Jiangjiang Wu
National University of Defense Technology
Publication
Featured research published by Jiangjiang Wu.
Journal of Zhejiang University Science C | 2013
Yong Cheng; Zhiying Wang; Jun Ma; Jiangjiang Wu; Songzhu Mei; Jiangchun Ren
It is secure for customers to store and share their sensitive data in the cryptographic cloud storage. However, the revocation operation is a sure performance killer in the cryptographic access control system. To optimize the revocation procedure, we present a new efficient revocation scheme which is efficient, secure, and unassisted. In this scheme, the original data are first divided into a number of slices, and then published to the cloud storage. When a revocation occurs, the data owner needs only to retrieve one slice, and re-encrypt and re-publish it. Thus, the revocation process is accelerated by affecting only one slice instead of the whole data. We have applied the efficient revocation scheme to the ciphertext-policy attribute-based encryption (CP-ABE) based cryptographic cloud storage. The security analysis shows that our scheme is computationally secure. The theoretically evaluated and experimentally measured performance results show that the efficient revocation scheme can reduce the data owner’s workload if the revocation occurs frequently.
International Journal of Computational Intelligence Systems | 2012
Songzhu Mei; Zhiying Wang; Yong Cheng; Jiangchun Ren; Jiangjiang Wu; Jie Zhou
Cloud computing brings tremendous complexity to information security. Remote attestation can be used to establish a trust relationship in the cloud. TBVMM is designed to extend the existing chain of trust into the software layers to support dynamic remote attestation for cloud computing. TBVMM uses a Bayesian network and a Kalman filter to solve the dynamicity of the trusted relationship. It is proposed to fill the trust gap between the infrastructure and upper software stacks.
information processing and trusted computing | 2011
Jiangjiang Wu; Jie Zhou; Jun Ma; Songzhu Mei; Jiangchun Ren
Insider threat has become the main vector of data leakage. Existing research on it mainly focuses on sensing and detection without defense capabilities. Meanwhile, traditional technologies for data leakage prevention rely on terminal or boundary control, which is difficult for data leakage in a distributed environment. This paper presents an active data leakage prevention model for insider threat that combines trusted storage with virtual isolation technologies and expresses the protection requirements from the aspect of the data object. We also show an implementation framework and give a formal description as well as a proof of security properties. Finally, we give implementation strategies for dynamic isolation mechanisms.
information processing and trusted computing | 2011
Songzhu Mei; Jiangjiang Wu; Yong Cheng; Jun Ma; Jiangchun Ren; Xiaoxing Li
Cloud computing brings tremendous complexity to information security. Much research has been done to establish and maintain the trust relationship in the cloud. Remote attestation is one of the most important features of trusted computing. But conventional ways of remote attestation can only attest to the presence of a particular binary. They cannot measure program behavior. Existing dynamic remote attestation technologies can solve some of these problems. But they are not suitable for cloud computing when users lose control over their critical data and business processes. In our opinion, the cloud should give control back to the users to some extent. So we propose TBVMM, a novel mechanism for cloud computing to fill the trust gap between the infrastructure and upper software stacks. TBVMM will pave the way for establishing better trust relationships in cloud environments.
IEEE Conference Anthology | 2013
Jiangjiang Wu; Cong Liu; Jun Ma; Yong Cheng; Jiangchun Ren; Zhiying Wang
More and more users are willing to store their data in cloud storage systems; while they get many benefits from the cloud, their data faces potentially serious security threats, especially in sensitive data applications. In this paper, we analyze the unique security requirements of the sensitive data application in the cloud, and we propose an improved structure for the typical cloud storage system architecture. The hardware USBKey is introduced to the architecture for the purpose of enhancing user identity security and interaction security between the users and the cloud storage system. Moreover, drawing on the idea of active data protection, a data security container is introduced to the system to enhance the security of the data transmission process; by encapsulating the encrypted data and adding appropriate access control and data management functions, we turn the static data blocks into a dynamic executable data security container. Then, we design a security-enhanced cloud storage terminal software architecture to adapt to the users' specific requirements, and its functions and components can be customized; moreover, the architecture can detect whether the execution environment accords with the pre-defined environment requirements.
IEEE Conference Anthology | 2013
Jiangjiang Wu; Cong Liu; Songzhu Mei; Jiangchun Ren; Jun Ma; Zhiying Wang
Service recovery technology is an important constituent part of the emergency response technologies. The service recovery goal is to build a technology system of service recovery focusing on the survival of information system services. By analyzing the relationship between service and data, we present a service recovery mechanism that works by recovering service data. We introduce a third-party service monitor to monitor the state changes of the service, design the data recovery model, and give an example of quick data recovery. Finally, we present a prototype system of service recovery; the experimental results on the prototype system show that the mechanism we designed can greatly improve the service recovery efficiency and can meet the timeliness requirements of the information service.
trust security and privacy in computing and communications | 2011
Jiangjiang Wu; Zhiying Wang; Songzhu Mei; Yong Cheng; Jiangchun Ren
Ensuring data reliability and continuity plays an important role in ensuring that the information system keeps working normally when suffering from an attack or other abnormal events. The existing data protection technologies have difficulty meeting the fine-grained and precise data protection requirements on the widely used Windows platform. Inspired by the data organization in the FAT file system, and aiming to reduce the number of direct disk write requests, we have designed a transparent and efficient multi-versioning mechanism for the FAT file system, named VerFAT. During data backup generation, in response to each file update request, VerFAT generates multi-versioning data blocks. We have achieved the goal of greatly improving the efficiency of data failure recovery by modifying the linking relationship of data blocks in the FAT Table, merging the separate disk write operations on the FAT Table, and merging the separate disk write operations on the directory entry when recovering a protected directory. We also present the theoretical analysis of the failure recovery mechanism in VerFAT. The experimental results on the prototype system have proved that our design is reasonable and efficient.
trust security and privacy in computing and communications | 2011
Yong Cheng; Zhiying Wang; Jiangjiang Wu; Songzhu Mei; Jiangchun Ren; Jun Ma
Data integrity verification is of utmost importance in trusted computing, and Merkle trees are usually employed in implementation. However, the efficiency of data authentication is regarded as the main bottleneck in performance. In this paper, we propose an efficient data authentication protocol appropriate for a USB flash disk, named UTrustDisk (a trust-based intelligent disk). In our scheme, verification is sped up by using the WH universal hash function and speculative caching. The WH algorithm can hash a message into a short digest at a high speed, and the collision probability is almost negligible. Speculative caching will cache the potential hot chunks, which can reduce the memory bandwidth pollution. In our experiments the success rate of speculation reaches 94.5% because the UTrustDisk's access mode is usually sequential. The comparative experiment results show that the SWHash average write throughput is 44.8% higher than the NH scheme and 316% higher than the SHA-1 scheme.
international conference on internet multimedia computing and service | 2011
Jiangjiang Wu; Jiangchun Ren; Yong Cheng; Songzhu Mei; Zhiying Wang
Continuous Data Protection (CDP) technology is a good scheme for ensuring the continuity and survival capability of service applications. However, the existing continuous data protection technology has difficulty meeting the requirements, which call for finer granularity, closer association with the upper applications, and efficient failure recovery capabilities. We have designed and implemented a file-level CDP mechanism oriented toward service applications. By monitoring the modification operations on the files associated with the corresponding service, the system generates sets of data backup blocks, which grow along the time series. Meanwhile, the Sub-Fragment is designed to save storage overhead during the data protection procedure. When a service failure occurs, a novel file data recovery technology is used to recover the file data in the manner of no-copy data recovery. The test results for the sample data sets show that the mechanism can ensure that upper users access the file systems transparently, reduce the data storage costs by more than half during the protection process, and greatly enhance the efficiency of service application data.
Archive | 2010
Jiangjiang Wu; Fang Liu; Hongyi Lu; Mingche Lai; Nong Xiao; Li Shen; Ma Jun; Yong Cheng; Jiangchun Ren; Zhiying Wang