Elsevier

Information Sciences

Volume 520, May 2020, Pages 15-30
Enabling cloud storage auditing with key-exposure resilience under continual key-leakage

https://doi.org/10.1016/j.ins.2020.02.010

Abstract

Cloud storage auditing is a service that is usually provided to enable clients to verify the integrity of their data stored in the cloud. However, clients risk exposing their secret key. To address the problem of key exposure, researchers have provided “Forward Security” by dividing the entire lifetime of the secret key into several periods and updating the secret key within each of these periods. Forward security can ensure the validity of authenticators before the period in which the secret key is fully exposed. However, the security of these protocols can be broken by launching side-channel attacks to leak the secret key partially rather than fully. In this study, we focus on implementing measures in cloud storage auditing to protect against side-channel attacks in practice. We formalize the definition and security model of a cloud storage auditing protocol, which supports forward security under continual key-leakage, and construct the first protocol. Our protocol remains secure even if an adversary obtains partial leakage of the secret key during a period. In addition, if the secret key were to be fully disclosed in a certain period, our protocol would maintain forward security. Therefore, the proposed protocol provides stronger security compared with existing protocols.

Introduction

Cloud storage is an emerging technology that provides clients with convenient data-related services. Recently, many world-leading IT companies have released cloud storage products, such as Google Cloud Storage, Microsoft Azure, and Amazon S3. Clients who utilize these cloud storage services rent the storage capacity and network bandwidth in a pay-as-you-go manner. Accordingly, they can outsource their data to the cloud and access the data anytime, anywhere through the internet, and enjoy other storage services based in the cloud (e.g., data analysis or image processing) if required. This obviates the need for clients to maintain basic storage infrastructure, and the storage service provider can concentrate on the quality of the service themselves. Many individuals and institutions have adopted cloud storage to maintain their data. Since their inception, cloud storage services have become a lucrative industry, with the global cloud storage market estimated to reach $65.41 billion by the year 2020 [1].

Despite the numerous advantages of using a cloud storage service, data integrity has always been a significant problem that has prevented prospective clients from adopting this service. When users upload their data to the cloud, they lose complete control of their data and rely entirely on the cloud to maintain them. Although cloud service providers adopt a variety of advanced techniques (e.g., replication [2] or erasure code [3]) to ensure data reliability and robustness, data corruption still frequently occurs [4]. In addition, a dishonest cloud server may conceal the incident of data loss from the users, or even maliciously delete users’ data. Accordingly, from a user’s perspective, the service provider should convince the user that the data they saved in the cloud will remain intact.

Unfortunately, unlike traditional settings in which hash functions and signatures can be utilized for integrity assurance, in a cloud storage scenario, the clients seldom retain a local copy of their data. In addition, it would be unrealistic to require the clients to download the entire dataset. Thus, it is necessary to compose an appropriate integrity auditing mechanism in a cloud storage scenario that can remotely verify the intactness of the data without reliance on local copies [5], [6]. In this regard, cloud storage auditing protocols are cryptographic protocols that can efficiently and effectively prove the intactness of the data stored in the cloud. They normally adopt a spot-checking technique and thus the auditors are only required to access a fraction of the data to verify the integrity of the entire dataset. Consequently, cloud storage auditing has become a tool of significant importance for cloud data security.

Most of the cloud auditing protocols that have been developed to date assume that the client’s secret key for auditing is securely maintained. However, in practice, newly emerging side-channel attacks may invalidate this assumption. Traditional techniques that were used to launch side-channel attacks such as a power analysis attack [7], [8], timing attack [9], and electromagnetic analysis [10] were expensive to carry out and sometimes led to observable physical damage to the affected device. Modern side-channel attacks (e.g., [11], [12], [13]) can grab users’ secret key inexpensively and imperceptibly. For example, as shown by Genkin [14], who jointly analyzed different traces (e.g., the far end of a cable, human touch, electromagnetic, and power consumption), it is feasible to extract 4096-bit RSA keys and 3072-bit ElGamal keys from laptops with little effort. Once the secret key for auditing is leaked to the cloud service provider, all the present cloud auditing protocols would fail.

Schemes concentrating on secret key leakage in cloud auditing have been proposed [15], [16], [17], with all of them addressing the problem of cloud auditing as a result of key disclosure. These schemes consider the client’s key to be fully leaked rather than partially leaked in a side-channel attack. For example, the client may inadvertently and carelessly download malware that reads the client’s key and sends it to the attacker. In these previous studies, the entire lifetime of the secret key was separated into several time periods and forward security for a cloud auditing protocol was provided by updating the secret keys among the periods. As a result, these auditing protocols still remain secure in those periods that occur before the secret key is fully exposed. In practice, however, the adversary can obtain pieces of information about the secret key between two updates by launching a side-channel attack, which can obviously help it breach the security of the auditing protocol.

In this study, we focus on enabling leakage-tolerant cloud storage auditing to overcome the problem of partial key leakage between two key updates in the forward-secure cloud auditing protocols. Specifically, our proposed cloud storage auditing method achieves both “forward security” and “key-leakage resilience” simultaneously. Fig. 1 shows the scenario on which our work is based. The two participants are: the client (file owner) and the cloud. The client partitions each of his files to blocks and uploads the blocks and the corresponding authenticators to the cloud. The client can use a service based in the cloud to verify whether their files are correctly stored in the cloud. An adversary can obtain partial information about the client’s secret key by using side-channel attacks.
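The scenario above, and the failure that follows once the auditing key reaches the cloud, can be made concrete with a small sketch. This is an added example, not the protocol of this paper: it assumes HMAC-SHA256 authenticators with private verification, and the file identifier, block size and file contents are constructed.

```python
import hashlib
import hmac
import secrets

BLOCK_SIZE = 16  # small on purpose so the constructed file has many blocks


def split_blocks(data, size=BLOCK_SIZE):
    return [data[i:i + size] for i in range(0, len(data), size)]


def authenticator(key, file_id, index, block):
    # Bind the tag to the file and block position so blocks cannot be swapped.
    msg = file_id + index.to_bytes(8, "big") + block
    return hmac.new(key, msg, hashlib.sha256).digest()


class Cloud:
    """Holds the outsourced blocks and authenticators and answers challenges."""

    def __init__(self, blocks, tags):
        self.blocks, self.tags = list(blocks), list(tags)

    def prove(self, challenge):
        return [(i, self.blocks[i], self.tags[i]) for i in challenge]


def make_challenge(n_blocks, sample_size):
    # Spot check: a random subset of indices, unpredictable to the cloud.
    return secrets.SystemRandom().sample(range(n_blocks), sample_size)


def audit(key, file_id, cloud, challenge):
    proof = cloud.prove(challenge)
    if [i for i, _, _ in proof] != list(challenge):
        return False
    return all(hmac.compare_digest(authenticator(key, file_id, i, block), tag)
               for i, block, tag in proof)


def demo():
    key = secrets.token_bytes(32)
    file_id = b"constructed-file-01"
    data = bytes(range(256)) * 4              # constructed 1024-byte file, 64 blocks
    blocks = split_blocks(data)
    tags = [authenticator(key, file_id, i, b) for i, b in enumerate(blocks)]
    cloud = Cloud(blocks, tags)
    every_block = list(range(len(blocks)))    # full challenge keeps the demo deterministic

    honest = audit(key, file_id, cloud, make_challenge(len(blocks), 8))
    cloud.blocks[5] = b"\x00" * BLOCK_SIZE    # corruption without knowing the key
    corrupted = audit(key, file_id, cloud, every_block)
    # A cloud that learned the key re-tags the altered block; the audit passes again.
    cloud.tags[5] = authenticator(key, file_id, 5, cloud.blocks[5])
    after_key_exposure = audit(key, file_id, cloud, every_block)
    return honest, corrupted, after_key_exposure
```

A random spot check catches a single corrupted block only with probability proportional to the sample size, which is why the demo challenges every block when it needs a deterministic result.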

In this regard, leakage-resilience has attracted considerable attention in theoretical cryptography as an algorithmic countermeasure (contrary to engineering countermeasures such as hiding [18] and masking [19]) against side-channel attacks. In leakage-resilient cryptography, leakage models are generalized to capture the features of multiple types of side-channel attacks. Among these models, the continual memory leakage model is generally considered to be the most powerful model, which assumes the secret key in the memory can be (partially) acquired by the adversary.

To make the auditing protocol support both “forward security” and “key-leakage resilience” simultaneously, we first propose an auditing protocol with continual key-leakage resilience. Then, we extend the scheme to achieve our goal. The main contributions are as follows:

  1. First, we attempted to provide the storage auditing protocol with continual key-leakage resilience, a capability previous auditing protocols did not have. Our design enables malicious operations on the client’s cloud data to be detected, even if the malicious cloud obtains partial information about the client’s current secret key for cloud storage auditing. We define continual key-leakage resilience for the cloud auditing protocol and propose the first concrete protocol for cloud storage.

  2. We developed a cloud storage auditing protocol to support “forward security” and “continual key-leakage resilience” simultaneously. This protocol makes it possible to detect malicious operations on the client’s cloud data in previous time periods, even if the malicious cloud server were to obtain the client’s current secret key for cloud storage auditing and partial information about the secret keys of previous time periods. Specifically, we employ a binary tree structure [20], [21] to update the client’s secret keys in different time periods. We apply an existing technique [20] to our continual key-leakage resilient auditing protocol and propose the first auditing protocol with the above-mentioned two security properties.
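How a binary tree can drive key updates across time periods is sketched below. This is an added example, not the construction of this paper: it is a hash-based stand-in (HMAC-SHA256 as the one-way step) for the pairing-based keys used here, it shows only the forward-security property, not leakage resilience, and the depth and root secret are assumptions.

```python
import hashlib
import hmac

DEPTH = 3  # assumed tree depth: 2**3 = 8 time periods


def child(secret, bit):
    # One-way step: a child secret cannot be used to recover its parent.
    return hmac.new(secret, b"L" if bit == 0 else b"R", hashlib.sha256).digest()


def leaf_key(root, period, depth=DEPTH):
    """Reference derivation of a period key straight from the root secret."""
    secret = root
    for level in reversed(range(depth)):
        secret = child(secret, (period >> level) & 1)
    return secret


class EvolvingKey:
    """Current period key plus the right-sibling secrets needed for later periods."""

    def __init__(self, root, depth=DEPTH):
        self.depth = depth
        self.stack = [(0, 0, root)]  # (level, index within level, secret)
        self.period, self.current = -1, None
        self.update()

    def update(self):
        if not self.stack:
            raise RuntimeError("key lifetime exhausted")
        level, index, secret = self.stack.pop()
        while level < self.depth:
            # Keep the right child for later periods, walk down the left child.
            self.stack.append((level + 1, 2 * index + 1, child(secret, 1)))
            secret = child(secret, 0)
            level, index = level + 1, 2 * index
        # The previous period key and all consumed ancestors are no longer stored.
        self.period, self.current = index, secret

    def covered_periods(self):
        """Periods derivable from the stored state, i.e. what full exposure reveals."""
        covered = {self.period}
        for level, index, _ in self.stack:
            span = 1 << (self.depth - level)
            covered.update(range(index * span, (index + 1) * span))
        return covered


if __name__ == "__main__":
    key = EvolvingKey(bytes(range(32)))  # constructed root secret
    key.update()
    key.update()
    print(key.period, sorted(key.covered_periods()))
```

The state holds at most one secret per tree level, and a real implementation would also have to erase dropped secrets from memory, which Python does not guarantee.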

Data Auditing for cloud storage. Remote data integrity verification has its origins in integrity protection memory management systems [22], which enable a client to verify whether read/write operations are correctly executed in unreliable memory. With the proliferation of cloud storage, proof of retrievability (POR) [23] and proof of data possession (PDP) [5], [24] were proposed to efficiently verify the integrity of archival datasets. Specifically, a POR scheme stores each encrypted file in the cloud server along with a set of pseudorandom blocks. Subsequently, the client can examine the data integrity by verifying whether the server retains the pseudorandom blocks. PDP follows a different approach by allowing the client to verify the integrity by challenging the server with some randomly selected block numbers to determine whether the server generates valid proofs.

Later, multiple PDP and POR schemes were proposed to extend the performance or functionality of traditional schemes. For example, dynamic PDP [6], [25], [26] enables the client’s file archive to be dynamically updated (e.g., via file upload or delete). PDP or POR with public verifiability (e.g., [27], [28], [29]) enables a third party, rather than the client, to verify the data integrity. Other solutions (e.g., [30], [31], [32]) took privacy into consideration and ensured that neither the cloud nor the auditor could acquire the user’s data.

The aforementioned studies (including ours) adopted the single-server model, which regards the cloud storage platform as a whole entity. Accordingly, they only focus on integrity verification in the cloud but cannot recover the original data when an inconsistency is found. It is worth mentioning that another approach was to adopt the multi-server model with the aim of reconstructing the compromised data by using a redundancy (e.g., replication or coding) technique. For example, a replication technique was adopted for data-recovery [33], whereas the high-availability and integrity layer (HAIL) [2] utilizes erasure coding, and a third approach involved regenerating codes in recovering corrupted data [34], [35].

Leakage-resilient cryptographic protocols for the cloud. Secure multiparty computation (SMPC) [36], [37] is a generic cryptographic protocol that enables distributed parties to jointly compute a functionality, while ensuring that each party’s input and output remains secret. Generally, SMPC first transforms the targeted functionality into arithmetic or logic circuits for subsequent evaluation in a secure manner. Theoretically, the goal of leakage-resilient SMPC is to secure circuit evaluation against an adversary who probes the values of internal wires. Several researchers (e.g., [38], [39], [40]) conducted in-depth research in this field.

Likewise, secret sharing [41] is a kind of cryptographic protocol that enables a user to randomly split a secret into multiple shares, such that certain subsets of the shares can be used to reconstruct the secret and others do not reveal any particulars of the secret. Secret sharing is also a significant tool for constructing secure cloud applications [42]. The leakage resilience of secret sharing was formalized by the work of Benhamouda et al. [43], after which several leakage resilient secret sharing schemes were proposed [44], [45]. In terms of application-level secure cryptographic schemes for cloud computing, Hu et al. [46] and Dai et al. [47] considered leakage resilience for searchable encryption [48] to enable secure search in the cloud.

Studies that are the most closely related to this one are [15], [16], all of which focused on the problem of cloud auditing under key disclosure. However, as mentioned previously, these solutions only provide “forward security” and do not consider the problem of partial key leakage between two key-updates.

In Section 2, we introduce the necessary preliminaries. Then, in Section 3, we propose a concrete auditing protocol with continual key-leakage resilience and analyze its security and performance. In Section 4, we extend the protocol in Section 3 such that it supports “forward security” and “continual key-leakage resilience” simultaneously. Finally, we conclude the paper in Section 5.

Section snippets

Composite order bilinear groups

Our protocols are constructed on the composite order bilinear groups of order $N$, where $N = p_1 p_2 p_3 p_4$ is a product of four distinct primes [49]. Let $G$, $G_T$ be cyclic groups of order $N$. Let $e: G \times G \to G_T$ be a map satisfying the following properties:

  1. Bilinearity: For all $u, v \in G$ and any $a, b \in \mathbb{Z}_N$, $e(u^a, v^b) = e(u, v)^{ab}$;

  2. Non-degeneracy: For all generators $g \in G$, $e(g, g) \neq 1_{G_T}$;

  3. Computability: $e(u, v)$ can be computed efficiently for all $u, v \in G$;

Following the explanation in [49], the composite order bilinear

Auditing protocol with continual key-leakage resilience

In this section, we propose our first auditing protocol and prove that it achieves continual key-leakage resilience security. We also present an analysis of the performance of our protocol.

Extension to forward secure protocol under continual key-leakage

In practice, the client’s secret key of the auditing protocol may be fully exposed. Usually, clients prefer to use software-based key management to manage their different keys for different security goals. The limitation of software-based key management and careless mistakes by the client make it possible for the key to be exposed. In addition, if data loss incidents were to occur on the cloud server side or, for storage cost reasons, the cloud server discards data the client rarely accesses,

Conclusion

In this paper, we focus on providing a cloud auditing protocol with forward security under continual key-leakage. We feed a new security definition named “key-exposure resilience under continual leakage” to the auditing protocol and initiate the first attempt to construct an auditing protocol with this definition of security. This protocol enables the integrity of the data uploaded to the cloud to be successfully verified during the time period before that in which the client’s current key

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

CRediT authorship contribution statement

Chengyu Hu: Conceptualization, Methodology, Software, Investigation, Writing - original draft, Writing - review & editing. Yuqin Xu: Software, Investigation. Pengtao Liu: Investigation, Writing - original draft. Jia Yu: Methodology, Writing - original draft. Shanqing Guo: Methodology, Writing - review & editing. Minghao Zhao: Software, Writing - original draft.

Acknowledgments

This project is supported in part by National Natural Science Foundation of China (no.61602275, 61632020, 61772311), Major Scientific and Technological Innovation Projects of Shandong Province, China (no.2019JZZY010132), Shandong Province Higher Educational Science and Technology Program (no.J15LN01), the Open Project of Key Laboratory of Network Assessment Technology, Institute of information engineering, Chinese Academy of Sciences (no.KFKT2019-002), the Open Project of Co-Innovation Center

References (50)

  • E. Brier et al. Correlation power analysis with a leakage model. Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems (CHES) (2004)
  • P.C. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. Proceedings of the Annual International Cryptology Conference (CRYPTO) (1996)
  • K. Gandolfi et al. Electromagnetic analysis: concrete results. Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems (CHES) (2001)
  • S. Jana et al. Memento: Learning Secrets from Process Footprints. Proceedings of the 2012 IEEE Symposium on Security and Privacy (S&P) (2012)
  • M. Vuagnoux et al. Compromising electromagnetic emanations of wired and wireless keyboards. Proceedings of the USENIX Security Symposium (2009)
  • R. Raguram et al. iSpy: Automatic Reconstruction of Typed Input from Compromising Reflections. Proceedings of the 18th ACM Conference on Computer and Communications Security (2011)
  • D. Genkin et al. Get Your Hands Off My Laptop: Physical Side-Channel Key-Extraction Attacks on PCs. Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems (CHES) (2014)
  • J. Yu et al. Enabling cloud storage auditing with key-exposure resistance. IEEE Trans. Inf. Forensics Secur. (2015)
  • J. Yu et al. Strong key-exposure resilient auditing for secure cloud storage. IEEE Trans. Inf. Forensics Secur. (2017)
  • R.P. McEvoy et al. Isolated WDDL: a hiding countermeasure for differential power analysis on FPGAs. ACM Trans. Reconfigurable Technol. Syst. (TRETS) (2009)
  • J.D. Golić et al. Multiplicative masking and power analysis of AES. International Workshop on Cryptographic Hardware and Embedded Systems (CHES) (2002)
  • M. Bellare et al. Forward-security under continual leakage. Proceedings of the 16th International Conference on Cryptology and Network Security (CANS) (2017)
  • M. Naor et al. The Complexity of Online Memory Checking. Proceedings of the IEEE Symposium on Foundations of Computer Science (FOCS) (2005)
  • A. Juels et al. PORs: Proofs of Retrievability for Large Files. Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS) (2007)
  • G. Ateniese et al. Remote data checking using provable data possession. ACM Trans. Inf. Syst. Secur. (TISSEC) (2011)