Hourglass schemes: how to prove that cloud files are encrypted

We consider the following challenge: How can a cloud storage provider prove to a tenant that it's encrypting files at rest, when the provider itself holds the corresponding encryption keys? Such proofs demonstrate sound encryption policies and file confidentiality. (Cheating, cost-cutting, or misconfigured providers may bypass the computation/management burdens of encryption and store plaintext only.) To address this problem, we propose hourglass schemes, protocols that prove correct encryption of files at rest by imposing a resource requirement (e.g., time, storage or computation) on the process of translating files from one encoding domain (i.e., plaintext) to a different, target domain (i.e., ciphertext). Our more practical hourglass schemes exploit common cloud infrastructure characteristics, such as limited file-system parallelism and the use of rotational hard drives for at-rest files. For files of modest size, we describe an hourglass scheme that exploits trapdoor one-way permutations to prove correct file encryption whatever the underlying storage medium. We also experimentally validate the practicality of our proposed schemes, the fastest of which incurs minimal overhead beyond the cost of encryption. As we show, hourglass schemes can be used to verify properties other than correct encryption, e.g., embedding of "provenance tags" in files for tracing the source of leaked files. Of course, even if a provider is correctly storing a file as ciphertext, it could also store a plaintext copy to service tenant requests more efficiently. Hourglass schemes cannot guarantee ciphertext-only storage, a problem inherent when the cloud manages keys. By means of experiments in Amazon EC2, however, we demonstrate that hourglass schemes provide strong incentives for economically rational cloud providers against storage of extra plaintext file copies.

[1]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[2]  References , 1971 .

[3]  Moni Naor,et al.  Pricing via Processing or Combatting Junk Mail , 1992, CRYPTO.

[4]  Moni Naor,et al.  Digital signets: self-enforcing protection of digital information (preliminary version) , 1996, STOC '96.

[5]  Ronald L. Rivest,et al.  Time-lock Puzzles and Timed-release Crypto , 1996 .

[6]  Ronald L. Rivest,et al.  All-or-Nothing Encryption and the Package Transform , 1997, FSE.

[7]  Ari Juels,et al.  $evwu Dfw , 1998 .

[8]  Markus Jakobsson,et al.  Proofs of Work and Bread Pudding Protocols , 1999, Communications and Multimedia Security.

[9]  Stanislaw Jarecki,et al.  Cryptographic Primitives Enforcing Communication and Storage Complexity , 2002, Financial Cryptography.

[10]  Joseph Y. Halpern,et al.  Rational secret sharing and multiparty computation: extended abstract , 2004, STOC '04.

[11]  Ted Wobber,et al.  Moderately hard, memory-bound functions , 2005, TOIT.

[12]  Radu Sion,et al.  Query Execution Assurance for Outsourced Databases , 2005, VLDB.

[13]  Moni Naor,et al.  Pebbling and Proofs of Work , 2005, CRYPTO.

[14]  Elaine Shi,et al.  Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems , 2005, SOSP '05.

[15]  David Naccache,et al.  Alien vs. Quine , 2007, IEEE Security & Privacy.

[16]  Reza Curtmola,et al.  Provable data possession at untrusted stores , 2007, CCS '07.

[17]  Ari Juels,et al.  Pors: proofs of retrievability for large files , 2007, CCS '07.

[18]  Sharon Goldberg,et al.  Rationality and traffic attraction: incentives for honest path announcements in bgp , 2008, SIGCOMM '08.

[19]  Yevgeniy Dodis,et al.  Proofs of Retrievability via Hardness Amplification , 2009, IACR Cryptol. ePrint Arch..

[20]  Jonathan Katz,et al.  Proofs of Storage from Homomorphic Identification Protocols , 2009, ASIACRYPT.

[21]  Tim Roughgarden,et al.  Algorithmic Game Theory , 2007 .

[22]  Markus Jakobsson,et al.  Retroactive Detection of Malware with Applications to Mobile Platforms , 2010, HotSec.

[23]  Gene Tsudik,et al.  Secure Code Update for Embedded Devices via Proofs of Secure Erasure , 2010, ESORICS.

[24]  Stefan Dziembowski,et al.  One-Time Computable Self-erasing Functions , 2011, TCC.

[25]  Hovav Shacham,et al.  Compact Proofs of Retrievability , 2008, Journal of Cryptology.

[26]  Quanyan Zhu,et al.  Game theory meets network security and privacy , 2013, CSUR.