Perfect solution: fully homomorphic encryption algorithm (FHEA). No practical algorithm available.
     • Without FHEA, 100% data privacy may not be possible.

  4. PASS Scheme
     • Protect data Privacy by Authentication and Secret Sharing (PASS).
     • Objective: minimize the risk of leaking private data.
     • Approach:
       • Encrypt data by a key shared with the client.
       • Do not store the key anywhere in the cloud.
       • Use secret sharing to authenticate users and recover the shared key.

  5. PASS Scheme
     • 5 security components:
       • Public key cryptosystem (PKC): published by cloud.
       • Key agreement (KA): agree on a shared key and two secret shares at registration.
       • Key management (KM): keep a profile for each client.
       • Authentication (AUTH):
         • client’s counter <-> server’s counter;
         • hashed key computed from client’s request <-> stored hashed key
       • Access control (ACL): a second line of defense for the time frame in which the secret key is in use for processing a query.

  6. PASS Scheme
     • Design guidelines:
       • Ensure secret isolation (secret compartment).
       • Security has a higher priority than efficiency.
       • Prefer design choices that benefit multiple security components.

  7. PASS Scheme - PKC
     • PASS chooses ECC over RSA.
     • ECC: a curve is chosen over a prime p, with a base point G of order n.
     • Cloud provider publishes the ECC domain parameters <p, a, b, G, n>.
     • Each cloud entity (server, clients) sets up its own public-private key pair.
     • Server: public , private , where
     • Client i: public , private , where

  8. PASS Scheme – Key Agreement
     • Each client i and the cloud server s agree on a data encryption key and two secret shares (known to the client) and (known to the server).
     • The secret shares are used to recover the encryption key.

  9. PASS Scheme – Key Agreement
     • Encryption key agreement:
       • Client i chooses a random number and then sends to the server s
       • Server s chooses a random number and then sends to the client i
       • Both compute a point
       • Agree on an encryption key : the x-coordinate of

  10. PASS Scheme – Key Agreement
     • Secret shares agreement:
       • Both compute a point and let be the x-coordinate of the point
       • Both construct the same polynomial
       • With both secret shares, the polynomial and then the secret key can be recovered

  11. PASS Scheme – Key Management
     • The cloud keeps a profile for each client i
       • Hashed key and server request counter for authentication
       • Security label for access control

  12. PASS Scheme – Client Authentication
     • Client keeps its own request counter
     • Client → Server:
     • Server decrypts and gets both and
     • Client authentication succeeds if both:
       • the stored hashed key matches the hashed key derived from the secret shares
       • the server and client request counters match

  13. PASS Scheme – Access Control
     • Security label: (security level, {categories})
     • Security level: secret, non-secret
     • Each client i is a category
     • All query servers/processes are in category “query-system”  {all }
     • Security label for client i’s profile: (secret, { })

  14. PASS Scheme – Integrating Five Components
     • Steps 1-4 for initial client registration: key agreement and data encryption
     • Steps 5-12 for query processing
     • The diagram at the following link shows these steps.
     • http://cs.boisestate.edu/~jhyeh/pass_diagram.pdf
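The share recovery and authentication check from slides 10 to 12, as an added example that is not code from the presentation: the server stores only a hashed key, its own share and a request counter, and rebuilds the key per request. Assumptions, since the transcript does not show the polynomial or message formats: a degree-1 polynomial over a prime field with the key as f(0), shares at x = 1 and x = 2, SHA-256 as the hash, and the public-key encryption of the request omitted.

```python
import hashlib
import hmac
import secrets

# Assumption: shares live in GF(P). P is the NIST P-256 field prime,
# standing in for the slides' ECC prime p.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1


def make_shares(key):
    """Registration: hide `key` as f(0) of a random line f(x) = key + a*x mod P."""
    a = secrets.randbelow(P - 1) + 1
    client_share = (1, (key + a) % P)      # f(1), kept by the client
    server_share = (2, (key + 2 * a) % P)  # f(2), kept by the server
    return client_share, server_share


def recover_key(share_a, share_b):
    """Lagrange interpolation at x = 0 over the two shares."""
    (x1, y1), (x2, y2) = share_a, share_b
    inv = pow((x2 - x1) % P, -1, P)
    return (y1 * x2 - y2 * x1) * inv % P


def hash_key(key):
    return hashlib.sha256(key.to_bytes(32, "big")).digest()


class ClientProfile:
    """Server-side profile: hashed key, server share, request counter. No key."""

    def __init__(self, key, server_share):
        self.hashed_key = hash_key(key)
        self.server_share = server_share
        self.counter = 0

    def authenticate(self, client_share, client_counter):
        """Return the recovered key on success, None on any mismatch."""
        if client_counter != self.counter:
            return None  # replayed or out-of-sync request
        key = recover_key(client_share, self.server_share)
        if not hmac.compare_digest(hash_key(key), self.hashed_key):
            return None  # wrong share yields a different key
        self.counter += 1  # each counter value is accepted once
        return key
```

A request replayed with an old counter value, or one carrying a modified share, is rejected without the key ever being stored server-side.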
