More Web Proxy on the site http://driver.im/

research-article

Hourglass schemes: how to prove that cloud files are encrypted

Authors:

Marten van Dijk,

Ronald L. Rivest,

Nikos TriandopoulosAuthors Info & Claims

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security

Pages 265 - 280

https://doi.org/10.1145/2382196.2382227

Published: 16 October 2012 Publication History

Abstract

We consider the following challenge: How can a cloud storage provider prove to a tenant that it's encrypting files at rest, when the provider itself holds the corresponding encryption keys? Such proofs demonstrate sound encryption policies and file confidentiality. (Cheating, cost-cutting, or misconfigured providers may bypass the computation/management burdens of encryption and store plaintext only.)

To address this problem, we propose hourglass schemes, protocols that prove correct encryption of files at rest by imposing a resource requirement (e.g., time, storage or computation) on the process of translating files from one encoding domain (i.e., plaintext) to a different, target domain (i.e., ciphertext). Our more practical hourglass schemes exploit common cloud infrastructure characteristics, such as limited file-system parallelism and the use of rotational hard drives for at-rest files. For files of modest size, we describe an hourglass scheme that exploits trapdoor one-way permutations to prove correct file encryption whatever the underlying storage medium.

We also experimentally validate the practicality of our proposed schemes, the fastest of which incurs minimal overhead beyond the cost of encryption. As we show, hourglass schemes can be used to verify properties other than correct encryption, e.g., embedding of "provenance tags" in files for tracing the source of leaked files. Of course, even if a provider is correctly storing a file as ciphertext, it could also store a plaintext copy to service tenant requests more efficiently. Hourglass schemes cannot guarantee ciphertext-only storage, a problem inherent when the cloud manages keys. By means of experiments in Amazon EC2, however, we demonstrate that hourglass schemes provide strong incentives for economically rational cloud providers against storage of extra plaintext file copies.

References

[1]

American Express may have failed to encrypt data. Available at http://www.scmagazine.com/american-express-may-have-failed-to-encrypt-data/article/170997/.

[2]

Sony playstation data breach, 2011. Available at http://en.wikipedia.org/wiki/PlayStation_Network_outage.

[3]

M. Abadi, M. Burrows, M. Manasse, and T. Wobber. Moderately hard, memory-bound functions. ACM Trans. Internet Technol., 5:299--327, May 2005.

Digital Library

[4]

G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song. Provable data possession at untrusted stores. In ACM CCS, pages 598--609, 2007.

Digital Library

[5]

G. Ateniese, S. Kamara, and J. Katz. Proofs of storage from homomorphic identification protocols. In ASIACRYPT '09, pages 319--333, Berlin, Heidelberg, 2009.

Digital Library

[6]

Y. Dodis, S. Vadhan, and D. Wichs. Proofs of retrievability via hardness amplification. In TCC, pages 109--127, 2009.

Digital Library

[7]

C. Dwork, J. Lotspiech, and M.Naor. Digital signets: self-enforcing protection of digital information. In STOC, pages 489--498. ACM, 1996.

Digital Library

[8]

C. Dwork and M. Naor. Pricing via processing or combatting junk mail. In CRYPTO, pages 139--147, 1993.

Digital Library

[9]

C. Dwork, M. Naor, and H. Wee. Pebbling and proofs of work. In CRYPTO, pages 37--54, 2005.

Digital Library

[10]

S. Dziembowski, T. Kazana, and D. Wichs. One-time computable self-erasing functions. In TCC, pages 125--143, 2011.

Digital Library

[11]

E. Giberti. Honesty box: EBS performance revisited. Blog posting, available at http://tinyurl.com/3nqxngv, 2010.

[12]

S. Goldberg, S. Halevi, A. D. Jaggard, V. Ramachandran, and R. N. Wright. Rationality and traffic attraction: incentives for honest path announcements in BGP. In SIGCOMM, pages 267--278, 2008.

Digital Library

[13]

P. Golle, S. Jarecki, and I. Mironov. Cryptographic primitives enforcing communication and storage complexity. In FC '02, pages 120--135, 2003.

