Songzhu Mei
National University of Defense Technology
Publication
Featured research published by Songzhu Mei.
Journal of Zhejiang University Science C | 2013
Yong Cheng; Zhiying Wang; Jun Ma; Jiangjiang Wu; Songzhu Mei; Jiangchun Ren
It is secure for customers to store and share their sensitive data in the cryptographic cloud storage. However, the revocation operation is a sure performance killer in the cryptographic access control system. To optimize the revocation procedure, we present a new efficient revocation scheme which is efficient, secure, and unassisted. In this scheme, the original data are first divided into a number of slices, and then published to the cloud storage. When a revocation occurs, the data owner needs only to retrieve one slice, and re-encrypt and re-publish it. Thus, the revocation process is accelerated by affecting only one slice instead of the whole data. We have applied the efficient revocation scheme to the ciphertext-policy attribute-based encryption (CP-ABE) based cryptographic cloud storage. The security analysis shows that our scheme is computationally secure. The theoretically evaluated and experimentally measured performance results show that the efficient revocation scheme can reduce the data owner’s workload if the revocation occurs frequently.
International Journal of Computational Intelligence Systems | 2012
Songzhu Mei; Zhiying Wang; Yong Cheng; Jiangchun Ren; Jiangjiang Wu; Jie Zhou
Cloud computing brings tremendous complexity to information security. Remote attestation can be used to establish a trust relationship in the cloud. TBVMM is designed to extend the existing chain of trust into the software layers to support dynamic remote attestation for cloud computing. TBVMM uses a Bayesian network and a Kalman filter to solve the dynamicity of the trusted relationship. It is proposed to fill the trust gap between the infrastructure and upper software stacks.
Information Processing and Trusted Computing | 2011
Jiangjiang Wu; Jie Zhou; Jun Ma; Songzhu Mei; Jiangchun Ren
Insider threat has become the main vector of data leakage. Existing research on it mainly focuses on sensing and detection without defense capabilities. Meanwhile, traditional technologies for data leakage prevention rely on terminal or boundary control, which is difficult to apply to data leakage in a distributed environment. This paper presents an active data leakage prevention model for insider threat that combines trusted storage with virtual isolation technologies and expresses the protection requirements from the aspect of the data object. We also show an implementation framework and give a formal description as well as proofs of security properties. Finally, we give implementation strategies for dynamic isolation mechanisms.
Archive | 2014
Songzhu Mei; Haihe Ba; Fang Tu; Jiangchun Ren; Zhiying Wang
Cloud computing offers an appealing business model, and it is tempting for companies to delegate their IT services, as well as data, to the cloud. But in a cloud environment, the lack of a practical auditing party always puts the users’ data in danger. Users may suffer serious data loss without any compensation because they have lost all control over their data. We present in this paper a novel way to implement a trusted third party for auditing in cloud environment (TTP-ACE), a trusted and easy-to-use auditor for the cloud environment. TTP-ACE enables the cloud service providers’ accountability and protects the cloud users’ benefits.
International Conference on Cloud and Green Computing | 2012
Yong Cheng; Jiangchun Ren; Zhiying Wang; Songzhu Mei; Jie Zhou
Nowadays, more and more customers begin to use the cryptographic cloud storage for protecting their data security. But the re-encryption caused by revocation is a sure performance killer in such a cryptographic access control system. We propose a novel scheme to reduce the consumption of the re-encryption process. This scheme is built on a series of cryptographic algorithms. The original data is split into several slices and these slices are published to the cloud storage. After a revocation occurs, we re-encrypt only one slice instead of the whole data. The comparison between our scheme and original one shows that the optimized scheme can reduce the costs of re-encryption significantly.
Information Processing and Trusted Computing | 2011
Songzhu Mei; Jiangjiang Wu; Yong Cheng; Jun Ma; Jiangchun Ren; Xiaoxing Li
Cloud computing brings tremendous complexity to information security. Much research has been done to establish and maintain the trust relationship in the cloud. Remote attestation is one of the most important features of trusted computing. But conventional ways of remote attestation can only attest to the presence of a particular binary. They cannot measure program behavior. Existing dynamic remote attestation technologies can solve some of these problems. But they are not suitable for cloud computing when users lose their control over their critical data and business processes. In our opinion, the cloud should give control back to the users to some extent. So we propose TBVMM, a novel mechanism for cloud computing to fill the trust gap between the infrastructure and upper software stacks. TBVMM will pave the way for establishing better trust relationships in cloud environments.
