securely using cloud computing services qin liu email: [email protected]@126.com hunan...
TRANSCRIPT
![Page 2: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/2.jpg)
2
Outline
3. Introduction to Our Work
2. Security Issues in Clouds
1. Cloud Computing
![Page 3: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/3.jpg)
Evolution of Computing Patterns
![Page 4: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/4.jpg)
What Is Cloud Computing?
Wikipedia Definition Cloud computing is a concept of using the Internet to allow
people to access technology-enabled services It allows users to consume services without knowledge of
control over the technology infrastructure that supports them
NIST Definition 5 essential characteristics 3 cloud service models 4 cloud deployment models
![Page 5: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/5.jpg)
The NIST Cloud Definition Framework
CommunityCommunityCloudCloud
Private Private CloudCloud
Public CloudPublic Cloud
Hybrid Clouds
Service
Models
Essential
Characteristics
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Resource Pooling
Broad Network Access Rapid Elasticity
Measured Service
On Demand Self-Service
Deployment
Models
![Page 6: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/6.jpg)
On-demand service Get computing capabilities as needed automatically Broad Network Access Services available over the net using desktop, laptop, PDA,
mobile phone Resource pooling Provider resources pooled to server multiple clients Rapid Elasticity Ability to quickly scale in/out service Measured service Control, optimize services based on metering
Essential Characteristics
![Page 7: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/7.jpg)
Essential Characteristics
![Page 8: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/8.jpg)
Cloud Service Models
Software as a Service (SaaS) We use the provider apps User doesn’t manage or control the network, servers, OS, storage
or applications Platform as a Service (PaaS) User deploys their apps on the cloud Controls their apps User doesn’t manage servers, IS, storage Infrastructure as a Service (IaaS) Consumers gets access to the infrastructure to deploy their stuff Doesn’t manage or control the infrastructure Does manage or control the OS, storage, apps, selected network
components
![Page 9: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/9.jpg)
SaaS
PaaS
IaaS
Amazon Google Microsoft Salesforce
Service Delivery Model Examples
Products and companies shown for illustrative purposes only and should not be construed as an endorsement
![Page 10: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/10.jpg)
10
Cloud Deployment Models
Private cloud Enterprise owned or leased
Community cloud Shared infrastructure for specific community
Public cloud Sold to the public, mega-scale infrastructure
Hybrid cloud Composition of two or more clouds
![Page 11: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/11.jpg)
Cloud Deployment Models
![Page 12: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/12.jpg)
Top 8 Cloud Computing Companies
![Page 13: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/13.jpg)
Cloud Computing Example - Amazon EC2
IaaS http://aws.amazon.com/ec2
![Page 14: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/14.jpg)
Cloud Computing Example - Google AppEngine
PaaS http://code.google.com/appengine/ Google AppEngine API
Python runtime environment Datastore API Images API Mail API Memcache API URL Fetch API Users API
A free account can use up to 500 MB storage, enough CPU and bandwidth for about 5 million page views a month
![Page 15: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/15.jpg)
Conventional Manually
Provisioned Dedicated
Hardware Fixed Capacity Pay for Capacity Capital &
Operational Expenses
Managed via Sysadmins
Cloud Self-provisioned Shared
Hardware Elastic Capacity Pay for Use Operational
Expenses Managed via
APIs
Conventional Computingvs.Cloud Computing
![Page 16: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/16.jpg)
Why A Cloud?
![Page 17: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/17.jpg)
Why A Cloud?
![Page 18: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/18.jpg)
Why A Cloud?
![Page 19: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/19.jpg)
Cloud Computing Summary
Cloud computing is a kind of network service and is a trend for future computing
Scalability matters in cloud computing technology Users focus on application development Services are not known geographically
![Page 20: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/20.jpg)
20
3. Introduction to Our Work
2. Security Issues in Clouds
1. Cloud Computing
Outline
![Page 21: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/21.jpg)
21
What Not a Cloud?
![Page 22: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/22.jpg)
Kai Hwang and Deyi Li, “Trusted Cloud Computing with Secure Resources and Data Coloring”, IEEE Internet Computing, Sept. 2010
Cloud Providers and Security Measures
![Page 23: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/23.jpg)
23
General Security Advantages
Shifting public data to an external cloud reduces the exposure of the internal sensitive data
Cloud homogeneity makes security auditing/testing simpler Clouds enable automated security management Redundancy / Disaster Recovery
![Page 24: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/24.jpg)
24
General Security Challenges
Trusting vendor’s security model Customer inability to respond to audit findings Obtaining support for investigations Indirect administrator accountability Proprietary implementations can’t be examined Loss of physical control
![Page 25: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/25.jpg)
10 Security Concerns
Where’s the data? Who has access? What are your regulatory requirements? Do you have the right to audit? What type of training does the provider offer their employees? What type of data classification system does the provider use? What are the service level agreement (SLA) terms? What is the long-term viability of the provider? What happens if there is a security breach? What is the disaster recovery/business continuity plan
(DR/BCP)?
