Analysis and improvement on identity-based cloud data integrity verification scheme

Many individuals or businesses outsource their data to remote cloud.Cloud storage provides users the advantages of economic convenience,but data owners no longer physically control over the stored data,which introduces new security challenges,such as no security guarantees of integrity and privacy.The security of two identity-based cloud data integrity verification schemes by Zhang et al and Xu et al respectively are analysed.It shows that Zhang et al.’s scheme is subjected to secret key recovery attack for the cloud servers can recover user’s private key only utilizing stored data.And Xu et al.’s scheme cannot satisfy security requirements of soundness.Based on Xu et al.'s scheme,a modified identity-based cloud data integrity verification scheme is proposed.A comprehensive analysis shows the new scheme can provide the security requirements of soundness and privacy,and has the same communication overhead and computational cost as Xu et al.’s scheme.     

Public integrity verification for data sharing in cloud with asynchronous revocation

Cloud data sharing service, which allows a group of people to access and modify the shared data, is one of the most popular and efficient working styles in enterprises. Recently, there is an uprising trend that enterprises tend to move their IT service from local to cloud to ease the management and reduce the cost. Under the new cloud environment, the cloud users require the data integrity verification to inspect the data service at the cloud side. Several recent studies have focused on this application scenario. In these studies, each user within a group is required to sign a data block created or modified by him. While a user is revoked, all the data previously signed by him should be resigned. In the existing research, the resigning process is dependent on the revoked user. However, cloud users are autonomous. They may exit the system at any time without notifying the system admin and even are revoked due to misbehaviors. As the developers in the cloud-based software development platform, they are voluntary and not strictly controlled by the system. Due to this feature, cloud users may not always follow the cloud service protocol. They may not participate in generating the resigning key and may even expose their secret keys after being revoked. If the signature is not resigned in time, the subsequent verification will be affected. And if the secret key is exposed, the shared data will be maliciously modified by the attacker who grasps the key. Therefore, forcing a revoked user to participate in the revocation process will lead to efficiency and security problems. As a result, designing a practical and efficient integrity verification scheme that supports this scenario is highly desirable. In this paper, we identify this challenging problem as the asynchronous revocation, in which the revocation operations (i.e., re-signing key generation and resigning process) and the user's revocation are asynchronous. All the revocation operations must be able to be performed without the participation of the revoked user. Even more ambitiously, the revocation process should not rely on any special entity, such as the data owner or a trusted agency. To address this problem, we propose a novel public data integrity verification mechanism in which the data blocks signed by the revoked user will be resigned by another valid user. From the perspectives of security and practicality, the revoked user does not participate in the resigning process and the re-signing key generation. Our scheme allows anyone in the cloud computing system to act as the verifier to publicly and efficiently verify the integrity of the shared data using Homomorphic Verifiable Tags (HVTs). Moreover, the proposed scheme resists the collusion attack between the cloud server and the malicious revoked users. The numerical analysis and experimental results further validate the high efficiency and scalability of the proposed scheme. The experimental results manifest that re-signing 10,000 data blocks only takes 3.815 ?s and a user can finish the verification in 300 ?ms with a 99% error detection probability.     

Secure Data Access and Sharing Scheme for Cloud Storage

Cloud storage is a new storage mode emerged along with the development of cloud computing paradigm. By migrating the data to cloud storage, the consumers can be liberated from building and maintaining the private storage infrastructure, and they can enjoy the data storage service at anywhere and anytime with high reliability and a relatively low cost. However, the security and privacy risks, especially the confidentiality and integrity of data seem to be the biggest hurdle to the adoption of the cloud storage applications. In this paper, we consider the secure data access and sharing issues for cloud storage services. Based on the intractability of the discrete logarithm problem, we design a secure data access and data sharing scheme for cloud storage, where we utilize the user authentication scheme to deal with the data access problem. According to our analysis, through our scheme, only valid user with the correct password and biometric can access to the cloud storage provider. Besides, the authorized users can access the rightful resources and verify the validity of the shared data, but cannot transfer the permission to any other party. At the same time, the confidentiality and integrity of data can be guaranteed.

