7/27/2019 Enabling public auditability in cloud computing to provide security in storage
Enabling Public Auditability and Data Dynamics for Storage Security in Cloud Computing
Introduction
What is Cloud Computing?
A style of computing where massively scalable IT-enabled capabilities are delivered as a service.
Factors boosting cloud growth:
Cheaper and more powerful processors
SaaS technology transforms data centres into pools of computing service
Increasing network bandwidth, reliability and flexibility
Challenges
Data Integrity
Failures at the storage provider are hidden from the user.
CSPs may delete rarely accessed data.
How to efficiently check the integrity of data without having a local copy?
Stateless verification.
Unbounded use of queries.
Challenges
Private Auditability
Higher efficiency
Sacrifices the client's computational cost
Public Auditability
Uses a third party auditor, without the client devoting its own computation resources
Either the client or the TPA can check integrity.
Challenges
Data might not only be accessed but also updated by clients.
State-of-the-art technologies support only static data.
Block-less verification
System Model
Client
An entity which has large data files to be stored in the cloud for maintenance and computation
An individual or organisation
Cloud Storage Server
An entity which is managed by the CSP
Has significant storage space and computational resources
Third Party Auditor
An entity which has expertise and capabilities in auditing
Trusted to assess and expose the risk of the CSS.
Key Idea
Use a Merkle Hash Tree
A well-studied authentication structure to prove that a set of elements is unaltered and undamaged.
A challenge is given to the cloud provider.
To compute the response, the cloud provider needs to have the original blocks.
Merkle Hash Tree
MHT Construction
Based on an ordered set of values $x_1, x_2, \ldots, x_n$.
Build the tree from the elements of the ordered set.
Leaves correspond to $h(x_i)$, where $h(\cdot)$ is a cryptographic one-way hash function.
Proceed to the next level by hashing the concatenation of the hash values of two adjacent nodes.
Continue until the root node is formed.
The root node is digitally signed.
Merkle Hash Tree
Querying MHT
To verify the existence of an attribute of value v:
The server returns the co-path (the sibling hashes) from the specific leaf up to the root node.
The client recomputes the root hash from the leaf and the co-path and checks it against the signature.
If it matches the signed root tag, the stored data is valid.
Bilinear Mapping
Let $G_1, G_2$ be two groups of prime order $p$.
Let $P$ and $Q$ be generators of $G_1$.
Now consider a mapping $e : G_1 \times G_1 \rightarrow G_2$ such that, for $P, Q \in G_1$ and $a, b \in \mathbb{Z}_p$,
$e(aP, bQ) = e(P, Q)^{ab}$
Identity Based Encryption
Groups $G_1$ and $G_2$ with a bilinear mapping $e : G_1 \times G_1 \rightarrow G_2$
$g$ a generator of $G_1$
$s \in_R \mathbb{Z}_q$ is the secret
Public key is $P_{pub} = g^s$
Identity Based Encryption
Encryption
$E(g, g^s, \mathrm{BOB}, m) = (g^r,\; m \oplus h_2(e(h_1(\mathrm{BOB}), g^s)^r))$
$= (g^r,\; m \oplus h_2(e(h_1(\mathrm{BOB}), g)^{rs}))$, where $r \in \mathbb{Z}_p$ is a random element
Identity Based Encryption
Decryption
Private key: $w = h_1(\mathrm{BOB})^s$
Ciphertext: $(u, v) = (g^r,\; m \oplus h_2(e(h_1(\mathrm{BOB}), g)^{rs}))$
$D(u, v, w) = v \oplus h_2(e(w, u))$
$= m \oplus h_2(e(h_1(\mathrm{BOB}), g)^{rs}) \oplus h_2(e(h_1(\mathrm{BOB})^s, g^r))$
$= m$
The last step holds because, by bilinearity, $e(h_1(\mathrm{BOB})^s, g^r) = e(h_1(\mathrm{BOB}), g)^{rs}$, so the two masks are identical and cancel.
Setup
Given $F = (m_1, m_2, m_3, \ldots, m_n)$
Choose a random element $u$
Let $t = \mathrm{name} \| n \| u$
File tag for $F$ is $\mathrm{SSig}_{ssk}(\mathrm{name} \| n \| u)$
Compute a signature $\sigma_i$ for every block $m_i$:
$\sigma_i = (H(m_i) \cdot u^{m_i})^s$ for $1 \le i \le n$
Setup
Root $R$ of the MHT is created using the leaves $H(m_i)$
Client signs the root under its private key: $\mathrm{SSig}_{sk}(H(R)) = H(R)^s$
Client sends $\{F, t, \{\sigma_i\}, \mathrm{SSig}_{sk}(H(R))\}$ to the CSP and deletes $\{F, t, \{\sigma_i\}, \mathrm{SSig}_{sk}(H(R))\}$ from its local storage
Default Integrity Verification
TPA picks a c-element subset $I = \{s_1, s_2, s_3, \ldots, s_c\}$ of the set $[1, n]$
For each $i \in I$ the TPA chooses a random element $v_i \in B \subseteq \mathbb{Z}_p$
Verifier sends $\mathrm{chal} = \{(i, v_i)\}_{s_1 \le i \le s_c}$ to the CSP
According to the values in $\mathrm{chal}$, the CSP responds with a proof.
CSP calculates
$\mu = \sum_{i=s_1}^{s_c} v_i m_i \in \mathbb{Z}_p$
$\sigma = \prod_{i=s_1}^{s_c} \sigma_i^{v_i} \in G$
Co-path $\{\Omega_i\}_{s_1 \le i \le s_c}$ for each challenged block
CSP responds with $P = \{\mu, \sigma, \{H(m_i), \Omega_i\}_{s_1 \le i \le s_c}, \mathrm{Sig}_{sk}(H(R))\}$
Verification
Verifies $e(\mathrm{Sig}_{sk}(H(R)), g) = e(H(R), g^s)$
Verifies $e(\sigma, g) = e\left(\prod_{i=s_1}^{s_c} H(m_i)^{v_i} \cdot u^{\mu},\; g^s\right)$
Dynamic Data Operation
Modification
Client modifies $m_i \rightarrow m_i'$
Client generates $\sigma_i' = (H(m_i') \cdot u^{m_i'})^s$
Sends the above information to the CSP.
CSP replaces the block: $m_i \rightarrow m_i'$, $\sigma_i \rightarrow \sigma_i'$
Sends the new co-path to the client.
Client verifies $H(R)$ using the returned co-path and $H(m_i)$.
If it matches, the client calculates $H(R')$ and updates the tree.
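The MHT construction and querying slides, the co-path part of the challenge/response, and the modification step above, as an added example that is not from the original slides or the cited paper: a Python Merkle hash tree with co-path generation, TPA-side verification of challenged blocks, and the client-side root update on modification. Function names, the SHA-256 choice and the odd-level node duplication are assumptions; the pairing-based checks on σ and μ are not shown.

```python
import hashlib

def h(data: bytes) -> bytes:
    """Cryptographic one-way hash h() used for leaves and inner nodes (SHA-256 assumed)."""
    return hashlib.sha256(data).digest()

def build_mht(blocks):
    """Build the tree bottom-up; returns levels[0] = leaf hashes H(m_i), levels[-1] = [R]."""
    level = [h(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:                      # duplicate the last node on odd levels
            level = level + [level[-1]]
        level = [h(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
        levels.append(level)
    return levels

def co_path(levels, i):
    """Sibling hashes from leaf i up to the root: the co-path Omega_i the CSP returns."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = i ^ 1
        path.append((level[sib], sib < i))      # (sibling hash, sibling is on the left)
        i //= 2
    return path

def root_from(leaf_hash, path):
    """Recompute the root from H(m_i) and its co-path, leaf-to-root order."""
    node = leaf_hash
    for sib, sib_is_left in path:
        node = h(sib + node) if sib_is_left else h(node + sib)
    return node

def csp_prove(blocks, levels, challenge):
    """CSP side: for each challenged index return (H(m_i), Omega_i)."""
    return {i: (h(blocks[i]), co_path(levels, i)) for i in challenge}

def tpa_audit(signed_root, proof):
    """TPA side: every challenged block must reproduce the root R the client signed."""
    return all(root_from(leaf, path) == signed_root for leaf, path in proof.values())

def client_modify(signed_root, old_block, new_block, path):
    """Modification: check H(R) from the old block and co-path, then derive R'."""
    if root_from(h(old_block), path) != signed_root:
        raise ValueError("co-path does not match the signed root")
    return root_from(h(new_block), path)
```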
Insertion
Client has to add a new value $m_i'$
Client generates $\sigma_i' = (H(m_i') \cdot u^{m_i'})^s$
Sends $(m_i', \sigma_i')$ to the CSP
CSP updates the MHT and replies with $\{H(m_i), \Omega_i, H(R), R'\}$
Client generates the root $R$ and verifies it.
Client generates the new root $R'$ and sends back $\mathrm{Sig}_{sk}(H(R'))$
Conclusion
It is critical to enable the TPA to evaluate service quality from an independent perspective.
Achieved dynamic data verification.
Block-less verification is achieved.
Stateless verification is achieved.