![Page 26: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/26.jpg)
7 Potential Risks
Privileged user access Regulatory compliance Data location Data segregation. Recovery Investigative support Long-term viability
![Page 27: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/27.jpg)
What Is Not New?
Data Loss Downtimes Phishing Password Cracking Botnets and Other Malware
![Page 28: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/28.jpg)
Data Loss
![Page 29: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/29.jpg)
Downtimes
29
![Page 30: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/30.jpg)
Phishing“hey! check out this funny blog about you...”
30
![Page 31: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/31.jpg)
Password Cracking
31
![Page 32: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/32.jpg)
What Is New?
Accountability No Security Perimeter Larger Attack Surface New Side Channels Lack of Auditability Regulatory Compliance Data Security
![Page 33: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/33.jpg)
Accountability
33
![Page 34: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/34.jpg)
No Security Perimeter
Little control over physical or network location of cloud instance VMs
Network access must be controlled on a host by host basis
![Page 35: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/35.jpg)
Larger Attack Surface
Cloud Provider
Your Network
![Page 36: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/36.jpg)
New Side Channels
You don’t know whose VMs are sharing the physical machine with you. Attackers can place their VMs on your machine. See “Hey, You, Get Off of My Cloud” paper for how.
Shared physical resources include CPU data cache: Bernstein 2005 CPU branch prediction: Onur Aciiçmez 2007 CPU instruction cache: Onur Aciiçmez 2007
In single OS environment, people can extract cryptographic keys with these attacks.
36
![Page 37: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/37.jpg)
Lack of Auditability
Only cloud provider has access to full network traffic, hypervisor logs, physical machine data.
Need mutual auditability Ability of cloud provider to audit potentially malicious or
infected client VMs. Ability of cloud customer to audit cloud provider
environment.
37
![Page 38: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/38.jpg)
Regulatory Compliance
![Page 39: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/39.jpg)
Certifications
39
![Page 40: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/40.jpg)
Data Security
ConfidentialityAuthorized to know
AvailabilityData Never LossMachine Never Fail
IntegrityData Has Not Been Tampered With
Storage Processing Transmission
![Page 41: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/41.jpg)
Data Security Is A Major Concern
Security concerns arising because both customer data and program are residing in Provider Premises.
Security is always a major concern in Open System Architectures
CustomerCustomer
Customer Data
Customer Data
Customer Code
Customer Code
Provider Premises
![Page 42: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/42.jpg)
Why Data Is Not Secure
Cloud Security problems are coming from Loss of control Lack of trust Multi-tenancy
Mainly exist in public cloud
![Page 43: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/43.jpg)
Loss of Control in the Cloud
Consumer’s loss of control Data, applications, resources are located with provider User identity management is handled by the cloud User access control rules, security policies and enforcement
are managed by the cloud provider Consumer relies on provider to ensure
Data security and privacy Resource availability Monitoring and repairing of services/resources
![Page 44: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/44.jpg)
Lack of Trust in the Cloud
A brief deviation from the talk Trusting a third party requires taking risks
Defining trust and risk Opposite sides of the same coin People only trust when it pays Need for trust arises only in risky situations
Defunct third party management schemes Hard to balance trust and risk e.g. Key Escrow Is the cloud headed toward the same path?
![Page 45: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/45.jpg)
Multi-tenancy Issues in the Cloud
Conflict between tenants’ opposing goals Tenants share a pool of resources and have opposing goals
How does multi-tenancy deal with conflict of interest? Can tenants get along together and ‘play nicely’ ? If they can’t, can we isolate them?
How to provide separation between tenants?
![Page 46: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/46.jpg)
Possible Solutions
Loss of Control Take back control
Data and apps may still need to be on the cloud But can they be managed in some way by the consumer?
Lack of trust Increase trust (mechanisms)
Technology Policy, regulation Contracts (incentives): topic of a future talk
Multi-tenancy Private cloud Takes away the reasons to use a cloud in the first place Strong separation
![Page 47: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/47.jpg)
Cloud Security Summary
Cloud computing is sometimes viewed as a reincarnation of the classic mainframe client-server model However, resources are ubiquitous, scalable, highly virtualized Contains all the traditional threats, as well as new ones
In developing solutions to cloud computing security issues it may be helpful to identify the problems and approaches in terms of Loss of control Lack of trust Multi-tenancy problems
![Page 48: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/48.jpg)
48
3. Introduction to Our Work
2. Security Issues in Clouds
1. Cloud Computing
Outline
![Page 49: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/49.jpg)
Our Main Work
![Page 50: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/50.jpg)
Selected Publications
G. Wang, Q. Liu, F. Li, S. Yang, and J. Wu, "Outsourcing Privacy-Preserving Social Networks to a Cloud," accepted to appear in the 32nd IEEE International Conference on Computer Communications (IEEE INFOCOM 2013).
