Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rekeying for Encrypted Deduplication Storage

Published byNicholas Stafford Modified over 6 years ago

Similar presentations

Presentation on theme: "Rekeying for Encrypted Deduplication Storage"— Presentation transcript:

1 Rekeying for Encrypted Deduplication Storage
Jingwei Li*, Chuan Qin*, Patrick P. C. Lee*, Jin Li# *The Chinese University of Hong Kong #Guangzhou University DSN 2016

2 Cloud Storage Outsourcing data management to public cloud storage is common today Challenges: Security in outsourced storage Storage efficiency Solutions: Encryption: encrypts data before outsourcing Deduplication: stores one message for redundant messages with same content Compression can be further applied

3 Encryption vs. Deduplication
K Message M1 C Can be dedup’ed Can’t be dedup’ed K’ Message M2 C’ Traditional encryption prohibits deduplication Same messages encrypted with different keys  different ciphers

4 Encrypted Deduplication
Message-locked encryption [Bellare, EUROCRYPT’13] Derive encryption key from message itself Same message  Identical cipher text e.g., convergent encryption: key = message hash DupLESS [Bellare, USENIX Security’13] Realizes message-locked encryption A dedicated key manager for key generation MLE key generated by a derivation function Same messages  same ciphers Ciphers appear random

5 Rekeying Rekeying renews security protection Benefits: Challenges:
Replaces an existing key with a new encryption key Benefits: Protects against key compromise Revokes unauthorized users from accessing data Challenges: Renewing derivation function makes new data fail to be dedup’ed with old data Cipher re-encryption is expensive

6 Rekeying Challenges Renewing derivation function (e.g., K  K’): new data can’t be dedup’ed with old data: Cipher re-encryption with new key K’: Message Message K K’ Old Cipher New Cipher Message K K’ Old Cipher New Cipher

7 Our Contributions Design REED, a Rekeying-aware Encrypted Deduplication storage system Provides secure and lightweight rekeying Preserves content similarity for deduplication Two encryption schemes for REED Basic: high performance (203MB/s) Enhanced: resilient against key leakage (155MB/s) Enabling dynamic access control Testbed experiments

8 Threat Model Honest-but-curious adversary, who can: Assumptions:
Compromise storage backend Collude with any revoked client Attempt to learn files beyond access scope Monitor keys returned by key manager Assumptions: Encrypted and authenticated communication between client and key manager (e.g., by SSL/TLS) Key manager cannot infer message content (OPRF) Key manager is deployed in protected zone

9 Main Idea Build security on two symmetric keys:
File key: renewable, controlling access for files MLE key: unchanged, preserving deduplication Extends convergent all-or-nothing transform (CAONT) [Li, USENIX ATC’15] Encrypts entire message using MLE key; and further encrypts a small part (stub) using file key Performs deduplication on large part; yet message is unrecoverable with any small part unavailable Rekeying on stub (64 bytes, 0.78% for 8KB chunks)

10 REED Overview Target workload: backup and archival storage Client
Cloud File Server Chunk Storage Backend File Chunk Client Key Manager Our work is applicable to general distributed storage systems. Target workload: backup and archival storage

11 [Li, USENIX ATC’15] CAONT Hash Key Chunk h XOR t CAONT Package M M C G H XOR Limitation: Secure for unpredictable messages only (otherwise, vulnerable to brute-force dictionary attacks)

12 Basic Encryption Two modifications to CAONT
MLE Key Chunk KM XOR t Stub M M C G H Trimmed Package XOR Fix value canary c Two modifications to CAONT Replaces hash key by MLE key from key manager Add a canary for integrity checking Limitation: vulnerable to MLE key compromise

13 Enhanced Encryption Resilient against MLE key leakage:
Chunk KM KM KM h XOR t Stub M M C1 C2 C1 G Self-XOR Trimmed Package E XOR MLE CAONT Resilient against MLE key leakage: First applies MLE to form a ciphertext Then applies CAONT to the MLE ciphertext Rationale: MLE ciphertext is further protected by CAONT

14 Comparison Basic encryption: Enhanced encryption:
Vulnerable to MLE key compromise Adversary can recover large part (trimmed package) of the original message with MLE key obtained Faster encryption Enhanced encryption: Higher security level Adversary needs both MLE key and file key to recover a message Even if MLE key is disclosed, remains secure for unpredictable messages Slower encryption

15 Dynamic Access Control
REED Client MLE Key File encryption File key File decryption H CP-ABE enc. Key state REED Server Key regression CP-ABE dec. Private Derivation Key Private Access Key Uses CP-ABE for access control [Bethencourt, S&P’07] Uses key regression for lazy revocation [Kamara, NDSS’06]

16 Dynamic Access Control
Lazy revocation Current key state can derive previous states Revoked user cannot access future key states Allows user to access not-yet-updated files Defers file re-encryption (e.g. midnight update) Active revocation Re-encryption happens immediately with new key

17 Confidentiality Level 1: same as DupLESS
Adversary can access all trimmed packages, encrypted stubs, and encrypted key states Level 2: colluding with revoked users Adversary can learn a set of private access keys from any revoked user Level 3: monitoring key generation Adversary can monitor a subset of revoked users and identify MLE keys returned by key manager

18 Integrity Basic encryption Enhanced encryption
By checking the canary attached to recovered chunks Enhanced encryption By comparing the hash of MLE ciphertext

