Similar literature
 20 similar documents found; search took 31 ms
1.
Cloud computing is deemed the next-generation information technology (IT) platform, in which a data center is crucial for providing a large amount of computing and storage resources for various service applications with high quality guaranteed. However, cloud users no longer possess their data in a local data storage infrastructure, which would result in auditing for the integrity of outsourced data being a challenging problem, especially for users with constrained computing resources. Therefore, how to help the users complete the verification of the integrity of the outsourced data has become a key issue. Public verification is a critical technique to solve this problem, from which the users can resort to a third-party auditor (TPA) to check the integrity of outsourced data. Moreover, an identity-based (ID-based) public key cryptosystem would be an efficient key management scheme for certificate-based public key setting. In this paper, we combine ID-based aggregate signature and public verification to construct the protocol of provable data integrity. With the proposed mechanism, the TPA not only verifies the integrity of outsourced data on behalf of cloud users, but also alleviates the burden of checking tasks with the help of users' identity. Compared to previous research, the proposed scheme greatly reduces the time of auditing a single task on the TPA side. Security analysis and performance evaluation results show the high efficiency and security of the proposed scheme.

2.
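With the rapid development of outsourced computing services, cloud computing has attracted more and more individuals and enterprises to use the services of outsourcing service providers. Fog computing further extends cloud computing to the network edge; in fog computing, users outsource computing tasks to fog nodes because of their constrained computing resources. However, the mutual distrust between users and fog computing nodes leads to the problem of fair payment. Most existing solutions adopt traditional payment mechanisms that rely on a bank to make payments. To achieve fair payment for outsourced services, this paper proposes a blockchain-based fair payment scheme for outsourced services, in which remuneration is paid through blockchain smart contracts. The proposed scheme ensures that if the fog computing node completes the computing task, the user must pay the fog computing node, and if the fog computing node does not complete the computing task, the user can obtain compensation. System analysis shows that the scheme achieves correctness and fairness of outsourced services, and that its cost is within an acceptable range.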

3.
This paper surveys protocols that verify remote data possession. These protocols have been proposed as a primitive for ensuring the long-term integrity and availability of data stored at remote untrusted hosts. Externalizing data storage to multiple network hosts is becoming widely used in several distributed storage and P2P systems, which urges the need for new solutions that provide security properties for the remote data. Replication techniques cannot ensure on their own data integrity and availability, since they only offer probabilistic guarantees. Moreover, peer dynamics (i.e., peers join and leave at any time) and their potential misbehavior (e.g., free-riding) exacerbate the difficult challenge of securing remote data. To this end, remote data integrity verification protocols have been proposed with the aim to detect faulty and misbehaving storage hosts, in a dynamic and open setting as P2P networks. In this survey, we analyze several of these protocols, compare them with respect to expected security guarantees and discuss their limitations.

4.
Cloud computing poses many challenges on integrity and privacy of users’ data though it brings an easy, cost-effective and reliable way of data management. Hence, secure and efficient methods are needed to ensure integrity and privacy of data stored at the cloud. Wang et al. proposed a privacy-preserving public auditing protocol in 2010 but it is seriously insecure. Their scheme is vulnerable to attacks from malicious cloud server and outside attackers regarding to storage correctness. So they proposed a scheme in 2011 with an improved security guarantee but it is not efficient. Thus, in this paper, we proposed a scheme which is secure and with better efficiency. It is a public auditing scheme with third party auditor (TPA), who performs data auditing on behalf of user(s). With detailed security analysis, our scheme is proved secure in the random oracle model and our performance analysis shows the scheme is efficient.

5.
The advantages of cloud computing encourage individuals and enterprises to outsource their local data storage and computation to cloud server, however, data security and privacy concerns seriously hinder the practicability of cloud storage. Although searchable encryption (SE) technique enables cloud server to provide fundamental encrypted data retrieval services for data-owners, equipping with a result verification mechanism is still of prime importance in practice as semi-trusted cloud server may return incorrect search results. Besides, single keyword search inevitably incurs many irrelevant results which result in waste of bandwidth and computation resources. In this paper, we are among the first to tackle the problems of data-owner updating and result verification simultaneously. To this end, we devise an efficient cryptographic primitive called as verifiable multi-keyword search over encrypted cloud data for dynamic data-owner scheme to protect both data confidentiality and integrity. Rigorous security analysis proves that our scheme is secure against keyword guessing attack (KGA) in standard model. As a further contribution, the empirical experiments over real-world dataset show that our scheme is efficient and feasible in practical applications.

6.
Hao Kun, Xin Junchang, Wang Zhiqiong, Wang Guoren. World Wide Web, 2020, 23(4): 2215-2238

Outsourced data, as the significant component of cloud service, has been widely used due to its convenience, low overhead, and high flexibility. To guarantee the integrity of outsourced data, data owner (DO) usually adopts a third party auditor (TPA) to execute the data integrity verification scheme. However, during the verification process, DO cannot fully confirm the reliability of the TPA, and handing over the verification of data integrity to the untrusted TPA may lead to data security threats. In this paper, we focus on the problem of integrity verification of outsourced data in untrusted environment, that is, how to improve the security and efficiency of data integrity verification without utilizing untrusted TPA. To address the problem, we design a decentralized model based on blockchain consisting of some collaborative verification peers (VPs), each of which maintains a replication of the entire blockchain to avoid maliciously tampering with. Based on the model, we present an advanced data integrity verification algorithm which allows DO to store and check the verification information by writing and retrieving the blockchain. In addition, in order to improve the concurrent performance, we extend the algorithm by introducing the verification group (VG) constituting by some VPs organized by Inner-Group and Inter-Group consensus protocols. We conduct a completed security analysis as well as extensive experiments of our proposed approach, and the evaluation results demonstrate that our proposed approaches achieve superior performance.


7.
In recent times, the Internet of Things (IoT) applications, including smart transportation, smart healthcare, smart grid, smart city, etc. generate a large volume of real-time data for decision making. In the past decades, real-time sensory data have been offloaded to centralized cloud servers for data analysis through a reliable communication channel. However, due to the long communication distance between end-users and centralized cloud servers, the chances of increasing network congestion, data loss, latency, and energy consumption are getting significantly higher. To address the challenges mentioned above, fog computing emerges in a distributed environment that extends the computation and storage facilities at the edge of the network. Compared to centralized cloud infrastructure, a distributed fog framework can support delay-sensitive IoT applications with minimum latency and energy consumption while analyzing the data using a set of resource-constraint fog/edge devices. Thus our survey covers the layered IoT architecture, evaluation metrics, and applications aspects of fog computing and its progress in the last four years. Furthermore, the layered architecture of the standard fog framework and different state-of-the-art techniques for utilizing computing resources of fog networks have been covered in this study. Moreover, we included an IoT use case scenario to demonstrate the fog data offloading and resource provisioning example in heterogeneous vehicular fog networks. Finally, we examine various challenges and potential solutions to establish interoperable communication and computation for next-generation IoT applications in fog networks.

8.
Nowadays, as distance learning is being widely used, multimedia data becomes an effective way for delivering educational contents in online educational systems. To handle the educational multimedia data efficiently, many distance learning systems adopt a cloud storage service. Cloud computing and storage services provide a secure and reliable access to the outsourced educational multimedia contents for users. However, it brings challenging security issues in terms of data confidentiality and integrity. The straightforward way for the integrity check is to make the user download the entire data for verifying them. But, it is inefficient due to the large size of educational multimedia data in the cloud. Recently many integrity auditing protocols have been proposed, but most of them do not consider the data privacy for the cloud service provider. Additionally, the previous schemes suffer from dynamic management of outsourced data. In this paper, we propose a public auditing protocol for educational multimedia data outsourced in the cloud storage. By using random values and a homomorphic hash function, our proposed protocol ensures data privacy for the cloud and the third party auditor (TPA). Also, it is secure against lose attack and tamper attack. Moreover, our protocol is able to support fully dynamic auditing. Security and performance analysis results show that the proposed scheme is secure while guaranteeing minimum extra computation costs.

9.
Cloud computing is a novel computing model that enables convenient and on-demand access to a shared pool of configurable computing resources. Auditing services are highly essential to make sure that the data is correctly hosted in the cloud. In this paper, we investigate the active adversary attacks in three auditing mechanisms for shared data in the cloud, including two identity privacy-preserving auditing mechanisms called Oruta and Knox, and a distributed storage integrity auditing mechanism. We show that these schemes become insecure when active adversaries are involved in the cloud storage. Specifically, an active adversary can arbitrarily alter the cloud data without being detected by the auditor in the verification phase. We also propose a solution to remedy the weakness without sacrificing any desirable features of these mechanisms.

10.
Vehicular fog computing (VFC) has been envisioned as an important application of fog computing in vehicular networks. Parked vehicles with embedded computation resources could be exploited as a supplement for VFC. They cooperate with fog servers to process offloading requests at the vehicular network edge, leading to a new paradigm called parked vehicle assisted fog computing (PVFC). However, each coin has two sides. There is a follow-up challenging issue in the distributed and trustless computing environment. The centralized computation offloading without tamper-proof audit causes security threats. It could not guard against false-reporting, free-riding behaviors, spoofing attacks and repudiation attacks. Thus, we leverage the blockchain technology to achieve decentralized PVFC. Request posting, workload undertaking, task evaluation and reward assignment are organized and validated automatically through smart contract executions. Network activities in computation offloading become transparent, verifiable and traceable to eliminate security risks. To this end, we introduce network entities and design interactive smart contract operations across them. The optimal smart contract design problem is formulated and solved within the Stackelberg game framework to minimize the total payments for users. Security analysis and extensive numerical results are provided to demonstrate that our scheme has high security and efficiency guarantee.

11.
The explosive growth of the Web, the increasing popularity of PCs and the advances in high-speed network access have brought distributed computing into the mainstream. To simplify network programming and to realize component-based software architecture, distributed object models have emerged as standards. One of those models is distributed component object model (DCOM) which is a protocol that enables software components to communicate directly over a network in a reliable, and efficient manner. In this paper, we investigate an aspect of DCOM concerning software architecture and security mechanism. Also, we describe the concept of role-based access control (RBAC) which began with multi-user and multi-application on-line systems pioneered in the 1970s. And we investigate how we can enforce the role-based access control as a security provider within DCOM, specially in access security policy.

12.
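The generation of massive data places a great storage and computation burden on users. The emergence of cloud servers solves this problem well, but while data outsourcing brings convenience to users, it also raises some security issues. To address the security of data during outsourcing, a full-lifecycle security auditing protocol for cloud-outsourced data, simpler in theory and more efficient, is designed and implemented by combining the classic string equality test protocol with the rank-based Merkle hash tree (RMHT) algorithm. The protocol not only guarantees the integrity of outsourced stored data, allowing users to audit data integrity periodically, but also guarantees secure data migration. In addition, it prevents a malicious cloud server from retaining a copy of migrated data, better protecting user privacy. Security and efficiency analyses show that the protocol is sufficiently secure and reasonably efficient, and that outsourced data is well protected throughout its lifecycle.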

13.
Cloud computing is currently emerging as a promising next-generation architecture in the Information Technology (IT) industry and education sector. The encoding process of state information from the data and protection are governed by the organizational access control policies. An encryption technique protects the data confidentiality from the unauthorized access leads to the development of fine-grained access control policies with user attributes. The Attribute-Based Encryption (ABE) verifies the intersection of attributes to the multiple sets. The handling of adding or revoking the users is difficult with respect to changes in policies. The inclusion of multiple encrypted copies for the same key raised the computational cost. This paper proposes an efficient Key Derivation Policy (KDP) for improvement of data security and integrity in the cloud and overcomes the problems in traditional methods. The local key generation process in proposed method includes the data attributes. The secret key is generated from the combination of local keys with the user attribute by a hash function. The original text is recovered from the ciphertext by the decryption process. The key sharing between data owner and user validates the data integrity referred MAC verification process. The proposed efficient KDP with MAC verification analyze the security issues and compared with the Cipher Text–Attribute-Based Encryption (CP-ABE) schemes on the performance parameters of encryption time, computational overhead and the average lifetime of key generation. The major advantage of proposed approach is the updating of public information and easy handling of adding/revoking of users in the cloud.

14.
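To address the difficulty of anti-counterfeiting, privacy leakage, and low verification efficiency of current electronic invoices, a public verification architecture for electronic invoices based on Chinese national cryptographic (SM) signature algorithms is proposed for fully paperless electronic invoice files. Considering the complex data sources of electronic invoice files, the sensitivity of user information on the invoice, frequent data circulation, and the need for efficient public verification of electronic invoices, electronic invoice generation and verification protocols are designed under the electronic invoice service architecture. An invoice anti-counterfeiting signature code generation scheme is proposed based on certificateless joint signatures, realizing multiple data checks and signatures by the invoicing party and the competent tax authority, and supporting all types of invoice holders in publicly verifying the authenticity and data integrity of electronic invoices. Data encryption algorithms are integrated to protect user private data in electronic invoices while meeting authenticity or status verification needs in various invoice application scenarios. This solves the leakage of sensitive data such as user consumption information during transmission of electronic invoice files, and overcomes the limitation that electronic invoices can only be checked for authenticity through online systems. The verifier needs to verify only a single signature to confirm the authenticity of an electronic invoice signed by both the invoicing party and the competent authority; public-key encryption is also used for the private data, and the use of national cryptographic algorithms in the scheme meets electronic invoice application requirements. The Scyther security simulation tool is used to analyze the security of the scheme: under various attacks, the integrity and source authenticity of the data can be securely verified and the confidentiality of private data is ensured. In terms of verification computation overhead and invoice file data size, compared with typical electronic invoice verification schemes already implemented abroad and schemes of the same type based on...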

15.
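Current end-to-end authentication protocols authenticate only platform identity and lack verification of platform trustworthiness, which is a security problem. Using an improved ElGamal signature scheme and trusted computing technology, an end-to-end trusted anonymous authentication protocol based on integrity measurement, ETAAP (End-to-end Trusted Anonymous Authentication Protocol), is proposed. The first round of interaction in the protocol verifies the authenticity of the trusted platform; on this basis, platform integrity verification and trustworthiness evaluation of platform security attributes are completed through IMC/IMV interaction. The security of the protocol is analyzed using the universally composable security model, proving that the protocol is secure. Finally, experiments show that the protocol has good performance and can achieve integrity-based end-to-end trusted anonymous authentication.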

16.
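Addressing the data storage security problems arising from the widespread use of networks, and building on cloud computing technology, this paper summarizes security mechanisms for data storage in the cloud environment from two aspects: confidentiality and integrity protection of data and identity, and privacy protection of user identity and operations. It also summarizes solutions to these security problems.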

17.
As cloud computing is being widely adopted for big data processing, data security is becoming one of the major concerns of data owners. Data integrity is an important factor in almost any data and computation related context. It is not only one of the qualities of service, but also an important part of data security and privacy. With the proliferation of cloud computing and the increasing needs in analytics for big data such as data generated by the Internet of Things, verification of data integrity becomes increasingly important, especially on outsourced data. Therefore, research topics on external data integrity verification have attracted tremendous research interest in recent years. Among all the metrics, efficiency and security are two of the most concerned measurements. In this paper, we will bring forth a big picture through providing an analysis on authenticator-based data integrity verification techniques on cloud and Internet of Things data. We will analyze multiple aspects of the research problem. First, we illustrate the research problem by summarizing research motivations and methodologies. Second, we summarize and compare current achievements of several of the representative approaches. Finally, we introduce our view for possible future developments.

18.
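Secure routing protocol design is an important part of Ad hoc network security research. Current research focuses mainly on using methods from classical cryptography to secure routing. Combining the TPM from trusted computing with the typical secure routing protocol ARAN, a new secure routing protocol, TEARAN, is proposed. The protocol no longer uses a centralized public key certificate distribution center (PKI); instead, it uses the DAA (Directed Anonymous Attestation) method of the TPM for node identity authentication, and a trust threshold from soft security to monitor the behavior of neighbor nodes, thereby performing trusted public key distribution while ensuring that no malicious node joins the network. In addition, public key signatures and session key encryption are used to ensure the confidentiality, integrity and non-repudiation of end-to-end communication. Theoretical proof shows that the proposed TEARAN protocol achieves anonymous security of the network, defends against currently common attacks, and achieves a good security guarantee.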

19.
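To improve the usability of trusted network access authentication and evaluation protocols for mobile terminals and to reduce network communication load and terminal computation load, a lightweight identity authentication and platform attestation evaluation protocol is proposed. Based on the authentication key shared by the two access parties at first access and each other's trusted platform configuration information, the protocol completes fast identity authentication and attestation evaluation without the participation of a trusted third party. The protocol reduces the number of network data exchanges and the computational workload of both access parties; while guaranteeing the security properties required for access authentication and evaluation, it also strengthens the confidentiality of platform configuration information and the resistance to replay attacks. Security and performance analyses show that the proposed protocol is suitable for trusted network access of mobile terminals in wireless network communication environments.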

20.
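Fog computing is a technology that provides distributed computing, storage and other services between cloud data centers and Internet of Things (IoT) devices; it can use the network edge for authentication and provides a way to interact with the cloud. In fog computing, using traditional security techniques to secure communication between users and fog nodes is not adequate: it still faces security threats such as eavesdropping attacks and impersonation attacks, which poses new challenges for detection techniques. To address this problem, an impersonation attack detection scheme for fog computing based on the DQL (Double Q-learning) algorithm is proposed. Using channel parameters from physical-layer security techniques, the scheme first handles the Q-value overestimation problem on the basis of the Q-learning algorithm to obtain the optimal impersonation attack test threshold, and then uses the threshold to detect impersonation attacks between users and fog nodes. Experimental results show that the algorithm detects impersonation attacks better than the traditional Q-learning algorithm and is superior for fog computing security protection.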