Digital Library

[14]

V. Gratzer and D. Naccache. Alien vs. quine. IEEE Security and Privacy, 5(2):26--31, 2007.

Digital Library

[15]

J. Halpern and V. Teague. Rational secret sharing and multiparty computation: extended abstract. In STOC, pages 623--632, 2004.

Digital Library

[16]

M. Jakobsson and K. Johansson. Retroactive detection of malware with applications to mobile platforms. In HotSec, pages 1--13, 2010.

Digital Library

[17]

M. Jakobsson and A. Juels. Proofs of work and bread pudding protocols. In Communications and Multimedia Security, pages 258--272, 1999.

Digital Library

[18]

A. Juels and J. Brainard. Client puzzles: A cryptographic countermeasure against connection depletion attacks. In NDSS, pages 151--165, 1999.

[19]

A. Juels and B. S. K. Jr. PORs: proofs of retrievability for large files. In ACM CCS, pages 584--597, 2007.

Digital Library

[20]

M. Labs and M. F. P. Services. Protecting your critical assets: Lessons learned from "Operation Aurora", 2010. Whitepaper available at http://www.mcafee.com/us/resources/white-papers/wp-protecting-critical-assets.pdf.

[21]

M. H. Manshaei, Q. Zhu, T. Alpcan, and J.-p. Hubaux. Game theory meets network security and privacy. Main, V(April):1--44, 2010.

[22]

N. Nisan, T. Roughgarden, E. Tardos, and V. V. Vazirani. Algorithmic Game Theory. Cambridge University Press, New York, NY, USA, 2007.

Digital Library

[23]

D. Perito and G. Tsudik. Secure code update for embedded devices via proofs of secure erasure. In ESORICS, pages 643--662, 2010.

Digital Library

[24]

R. Rivest. All-or-nothing encryption and the package transform. In Fast Software Encryption, pages 210--218, 1997.

[25]

R. L. Rivest, A. Shamir, and D. A. Wagner. Time-lock puzzles and timed-release crypto. Technical report, 1996.

Digital Library

[26]

A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, and P. Khosla. Pioneer: Verifying code integrity and enforcing untampered code execution on legacy systems. In SOSP, pages 1--16, 2005.

Digital Library

[27]

H. Shacham and B. Waters. Compact proofs of retrievability. In ASIACRYPT, pages 90--107, 2008.

Digital Library

[28]

R. Sion. Query execution assurance for outsourced databases. In VLDB, pages 601--612, 2005.

Digital Library

Cited By

Yuan HChen XLi JJiang TWang JDeng R(2022)Secure Cloud Data Deduplication with Efficient Re-EncryptionIEEE Transactions on Services Computing10.1109/TSC.2019.294800715:1(442-456)Online publication date: 1-Jan-2022
https://doi.org/10.1109/TSC.2019.2948007
Vestergaard RPagnin EKundu RLucani D(2022)Secure Cloud Storage with Joint Deduplication and Erasure Protection2022 IEEE 15th International Conference on Cloud Computing (CLOUD)10.1109/CLOUD55607.2022.00078(554-563)Online publication date: Jul-2022
https://doi.org/10.1109/CLOUD55607.2022.00078
Mishra SMohapatra SMishra BSahoo S(2021)Analysis of Mobile Cloud ComputingResearch Anthology on Architectures, Frameworks, and Integration Strategies for Distributed and Cloud Computing10.4018/978-1-7998-5339-8.ch001(1-24)Online publication date: 2021
https://doi.org/10.4018/978-1-7998-5339-8.ch001
Show More Cited By

Hourglass schemes: how to prove that cloud files are encrypted
1. Security and privacy

Recommendations

Privacy-Preserving Certificateless Cloud Auditing with Multiple Users

Cloud auditing is one of the important processes to ensure the security and integrity of data in cloud storage. Implementing cloud auditing requires various cryptographic tools such as identity-based cryptography and its variant: certificateless ...
ELAR: extremely lightweight auditing and repairing for cloud security
ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications

Cloud storage has been gaining in popularity as an on-line service for archiving, backup, and even primary storage of files. However, due to the data outsourcing, cloud storage also introduces new security challenges, which require a data audit and data ...
ICAuth: A secure and scalable owner delegated inter-cloud authorization
Abstract
This paper proposes a secure inter-cloud authorization scheme using ciphertext-policy attribute-based encryption (CP-ABE). The proposed scheme enables data owners to access files which are stored in cloud storage servers, managed by a ...
Highlights
- An inter-cloud authorization scheme is proposed for secure file sharing.
- Data ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security

