1
A PASS Scheme in Cloud Computing - Protecting Data Privacy by Authentication and Secret Sharing
Jyh-haw Yeh
Dept. of Computer Science
Boise State University
2
Cloud Computing Introduction
Cloud provides services – software, platform, infrastructure.
Clients are charged on a per-use basis.
Capital Expenditure (CapExp) -> Operational Expenditure (OpExp)
Multi-tenancy: better resource utilization
Reliability: redundant sites
Security: better protection from outside attacks.
Security: big ? from malicious cloud employees.
3
The Problem to Solve
Protecting clients’ data privacy from cloud employees.
Perfect solution: fully homomorphic encryption algorithm (FHEA).
No practical algorithm available.
Without FHEA, 100% data privacy may not be possible.
4
PASS Scheme
Protect data Privacy by Authentication and Secret Sharing (PASS).
Objective: minimize the risk of leaking private data.
Approach:
– Encrypt data by a key shared with the client.
– Do not store the key anywhere in the cloud.
– Use secret sharing to authenticate users and recover the shared key.
5
PASS Scheme
5 security components:
– Public key cryptosystem (PKC): published by cloud.
– Key agreement (KA): agree on a shared key and two secret shares at registration.
– Key management (KM): keep a profile for each client.
– Authentication (AUTH): client’s counter server’s counter; Computed hashed key from client’s request stored hashed key
– Access control (ACL): a second line of defense for the time frame in which the secret key is in use for processing a query.
6
PASS Scheme
Design guideline:
– Ensure secret isolation (secret compartment).
– Give security a higher priority than efficiency.
– Choose a design choice that would benefit multiple security components.
7
PASS Scheme - PKC
PASS chooses ECC over RSA.
ECC: a curve is chosen over a prime p. A base point G with an order n.
Cloud provider publishes the ECC domain parameter.
Each cloud entity (server, clients) sets up his own public-private key pair.
– Server: public, private, where
– Client i: public, private, where
8
PASS Scheme – Key Agreement
Each client i and the cloud server s agree on a data encryption key and two secret shares (known to the client) and (known to the server).
The secret shares are used to recover the encryption key.
9
PASS Scheme – Key Agreement
Encryption key agreement:
– Client i chooses a random number and then sends to the server s
– Server s chooses a random number and then sends to the client i
– Both compute a point
– Agree on an encryption key : the x-coordinate of
10
PASS Scheme – Key Agreement
Secret shares agreement:
– Both compute a point and let be the x-coordinate of the point
– Both construct the same poly
–
– With both secret shares, the poly and then the secret key can be recovered
11
PASS Scheme – Key Management
The cloud keeps a profile for each client i
– Hashed key and server request counter for authentication
– Security label for access control
Client ID Security Label
12
PASS Scheme – Client Authentication
Client keeps his own request counter
Client Server:
Server decrypts and gets both and
Client authentication succeeds if both
– the stored hashed key matches the hashed key derived from secret shares
– the server and client request counters match
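An added example, not from the original slides: the two authentication checks above, with a server that keeps only a hashed key and a request counter and rebuilds the key from the two shares. The slides' polynomial did not survive on this page, so the degree-1 polynomial over the prime field `P`, SHA-256, the `Server` class and the counter increment are assumptions, and the public-key encryption of the client's request is omitted.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19  # prime field for the polynomial (assumed; not given on the slides)

def make_shares(key):
    """Split key with f(x) = key + a*x mod P: f(1) for the client, f(2) for the server."""
    a = secrets.randbelow(P - 1) + 1
    return (key + a) % P, (key + 2 * a) % P

def recover_key(client_share, server_share):
    """Interpolate f(0) from the points (1, client_share) and (2, server_share)."""
    return (2 * client_share - server_share) % P

def hash_key(key):
    return hashlib.sha256(key.to_bytes(32, "big")).digest()

class Server:
    """Holds, per client, a hashed key, its own share and a request counter; never the key."""
    def __init__(self):
        self.profiles = {}

    def register(self, client_id, key, server_share):
        # The key is hashed and then dropped; only the hash goes into the profile.
        self.profiles[client_id] = {"hashed_key": hash_key(key),
                                    "share": server_share, "counter": 0}

    def authenticate(self, client_id, client_share, client_counter):
        """Return the recovered key if both checks pass, else None."""
        prof = self.profiles.get(client_id)
        if prof is None:
            return None
        key = recover_key(client_share, prof["share"])
        hash_ok = hmac.compare_digest(hash_key(key), prof["hashed_key"])
        if not (hash_ok and client_counter == prof["counter"]):
            return None
        prof["counter"] += 1  # assumed: both sides advance after a successful request
        return key

def demo():
    """Constructed run: register, one good request, a replay, and a wrong share."""
    key = secrets.randbelow(P)  # stands in for the agreed encryption key
    c_share, s_share = make_shares(key)
    server = Server()
    server.register("client-1", key, s_share)
    good = server.authenticate("client-1", c_share, 0) == key
    replay = server.authenticate("client-1", c_share, 0)           # stale counter
    wrong = server.authenticate("client-1", (c_share + 1) % P, 1)  # bad share
    return good, replay, wrong
```

The replayed request fails on the counter check even though its share is valid, and the altered share fails on the hash comparison even though its counter is current.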
13
PASS Scheme – Access Control
Security label: (security level, {categories})
Security level: secret, non-secret
Each client i is a category
All query servers/processes are in category “query-system” {all }
Security label for client i’s profile: (secret, { })
14
PASS Scheme – Integrating Five Components
Steps 1-4 are for initial client registration: key agreement and data encryption
Steps 5-12 are for query processing
The diagram at the following link shows these steps.
http://cs.boisestate.edu/~jhyeh/pass_diagram.pdf