Enabling cloud storage auditing with key-exposure resilience under continual key-leakage
Introduction
Cloud storage is an emerging technology that provides clients with convenient data-related services. Recently, many world-leading IT companies have released cloud storage products, such as Google Cloud Storage, Microsoft Azure, and Amazon S3. Clients who utilize these cloud storage services rent storage capacity and network bandwidth in a pay-as-you-go manner. Accordingly, they can outsource their data to the cloud, access the data anytime and anywhere through the internet, and use other cloud-based storage services (e.g., data analysis or image processing) if required. This obviates the need for clients to maintain basic storage infrastructure and lets the storage service provider concentrate on the quality of the service itself. Many individuals and institutions have adopted cloud storage to maintain their data. Since their inception, cloud storage services have become a lucrative industry, with the global cloud storage market estimated to reach $65.41 billion by the year 2020 [1].
Despite the numerous advantages of using a cloud storage service, data integrity has always been a significant problem that has prevented prospective clients from adopting this service. When users upload their data to the cloud, they give up direct control of their data and rely entirely on the cloud to maintain it. Although cloud service providers adopt a variety of advanced techniques (e.g., replication [2] or erasure coding [3]) to ensure data reliability and robustness, data corruption still occurs frequently [4]. In addition, a dishonest cloud server may conceal a data-loss incident from the users, or even maliciously delete users’ data. Accordingly, from a user’s perspective, the service provider should convince the user that the data they saved in the cloud remain intact.
Unfortunately, unlike traditional settings in which hash functions and signatures can be utilized for integrity assurance, in a cloud storage scenario the clients seldom retain a local copy of their data. In addition, it would be unrealistic to require the clients to download the entire dataset. Thus, it is necessary to design an appropriate integrity auditing mechanism for cloud storage that can remotely verify the intactness of the data without relying on local copies [5], [6]. In this regard, cloud storage auditing protocols are cryptographic protocols that can efficiently and effectively prove the intactness of the data stored in the cloud. They normally adopt a spot-checking technique, so the auditor is only required to access a fraction of the data to verify the integrity of the entire dataset. Consequently, cloud storage auditing has become a tool of significant importance for cloud data security.
Most of the cloud auditing protocols developed to date assume that the client’s secret key for auditing is securely maintained. In practice, however, newly emerging side-channel attacks may invalidate this assumption. Traditional techniques used to launch side-channel attacks, such as power analysis [7], [8], timing attacks [9], and electromagnetic analysis [10], were expensive to carry out and sometimes caused observable physical damage to the affected device. Modern side-channel attacks (e.g., [11], [12], [13]) can obtain users’ secret keys inexpensively and imperceptibly. For example, as shown by Genkin [14], who jointly analyzed different traces (e.g., the far end of a cable, human touch, electromagnetic emanations, and power consumption), it is feasible to extract 4096-bit RSA keys and 3072-bit ElGamal keys from laptops with little effort. Once the secret key for auditing is leaked to the cloud service provider, all present cloud auditing protocols fail.
Schemes addressing secret key leakage in cloud auditing have been proposed [15], [16], [17], all of which consider cloud auditing under key disclosure. These schemes consider the client’s key to be fully leaked rather than partially leaked by a side-channel attack. For example, the client may inadvertently and carelessly download malware that reads the client’s key and sends it to the attacker. In these previous studies, the entire lifetime of the secret key is separated into several time periods, and forward security for the cloud auditing protocol is provided by updating the secret key between periods. As a result, these auditing protocols remain secure in the periods preceding the one in which the secret key is fully exposed. In practice, however, the adversary can obtain pieces of information about the secret key between two updates by launching a side-channel attack, which can obviously help it breach the security of the auditing protocol.
In this study, we focus on enabling leakage-tolerant cloud storage auditing to overcome the problem of partial key leakage between two key updates in forward-secure cloud auditing protocols. Specifically, our proposed cloud storage auditing method achieves both “forward security” and “key-leakage resilience” simultaneously. Fig. 1 shows the scenario on which our work is based. The two participants are the client (file owner) and the cloud. The client partitions each file into blocks and uploads the blocks and the corresponding authenticators to the cloud. The client can use a cloud-based service to verify whether their files are correctly stored in the cloud. An adversary can obtain partial information about the client’s secret key by using side-channel attacks.
In this regard, leakage resilience has attracted considerable attention in theoretical cryptography as an algorithmic countermeasure (as opposed to engineering countermeasures such as hiding [18] and masking [19]) against side-channel attacks. In leakage-resilient cryptography, leakage models are generalized to capture the features of multiple types of side-channel attacks. Among these models, the continual memory leakage model is generally considered the most powerful; it assumes that the secret key in memory can be (partially) acquired by the adversary.
To make the auditing protocol support both “forward security” and “key-leakage resilience” simultaneously, we first propose an auditing protocol with continual key-leakage resilience. Then, we extend the scheme to achieve our goal. The main contributions are as follows:
1. First, we attempted to provide the storage auditing protocol with continual key-leakage resilience, a capability previous auditing protocols did not have. Our design enables malicious operations on the client’s cloud data to be detected, even if the malicious cloud obtains partial information about the client’s current secret key for cloud storage auditing. We define continual key-leakage resilience for the cloud auditing protocol and propose the first concrete protocol for cloud storage.
2. We developed a cloud storage auditing protocol that supports “forward security” and “continual key-leakage resilience” simultaneously. This protocol makes it possible to detect malicious operations on the client’s cloud data in previous time periods, even if the malicious cloud server obtains the client’s current secret key for cloud storage auditing and partial information about the secret keys of previous time periods. Specifically, we employ a binary tree structure [20], [21] to update the client’s secret keys across time periods. We apply an existing technique [20] to our continual key-leakage resilient auditing protocol and propose the first auditing protocol with the above-mentioned two security properties.
Data auditing for cloud storage. Remote data integrity verification has its origins in integrity-protecting memory management systems [22], which enable a client to verify whether read/write operations are correctly executed in unreliable memory. With the proliferation of cloud storage, proof of retrievability (POR) [23] and proof of data possession (PDP) [5], [24] were proposed to efficiently verify the integrity of archival datasets. Specifically, a POR scheme stores each encrypted file in the cloud server along with a set of pseudorandom blocks. Subsequently, the client can examine the data integrity by verifying whether the server retains the pseudorandom blocks. PDP follows a different approach: the client verifies integrity by challenging the server with some randomly selected block numbers and checking whether the server generates valid proofs.
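The spot-checking idea from the introduction and the PDP challenge-response just described, as an added, constructed example (not the paper's scheme and not code from any cited work): the client tags every block with a MAC, the cloud stores blocks with tags, and the auditor challenges a random subset of block indices. The key, file contents, block size and challenge size are constructed values. Real PDP/POR schemes use homomorphic authenticators so the proof is a short aggregate rather than the raw blocks; that optimization is omitted here, and the point is the detection statistics of sampling.

```python
import hashlib
import hmac
import random

# Added, constructed example (not the paper's scheme): a symmetric-key,
# spot-checking audit in the PDP style. The client tags every block, the cloud
# stores blocks with tags, and the auditor challenges a random subset of block
# indices. Real PDP/POR schemes use homomorphic authenticators so that the
# proof is a short aggregate instead of the raw blocks; that part is omitted.

BLOCK_SIZE = 64  # bytes per block; a constructed value


def split_blocks(data: bytes, size: int = BLOCK_SIZE) -> list:
    """Partition the file into fixed-size blocks (the last one may be short)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def tag_block(key: bytes, index: int, block: bytes) -> bytes:
    """MAC over (index, block); binding the index stops block substitution."""
    return hmac.new(key, index.to_bytes(8, "big") + block, hashlib.sha256).digest()


def outsource(key: bytes, data: bytes) -> list:
    """Client side: produce the (block, tag) pairs that are uploaded to the cloud."""
    return [(b, tag_block(key, i, b)) for i, b in enumerate(split_blocks(data))]


def challenge(num_blocks: int, c: int, rng: random.Random) -> list:
    """Auditor side: pick c distinct block indices uniformly at random."""
    return sorted(rng.sample(range(num_blocks), c))


def prove(storage: list, chal: list) -> list:
    """Cloud side: answer the challenge with (index, block, tag) triples."""
    return [(i, storage[i][0], storage[i][1]) for i in chal]


def verify(key: bytes, proof: list, chal: list) -> bool:
    """Auditor side: every challenged index must come back with a valid tag."""
    if [i for i, _, _ in proof] != chal:
        return False  # missing, extra, or reordered blocks
    return all(hmac.compare_digest(tag_block(key, i, b), t) for i, b, t in proof)


def detection_probability(n: int, corrupted: int, c: int) -> float:
    """Probability that a challenge of c distinct blocks out of n hits at least
    one of the `corrupted` bad blocks (hypergeometric, sampling without
    replacement)."""
    p_miss = 1.0
    for k in range(c):
        p_miss *= (n - corrupted - k) / (n - k)
    return 1.0 - p_miss


def run_audit(seed: int = 7, tamper: bool = False) -> bool:
    """End-to-end demo on a constructed 1000-block file; returns the verdict."""
    rng = random.Random(seed)
    key = b"constructed-demo-key-not-for-real-use"
    data = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE * 1000))
    storage = outsource(key, data)
    if tamper:
        # A dishonest cloud silently corrupts 1% of the blocks but keeps the tags.
        for i in rng.sample(range(len(storage)), 10):
            b, t = storage[i]
            storage[i] = (bytes([b[0] ^ 1]) + b[1:], t)
    chal = challenge(len(storage), 460, rng)  # 460 blocks: ~99% detection of 1% corruption
    return verify(key, prove(storage, chal), chal)


if __name__ == "__main__":
    print("honest cloud passes:", run_audit())
    print("tampered cloud passes:", run_audit(tamper=True))
    print("detection probability:", round(detection_probability(1000, 10, 460), 4))
```

The `detection_probability` function makes the spot-checking trade-off explicit: with 1% of 1000 blocks corrupted, challenging 460 blocks already detects the corruption with probability above 0.99, whereas a single challenged block detects it with probability 0.01. Because the tag binds the block index, a cloud that has lost block `i` cannot satisfy the challenge by returning some other intact block in its place.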
Later, multiple PDP and POR schemes were proposed to extend the performance or functionality of the original schemes. For example, dynamic PDP [6], [25], [26] enables the client’s file archive to be updated dynamically (e.g., via file upload or deletion). PDP or POR with public verifiability (e.g., [27], [28], [29]) enables a third party, rather than the client, to verify the data integrity. Other solutions (e.g., [30], [31], [32]) took privacy into consideration and ensured that neither the cloud nor the auditor can acquire the user’s data.
The aforementioned studies (including ours) adopted the single-server model, which regards the cloud storage platform as a whole entity. Accordingly, they only focus on integrity verification in the cloud but cannot recover the original data when an inconsistency is found. It is worth mentioning that another approach was to adopt the multi-server model with the aim of reconstructing the compromised data by using a redundancy (e.g., replication or coding) technique. For example, a replication technique was adopted for data-recovery [33], whereas the high-availability and integrity layer (HAIL) [2] utilizes erasure coding, and a third approach involved regenerating codes in recovering corrupted data [34], [35].
Leakage-resilient cryptographic protocols for the cloud. Secure multiparty computation (SMPC) [36], [37] is a generic cryptographic protocol that enables distributed parties to jointly compute a functionality while ensuring that each party’s input and output remain secret. Generally, SMPC first transforms the target functionality into arithmetic or logic circuits, which are then evaluated securely. Theoretically, the goal of leakage-resilient SMPC is to secure circuit evaluation against an adversary who probes the values of internal wires. Several researchers (e.g., [38], [39], [40]) have conducted in-depth research in this field.
Likewise, secret sharing [41] is a kind of cryptographic protocol that enables a user to randomly split a secret into multiple shares, such that certain subsets of the shares can be used to reconstruct the secret and others do not reveal any particulars of the secret. Secret sharing is also a significant tool for constructing secure cloud applications [42]. The leakage resilience of secret sharing was formalized by the work of Benhamouda et al. [43], after which several leakage resilient secret sharing schemes were proposed [44], [45]. In terms of application-level secure cryptographic schemes for cloud computing, Hu et al. [46] and Dai et al. [47] considered leakage resilience for searchable encryption [48] to enable secure search in the cloud.
The studies most closely related to this one are [15], [16], both of which focus on the problem of cloud auditing under key disclosure. However, as mentioned previously, these solutions only provide “forward security” and do not consider the problem of partial key leakage between two key updates.
In Section 2, we introduce the necessary preliminaries. Then, in Section 3, we propose a concrete auditing protocol with continual key-leakage resilience and analyze its security and performance. In Section 4, we extend the protocol in Section 3 such that it supports “forward security” and “continual key-leakage resilience” simultaneously. Finally, we conclude the paper in Section 5.
Composite order bilinear groups
Our protocols are constructed on composite order bilinear groups of order N, where N is a product of four distinct primes [49]. Let G, GT be cyclic groups of order N. Let e: G × G → GT be a map satisfying the following properties:
1. Bilinearity: For all u, v ∈ G and any a, b ∈ ZN, ;
2. Non-degeneracy: For all generators g ∈ G, ;
3. Computability: e(u, v) can be computed efficiently for all u, v ∈ G.
Following the explanation in [49], the composite order bilinear
Auditing protocol with continual key-leakage resilience
In this section, we propose our first auditing protocol and prove that it achieves continual key-leakage resilience security. We also present an analysis of the performance of our protocol.
Extension to forward secure protocol under continual key-leakage
In practice, the client’s secret key of the auditing protocol may be fully exposed. Usually, clients prefer to use software-based key management to manage their different keys for different security goals. The limitation of software-based key management and careless mistakes by the client make it possible for the key to be exposed. In addition, if data loss incidents were to occur on the cloud server side or, for storage cost reasons, the cloud server discards data the client rarely accesses,
Conclusion
In this paper, we focus on providing a cloud auditing protocol with forward security under continual key-leakage. We feed a new security definition named “key-exposure resilience under continual leakage” to the auditing protocol and initiate the first attempt to construct an auditing protocol with this definition of security. This protocol enables the integrity of the data uploaded to the cloud to be successfully verified during the time period before that in which the client’s current key
Declaration of competing interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
CRediT authorship contribution statement
Chengyu Hu: Conceptualization, Methodology, Software, Investigation, Writing - original draft, Writing - review & editing. Yuqin Xu: Software, Investigation. Pengtao Liu: Investigation, Writing - original draft. Jia Yu: Methodology, Writing - original draft. Shanqing Guo: Methodology, Writing - review & editing. Minghao Zhao: Software, Writing - original draft.
Acknowledgments
This project is supported in part by National Natural Science Foundation of China (no.61602275, 61632020, 61772311), Major Scientific and Technological Innovation Projects of Shandong Province, China (no.2019JZZY010132), Shandong Province Higher Educational Science and Technology Program (no.J15LN01), the Open Project of Key Laboratory of Network Assessment Technology, Institute of information engineering, Chinese Academy of Sciences (no.KFKT2019-002), the Open Project of Co-Innovation Center
References
- et al., Identity-based key-exposure resilient cloud storage public auditing scheme from lattices, Inf. Sci. (2019)
- et al., Intrusion-resilient identity-based signatures: concrete scheme in the standard model and generic construction, Inf. Sci. (2018)
- et al., Towards achieving keyword search over dynamic encrypted cloud data with symmetric-key based verification, IEEE Transactions on Dependable and Secure Computing (2019)
- Markets and Markets, Cloud Storage Market by Type, Deployment Model, Organization Size, Vertical, and Region - Global...
- et al., A Self-organized, Fault-tolerant and Scalable Replication Scheme for Cloud Storage, Proceedings of the 1st ACM Symposium on Cloud Computing (SoCC) (2010)
- et al., Erasure Coding in Windows Azure Storage, Proceedings of the USENIX Annual Technical Conference (ATC) (2012)
- Z. Whittaker, Amazon web services suffers partial outage, ...
- et al., Provable Data Possession at Untrusted Stores, Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS) (2007)
- et al., Dynamic provable data possession, ACM Trans. Inf. Syst. Secur. (TISSEC) (2015)
- et al., Differential Power Analysis, Proceedings of the Annual International Cryptology Conference (CRYPTO) (1999)
- Correlation power analysis with a leakage model, Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems (CHES)
- Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, Proceedings of the Annual International Cryptology Conference (CRYPTO)
- Electromagnetic analysis: concrete results, Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems (CHES)
- Memento: Learning Secrets from Process Footprints, Proceedings of the 2012 IEEE Symposium on Security and Privacy (S&P)
- Compromising electromagnetic emanations of wired and wireless keyboards, Proceedings of the USENIX Security Symposium
- iSpy: Automatic Reconstruction of Typed Input from Compromising Reflections, Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS)
- Get Your Hands Off My Laptop: Physical Side-Channel Key-Extraction Attacks on PCs, Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems (CHES)
- Enabling cloud storage auditing with key-exposure resistance, IEEE Trans. Inf. Forensics Secur.
- Strong key-exposure resilient auditing for secure cloud storage, IEEE Trans. Inf. Forensics Secur.
- Isolated WDDL: a hiding countermeasure for differential power analysis on FPGAs, ACM Trans. Reconfigurable Technol. Syst. (TRETS)
- Multiplicative masking and power analysis of AES, International Workshop on Cryptographic Hardware and Embedded Systems (CHES)
- Forward-security under continual leakage, Proceedings of the 16th International Conference on Cryptology and Network Security (CANS)
- The Complexity of Online Memory Checking, Proceedings of the IEEE Symposium on Foundations of Computer Science (FOCS)
- PORs: Proofs of Retrievability for Large Files, Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS)
- Remote data checking using provable data possession, ACM Trans. Inf. Syst. Secur. (TISSEC)