October 2012

1088 pages

ISBN:9781450316514

DOI:10.1145/2382196

General Chair:
Ting Yu
North Carolina State University, USA
,
Program Chairs:
George Danezis
Microsoft Research Cambridge, UK
,
Virgil Gligor
Carnegie Mellon University, USA

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 16 October 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'12

Sponsor:

SIGSAC

CCS'12: the ACM Conference on Computer and Communications Security

October 16 - 18, 2012

North Carolina, Raleigh, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

44
Total Citations
View Citations
1,275
Total Downloads

Downloads (Last 12 months)15
Downloads (Last 6 weeks)3

Reflects downloads up to 13 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Yuan HChen XLi JJiang TWang JDeng R(2022)Secure Cloud Data Deduplication with Efficient Re-EncryptionIEEE Transactions on Services Computing10.1109/TSC.2019.294800715:1(442-456)Online publication date: 1-Jan-2022
https://doi.org/10.1109/TSC.2019.2948007
Vestergaard RPagnin EKundu RLucani D(2022)Secure Cloud Storage with Joint Deduplication and Erasure Protection2022 IEEE 15th International Conference on Cloud Computing (CLOUD)10.1109/CLOUD55607.2022.00078(554-563)Online publication date: Jul-2022
https://doi.org/10.1109/CLOUD55607.2022.00078
Mishra SMohapatra SMishra BSahoo S(2021)Analysis of Mobile Cloud ComputingResearch Anthology on Architectures, Frameworks, and Integration Strategies for Distributed and Cloud Computing10.4018/978-1-7998-5339-8.ch001(1-24)Online publication date: 2021
https://doi.org/10.4018/978-1-7998-5339-8.ch001
Kim BYoon Y(2021)Cloud Storage Service Architecture Providing the Eventually Consistent Totally Ordered Commit History of Distributed Key-Value Stores for Data Consistency VerificationElectronics10.3390/electronics1021270210:21(2702)Online publication date: 5-Nov-2021
https://doi.org/10.3390/electronics10212702
Ma JWang MXiong JHu Y(2021)CP-ABE-Based Secure and Verifiable Data Deletion in CloudSecurity and Communication Networks10.1155/2021/88553412021(1-14)Online publication date: 27-Mar-2021
https://doi.org/10.1155/2021/8855341
Kim BKim H(2021)Rocky: Replicating Block Devices for Tamper and Failure Resistant Edge-based Virtualized Desktop InfrastructureProceedings of the 37th Annual Computer Security Applications Conference10.1145/3485832.3485886(285-296)Online publication date: 6-Dec-2021
https://dl.acm.org/doi/10.1145/3485832.3485886
Awadallah RSamsudin ATeh JAlmazrooie M(2021)An Integrated Architecture for Maintaining Security in Cloud Computing Based on BlockchainIEEE Access10.1109/ACCESS.2021.30771239(69513-69526)Online publication date: 2021
https://doi.org/10.1109/ACCESS.2021.3077123
You WChen B(2021)Protocols for Cloud SecurityMachine Learning Techniques and Analytics for Cloud Security10.1002/9781119764113.ch14(293-312)Online publication date: 3-Dec-2021
https://doi.org/10.1002/9781119764113.ch14
Deyannis DPapadogiannaki EKalivianakis GVasiliadis GIoannidis SRoussev VThuraisingham BCarminati BKantarcioglu M(2020)TrustAVProceedings of the Tenth ACM Conference on Data and Application Security and Privacy10.1145/3374664.3375748(39-48)Online publication date: 16-Mar-2020
https://dl.acm.org/doi/10.1145/3374664.3375748
Panwar NSharma SGupta PGhosh DMehrotra SVenkatasubramanian NRoussev VThuraisingham BCarminati BKantarcioglu M(2020)IoT ExpungeProceedings of the Tenth ACM Conference on Data and Application Security and Privacy10.1145/3374664.3375737(283-294)Online publication date: 16-Mar-2020
https://dl.acm.org/doi/10.1145/3374664.3375737
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents