TY - GEN
T1 - Proofs of data residency
T2 - 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017
AU - Dang, Hung
AU - Purwanto, Erick
AU - Chang, Ee Chien
N1 - Publisher Copyright:
© 2017 ACM.
PY - 2017/4/2
Y1 - 2017/4/2
N2 - While cloud storage services offer manifold benefits such as cost-effectiveness or elasticity, there also exist various security and privacy concerns. Among such concerns, we pay our primary attention to data residency { a notion that requires outsourced data to be retrievable in its entirety from local drives of a storage server in-question. We formulate such notion under a security model called Proofs of Data Residency (PoDR). PoDR can be employed to check whether the data are replicated across different storage servers, or combined with storage server geolocation to \locate" the data in the cloud. We make key observations that the data residency checking protocol should exclude all server-side computation and that each challenge should ask for no more than a single atomic fetching operation. We illustrate challenges and subtleties in protocol design by showing potential attacks to naive constructions. Next, we present a secure PoDR scheme structured as a timed challenge-response protocol. Two implementation variants of the proposed solution, namely N-ResCheck and E-ResCheck, describe an interesting use-case of trusted computing, in particular the use of Intel SGX, in cryptographic timed challenge-response protocols whereby having the verifier co-locating with the prover offers security enhancement. Finally, we conduct extensive experiments to exhibit potential attacks to insecure constructions and validate the performance as well as the security of our solution.
AB - While cloud storage services offer manifold benefits such as cost-effectiveness or elasticity, there also exist various security and privacy concerns. Among such concerns, we pay our primary attention to data residency { a notion that requires outsourced data to be retrievable in its entirety from local drives of a storage server in-question. We formulate such notion under a security model called Proofs of Data Residency (PoDR). PoDR can be employed to check whether the data are replicated across different storage servers, or combined with storage server geolocation to \locate" the data in the cloud. We make key observations that the data residency checking protocol should exclude all server-side computation and that each challenge should ask for no more than a single atomic fetching operation. We illustrate challenges and subtleties in protocol design by showing potential attacks to naive constructions. Next, we present a secure PoDR scheme structured as a timed challenge-response protocol. Two implementation variants of the proposed solution, namely N-ResCheck and E-ResCheck, describe an interesting use-case of trusted computing, in particular the use of Intel SGX, in cryptographic timed challenge-response protocols whereby having the verifier co-locating with the prover offers security enhancement. Finally, we conduct extensive experiments to exhibit potential attacks to insecure constructions and validate the performance as well as the security of our solution.
UR - http://www.scopus.com/inward/record.url?scp=85021973624&partnerID=8YFLogxK
U2 - 10.1145/3052973.3053016
DO - 10.1145/3052973.3053016
M3 - Conference Proceeding
AN - SCOPUS:85021973624
T3 - ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security
SP - 408
EP - 422
BT - ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security
PB - Association for Computing Machinery, Inc
Y2 - 2 April 2017 through 6 April 2017
ER -