Q. Liu, C. C. Tan, J. Wu, and G. Wang, "Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments" Proceedings of the 31st IEEE International Conference on Computer Communications (IEEE INFOCOM 2012).
G. Wang, Q. Liu, and J. Wu, "Hierarchical Attribute-Based Encryption for Fine-Grained Access Control in Cloud Computing," Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS-10).
Q. Liu, C. C. Tan, J. Wu, and G. Wang, "Towards Differential Query Services in Cost-Efficient Clouds," accept to appear in IEEE Transactions on Parallel and Distributed Systems (TPDS).
Q. Liu, G. Wang, and J. Wu, "Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment", Information Sciences.
Q. Liu, C. C. Tan, J. Wu, and G. Wang, "Cooperative Private Searching in Clouds," Journal of Parallel and Distributed Computing (JPDC).
G. Wang, Q. Liu, and J. Wu, "Hierarchical Attribute-Based Encryption and Scalable User Revocation for Sharing Data in Cloud Servers," Computers & Security.
![Page 51: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/51.jpg)
Multi-User Data Sharing Environment
Cloud Security problems are coming from :Loss of controlLack of trust (mechanisms)Multi-tenancy
Cloud Service Provider
Data Owner
Outsourcing Data
Data User
Data Retrieval
Authorization of Access
Security Issues Data Security Revocation Retrieval Privacy
The cloud service provider is a potential attacker!!
![Page 52: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/52.jpg)
Data Security
Natural way Adopting cryptographic technique
Current solutions Traditional symmetric/ asymmetric encryption
Low cost for encryption and decryption Support key delegation--HIBE Hard to achieve fine-grained access control
Attribute-Based encryption Easy to achieve fine-grained access control High cost for encryption and decryption Do not support key delegation
![Page 53: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/53.jpg)
Public Key Cryptography
53
![Page 54: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/54.jpg)
Attribute-Based Encryption (ABE)
Key Policy ABE Ciphertext Policy ABE
![Page 55: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/55.jpg)
Hierarchical Attribute-Based Encryption (HABE)
Application scenario
Sample URA
Requirements Fine-grained access control Hierarchical key generation Efficiency
![Page 56: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/56.jpg)
Hierarchical Attribute-Based Encryption (HABE)
Key technique Combine the hierarchical identity-based encryption and
attribute-based encryption Use the attributes and exact ID to identify each user
HABE Architecture
![Page 57: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/57.jpg)
User Revocation
Naïve solution The data owner re-encrypts data and distributes new keys
to the data user Frequent revocation will make the data owner become a
performance bottleneck Proxy re-encryption (PRE)
![Page 58: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/58.jpg)
Time-Based Proxy Re-Encryption
PRE in clouds The data owner to send re-encryption instruction to the
cloud The cloud perform re-encryption based on proxy re-
encryption
Cloud Service ProviderCloud Service Provider
T2:
Re-encry
ption
T1: Access Data
Data OwnerData Owner Data UserData User
T2<T1: Potential security risk
How to achieve automatic revocation without sending any instructions?
![Page 59: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/59.jpg)
Time-Based Proxy Re-Encryption
Key technique Incorporate time into PRE This scheme is suitable for the application where the valid of
access is pre-determined
2012
12...
1 31
...
1
1 31
...
( )a ss H a( ) ( )
a
ya ss H y
( )( , ) ( )y
a
y ma s
s H m
( , )( , , ) ( )y m
a
y m da s
s H d
A time tree is constructedThe data owner and the cloud
share a secret seed sThe cloud re-encrypt data
based on internal time automatically while receiving a data access request
![Page 60: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/60.jpg)
User Privacy
User privacy Search privacy: The cloud cannot know what the users are searching
for Access privacy: The cloud cannot know what/which files are returned
to the users Existing solutions
Private search (PS) can protect user privacy while searching public data
Searchable encryption (SE) can protect search privacy while searching private data
![Page 61: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/61.jpg)
Searchable Encryption (SE)
Bob sends to Alice an email encrypted under Alice’s public key.
Alice’s email gateway wants to test whether the email contains the keyword urgent so that it could route the email to her PDA immediately.
