Related literature
1.
For the last few years, academia and research organizations have been continuously investigating and resolving the security and privacy issues of the mobile cloud computing environment. An additional consideration in designing security services for the mobile cloud computing environment is the resource-constrained mobile device: executing computationally intensive security services on a mobile device drains its battery quickly. In this regard, the study presents a novel energy-efficient block-based sharing scheme that provides confidentiality and integrity services for mobile users in the cloud environment. The block-based sharing scheme is compared with existing schemes on the basis of energy consumption, CPU utilization, memory utilization, encryption time, decryption time, and turnaround time. The experimental results show that the block-based sharing scheme consumes less energy, reduces resource utilization, improves response time, and provides better security services to mobile users in the presence of fully untrusted cloud server(s) than the existing security schemes.

2.
Cloud computing is an emerging computing paradigm that offers on-demand, flexible, and elastic computational and storage services for end-users. Small and medium-sized business organizations with limited budgets can enjoy the scalable services of the cloud. However, migrating organizational data to the cloud raises security and privacy issues. To keep the data confidential, it should be encrypted with a cryptographic method that provides fine-grained and efficient access to the uploaded data without affecting the scalability of the system. In a mobile cloud computing environment, the selected scheme should be computationally secure and must be capable of offloading computationally intensive security operations to the cloud in a trusted mode, because mobile devices are resource-constrained. The existing manager-based re-encryption and cloud-based re-encryption schemes are computationally secure and capable of offloading the computationally intensive data access operations to the trusted entity/cloud. Despite this offloading in manager-based and cloud-based re-encryption schemes, the mobile user still performs computationally intensive pairing-based encryption and decryption operations using the limited capabilities of the mobile device. In this paper, we propose the Cloud-Manager-based Re-encryption Scheme (CMReS), which combines the characteristics of manager-based re-encryption and cloud-based re-encryption to provide better security services with minimum processing burden on the mobile device. The experimental results indicate that the proposed cloud-manager-based re-encryption scheme shows significant improvement in turnaround time, energy consumption, and resource utilization on the mobile device compared to existing re-encryption schemes.

3.
ABSTRACT

Rapid development in mobile devices and cloud computing technologies has increased the number of mobile services from different vendors on the cloud platform. However, users of these services face different security and access control challenges because no security solution exists that can provide secure access to services from different vendors using a single key. An effective security solution for heterogeneous Mobile Cloud Computing (MCC) services should be able to guarantee confidentiality and integrity through a single-key-based authentication scheme. Meanwhile, a few of the existing authentication schemes for MCC services require different keys to access different services from different vendors on a cloud platform, which increases the complexity and overhead incurred by generating and storing different keys for different services.

In this paper, an efficient mutual authentication scheme for accessing heterogeneous MCC services is proposed. The proposed scheme combines the user's voice signature with cryptographic operations to produce an efficient mutual authentication scheme free of the key escrow problem, allowing authorized users to use a single key to access the heterogeneous MCC services at a reduced cost.

4.
With the rapid development of mobile cloud computing, security becomes a crucial part of communication systems in a distributed mobile cloud computing environment. Recently, in 2015, Tsai and Lo proposed a privacy-aware authentication scheme for distributed mobile cloud computing services. In this paper, we first analyze the Tsai–Lo scheme and show that it is vulnerable to a server impersonation attack, and thus fails to achieve secure mutual authentication. In addition, we also show that the Tsai–Lo scheme does not provide session-key security (SK-security) and strong user credentials' privacy when an ephemeral secret is unexpectedly revealed to the adversary. In order to withstand these security pitfalls found in the Tsai–Lo scheme, we propose a provably secure authentication scheme for distributed mobile cloud computing services. Through rigorous security analysis, we show that our scheme achieves SK-security and strong credentials' privacy and prevents all well-known attacks, including the impersonation attack and the ephemeral secrets leakage attack. Furthermore, we simulate our scheme for formal security analysis using the widely accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool, and show that our scheme is secure against passive and active attacks, including replay and man-in-the-middle attacks. More security functionalities along with reduced computational costs for mobile users make our scheme more appropriate for practical applications than the Tsai–Lo scheme and other related schemes. Finally, to demonstrate the practicality of the scheme, we evaluate the proposed scheme using the broadly accepted NS-2 network simulator.

