Cloud Computing Security Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva, Melek Ӧnen, Pasquale Puzio December 18, 2013 – Sophia-Antipolis, France

Cloud Computing Security

Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva,

Melek Ӧnen, Pasquale Puzio

December 18, 2013 – Sophia-Antipolis, France

Cloud Computing – Outsourcing storage & computation

• High availability
• No IT maintenance cost
• Decreased Costs
• Elasticity & Flexibility

Cloud Computing Security – December 18, 2013

Sophia-Antipolis, France

Slide 2

CSA’s Notorious Nine – From 2010 to 2013

• Data breaches: Unauthorized access to client data
• Data Loss: Accidental or malicious destruction
• Account hijacking: Stolen credentials
• Insecure APIs: Adversary steals data from cloud
• Denial of Service: Intolerable system slowdown
• Malicious insiders: More powerful attackers
• Abuse of cloud services: Adversary rents the cloud
• Insufficient due diligence: Mismatched expectations
• Shared technology issues: Adversary breaks out of the hypervisor

Slide 3

Security Models & Requirements

Clouds as Adversaries: To trust or how to trust?

• Honest but curious: Confidentiality & Privacy
  - Data privacy
  - Computation privacy
• Malicious: Privacy + Integrity & Transparency
  - Verifiability

Challenge
• Do not cancel cloud advantages
• Lightweight operations at client side

Cloud Security

Big Data

Slide 4

Cloud Security Research at EURECOM

• Honest-but-curious cloud
  - Privacy preserving word search [PETS’12, Tclouds’13]
  - Privacy preserving de-duplication [CloudCom’13]
• Malicious cloud
  - Proof of Retrievability [Under submission]

Slide 5

Proof of Retrievability - Overview

• Challenge
  - No more physical possession of data
  - Lack of resources at the client side
• Related work
  - Deterministic [Deswarte et al., Filho et al., ...]
    Verification of the entire data: costly
  - Probabilistic [Ateniese et al., Juels et al., Shacham et al., ...]
    Tags for each block + random verification: costly generation of tags
    Randomly located sentinels => limited verification
• Our solution - StealthGuard [Under submission]
  - Randomly generated watchdogs
  - Privacy preserving search of watchdogs

Slide 6

Privacy preserving word search

A concrete scenario: Data retention
• Internet Service Provider retains customers’ log/access data (for 6 years…!)
• Example: DNS logs (time, IP, hostname)
• Save money: Outsource to cloud

Challenge
• Protect customer privacy against prying clouds
• Privacy: Encrypt log entries
• Support queries: “Has x accessed y (at time z)?”
  - Word Search
• Efficiency: Leverage clouds’ massive parallelism
  - MapReduce

Slide 8

PRIvacy preserving Search in MapReduce

Contribution
• Data privacy: No (non trivial) data analysis
• Computation privacy: query privacy, query unlinkability
• Parallelism with MapReduce
• Evaluation: privacy proofs and implementation (11% overhead)

Main idea
• Word search transformed to PIR problems (single bit)
• Map: Evaluate small PIR problem on each InputSplit
• Reduce: combine mapper output with simple addition
• User decodes output, decides existence

Slide 9

PRISM - Overview [PETS’12]

Idea: Transform search for “word” into PIR query

[Figure labels: User, File, Encrypt & Upload, Query for “word”, Q(word), Cloud, Mapper, InputSplit, “PIR Matrix” with E(0)/E(1) entries, E( ) outputs, homomorphic, Reducer, Result]

Slide 10
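The map/reduce flow of slides 9 and 10, as an added example that is not PRISM's own code or construction: a toy Paillier cryptosystem is swapped in for the homomorphic scheme, and the names `bucket`, `upload`, `make_query`, `mapper`, `hom_sum` and `search`, the 256-entry query vector and the sample DNS-log words are assumptions made for illustration.

```python
import hashlib, hmac, secrets
# Toy Paillier (additively homomorphic). P and Q are well-known Mersenne
# primes picked for readability; a key this small gives no security.
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
N2, MU = N * N, pow(PHI, -1, N)
BUCKETS = 256                   # length of the query vector (assumed value)
KEY = b"constructed-user-key"   # stays with the user

def enc(m):
    r = secrets.randbelow(N - 2) + 2
    return (1 + m * N) * pow(r, N, N2) % N2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * MU % N

def hom_sum(ciphertexts):
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % N2
    return acc

def bucket(key, word):
    """Keyed hash of a word to a query position; the cloud sees only positions."""
    tag = hmac.new(key, word, hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big") % BUCKETS

def upload(key, splits):        # user: outsource keyed positions, not words
    return [{bucket(key, w) for w in split} for split in splits]

def make_query(key, word):
    """User: E(1) at the word's position, E(0) everywhere else."""
    target = bucket(key, word)
    return [enc(int(b == target)) for b in range(BUCKETS)]

def mapper(query, stored_split):
    """Cloud: sum the query entries at positions this InputSplit contains."""
    return hom_sum(query[b] for b in stored_split)

# Constructed DNS-log words ("ip|hostname"), one set per InputSplit.
SPLITS = [{b"10.0.0.5|mail.example.org", b"10.0.0.7|www.example.net"},
          {b"10.0.0.5|mail.example.org", b"10.0.0.9|ftp.example.com"},
          {b"10.0.0.8|www.example.net"}]
STORED = upload(KEY, SPLITS)

def search(word):
    """User: number of matching InputSplits (reduce = hom_sum); 0 means absent."""
    query = make_query(KEY, word)
    return dec(hom_sum(mapper(query, s) for s in STORED))
```

The cloud only ever handles randomized ciphertexts, so it cannot tell which position was queried or whether the result was a hit. Two words that hash to the same position produce a false positive, which is the price of the short query vector in this sketch.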

Further work - Delegated word search [Tclouds’13]

• Scenario: Auditing
• Additional privacy requirement: Authorized access with revocation
• Initial solution based on
  - One-time key for search
  - Attribute based encryption for key retrieval

Slide 11

Privacy preserving deduplication

• Deduplication
  - Duplicated data stored only once
  - 90-95% space saving
• Conflict with privacy
  - Encryption prevents detection
• Initial solution: Convergent encryption
  - Key = hash(data)
  - Vulnerable to dictionary attacks

Slide 13
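Why Key = hash(data) allows deduplication yet fails for predictable data, as an added example that is not code from the talk or from ClouDedup: the SHA-256 counter-mode cipher is a stand-in for a real block cipher, `keyed_convergent_encrypt` is an assumed generic hardening rather than the ClouDedup design, and the records are constructed.

```python
import hashlib
import hmac

def keystream_xor(key, data):
    """Toy deterministic cipher (SHA-256 in counter mode), a stand-in for AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def convergent_encrypt(data):
    """Convergent encryption as on the slide: key = hash(data)."""
    key = hashlib.sha256(data).digest()
    return key, keystream_xor(key, data)

def convergent_decrypt(key, ciphertext):
    return keystream_xor(key, ciphertext)

def keyed_convergent_encrypt(secret, data):
    """Assumed hardening: the key also depends on a secret the storage never sees."""
    key = hmac.new(secret, data, hashlib.sha256).digest()
    return key, keystream_xor(key, data)

def recover_by_dictionary(stored_ciphertext, candidates):
    """A curious storage provider re-encrypts guesses and compares ciphertexts."""
    for guess in candidates:
        if convergent_encrypt(guess)[1] == stored_ciphertext:
            return guess
    return None

# Constructed low-entropy records: only 100 possible plaintexts.
CANDIDATES = [b"salary=%d" % n for n in range(30000, 30100)]
RECORD = b"salary=30042"

if __name__ == "__main__":
    _, ct_a = convergent_encrypt(RECORD)       # uploaded by user A
    _, ct_b = convergent_encrypt(RECORD)       # uploaded by user B
    print("deduplicable:", ct_a == ct_b)
    print("plain CE guessed:", recover_by_dictionary(ct_a, CANDIDATES))
    _, ct_k = keyed_convergent_encrypt(b"constructed-domain-secret", RECORD)
    print("keyed CE guessed:", recover_by_dictionary(ct_k, CANDIDATES))
```

The keyed variant still deduplicates among uploaders that share the secret, and it moves the dictionary risk to whoever holds that secret.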

ClouDedup - Overview [CloudCom’13]

• Confidentiality & block-level deduplication
• Countermeasure against CE vulnerability
• Negligible performance impact
• Transparent to the storage provider

Slide 14

Conclusion

• Privacy preserving storage & computation
  - Suitable data encryption
  - Privacy preserving primitives
    Word search statistics: sum, average, etc.
    Privacy preserving deduplication
• Verifiable storage & computation
  - Verifiable word search
  - Proof of retrievability
  - Data integrity

• Do not cancel cloud advantages
• Lightweight operations at client side
• Big Data

Slide 15