Seny Kamara & Kristin Lauter, Microsoft Research. B99705013 廖以圻 B99705025 陳育旋.


- Introduction of the cloud storage service
- The basic concept of cryptography
- Architecture of a cryptographic storage service
- Benefit of a cryptographic storage service
- The core component of a cryptographic storage service
- Summary


- Cloud infrastructure can be categorized as private or public.
- Benefits of a public storage service: availability, reliability, efficient retrieval, data sharing.

- Main concerns for a public storage service:
  1. confidentiality
  2. integrity
- We argue for designing a virtual private storage service based on recent cryptographic techniques.


Symmetric & asymmetric encryption

Symmetric encryption

Asymmetric encryption


- Data processor (DP): processes data before it is sent to the cloud.
- Data verifier (DV): checks whether the data in the cloud has been tampered with.
- Token generator (TG): generates tokens that enable the cloud storage to retrieve segments of customer data.
- Credential generator (CG): implements an access control policy by issuing credentials to the various parties in the system.

- A CUSTOMER ARCHITECTURE
- AN ENTERPRISE ARCHITECTURE

- The story begins with three parties: Alice, Bob and the storage provider.
- Alice wants to share data with Bob.
- How to do that?

- First, Alice and Bob use the same DP, DV and TG.
- Alice generates a cryptographic key (master key), which is kept locally.

- When Alice wants to upload files:
  - Using DP: attaches metadata, then encrypts and encodes the data.
  - Using DV: verifies the integrity of the data.
  - Using TG: when she wants to retrieve data, she sends a token to the cloud storage to search for the appropriate encrypted file.

- When Bob wants to retrieve some file:
  - Alice uses TG to make a token for Bob, and also uses a CG to make a credential for Bob.
  - After Bob receives the token and credential, he uses the token to retrieve the data and decrypts it with the credential.


- MegaCorp wants to share data with PartnerCorp. MegaCorp stores its data with a cloud storage provider.
- Depending on the particular scenario, dedicated machines will run various core components.

- Each MegaCorp and PartnerCorp employee receives a credential from the credential generator.
- Everyone's credential is different, assigned according to position.
- Whenever a MegaCorp employee generates data that needs to be stored in the cloud, the employee sends the data together with an associated decryption policy to the dedicated machine for processing.

- To retrieve data from the cloud, an employee requests an appropriate token from the dedicated machine.
- Different tokens can access different information.
- Usage of DV is the same as before.

- When a PartnerCorp employee needs access to MegaCorp's data, the employee authenticates to MegaCorp's dedicated machine and sends it a keyword.
- The dedicated machine returns an appropriate token, which the employee uses to recover the appropriate files.

- In the case that MegaCorp is a very large organization, the data processor may be heavily loaded.

- In another case, the dedicated machines only run data verifiers, token generators and credential generators, while the data processing is distributed to each employee.


- Control of the data is maintained by the customer.
- The security properties are derived from cryptography.

- Regulatory compliance
- Geographic restrictions
- Subpoenas
- Security breaches
- Electronic discovery
- Data retention and destruction

- Regulatory compliance (data protection)
  - Laws for protecting data.
  - Solution: the data processor and encryption may help.
- Geographic restrictions
  - It can be difficult to ascertain exactly where one's data is being stored once it is sent to the cloud. Some customers may be reluctant to use a public cloud for fear of increasing their legal exposure.
  - Solution: all data is stored in encrypted form.

- Subpoenas
  - If the data is stored in a public cloud, the request may be made to the cloud provider, and the latter could even be prevented from notifying the customer.
  - Solution: data is stored in encrypted form and the customer retains possession of all the keys.
- Security breaches (vulnerabilities)
  - There is always the possibility of a security breach.
  - Solution: data integrity can be verified at any time.

- Electronic discovery
  - Organizations are required to preserve and produce records for litigation. Organizations with high levels of litigation may need to keep a copy of large amounts of data.
  - Solution: a customer can verify the integrity of its data at any point in time.
- Data retention and destruction
  - It can be difficult for a customer to ascertain the integrity of the data or to verify whether it was properly discarded.
  - Solution: secure data erasure can be effectively achieved by just erasing the master key.

- Anyway, it all comes down to one point:
- Encrypted data and the data verifier.


- The drawbacks of the cryptographic storage service: we have to download all the data, decrypt it and search locally. The organization has to retrieve all the data to verify its integrity.

- Improvement:
  1. The DP indexes the data and encrypts it under a unique key.
  2. Encrypt the index using searchable encryption.
  3. Encrypt the unique key with attribute-based encryption.
  4. The data verifier can verify the integrity of the data using a proof of storage.

- Searchable encryption: a way to encrypt a search index.
- Given a token for a keyword, one can retrieve pointers to the encrypted files.
- But sometimes the searching may leak some information to the service provider.
- SSE / ASE / ESE / mSSE

- Symmetric searchable encryption (SSE)
- Single writer / single reader (SWSR)
- Based on symmetric primitives
- Without any token, the server learns nothing about the data except its length.
- Given a token for keyword w, the provider learns which documents contain w without learning w.
- Disadvantage: search time / update
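The SSE behaviour listed above, as an added Python example that is not taken from the slides or from Kamara and Lauter's construction: a simplified HMAC-based encrypted index where the token lets the provider find the matching file ids without seeing the keyword. The function names, the toy XOR cipher and the sample files are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, label: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 used as a PRF, domain-separated by label."""
    return hmac.new(key, label + b"|" + msg, hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (toy cipher, no integrity)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def make_token(master_key: bytes, keyword: str) -> tuple:
    """Token generator: an index address plus a one-list decryption key."""
    w = keyword.lower().encode()
    return prf(master_key, b"addr", w), prf(master_key, b"list", w)

def build_index(master_key: bytes, docs: dict) -> dict:
    """Data processor: map PRF(keyword) to an encrypted list of file ids."""
    postings = {}
    for doc_id, words in docs.items():
        for w in set(words):
            postings.setdefault(w, []).append(doc_id)
    index = {}
    for w, ids in postings.items():
        address, list_key = make_token(master_key, w)
        index[address] = xor_stream(list_key, ",".join(sorted(ids)).encode())
    return index

def server_search(index: dict, token: tuple) -> list:
    """Storage provider: sees opaque addresses and, per token, matching ids."""
    address, list_key = token
    blob = index.get(address)
    return xor_stream(list_key, blob).decode().split(",") if blob else []

# Constructed sample files; the index still leaks entry count and list lengths.
MASTER_KEY = secrets.token_bytes(32)
DOCS = {"f1": ["budget", "merger"], "f2": ["merger"], "f3": ["payroll"]}
INDEX = build_index(MASTER_KEY, DOCS)
```

Updating this index means rebuilding the affected entries, which is the update cost the slide lists as a disadvantage.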

- Asymmetric searchable encryption (ASE)
- Many writers / single reader (MWSR)
- Based on symmetric primitives
- Without any token, the server learns nothing about the data except its length.
- Given a token for keyword w, the provider learns which documents contain w.
- Disadvantage: the token w can be learned

- Efficient ASE (ESE)
- Search time is more efficient than ASE.
- Disadvantage: the token w can be learned

- Multi-user SSE
- Single writer / many readers (SWMR)
- The owner can add and revoke users' search privileges over his data.


- With attribute-based encryption, each user in the system is provided with a decryption key that has a set of attributes associated with it (credentials).
- Decryption only works if the attributes associated with the decryption key match the policy used to encrypt the message.


- A proof of storage is a protocol by which the server can prove to the client that it did not tamper with the data.
- The protocol can be executed an arbitrary number of times.
- The amount of information exchanged is independent of the size of the data.
- Privately / publicly verifiable
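A privately verifiable proof of storage with the properties listed above, as an added Python example that is not taken from the slides: it uses linear homomorphic tags in the style of Shacham and Waters, a technique chosen here for illustration. The function names, the modulus and the sample data are assumptions.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # prime modulus for all tag arithmetic

def f(key: bytes, i: int) -> int:
    """PRF from block index to a number mod P."""
    mac = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % P

def blocks_of(data: bytes, size: int = 15) -> list:
    """Split data into 15-byte integers, each smaller than P."""
    return [int.from_bytes(data[i:i + size], "big") for i in range(0, len(data), size)]

def tag(key: bytes, alpha: int, data: bytes) -> list:
    """Data processor: t_i = f(i) + alpha * m_i mod P, uploaded with the data."""
    return [(f(key, i) + alpha * m) % P for i, m in enumerate(blocks_of(data))]

def challenge(n_blocks: int, sample: int = 4) -> list:
    """Data verifier: fresh random block indices and coefficients each run."""
    picks = secrets.SystemRandom().sample(range(n_blocks), min(sample, n_blocks))
    return [(i, secrets.randbelow(P - 1) + 1) for i in sorted(picks)]

def prove(data: bytes, tags: list, chal: list) -> tuple:
    """Storage provider: answers with two numbers, whatever the data size."""
    m = blocks_of(data)
    mu = sum(c * m[i] for i, c in chal) % P
    sigma = sum(c * tags[i] for i, c in chal) % P
    return mu, sigma

def verify(key: bytes, alpha: int, chal: list, proof: tuple) -> bool:
    """Data verifier: needs only the secret key, not a copy of the data."""
    mu, sigma = proof
    return sigma == (sum(c * f(key, i) for i, c in chal) + alpha * mu) % P

# Constructed sample: the customer keeps KEY and ALPHA, the provider gets DATA and TAGS.
KEY, ALPHA = secrets.token_bytes(32), secrets.randbelow(P - 1) + 1
DATA = b"constructed sample file contents " * 8
TAGS = tag(KEY, ALPHA, DATA)
```

Sampling only a few blocks per challenge keeps each run cheap; a modified block is caught only when a challenge happens to include it, so the verifier repeats the protocol over time.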