skip to main content
10.1145/3456727.3463780acmconferencesArticle/Chapter ViewAbstractPublication PagessystorConference Proceedingsconference-collections
research-article

Length preserving compression: marrying encryption with compression

Published: 14 June 2021 Publication History

Abstract

This work tackles an inherent conflict between two important trends. The first is the integration of data compression capabilities into many storage systems supporting random I/O on the compressed data. The second is encrypting data at the host, before data is written to the storage, in order to address regulatory and enterprise requirements. This provides end-to-end protection for the data, but since the data arrives encrypted, it prevents the storage from compressing the data. Can compression savings be achieved together with host side encryption without changing the storage protocols or storage backend? In this paper we show that they can.
We present Length Preserving Compression (LPC), which combines compression with encryption, to provide the benefits of both. The challenge is to achieve compression savings without overloading the host side with complex data management tasks which come with the fact that compression changes the data layout. We do this by keeping the data layout management capabilities on the storage while compressing and encrypting on the host. Equally important is that LPC works without changes to the compressing storage system or to the standard storage protocols involved. We implemented LPC in Linux dm-crypt and in the Xen blktap encryption and extensively evaluated its performance and impact on security and compression ratios.

References

[1]
104th United States Congress. Health insurance portability and accountability act. https://www.govinfo.gov/content/pkg/PLAW-104publ191/html/PLAW-104publ191.htm, 1996.
[2]
R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu. Order preserving encryption for numeric data. In Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data, SIGMOD '04, pages 563--574, 2004.
[3]
Apple. Use FileVault to encrypt the startup disk on your Mac. https://support.apple.com/en-us/HT204837. (Retrieved Sept. 2020).
[4]
J. Axboe et al. fio - Flexible I/O tester rev. 3.23. https://fio.readthedocs.io/en/latest/fio_doc.html. (Retrieved Sept. 2020).
[5]
M. Baldwin. Azure Disk Encryption for IaaS VMs. https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview. (Retrieved Sept. 2020).
[6]
N. Baracaldo, E. Androulaki, J. Glider, and A. Sorniotti. Reconciling end-to-end confidentiality and data reduction in cloud storage. In Proceedings of the 6th Edition of the ACM Workshop on Cloud Computing Security, CCSW '14, pages 21--32. ACM, 2014.
[7]
F. Bellard. QEMU, a fast and portable dynamic translator. In USENIX Annual Technical Conference, FREENIX Track, volume 41, page 46, 2005.
[8]
M. Bellare, S. Keelveedhi, and T. Ristenpart. Message-locked encryption and secure deduplication. In Advances in Cryptology - EUROCRYPT 2013, pages 296--312, 2013.
[9]
A. Berryman, P. Calyam, M. Honigford, and A. M. Lai. Vdbench: A benchmarking toolkit for thin-client based virtual desktop environments. In 2nd IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2010), pages 480--487. IEEE, 2010.
[10]
C. Bodley. Ceph documentation - compression. https://docs.ceph.com/en/latest/radosgw/compression/. (Retrieved Sept. 2020).
[11]
M. Broz. dm-crypt: Linux kernel device-mapper crypto target. https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt, 2020. (Retrieved Sept. 2020).
[12]
J. V. Bulck, M. Minkin, O. Weisse, D. Genkin, B. Kasikci, F. Piessens, M. Silberstein, T. F. Wenisch, Y. Yarom, and R. Strackx. Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution. In 27th USENIX Security Symposium, USENIX Security 2018, pages 991--1008, 2018.
[13]
J. C. Coburn. Red Hat Virtual Data Optimizer. https://github.com/dm-vdo/kvdo, 2017. (Retrieved Sept. 2020).
[14]
Y. Collet. LZ4 - extremely fast compression. http://code.google.com/p/lz4/.
[15]
Y. Collet. Zstandard. https://facebook.github.io/zstd/.
[16]
H. Dang and E.-C. Chang. Privacy-Preserving Data Deduplication on Trusted Processors. In Cloud Computing (CLOUD), 2017 IEEE 10th International Conference on, pages 66--73. IEEE, 2017.
[17]
Dell EMC. Dell EMC XtremIO X2 All-Flash Array. https://www.delltechnologies.com/he-il/storage/xtremio-all-flash.htm. (Retrieved Sept. 2020).
[18]
T. Duong and J. Rizzo. The CRIME attack. http://netifera.com/research/crime/CRIME_ekoparty2012.pdf, 2012.
[19]
M. Dworkin. Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices - NIST SP 800-38E, 2010.
[20]
European Parliament and Council of the European Union. European general data protection regulation. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679, 2016.
[21]
J. L. Gailly and M. Adler. Zlib home site. http://www.zlib.net/.
[22]
Y. Gluck, N. Harris, and A. Prado. BREACH: reviving the CRIME attack. http://breachattack.com/, 2013.
[23]