5.
Given that today's networks are increasingly complex, and that their large numbers of users, many service types, and non-uniform security mechanisms lead to heterogeneous multi-domain situations in SOA environments, a fuzzy-theory-based trust management method is presented and combined with a credential conversion service to form a cross-domain authentication scheme for SOA environments. In this scheme, user domains use the trust management method to guarantee security, service domains combine trust management with certificate authentication to guarantee security, and users can transparently access services in domains that adopt different underlying security mechanisms, achieving secure cross-domain authentication. Analysis shows that the scheme has the advantages of security and generality and can meet the identity authentication requirements of SOA environments.

6.
Since Sahai and Waters introduced the concept of attribute-based encryption, ciphertext-policy attribute-based encryption (CP-ABE) has been favored in many fields because of the breadth of its application scenarios. For users who perform attribute-based encryption and decryption on mobile devices, the battery drain caused by a large number of bilinear pairing operations is uneconomical; at the same time, in cloud environment systems, the dynamic nature of user attributes and the public nature of access structures lead to problems of attribute expiry and user privacy leakage. To address these problems, a privacy-preserving attribute-based encryption scheme supporting user revocation is constructed, which fully hides the access structure and flexibly realizes user revocation through a key-update mechanism. At the same time, the scheme outsources the computationally expensive bilinear pairing operations to the cloud storage provider to reduce the computational cost for mobile device users; to curb misbehavior by the cloud or malicious attacks against it, the scheme provides a verification function for the transformed ciphertext, ensuring that the transformed ciphertext has not been illegally replaced, which makes it better suited to secure mobile cloud applications.

7.
石宇清, 凌捷. 《计算机科学》 2020, 47(4): 292-297
As a one-to-many encryption mechanism, attribute-based encryption can provide cloud storage with good security and fine-grained access control. However, in ciphertext-policy attribute-based encryption, one decryption private key may correspond to multiple users, so a user may illegally share their private key for improper gain, and a semi-trusted attribute authority may also issue decryption private keys to illegitimate users. In addition, the number of exponentiations required to encrypt a message grows with the complexity of the access policy, and the resulting computational overhead poses a major challenge to users who encrypt on mobile devices. To address this, this paper proposes an online/offline ciphertext-policy attribute-based encryption scheme with a large attribute universe in which both users and the attribute authority are traceable. The scheme is constructed over prime-order bilinear groups; traceability is achieved by embedding the user's identity information in that user's private key, and online/offline encryption is used to shift most of the encryption cost to the offline phase. Finally, proofs of selective security and traceability in the standard model are given. Analysis shows that the scheme's encryption cost is concentrated in the offline phase and the storage cost for traceability is very low, so it is suitable for user groups that encrypt using resource-constrained mobile devices.

8.
The majority of mobile apps use credentials to provide an automatic login function. Credentials are security tokens based on a user's ID and password information. They are created at initial authentication, and credential authentication then replaces user verification. However, because the credential management of most Android apps is currently very insecure, duplicating and using another user's credentials would allow an attacker to view personal information stored on the server. Therefore, in this paper, we analyze the vulnerability of some major mobile SNS apps to credential duplication that would enable access to personal information. To address the identified weaknesses, we propose a secure credential management scheme. The proposed scheme first differentiates the credential from the smart device using an external device. Using a security mechanism, the credential is then linked with the smart device. This ensures that the credential will be verified by the specific smart device. Furthermore, based on experimental results using a prototype security mechanism, the proposed scheme is shown to be a very useful solution because of its minimal additional overhead.

