Research project
Untitled
Funder
Authors
Publications
A Systems Approach to Searchable Encryption
Publication. Oliveira, Filipe Miguel Santos de; Ferreira, Bernardo; Leitão, João
The expansion of cloud services facilitates access to hardware and software resources.
The number of clients has been rising, and so has the amount of data on the cloud providers'
servers. Much of this data contains personal information that must be protected to
guarantee privacy for data owners.
Searchable encryption (SE) and symmetric searchable encryption (SSE) provide an efficient way to protect data and enable search operations when it is stored on cloud providers'
servers. Despite all the work in this area, some details are left outside the scope or for
future consideration. It is necessary to consider these details to integrate searchable
encryption schemes in real systems.
A study of the most recent academic works in this field was conducted and
found some points not considered in the literature. The identified topics have to be
considered when manipulating files in operational systems and are related to file storage
and operations, financial costs, reindex operations, file name transformation and
multiple cloud support.
The traditional architecture of searchable encryption schemes was analysed and
a new one was designed that uses no cloud computation services. These two architectures
were the basis of the three implemented systems, which accomplish the integration of file
handling with the searchable encryption scheme regarding file storage and file operations,
filename handling and reindex operation costs.
We assessed two of the three developed systems regarding performance, and all three
regarding costs and security.
Beyond the technical solutions for the topics named in the research work, we concluded that the assessed systems have advantages in different areas. The system with the traditional client-server architecture is faster in search operations, whereas the other, using a
buffer and cache, has lower operational costs and achieves better security, guaranteeing
backward-privacy leakage. The system using only a storage service proved inadequate
for real solutions, due to the long times needed to insert index elements.
Virtual HSM: Building a Hardware-backed Dependable Cryptographic Store
Publication. Rosa, Miguel Gomes; Ferreira, Bernardo
Cloud computing is being used by almost everyone, from regular consumers to IT
specialists, as it is a way to have high availability, geo-replication, and resource elasticity
with pay-as-you-go charging models. Another benefit is the minimal management effort
and maintenance expenses for its users.
However, security is still pointed out as the main reason hindering the full adoption
of cloud services. Consumers lose ownership of their data as soon as it goes to the cloud;
therefore, they have to rely on the cloud provider's security assumptions and Service Level
Agreements regarding privacy and integrity guarantees for their data.
Hardware Security Modules (HSMs) are dedicated cryptographic processors, typically
used in secure cloud applications, that are designed specifically for the protection of
cryptographic keys in all steps of their life cycles. They are physical devices with tamper
resistance, but rather expensive. There have been some attempts to virtualize
HSMs. Virtual solutions can reduce these costs, but without much success, as performance is
not comparable and security guarantees are hard to achieve in software implementations.
In this dissertation, we aim at developing a virtualized HSM supported by modern
attestation-based trusted hardware in commodity CPUs to ensure privacy and reliability,
which are the main requirements of an HSM. High availability will also be achieved
through techniques such as cloud-of-clouds replication on top of those nodes. Therefore,
virtual HSMs on the cloud, backed with trusted hardware, seem increasingly promising,
as security, attestation, and high availability will be guaranteed by our solution, and it
would be much cheaper than, and as reliable as, having physical HSMs.
Secure Abstractions for Trusted Cloud Computation
Publication. Tavares, Joana da Silva; Ferreira, Bernardo; Preguiça, Nuno
Cloud computing is adopted by most organizations due to its characteristics, namely
offering on-demand resources and services that can quickly be provisioned with minimal
management effort and maintenance expenses for its users. However, it still suffers from
security incidents, which have led to many data security concerns and reluctance in
further adherence. With the advent of these incidents, cryptographic technologies such
as homomorphic and searchable encryption schemes were leveraged to provide solutions
that mitigated data security concerns.
The goal of this thesis is to provide a set of secure abstractions to serve as a tool for
programmers to develop their own distributed applications. Furthermore, these abstractions
can also be used to support trusted cloud computations in the context of NoSQL
data stores. For this purpose we leveraged conflict-free replicated data types (CRDTs), as
they provide a mechanism to ensure data consistency under replication that has no need
for synchronization, which aligns well with the distributed and replicated nature of the
cloud, together with the aforementioned cryptographic technologies to comply with the security
requirements. The main challenge of this thesis consisted in combining the cryptographic
technologies with the CRDTs in such a way that it was possible to support all of the data
structures' functionalities over ciphertext while striving to attain the best security and
performance possible.
To evaluate our abstractions we conducted an experiment to compare each secure
abstraction with its non-secure counterpart performance-wise. Additionally, we also
analysed the security level provided by each of the structures in light of the cryptographic
scheme used to support it. The results of our experiment show that our abstractions
provide the intended data security with an acceptable performance overhead, showing
that they have the potential to be used to build solutions for trusted cloud computation.
Organisational units
Description
Keywords
Contributors
Funders
Funding entity
Fundação para a Ciência e a Tecnologia
Funding programme
3599-PPCDT
Grant number
PTDC/CCI-INF/31698/2017
