Cryptographic Cloud Storage
Seny Kamara, Microsoft Research
Kristin Lauter, Microsoft Research
Abstract
We consider the problem of building a secure cloud storage service on top of a public cloud infrastructure where the service provider is not completely trusted by the customer. We describe, at a high level, several architectures that combine recent and non-standard cryptographic primitives in order to achieve our goal. We survey the benefits such an architecture would provide to both customers and service providers and give an overview of recent advances in cryptography motivated specifically by cloud storage.
1 Introduction
Advances in networking technology and an increase in the need for computing resources have prompted many organizations to outsource their storage and computing needs. This new economic and computing model is commonly referred to as cloud computing and includes various types of services such as: infrastructure as a service (IaaS), where a customer makes use of a service provider's computing, storage or networking infrastructure; platform as a service (PaaS), where a customer leverages the provider's resources to run custom applications; and finally software as a service (SaaS), where customers use software that is run on the provider's infrastructure.
Cloud infrastructures can be roughly categorized as either private or public. In a private cloud, the infrastructure is managed and owned by the customer and located on-premise (i.e., in the customer's region of control). In particular, this means that access to customer data is under its control and is only granted to parties it trusts. In a public cloud the infrastructure is owned and managed by a cloud service provider and is located off-premise (i.e., in the service provider's region of control). This means that customer data is outside its control and could potentially be granted to untrusted parties.
Storage services based on public clouds such as Microsoft's Azure storage service and Amazon's S3 provide customers with scalable and dynamic storage. By moving their data to the cloud customers can avoid the costs of building and maintaining a private storage infrastructure, opting instead to pay a service provider as a function of its needs. For most customers, this provides several benefits including availability (i.e., being able to access data from anywhere) and reliability (i.e., not having to worry about backups) at a relatively low cost.
While the benefits of using a public cloud infrastructure are clear, it introduces significant security and privacy risks. In fact, it seems that the biggest hurdle to the adoption of cloud storage (and cloud computing in general) is concern over the confidentiality and integrity of data. While, so far, consumers have been willing to trade privacy for the convenience of software services (e.g., for web-based email, calendars, pictures etc), this is not the case for enterprises and government organizations. This reluctance can be attributed to several factors that range from a desire to protect mission-critical data to regulatory obligations to preserve the confidentiality and integrity of data. The latter can occur when the customer is responsible for keeping personally identifiable information (PII), or medical and financial records. So while cloud storage has enormous promise, unless the issues of confidentiality and integrity are addressed many potential customers will be reluctant to make the move.
To address the concerns outlined above and increase the adoption of cloud storage, we argue for designing a virtual private storage service based on recently developed cryptographic techniques. Such a service should aim to achieve the best of both worlds by providing the security of a private cloud and the functionality and cost savings of a public cloud. More precisely, such a service should provide (at least):
• confidentiality: the cloud storage provider does not learn any information about customer data
• integrity: any unauthorized modification of customer data by the cloud storage provider can be detected by the customer
while retaining the main benefits of a public storage service:
• availability: customer data is accessible from any machine and at all times
• reliability: customer data is reliably backed up
• efficient retrieval: data retrieval times are comparable to a public cloud storage service
• data sharing: customers can share their data with trusted parties.
An important aspect of a cryptographic storage service is that the security properties described above are achieved based on strong cryptographic guarantees as opposed to legal, physical and access control mechanisms. We believe this has several important benefits which we discuss further in Section 3.
This article is organized as follows. In Section 2 we describe, at a high level, a possible architecture for a cryptographic storage service. We consider both consumer and enterprise scenarios. We stress that this design is not intended to be a formal specification (indeed many important business and engineering questions would need to be addressed) but is only meant to serve as an illustration of how some of the new and non-standard cryptographic techniques that have been developed recently could be combined to achieve our goals. In Section 3 we give an overview of the benefits of a cryptographic storage service (e.g., reducing the legal exposure of both customers and cloud providers, and achieving regulatory compliance). In Section 4 we describe in more detail the relevant cryptographic techniques, including searchable encryption, proofs of storage and attribute-based encryption. Finally, in Section 5, we mention some cloud services that could be built on top of a cryptographic storage service such as secure back-ups, archival, health record systems, secure data exchange and e-discovery.
2 Architecture of a Cryptographic Storage Service
We now describe, at a high level, a possible architecture for a cryptographic storage service. At its core, the architecture consists of three components: a data processor (DP), that processes data before it is sent to the cloud; a data verifier (DV), that checks whether the data in the cloud has been tampered with; and a token generator (TG), that generates tokens that enable the cloud storage provider to retrieve segments of customer data; and a credential generator that implements an access control policy by issuing credentials to the various parties in the system (the credentials will enable the parties to decrypt encrypted files according to the policy). We describe designs for both consumer and enterprise scenarios.
2.1 A Consumer Architecture
Consider three parties: a user Alice that stores her data in the cloud; a user Bob with whom Alice wants to share data; and a cloud storage provider that stores Alice's data. To use the service, Alice and Bob begin by downloading a client application that consists of a data processor, a data verifier and a token generator. Upon its first execution, Alice's application generates a cryptographic key. We will refer to this key as a master key and assume it is stored locally on Alice's system and that it is kept secret from the cloud storage provider.
Whenever Alice wishes to upload data to the cloud, the data processor is invoked. It attaches some metadata (e.g., current time, size, keywords etc) and encrypts and encodes the data and metadata with a variety of cryptographic primitives (which we describe in more detail in Section 4). Whenever Alice wants to verify the integrity of her data, the data verifier is invoked. The latter uses Alice's master key to interact with the cloud storage provider and ascertain the integrity of the data. When Alice wants to retrieve data (e.g., all files tagged with keyword "urgent") the token generator is invoked to create a token. The token is sent to the cloud storage provider who uses it to retrieve the appropriate (encrypted) files which it returns to Alice. Alice then uses the decryption key to decrypt the files. Data sharing between Alice and Bob proceeds in a similar fashion. Whenever she wishes to share data with Bob, the application invokes the token generator to create an appropriate token, and the credential generator to generate a credential for Bob. Both the token and credential are sent to Bob who, in turn, sends the token to the provider. The latter uses the token to retrieve and return the appropriate encrypted documents which Bob decrypts using his credential.
This process is illustrated in Figure 1. We note that in order to achieve the security properties we seek, it is important that the client-side application and, in particular, the core components be either open-source or implemented or verified by someone other than the cloud service provider.
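The consumer flow above, as an added example that is not part of the paper: a Python model in which Alice's client derives all keys from one master key, the data processor encrypts-then-MACs a file and attaches keyword tags as metadata, the token generator issues a keyword token, the cloud matches tokens against tags without learning the keyword, and the data verifier detects tampering by the provider. It assumes HMAC-SHA256 as the only primitive (an HMAC-based counter keystream stands in for AES-CTR because only the standard library is used), and the keyword-tag scheme is a deliberately simple stand-in for the searchable encryption of Section 4.

```python
import hashlib
import hmac
import secrets

def derive_keys(master):
    """Client side: derive per-purpose keys from the master key, which never leaves Alice."""
    return {label: hmac.new(master, label.encode(), hashlib.sha256).digest()
            for label in ("enc", "tok", "mac")}

def keystream_xor(key, nonce, data):
    """Stand-in for AES-CTR using an HMAC-SHA256 keystream (assumption: stdlib only)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def data_processor(keys, content, keywords):
    """Encrypt-then-MAC the file and attach keyword tags as the searchable metadata."""
    nonce = secrets.token_bytes(16)
    ct = nonce + keystream_xor(keys["enc"], nonce, content)
    tag = hmac.new(keys["mac"], ct, hashlib.sha256).digest()
    kw_tags = {hmac.new(keys["tok"], kw.encode(), hashlib.sha256).digest() for kw in keywords}
    return {"ct": ct, "tag": tag, "kw": kw_tags}

def token_generator(keys, keyword):
    """Token for one keyword; the provider cannot invert it without keys["tok"]."""
    return hmac.new(keys["tok"], keyword.encode(), hashlib.sha256).digest()

def cloud_search(store, token):
    """Provider side: match the opaque token against stored tags, never seeing plaintext."""
    return {fid: rec["ct"] for fid, rec in store.items() if token in rec["kw"]}

def data_verifier(keys, store):
    """Client side: recompute every MAC so any modification by the provider is detected."""
    return all(hmac.compare_digest(hmac.new(keys["mac"], rec["ct"], hashlib.sha256).digest(),
                                   rec["tag"]) for rec in store.values())

def decrypt(keys, ct):
    return keystream_xor(keys["enc"], ct[:16], ct[16:])

def demo():
    """Constructed sample: two files, one keyword search, one tampering attempt by the provider."""
    keys = derive_keys(secrets.token_bytes(32))
    store = {"f1": data_processor(keys, b"quarterly numbers", ["urgent", "finance"]),
             "f2": data_processor(keys, b"lunch menu", ["cafeteria"])}
    hits = cloud_search(store, token_generator(keys, "urgent"))
    plain = {fid: decrypt(keys, ct) for fid, ct in hits.items()}
    ok_before = data_verifier(keys, store)
    ct = store["f2"]["ct"]
    store["f2"]["ct"] = ct[:-1] + bytes([ct[-1] ^ 1])  # provider flips one ciphertext bit
    return plain, ok_before, data_verifier(keys, store)

if __name__ == "__main__":
    print(demo())
```

Because the tags are deterministic, the provider still learns which stored files share a keyword and which searches repeat; limiting exactly this kind of token leakage is what the searchable encryption schemes of Section 4 are designed for.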
2.2 An Enterprise Architecture
In the enterprise scenario we consider an enterprise MegaCorp that stores its data in the cloud; a business partner PartnerCorp with whom MegaCorp wants to share data; and a cloud storage provider that stores MegaCorp's data.
To use the service, MegaCorp deploys dedicated machines within its network. Depending on the particular scenario, the dedicated machines will run various core components. Since the components make use of a master secret key, it is important that they be adequately protected and, in particular, that the master key be kept secret from the cloud storage provider and PartnerCorp. If this is too costly in terms of resources or expertise, management of the dedicated machines (or specific components) can alternatively be outsourced to a trusted entity.
In the case of a medium-sized enterprise with enough resources and expertise, the dedicated machines include a data processor, a data verifier, a token generator and a credential generator.
Figure 1: (1) Alice's data processor prepares the data before sending it to the cloud; (2) Bob asks Alice for permission to search for a keyword; (3) Alice's token and credential generators send a token for the keyword and a credential back to Bob; (4) Bob sends the token to the cloud; (5) the cloud uses the token to find the appropriate encrypted documents and returns them to Bob. At any point in time, Alice's data verifier can verify the integrity of the data.
To begin, each MegaCorp and PartnerCorp employee receives a credential from the credential generator. The credentials will reflect some relevant information about the employees such as their organization or team or role. Whenever a MegaCorp employee generates data that needs to be stored in the cloud, it sends the data together with an associated decryption policy to the dedicated machine for processing. The decryption policy specifies the type of credentials necessary to decrypt the data (e.g., only members of a particular team). To retrieve data from the cloud (e.g., all files generated by a particular employee), an employee requests an appropriate token from the dedicated machine. The employee then sends the token to the cloud provider who uses it to find and return the appropriate encrypted files which the employee decrypts using his credentials. Whenever MegaCorp wants to verify the integrity of the data, the dedicated machine's data verifier is invoked. The latter uses the master secret key to interact with the storage provider and ascertain the integrity of the data.
Now consider the case where a PartnerCorp employee needs access to MegaCorp's data. The employee authenticates itself to MegaCorp's dedicated machine and sends it a keyword. The latter verifies that the particular search is allowed for this PartnerCorp employee. If so, the dedicated machine returns an appropriate token which the employee uses to recover the appropriate (encrypted) files from the service provider. It then uses its credentials to decrypt the file. This process is illustrated in Figure 2. Similarly to the consumer architecture, it is imperative that all components be either open-source or implemented by someone other than the cloud service provider.
In the case that MegaCorp is a very large organization and that the prospect of running and maintaining enough dedicated machines to process all employee data is infeasible, consider the following slight variation of the architecture described above. More precisely, in this case the dedicated machines only run data verifiers, token generators and credential generators while the data processing is distributed to each employee. This is illustrated in Figure 3. Note that in this scenario the data processors do not include the master secret key so the confidentiality of the data is not affected. The data processors, however, do include some keying material which, if revealed to the service provider, could enable it to compromise the confidentiality of the tokens it receives (i.e., it could learn which keywords are being searched for).

Figure 2: (1) Each MegaCorp and PartnerCorp employee receives a credential; (2) MegaCorp employees send their data to the dedicated machine; (3) the latter processes the data using the data processor before sending it to the cloud; (4) the PartnerCorp employee sends a keyword to MegaCorp's dedicated machine; (5) the dedicated machine returns a token; (6) the PartnerCorp employee sends the token to the cloud; (7) the cloud uses the token to find the appropriate encrypted documents and returns them to the employee. At any point in time, MegaCorp's data verifier can verify the integrity of MegaCorp's data.
3 Benefits of a Cryptographic Storage Service
The core properties of a cryptographic storage service are that (1) control of the data is maintained by the customer and (2) the security properties are derived from cryptography, as opposed to legal mechanisms, physical security or access control. Therefore, such a service provides several compelling advantages over other storage services based on public cloud infrastructures. In this section, we recall some of the main concerns with cloud computing as outlined in the Cloud Security Alliance's recent report [7] and highlight how the concerns can be mitigated by such an architecture.
Regulatory compliance. Most countries have laws in place that make organizations responsible for the protection of the data that is entrusted to them. This is particularly so for the case of personally identifiable information, medical records and financial records. And since organizations are often held responsible for the actions of their contractors, the use of a public cloud storage service can involve significant legal risks. In a cryptographic storage service, the data is encrypted on-premise by the data processor(s). This way, customers can be assured that the confidentiality of their data is preserved irrespective of the actions of the cloud storage provider. This greatly reduces any legal exposure for both the customer and the provider.

Figure 3: (1) Each MegaCorp and PartnerCorp employee receives a credential; (2) MegaCorp employees process their data using their own data processors and send them to the cloud; (3) the PartnerCorp employee sends a keyword to MegaCorp's dedicated machine; (4) the latter returns a token; (5) the employee sends the token to the cloud; (6) the cloud uses the token to find the appropriate encrypted documents and returns them to the employee. At any point in time, MegaCorp's data verifier can check the integrity of MegaCorp's data.
Geographic restrictions. Data that is stored in certain legal jurisdictions may be subject to regulations even if it was not collected there. Because it can be difficult to ascertain exactly where one's data is being stored once it is sent to the cloud (e.g., many service providers have data centers deployed throughout the world) some customers may be reluctant to use a public cloud for fear of increasing their legal exposure. In a cryptographic storage service data is only stored in encrypted form so any law that pertains to the stored data has little to no effect on the customer. This reduces legal exposure for the customer and allows the cloud storage provider to make optimal use of its storage infrastructure, thereby reducing costs.
Subpoenas. If an organization becomes the subject of an investigation, law enforcement agencies may request access to its data. If the data is stored in a public cloud, the request may be made to the cloud provider and the latter could even be prevented from notifying the customer. This can have severe consequences for customers. First, it preempts the customer from challenging the request. Second, it can lead to law enforcement having access to data from clients that are not under investigation (see, e.g., [34]). Such a scenario can occur due to the fact that service providers often store multiple customers' data on the same disks. In a cryptographic storage service, since data is stored in encrypted form and since the customer retains possession of all the keys, any request for the (unencrypted) data must be made directly to the customer.