Secure searching on cloud storage enhanced by homomorphic indexing

Enterprise cloud tenants would store their outsourced cloud data in encrypted form for data privacy and security. However, flexible data access functions such as data searching is usually sacrificed as a result. Thus, enterprise tenants demand secure data retrieval and computation solution from the cloud provider, which will allow them to utilize cloud services without the risks of leaking private data to outsiders and even service providers.In this paper, we propose an exclusive-or (XOR) homomorphism encryption scheme to support secure keyword searching on encrypted data for cloud storage. First, this scheme specifies a new data protection method by encrypting the keyword and randomizing it by performing XOR operation with a random bit-string for each session to protect access pattern leakage; Secondly, the homomorphic evaluation key enables the searching evaluation to be on-demand calculated, thus it removes the dependency of key storage on cloud and enhance protection against cloud’s violability; Thirdly, this scheme can effectively protect data-in-transit against passive attack such as access pattern analysis due to the randomization. This scheme also can reduce data leakage to service provider because the homomorphism-key solution instead of key storage on cloud. The above three features have been proved by the experiments and further tested out at Email service which can support secure subject searching. The execution time of one searching process is just in the order of milliseconds. We could get 2–3 times speedup compared to default utility grep with the concern of expensive one-time indexing which can be built off-line in advance.     

Accountable privacy preserving attribute-based access control for cloud services enforced using blockchain

International Journal of Information Security - When dealing with cloud services, there are important security requirements that are highly recommended to be achieved, notably, access control....     

基于属性加密的云存储隐私保护机制研究

以典型的云存储体系结构为研究对象,从数据拥有者、云服务器、授权机构、用户以及用户撤销机制5个方面对云存储系统的隐私保护机制进行了研究,通过分析比较发现,云存储系统中的隐私保护问题主要可以分为系统参与者的身份隐私问题、敏感属性信息泄露问题、云存储系统敏感内容信息泄露问题。针对上述问题,研究了当前基于属性加密的云存储系统隐私保护机制,并讨论了其中存在的不足、可能的解决方案以及未来可能的研究方向。     

CryptoCT: towards privacy preserving color transfer and storage over cloud

Multimedia Tools and Applications - Current trend toward cloud computing coupled with emerging technologies such as high definition images/videos and 360-degree videos, has led the requirement of...     

A privacy preserving authorisation system for the cloud

In this paper we describe a policy based authorisation infrastructure that a cloud provider can run as an infrastructure service for its users. It will protect the privacy of users? data by allowing the users to set their own privacy policies, and then enforcing them so that no unauthorised access is allowed to their data. The infrastructure ensures that the users? privacy policies are stuck to their data, so that access will always be controlled by the policies even if the data is transferred between cloud providers or services. This infrastructure also ensures the enforcement of privacy policies which may be written in different policy languages by multiple authorities such as: legal, data subject, data issuer and data controller. A conflict resolution strategy is presented which resolves conflicts among the decisions returned by the different policy decision points (PDPs). The performance figures are presented which show that the system performs well and that each additional PDP only imposes a small overhead.     

Secure proof of storage with deduplication for cloud storage systems

Explosion of multimedia content brings forth the needs of efficient resource utilization using the state of the arts cloud computing technologies such as data deduplication. In the cloud computing environments, achieving both data privacy and integrity is the challenging issue for data outsourcing service. Proof of Storage with Deduplication (POSD) is a promising solution that addresses the issue for the cloud storage systems with deduplication enabled. However, the validity of the current POSD scheme stands on the strong assumption that all clients are honest in terms of generating their keys. We present insecurity of this approach under new attack model that malicious clients exploit dishonestly manipulated keys. We also propose an improved POSD scheme to mitigate our attack.     

