Layered security for storage at the edge: on decentralized multi-factor access control

In this paper we propose a protocol that allows end-users in a decentralized setup (without requiring any trusted third party) to protect data shipped to remote servers using two factors - knowledge (passwords) and possession (a time based one time password generation for authentication) that is portable. The protocol also supports revocation and recreation of a new possession factor if the older possession factor is compromised, provided the legitimate owner still has a copy of the possession factor. Furthermore, akin to some other recent works, our approach naturally protects the outsourced data from the storage servers themselves, by application of encryption and dispersal of information across multiple servers. We also extend the basic protocol to demonstrate how collaboration can be supported even while the stored content is encrypted, and where each collaborator is still restrained from accessing the data through a multi-factor access mechanism. Such techniques achieving layered security is crucial to (opportunistically) harness storage resources from untrusted entities.

[1]  電子情報通信学会 IEICE transactions on fundamentals of electronics, communications and computer sciences , 1992 .

[2]  Robert H. Deng,et al.  A Generic Framework for Three-Factor Authentication: Preserving Security and Privacy in Distributed Systems , 2011, IEEE Transactions on Parallel and Distributed Systems.

[3]  Teruo Higashino,et al.  Edge-centric Computing: Vision and Challenges , 2015, CCRV.

[4]  David M'Raïhi,et al.  TOTP: Time-Based One-Time Password Algorithm , 2011 .

[5]  Markus Jakobsson,et al.  On Quorum Controlled Asymmetric Proxy Re-encryption , 1999, Public Key Cryptography.

[6]  Matthew Green,et al.  Improved proxy re-encryption schemes with applications to secure distributed storage , 2006, TSEC.

[7]  Nāgārjuna,et al.  A Secure Erasure Code-Based Cloud Storage System with Secure Data Forwarding , 2014 .

[8]  Ejaz Ahmed,et al.  A review on remote data auditing in single cloud server: Taxonomy and open issues , 2014, J. Netw. Comput. Appl..

[9]  Anwitaman Datta,et al.  InterCloud RAIDer: A Do-It-Yourself Multi-cloud Private Data Backup System , 2014, ICDCN.

[10]  Zhenfu Cao,et al.  CCA-Secure Proxy Re-Encryption without Pairings , 2009, IACR Cryptol. ePrint Arch..

[11]  Raul Gracia-Tinedo,et al.  Cloud-as-a-Gift: Effectively Exploiting Personal Cloud Free Accounts via REST APIs , 2013, 2013 IEEE Sixth International Conference on Cloud Computing.

[12]  Benoît Libert,et al.  Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption , 2008, IEEE Transactions on Information Theory.

[13]  Miguel Correia,et al.  DepSky: Dependable and Secure Storage in a Cloud-of-Clouds , 2013, TOS.

[14]  Yevgeniy Dodis,et al.  Proxy Cryptography Revisited , 2003, NDSS.

[15]  Carlos Maltzahn,et al.  Ceph: a scalable, high-performance distributed file system , 2006, OSDI '06.

[16]  M. Mambo,et al.  Proxy Cryptosystems: Delegation of the Power to Decrypt Ciphertexts (Special Section on Cryptography and Information Security) , 1997 .

[17]  Alberto Montresor,et al.  P2P and Cloud: A Marriage of Convenience for Replica Management , 2012, IWSOS.

[18]  David A. Patterson,et al.  Computer Organization and Design, Fifth Edition: The Hardware/Software Interface , 2013 .

[19]  장훈,et al.  [서평]「Computer Organization and Design, The Hardware/Software Interface」 , 1997 .

[20]  Andreas Peter,et al.  A Survey of Provably Secure Searchable Encryption , 2014, ACM Comput. Surv..

[21]  Ran Canetti,et al.  Chosen-ciphertext secure proxy re-encryption , 2007, CCS '07.

[22]  Roberto Tamassia,et al.  Authenticated Data Structures , 2003, ESA.

[23]  Ertem Esiner,et al.  Auditable versioned data storage outsourcing , 2015, Future Gener. Comput. Syst..

[24]  P. Premkumar,et al.  A secure erasure code-based cloud storage system with secure data forwarding , 2013 .

[25]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[26]  John Viega,et al.  Network security using OpenSSL - cryptography for secure communications , 2002 .

[27]  Benjamin Greschbach,et al.  Passwords in peer-to-peer , 2012, 2012 IEEE 12th International Conference on Peer-to-Peer Computing (P2P).

[28]  Yevgeniy Dodis,et al.  Proxy cryptography revisted , 2003 .

[29]  Bryan Parno,et al.  Bootstrapping Trust in a "Trusted" Platform , 2008, HotSec.

[30]  Amos Beimel,et al.  Secret-Sharing Schemes: A Survey , 2011, IWCC.

[31]  Alptekin Küpçü,et al.  ZKPDL: A Language-Based System for Efficient Zero-Knowledge Proofs and Electronic Cash , 2010, USENIX Security Symposium.

[32]  Matt Blaze,et al.  Divertible Protocols and Atomic Proxy Cryptography , 1998, EUROCRYPT.

[33]  John Viega,et al.  Network Security with OpenSSL , 2002 .

[34]  Karl Aberer,et al.  Enabling Secure Secret Sharing in Distributed Online Social Networks , 2009, 2009 Annual Computer Security Applications Conference.

[35]  Hakim Weatherspoon,et al.  RACS: a case for cloud storage diversity , 2010, SoCC '10.

[36]  Anthony Rowe,et al.  The Swarm at the Edge of the Cloud , 2015, IEEE Design & Test.

[37]  Rafail Ostrovsky,et al.  A Survey of Single-Database Private Information Retrieval: Techniques and Applications , 2007, Public Key Cryptography.