Security for cloud storage systems
Student thesis: Doctoral Thesis
Related Research Unit(s)
Cloud storage is an important service of cloud computing, which offers services for data owners to host their data in the cloud. This new paradigm of data hosting and data access services introduces several major security concerns: 1) Data Integrity. Data owners may not fully trust the cloud server and worry that data stored in the cloud could be corrupted or even removed. 2) Data Confidentiality. Data owners may worry that some dishonest servers give data access to unauthorized users. In this thesis, we first give a brief introduction to cloud storage systems. Then, we investigate the security issues in the cloud storage systems and develop secure solutions to ensure data owners the safety and security of the data stored in the cloud. In the first part of this thesis, we focus on dealing with the data integrity issue in cloud storage systems. Third-party Storage Auditing Service is an effective method to check data integrity in the cloud, because it can provide unbasis results and convince both cloud service providers and data owners. We first investigate the data storage auditing problem and give an extensive survey of storage auditing methods in the literature. Then, we propose some requirements and challenges in the design of third-party storage schemes. We propose TSAS (Third-party Storage Auditing Scheme), an efficient and privacy-preserving auditing protocol for cloud storage, which can support data dynamic operations and batch auditing for both multiple owners and multiple clouds. The second part of this thesis mainly focuses on solving the data privacy problem in cloud storage systems. In cloud storage systems, the cloud server cannot be fully trusted to enforce the access policy. We first introduce ABAC (Attribute-based Access Control), an access control framework for cloud storage systems that achieves fine-grained access control based on an adapted Ciphertext-Policy Attribute-based Encryption (CPABE) approach. In ABAC, an efficient attribute revocation method is proposed to cope with the dynamic changes of users' access privileges in cloud storage systems. However, in real large-scale cloud storage systems, there are multiple authorities coexist, and data owners may want to share data with users who may hold attributes from different authorities. To support multiple authorities scenario, we propose an expressive, efficient and revocable multi-authority CP-ABE scheme, and apply it as the underlying technique to design MAAC (Multi-Authority Access Control) scheme for cloud storage systems with multiple authorities. Besides the efficiency of attribute revocation, the decryption on the user side should also be as efficient as possible, as users usually use their mobile devices (e.g., smart phones, tablets etc.) to access the cloud data, whose computation abilities are not as powerful as the one of PCs. To further improve the decryption efficiency, we propose DAC-MACS (Data Access Control for Multi-Authority Cloud Storage), an effective and secure data access control scheme with efficient decryption and revocation for multi-authority cloud storage systems, where the main computation of the decryption is outsourced to the cloud server. We further propose an extensive data access control scheme (EDAC-MACS), which is secure under weaker security assumptions. Under some circumstances, the cloud data should be controlled in the time-domain. To achieve this, we first propose a novel temporal access control framework that can achieve time-domain access control on multiple granularity levels. Then, we design an efficient and secure TAAC (Temporal Attribute-based Access Control) scheme for multi-authority cloud storage systems, where attributes can be revoked from users without any ciphertext re-encryption. We further propose an algorithm to improve the efficiency of TAAC. The security analysis and performance analysis show that TAAC is provably secure, and highly efficient and flexible to applications in practice.
- Virtual storage (Computer science), Storage area networks (Computer networks), Cloud computing, Computer networks, Security measures