Liangliang Xiao

Security analysis for order preserving encryption schemes

The development of third-party hosting, IT out-sourcing, service clouds, etc. raises important security concerns. It is safer to encrypt critical data that is hosted by a third party. However, a database must be able to process queries on the encrypted data. Many algorithms have been developed to support search query processing on encrypted data, including order preserving encryption (OPE) schemes. Security analysis plays an important role in the design of secure algorithms. It aids in understanding the level of security assured by an algorithm. Currently, security analysis of OPE schemes is limited. In [3], the authors defined an ideal OPE object and constructed an OPE scheme SEm,n that is computationally indistinguishable from the ideal object. Thus the security of the proposed OPE scheme is identical to that of the ideal OPE object. However, the security of the ideal object has not been analyzed. In this paper, we study the security of OPE schemes by analyzing the number of bits zh of the plaintext that remain secret from the adversary against a known plaintext attack with h known plaintexts. Based on the security analyses, we conclude that the ideal OPE object achieves one-wayness security, i.e., the probability for the adversary to fully recover the plaintext encrypted by the ideal OPE object against an h known plaintext attack is a negligible function of the secure parameter log m if h = o(mϵ), 0 <; ϵ <; 1, and n = m3. The results presented in the paper not only help improve our understanding of the security of OPE schemes and guide its parameter selections, but also provide a general method for analyzing their security.

Secure, Dependable, and High Performance Cloud Storage

There have been works considering protocols for accessing partitioned data. Most of these works assume the local cluster based environment and their designs target atomic semantics. However, when considering widely distributed cloud storage systems, these existing protocols may not scale well. In this paper, we analyze the requirements of access protocols for storage systems based on data partitioning schemes in widely distributed cloud environments. We consider the regular semantics instead of atomic semantics to improve access efficiency. Then, we develop an access protocol following the requirements to achieve correct and efficient data accesses. Various protocols are compared experimentally and the results show that our protocol yields much better performance than the existing ones.

Data Placement in P2P Data Grids Considering the Availability, Security, Access Performance and Load Balancing

Data dependability is an important issue in data Grids. Replication schemes have been widely used in distributed systems to ensure availability and improve access performance. Alternatively, data partitioning schemes (secret sharing, erasure coding with encryption) can be used to provide availability and, in addition, to offer confidentiality protection. In peer-to-peer data Grids, such confidentiality protection is essential since the nodes hosting the data shares may not be trustworthy or may be compromised. However, difficulties in generating new shares and potential security concerns for share reallocation make a pure data partitioning scheme not easily adaptable to dynamic user access patterns. In this paper, we consider combining replication and data partitioning to assure data availability, confidentiality, load balance, and efficient access for data Grid applications. Data are partitioned and shares are dispersed. The shares may be replicated to achieve better performance, load balance, and availability. Models for assessing confidentiality, availability, load balance, and communication cost are developed and used as the metrics to guide placement decisions. Due to the nature of contradicting goals, we model the placement decision problem as a multi-objective problem and use a genetic algorithm to determine solutions that are approximate to the Pareto optimal placement solutions.

Cloud Storage Design Based on Hybrid of Replication and Data Partitioning

Most existing works on data partitioning techniques simply consider to partition data objects and distribute the shares to servers. Such pure data partitioning approaches may bring potential performance and scalability problems when used in widely distributed systems. First, it is difficult to apply lazy update. Second, the share consistency verification may incur costly communications among widely distributed servers. In this paper, we propose a two-level DHT (TDHT) approach for widely distributed cloud storage to address these problems. First, we analyze the tradeoffs on security and availability between TDHT and the conventional pure data partitioning approach (integrated with DHT and called GDHT (global DHT)). The results show that TDHT can provide better security than GDHT and almost the same level of availability as GDHT. To compare their performance, we design a two-level access (TLA) protocol for the TDHT approach and compare it with the distributed version server (DVS) protocol proposed in [Ye10] for the GDHT approach. The experimental results show that TLA can provide much better user perceived update response latency and the same level or even better read access latency compared to DVS.

