Cloud data storage security based on cryptographic mechanisms. (La sécurité des données stockées dans un environnement cloud, basée sur des mécanismes cryptographiques)

Recent technological advances have driven the popularity and success of the cloud. This new paradigm is attracting growing interest, since it provides cost-efficient architectures that support the transmission, storage, and intensive computing of data. However, these promising storage services raise many challenging design issues, largely due to the loss of data control. These challenges, namely data confidentiality and data integrity, have significant influence on the security and performance of the cloud system. This thesis aims at overcoming this trade-off, while considering two data security concerns. On the one hand, we focus on data confidentiality preservation, which becomes more complex with flexible data sharing among a dynamic group of users. It requires the secrecy of outsourced data and an efficient sharing of decryption keys between different authorized users. For this purpose, we first propose a new method relying on ID-Based Cryptography (IBC), where each client acts as a Private Key Generator (PKG). That is, the client generates his own public elements and derives his corresponding private key using a secret. Thanks to IBC properties, this contribution is shown to support data privacy and confidentiality, and to be resistant to unauthorized access to data during the sharing process, while considering two realistic threat models, namely an honest-but-curious server and a malicious user adversary. Second, we define CloudaSec, a public-key-based solution, which proposes the separation of subscription-based key management and confidentiality-oriented asymmetric encryption policies. That is, CloudaSec enables flexible and scalable deployment of the solution as well as strong security guarantees for outsourced data in cloud servers. Experimental results, under OpenStack Swift, have proven the efficiency of CloudaSec in scalable data sharing, while considering the impact of the cryptographic operations at the client side.
On the other hand, we address the Proof of Data Possession (PDP) concern. The cloud customer should have an efficient way to perform periodic remote integrity verifications, without keeping the data locally, following three substantial aspects: security level, public verifiability, and performance. This concern is magnified by the client's constrained storage and computation capabilities and the large size of outsourced data. In order to fulfill this security requirement, we first define a new zero-knowledge PDP protocol that provides deterministic integrity verification guarantees, relying on the uniqueness of the Euclidean Division. These guarantees are of interest compared to several proposed schemes that present probabilistic approaches. Then, we propose SHoPS, a Set-Homomorphic Proof of Data Possession scheme, supporting the 3 levels of data verification. SHoPS enables the cloud client not only to obtain a proof of possession from the remote server, but also to verify that a given data file is distributed across multiple storage devices to achieve a certain desired level of fault tolerance. Indeed, we present the set homomorphism property, which extends malleability to set operation properties, such as union, intersection and inclusion. SHoPS presents a high security level and low processing complexity. For instance, SHoPS saves energy within the cloud provider by distributing the computation over multiple nodes. Each node provides proofs of local data block sets. This makes a resulting proof applicable over sets of data blocks, satisfying several needs, such as proofs aggregation
