CryptDB: Protecting confidentiality with encrypted query processing
In SOSP, 2011
Cited by 124 (8 self)
Abstract: Online applications are vulnerable to theft of sensitive information because adversaries can exploit software bugs to gain access to private data, and because curious or malicious administrators may capture and leak data. CryptDB is a system that provides practical and provable confidentiality in the face of these attacks for applications backed by SQL databases. It works by executing SQL queries over encrypted data using a collection of efficient SQL-aware encryption schemes. CryptDB can also chain encryption keys to user passwords, so that a data item can be decrypted only by using the password of one of the users with access to that data. As a result, a database administrator never gets access to decrypted data, and even if all servers are compromised, an adversary cannot decrypt the data of any user who is not logged in. An analysis of a trace of 126 million SQL queries from a production MySQL server shows that CryptDB can support operations over encrypted data for 99.5% of the 128,840 columns seen in the trace. Our evaluation shows that CryptDB has low overhead, reducing throughput by 14.5% for phpBB, a web forum application, and by 26% for queries from TPC-C, compared to unmodified MySQL. Chaining encryption keys to user passwords requires 11–13 unique schema annotations to secure more than 20 sensitive fields and 2–7 lines of source code changes for three multi-user web applications.
Longitude: A Privacy-Preserving Location Sharing Protocol for Mobile Applications
In: Proc. of IFIPTM 2011, IFIP AICT 358, 2011
Cited by 3 (0 self)
Privacy and integrity preserving multi-dimensional range queries for cloud computing
In IEEE Networking conference, 2014
Cited by 3 (0 self)
Abstract: In cloud computing, a cloud provider hosts the data of an organization and replies query results to the customers of the organization. Because the organization's data are confidential and the cloud provider cannot be fully trusted, some schemes have been proposed to preserve data privacy and query result integrity. However, these schemes either include false positives in query results, or are too expensive. In this paper, we propose an effective and efficient privacy and integrity preserving scheme for multi-dimensional range queries. To preserve privacy, we propose an order-preserving hash-based function to encode both data and queries so that a cloud provider can correctly process encoded queries over encoded data without knowing their values. To preserve integrity, we propose a new data structure called local bit matrices that allows a customer to verify the integrity of a query result with a high probability. Experimental results show that our scheme can efficiently process a dataset with one million data items.
The Blind Enforcer: On Fine-Grained Access Control Enforcement on Untrusted Clouds
Abstract: Migration of one's computing infrastructure to the cloud is gathering momentum with the emergence of relatively mature cloud computing technologies. As data and computation are being outsourced, concerns over data security (such as confidentiality, privacy and integrity) remain one of the greatest hurdles to overcome. In the meanwhile, the increasing need for sharing data between or within cloud-based systems (for instance, sharing between enterprise systems or users of a social network application) demands even more care in ensuring data security. In this paper, we investigate the challenges in outsourcing access control of user data to the cloud. We identify what constitutes a fine-grained cloud-based access control system and present the design space along with a discussion on the current state of the art. We then describe a system which extends an Attribute-Based Encryption scheme to achieve more fine-grainedness as compared to existing approaches. Our system not only protects data from both the cloud service provider and unauthorized access from other users, it also moves the heavy computations towards the cloud, taking advantage of the latter's relatively unbounded resources. Additionally, we integrate an XML-based framework (XACML) for flexible, high-level policy management. Finally, we discuss some open problems, solving which would lead to a further robust and flexible cloud-based access control system.
Reconciling User Privacy and Implicit Authentication for Mobile Devices
2015
Abstract: In an implicit authentication system, a user profile is used as an additional factor to strengthen the authentication of mobile users. The profile consists of features that are constructed using the history of user actions on her mobile device over time. The profile is stored on the server and is used to authenticate an access request originated from the device at a later time. An access request will include a vector of recent measurements of the features on the device, that will be subsequently matched against the features stored at the server, to accept or reject the request. The features however include private information such as user location or web sites that have been visited. We propose a privacy-preserving implicit authentication system that achieves implicit authentication without revealing information about the usage profiles of the users to the server. We propose an architecture, give a formal security model and a construction with provable security in two settings where: (i) the device follows the protocol, and (ii) the device is captured and behaves maliciously.
