DOI: 10.1145/3423211.3425667
research-article

Practical Active Revocation

Published: 11 December 2020

Abstract

We propose Knob, a practical active revocation scheme that efficiently revokes users' access to encrypted data banks stored in public clouds. Knob leverages Trusted Execution Environments and All-or-Nothing Data Transforms to re-encrypt only small portions of the content directly in the cloud, using a scalable swarm of re-encryption workers. It prevents malicious users from predicting which portions of the files will be re-encrypted upon a revocation, effectively disabling pre-provisioning attacks. Our evaluation using industry workloads shows that Knob outperforms active revocation using full re-encryption by up to 3 orders of magnitude while being on average 3 to 7 times faster than state-of-the-art partial re-encryption.


Cited By

  • (2024) Mix&Slice for Efficient Access Revocation on Outsourced Data. IEEE Transactions on Dependable and Secure Computing 21:3 (1390-1405). DOI: 10.1109/TDSC.2023.3280590. Online publication date: May-2024
  • (2023) Intel Software Guard Extensions Applications: A Survey. ACM Computing Surveys 55:14s (1-38). DOI: 10.1145/3593021. Online publication date: 17-Jul-2023
  • (2021) PProx. Proceedings of the 22nd International Middleware Conference (14-26). DOI: 10.1145/3464298.3476130. Online publication date: 6-Dec-2021

Published In

Middleware '20: Proceedings of the 21st International Middleware Conference
December 2020
455 pages
ISBN:9781450381536
DOI:10.1145/3423211
Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Access Control
  2. Cloud Storage
  3. Revocation

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • BPIFRANCE

Conference

Middleware '20: 21st International Middleware Conference
December 7 - 11, 2020
Delft, Netherlands

Acceptance Rates

Overall Acceptance Rate 203 of 948 submissions, 21%
