Xiaohua Jia Shen Zhen Graduate School Harbin Institute of Technology Data Security for Cloud Storage Systems 1

Outline Dept. of Computer Science City University of Hong Kong 2  Cloud Storage Systems  Auditing as a Service  Access Control as a Service

Cloud Storage Systems Dept. of Computer Science City University of Hong Kong 3

Cloud Storage Systems – data owners  A model of online storage Dept. of Computer Science City University of Hong Kong 4 Cloud Service Providers Operate large data centers Virtualize storage pools Data Owners Buy or rent storage in a pay-as-you-go model Data stored in virtual storage

Cloud Storage Systems - users Dept. of Computer Science City University of Hong Kong 5 Owners Users  Separation of data ownership and service provider Users can access data from anywhere and at anytime

Security Challenges Cloud Servers are not fully trustable:  Data Integrity Data could be corrupted or even deleted in the cloud.  Data Access control Data may be given access to unauthorized users. Dept. of Computer Science City University of Hong Kong 6

Data Integrity Auditing as a Service Dept. of Computer Science City University of Hong Kong 7

Auditing as a Service Checking On Retrieval is not adequate:  Not sufficient: random sampling cannot cover large size of data  Not convenient: overhead is too high Dept. of Computer Science City University of Hong Kong 8 Auditing as a Service  A service to check the cloud data integrity  Conducted by a Third Party Auditor

Why Third Party Auditing? Dept. of Computer Science City University of Hong Kong 9 A third party auditor can  Provide unbiased auditing results  Benefit for both data owners and service providers  Data Owners – be ensured data integrity  Service Providers – Build good reputation  Able to do a good job efficiently  Professional Expertise  Computing Capabilities

Research Issues  Privacy Preservation  Keep the data confidential against the auditor  Dynamic Auditing  Allow dynamic updates of data in the cloud  Batch Auditing  Combine multiple auditing tasks together to improve efficiency Dept. of Computer Science City University of Hong Kong 10

Architecture of 3 rd Party Auditing Initialization: Data owner sends 1) encrypted data & verification tags to server, and 2) data index to auditor  Challenge: Auditor sends Challenge to cloud server  Proof: Server responses with Proof  Verification: Auditor verifies correctness of the Proof Dept. of Computer Science City University of Hong Kong 11 Auditor Owners Cloud Servers

An Auditing Algorithm  Initialization  Data Segmentation – Improve Efficiency  Homomorphic Tag – Batch Auditing Dept. of Computer Science City University of Hong Kong 12 m m1m1 mimi mnmn mimi m i1 m ij …… m il …… Divide m into n blocks Split m i into l sectors System Parameters: G 1, G 2, G T : multiplicative groups with the same prime order p e: pairing operation maps a pair of points from G 1 and G 2 to a point in G T g 1 : generator of G 1 ; g 2 : generator of G 2

Initialization (cont’d) Dept. of Computer Science City University of Hong Kong 13 m m1m1 mimi mnmn mimi m i1 m ij …… m il …… abstract information of m: FID, # of blocks, index table, etc. Cloud Servers Auditor t i = (h(sk h, FID||i)Π j=1->l g 1 x j m ij ) sk t sk t : secret tag key kept by owner sk h : secret hash key shared with auditor g 2 skt : public tag key shared with auditor g 1 xj : random key shared with the cloud

Sampling Auditing  Challenge from auditor: C = ({i, v i } i  Q, R = (g 2 sk t ) r )  Proof by Cloud: P = (DP, TP)  Data Proof: DP = Π j=1->l e(g 1 x j, R) MP j where MP j = Σ i  Q v i m ij  Tag Proof: TP = Π i  Q t i v i Dept. of Computer Science City University of Hong Kong 14 m1m1 m 11 m 1j m1lm1l …… mimi m i1 m ij m il …… mqmq m q1 m qj m ql …… MP 1 MP j MP l

Sampling Auditing  Challenge from auditor : C = ({i, v i } i  Q, R = (g 2 sk t ) r )  Proof by Cloud: P = (DP, TP)  Data Proof: DP = Π j=1->l e(g 1 x j, R) MP j where MP j = Σ i  Q v i m ij  Tag Proof: TP = Π i  Q t i v i  Verification by auditor: H chal = Σ i  Q h(sk h, FID||i) rv i DP·e(H chal, g 2 sk t ) = e(TP, g 2 r ) Dept. of Computer Science City University of Hong Kong 15 ?