Scalable Authentication and Key Management in SCADA

In this paper we develop a SCADA key management system to provide better security, performance, and scalability. Conventional symmetric key based approaches have several problems. We adopt public key based approaches due to its flexibility in authentication and access control and efficiency in rekeying. However, existing public key based approaches are not scalable. Simple replication of CAs (certificate authorities) raises security concerns. We consider several novel designs to bridge the gaps in existing approaches. First, a master key based semi-autonomous key refreshing scheme has been developed to shift the rekeying burdens from CAs to individual SCADA node. Then, we design a CA-grid approach, which combines the threshold scheme and replication of CAs to achieve better protection of the master keys, improved availability, and enhanced performance by load sharing. Analyses show that our scheme has many advantages than the existing SCADA key management systems.

Leveraging Service Clouds for Power and QoS Management for Mobile Devices

We propose a QoS and power management (QPM) framework for mobile devices making use of the service cloud. Several techniques for the realization of the QPM framework have been developed. First, we develop a function pool based prediction model to predict the power and QoS behaviors of the task activated by a mobile device. Based on the prediction, we design the cost function and the decision algorithm for selecting the best platforms for executing the services/applications in order to achieve optimal energy saving while satisfying QoS requirements. Several service and data migration policies have been designed for a service to be migrated and executed on a mobile device to achieve power and QoS gains. We apply the QPM framework and associated techniques to a facial recognition case study system to validate our approach. Experimental results show that, in the best case, the QPM framework can achieve 66.7% energy saving for the mobile device and at the same time, reduce the response time by 54.3%.

Secure, Highly Available, and High Performance Peer-to-Peer Storage Systems

Storage system is an important component in many data intensive applications, including data grid. Security, availability, and high performance are important issues in the storage system design. In this paper we present a peer-to-peer (P2P) storage system design based on distributed hash table (DHT) and short secret sharing (SSS) to provide highly available, secure and efficient data storage services. Existing DHTs do not consider share location and search. Also, storage systems using data partitioning schemes (including SSS) does not consider the severe problems in share update. We develop three access protocols to maintain the share consistency in spite of concurrent update, partial update and compromised storage nodes by storing a limit number of history versions of the shares. We also conducted experimental studies to evaluate the performance and data availability and compare the behaviors of the schemes.

An adaptive multiparty protocol for secure data protection

To better protect information systems, computation time data protection needs to be considered such that even when the system is partially compromised, the security of the system is still assured. Secure multiparty computation approaches provides a possible solution for computation time data protection, but are too costly (in communication) to be practical. In this paper, we design an adaptive multi-level secure computation algorithm with the goals of reducing the average communication overheads. The adaptive algorithm runs a less secure protocol to reduce the communication overhead when there is no threat. The system adapts to a more secure but less efficient protocol when security threat is detected. Thus, the system yields better performance at normal execution time while still assures security protection at the presence of security threats.

Evaluation and Comparisons of Dependable Distributed Storage Designs for Clouds

Many research and development efforts have been devoted towards the design of dependable storage systems, but the effort in evaluating and comparing different designs for widely distributed environment is limited. In this paper, we develop models to evaluate the availability, security, and access performance of various storage designs for the cloud environment where storage resources are offered by multiple providers and spread over geographically distributed areas. The evaluation results show that each scheme exhibits some strengths and weaknesses. However, among various schemes, the short secret sharing approach (erasure coding combined with secret sharing the encryption keys) is most suitable for cloud storage. Our analysis methods can be applied to new storage designs and the results can be used to guide the storage system design process.

Information Assurance for Real-Time Decision Support

Information is an important element in all decision making processes. Also, the quality of information has to be assured in order to support proper decision making in critical systems. In this paper, we present a comprehensive solution to information assurance. First we develop an ontology of information quality metrics, which can be used in assessment as well as in guiding the information processing procedures. To achieve proper information quality assessment, it is necessary to track the information flow as well as detect anomalous information processing flaws. We leverage existing data provenance and anomaly detection technologies and improve them to achieve real-time information quality assessment and problem detection.