Skip to main content
SpringerLink
Log in

Trusted Client-Side Encryption for Cloud Storage

  • Conference paper
  • First Online:
Cloud Computing and Services Science (CLOSER 2020)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1399))

Included in the following conference series:

Abstract

Nowadays, users are delegating the data storage to cloud services, due to the virtually unlimited storage, change history, broadband connection, and high availability. Despite the benefits and facilities, it is necessary to pay extra attention to data confidentiality and users’ privacy, as numerous threats aim to collect such information in an unauthorized manner. An approach to ensure data confidentiality is the use of client-side encryption, with the user taking control of the encryption keys and defining which files or data will be encrypted. This scheme is already explored by many applications on personal computers and also as a native feature in some smartphone operating systems, but are still susceptible to certain types of attacks. Aiming to improve the security of the client-side encryption approach, we propose to apply the Intel Software Guard Extensions (SGX) to perform data sealing, creating a secure vault that can be synchronized with any cloud storage service, while relying on the SGX to protect the key handling. To validate our proposal, we build a proof of concept based on the Cryptomator application, an open-source client-side encryption tool specially designed for cloud storage services. Our results show an overall performance better than the original Cryptomator application, with stronger security premises. Thus, our solution proved to be feasible and can be expanded and refined for practical use and integration with cloud synchronization services.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Data breach report: cloud storage exposes 270,000 users’ private information (2020). https://www.securitymagazine.com/articles/91985-data-breach-report-cloud-storage-exposes-users-private-information

  2. Ahmad, A., Kim, K., Sarfaraz, M.I., Lee, B.: OBLIVIATE: a data oblivious file system for Intel SGX. In: Proceedings of the 25th Network and Distributed System Security Symposium. Internet Society, San Diego (2018). https://doi.org/10.14722/ndss.2018.23284

  3. Ahn, J., et al.: DiskShield: a data tamper-resistant storage for Intel SGX. In: Proceedings of the 15th Asia Conference on Computer and Communications Security. ACM, Taipei (2020). https://doi.org/10.1145/3320269.3384717

  4. Anati, I., Gueron, S., Johnson, S., Scarlata, V.: Innovative technology for CPU based attestation and sealing. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy. ACM, Tel-Aviv (2013)

    Google Scholar 

  5. Aumasson, J.P., Merino, L.: SGX secure enclaves in practice: security and crypto review. In: Proceedings of the Black Hat. Black Hat, Las Vegas (2016)

    Google Scholar 

  6. Babitha, M., Babu, K.R.R.: Secure cloud storage using AES encryption. In: Proceedings of the International Conference on Automatic Control and Dynamic Optimization Techniques, pp. 859–864. IEEE, Pune (2016). https://doi.org/10.1109/ICACDOT.2016.7877709

  7. Branco Jr., E.C., Monteiro, J.M., Reis, R., Machado, J.C.: A flexible mechanism for data confidentiality in cloud database scenarios. In: Proceedings of the 18th International Conference on Enterprise Information Systems, pp. 359–368. SciTePress, Rome (2016). https://doi.org/10.5220/0005872503590368

  8. Branscombe, M.: Has Microsoft been looking at user files to find the 75tb OneDrive hoarders? (2015). https://www.techradar.com/news/internet/cloud-services/has-microsoft-been-looking-at-user-files-to-find-the-75tb-onedrive-hoarders--1308186

  9. Brasser, F., Müller, U., Dmitrienko, A., Kostiainen, K., Capkun, S., Sadeghi, A.R.: Software grand exposure: SGX cache attacks are practical. In: Proceedings of the 11th USENIX Workshop on Offensive Technologies. USENIX, Vancouver (2017). https://www.usenix.org/conference/woot17/workshop-program/presentation/brasser