References  Kan Yang and Xiaohua Jia. “Security for Cloud Storage Systems”, Springer 2014, ISBN  Kan Yang and Xiaohua Jia. “An Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud Computing”. IEEE Trans. on Parallel and Distributed Systems (TPDS), Vol 24, Issue 9, September  Kan Yang and Xiaohua Jia. “Data Storage Auditing Service in Cloud Computing: Challenges, Methods and Opportunities”. World Wide Web, Vol 15, Issue 4, July Dept. of Computer Science City University of Hong Kong 16

Data Access Control Access Control as a Service Dept. of Computer Science City University of Hong Kong 17

Dept. of Computer Science City University of Hong Kong 18 Access Control as a Service Data stored in server is encrypted.  Encryption-based Access Control  Each authorized user receives a secret key  Users can decrypt ciphertext by their secret keys SK User Owner

Dept. of Computer Science City University of Hong Kong 19 Difficulties in Key Distribution  Asymmetric Key Encryption (users pub-key for encryption)  Multi-copies of encrypted data for difference users  Symmetric Key Encryption  Difficulties in key distribution

A Wish-list for Encryption-based Access Control  Key management is scalable  No need of online trusted server for access control  Expressive access control polices Dept. of Computer Science City University of Hong Kong 20 Attribute-Based Encryption (ABE) is a promising direction to go!

Ciphertext-Policy Attribute-Based Encryption (CP-ABE)  Data are encrypted by the access policy  Secret keys are associated with attributes  Attributes are mathematically incorporated into the key Dept. of Computer Science City University of Hong Kong 21 (CS AND PhD) OR Prof OR AND CS PhD Prof {EE, Prof} Alice SK Bob {CS, PhD}

 Ciphertext can be decrypted iff attributes in the key satisfy the access policy Dept. of Computer Science City University of Hong Kong 22 Ciphertext-Policy Attribute-Based Encryption (CP-ABE) No 3 rd party evaluates the policy and makes access decision (server is excluded) Policy checking is embedded in cryptography {EE, Prof} (CS AND PhD) OR Prof Satisfies Alice

Attribute-Based Access Control (ABAC) Dept. of Computer Science City University of Hong Kong 23 PK MSK SK Bob : “CS Dept.” “Professor” SK Kevin : “CS Dept.” “Master” OR Professor AND CS Dept.PhD     Authority Owner

Advantages of ABAC  Access policy is defined by owners  Access policy is enforced by the cryptography  nobody explicitly evaluates the policies and makes an access decision  Only one copy of ciphertext is generated for each file Dept. of Computer Science City University of Hong Kong 24

Basic Construction  G: multiplicative group of prime order p.  Intuitive Hardness Discrete Log: Given: g, g a Hard to find: a  Bilinear map e: G  G  G T Def: An admissible bilinear map e: G  G  G T is: – Non-degenerate: g generates G  e(g, g) generates G T. – Bilinear: e(g a, g b ) = (e(g,g)) ab  a,b  Z p, g  G – Efficiently computable Dept. of Computer Science City University of Hong Kong 25

CP-ABE Algorithms Dept. of Computer Science City University of Hong Kong 26 Setup(λ) -> MSK, PK PK MSK Encrypt(PK,M, Access policy) -> CT KeyGen(MSK, Attrs.) -> SK “CS Dept.” “PhD” SK Decrypt(SK, CT) -> M “CS Dept.” “PhD” SK OR Professor AND CS Dept. PhD OR Professor AND CS Dept. PhD

System Setup Dept. of Computer Science City University of Hong Kong 27 PK = ( g, g b, e(g, g) a, H: {0,1} *  G ) MSK = a MSK Public Key Authority a, b  R Z P