But,Alice does not want the email gateway to be able to decrypther messages
![Page 62: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/62.jpg)
Efficient Searchable Encryption
Problem The user needs to perform decryption Thin client has only limited resources
Requirements Enable the cloud to perform partial decryption without compromising search privacy User can access data from the cloud anytime and anywhere with any devices
{A, B}
{A, C}
{F1, F2}
{F1, F3}
Cloud Service Provider
Alice
Bob
Data UserF1:{A,B}F2:{B}F3:{C}…
![Page 63: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/63.jpg)
Efficient Searchable Encryption
Key technique Alice takes both Bob and CSP’s public key as inputs of the
encryption algorithm CSP uses its secret key to perform partial decrypt and
generate an intermediate value Bob use the intermediate value to quickly recover data
Trapdoor
KWEnc
SKBob, Wj
Test
PDecrypt
Recovery
PKBob, {Wi}1<=i<=k
EMBEncPKBob, PKCSP, m
{Cwi}1<=i<=k
TWj
Cm , SKCSP
CmCloud Service Provider
C
Alice
Bob TWj, {Cwi}1<=i<=kmSKBob,C
![Page 64: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/64.jpg)
Private Search (PS)
Cloud
Bob
[1] [1] [0] [0]
F1 F2 0 NA
A compressed version of all files
F1: {A,B}
F2:{B,D}
F3:{C,D}
Given a public dictionary that contains all keywords, e.g., dictionary=<A,B,C,D>.
Bob wants to retrieve files with keywords A and B
![Page 65: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/65.jpg)
Private Search (PS)
Homomorphic encryption E(x)*E(y) = E(x+y) E(x)^y = E(x*y)
F1: { A, B} F1: { A, B} F2: {B,D} F2: {B,D} F3: {C,D} F3: {C,D}
F1 F2 0 NA
[1] [1] [0] [0] key trick: map unmatched files to 0
F1 NA
F1 F2 F3
F2 0
survival collision survival unmatched
E(F2)* E(0) =E(F2)
![Page 66: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/66.jpg)
Cooperative Private Search (COPS)
Problem for simple PS Processing each query is expensive. Given n users, the cloud
needs to execute n queries Performance bottleneck on the cloud COPS Architecture A proxy server (ADL) is introduced between the users and the
cloud (trusted) Aggregate user queries Distribute searching results
![Page 67: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/67.jpg)
Cooperative Private Search (COPS)
Key technique The user and the cloud share
Shuffle functions shuffle the dictionary and the query --- to preserve search privacy Pseudonym function: hide file name Obfuscated function: hide file content ---preserve access privacy
Key merits User privacy is preserved from
The cloud The proxy server Other users
![Page 68: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/68.jpg)
Efficient Information Retrieval for Ranked Queries (EIRQ)
Problem for Simple COPS No ranked queries The cloud returns all matched files
![Page 69: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/69.jpg)
Queries are classified into 0,1,…,r-1 ranks.
Rank-i query retrieves (1-i/r) percentage of matched files
Files that match rank 0 queries
Files that match rank 1 queries Files that match
rank i queries
Will not be filtered Filtered with probability 1/r
Filtered with probability i/r
……… …
The cloud
Cannot know which files are filtered/returned
Cannot know each queries’ rank
Efficient Information Retrieval for Ranked Queries (EIRQ)
![Page 70: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/70.jpg)
Key techniques: Construct a mask matrix to protect query ranks Filter files without knowing which files are filtered
QueryGenStep 1:
User ADL CloudKeywords,
rank
FileFilter
FileRecovery
MatrixConstruct
Step 2:
Step 4:
Step 3:
Mask matrix
Buffer
Certain percentage of files matching user keywords
Efficient Information Retrieval for Ranked Queries (EIRQ)
![Page 71: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/71.jpg)
ADL constructs a mask matrix that is encrypted with its publics key, and sends it to the cloud
Cloud
ADL
A
B
C
D
[1] [1]
[1] [1]
[1] [0]
[0] [0]
… …
[0] [0]
{A, B} Rank 0
{A, C} Rank 1
Alice
Bob
Number of ranks, r=2
Number of keywords
Construct Mask Matrix
![Page 72: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/72.jpg)
Cloud
F1: { A, B}
F1: { A, B} F2: {B,
D} F2: {B, D} F3: {C,
D} F3: {C, D}
buffer
ADL
…
A
B
C
D
[1] [1]
[1] [1]
[1] [0]
[0] [0]
… …
[0] [0]
The cloud chooses a random column for each file …
F1 and F2 will be returnedF3 will be filtered with 50%
A file, matched rank i query,the probability to be filtered i/r
For F3: 50% 50%E(0)*E(0)=E(0) E(0)*E(0)=E(0)E(0)^F3 =E(0) E(1)^ F3 =E(F3)
Filter Files
![Page 73: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/73.jpg)
Evaluation
![Page 74: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/74.jpg)
Evaluation
![Page 75: Securely Using Cloud Computing Services Qin Liu Email: gracelq628@126.comgracelq628@126.com Hunan University Part I](https://reader035.vdocument.in/reader035/viewer/2022081506/56649d0c5503460f949e0a0e/html5/thumbnails/75.jpg)
75
Questions?