  10. Broz, M.: Linux Unified Key Setup (2020). https://gitlab.com/cryptsetup/cryptsetup/wikis/home

  11. Burihabwa, D., Felber, P., Mercier, H., Schiavoni, V.: SGX-FS: hardening a file system in user-space with Intel SGX. In: Proceedings of the 10th IEEE International Conference on Cloud Computing Technology and Science. IEEE, Nicosia (2018). https://doi.org/10.1109/CloudCom2018.2018.00027

  12. CentOS: The CentOS Project (2020). https://www.centos.org/

  13. Chen, G., et al.: Racing in hyperspace: closing hyper-threading side channels on SGX with contrived data races. In: Proceedings of the 39th IEEE Symposium on Security and Privacy. IEEE, San Francisco (2018). https://doi.org/10.1109/SP.2018.00024

  14. Chen, S., Zhang, X., Reiter, M.K., Zhang, Y.: Detecting privileged side-channel attacks in shielded execution with Déjà Vu. In: Proceedings of the ACM on Asia Conference on Computer and Communications Security, pp. 7–18. ACM, Abu Dhabi (2017). https://doi.org/10.1145/3052973.3053007

  15. Clover, J.: Hackers using iCloud’s find my iPhone feature to remotely lock macs and demand ransom payments (2017). https://www.macrumors.com/2017/09/20/hackers-find-my-iphone-remote-mac-lock/

  16. Condé, R.C.R., Maziero, C.A., Will, N.C.: Using Intel SGX to protect authentication credentials in an untrusted operating system. In: Proceedings of the 23rd Symposium on Computers and Communications. IEEE, Natal (2018). https://doi.org/10.1109/ISCC.2018.8538470

  17. Contiu, S., Pires, R., Vaucher, S., Pasin, M., Felber, P., Réveillère, L.: IBBE-SGX: cryptographic group access control using trusted execution environments. In: Proceedings of the 48th Annual International Conference on Dependable Systems and Networks, pp. 207–218. IEEE, Luxembourg City (2018). https://doi.org/10.1109/DSN.2018.00032

  18. Contiu, S., Vaucher, S., Pires, R., Pasin, M., Felber, P., Réveillère, L.: Anonymous and confidential file sharing over untrusted clouds. In: Proceedings of the 38th Symposium on Reliable Distributed Systems, pp. 21–2110. IEEE, Lyon (2019). https://doi.org/10.1109/SRDS47363.2019.00013

  19. Cox, J.: Hackers stole account details for over 60 million Dropbox users (2016). https://www.vice.com/en_us/article/nz74qb/hackers-stole-over-60-million-dropbox-accounts

  20. Crocker, P., Querido, P.: Two factor encryption in cloud storage providers using hardware tokens. In: Proceedings of the Global Communications Conference Workshops. IEEE, San Diego (2015). https://doi.org/10.1109/GLOCOMW.2015.7414154

  21. Cryptomator: Cryptomator system architecture (2019). https://cryptomator.org/security/architecture

  22. Dahshan, M., Elkassas, S.: Framework for securing data in cloud storage services. In: Proceedings of the 11th International Conference on Security and Cryptography, pp. 267–274. SciTePress, Vienna (2014). https://doi.org/10.5220/0005043802670274

  23. Dhar, A., Puddu, I., Kostiainen, K., Capkun, S.: ProximiTEE: hardened SGX attestation by proximity verification. In: Proceedings of the 10th Conference on Data and Application Security and Privacy, pp. 5–16. ACM, New Orleans (2020). https://doi.org/10.1145/3374664.3375726

  24. Djoko, J.B., Lange, J., Lee, A.J.: NeXUS: practical and secure access control on untrusted storage platforms using client-side SGX. In: Proceedings of the 49th Annual International Conference on Dependable Systems and Networks, pp. 401–413. IEEE, Portland (2019). https://doi.org/10.1109/DSN.2019.00049

  25. Esteves, T., et al.: TrustFS: an SGX-enabled stackable file system framework. In: Proceedings of the 38th International Symposium on Reliable Distributed Systems Workshops. IEEE, Lyon (2019). https://doi.org/10.1109/SRDSW49218.2019.00012

