Publication


Featured research published by Changhee Hahn.


Multimedia Tools and Applications | 2017

Secure deduplication for multimedia data with user revocation in cloud storage

Hyunsoo Kwon; Changhee Hahn; Daeyoung Kim; Junbeom Hur

The growth of multimedia data motivates users to utilize cloud storage (CS) to exploit its massive size. For this extensible storage system, there are two desirable requirements: (1) the users should be able to ensure that their outsourced data is securely protected and (2) the cloud service provider should be able to eliminate redundant copies of data to improve storage utilization. Conventional encryption schemes do not support deduplication on ciphertext because they destroy message equality. A recent study, DupLESS, has enhanced Convergent Encryption (CE) and provided strong privacy. However, CE-based schemes allow a user to possibly decrypt cloud data even if the user loses ownership of the data. In order to solve this problem, we propose a secure deduplication scheme with user revocation. Our scheme leverages an oblivious pseudo-random function to generate the encryption key. The CS enforces the data access policy using privilege-based encryption to provide user revocation. The security analysis proves that the proposed scheme is secure against unauthorized decryption by revoked users or the cloud server, and against brute-force attacks on a predictable set of data.


Multimedia Tools and Applications | 2016

Privacy-preserving public auditing for educational multimedia data in cloud computing

Daeyeong Kim; Hyunsoo Kwon; Changhee Hahn; Junbeom Hur

Nowadays, as distance learning is being widely used, multimedia data has become an effective way of delivering educational contents in online educational systems. To handle the educational multimedia data efficiently, many distance learning systems adopt a cloud storage service. Cloud computing and storage services provide secure and reliable access to the outsourced educational multimedia contents for users. However, this brings challenging security issues in terms of data confidentiality and integrity. The straightforward way to check integrity is to make the user download the entire data to verify it, but this is inefficient due to the large size of educational multimedia data in the cloud. Recently many integrity auditing protocols have been proposed, but most of them do not consider the data privacy for the cloud service provider. Additionally, the previous schemes suffer from dynamic management of outsourced data. In this paper, we propose a public auditing protocol for educational multimedia data outsourced in the cloud storage. By using random values and a homomorphic hash function, our proposed protocol ensures data privacy for the cloud and the third party auditor (TPA). Also, it is secure against loss attack and tamper attack. Moreover, our protocol is able to support fully dynamic auditing. Security and performance analysis results show that the proposed scheme is secure while guaranteeing minimum extra computation costs.


Multimedia Tools and Applications | 2017

Secure authentication using ciphertext policy attribute-based encryption in mobile multi-hop networks

Hyunsoo Kwon; Daeyeong Kim; Changhee Hahn; Junbeom Hur

With the dramatic increase in the number of mobile devices such as smartphones and tablet PCs, mobile traffic has increased enormously. In particular, multimedia data accounts for the bulk of the traffic transmitted in mobile networks. To accommodate this growth, device-to-device connection (D2D), which provides infra-connection off-loading, is receiving significant attention. However, we have observed that the majority of the current D2D protocols including Bluetooth and Wi-Fi Direct are vulnerable to man-in-the-middle (MITM) and replay attacks in mobile multi-hop networks. To resolve this problem, in this paper, we propose a novel D2D authentication protocol with a secure initial key establishment using ciphertext-policy attribute-based encryption (CP-ABE). By leveraging CP-ABE, the proposed scheme allows the communicating parties to mutually authenticate and derive the link key in an expressive and secure manner in a multi-hop network environment. We also propose several variations of the proposed scheme for different scenarios in multi-hop networks without network infrastructure. We prove that the proposed scheme is secure against MITM and replay attacks in D2D mobile multi-hop networks. Experimental results indicate that the proposed scheme incurs reasonable computation cost in the real world.


Wireless Algorithms Systems and Applications | 2014

Secure Device-to-Device Authentication in Mobile Multi-hop Networks

Hyunsoo Kwon; Changhee Hahn; Daeyoung Kim; Kyungtae Kang; Junbeom Hur

In order to deal with drastically increasing mobile traffic these days, device-to-device connection (D2D), which provides infra-connection off-loading, is getting a lot of attention. However, we observed that most of the current D2D protocols such as Bluetooth and Wi-Fi Direct are not scalable, and are vulnerable to man-in-the-middle (MITM) and replay attacks in mobile multi-hop networks. In this paper, we propose novel D2D authentication protocols with a secure initial key establishment using ciphertext-policy attribute-based encryption (CP-ABE) to solve this problem. By exploiting CP-ABE, the proposed scheme allows the communicating parties to mutually authenticate each other and derive the link key in an expressive and secure way in the multi-hop network environment. According to the analysis results, the proposed scheme is secure against MITM and replay attacks in the D2D mobile multi-hop networks.


Mobile Information Systems | 2016

Efficient Attribute-Based Secure Data Sharing with Hidden Policies and Traceability in Mobile Health Networks

Changhee Hahn; Hyunsoo Kwon; Junbeom Hur

Mobile health (also written as mHealth) provisions the practice of public health supported by mobile devices. mHealth systems let patients and healthcare providers collect and share sensitive information, such as electronic and personal health records (EHRs) at any time, allowing more rapid convergence to optimal treatment. Key to achieving this is securely sharing data by providing enhanced access control and reliability. Typically, such sharing follows policies that depend on patient and physician preferences defined by a set of attributes. In mHealth systems, not only the data but also the policies for sharing it may be sensitive since they directly contain sensitive information which can reveal the underlying data protected by the policy. Also, since the policies usually incur linearly increasing communication costs, mHealth is inapplicable to resource-constrained environments. Lastly, access privileges may be publicly known to users, so a malicious user could illegally share his access privileges without the risk of being traced. In this paper, we propose an efficient attribute-based secure data sharing scheme in mHealth. The proposed scheme guarantees a hidden policy, constant-sized ciphertexts, and traces, with security analyses. The computation cost to the user is reduced by delegating approximately 50% of the decryption operations to the more powerful storage systems.


International Conference on Cloud Computing | 2017

Scalable and Reliable Key Management for Secure Deduplication in Cloud Storage

Hyunsoo Kwon; Changhee Hahn; Dongyoung Koo; Junbeom Hur

Secure deduplication using convergent encryption eliminates duplicate data and stores only one copy to save storage costs while preserving the security of the outsourced data. However, convergent encryption produces a number of encryption keys whose total size is linear in the number of different data. Although a deduplication scheme has been proposed for efficient convergent key management recently, it has drawbacks in terms of scalability and key management security. In order to solve these problems, we propose a novel secure deduplication scheme with scalable and reliable key management based on pairing-based cryptography. The proposed scheme does not require additional secure channels to distribute key components while still guaranteeing secure key management as opposed to the previous schemes.


International Conference on Big Data and Smart Computing | 2016

Scalable and secure Private Set intersection for big data

Changhee Hahn; Junbeom Hur

In this paper, we investigate Private Set Intersection (PSI) schemes that can be used to output intersection data between a client and a server in a way that only the client learns the output at the end of their joint computation. Recently, Dong et al. proposed a Bloom filter-based PSI scheme for big data. We show that a malicious client is able to learn not only the intersection but also other parts of the server's set in Dong et al.'s scheme. This can be done by submitting arbitrary Bloom filters as inputs. To this end, we suggest a Merkle tree-based countermeasure. It prevents malicious clients from learning any part of the server's set except the intersection. The security and performance analysis shows that our scheme is secure against the malicious client with a minor efficiency degradation.


Multimedia Tools and Applications | 2016

Enhanced authentication for outsourced educational contents through provable block possession

Changhee Hahn; Hyunsoo Kwon; Daeyoung Kim; Junbeom Hur

In recent years, the volume of educational contents has increased explosively thanks to the rapid development of multimedia technologies. Furthermore, the development of smart devices has led various educational institutes to use them as effective learning tools. Since more and more educational contents become available not only at school but also in a variety of online learning systems, it becomes increasingly unaffordable for a single educational contents provider to store and process them locally. Therefore, many educational contents providers are likely to outsource the contents to cloud storage for cost saving. These phenomena raise one serious concern: how to authenticate educational contents users in a secure and efficient way? The most widely used password-based authentication suffers from numerous drawbacks in terms of security. Multi-factor authentication protocols based on diverse communication channels such as SMS, biometrics, and hardware tokens could enhance security; however, they inevitably bring poor usability. To this end, we present a data block-based authentication scheme, which provides provable security and guarantees a usability invariant such that users do nothing but enter a password. In addition, the proposed scheme supports efficient user revocation. To the best of our knowledge, our scheme is the first data block-based authentication scheme for outsourced educational contents that is provably secure without usability degradation. The experiment on the Amazon EC2 cloud shows that the proposed scheme guarantees nearly constant time for user authentication.


International Conference on Ubiquitous and Future Networks | 2017

Cloud-based biometrics processing for privacy-preserving identification

Changhee Hahn; Hyungjune Shin; Junbeom Hur

With the increasing number of users enrolled, biometric identification requires more computing resources to scan all records of a database and locate the best match. As such, database owners are willing to delegate user biometric information (in encrypted state) to the cloud to enroll and identify users, while preserving privacy. Wang et al. proposed a cloud-based privacy-preserving biometric scheme, a.k.a. CloudBI, in ESORICS 2015, but their security assumption does not capture practical aspects of real-world attacks. In this paper, we show how an attacker enrolls fake biometric data and then manipulates them to recover an encrypted identification request in CloudBI. Next, we propose an effective security patch to CloudBI, which is secure against enrollment-level attackers. Experimental results show that the proposed security patch brings about little performance degradation to CloudBI.


International Conference on Ubiquitous and Future Networks | 2016

A survey on MITM and its countermeasures in the TLS handshake protocol

Seung-Woo Han; Hyunsoo Kwon; Changhee Hahn; Dongyoung Koo; Junbeom Hur

Transport Layer Security (TLS) is a standard cryptographic protocol that establishes a secure session between a client and a server. TLS consists of two sub-protocols, a handshake protocol and a record protocol. The handshake protocol establishes the secure session so that two parties can communicate securely. However, a man-in-the-middle (MITM) attack is possible during the handshake. We present previous MITM detection schemes and their key features. In addition, we analyze whether previous schemes can prevent attacks or not.