     

基于DDCT表的多副本完整性审计方案

在云存储环境下,云数据采用多副本存储已经成为一种流行的应用.针对恶意云服务提供商威胁云副本数据安全问题,提出一种基于DDCT（Dynamic Divide and Conquer Table）表的多副本完整性审计方案.首先引入DDCT表来解决数据动态操作问题,同时表中存储副本数据的块号、版本号和时间戳等信息;接下来为抵制恶意云服务商攻击,设计一种基于时间戳的副本数据签名认证算法;其次提出了包括区块头和区块体的副本区块概念,区块头存储副本数据基于时间戳识别认证的签名信息,区块体存放加密的副本数据;最后委托第三方审计机构采用基于副本时间戳的签名认证算法来审计云端多副本数据的完整性.通过安全性分析和实验对比,本方案不仅有效的防范恶意存储节点之间的攻击,而且还能防止多副本数据泄露给第三方审计机构.     

Cloud data assured deletion scheme based on overwrite verification

At the end of data life cycle,there is still a risk of data leakage,because mostly data which was stored in cloud is removed by logical deletion of the key.Therefore,a cloud data assured deletion scheme (WV-CP-ABE) based on ciphertext re-encrypt and overwrite verification was proposed.When data owner wants to delete the outsourced data,the data fine-grained deletion operation was realized by re-encrypting the ciphertext to change the access control policy.Secondly,a searchable path hash binary tree (DSMHT) based on dirty data block overwrite was built to verify the correctness of the data to be deletion.Finally,the dual mechanism of changing the ciphertext access control policy and data overwriting guarantees the data assured deletion.The experimental analysis proves that the fine-grained control is better and the security is more reliable than the previous logical delete method in the assured deletion of data.     

Authentication scheme for multi-cloud environment based on smart card

To solve the problem of the access keys stored in a smart card increasing linearly with the number of registered clouds without third party participated in authentication,an authentication scheme was proposed for multi-cloud environment based on smart card.In the proposed scheme,the authentication was realized between user and multiple clouds without third party participation when the smart card only stored two access key.Thus the storage cost of smart card was reduced effectively.Because there was no public key cryptography,the authentication messages was generated by using XOR homomorphic function and Hash function,thus the computational cost of the smart card and the cloud servers was reduced effectively.Moreover,the proposed scheme also didn’t need to store any user’s information on the cloud servers,thereby reducing the storage and management costs of the cloud servers.The security analysis and the performance analysis show that the proposed scheme is able to resist multiple attacks,which is secure and efficient.     

一个高效的门限共享验证签名方案及其应用

基于离散对数问题提出一个新的门限共享验证签名方案，该方案是EIGamal签名方案和Shamir门限方案的结合。在该方案中，n个验证者中任意t个可以验证签名的有效性，而t-1个或更少的验证者不能验证签名的有效性。伪造该方案的签名等价于伪造EIGamal签名。与已有方案相比，该方案的签名效率更高。最后基于该门限共享验证签名方案提出一个新的口令共享认证方案。     

云环境下的数据多副本安全共享与关联删除方案

针对共享在公共云环境的用户数据因所有权与管理权分离而导致的用户隐私泄露问题,结合对称加密算法、属性加密算法和副本定位技术,提出一种云环境下的数据多副本安全共享与关联删除方案,对用户数据进行加密等处理封装成副本关联对象(RAO, replication associated object),随后将RAO共享到云服务商,建立副本关联模型对RAO所产生副本进行管理并实现关联删除。分析表明方案是安全与有效的,能够对用户共享的数据及其副本进行安全共享与关联删除,有效保障了数据多副本的隐私安全。     

ACDAS: Authenticated controlled data access and sharing scheme for cloud storage

Cloud storage services require cost‐effective, scalable, and self‐managed secure data management functionality. Public cloud storage always enforces users to adopt the restricted generic security consideration provided by the cloud service provider. On the contrary, private cloud storage gives users the opportunity to configure a self‐managed and controlled authenticated data security model to control the accessing and sharing of data in a private cloud. However, this introduces several new challenges to data security. One critical issue is how to enable a secure, authenticated data storage model for data access with controlled data accessibility. In this paper, we propose an authenticated controlled data access and sharing scheme called ACDAS to address this issue. In our proposed scheme, we employ a biometric‐based authentication model for secure access to data storage and sharing. To provide flexible data sharing under the control of a data owner, we propose a variant of a proxy reencryption scheme where the cloud server uses a proxy reencryption key and the data owner generates a credential token during decryption to control the accessibility of the users. The security analysis shows that our proposed scheme is resistant to various attacks, including a stolen verifier attack, a replay attack, a password guessing attack, and a stolen mobile device attack. Further, our proposed scheme satisfies the considered security requirements of a data storage and sharing system. The experimental results demonstrate that ACDAS can achieve the security goals together with the practical efficiency of storage, computation, and communication compared with other related schemes.     