  26. Huang, K., Siegel, M., Madnick, S.: Systematically understanding the cyber attack business: a survey. ACM Comput. Surv. 51(4) (2018). https://doi.org/10.1145/3199674

  27. IDRIX: VeraCrypt - free open source disk encryption with strong security for the paranoid (2020). https://www.veracrypt.fr/en/Home.html

  28. INTEL: Intel Software Guard Extensions Programming Reference (2014). https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf

  29. Intel: Intel Software Guard Extensions SDK for Linux OS Developer Reference. Intel Corporation (2016). https://01.org/sites/default/files/documentation/intel_sgx_sdk_developer_reference_for_linux_os_pdf.pdf

  30. Karande, V., Bauman, E., Lin, Z., Khan, L.: SGX-Log: securing system logs with SGX. In: Proceedings of the Asia Conference on Computer and Communications Security. ACM, Abu Dhabi (2017). https://doi.org/10.1145/3052973.3053034

  31. Khraisat, A., Gondal, I., Vamplew, P., Kamruzzaman, J.: Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity 2 (2019). https://doi.org/10.1186/s42400-019-0038-7

  32. Kim, D., et al.: SGX-LEGO: fine-grained SGX controlled-channel attack and its countermeasure. Comput. Secur. 82, 118–139 (2019). https://doi.org/10.1016/j.cose.2018.12.001

    Article  Google Scholar 

  33. McKeen, F., et al.: Innovative instructions and software model for isolated execution. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy. ACM, Tel-Aviv (2013). https://doi.org/10.1145/2487726.2488368

  34. Meijer, C., van Gastel, B.: Self-encrypting deception: weaknesses in the encryption of solid state drives. In: Proceedings of the 40th Symposium on Security and Privacy, pp. 72–87. IEEE, San Francisco (2019). https://doi.org/10.1109/SP.2019.00088

  35. Moghimi, A., Eisenbarth, T., Sunar, B.: MemJam: a false dependency attack against constant-time crypto implementations in SGX. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 21–44. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_2

    Chapter  MATH  Google Scholar 

  36. Müller, T., Freiling, F.C.: A systematic assessment of the security of full disk encryption. IEEE Trans. Dependable Secure Comput. 12(5), 491–503 (2015). https://doi.org/10.1109/TDSC.2014.2369041

    Article  Google Scholar 

  37. Muncaster, P.: Verizon hit by another Amazon S3 leak (2017). https://www.infosecurity-magazine.com/news/verizon-hit-by-another-amazon-s3/

  38. Onwujekwe, G., Thomas, M., Osei-Bryson, K.M.: Using robust data governance to mitigate the impact of cybercrime. In: Proceedings of the 3rd International Conference on Information System and Data Mining. ACM, Houston (2019). https://doi.org/10.1145/3325917.3325923

  39. Peters, T., Lal, R., Varadarajan, S., Pappachan, P., Kotz, D.: BASTION-SGX: Bluetooth and architectural support for trusted I/O on SGX. In: Proceedings of the 7th International Workshop on Hardware and Architectural Support for Security and Privacy, pp. 1–9. ACM, Los Angeles (2018). https://doi.org/10.1145/3214292.3214295

  40. Peterson, R., et al.: Vallum: privacy, confidentiality and access control for sensitive data in cloud environments. In: Proceedings of the 11th International Conference on Cloud Computing Technology and Science. IEEE, Sydney (2019). https://doi.org/10.1109/CloudCom.2019.00026

  41. Pottier, R., Menaud, J.: Privacy-aware data storage in cloud computing. In: Proceedings of the 7th International Conference on Cloud Computing and Services Science, pp. 405–412. SciTePress, Porto (2017). https://doi.org/10.5220/0006294204050412

  42. PwC: global economic crime survey 2016: adjusting the lens on economic crime. Technical report, PwC (2016). https://www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf

  43. Rane, A., Lin, C., Tiwari, M.: Raccoon: closing digital side-channels through obfuscated execution. In: Proceedings of the 24th USENIX Security Symposium, pp. 431–446. USENIX Association, Washington, D.C. (2015). https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/rane

  44. Rawlings, R.: Here are the most popular passwords of 2019 (2019). https://nordpass.com/blog/top-worst-passwords-2019/

  45. Richter, L., Götzfried, J., Müller, T.: Isolating operating system components with Intel SGX. In: Proceedings of the 1st Workshop on System Software for Trusted Execution. ACM, Trento (2016). https://doi.org/10.1145/3007788.3007796

  46. da Rocha, M., Valadares, D.C.G., Perkusich, A., Gorgonio, K.C., Pagno, R.T., Will, N.C.: Secure cloud storage with client-side encryption using a trusted execution environment. In: Proceedings of the 10th International Conference on Cloud Computing and Services Science, pp. 31–43. SciTePress, Prague (2020). https://doi.org/10.5220/0009130600310043

  47. Sasy, S., Gorbunov, S., Fletcher, C.W.: ZeroTrace: oblivious memory primitives from Intel SGX. In: Proceedings of the Network and Distributed System Security Symposium. Internet Society, San Diego (2018). https://doi.org/10.14722/ndss.2018.23239

  48. Schwarz, M., Weiser, S., Gruss, D., Maurice, C., Mangard, S.: Malware guard extension: abusing Intel SGX to conceal cache attacks. Cybersecurity 3(1) (2020). https://doi.org/10.1186/s42400-019-0042-y

  49. Shih, M.W., Lee, S., Kim, T., Peinado, M.: T-SGX: eradicating controlled-channel attacks against enclave programs. In: Proceedings of the Network and Distributed System Security Symposium. Internet Society, San Diego (2017). https://doi.org/10.14722/ndss.2017.23193

  50. Shinde, S., Chua, Z.L., Narayanan, V., Saxena, P.: Preventing page faults from telling your secrets. In: Proceedings of the 11th Asia Conference on Computer and Communications Security, pp. 317–328. ACM, Xi’an (2016). https://doi.org/10.1145/2897845.2897885

  51. Singh, M., Singh, M., Kaur, S.: Issues and challenges in DNS based botnet detection: a survey. Comput. Secur. 86 (2019). https://doi.org/10.1016/j.cose.2019.05.019

  52. Sobchuk, J., O’Melia, S., Utin, D., Khazan, R.: Leveraging Intel SGX technology to protect security-sensitive applications. In: Proceedings of the 17th International Symposium on Network Computing and Applications. IEEE, Cambridge (2018). https://doi.org/10.1109/NCA.2018.8548184

  53. Spring, T.: Insecure backend databases blamed for leaking 43 TB of app data (2017). https://threatpost.com/insecure-backend-databases-blamed-for-leaking-43tb-of-app-data/126021/

  54. Sumathi, M., Sangeetha, S.: Survey on sensitive data handling—challenges and solutions in cloud storage system. In: Peter, J.D., Alavi, A.H., Javadi, B. (eds.) Advances in Big Data and Cloud Computing. AISC, vol. 750, pp. 189–196. Springer, Singapore (2019). https://doi.org/10.1007/978-981-13-1882-5_17

    Chapter  Google Scholar 

  55. Trang, T.T.X., Maruyama, K.: Secure data storage architecture on cloud environments. In: Proceedings of the 11th International Joint Conference on Software Technologies, pp. 39–47. SciTePress, Lisbon (2016). https://doi.org/10.5220/0005974400390047

  56. Valadares, D.C.G., da Silva, M.S.L., Brito, A.E.M., Salvador, E.M.: Achieving data dissemination with security using FIWARE and Intel software guard extensions (SGX). In: Proceedings of the 23rd Symposium on Computers and Communications. IEEE, Natal (2018). https://doi.org/10.1109/ISCC.2018.8538590

