Publication


Featured research published by Jiangchun Ren.


Journal of Zhejiang University Science C | 2013

Efficient revocation in ciphertext-policy attribute-based encryption based cryptographic cloud storage

Yong Cheng; Zhiying Wang; Jun Ma; Jiangjiang Wu; Songzhu Mei; Jiangchun Ren

It is secure for customers to store and share their sensitive data in the cryptographic cloud storage. However, the revocation operation is a sure performance killer in the cryptographic access control system. To optimize the revocation procedure, we present a new efficient revocation scheme which is efficient, secure, and unassisted. In this scheme, the original data are first divided into a number of slices, and then published to the cloud storage. When a revocation occurs, the data owner needs only to retrieve one slice, and re-encrypt and re-publish it. Thus, the revocation process is accelerated by affecting only one slice instead of the whole data. We have applied the efficient revocation scheme to the ciphertext-policy attribute-based encryption (CP-ABE) based cryptographic cloud storage. The security analysis shows that our scheme is computationally secure. The theoretically evaluated and experimentally measured performance results show that the efficient revocation scheme can reduce the data owner’s workload if the revocation occurs frequently.


Symmetry | 2018

RIM4J: An Architecture for Language-Supported Runtime Measurement against Malicious Bytecode in Cloud Computing

Haihe Ba; Huaizhe Zhou; Huidong Qiao; Zhiying Wang; Jiangchun Ren

While cloud customers can benefit from migrating applications to the cloud, they are concerned about the security of the hosted applications. This is complicated by the customers not knowing whether their cloud applications are working as expected. Although memory-safety Java Virtual Machine (JVM) can alleviate their anxiety due to the control flow integrity, their applications are prone to a violation of bytecode integrity. The analysis of some Java exploits indicates that the violation results primarily from the given excess sandbox permission, loading flaws in Java class libraries and third-party middlewares and the abuse of sun.misc.Unsafe API. To such an end, we design an architecture, called RIM4J, to enforce a runtime integrity measurement of Java bytecode within a cloud system, with the ability to attest this to a cloud customer in an unforgeable manner. Our RIM4J architecture is portable, such that it can be quickly deployed and adopted for real-world purposes, without requiring modifications to the underlying systems and access to application source code. Moreover, our RIM4J architecture is the first to measure dynamically-generated bytecode. We apply our runtime measurement architecture to a messaging server application where we show how RIM4J can detect undesirable behaviors, such as uploading arbitrary files and remote code execution. This paper also reports the experimental evaluation of a RIM4J prototype using both a macro- and a micro-benchmark; the experimental results indicate that RIM4J is a practical solution for real-world applications.


Future Generation Computer Systems | 2018

Compulsory traceable ciphertext-policy attribute-based encryption against privilege abuse in fog computing

Huidong Qiao; Jiangchun Ren; Zhiying Wang; Haihe Ba; Huaizhe Zhou

Due to the structure of fog systems, ciphertext-policy attribute-based encryption (CP-ABE) is regarded as a promising technique to address certain security problems present in the fog. Unfortunately, in most traditional CP-ABE systems, a user can deliberately leak his attribute keys to others or use his private key to build a decryption device and provide a decryption service with little risk of being caught (untraceable). We refer to this behavior as privilege abuse. The privilege abuse problem will seriously hinder the adoption of CP-ABE. To address the problem, we propose a novel black-box traceable CP-ABE scheme that is much simpler than the existing white-box traceable schemes. A malicious user who builds a decryption black-box can be tracked and exposed by our scheme. Due to its scalability and relatively high efficiency, the scheme could be practical for fog systems. Furthermore, we point out that, if the adversary can distinguish the tracing ciphertext from the normal ciphertext, he can frustrate tracking by outputting incorrect decryption results. Thus, the traceability must be compulsory, so as to ensure that the adversary cannot distinguish between the tracing ciphertext and the normal ciphertext. Therefore, we present a formal definition of compulsory traceability with a new security game, and our scheme is proved to be secure and compulsory traceable under the generic group model.


International Conference on Algorithms and Architectures for Parallel Processing | 2015

Application-Assisted Dynamic Attestation for JVM-Based Cloud

Haihe Ba; Huaizhe Zhou; Zhiying Wang; Jiangchun Ren; Tie Hong; Yiming Li

In the recent years, cloud computing has expanded rapidly and improved the working efficiency for a number of cloud users, however, a few enterprises hesitate to move to the cloud because of the runtime security challenges of applications although cloud vendors promise to provide a trustworthy execution platform. In this paper, we propose Trusted Cloud Root Broker to give robust trustworthy guarantees to those JVM-Based applications. The broker as the application-root of the trust is to make the evaluation of the runtime trustworthiness and support dynamic attestation about the integrity state of an application with the assistance of Java virtual machine. It could not just prove the authenticity but also offer the availability for these targeting applications. What is more, our broker has less performance overheads.


Trust, Security and Privacy in Computing and Communications | 2014

JVM-Based Dynamic Attestation in Cloud Computing

Haihe Ba; Zhiying Wang; Jiangchun Ren; Huaizhe Zhou

Cloud computing has brought academic and industry tremendous benefits and improved computing efficiency compared with the traditional model, however, the adoption of this unique model also exacerbates security challenges and raises trust risks. And existing security solutions have less effectiveness and efficiency upon these unchartered cloud threats. We introduce trusted computing into current cloud platform to address the above issues and design JVM-based Dynamic Attestation Architecture, DTEM, to support application services with robust security guarantee. This framework gives trusted-degree estimate for the deployment and runtime status of an application as well as dynamically responds remote attestation with integrity proof of running applications.


Archive | 2014

TTP-ACE: A Trusted Third Party for Auditing in Cloud Environment

Songzhu Mei; Haihe Ba; Fang Tu; Jiangchun Ren; Zhiying Wang

Cloud computing offers an appealing business model, and it is tempting for companies to delegate their IT services, as well as data, to the cloud. But in cloud environment, lack of practical auditing party always put the users’ data in danger. Users may suffer a serious data loss without any compensation for they have lost all their control on their data. We present in this paper a novel way to implement a trusted third party for auditing in cloud environment (TTP-ACE), a trusted and easy-to-use auditor for cloud environment. TTP-ACE enables the cloud service providers’ accountability and protects the cloud users’ benefits.


International Conference on Cloud and Green Computing | 2012

Re-encryption Optimization in CP-ABE Based Cryptographic Cloud Storage

Yong Cheng; Jiangchun Ren; Zhiying Wang; Songzhu Mei; Jie Zhou

Nowadays, more and more customers begin to use the cryptographic cloud storage for protecting their data security. But the re-encryption caused by revocation is a sure performance killer in such a cryptographic access control system. We propose a novel scheme to reduce the consumption of the re-encryption process. This scheme is built on a series of cryptographic algorithms. The original data is split into several slices and these slices are published to the cloud storage. After a revocation occurs, we re-encrypt only one slice instead of the whole data. The comparison between our scheme and original one shows that the optimized scheme can reduce the costs of re-encryption significantly.


Web Age Information Management | 2008

Research of a Secure File System for Protection of Intellectual Property Right

Jun Ma; Jiangchun Ren; Zhiying Wang; Yaokai Zhu

This paper analyses the architecture of current secure file system and the security needs for protection of intellectual property rights and especially the major problems of it. Then we propose a secure data container model based on data encapsulation from the realization concept of virtual file system (VFS) in Linux. Based on this model, we design and implant a secure file system IPR-SFS on Windows platform for protection of intellectual property which achieves perfect combination between data encryption and access control. Compared with the previous systems, the IPR-SFS file system is more convenient and flexible, safe and scalable, also comparable to the existing file.


Symmetry | 2018

Practical, Provably Secure, and Black-Box Traceable CP-ABE for Cryptographic Cloud Storage

Huidong Qiao; Haihe Ba; Huaizhe Zhou; Zhiying Wang; Jiangchun Ren; Ying Hu

Cryptographic cloud storage (CCS) is a secure architecture built in the upper layer of a public cloud infrastructure. In the CCS system, a user can define and manage the access control of the data by himself without the help of cloud storage service provider. The ciphertext-policy attribute-based encryption (CP-ABE) is considered as the critical technology to implement such access control. However, there still exists a large security obstacle to the implementation of CP-ABE in CCS. That is, how to identify the malicious cloud user who illegally shares his private keys with others or applies his keys to construct a decryption device/black-box, and provides the decryption service. Although several CP-ABE schemes with black-box traceability have been proposed to address the problem, most of them are not practical in CCS systems, due to the absence of scalability and expensive computation cost, especially the cost of tracing. Thus, we present a new black-box traceable CP-ABE scheme that is scalable and high efficient. To achieve a much better performance, our work is designed on the prime order bilinear groups that results in a great improvement in the efficiency of group operations, and the cost of tracing is reduced greatly to O(N) or O(1), where N is the number of users of a system. Furthermore, our scheme is proved secure in a selective standard model. To the best of our knowledge, this work is the first such practical and provably secure CP-ABE scheme for CCS, which is black-box traceable.


Symmetry | 2018

Astrape: An Efficient Concurrent Cloud Attestation with Ciphertext-Policy Attribute-Based Encryption

Haihe Ba; Huaizhe Zhou; Songzhu Mei; Huidong Qiao; Tie Hong; Zhiying Wang; Jiangchun Ren

Cloud computing emerges as a change in the business paradigm that offers pay-as-you-go computing capability and brings enormous benefits, but there are numerous organizations showing hesitation for the adoption of cloud computing due to security concerns. Remote attestation has been proven to boost confidence in clouds to guarantee hosted cloud applications’ integrity. However, the state-of-the-art attestation schemes do not fit that multiple requesters raise their challenges simultaneously, thereby leading to larger performance overheads on the attester side. To address that, we propose an efficient and trustworthy concurrent attestation architecture under multi-requester scenarios, Astrape, to improve efficiency in the integrity and confidentiality protection aspects to generate an unforgeable and encrypted attestation report. Specifically, we propose two key techniques in this paper. The first one—aggregated attestation signature—reliably protects the attestation content from being compromised even in the presence of adversaries who have full control of the network, therefore successfully providing attestation integrity. The second one—delegation-based controlled report—introduces a third-party service to distribute the attestation report to requesters in order to save computation and communication overload on the attested party. The report is encrypted with an access policy by using attribute-based encryption and accessed by a limited number of qualified requesters, hence supporting attestation confidentiality. The experimental results show that Astrape can take no more than 0.4 s to generate an unforgeable and encrypted report for 1000 requesters and deliver a throughput speedup of approximately 30× in comparison to the existing attestation systems.

Collaboration

Top Co-Authors

Zhiying Wang, National University of Defense Technology

Haihe Ba, National University of Defense Technology

Huaizhe Zhou, National University of Defense Technology

Songzhu Mei, National University of Defense Technology

Yong Cheng, National University of Defense Technology

Huidong Qiao, National University of Defense Technology

Jun Ma, National University of Defense Technology

Jiangjiang Wu, National University of Defense Technology

Tie Hong, National University of Defense Technology

Jie Zhou, National University of Defense Technology