A Hybrid Cloud Approach for Secure Authorized De-duplication

(Academic Year 2014-2015)

Project Synopsis
For

Submitted by

Project Guide and H.O.D. (I.T.)


1. Introduction:
Data deduplication is one of the important data compression techniques for eliminating duplicate copies of repeating data, and it has been widely used in cloud storage to reduce storage space and save bandwidth. To protect the confidentiality of sensitive data while supporting deduplication, the convergent encryption technique has been proposed to encrypt the data before outsourcing. To better protect data security, this paper makes the first attempt to formally address the problem of authorized data deduplication. Unlike traditional deduplication systems, the differential privileges of users are further considered in the duplicate check, in addition to the data itself. We also present several new deduplication constructions supporting authorized duplicate check in a hybrid cloud architecture. Security analysis demonstrates that our scheme is secure in terms of the definitions specified in the proposed security model. As a proof of concept, we implement a prototype of our proposed authorized duplicate-check scheme and conduct test-bed experiments using the prototype. We show that our proposed authorized duplicate-check scheme incurs minimal overhead compared to normal operations.
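
For background, the effect of deduplication can be illustrated with a minimal content-addressed store in Python (a sketch only, not the paper's scheme; the class and method names are illustrative):

    import hashlib

    class DedupStore:
        """Minimal sketch of a deduplicating store: identical contents are kept once."""

        def __init__(self):
            self.blobs = {}      # tag -> data (one physical copy per unique content)
            self.refcount = {}   # tag -> number of logical copies

        def put(self, data: bytes) -> str:
            tag = hashlib.sha256(data).hexdigest()  # content-derived tag
            if tag not in self.blobs:               # duplicate check
                self.blobs[tag] = data              # store only the first copy
            self.refcount[tag] = self.refcount.get(tag, 0) + 1
            return tag

    store = DedupStore()
    t1 = store.put(b"same file contents")
    t2 = store.put(b"same file contents")
    assert t1 == t2 and len(store.blobs) == 1       # the second upload stores nothing new

Comparing short content tags instead of whole files is what makes the duplicate check cheap; the rest of this synopsis is concerned with performing the same check securely and per privilege.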
2. Problems with the Previous System:
Previous deduplication systems cannot support differential-authorization duplicate checks, which are important in many applications. In such an authorized deduplication system, each user is issued a set of privileges during system initialization.
1. Billing nature of cloud services:
a. Pay as you go: users pay according to the disk space they use, so duplicate copies of a file make them pay more.
b. Uploading duplicate files also increases bandwidth utilization, which degrades network performance.
c. Users must bear a higher cost for the larger bandwidth consumed.
2. Access for authorized users:
a. In a cloud computing environment, the same file may be shared with many users, so an access control system must be implemented.
b. Authorized users should get download access to the shared files in their access domain.
3. Confidentiality:
a. Cloud service providers are third-party service providers, so it is not secure to store confidential content on the cloud as-is.
b. To maintain confidentiality, we need to implement an encryption/decryption scheme.
c. But if only encrypted files are stored on the cloud, we cannot tell whether a new file about to be uploaded is already present. In this paper, a convergent key is therefore generated using a signature/hash function over the original data, so that we achieve confidentiality as well as deduplication (a minimal sketch follows this list).
4. Indexing & retrieval:
a. Since duplicate data is not stored, document retrieval becomes more efficient, as the index takes far less space than the files themselves.
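
The following is a minimal sketch of the convergent-encryption idea from point 3(c), assuming the pycryptodome package for AES; the key, nonce, and tag derivations are illustrative simplifications rather than the paper's exact construction:

    import hashlib
    from Crypto.Cipher import AES  # pycryptodome

    def convergent_encrypt(data: bytes):
        key = hashlib.sha256(data).digest()           # key derived from the content itself
        nonce = hashlib.sha256(key).digest()[:8]      # deterministic nonce; acceptable here since the key is per-message
        ciphertext = AES.new(key, AES.MODE_CTR, nonce=nonce).encrypt(data)
        tag = hashlib.sha256(ciphertext).hexdigest()  # duplicate-check tag over the ciphertext
        return key, ciphertext, tag

    # Identical plaintexts yield identical ciphertexts and tags, so the cloud
    # can detect duplicates without ever seeing the plaintext.
    k1, c1, t1 = convergent_encrypt(b"confidential report")
    k2, c2, t2 = convergent_encrypt(b"confidential report")
    assert c1 == c2 and t1 == t2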

3. Literature Survey:

[1] P. Anderson and L. Zhang. Fast and secure laptop backups with encrypted de-duplication. In Proc. of USENIX LISA, 2010.
Summary:
Many people now store large quantities of personal and corporate data on laptops or home
computers. These often have poor or intermittent connectivity, and are vulnerable to theft or
hardware failure. Conventional backup solutions are not well suited to this environment, and
backup regimes are frequently inadequate. This paper describes an algorithm which takes
advantage of the data which is common between users to increase the speed of backups, and
reduce the storage requirements. This algorithm supports client-end per-user encryption
which is necessary for confidential personal data. It also supports a unique feature which
allows immediate detection of common subtrees, avoiding the need to query the backup
system for every file. We describe a prototype implementation of this algorithm for Apple OS
3

A Hybrid Cloud Approach for secure Authorized De-duplication

X, and present an analysis of the potential effectiveness, using real data obtained from a set of
typical users. Finally, we discuss the use of this prototype in conjunction with remote cloud
storage, and present an analysis of the typical cost savings.
[2] M. Bellare, S. Keelveedhi, and T. Ristenpart. DupLESS: Server-aided encryption for deduplicated storage. In USENIX Security Symposium, 2013.
Summary:
Cloud storage service providers such as Dropbox, Mozy, and others perform deduplication to
save space by only storing one copy of each file uploaded. Should clients conventionally
encrypt their files, however, savings are lost. Message-locked encryption (the most prominent
manifestation of which is convergent encryption) resolves this tension. However it is
inherently subject to brute-force attacks that can recover files falling into a known set. We
propose an architecture that provides secure deduplicated storage resisting brute-force
attacks, and realize it in a system called DupLESS. In DupLESS, clients encrypt under
message-based keys obtained from a key-server via an oblivious PRF protocol. It enables
clients to store encrypted data with an existing service, have the service perform deduplication on their behalf, and yet achieve strong confidentiality guarantees. We show that
encryption for de-duplicated storage can achieve performance and space savings close to that
of using the storage service with plaintext data.
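
To make the server-aided idea concrete, here is a highly simplified sketch in the spirit of DupLESS; the real system uses an oblivious PRF so the key server never learns the file hash, whereas below the hash is sent in the clear purely for illustration, and every name is hypothetical:

    import hashlib
    import hmac

    SERVER_SECRET = b"key-server-long-term-secret"  # held only by the key server

    def key_server_derive(file_hash: bytes) -> bytes:
        """Key server: PRF over the file hash under its long-term secret."""
        return hmac.new(SERVER_SECRET, file_hash, hashlib.sha256).digest()

    def client_key(data: bytes) -> bytes:
        """Client: the same file always yields the same key (so deduplication
        still works), but an attacker without access to the key server cannot
        brute-force keys for guessed plaintexts offline."""
        return key_server_derive(hashlib.sha256(data).digest())

    assert client_key(b"report contents") == client_key(b"report contents")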
[3] M. Bellare, S. Keelveedhi, and T. Ristenpart. Message-locked encryption and secure de-duplication. In EUROCRYPT, pages 296–312, 2013.
Summary:
We formalize a new cryptographic primitive, Message-Locked Encryption (MLE), where the
key under which encryption and decryption are performed is itself derived from the message.
MLE provides a way to achieve secure de-duplication (space-efficient secure outsourced
storage), a goal currently targeted by numerous cloud-storage providers. We provide
definitions both for privacy and for a form of integrity that we call tag consistency. Based on
this foundation, we make both practical and theoretical contributions. On the practical side,
we provide ROM security analyses of a natural family of MLE schemes that includes
deployed schemes. On the theoretical side, the challenge is standard-model solutions, and we
make connections with deterministic encryption, hash functions secure on correlated inputs
and the sample-then-extract paradigm to deliver schemes under different assumptions and for
different classes of message sources. Our work shows that MLE is a primitive of both
practical and theoretical interest.
[4] M. Bellare, C. Namprempre, and G. Neven. Security proofs for identity-based identification and signature schemes. J. Cryptology, 22(1):1–61, 2009.
Summary:
This paper provides either security proofs or attacks for a large number of identity-based
identification and signature schemes defined either explicitly or implicitly in existing
literature. Underlying these is a framework that, on the one hand, helps explain how these schemes are derived and, on the other hand, enables modular security analyses, thereby
helping to understand, simplify and unify previous work.
[5] M. Bellare and A. Palacio. GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attacks. In CRYPTO, pages 162–177, 2002.
[6] S. Bugiel, S. Nurnberger, A. Sadeghi, and T. Schneider. Twin clouds: An architecture for secure cloud computing. In Workshop on Cryptography and Security in Clouds (WCSC 2011), 2011.

Motivation:
1. Convergent encryption is open to a "confirmation of a file" attack, in which an attacker can effectively confirm whether a target possesses a certain file by encrypting an unencrypted (plaintext) version and simply comparing the output with the files possessed by the target (a small sketch of this attack follows this list).
2. To mitigate this, another encryption technique, such as AES/MAES, can be used instead.
3. We propose a client-side deduplication scheme as future scope.
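
A minimal sketch of the confirmation-of-file attack from point 1; the tag derivation is an illustrative simplification of plain convergent encryption, where tags are a deterministic function of the content:

    import hashlib

    def dedup_tag(data: bytes) -> str:
        """Deterministic duplicate-check tag, as in plain convergent encryption."""
        key = hashlib.sha256(data).digest()  # content-derived key
        return hashlib.sha256(key).hexdigest()

    # Tags observed for a victim's uploads (contents are hypothetical):
    stored_tags = {dedup_tag(b"salary_list contents")}

    # The attacker derives the tag for a guessed plaintext and compares:
    if dedup_tag(b"salary_list contents") in stored_tags:
        print("attacker confirms the target stores this exact file")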

4. Objective:
• To design the front end, where a user can request a token for a file from the private cloud.
• To enable the user to upload or download the file after obtaining the token.
• To design and develop the code for generating the convergent key and the proof of ownership.
• To test the system with the proper tools.

5. Methodology:
In this paper, we address the problem of privacy-preserving deduplication in cloud computing and propose a new deduplication system supporting:
• Differential Authorization. Each authorized user is able to get an individual token for his/her file to perform the duplicate check, based on his/her privileges. Under this assumption, no user can generate a token for a duplicate check outside his/her privileges or without the aid of the private cloud server.
• Authorized Duplicate Check. An authorized user is able to use his/her individual private keys to generate a query for a certain file and the privileges he/she owns with the help of the private cloud, while the public cloud performs the duplicate check directly and tells the user if there is any duplicate. The security requirements considered in this paper are twofold: the security of the file token and the security of the data files. For the security of the file token, two aspects are defined, unforgeability and indistinguishability of the file token. The details are given below.
• Unforgeability of file token/duplicate-check token. Unauthorized users without the appropriate privileges or file should be prevented from getting or generating the file tokens for the duplicate check of any file stored at the S-CSP. Users are not allowed to collude with the public cloud server to break the unforgeability of file tokens. In our system, the S-CSP is honest-but-curious and will honestly perform the duplicate check upon receiving a duplicate request from users. The duplicate-check tokens of users are issued by the private cloud server in our scheme.
• Indistinguishability of file token/duplicate-check token. Any user who has not queried the private cloud server for some file token cannot get any useful information from that token, including the file information or the privilege information.
• Data Confidentiality. Unauthorized users without the appropriate privileges or files, including the S-CSP and the private cloud server, should be prevented from accessing the underlying plaintext stored at the S-CSP. In other words, the goal of the adversary is to retrieve and recover files that do not belong to it. In our system, compared to the previous definition of data confidentiality based on convergent encryption, a higher level of confidentiality is defined and achieved.
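
The notion of privilege-bound tokens can be sketched as follows, assuming the private cloud keeps one secret key per privilege; the paper's actual construction is more involved, and every name below is hypothetical:

    import hashlib
    import hmac

    PRIVILEGE_KEYS = {                 # held only by the private cloud
        "engineering": b"secret-key-eng",
        "finance": b"secret-key-fin",
    }

    def issue_token(privilege: str, file_hash: bytes) -> bytes:
        """Private cloud: issue a duplicate-check token, but only for a
        privilege the requesting user actually holds."""
        return hmac.new(PRIVILEGE_KEYS[privilege], file_hash, hashlib.sha256).digest()

    # The public cloud (S-CSP) indexes stored files by token, so a duplicate
    # check can only succeed between users holding the same privilege:
    h = hashlib.sha256(b"design document contents").digest()
    assert issue_token("engineering", h) != issue_token("finance", h)

Because the per-privilege keys never leave the private cloud, a user cannot forge a token outside his/her privileges, matching the unforgeability requirement above.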
6. System Design and Architecture:
The diagram of the proposed approach is shown below.

[Figure not reproduced in this copy: system architecture diagram.]
7. Future work/ Own Contributions:


The CSP provides a web interface for the client to store data into a set of cloud servers, which run in a cooperative and distributed manner. In addition, the web interface is used by the users to retrieve, modify, and restore data from the cloud, depending on their access rights. Moreover, the CSP relies on database servers to map client identities to their stored data identifiers and group identifiers.
Our secure client-side data deduplication scheme is based on an original use of convergent encryption. That is, when a data owner wants to store a new enciphered data file on remote storage servers, he first has to generate the enciphering key. This data-encrypting key is derived by applying a one-way hash function to the data content. After successfully encrypting the file data, the client has to generate the data identifier of the enciphered data, in order to check its uniqueness in the cloud database before uploading the claimed file. This data identifier is computed using a Merkle hash tree over the encrypted contents. Then, for subsequent outsourcing of the same data, the client is not required to send the encrypted data again; instead, he has to run a client-server interactive proof-of-ownership (PoW) protocol in order to prove his ownership.
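
A minimal sketch of computing the data identifier as the root of a Merkle hash tree over fixed-size blocks of the ciphertext; the block size and the odd-node padding rule are illustrative assumptions:

    import hashlib

    def sha256(b: bytes) -> bytes:
        return hashlib.sha256(b).digest()

    def merkle_root(ciphertext: bytes, block_size: int = 4096) -> bytes:
        """Data identifier: Merkle root over blocks of the encrypted content."""
        blocks = [ciphertext[i:i + block_size]
                  for i in range(0, len(ciphertext), block_size)] or [b""]
        level = [sha256(b) for b in blocks]           # leaf hashes
        while len(level) > 1:
            if len(level) % 2:                        # duplicate the last node if odd
                level.append(level[-1])
            level = [sha256(level[i] + level[i + 1])  # hash sibling pairs
                     for i in range(0, len(level), 2)]
        return level[0]

    # The client uploads merkle_root(enciphered_data) as the identifier; the
    # same tree later supports PoW challenges over randomly chosen leaves.
    identifier = merkle_root(b"example enciphered data" * 1000)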
8. References:
[1] P. Anderson and L. Zhang. Fast and secure laptop backups with encrypted de-duplication. In Proc. of USENIX LISA, 2010.
[2] M. Bellare, S. Keelveedhi, and T. Ristenpart. DupLESS: Server-aided encryption for deduplicated storage. In USENIX Security Symposium, 2013.
[3] M. Bellare, S. Keelveedhi, and T. Ristenpart. Message-locked encryption and secure de-duplication. In EUROCRYPT, pages 296–312, 2013.
[4] M. Bellare, C. Namprempre, and G. Neven. Security proofs for identity-based identification and signature schemes. J. Cryptology, 22(1):1–61, 2009.
[5] M. Bellare and A. Palacio. GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attacks. In CRYPTO, pages 162–177, 2002.
[6] S. Bugiel, S. Nurnberger, A. Sadeghi, and T. Schneider. Twin clouds: An architecture for secure cloud computing. In Workshop on Cryptography and Security in Clouds (WCSC 2011), 2011.