Secret Key Generation Dept. of Computer Science City University of Hong Kong 28 Authority Authority issues secret keys for users who have attributes Bob Alice Charlie “CS Dept.” “Professor” “CS Dept.” “Master” “EE Dept.” “PhD”

Collusion Attack Dept. of Computer Science City University of Hong Kong 29  Users may collude to decrypt data by combining their attributes “EE Dept.” “PhD” Charlie Bob “CS Dept.” “Master” OR AND CS Dept. PhD Prof 

Prevent Collusion Attack Dept. of Computer Science City University of Hong Kong 30 SK = ( g a+bt, g t, H(“Master”) t, H(“CS Dept.”) t, H(“TA”) t ) t: random number in Z p. It ties components in SK together Authority MSK = a Bob has attributes: {“Master”, “CS Dept.”, “TA”} Personalization! Collusion Resistance

Key Personalization Dept. of Computer Science City University of Hong Kong 31 Bob: “CS Dept.” … Charlie: “PhD” … Random t Random t’ Components are incompatible g a+bt, g t, H(“CS Dept.”) t, g a+bt’, g t’, H(“PhD”) t’ SK

Data Encryption Dept. of Computer Science City University of Hong Kong 32 M Given M and policy, owner generates a random secret s OR AND CS Dept. PhD Prof s s s 3 =rs 2 =s-r s 1 =s Data Owner OR Professor AND CS Dept. PhD Ciphertext: CT = ( M e(g,g) as, g s, C 1 = (g bs 1 H(“Prof”) r 1, g r 1 ), C 2 = (g bs 2 H(“PhD”) r 2, C 3 = (g bs 3 H(“CS Dept.”) r 3, g r 3 ) ). PK = ( g, g b, e(g, g) a, H: {0,1} *  G )

Data Decryption Dept. of Computer Science City University of Hong Kong 33 Ciphertext CT Secret Key SK CT = ( M  e(g,g) as, g s, C 1 = (g bs 1 H(“Prof”) r 1, g r 1 ), C 2 = (g bs 2 H(“PhD”) r 2, g r 2 ), C 3 = (g bs 3 H(“CS Dept.”) r 3, g r 3 ) ) SK = ( g a+bt, g t, H(“Prof”) t, H(“PhD”) t, H(“CS Dept.”) t ) e(g,g) bts = e(g bs 1 H(“Prof”) r 1, g t ) e(g r 1, H(“Prof”) t ) e(g a+bt, g s ) = e(g,g) as e(g,g) bts “ Prof ” “PhD” AND “CS Dept.” OR = e(g,g) bts 2 e(g,g) bts 3 = e(g,g) bts e(g bs 2 H(“PhD”) r 2, g t ) e(g r 2, H(“PhD”) t ) e(g bs 3 H(“CS Dept.”) r3, g t ) e(g r 3, H(“CS Dept.”) t ).

Research Challenges Dept. of Computer Science City University of Hong Kong 34  Multiple Authorities Bob: “CS dept.” Kevin: “manager” AND CS dept. OR managermarketing Authority in CityU Authority in Google

Research Challenges Dept. of Computer Science City University of Hong Kong 35  Attribution Revocation  Prevent revoked users from decrypting new ciphertexts  Guarantee new users to decrypt previous ciphertexts  Decryption Efficiency  Mobile Devices  Policy Hidden K Yang, X Jia, K Ren, R Xie and L Huang. “Enabling Efficient Access Control with Dynamic Policy Updating for Big Data in the Cloud”, INFOCOM’14. K Yang, X Jia, K Ren and B Zhang. “DAC-MACS: Effective Data Access Control for Multi- Authority Cloud Storage Systems”, INFOCOM’13, extended version in IEEE Trans on Information Forensics and Security 8(11), K Yang and X Jia. “Attributed-based Access Control for Multi-authority Systems in Cloud Storage,” ICDCS’12.

Summary  Cloud server is not fully trusted by data owners  Data Integrity  Auditing as a Service  Data Access Control  Access Control as a Service Dept. of Computer Science City University of Hong Kong 36

Q&A Thank You! Dept. of Computer Science City University of Hong Kong 37