Shield: A stackable secure storage system for file sharing in public storage

With the increasing amount of personal data kept in public storage, users are losing control of their physical data, putting that data at risk of theft or compromise. Traditional secure storage systems either require users to trust the storage provider completely or impose on file owners the considerable burden of managing files; such systems are inapplicable in a practical cloud environment. This paper addresses these problems by proposing a new secure system architecture and implementing a stackable secure storage system named Shield, in which a proxy server is introduced to take charge of authentication and access control. We propose a new variant of the Merkle Hash Tree to support efficient integrity checking and file content update; further, we have designed a hierarchical key organization to achieve convenient key management and efficient permission revocation. Shield supports concurrent write access by employing a virtual linked list; it also provides secure file sharing without any modification to the underlying file systems. A series of evaluations over various real benchmarks shows that Shield causes about 7% to 13% performance degradation compared with eCryptfs but provides enhanced security for users' data.
