Security for cloud storage systems
云存儲系統的安全性研究
Student thesis: Doctoral Thesis
Author(s)
Related Research Unit(s)
Detail(s)
Awarding Institution | |
---|---|
Supervisors/Advisors |
|
Award date | 2 Oct 2013 |
Link(s)
Permanent Link | https://scholars.cityu.edu.hk/en/theses/theses(864502e0-8aab-404c-ac0c-4677df78dfc7).html |
---|---|
Other link(s) | Links |
Abstract
Cloud storage is an important service of cloud computing, which offers services for
data owners to host their data in the cloud. This new paradigm of data hosting and
data access services introduces several major security concerns: 1) Data Integrity. Data
owners may not fully trust the cloud server and worry that data stored in the cloud could
be corrupted or even removed. 2) Data Confidentiality. Data owners may worry that
some dishonest servers give data access to unauthorized users. In this thesis, we first
give a brief introduction to cloud storage systems. Then, we investigate the security
issues in the cloud storage systems and develop secure solutions to ensure data owners
the safety and security of the data stored in the cloud.
In the first part of this thesis, we focus on dealing with the data integrity issue in
cloud storage systems. Third-party Storage Auditing Service is an effective method to
check data integrity in the cloud, because it can provide unbasis results and convince
both cloud service providers and data owners. We first investigate the data storage auditing
problem and give an extensive survey of storage auditing methods in the literature.
Then, we propose some requirements and challenges in the design of third-party storage
schemes. We propose TSAS (Third-party Storage Auditing Scheme), an efficient and
privacy-preserving auditing protocol for cloud storage, which can support data dynamic
operations and batch auditing for both multiple owners and multiple clouds.
The second part of this thesis mainly focuses on solving the data privacy problem in
cloud storage systems. In cloud storage systems, the cloud server cannot be fully trusted
to enforce the access policy. We first introduce ABAC (Attribute-based Access Control),
an access control framework for cloud storage systems that achieves fine-grained
access control based on an adapted Ciphertext-Policy Attribute-based Encryption (CPABE) approach. In ABAC, an efficient attribute revocation method is proposed to cope
with the dynamic changes of users' access privileges in cloud storage systems.
However, in real large-scale cloud storage systems, there are multiple authorities
coexist, and data owners may want to share data with users who may hold attributes
from different authorities. To support multiple authorities scenario, we propose an expressive,
efficient and revocable multi-authority CP-ABE scheme, and apply it as the
underlying technique to design MAAC (Multi-Authority Access Control) scheme for
cloud storage systems with multiple authorities.
Besides the efficiency of attribute revocation, the decryption on the user side should
also be as efficient as possible, as users usually use their mobile devices (e.g., smart
phones, tablets etc.) to access the cloud data, whose computation abilities are not as
powerful as the one of PCs. To further improve the decryption efficiency, we propose
DAC-MACS (Data Access Control for Multi-Authority Cloud Storage), an effective
and secure data access control scheme with efficient decryption and revocation for
multi-authority cloud storage systems, where the main computation of the decryption
is outsourced to the cloud server. We further propose an extensive data access control
scheme (EDAC-MACS), which is secure under weaker security assumptions.
Under some circumstances, the cloud data should be controlled in the time-domain.
To achieve this, we first propose a novel temporal access control framework that can
achieve time-domain access control on multiple granularity levels. Then, we design
an efficient and secure TAAC (Temporal Attribute-based Access Control) scheme for
multi-authority cloud storage systems, where attributes can be revoked from users without
any ciphertext re-encryption. We further propose an algorithm to improve the efficiency
of TAAC. The security analysis and performance analysis show that TAAC is
provably secure, and highly efficient and flexible to applications in practice.
- Virtual storage (Computer science), Storage area networks (Computer networks), Cloud computing, Computer networks, Security measures