一种基于同态Hash的数据持有性证明方法

在云存储服务中,为了让用户可以验证存储服务提供者正确地持有(保存)用户的数据,该文提出一种基于同态hash (homomorphic hashing)的数据持有性证明方法。因为同态hash算法的同态性,两数据块之和的hash值与它们hash值的乘积相等,初始化时存放所有数据块及其hash值,验证时存储服务器返回若干数据块的和及其hash值的乘积,用户计算这些数据块之和的hash值,然后验证是否与其hash值的乘积相等,从而达到持有性证明的目的。在数据生存周期内,用户可以无限次地验证数据是否被正确持有。该方法在提供数据持有性证明的同时,还可以对数据进行完整性保护。用户只需要保存密钥K,约520 byte,验证过程中需要传递的信息少,约18 bit,并且持有性验证时只需要进行一次同态hash运算。文中提供该方法的安全性分析,性能测试表明该方法是可行的。     

基于属性加密的高效密文去重和审计方案

针对当前支持去重的属性加密方案既不支持云存储数据审计,又不支持过期用户撤销,且去重搜索和用户解密效率较低的问题,该文提出一种支持高效去重和审计的属性加密方案。该方案引入了第3方审计者对云存储数据的完整性进行检验,利用代理辅助用户撤销机制对过期用户进行撤销,又提出高效去重搜索树技术来提高去重搜索效率,并通过代理解密机制辅助用户解密。安全性分析表明该方案通过采用混合云架构,在公有云达到IND-CPA安全性,在私有云达到PRV-CDA安全性。性能分析表明该方案的去重搜索效率更高,用户的解密计算量较小。     

Securing Cloud Data Using a Pirate Scheme

Inspired by the approach of smart pirates dealing with their treasures, the paper proposed a scheme to protect the data security and privacy in cloud computing. In the proposed scheme, cloud data will be divided into some sequenced or logical blocks. These data blocks will be distributed among cloud storage service providers. Instead of protecting the data themselves, the proposed scheme protects the mapping of the data elements on each provider. Comprehensive analysis and simulation are designed to verify the proposed scheme, the results show that it is secure for cloud data, and the real implementation on Amazon S3 also indicates that the proposed scheme is feasible and efficient for the cloud data storage.     

Lightweight integrity verification scheme for cloud based group data

In order to protect the security of the data stored in the cloud by group users,a data integrity verification scheme was designed which can protect the privacy of the group users.The scheme can efficiently detect the shared data in the cloud and support the dynamic updating of the data,and use the characteristic of the ring signature to hide the iden-tity of the signer corresponding to the data block.That is,the third-party verifier can not spy on the users identity and other private information when validating.The aggregated approach is used to generate data labels,which reduces the storage cost of labels and supports the dynamic operation of group data,so that the users in the group can easily modify the cloud group data.     

具有隐私保护的完整性可验证的关键字搜索方案

针对传统基于属性关键字搜索(ABKS)方案存在访问结构泄密、用户侧计算量高及缺乏完整性验证问题,该文提出具有隐私保护和完整性可验证的基于属性的关键字搜索方案。该方案提出了有序多值属性访问结构和有序多值属性集,固定每个属性的位置,减少参数及相关计算,提高了方案的效率,而在密钥生成时计算具体属性取值的哈希值,从而达到区别多值属性取值的不同。同时,采用Hash和对运算实现对访问结构的隐藏,防止访问结构泄密;采用倒序索引结构和Merkle树建立数据认证树,可验证云服务器返回文档和外包解密结果的正确性。此外,支持外包解密以降低用户侧的计算量。安全分析和实验表明所提方案实现云中共享数据的可验证性、关键字不可区分性和关键字不可链接性,且是高效的。     

分布式文件交互系统节点身份认证方案

基于分布式云存储系统利用椭圆曲线和散列函数等内容,提出了一种云环境下的双向身份认证方案,实现双向认证过程。新方案的优点在于产生对通信双方公正的会话密钥,同时设计了2种不同类型的认证: 本地网内认证和跨网络认证。最后对该方案进行了安全性和性能分析,证明了本方案具有很强的安全性,能够保护用户的隐私性和抗抵赖性,且具有较低的计算量。该方案满足云存储在通信环境中的需求。     

