Publication


Featured research published by Dongyoung Koo.


Computers & Electrical Engineering | 2013

Secure and efficient data retrieval over encrypted data using attribute-based encryption in cloud storage

Dongyoung Koo; Junbeom Hur; Hyunsoo Yoon

The cloud storage based information retrieval service is a promising technology that will form a vigorous market in the near future. Although there have been numerous studies proposed about secure data retrieval over encrypted data in cloud services, most of them focus on providing the strict security for the data stored in a third party domain. However, those approaches require stupendous costs centralized on the cloud service provider, which could be a principal impediment to achieve efficient data retrieval in cloud storage. In this paper, we propose an efficient data retrieval scheme using attribute-based encryption. The proposed scheme is best suited for cloud storage systems with massive amount of data. It provides rich expressiveness as regards access control and fast searches with simple comparisons of searching entities. The proposed scheme also guarantees data security and user privacy during the data retrieval process.


ACM Computing Surveys | 2017

A Survey of Secure Data Deduplication Schemes for Cloud Storage Systems

Youngjoo Shin; Dongyoung Koo; Junbeom Hur

Data deduplication has attracted many cloud service providers (CSPs) as a way to reduce storage costs. Even though the general deduplication approach has been increasingly accepted, it comes with many security and privacy problems due to the outsourced data delivery models of cloud storage. To deal with specific security and privacy issues, secure deduplication techniques have been proposed for cloud data, leading to a diverse range of solutions and trade-offs. Hence, in this article, we discuss ongoing research on secure deduplication for cloud data in consideration of the attack scenarios exploited most widely in cloud storage. On the basis of classification of deduplication system, we explore security risks and attack scenarios from both inside and outside adversaries. We then describe state-of-the-art secure deduplication techniques for each approach that deal with different security issues under specific or combined threat models, which include both cryptographic and protocol solutions. We discuss and compare each scheme in terms of security and efficiency specific to different security goals. Finally, we identify and discuss unresolved issues and further research challenges for secure deduplication in cloud storage.


The Journal of Supercomputing | 2013

A novel Adaptive Cluster Transformation (ACT)-based intrusion tolerant architecture for hybrid information technology

Jungmin Lim; Yongki Kim; Dongyoung Koo; Soojin Lee; Seokjoo Doo; Hyunsoo Yoon

Recently, the building of strong intrusion tolerant systems is in great demand since the openness and the distributed nature of information systems are easily used to compromise the systems by intentional attacks. To achieve intrusion tolerance by enabling the systems to survive various types of intrusions, we suggest a novel approach, Adaptive Cluster Transformation (ACT), in this paper. Instead of using a fixed cluster size as in conventional approaches, ACT adapts a variable cluster size depending on the system status. This is proved to maintain good quality of service (QoS). In addition, the early prediction of incoming massive packets makes ACT possible to replace any damaged clusters with new ones consisting of pristine virtual machines (VMs). This also contributes to defend the system against a Denial of Service (DoS). The performance of ACT is compared with other fixed sizes of VM cluster architectures by CSIM 20. And it is verified that the proposed method is more effective in maintaining the specific level of QoS as well as providing strong security to the targeted system.


Computers & Mathematics With Applications | 2013

Removing escrow from ciphertext policy attribute-based encryption

Junbeom Hur; Dongyoung Koo; Seong Oun Hwang; Kyungtae Kang

Attribute-based encryption (ABE) is a promising cryptographic primitive for fine-grained access control of distributed data. In ciphertext policy attribute-based encryption (CP-ABE), each user is associated with a set of attributes and data are encrypted with access policies on attributes. A user is able to decrypt a ciphertext if and only if his attributes satisfy the access policy embedded in the ciphertext. However, key escrow is inherent in ABE systems. A curious key generation center in that construction has the power to decrypt every ciphertext. We found that most of the existing ABE schemes depending on a single key authority suffer from the key escrow problem. In this study, we propose a novel CP-ABE key issuing architecture that solves the key escrow problem. The proposed scheme separates the power of issuing user keys into two parties: the key generation center and the attribute authority. In the proposed construction, the key generation center and the attribute authority issue different parts of secret key components to users through a secure two-party computation protocol such that none of them can determine the whole set of keys of users individually. We demonstrate how the proposed key issuing protocol can be applied in the existing CP-ABE scheme and resolve the key escrow problem.


Future Generation Computer Systems | 2018

Privacy-preserving deduplication of encrypted data with dynamic ownership management in fog computing

Dongyoung Koo; Junbeom Hur

The explosion in the volume of data generated by end-point devices, arising from IoT proliferation, has led to the adoption of data outsourcing to dedicated data centers. However, centralized data centers such as cloud storage cannot afford to manage large stores of data in a timely manner. To allow low latency access to large amounts of data, a new computing paradigm, called fog computing, has been introduced. In a fog computing environment, privacy issues surrounding outsourced data become more critical due to its complicated innards of the system. In addition, efficient resource management is another important criterion considering the application of pay-per-use in commercial fog storage. As an extension of cloud storage, most fog storage service providers will choose to adopt data deduplication techniques to minimize resource dissipation. At the same time, data owners may update or remove outsourced data stored in the remote storage to reduce expenses. In this paper, we propose the first privacy-preserving deduplication protocol capable of efficient ownership management in fog computing. It achieves fine-grained access control by introducing user-level key management and update mechanisms. Data-invariant user-level private keys enable data owners to maintain a constant number of keys regardless of the number of outsourced data files. The update of user-level public keys for valid data owners at the remote storage dramatically reduces communication overhead. Security and performance analyses demonstrate the efficiency of the proposed scheme in terms of communication and key management in fog storage.


