Abstract
Users increasingly delegate data storage to cloud services because of their virtually unlimited storage, change history, broadband connection, and high availability. Despite these benefits, data confidentiality and users' privacy need extra attention, as numerous threats aim to collect such information in an unauthorized manner. One approach to ensuring data confidentiality is client-side encryption, in which the user takes control of the encryption keys and defines which files or data will be encrypted. This scheme is already used by many applications on personal computers and as a native feature in some smartphone operating systems, but it is still susceptible to certain types of attacks. To improve the security of the client-side encryption approach, we propose applying Intel Software Guard Extensions (SGX) to perform data sealing, creating a secure vault that can be synchronized with any cloud storage service while relying on SGX to protect the key handling. To validate our proposal, we build a proof of concept based on the Cryptomator application, an open-source client-side encryption tool specially designed for cloud storage services. Our results show an overall performance better than the original Cryptomator application, with stronger security premises. Thus, our solution proved to be feasible and can be expanded and refined for practical use and integration with cloud synchronization services.
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
da Rocha, M., Valadares, D.C.G., Perkusich, A., Gorgonio, K.C., Pagno, R.T., Will, N.C. (2021). Trusted Client-Side Encryption for Cloud Storage. In: Ferguson, D., Pahl, C., Helfert, M. (eds) Cloud Computing and Services Science. CLOSER 2020. Communications in Computer and Information Science, vol 1399. Springer, Cham. https://doi.org/10.1007/978-3-030-72369-9_1
DOI: https://doi.org/10.1007/978-3-030-72369-9_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-72368-2
Online ISBN: 978-3-030-72369-9
eBook Packages: Computer Science, Computer Science (R0)