Google. Data encryption options. https://cloud.google.com/storage/docs/encryption/. (Retrieved Sept. 2020).
[24]
IBM. IBM FlashSystem A9000. https://www.ibm.com/downloads/cas/RGMAKOOK. (Retrieved Sept. 2020).
[25]
Intel. Improving Performance and Security of Big Data and Cloud Solutions. https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/quickassist-technology-big-data-cloud-paper.pdf. (Retrieved Sept. 2020).
[26]
W. Kang and N. Liu. Compressing encrypted data: Achieving optimality and strong secrecy via permutations. IEEE Trans. Inf. Theor., 62(12)7153--7163, Dec. 2016.
[27]
J. Kelley and R. Tamassia. Secure compression: Theory & practice. Cryptology ePrint Archive, Report 2014/113, 2014. https://eprint.iacr.org/2014/113.
[28]
J. Kelsey. Compression and information leakage of plaintext. In Revised Papers from the 9th International Workshop on Fast Software Encryption, FSE '02, pages 263--276, 2002.
[29]
P. Kennedy. The case for using zfs compression. https://www.servethehome.com/the-case-for-using-zfs-compression/, 2018. (Retrieved Sept. 2020).
[30]
L. Khati, N. Mouha, and D. Vergnaud. Full disk encryption: Bridging theory and practice. In Topics in Cryptology - CT-RSA 2017 - The Cryptographers' Track at the RSA Conference 2017, pages 241--257, 2017.
[31]
T. Kozlowski. End-to-End Data Encryption with Data Reduction from Thales & Pure Storage. https://blog.purestorage.com/end-to-end-data-encryption-with-data-reduction-from-thales-pure-storage/. (Retrieved Sept. 2020).
[32]
L. Kurth, G. Shuklin, et al. blktap. https://wiki.xenproject.org/wiki/Blktap, 2013. (Retrieved Sept. 2020).
[33]
B. Lich et al. Bitlocker. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview. (Retrieved Sept. 2020).
[34]
J. Liu, N. Asokan, and B. Pinkas. Secure Deduplication of Encrypted Data without Additional Independent Servers. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 874--885. ACM, 2015.
[35]
F. McKeen, I. Alex, A. Berenzon, C. Rozas, H. Shafi, V. Shanbhogue, and U. Savagaonkar. Innovative Instructions and Software Model for Isolated Execution. In Proceedings of the Workshop on Hardware and Architectural Support for Security and Privacy (HASP), 2013.
[36]
S. Moulton. NetApp data compression and deduplication deployment and implementation guide. https://www.netapp.com/us/media/tr-3966.pdf, 2018. (Retrieved Sept. 2020).
[37]
Nvidia. Nvidia Mellanox Bluefield-2 Data Processing Unit (DPU). https://www.mellanox.com/files/doc-2020/pb-bluefield-2-dpu.pdf. (Retrieved Sept. 2020).
[38]
Pensando. Pensando DSC-100 Distributed Services Card. https://pensando.io/wp-content/uploads/2020/03/Pensando-DSC-100-Product-Brief.pdf. (Retrieved Sept. 2020).
[39]
R. A. Popa, C. M. S. Redfield, N. Zeldovich, and H. Balakrishnan. Cryptdb: Protecting confidentiality with encrypted query processing. In Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, SOSP '11, pages 85--100, 2011.
[40]
T. H. Ptacek. You Don't Want XTS. https://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/, 2014. (Retrieved Feb. 2021).
[41]
Pure Storage. Data Services: Store Data Safely and Efficiently. https://www.purestorage.com/products/purity/store.html. (Retrieved Sept. 2020).
[42]
P. Rogaway, M. Wooding, and H. Zhang. The security of ciphertext stealing. In Fast Software Encryption, pages 180--195, 2012.
[43]
M. W. Storer, K. Greenan, D. D. Long, and E. L. Miller. Secure data deduplication. In Proceedings of the 4th ACM International Workshop on Storage Security and Survivability, StorageSS '08, pages 1--10. ACM, 2008.
[44]
Y. Tang and J. Yang. Secure Deduplication of General Computations. In USENIX Annual Technical Conference, pages 319--331, 2015.
[45]
Thales Group. Advanced data-at-rest encryption, access control and data access audit logging. https://cpl.thalesgroup.com/encryption/vormetric-transparent-encryption, 2019. (Retrieved Sept. 2020).
[46]
K. Vaid. Hardware innovation for data growth challenges at cloud-scale. https://azure.microsoft.com/en-us/blog/hardware-innovation-for-data-growth-challenges-at-cloud-scale/. (Retrieved Sept. 2020).
[47]
VMware. VMware vSPHERE®Virtual Machine Encryption: Virtual Machine Encryption Management. https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/vsphere/vmw-wp-vsphere-virtual-machin-encryp.pdf, 2017. (Retrieved Sept. 2020).
[48]
VMware. VMware vSAN: Using Deduplication and Compression. https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.virtualsan.doc/GUID-3D2D80CC-444E-454E-9B8B-25C3F620EFED.html, 2019. (Retrieved Sept. 2020).
[49]
Z. Wilcox-O'Hearn. Drew Perttula and Attacks on Convergent Encryption. https://tahoe-lafs.org/hacktahoelafs/drew_perttula.html, 2008. (Retrieved Feb. 2021).
[50]
G. Wolfgram. Creating virtual server instances with customer-managed encryption. https://cloud.ibm.com/docs/vpc-on-classic-vsi?topic=vpc-on-classic-vsi-creating-instances-byok. (Retrieved Sept. 2020).
[51]
E. Zadok, J. M. Andersen, I. Badulescu, and J. Nieh. Fast indexing: Support for size-changing algorithms in stackable file systems. pages 289--304, 01 2001.

Cited By

View all
  • (2024)SimEncProceedings of the 2024 USENIX Conference on Usenix Annual Technical Conference10.5555/3691992.3692030(615-630)Online publication date: 10-Jul-2024
  • (2024)Encrypted Data Reduction: Removing Redundancy from Encrypted Data in Outsourced StorageACM Transactions on Storage10.1145/368527820:4(1-30)Online publication date: 29-Jul-2024

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
SYSTOR '21: Proceedings of the 14th ACM International Conference on Systems and Storage
June 2021
226 pages
ISBN:9781450383981
DOI:10.1145/3456727
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

In-Cooperation

  • Technion: Israel Institute of Technology
  • USENIX Assoc: USENIX Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 June 2021

Permissions

Request permissions for this article.

Check for updates

Qualifiers

  • Research-article

Conference

SYSTOR '21
Sponsor:

Acceptance Rates

SYSTOR '21 Paper Acceptance Rate 18 of 63 submissions, 29%;
Overall Acceptance Rate 108 of 323 submissions, 33%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)33
  • Downloads (Last 6 weeks)0
Reflects downloads up to 16 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2024)SimEncProceedings of the 2024 USENIX Conference on Usenix Annual Technical Conference10.5555/3691992.3692030(615-630)Online publication date: 10-Jul-2024
  • (2024)Encrypted Data Reduction: Removing Redundancy from Encrypted Data in Outsourced StorageACM Transactions on Storage10.1145/368527820:4(1-30)Online publication date: 29-Jul-2024

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media