The Scientific World Journal | 2014

A secure and efficient audit mechanism for dynamic shared data in cloud storage.

Ohmin Kwon; Dongyoung Koo; Yongjoo Shin; Hyunsoo Yoon

With popularization of cloud services, multiple users easily share and update their data through cloud storage. For data integrity and consistency in the cloud storage, the audit mechanisms were proposed. However, existing approaches have some security vulnerabilities and require a lot of computational overheads. This paper proposes a secure and efficient audit mechanism for dynamic shared data in cloud storage. The proposed scheme prevents a malicious cloud service provider from deceiving an auditor. Moreover, it devises a new index table management method and reduces the auditing cost by employing less complex operations. We prove the resistance against some attacks and show less computation cost and shorter time for auditing when compared with conventional approaches. The results present that the proposed scheme is secure and efficient for cloud storage services managing dynamic shared data.


Multimedia Tools and Applications | 2017

Secure proof of storage with deduplication for cloud storage systems

Youngjoo Shin; Dongyoung Koo; Junbeom Hur; Joobeom Yun

Explosion of multimedia content brings forth the needs of efficient resource utilization using the state of the arts cloud computing technologies such as data deduplication. In the cloud computing environments, achieving both data privacy and integrity is the challenging issue for data outsourcing service. Proof of Storage with Deduplication (POSD) is a promising solution that addresses the issue for the cloud storage systems with deduplication enabled. However, the validity of the current POSD scheme stands on the strong assumption that all clients are honest in terms of generating their keys. We present insecurity of this approach under new attack model that malicious clients exploit dishonestly manipulated keys. We also propose an improved POSD scheme to mitigate our attack.


IEEE Transactions on Services Computing | 2017

Decentralized Server-aided Encryption for Secure Deduplication in Cloud Storage

Youngjoo Shin; Dongyoung Koo; Joobeom Yun; Junbeom Hur

Cloud storage provides scalable and low cost resources featuring economies of scale based on multi-tenant architecture. As the amount of data outsourced grows explosively, data deduplication, a technique that eliminates data redundancy, becomes essential. However, deduplication leads to problems with data confidentiality, thereby necessitating secure deduplication solutions. Server-aided encryption schemes have been proposed to achieve the strongest confidentiality but with the cost of managing a key server (KS). Previous schemes, however, are based on a centralized KS that uses only a single secret key assuming a single KS in the system. In cloud storage where multi-tenancy and scalability are crucial, such schemes degrade not only the effectiveness of deduplication but also the scalability with increasing users. In this paper, we extend server-aided encryption to a decentralized setting that consists of multiple KSs. The key idea of our proposed scheme is to construct an inter-KS deduplication algorithm, by which a cloud storage service provider can perform deduplication over ciphertexts from different KSs within a tenant or across tenants. This way, our scheme simultaneously offers flexibility of KS management and cross-tenant deduplication over encrypted data. The novelty of the approach is using a decentralized architecture that does not require any centralized entities for the coordination or pre-sharing of secrets among KSs. Therefore, it allows cloud storage services to offer high deduplication efficiency and scalability while preserving strong data confidentiality. We show the result of performance analysis on the proposed scheme by conducting extensive experiments. In addition, our security analysis demonstrates that the proposed scheme satisfies all desired security properties.


Archive | 2014

Secure and Efficient Deduplication over Encrypted Data with Dynamic Updates in Cloud Storage

Dongyoung Koo; Junbeom Hur; Hyunsoo Yoon

Cloud service providers adopt a deduplication technique to minimize resource utility costs. However, it is one of the most challenging issues to manage the outsourced data in a storage-efficient way when users encrypt data for preserving privacy and frequently update it. When the data is updated, file-level deduplication makes entire copy of updated file although there are small modifications. Block-level deduplication solves this problem, but it requires metadata larger than the outsourced blocks. To address this problem, we propose a hybrid deduplication scheme that minimizes storage overhead. Our scheme performs file-level deduplication along with isolation of only updated blocks with augmented metadata. The analysis results show that our scheme minimizes storage costs while guaranteeing secure update with efficient verification.


Journal of computing science and engineering | 2013

A Survey on Intrusion-Tolerant System

Seondong Heo; Pyeong Soo Kim; Yongjoo Shin; Jungmin Lim; Dongyoung Koo; Yonggon Kim; Ohmin Kwon; Hyunsoo Yoon

Many information systems that provide useful services to people are connected to the Internet for convenience and efficiency. However, improper accessibility might make the systems susceptible to a variety of attacks. Although existing security solutions such as an intrusion detection system, intrusion prevention system, and firewalls have been designed to protect against such attacks, it is impossible to block all kinds of attacks. Furthermore, most of the proposed solutions require information about attacks for efficient prevention. Research on intrusion-tolerant systems (ITSs) has been conducted in order to continue providing proper services in threatening environments. The purpose of an ITS is to survive against every intrusion, rather than to prevent them. In this paper, previous studies on ITS are introduced and classified according to the centric scheme as middleware-based ITS, hardware-based ITS, and recovery-based ITS. Recent research focusing on adaptive transformation schemes is also introduced.

Collaboration


Dive into Dongyoung Koo's collaboration.

Top Co-Authors

Sung-Wook Kim

Seoul National University