9.
With the continual growth in the number of cloud storage users, data deduplication technology has been widely applied. How to better protect user data privacy and realize secure multi-party computation on the client side while achieving efficient deduplication is a hot research problem in cloud computing security. This work is the first to consider the problem of user control over the deduplication process; it introduces a security-condition mechanism based on user attributes and proposes a deduplication method based on user-defined security conditions. File identifiers constructed from bilinear maps are used for data lookup, ensuring that the identifiers leak no plaintext information about the data. A deduplication method combining file-level and block-level deduplication improves the efficiency of deduplication operations. Proof of data ownership is implemented based on secure multi-party computation theory and Bloom filters, ensuring that only authorized users can obtain access to the data and guarding against channel eavesdropping attacks by malicious users. Broadcast encryption is used to protect the data encryption keys, achieving secure and efficient deduplication. The security and correctness of the scheme are analyzed and proven, and simulation experiments verify its feasibility and effectiveness.

10.
Due to the limited computational capability of mobile devices, research organizations and academia are working on computationally secure schemes that are capable of offloading computationally intensive data access operations to the cloud/trusted entity for execution. Most of the existing security schemes, such as proxy re-encryption, manager-based re-encryption, and cloud-based re-encryption, are based on the ElGamal cryptosystem for offloading the computationally intensive data access operation to the cloud/trusted entity. However, the resource-hungry pairing-based cryptographic operations, such as encryption and decryption, are executed using the limited computational power of the mobile device. Similarly, if the data owner wants to modify an encrypted file uploaded to the cloud storage, after modification the data owner must encrypt and upload the entire file to the cloud storage without regard to which portion(s) of the file were altered. In this paper, we propose an incremental version of the proxy re-encryption scheme to improve the file modification operation and compare it with the original version of the proxy re-encryption scheme on the basis of turnaround time, energy consumption, CPU utilization, and memory consumption while executing the security operations on a mobile device. The incremental version of the proxy re-encryption scheme shows significant improvement in results when performing file modification operations using the limited processing capability of mobile devices.

11.
With the advance of parallel computing technology, cloud services have become popular and are easy to use anywhere. Cloud refers to application systems that are executed within the cloud and operated via Internet-enabled devices. Cloud computing does not rely on the use of cloud storage, as the data will be removed upon the user's download action. Clouds can be classified as public, private, and hybrid. Cloud services are ubiquitous: cloud service users can use their services anywhere, at any time. This is convenient. However, there is a trade-off: if a user's username and password are compromised, the user's cloud system is in danger and their confidential information is in jeopardy. Anywhere, anytime, and on any device, a cloud user's credentials could be in jeopardy. Security concerns play a major role in the cloud and are the biggest obstacle to its development. Nevertheless, the cloud remains popular, and it remains vulnerable to hacking because of one-channel user authentication. Therefore, this research proposes two-channel user authentication using USB to strengthen security.

12.
Authenticating users for mobile cloud apps has been a major security issue in recent years. Traditional passwords ensure the security of mobile applications, but they also require extra effort from users to memorize complex passwords. Seed-based authentication can simplify the authentication process for mobile users. In seed-based authentication, images can be used as credentials for a mobile app: a seed is extracted from an image and used to generate one-time tokens for login. Compared to complex passwords, images are friendlier to mobile users. Previous work on seed-based authentication focused on providing authentication from a single device. It is common for a mobile user to have two or more mobile devices. Authenticating the same user on different devices is challenging in several respects, such as maintaining the same credential across multiple devices and distinguishing different users. In this article, we aimed at developing a solution to address these issues. We proposed multiple-device authentication algorithms to identify users. We adopted a one-time token paradigm to ensure the security of mobile applications. In addition, we tried to minimize the authentication latency for better performance. Our simulation showed that the proposed algorithms can improve the average latency of authentication by up to 40% compared to single-device solutions.