  57. Van Bulck, J., Oswald, D., Marin, E., Aldoseri, A., Garcia, F.D., Piessens, F.: A tale of two worlds: assessing the vulnerability of enclave shielding runtimes. In: Proceedings of the Conference on Computer and Communications Security, pp. 1741–1758. ACM, London (2019). https://doi.org/10.1145/3319535.3363206

  58. Van Bulck, J., Piessens, F., Strackx, R.: SGX-Step: a practical attack framework for precise enclave execution control. In: Proceedings of the 2nd Workshop on System Software for Trusted Execution, pp. 4:1–4:6. ACM, Shanghai (2017). https://doi.org/10.1145/3152701.3152706

  59. Wang, S., Wang, X., Zhang, Y.: A secure cloud storage framework with access control based on blockchain. IEEE Access 7, 112713–112725 (2019). https://doi.org/10.1109/ACCESS.2019.2929205

    Article  Google Scholar 

  60. Wang, W., et al.: Leaky cauldron on the dark land: understanding memory side-channel hazards in SGX. In: Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security. ACM, Dallas (2017). https://doi.org/10.1145/3133956.3134038

  61. Weafer, V.: Report: 2017 threats prediction. Technical report, McAfee Labs (2016). https://www.mcafee.com/au/resources/reports/rp-threats-predictions-2017.pdf

  62. Weiser, S., Werner, M.: SGXIO: generic trusted I/O path for Intel SGX. In: Proceedings of the 7th Conference on Data and Application Security and Privacy, pp. 261–268. ACM, Scottsdale (2017). https://doi.org/10.1145/3029806.3029822

  63. Yan, H., Li, X., Wang, Y., Jia, C.: Centralized duplicate removal video storage system with privacy preservation in IoT. Sensors 18(6) (2018). https://doi.org/10.3390/s18061814

  64. Zhou, L., Varadharajan, V., Hitchens, M.: Trust-based secure cloud data storage with cryptographic role-based access control. In: Proceedings of the 10th International Conference on Security and Cryptography, pp. 62–73. SciTePress, Reykjavík (2013). https://doi.org/10.5220/0004508600620073

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, Federal University of Technology - Paraná, Dois Vizinhos, Brazil

    Marciano da Rocha, Rodrigo Tomaz Pagno & Newton Carlos Will

  2. Department of Mechanical Engineering, Federal Institute of Pernambuco, Caruaru, Brazil

    Dalton Cézane Gomes Valadares

  3. Department of Electrical Engineering, Federal University of Campina Grande, Campina Grande, Brazil

    Angelo Perkusich

  4. Department of Computer Science, Federal University of Campina Grande, Campina Grande, Brazil

    Dalton Cézane Gomes Valadares & Kyller Costa Gorgonio

Authors
  1. Marciano da Rocha
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Dalton Cézane Gomes Valadares
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Angelo Perkusich
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Kyller Costa Gorgonio
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Rodrigo Tomaz Pagno
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Newton Carlos Will
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Newton Carlos Will .

Editor information

Editors and Affiliations

  1. Columbia University, New York, USA

    Donald Ferguson

  2. Free University of Bozen-Bolzano, Bolzano, Italy

    Claus Pahl

  3. Maynooth University, Maynooth, Ireland

    Markus Helfert

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

da Rocha, M., Valadares, D.C.G., Perkusich, A., Gorgonio, K.C., Pagno, R.T., Will, N.C. (2021). Trusted Client-Side Encryption for Cloud Storage. In: Ferguson, D., Pahl, C., Helfert, M. (eds) Cloud Computing and Services Science. CLOSER 2020. Communications in Computer and Information Science, vol 1399. Springer, Cham. https://doi.org/10.1007/978-3-030-72369-9_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-72369-9_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-72368-2

  • Online ISBN: 978-3-030-72369-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation