Research On Key Issues Of Secure Data Outsourcing

The cloud storage service is one of the most important services in cloud computing.It enables users to outsource their data to a cloud server and access the data remotely over the Internet.Such a service gives users an efficient and flexible way to manage their data without deploying and maintaining local storage devices and services.Despite the appealing advantages of data outsourcing,it also suffers from various security threats towards the outsourced data as well as users'privacy.Specifically,since users do not physically own their data once outsourcing the data to cloud servers,they are always worried about the cloud storage reliability,i.e.,whether the outsourced data is well maintained on cloud servers.In addition,as the outsourced data may be very sensitive and should be prevented for any leakage,the data could be encrypted before outsourcing.However,conventional encryption algorithms can guarantee the confidentiality of the outsourced data,but they neither enable a cloud server to reduce storage costs from deduplication across its users,nor allow users to retrieve the outsourced data using keywords.Furthermore,data outsourcing brings security and privacy issues about digital investigations into the outsourced data.In this dissertation,we investigate data security in cloud storage systems,and the main contributions are four-folded as follows.1.Research on public verification of data integrity for cloud storage(1)We propose a public verification scheme for the cloud storage using indistinguishability obfuscation,dubbed EPVDI,which requires a lightweight computation on the auditor.We extend EPVDI to support batch verification,where multiple verification tasks from different users can be performed efficiently by the auditor.Compared with existing works,EPVDI significantly reduces the auditor's verification overhead.(2)We propose a certificateless public verification scheme,dubbed CPVPA,by using blockchain technology to resist malicious and procrastinating auditors without introducing any trusted entity.In CPVPA,an auditor does not need to maintain users'certificates for data integrity verification,which frees CPVPA from the certificate management problem.2.Research on encrypted data deduplication for cloud storage and its applications(1)We propose an encrypted data deduplication scheme for cloud storage with resistance against brute-force attacks and compromised key servers,dubbed DECKS,where the security protection of DECKS is periodically renewed by replacing exiting key servers by newly employed ones.It frees DECKS from the reliance on a specific group of key servers in a long period of time.The substitution of key servers would not impact the deduplication on the same file outsourced in different periods.(2)We analyze the inherent characteristic of electronic medical records(EMRs)from actual electronic health(eHealth)systems,where we found that:?.EMRs in actual eHealth systems are inherent low-entropy;?.Performing deduplication on EMRs can reduce storage costs by more than 66%;?.Multiple patients would generate large amounts of duplicate EMRs,and cross-patient duplicate EMRs would be generated numerously only in the case that the patients consult doctors in the same department.With the integration of our analysis results and DECKS,we then propose an efficient and secure encrypted EMRs deduplication scheme for cloud-assisted eHealth systems,dubbed HealthDep.3.Research on public-key encryption with keyword search for cloud storage(1)We propose a secure and efficient public-key encryption with keyword search(short for PEKS)scheme,dubbed SEPSE,to thwart off-line keyword guessing attacks(short for KGA)for cloud storage,where multiple key servers are introduced to assist users in encrypting keywords and generating trapdoors(i.e.,search tokens)in an oblivious and threshold way.SEPSE supports key renewal to periodically replace an existing key with a new one on each key server to thwart the key compromise.(2)We present a blockchain-assisted rate-limiting mechanism and integrate it into SEPSE to resist online KGA,where each request of servers-derived keyword made by the user is integrated into a transaction on a public blockchain,the key servers are able to check the number of servers-derived keyword requests of a user by checking the number of transactions created by her/him,and stop responding after a bound is reached.The proposed mechanism does not require the synchronization between key servers,and thereby is highly efficient in terms of communication costs.4.Research on secure digital investigations for cloud storage(1)We formalize a model of data provenance,where the lifecycle of outsourced data documents is formally formulated.We propose a blockchain-based efficient and secure data provenance scheme for cloud storage,dubbed ESP to resist provenance record forgery,removal,modification attacks.The security of ESP is guaranteed in the case that the identity manager is compromised,even if the malicious cloud server colludes with it.(2)We propose Chronos~+,an accurate blockchain-based time-stamping scheme for outsourced data,where both the storage and time-stamping services are provided by cloud service providers.Even if an adversary colludes with the cloud service provider,he cannot back-date/forward-date the outsourced files.Chronos~+makes a file's timestamp corresponding to a time interval formed by the earliest and latest creation times which are derived from the heights of the corresponding blocks on a public blockchain.Due to blockchains'chain growth property,such a height-derived timestamp can ensure that the time intervals'range is within a few minutes so as to guarantee the accuracy.