19 Implementation Entities: Optimization:
Client: chunking, encryption/decryption, upload/download Key manager: MLE key generation Server: deduplication, metadata storage Cloud: file recipe, stub, key states Optimization: Batch key generation requests to mitigate I/O Cache previous MLE keys to reduce computation Parallelize key generation, encryption and upload via multi-threading

20 Evaluation Datasets Testbed
Synthetic dataset (2 GB files with unique chunks) FSL data trace (147 daily snapshots, 56.2 TB in total) Testbed Servers connected over a Gigabit LAN

21 MLE Key Generation Key generation is expensive (for unique data)
REED achieves MB/s

22 Encryption Encryption is not a bottleneck Basic: 203MB/s
Enhanced:155MB/s

23 Data Transfer Caching boosts overall performance
First upload bounded by key generation (17MB/s) Second upload of identical data bounded by network (106MB/s)

24 Rekeying Performance Rekeying delays remain small 3.4s for 8 GB data

25 Storage Efficiency Storage overhead of FSL traces
Storage saving of 98.6% Reduces storage space for ~56 TB logical data to ~431 GB physical data plus ~380 GB stub data

26 Trace-driven Upload/Download
7 consecutive daily backups First day around 13.1 MB/s due to key generation Later transfers reach around 105 MB/s

27 Conclusions REED: Enables rekeying for encrypted deduplication storage Proposes two encryption schemes Enables dynamic access control Implements a prototype Conducts extensive trace-driven evaluation Software:

Download ppt "Rekeying for Encrypted Deduplication Storage"

Similar presentations

Cloud Computing Security Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva, Melek Ӧ nen, Pasquale Puzio December 18, 2013 – Sophia-Antipolis, France.

Cloud Computing Security Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva, Melek Ӧ nen, Pasquale Puzio December 18, 2013 – Sophia-Antipolis, France.
Henry C. H. Chen and Patrick P. C. Lee

Henry C. H. Chen and Patrick P. C. Lee
1 NCFS: On the Practicality and Extensibility of a Network-Coding-Based Distributed File System Yuchong Hu 1, Chiu-Man Yu 2, Yan-Kit Li 2 Patrick P. C.

1 NCFS: On the Practicality and Extensibility of a Network-Coding-Based Distributed File System Yuchong Hu 1, Chiu-Man Yu 2, Yan-Kit Li 2 Patrick P. C.
SPORC: Group Collaboration using Untrusted Cloud Resources Ariel J. Feldman, William P. Zeller, Michael J. Freedman, Edward W. Felten Published in OSDI’2010.

SPORC: Group Collaboration using Untrusted Cloud Resources Ariel J. Feldman, William P. Zeller, Michael J. Freedman, Edward W. Felten Published in OSDI’2010.
Yuchong Hu1, Henry C. H. Chen1, Patrick P. C. Lee1, Yang Tang2

Yuchong Hu1, Henry C. H. Chen1, Patrick P. C. Lee1, Yang Tang2
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
1 Simultaneous Distribution Control and Privacy Protection for Proxy based Media Distribution George Mason University Songqing Chen (George Mason University)

1 Simultaneous Distribution Control and Privacy Protection for Proxy based Media Distribution George Mason University Songqing Chen (George Mason University)
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Mobile Data Sharing over Cloud Group No. 8 - Akshay Kantak - Swapnil Chavan - Harish Singh.

Mobile Data Sharing over Cloud Group No. 8 - Akshay Kantak - Swapnil Chavan - Harish Singh.
MetaSync File Synchronization Across Multiple Untrusted Storage Services Seungyeop Han Haichen Shen, Taesoo Kim*, Arvind Krishnamurthy,

MetaSync File Synchronization Across Multiple Untrusted Storage Services Seungyeop Han Haichen Shen, Taesoo Kim*, Arvind Krishnamurthy,
Multi-level Selective Deduplication for VM Snapshots in Cloud Storage Wei Zhang*, Hong Tang †, Hao Jiang †, Tao Yang*, Xiaogang Li †, Yue Zeng † * University.

Multi-level Selective Deduplication for VM Snapshots in Cloud Storage Wei Zhang*, Hong Tang †, Hao Jiang †, Tao Yang*, Xiaogang Li †, Yue Zeng † * University.
Network Coding Distributed Storage Patrick P. C. Lee Department of Computer Science and Engineering The Chinese University of Hong Kong 1.

Network Coding Distributed Storage Patrick P. C. Lee Department of Computer Science and Engineering The Chinese University of Hong Kong 1.
1 Convergent Dispersal: Toward Storage-Efficient Security in a Cloud-of-Clouds Mingqiang Li 1, Chuan Qin 1, Patrick P. C. Lee 1, Jin Li 2 1 The Chinese.

1 Convergent Dispersal: Toward Storage-Efficient Security in a Cloud-of-Clouds Mingqiang Li 1, Chuan Qin 1, Patrick P. C. Lee 1, Jin Li 2 1 The Chinese.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
Min Xu1, Yunfeng Zhu2, Patrick P. C. Lee1, Yinlong Xu2

Min Xu1, Yunfeng Zhu2, Patrick P. C. Lee1, Yinlong Xu2
A Survey on Secure Cloud Data Storage ZENG, Xi 1010105140 CAI, Peng 1010121750.

A Survey on Secure Cloud Data Storage ZENG, Xi CAI, Peng
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.

COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.

Similar presentations

Ads by Google