13.
仲红, 崔杰, 朱文龙, 许艳. 《软件学报》 2018, 29(7): 2006-2017
Mobile cloud computing is a revolutionary computing model for mobile applications; its principle is to move data storage and computing from mobile terminal devices to cloud servers with abundant resources and strong computing power. However, this transfer also raises security issues such as secure data storage, fine-grained access control, and user anonymity. Although existing multi-authority attribute-based encryption access control schemes for cloud storage data can achieve confidentiality and fine-grained access control for cloud storage data, they incur large computational overhead in the encryption and decryption phases and are not suitable for direct application on mobile devices with limited power. Moreover, although decryption can be outsourced to reduce the decryption cost, it is usually outsourced to a third party that is not fully trusted, which cannot fully guarantee the correctness of decryption. To address these challenges, this paper proposes an efficient verifiable multi-authority attribute-based encryption scheme that not only reduces the computational cost of encryption and decryption but also verifies the correctness of outsourced decryption and protects user privacy. Finally, security analysis and simulation experiments demonstrate the security and efficiency of the scheme.

14.
This paper presents a novel collaboration scheme for secure cloud file sharing using blockchain and attribute-based encryption (ABE). Blockchain enables us to implement access control as a smart contract between the data owner and users. Each data owner creates its own smart contract, wherein a data user can request access to a specific file by registering a transaction. In the response transaction, the data owner sends the required credential to the user, thereby enabling her/him to decrypt the intended file on the cloud storage. This scheme is decentralized, fault tolerant, and secure against DoS attacks. The cipher-key, which is used for file encryption, is embedded into a set of coefficients of a polynomial, the so-called access polynomial. It is attached to the encrypted file on the cloud storage as metadata. The data user can restore the cipher-key by means of the credential received in the response transaction and the access polynomial. The data owner uses the ABE scheme in the response transaction to impose her/his access policy on the file as well as to preserve user anonymity. This scheme supports fast revocation of user access by updating the access polynomial coefficients, without any communication overhead to non-revoked users. Through formal verification, we show that the scheme is secure in terms of secrecy of credential information and authentication of participants. Finally, the evaluation results show that our scheme is scalable with acceptable performance up to 20,000 users.

15.
张亚兵, 邢镔, 王健. 《计算机应用研究》 2021, 38(12): 3765-3770
In industrial Internet applications, because of differences in the computing and storage capabilities of heterogeneous nodes, cloud solutions are usually adopted to provide data storage and data access services. Access control in cloud storage, such as the extended multi-authority cloud storage data access control scheme (NEDAC-MACS), is the cornerstone for guaranteeing the security and privacy of data in cloud storage. An attack is given to demonstrate that in NEDAC-MACS a revoked user can still decrypt new ciphertexts; a scheme for enhancing the security of NEDAC-MACS is then proposed that can resist collusion attacks between the cloud server and users. Finally, formal cryptanalysis and performance analysis show that the scheme can resist collusion attacks among unauthorized users as well as between the cloud server and users, and guarantees forward security, backward security, and data confidentiality.

16.
Attribute-based encryption schemes in traditional cloud environments usually determine a user's access rights only from conventional user attributes such as age and occupation, ignoring constraints on access time and location. To better meet the real-time and mobility requirements of edge computing, a multi-authority outsourced attribute-based encryption scheme supporting time and location constraints is proposed. By introducing time-domain and location-domain information into the attribute encryption process simultaneously, finer-grained access control is achieved. Multiple authorities jointly manage attribute information, removing the performance bottleneck of a single authority and meeting users' cross-domain access needs. To address the resource constraints of mobile terminals in edge computing, most of the decryption computation is outsourced to edge nodes, reducing the burden on mobile terminal devices. Analysis shows that, in an edge computing environment, the scheme achieves time- and location-constrained access control with low computation and storage overhead and can effectively protect user data security.

