A framework with data-centric accountability and auditability for cloud storage

The Journal of Supercomputing

Abstract

The cross-domain nature of cloud storage services means that users and service providers have only limited trust in each other. From a real-world perspective, both parties may be motivated to act dishonestly for monetary reasons. Hence, accountability should be treated seriously when designing storage systems with practical security. This paper proposes a general accountability framework for cloud storage in a data-centric manner. We design non-repudiable action records to log all data-related access behavior, and detect possible misbehavior through later auditing. To resist replay attacks, we adopt a signature-exchange approach in which both parties verify and maintain different metadata signatures signed by the other party. For potential disputes about data content or access records, we also design an arbitration protocol to settle the dispute fairly and efficiently and identify the cheating party. Experimental evaluation of our prototype shows that the cryptographic cost, storage overhead and throughput are reasonable and acceptable.

Notes

  1. “Temporarily agree” means that if a user can only check the integrity of received data and cannot perform a data freshness check, then he simply keeps the hash of the received data in the record and relies on future auditing to check whether the CSP sent a stale version of the data at that time. Owing to the complexity of cryptographic storage design, there are many ways to perform a data freshness check during data access; the specific freshness check policy depends on the system design and implementation. This paper focuses on introducing a general accountability framework for cloud storage, so we omit the details of the freshness check. Readers can refer to the post-freshness check policy in [20] or the immediate freshness check policy in [22].
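
The deferred check described in this note can be sketched as a later audit pass over the action records. This is an added example, not code from the paper: the record fields, the `audit_freshness` function and the sample log are assumptions, and the signatures that make the real records non-repudiable are omitted, so the log is taken as already agreed by both parties.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class ActionRecord:          # hypothetical layout, not the paper's record format
    seq: int                 # position in the agreed log
    op: str                  # "write" or "read"
    obj: str                 # object identifier
    data_hash: str           # SHA-256 of data written, or of data the CSP returned

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_freshness(records):
    """Replay the log and report reads that did not return the latest write."""
    latest = {}    # obj -> hash of the most recent write
    older = {}     # obj -> hashes of superseded versions
    findings = []
    for r in sorted(records, key=lambda rec: rec.seq):
        if r.op == "write":
            if r.obj in latest:
                older.setdefault(r.obj, set()).add(latest[r.obj])
            latest[r.obj] = r.data_hash
        elif r.op == "read":
            expected = latest.get(r.obj)
            if expected is None:
                findings.append((r.seq, r.obj, "no-prior-write"))
            elif r.data_hash != expected:
                # A hash equal to a superseded version means stale data was
                # served; any other mismatch is content never written.
                stale = r.data_hash in older.get(r.obj, set())
                findings.append((r.seq, r.obj, "stale" if stale else "unknown-content"))
    return findings

# Constructed sample log: the user recorded hashes at read time without
# being able to check freshness ("temporarily agree").
V1, V2 = h(b"report v1"), h(b"report v2")
SAMPLE_LOG = [
    ActionRecord(1, "write", "doc", V1),
    ActionRecord(2, "read", "doc", V1),
    ActionRecord(3, "write", "doc", V2),
    ActionRecord(4, "read", "doc", V1),            # CSP served the old version
    ActionRecord(5, "read", "doc", V2),
    ActionRecord(6, "read", "doc", h(b"other")),   # matches no written version
    ActionRecord(7, "read", "img", h(b"pixels")),  # object never written
]

if __name__ == "__main__":
    for finding in audit_freshness(SAMPLE_LOG):
        print(finding)
```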

References

  1. Amazon (2008) Amazon s3 availability event. https://aws.amazon.com/cn/message/41926/

  2. Francisco P (2014) Ipad’s security breach. http://www.linkedin.com/pulse/20140817183007-68332546-ipad-s-security-breach/

  3. Jordi G (2016) Linkedin data leakage: change your password now. http://www.linkedin.com/pulse/linkedin-data-leakage-change-your-password-now-jordi-gili/

  4. Khan KM, Malluhi Q (2010) Establishing trust in cloud computing. IT Prof 12(5):20–27

  5. Ren K, Wang C, Wang Q (2012) Security challenges for the public cloud. IEEE Internet Comput 16(1):69–73

  6. Armbrust M, Fox A, Griffith R, Joseph AD, Katz R, Konwinski A, Lee G, Patterson D, Rabkin A, Stoica I, Zaharia M (2010) A view of cloud computing. Commun ACM 53(4):50–58

  7. Lund MS, Bjornar S, Ketil S (2010) Evolution in relation to risk and trust management. Computer 43(5):49–55

  8. Blaze M, Joan F, Jack L (1996) Decentralized trust management. In: Security and Privacy, pp 164–173

  9. Wang Y, Julita V (2003) Bayesian network-based trust model. In: IEEE International Conference on Web Intelligence, pp 372–378

  10. Li W, Lingdi P (2009) Trust model to enhance security and interoperability of cloud environment. In: Cloud Computing, pp 69–79

  11. Blaze M, John I, Keromytis A (2003) Experience with the keynote trust management system: applications and future directions. In: Trust Management, pp 1071–1087

  12. Liu Z, Joy AW, Thompson RA (2004) A dynamic trust model for mobile ad hoc networks. In: Proceedings of the 10th IEEE International Workshop on Future Trends, pp 80–85

  13. Yan Z, Zhang P, Vasilakos AV (2014) A survey on trust management for internet of things. J Netw Comput Appl 42:120–134

  14. Urquhart J (2009) The biggest cloud-computing issue of 2009 is trust. http://news.cnet.com/8301-19413_3-10133487-240.html

  15. Conner W, Iyengar A, Mikalsen T, Rouvellou I, Nahrstedt K (2009) A trust management framework for service-oriented environments. In: Proceedings of the 18th International Conference on World Wide Web, pp 891–900

  16. Alhamad M, Tharam D, Elizabeth C (2010) SLA-based trust model for cloud computing. In: Proceedings of the 13th International Conference on Network-Based Information Systems, pp 321–324

  17. Noor TH, Sheng QZ (2011) Credibility-based trust management for services in cloud environments. In: Kappel G, Maamar Z, Motahari-Nezhad HR (eds) Service-oriented computing. ICSOC 2011. Lecture Notes in Computer Science, vol 7084. Springer, Berlin, Heidelberg, pp 328–343

  18. Wang S, Zhang L, Ma N, Wang S (2008) An evaluation approach of subjective trust based on cloud model. J Softw Eng Appl 01:1062–1068

  19. Goh E-J, Shacham H, Modadugu N, Boneh D (2003) SiRiUS: securing remote untrusted storage. In: Proceedings of the 7th Network and Distributed System Security Symposium (NDSS’03), pp 131–145

  20. Popa RA, Lorch JR, Molnar D, Wang HJ, Zhuang L (2011) Enabling security in cloud storage slas with cloudproof. In: USENIX Annual Technical Conference (ATC’11), vol 242, pp 55–368

  21. Buchty R, Heintze N, Oliva D (2014) Cryptonite—a programmable crypto processor architecture for high-bandwidth applications. In: International Conference on Architecture of Computing Systems, pp 184–198

  22. Jin H, Zhou K, Jiang H, Lei D, Wei R, Li C (2018) Full integrity and freshness for cloud data. Future Gener Comput Syst 80:640–652

  23. C Alliance (2011) Security guidance for critical areas of focus in cloud computing v3.0. Cloud Security Alliance

  24. Ryan KLK, Jagadpramana P, Mowbray M, Pearson S, Kirchberg M, Liang Q, Lee BS (2011) Trustcloud: a framework for accountability and trust in cloud computing. In: World congress on services, IEEE, Washington, DC, pp 584–588

  25. Yumerefendi AR, Chase JS (2005) The role of accountability in dependable distributed systems. In: Proceedings of HotDep, vol 5, pp 3–8

  26. Lampson BW (2004) Computer security in the real world. Computer 37(6):37–46

  27. Yumerefendi AR, Chase JS (2004) Trust but verify: accountability for network services. In: Proceedings of the 11th Workshop on ACM SIGOPS European Workshop. ACM, pp 37–42

  28. Pearson S (2011) Toward accountability in the cloud. IEEE Internet Comput 15(4):64–69

  29. Ko RK, Lee BS, Pearson S (2011) Towards achieving accountability, auditability and trust in cloud computing. In: International Conference on Advances in Computing and Communications. Springer, pp 432–444

  30. Schneier B, Kelsey J (1998) Cryptographic support for secure logs on untrusted machines. In: USENIX Security Symposium, vol 98, pp 53–62

  31. Peterson ZN, Burns RC, Ateniese G, Bono S (2007) Design and implementation of verifiable audit trails for a versioning file system. In: Proceedings of the 6th USENIX Conference on File and Storage Technologies (FAST’07), vol 7, p 20

  32. Maniatis P, Baker M (2002) Enabling the archival storage of signed documents. In: Proceedings of the 1st USENIX Conference on File and Storage Technologies, pp 3–17

  33. Maniatis P, Baker M (2002) Secure history preservation through timeline entanglement. arXiv preprint arXiv:cs/0202005

  34. Boneh D, Gentry C, Waters B (2005) Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Advances in Cryptology (CRYPTO’05), pp 258–275

  35. Fu K, Kamara S, Kohno T (2006) Key regression: enabling efficient key distribution for secure distributed storage. In: Computer Science Department Faculty Publication Series, pp 110–149

  36. Backes M, Cachin C, Oprea A (2006) Secure key-updating for lazy revocation. In: European Symposium on Research in Computer Security (ESORICS’06), pp 327–346

  37. Ma D, Tsudik G (2009) A new approach to secure logging. ACM Trans Storage 5(1):1–21

  38. Schneier B, Kelsey J (1999) Secure audit logs to support computer forensics. ACM Trans Inf Syst Secur 2(2):159–176

  39. Bellare M, Bennet Y (2003) Forward-security in private-key cryptography. CT-RSA 2612:1–18

  40. Holt JE (2006) Logcrypt: forward security and public verification for secure audit logs. In: Proceedings of the 2006 Australasian Workshops on Grid Computing and E-Research, pp 203–211

  41. Castro M, Barbara L (1999) Practical byzantine fault tolerance. In: Proceedings of the Symposium on Operating Systems Design and Implementation, pp 173–186

  42. Yin J, Martin J-P, Venkataramani A, Alvisi L, Dahlin M (2003) Separating agreement from execution for byzantine fault tolerant services. ACM SIGOPS Oper Syst Rev 37(5):253–267

  43. Juels A, Kaliski Jr BS (2007) Pors: proofs of retrievability for large files. In: Proceedings of the 14th ACM Conference on Computer and Communication Security (CCS’07), pp 584–597

  44. Ateniese G, Burns R, Curtmola R, Herring J, Kissner L, Peterson Z, Song D (2007) Provable data possession at untrusted stores. In: Proceedings of the 14th ACM Conference on Computer and Communication Security (CCS’07), pp 598–609

  45. Shacham H, Waters B (2008) Compact proofs of retrievability. In: Advances in Cryptology (ASIACRYPT’08), pp 90–107

  46. Weatherspoon H, Eaton P, Chun B-G, Kubiatowicz J (2007) Antiquity: exploiting a secure log for wide-area distributed storage. ACM SIGOPS Oper Syst Rev 41(3):371–384

  47. Blaze M (1993) A cryptographic file system for unix. In: Proceedings of the 1st ACM Conference on Computer and Communication Security, pp 9–16

  48. Miller EL, Long DD, Freeman WE, Reed B (2002) Strong security for network-attached storage. In: Proceedings of the 1st USENIX Conference on File and Storage Technologies (FAST’02), pp 1–13

  49. Li J, Krohn MN, Mazières D, Shasha D (2004) Secure untrusted data repository (SUNDR). In: Proceedings of the 6th USENIX Symposium Operating Systems Design and Implementation (OSDI’04), pp 121–136

  50. Haeberlen A, Kouznetsov P, Druschel P (2007) Peerreview: practical accountability for distributed systems. In: ACM SIGOPS Operating Systems Review, vol 41(6), pp 175–188

  51. Yumerefendi AR, Chase JS (2007) Strong accountability for network storage. ACM Trans Storage 3(3):11–25

  52. Backes M, Druschel P, Haeberlen A, Unruh D (2009) CSAR: a practical and provable technique to make randomized systems accountable. In: Proceedings of the 13th Network and Distributed System Security Symposium, vol 9, pp 341–353

  53. Yavuz AA, Peng N (2009) BAF: an efficient publicly verifiable secure audit logging scheme for distributed systems. In: Proceedings of the Annual Computer Security Applications Conference, pp 219–228

  54. Dowling B, Günther F, Herath U, Stebila D (2016) Secure logging schemes and certificate transparency. In: Proceedings of the 21st European Symposium on Research in Computer Security, pp 140–158

  55. Hartung G, Kaidel B, Koch A, Koch J, Hartmann D (2017) Practical and robust secure logging from fault-tolerant sequential aggregate signatures. In: International Conference on Provable Security, pp 87–106

  56. Marty R (2011) Cloud application logging for forensics. In: Proceedings of the ACM Symposium on Applied Computing (SAC’11). ACM, pp 178–184

  57. Dominik B, Christoph W (2011) Technical issues of forensic investigations in cloud computing environments. In: IEEE 6th International Workshop on Systematic Approaches to Digital Forensic Engineering. IEEE, pp 1–10

  58. Zawoad S, Dutta AK, Hasan R (2013) SecLaaS: secure logging-as-a-service for cloud forensics. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. Ser. ASIA CCS’13. ACM, pp 219–230

  59. Zawoad S, Dutta AK, Hasan R (2016) Towards building forensics enabled cloud through secure logging-as-a-service. IEEE Trans Dependable Secur Comput 13(2):148–162

  60. Standard (2002) Secure hash, Fips pub 180-2. National Institute of Standards and Technology, Gaithersburg

  61. Rogaway P, Thomas S (2004) Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Fast Software Encryption. Springer, pp 258–275

  62. Shafi G, Silvio M, Rivest RL (1988) A digital signature scheme secure against adaptive chosen-message attacks. SIAM J Comput 17(2):281–308

Acknowledgements

The authors would like to thank the anonymous referees for their reviews and insightful suggestions to improve this paper. This work is partially supported by the National Key R&D Program of China (2016YFB0800402) and the National Natural Science Foundation of China under Grant No. 61232004. Yan Luo is supported in part by the National Science Foundation of USA (Award Nos. 1547428, 1738965 and 1450996).

Author information

Correspondence to Hao Jin.

Cite this article

Jin, H., Zhou, K. & Luo, Y. A framework with data-centric accountability and auditability for cloud storage. J Supercomput 74, 5903–5926 (2018). https://doi.org/10.1007/s11227-018-2504-5

  • DOI: https://doi.org/10.1007/s11227-018-2504-5