云存储中基于属性的关键词搜索加密方案研究

为保证云端敏感数据安全性的同时提高数据共享效率,提出了一种安全、灵活、高效的基于属性的关键词搜索加密方案。方案中设计了一种需要数据拥有者私钥参与的索引生成机制抵抗关键词猜测攻击,基于线性秘密共享访问结构描述用户的搜索权限,支持一对多应用场景,借鉴连接子集关键词搜索技术和在线/离线思想提高搜索的灵活性和效率。理论分析与实验评估结果表明,该方案具有较高的效率。     

Integrity-verifiable conjunctive keyword searchable encryption in cloud storage

Conjunctive searchable encryption is an efficient way to perform multi-keyword search over encrypted data in cloud storage. However, most existing methods do not take into account the integrity verification of the search result. Moreover, existing integrity verification methods can only verify the integrity of single-keyword search results, which cannot meet the requirements of conjunctive search. To address this problem, we proposed a conjunctive keyword searchable encryption scheme with an authentication mechanism that can efficiently verify the integrity of search results. The proposed scheme is based on the dynamic searchable symmetric encryption and adopts the Merkle tree and bilinear map accumulator to prove the correctness of set operations. It supports conjunctive keyword as input for conjunctive search and gives the server the ability to prove the integrity of the search result to the user. Formal proofs and extensive experiments show that the proposed scheme is efficient, unforgeable and adaptive secure against chosen-keyword attacks.     

云环境下一种隐私文件分类存储与保护方案*

针对云计算环境下存储的隐私文件会造成隐私泄漏、信息量过载,使用传统加密算法对隐私文件进行加密后再外包给云的方法严重影响了隐私文件的可检索性问题进行研究,提出了一种既能够有效减少云环境中信息存储量过载,同时又能够满足隐私文件的加密保护和检索的方案。该方案首先对隐私文件进行分类,将直接隐私文件存储在数据拥有者本地存储器,非直接隐私文件则加密后上传云环境中存储,实现了隐私文件的分类存储和安全保护。然后基于改进的哈希列表建立了一个包含文件属性描述的文件检索索引、生成了文件检索陷门,实现了使用关键词在密文状态下完成文件检索。最后,通过详细的理论分析和实验对比分析证明了方案的可行性和实用性。     

Verifiable searchable symmetric encryption for conjunctive keyword queries in cloud storage

Searchable symmetric encryption (SSE) has been introduced for secure outsourcing the encrypted database to cloud storage, while maintaining searchable features. Of various SSE schemes, most of them assume the server is honest but curious, while the server may be trustless in the real world. Considering a malicious server not honestly performing the queries, verifiable SSE (VSSE) schemes are constructed to ensure the verifiability of the search results. However, existing VSSE constructions only focus on single-keyword search or incur heavy computational cost during verification. To address this challenge, we present an efficient VSSE scheme, built on OXT protocol (Cash et al., CRYPTO 2013), for conjunctive keyword queries with sublinear search overhead. The proposed VSSE scheme is based on a privacy-preserving hash-based accumulator, by leveraging a well-established cryptographic primitive, Symmetric Hidden Vector Encryption (SHVE). Our VSSE scheme enables both correctness and completeness verifiability for the result without pairing operations, thus greatly reducing the computational cost in the verification process. Besides, the proposed VSSE scheme can still provide a proof when the search result is empty. Finally, the security analysis and experimental evaluation are given to demonstrate the security and practicality of the proposed scheme.     

面向移动终端的隐私数据安全存储及自毁方案

针对移动终端隐私数据的安全问题,结合数据压缩、门限秘密共享和移动社交网络,提出一种面向移动终端的隐私数据安全存储及自毁方案.首先,对移动隐私数据进行无损压缩获得压缩数据.然后,使用对称密钥对压缩数据进行对称加密获得原始密文.接着,将原始密文分解成两部分密文块:其中一部分密文块与时间属性结合并封装成移动数据自毁对象(MDSO)后保存到云服务器中;另一部分密文块与对称密钥和时间属性结合,再经过拉格朗日多项式处理后获得密文分量.最后,将这些密文分量分别嵌入图片并共享到移动社交网络.当超过授权期后,任何用户都无法获取密文块重组出原始密文,从而无法恢复隐私数据,最终实现移动隐私数据的安全自毁.实验结果表明:当文件为10 KB时,压缩和加密时间之和仅为22 ms,说明所提方案性能开销较低.综合分析亦表明该方案具备较高安全性,能有效抵抗安全攻击,保护移动隐私数据的隐私安全.     

