Slide1
A PASS Scheme in Clouding Computing - Protecting Data Privacy by Authentication and Secret Sharing
Jyh-haw Yeh
Dept. of Computer Science
Boise State University
Slide2
Cloud Computing Introduction
Cloud provides services – software, platform, infrastructure.
Clients are charged on a per-use basis.
Capital Expenditure (CapExp) -> Operational Expenditure (OpExp)
Multi-tenancy: better resource utilization
Reliability: redundant sites
Security: better protection from outside attacks.
Security: big ? from malicious cloud employees.
Slide3
The Problem to Solve
Protecting clients’ data privacy from cloud employees.
Perfect solution: fully homomorphic encryption algorithm (FHEA). No practical algorithm available.
Without FHEA, 100% data privacy may not be possible.
Slide4
PASS Scheme
Protect data Privacy by Authentication and Secret Sharing (PASS).
Objective: minimize the risk of leaking private data.
Approach:
Encrypt data by a key shared with the client.
Do not store the key anywhere in the cloud.
Use secret sharing to authenticate users and recover the shared key.
Slide5
PASS Scheme
5 security components:
Public key cryptosystem (PKC): published by cloud.
Key agreement (KA): agree on a shared key and two secret shares at registration.
Key management (KM): keep a profile for each client.
Authentication (AUTH):
  client’s counter <-> server’s counter;
  computed hashed key from client’s request <-> stored hashed key
Access control (ACL): second defense for the time frame in which the secret key is in use for processing a query.
Slide6
PASS Scheme
Design guideline:
Ensure secret isolation (secret compartment).
Security has a higher priority than efficiency.
Prefer a design choice that benefits multiple security components.
Slide7
PASS Scheme - PKC
PASS chooses ECC over RSA.
ECC: a curve is chosen over a prime p, with a base point G of order n.
Cloud provider publishes the ECC domain parameter <p, a, b, G, n>.
Each cloud entity (server, clients) sets up its own public-private key pair.
Server: public , private , where
Client i: public , private , where
Slide8
PASS Scheme – Key Agreement
Each client i and the cloud server s agree on a data encryption key and two secret shares (known to the client) and (known to the server).
The secret shares are used to recover the encryption key.
Slide9
PASS Scheme – Key Agreement
Encryption key agreement:
Client i chooses a random number and then sends to the server s
Server s chooses a random number and then sends to the client i
Both compute a point
Agree on an encryption key : the x-coordinate of
Slide10
PASS Scheme – Key Agreement
Secret shares agreement:
Both compute a point and let be the x-coordinate of the point
Both construct the same polynomial
With both secret shares, the polynomial and then the secret key can be recovered
Slide11
PASS Scheme – Key Management
The cloud keeps a profile for each client i
Hashed key and server request counter for authentication
Security label for access control
Client ID
Security Label
Slide12
PASS Scheme – Client Authentication
Client keeps his own request counter
Client -> Server:
Server decrypts and gets both and
Client authentication succeeds if both
  the stored hashed key matches the hashed key derived from secret shares
  the server and client request counters match
Slide13
PASS Scheme – Access Control
Security label: (security level, {categories})
Security level: secret, non-secret
Each client i is a category
All query servers/processes are in category “query-system” {all }
Security label for client i’s profile: (secret, { })
Slide14
PASS Scheme – Integrating Five Components
Steps 1-4 are for initial client registration: key agreement and data encryption
Steps 5-12 are for query processing
The diagram at the following link shows these steps.
http://cs.boisestate.edu/~jhyeh/pass_diagram.pdf
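
An added sketch, not part of the original slides, of the check on the Client Authentication slide: the server keeps only a hashed key, a request counter and its own share, and recovers the key per request from both shares. Assumptions: a generic degree-1 polynomial over a prime field stands in for the slides' polynomial, SHA-256 is the hash, the server share is stored with the profile, and the public-key encryption of the request is omitted; all names are hypothetical.

```python
import hashlib
import secrets

# Assumption: a prime field replaces the scheme's own arithmetic; the slides'
# polynomial and ECC domain parameters are not reproduced here.
P = 2**127 - 1  # Mersenne prime, constructed for this demo


def make_shares(key):
    """Registration: hide key as f(0) of f(x) = key + a1*x mod P."""
    a1 = secrets.randbelow(P - 1) + 1  # random non-zero slope
    return (1, (key + a1) % P), (2, (key + 2 * a1) % P)  # client, server


def recover_key(s1, s2):
    """Lagrange interpolation at x = 0 through two share points."""
    (x1, y1), (x2, y2) = s1, s2
    return (y1 * x2 - y2 * x1) * pow(x2 - x1, -1, P) % P


def hashed(key):
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()


class Profile:
    """Server-side client profile. The key itself is never stored."""

    def __init__(self, key, server_share):
        self.hashed_key = hashed(key)
        self.counter = 0
        self.server_share = server_share  # alone, it reveals nothing about key


def authenticate(profile, client_share, client_counter):
    """Return the recovered key if both checks pass, else None."""
    if client_counter != profile.counter:
        return None  # stale or replayed request
    key = recover_key(client_share, profile.server_share)
    if not secrets.compare_digest(hashed(key), profile.hashed_key):
        return None  # wrong share: recovered value is not the agreed key
    profile.counter += 1  # client increments its own counter in step
    return key
```

The key exists on the server only for the lifetime of the returned value, which is the time frame the access-control component is meant to cover.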