Stream on the Sky: Outsourcing Access Control Enforcement for Stream Data to the Cloud
Abstract: There is an increasing trend for businesses to migrate their systems towards the cloud. Security concerns that arise when outsourcing data and computation to the cloud include data confidentiality and privacy. Given that a tremendous amount of data is being generated every day from a plethora of devices equipped with sensing capabilities, we focus on the problem of access controls over live streams of data based on triggers or sliding windows, which is a distinct and more challenging problem than access control over archival data. Specifically, we investigate secure mechanisms for outsourcing access control enforcement for stream data to the cloud. We devise a system that allows data owners to specify fine-grained policies associated with their data streams, then to encrypt the streams and relay them to the cloud for live processing and storage for future use. The access control policies are enforced by the cloud, without the latter learning about the data, while ensuring that unauthorized access is not feasible. To realize these ends, we employ a novel cryptographic primitive, namely proxy-based attribute-based encryption, which not only provides security but also allows the cloud to perform expensive computations on behalf of the users. Our approach is holistic, in that these controls are integrated with an XML-based framework (XACML) for high-level management of policies. Experiments with our prototype demonstrate the feasibility of such mechanisms, and early evaluations suggest graceful scalability with increasing numbers of policies, data streams and users.
Streamforce: Outsourcing Access Control Enforcement for Stream Data to the Clouds
Abstract: As a tremendous amount of data is being generated every day from human activity and from devices equipped with sensing capabilities, cloud computing emerges as a scalable and cost-effective platform to store and manage the data. While the benefits of cloud computing are numerous, security concerns arising when data and computation are outsourced to a third party still hinder the complete movement to the cloud. In this paper, we focus on the problem of data privacy on the cloud, particularly on access controls over stream data. The nature of stream data and the complexity of sharing data make access control a more challenging issue than in traditional archival databases. We present Streamforce, a system allowing data owners to securely outsource their data to the cloud. The owner specifies fine-grained policies which are enforced by the cloud. The latter performs most of the heavy computations, while learning nothing about the data content. To this end, we employ a number of encryption schemes, including deterministic encryption, proxy-based attribute-based encryption and sliding-window encryption. In Streamforce, access control policies are modeled as secure continuous queries, which entails minimal changes to existing stream processing engines, and allows for easy expression of a wide range of policies. In particular, Streamforce comes with a number of secure query operators including Map, Filter, Join and Aggregate. Finally, we implement Streamforce over an open-source stream processing engine (Esper) and evaluate its performance on a cloud platform. The results demonstrate practical performance for many real-world applications, and although the security overhead is visible, Streamforce is highly scalable.
CloudMine: Multi-Party Privacy-Preserving Data Analytics Service
Abstract: An increasing number of businesses are replacing their data storage and computation infrastructure with cloud services. Likewise, there is an increased emphasis on performing analytics based on multiple datasets obtained from different data sources. While ensuring security of data and computation outsourced to a third party cloud is in itself challenging, supporting analytics using data distributed across multiple, independent clouds is even further from trivial. In this paper we present CloudMine, a cloud-based service which allows multiple data owners to perform privacy-preserved computation over the joint data using their clouds as delegates. CloudMine protects data privacy with respect to semi-honest data owners and semi-honest clouds. It furthermore ensures the privacy of the computation outputs from the curious clouds. It allows data owners to reliably detect if their cloud delegates have been lazy when carrying out the delegated computation. CloudMine can run as a centralized service on a single cloud, or as a distributed service over multiple, independent clouds. CloudMine supports a set of basic computations that can be used to construct a variety of highly complex, distributed privacy-preserving data analytics. We demonstrate how a simple instance of CloudMine (secure sum service) is used to implement three classical data mining tasks (classification, association rule mining and clustering) in a cloud environment. We experiment with a prototype of the service, the results of which suggest its practicality for supporting privacy-preserving data analytics as a (multi) cloud-based service.