Privacy-aware searching with oblivious term matching for cloud storage

Encryption ensures confidentiality of the data outsourced to cloud storage services. Searching the encrypted data enables subscribers of a cloud storage service to access only relevant data, by defining trapdoors or evaluating search queries on locally stored indexes. However, these approaches do not consider access privileges while executing search queries. Furthermore, these approaches restrict the searching capability of a subscriber to a limited number of trapdoors defined during data encryption. To address the issue of privacy-aware data search, we propose Oblivious Term Matching (OTM). Unlike existing systems, OTM enables authorized subscribers to define their own search queries comprising of arbitrary number of selection criterion. OTM ensures that cloud service provider obliviously evaluates encrypted search queries without learning any information about the outsourced data. Our performance analysis has demonstrated that search queries comprising of 2 to 14 distinct search criteria cost only 0.03 to 1.09 $ per 1000 requests.     

Secure and efficient privacy-preserving public auditing scheme for cloud storage

Cloud computing poses many challenges on integrity and privacy of users’ data though it brings an easy, cost-effective and reliable way of data management. Hence, secure and efficient methods are needed to ensure integrity and privacy of data stored at the cloud. Wang et al. proposed a privacy-preserving public auditing protocol in 2010 but it is seriously insecure. Their scheme is vulnerable to attacks from malicious cloud server and outside attackers regarding to storage correctness. So they proposed a scheme in 2011 with an improved security guarantee but it is not efficient. Thus, in this paper, we proposed a scheme which is secure and with better efficiency. It is a public auditing scheme with third party auditor (TPA), who performs data auditing on behalf of user(s). With detail security analysis, our scheme is proved secure in the random oracle model and our performance analysis shows the scheme is efficient.     

可验证的多用户云加密关键字搜索方案

针对云环境下多用户访问和大数据量存储的特点,提出了一种云环境下加密关键字搜索方案。与已有的大多数方案相比,该方案使用签名绑定关键字索引和其关联加密文件,实现了查询结果完备性和完整性的验证,使用重加密技术实现了多用户隐查询,并动态更新用户查询权限。此外,该方案在查询过程中使用哈希查询优化索引结构,实现了对云数据的快速访问。安全性分析表明,该方案是安全的;性能分析及仿真实验结果表明该方案和已有的一些算法相比有了较大的性能提升。     

A hybrid solution for privacy preserving medical data sharing in the cloud environment

Storing and sharing of medical data in the cloud environment, where computing resources including storage is provided by a third party service provider, raise serious concern of individual privacy for the adoption of cloud computing technologies. Existing privacy protection researches can be classified into three categories, i.e., privacy by policy, privacy by statistics, and privacy by cryptography. However, the privacy concerns and data utilization requirements on different parts of the medical data may be quite different. The solution for medical dataset sharing in the cloud should support multiple data accessing paradigms with different privacy strengths. The statistics or cryptography technology alone cannot enforce the multiple privacy demands, which blocks their application in the real-world cloud. This paper proposes a practical solution for privacy preserving medical record sharing for cloud computing. Based on the classification of the attributes of medical records, we use vertical partition of medical dataset to achieve the consideration of different parts of medical data with different privacy concerns. It mainly includes four components, i.e., (1) vertical data partition for medical data publishing, (2) data merging for medical dataset accessing, (3) integrity checking, and (4) hybrid search across plaintext and ciphertext, where the statistical analysis and cryptography are innovatively combined together to provide multiple paradigms of balance between medical data utilization and privacy protection. A prototype system for the large scale medical data access and sharing is implemented. Extensive experiments show the effectiveness of our proposed solution.     

XML privacy protection model based on cloud storage

When eXtensible Markup Language (XML) becomes a widespread data representation and exchange format for Web applications, safeguarding the privacy of data represented in XML documents can be indispensable. In this paper, we propose an XML privacy protection model by separating the structure and content, and with cloud storage to save content information and Trusted Third Party (TTP) to help manage structure information. To protect data privacy more effectively, we will create different Document Type Definition (DTD) views for different users according to users' privacy practice and the provider's privacy preferences. To further speed up the process of gaining access to data we will adopt the start–end region encoding scheme to encode the nodes in XML document and DTD views. The experiment result shows that this mechanism has a good performance in space and time.