Towards Secure and Effective Utilization over Encrypted Cloud Data 多媒體網路安全實驗室

advertisement

多媒體網路安全實驗室

Towards Secure and

Effective Utilization over

Encrypted Cloud Data

報告人 : 葉瑞群

日期 :2012/05/09

出處 :IEEE Transactions on Knowledge and Data Engineering

多媒體網路安全實驗室

Outline

1

2

5

INTRODUCTION

SERVICE ARCHITECTURE

BUILDING BLOCKS

TOWARDS SECURE AND

EFFECTIVE CLOUD DATA UTILIZATION

INTRODUCTION

2

INTRODUCTION(1/5)

多媒體網路安全實驗室

Cloud computing enables an economic paradigm of data service outsourcing, where individuals and enterprise customers can avoid committing large capital outlays in the purchase and management of both software and hardware and the operational overhead therein.

Despite the tremendous benefits, outsourcing data management to the commercial public cloud is also depriving customers’ direct control over the systems that manage their data, raising security and privacy as the primary obstacles to the adoption of cloud. .

3

INTRODUCTION(2/5)

多媒體網路安全實驗室

 protect data privacy and combat unsolicited accesses in cloud and beyond, sensitive data may have to be encrypted by data owners before outsourcing this, however, obsoletes the traditional data utilization service based on plaintext keyword search.

 (e.g. emails, personal health records, photo albums, tax documents, financial transactions,etc.)

4

INTRODUCTION(3/5)

多媒體網路安全實驗室

 enabling fuzzy keyword search service that aims at accommodating various typos and representation inconsistencies in different user searching inputs is of crucial importance for the high system usability and overall user search experience.

5

INTRODUCTION(4/5)

多媒體網路安全實驗室

6

INTRODUCTION(5/5)

多媒體網路安全實驗室

 However, directly deploying these techniques for secure large-scale cloud data search services would not be necessarily adequate, as they are developed as crypto primitives without considering high service-level requirements and in particular the fuzzy search functionality at all (detailed explanation in Section IV).

 in this paper we propose to explore fuzzy keyword search for encrypted cloud data utilization service.

7

多媒體網路安全實驗室

SERVICE ARCHITECTURE(1/2)

 Assume data owner has a collection of n data files C =

(F

1

, F

2

,….., F

N

) to be stored in the cloud server, where a predefined set of distinct keywords in C is denoted as W

= (W

1

,W

2

,…..,W p

).

 To keep sensitive data confidential from unauthorized entities, cryptographic methods have to be applied to the data collection C by the owner before outsourcing.

8

多媒體網路安全實驗室

SERVICE ARCHITECTURE(2/2)

 data owner will distribute search request (trapdoor) generation keys sk to authorized users.

 To securely search the file collection for a given keyword w, an authorized user uses the trapdoor generation key sk to generate a search request Tw = f(sk,w) via some one-way function f(.)

 which then performs the search over the data file collection C without decryption and sends back all encrypted files containing the specific keyword w, denoted as FIDw.

9

多媒體網路安全實驗室

BUILDING BLOCKS(1/2)

 1.Symmetric Searchable Encryption: Symmetric

Searchable Encryption (SSE) can be properly utilized in the application setting where the entity that generates the data and the ones that search over it share the same secret key(s).

 2. Asymmetric Searchable Encryption: Asymmetric

(public key based) Searchable Encryption is appropriate for application setting where the entity that generates the data is different from the one that searches over it.

Boneh et al.

10

多媒體網路安全實驗室

BUILDING BLOCKS(2/2)

 The edit distance ed(w

1

,w

2

) between two words w1 and w2 is the number of operations required to transform one of them into the other.

 Using edit distance, the fuzzy search problem can be formulated as follows: given a collection of n encrypted data files C = (F

1 keywords W = (w

, F

2

, … , F

N

), a predefined set of distinct

1

,w

2

,…,w p

) a word w in the searching input and a specified edit distance d, the execution of fuzzy keyword search should return a set of files possibly containing the word w, denoted as FIDw: if w = w i

∈ W, return {FIDw}; otherwise, if w ∉ W, return {FIDw}, where ed(w,w i

) <= d.

11

多媒體網路安全實驗室

Fuzzy Keyword Search Over Encrypted

Cloud Data

 The following 26 listed variants after only one substitution operation on the first character of keyword

CASTLE: {AASTLE, BASTLE, DASTLE ,…, YASTLE,

ZASTLE} The total number of variants of such a set would be 13 * 26 + 1. For the general case of S wi

, d

, its resulting set can be too huge for practical system usability.

12

多媒體網路安全實驗室

Fuzzy Keyword Search Over Encrypted

Cloud Data

 we propose to consider only the positions of the three primitive edit operations. That is, we can use a wildcard

‘*’ to denote all three operations of character insertion, deletion and substitution at any position, making a much smaller fuzzy keyword set.

 For example, for the keyword CASTLE with the preset edit distance 1, its fuzzy keyword set can be constructed as S

CASTLE

,

1

= {CASTLE, *CASTLE, *ASTLE, C*ASTLE,

C*STLE, …, CASTL*E, CASTL*, CASTLE*}.

13

多媒體網路安全實驗室

Fuzzy Keyword Search Over Encrypted

Cloud Data

 The total number of variants after one operation on word

CASTLE can now be reduced to only 13 + 1, far less than the exhaustive enumeration approach. Generally, for a given keyword wi with length L, the size of S wi

,

1 will be only 2L + 1 + 1, opposing to (2L+1)26+1 obtained in the straightforward approach. And, the larger the pre-set edit distance d is, the more storage overhead can be reduced.

 Before:13*26+1

 After(2L+1)*26+1

14

多媒體網路安全實驗室

Support Similarity Search

Our preliminary analysis [20] shows that for correctness of the fuzzy search mechanism, search request for keyword w is now a trapdoor set {T w’

} w’ ∈ {Sw,0,Sw,1,…,Sw,d}

, instead of a single trapdoor as in the traditional approach.

Support Similarity Search

 given n encrypted data files C = (F

1

, F

2

, … , F

N predefined set of distinct keywords W = (w

1

,w

2

), a

,;…,w p

), a word w in the searching input and a specified edit distance d, the execution of similarity search should return a set of files {FIDw}, where ed(w,w i

) <= d.

15

多媒體網路安全實驗室

CONCLUDING REMARKS

In this article, we focused on the utilization of encrypted cloud data with practical system usability and high-level user searching experience. We investigated these challenges,defined the problem of fuzzy keyword search over encrypted cloud data, and further studied its natural support of similarity search in information retrieval. We outlined the building blocks for these new search functionalities, and described several future research directions, which should be explored for such an encrypted cloud data service system to become a reality.

16

多媒體網路安全實驗室

Download