Proofs of Ownership on Encrypted Cloud Data via Intel SGX

Part of the Lecture Notes in Computer Science book series (LNCS, volume 12418)

Abstract

To deal with the surging volume of outsourced data, cloud storage providers (CSPs) today prefer to use deduplication: if multiple copies of a file are found across cloud users, only one unique copy is stored. A broadly used deduplication technique is client-side deduplication, in which the client first checks with the cloud server whether a file has already been stored by sending a short checksum; if the file is already stored, the client does not upload it again, and the cloud server simply adds the client to the owner list of the file. This can significantly save both storage and bandwidth, but it introduces a new attack vector: a malicious client that obtains the checksum of a victim file can simply claim ownership of the file. Proofs of ownership (PoWs) were thus investigated to allow the cloud server to check whether a client really possesses the file. Traditional PoWs rely on the assumption that the cloud server is fully trusted and has access to the original file content. In practice, however, the cloud server is not fully trusted, and data owners may store their data in encrypted form in the cloud, which hinders the execution of traditional PoWs.

In this work, we make it possible to execute PoWs over encrypted cloud data by leveraging Intel SGX, a security feature widely available in the processors of today’s cloud servers. Using Intel SGX, we create a trusted execution environment in the cloud server and execute the critical component of the PoW verification process inside it, with confidentiality and integrity assurance. Security analysis and experimental evaluation show that our design allows PoWs over encrypted data with modest additional overhead.
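The checksum-only ownership claim described in the abstract, next to a simplified challenge-response check, as an added example that is not code from the paper and does not model its SGX design. All names (`DedupServer`, `claim_by_checksum`, `prove`, the 4096-byte block size) are hypothetical, and the server here reads the plaintext file, which is exactly the assumption the abstract says breaks down once the stored data is encrypted.

```python
import hashlib, hmac, secrets

BLOCK = 4096  # assumed block size for the spot check

def checksum(data):
    return hashlib.sha256(data).hexdigest()

def prove(data, nonce, indices):
    # Client side: hash the fresh nonce together with the challenged blocks.
    h = hashlib.sha256(nonce)
    for i in indices:
        h.update(data[i * BLOCK:(i + 1) * BLOCK])
    return h.digest()

class DedupServer:
    """Toy server that sees plaintext, as traditional PoWs assume."""
    def __init__(self):
        self.files, self.owners, self.pending = {}, {}, {}

    def upload(self, client, data):
        tag = checksum(data)
        self.files[tag] = data
        self.owners.setdefault(tag, set()).add(client)
        return tag

    def claim_by_checksum(self, client, tag):
        # Weak: knowing the short checksum is treated as owning the file.
        if tag not in self.files:
            return False
        self.owners[tag].add(client)
        return True

    def challenge(self, client, tag, k=8):
        # Fresh nonce and random block indices, so answers cannot be replayed.
        nblocks = max(1, -(-len(self.files[tag]) // BLOCK))
        nonce = secrets.token_bytes(16)
        indices = [secrets.randbelow(nblocks) for _ in range(k)]
        self.pending[(client, tag)] = (nonce, indices)
        return nonce, indices

    def verify(self, client, tag, response):
        # One-shot: the challenge is consumed even if the answer is wrong.
        pending = self.pending.pop((client, tag), None)
        ok = pending is not None and hmac.compare_digest(
            prove(self.files[tag], *pending), response)
        if ok:
            self.owners[tag].add(client)
        return ok
```

A spot check over a few blocks only bounds the chance that a client holding part of the file passes; it is a stand-in for a full PoW scheme, not a replacement for one.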

Keywords

  • Client-side deduplication
  • Cloud storage
  • Proofs of ownership
  • Intel SGX

Notes

  1. Note that for ownership proving, we need to ensure that the prover really “owns” the original file.

  2. For simplicity, we use the term “client” to refer to peers interacting with the cloud server, including both the honest and the malicious data owner.

  3. Currently, the Intel Attestation Service only supports the value of zero for the extended GID.

  4. Note that the focus of this work is not the security of SGX itself, as we know that various new side-channel attacks on the SGX as well as the corresponding defenses have been actively investigated in the literature. Here we simply use SGX as a black box which is assumed to be secure.

Author information

Corresponding author

Correspondence to Bo Chen.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

You, W., Chen, B. (2020). Proofs of Ownership on Encrypted Cloud Data via Intel SGX. In: , et al. Applied Cryptography and Network Security Workshops. ACNS 2020. Lecture Notes in Computer Science, vol 12418. Springer, Cham. https://doi.org/10.1007/978-3-030-61638-0_22

  • DOI: https://doi.org/10.1007/978-3-030-61638-0_22

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61637-3

  • Online ISBN: 978-3-030-61638-0

  • eBook Packages: Computer Science, Computer Science (R0)