17.
A TrustZone-based secure cloud service access scheme for trusted mobile terminals
杨波, 冯登国, 秦宇, 张英骏. 《软件学报》 2016, 27(6): 1366-1383
Trusted cloud architectures provide cloud computing users with a secure and trusted execution environment for cloud services, protecting the computation and storage security of users' private data. However, in today's era of rapidly developing mobile cloud computing, there is still no secure solution for mobile terminals to access trusted cloud services. To address this problem, a secure cloud service access scheme for trusted mobile terminals is proposed. The scheme fully considers the application context of mobile cloud computing: it uses ARM TrustZone hardware isolation to build a trusted mobile terminal, protecting the secure execution of the cloud service client and security-sensitive operations on the mobile terminal, and, combined with physical unclonable function technology, presents a mechanism for managing keys and sensitive data on the mobile terminal. On this basis, drawing on the ideas of trusted computing, a secure cloud service access protocol is designed that is compatible with trusted cloud architectures and provides end-to-end authentication between the cloud service and the mobile client. Six security properties of the scheme are analyzed, a mobile cloud storage application instance based on the scheme is given, and a prototype system is implemented. Experimental results show that the trusted mobile terminal has a small TCB and that the scheme has good scalability, good security controllability, and high overall efficiency.

18.
The emergence of cloud environments makes it convenient for users to synchronize files across platforms and devices. However, data security and privacy are still critical issues in public cloud environments. In this paper, a private cloud storage service that addresses security and performance concerns is proposed. A data deduplication scheme is designed in the proposed private cloud storage system to reduce cost and increase storage efficiency. Moreover, the Cloud Data Management Interface (CDMI) standard is implemented in the proposed system to increase interoperability. The proposed service provides an easy way for users to establish the system and access data across devices conveniently. The experimental results also show the superiority of the proposed interoperable private cloud storage service in terms of data transmission and storage efficiency. By comparison with the existing system Gluster Swift, the proposed system is shown to be much more suitable for service environments where most of the transmitted data are small files.

19.
In recent years, with the continual improvement in mobile device performance and the rapid development of the mobile Internet, more and more mobile terminals participate in cloud data storage and sharing. To better address the security and efficiency problems of resource-constrained mobile devices participating in cloud data sharing, an efficient attribute-based keyword search encryption scheme is proposed based on an AND-gate access structure that supports wildcards, and it is proven to satisfy indistinguishability under chosen-keyword attack and keyword security in the standard model. The scheme uses Vieta's formulas so that each attribute is represented by only one element; the index length is fixed, and the lengths of the trapdoor and the key, as well as the computational complexity of the trapdoor and search algorithms, are proportional to the upper bound on the number of wildcards usable in the access structure. At the same time, the secure channel for transmitting the index and trapdoor is removed, further reducing overhead. Efficiency analysis shows that, compared with other schemes, the scheme has lower computation and communication overhead and is better suited to mobile cloud storage environments.

20.
To let mobile devices decrypt outsourced data stored in the cloud more conveniently and quickly, an improved asymmetric cross-cryptosystem proxy re-encryption (MACPRE) scheme is proposed, built on an identity-based broadcast encryption (IBBE) system and an identity-based encryption (IBE) system and using the outsourced decryption technique of Green et al. (GREEN M, HOHENBERGER S, WATERS B. Outsourcing the decryption of ABE ciphertexts. Proceedings of the 20th USENIX Conference on Security. Berkeley: USENIX Association, 2011: 34). The scheme is better suited to secure sharing of cloud data by mobile devices with limited computing power. When decrypting re-encrypted data, a mobile user can recover the plaintext with one exponentiation and one pairing operation, greatly improving the decryption efficiency and reducing the energy consumption of mobile users. The security of the scheme reduces to the security of the underlying IBE and IBBE schemes. Theoretical analysis and experimental results show that the scheme allows mobile devices to decrypt data stored in the cloud in less time, alleviating the limited computing power of mobile devices, and is highly practical.