A hierarchical approach for resource allocation in hybrid cloud environments

Cloud computing is a key technology for online service providers. However, current online service systems experience performance degradation due to the heterogeneous and time-variant incoming of user requests. To address this kind of diversity, we propose a hierarchical approach for resource management in hybrid clouds, where local private clouds handle routine requests and a powerful third-party public cloud is responsible for the burst of sudden incoming requests. Our goal is to answer (1) from the online service provider’s perspective, how to decide the local private cloud resource allocation, and how to distribute the incoming requests to private and/or public clouds; and (2) from the public cloud provider’s perspective, how to decide the optimal prices for these public cloud resources so as to maximize its profit. We use a Stackelberg game model to capture the complex interactions between users, online service providers and public cloud providers, based on which we analyze the resource allocation in private clouds and pricing strategy in public cloud. Furthermore, we design efficient online algorithms to determine the public cloud provider’s and the online service provider’s optimal decisions. Simulation results validate the effectiveness and efficiency of our proposed approach.     

Privacy-Preserving Public Auditing for Non-manager Group Shared Data

By the widespread use of cloud storage service, users get a lot of conveniences such as low-price file remote storage and flexible file sharing. The research points in cloud computing include the verification of data integrity, the protection of data privacy and flexible data access. The integrity of data is ensured by a challenge-and-response protocol based on the signatures generated by group users. Many existing schemes use group signatures to make sure that the data stored in cloud is intact for the purpose of privacy and anonymity. However, group signatures do not consider user equality and the problem of frameability caused by group managers. Therefore, we propose a data sharing scheme PSFS to support user equality and traceability meanwhile based on our previous work HA-DGSP. PSFS has some secure properties such as correctness, traceability, homomorphic authentication and practical data sharing. The practical data sharing ensures that the data owner won’t loss the control of the file data during the sharing and the data owner will get effective incentive of data sharing. The effective incentive is realized by the technology of blockchain. The experimental results show that the communication overhead and computational overhead of PSFS is acceptable.     

云存储环境下的密文安全共享机制

With the convenient of storing and sharing data in cloud storage environment,the concerns about data security arised as well.To achieve data security on untrusted servers,user usually stored the encrypted data on the cloud storage environment.How to build a cipertext-based access control scheme became a pot issue.For the access control problems of ciphertext in cloud storage environment,a CP-ABE based data sharing scheme was proposed.Novel key generation and distribution strategies were proposed to reduce the reliance on a trusted third party.Personal information was added in decryption key to resistant conclusion attacks at the same time.Moreover,key revocation scheme was proposed to provide the data backward secrecy.The security and implement analysis proves that proposed scheme is suit for the real application environment.     

Cloud Dynamic Scheduling for Multimedia Data Encryption Using Tabu Search Algorithm

The cloud computing is interlinked with recent and out-dated technology. The cloud data storage industry is earning billion and millions of money through this technology. The cloud remote server storage is on-demand technology. The cloud users are expecting higher quality in minimal cost. The quality of service is playing a vital role in any latest technology. The cloud user always depends on thirty party service providers. This service provider is facing higher competition. The customer is choosing a service based on two parameters one is security and another one is cost. The reason behind this is all our personal data is stored on some third party server. The customer is expecting higher security level. The service provider is choosing many techniques for data security, best one is encryption mechanism. This encryption method is having many algorithms. Then again one problem is raised, that is which algorithm is best for encryption. The prediction of algorithm is one of major task. Each and every algorithm is having unique advantage. The algorithm performance is varying depends on file type. The proposed method of this article is to solve this encryption algorithm selection problem by using tabu search concept. The proposed method is to ensure best encryption method to reducing the average encode and decode time in multimedia data. The local search scheduling concept is to schedule the encryption algorithm and store that data in local memory table. The quality of service is improved by using proposed scheduling technique.

     

Secure anonymous authentication scheme without verification table for mobile satellite communication systems

An authentication scheme is one of the most basic and important security mechanisms for satellite communication systems because it prevents illegal access by an adversary. Lee et al. recently proposed an efficient authentication scheme for mobile satellite communication systems. However, we observed that this authentication scheme is vulnerable to a denial of service (DoS) attack and does not offer perfect forward secrecy. Therefore, we propose a novel secure authentication scheme without verification table for mobile satellite communication systems. The proposed scheme can simultaneously withstand DoS attacks and support user anonymity and user unlinkability. In addition, the proposed scheme is based on the elliptic curve cryptosystem, has low client‐side and server‐side computation costs, and achieves perfect forward secrecy. Copyright © 2013 John Wiley & Sons, Ltd.