Symmetry | 2018
Haihe Ba; Huaizhe Zhou; Songzhu Mei; Huidong Qiao; Tie Hong; Zhiying Wang; Jiangchun Ren
Cloud computing emerges as a change in the business paradigm that offers pay-as-you-go computing capability and brings enormous benefits, but numerous organizations hesitate to adopt cloud computing due to security concerns. Remote attestation has been proven to boost confidence in clouds by guaranteeing hosted cloud applications’ integrity. However, the state-of-the-art attestation schemes do not fit scenarios in which multiple requesters raise their challenges simultaneously, thereby leading to larger performance overheads on the attester side. To address that, we propose an efficient and trustworthy concurrent attestation architecture under multi-requester scenarios, Astrape, to improve efficiency in the integrity and confidentiality protection aspects to generate an unforgeable and encrypted attestation report. Specifically, we propose two key techniques in this paper. The first one, aggregated attestation signature, reliably protects the attestation content from being compromised even in the presence of adversaries who have full control of the network, therefore successfully providing attestation integrity. The second one, delegation-based controlled report, introduces a third-party service to distribute the attestation report to requesters in order to save computation and communication overload on the attested party. The report is encrypted with an access policy by using attribute-based encryption and accessed by a limited number of qualified requesters, hence supporting attestation confidentiality. The experimental results show that Astrape can take no more than 0.4 s to generate an unforgeable and encrypted report for 1000 requesters and deliver a throughput speedup of approximately 30× in comparison to the existing attestation systems.
IEEE Conference Anthology | 2013
Jiangjiang Wu; Cong Liu; Songzhu Mei; Jiangchun Ren; Jun Ma; Zhiying Wang
Service recovery technology is an important constituent part of the emergency response technologies. The service recovery goal is to build a technology system of service recovery focusing on the survival of information system services. By analyzing the relationship between service and data, we present a service recovery mechanism that recovers service data. We introduce a third-party service monitor to monitor the state changes of the service, design the data recovery model, and give an example of quick data recovery. Finally, we present a prototype system of service recovery; the experimental results on the prototype system show that the mechanism we designed can greatly improve the service recovery efficiency and can meet the timeliness requirements of the information service.
Trust, Security and Privacy in Computing and Communications | 2011
Jiangjiang Wu; Zhiying Wang; Songzhu Mei; Yong Cheng; Jiangchun Ren
Ensuring data reliability and continuity plays an important role in keeping an information system working normally when it suffers from an attack or other abnormal events. Existing data protection technologies struggle to meet the fine-grained and precise data protection requirements on the widely used Windows platform. Inspired by the data organization in the FAT file system, and aiming to reduce the number of direct disk write requests, we have designed a transparent and efficient multi-versioning mechanism for the FAT file system, named VerFAT. During data backup generation, in response to each file update request, VerFAT generates multi-versioning data blocks. We have achieved the goal of greatly improving the efficiency of data failure recovery by modifying the linking relationship of data blocks in the FAT table, merging the separate disk write operations on the FAT table, and merging the separate disk write operations on directory entries when recovering a protected directory. We also present a theoretical analysis of the failure recovery mechanism in VerFAT. The experimental results on the prototype system have proved that our design is reasonable and efficient.
Trust, Security and Privacy in Computing and Communications | 2011
Yong Cheng; Zhiying Wang; Jiangjiang Wu; Songzhu Mei; Jiangchun Ren; Jun Ma
Data integrity verification is of utmost importance in trusted computing, and Merkle trees are usually employed in its implementation. However, the efficiency of data authentication is regarded as the main bottleneck in performance. In this paper, we propose an efficient data authentication protocol appropriate for a USB flash disk, named UTrustDisk (a trust-based intelligent disk). In our scheme, verification is sped up by using the WH universal hash function and speculative caching. The WH algorithm can hash a message into a short digest at high speed, and the collision probability is almost negligible. Speculative caching caches the potential hot chunks, which can reduce memory bandwidth pollution. In our experiments the success rate of speculation reaches 94.5% because the UTrustDisk's access mode is usually sequential. The comparative experiment results show that SWHash average write throughput is 44.8% higher than the NH scheme and 316% higher than the SHA-1 scheme.