[IEEE CloudCom 2013] ClouDedup - Secure Deduplication with Encrypted Data
Transcript of [IEEE CloudCom 2013] ClouDedup - Secure Deduplication with Encrypted Data
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
ClouDedup: Secure Deduplication with Encrypted Data
Pasquale Puzio
SecludIT & EURECOM
Refik Molva (EURECOM)
Melek Önen (EURECOM)
Sergio Loureiro (SecludIT)
IEEE CloudCom 2013, Bristol, UK
December 3rd
Deduplication
● Storing duplicated data only once
● Total space savings up to 90-95% in backup applications
Deduplication
...but it does not work on encrypted data!
Two users encrypt the same data D = Hello World under their own keys K1 and K2:
  ENCRYPTION with K1 → owhfgr0wgr[whfrw0[h0[erghe0[gh0[eg
  ENCRYPTION with K2 → dfjl;dbfrwbfirbfroepthwobgfrugtwertgrtwu
The two ciphertexts differ, so the storage provider cannot recognise them as duplicates.
Convergent Encryption
Data encryption key derived from the data itself: K = hash(Data)
Two users encrypt the same D = Hello World, each under H(D):
  ENCRYPTION with H(D) → klfgwilegfiorwegtriegtiergieiergriegrigfifiw
  ENCRYPTION with H(D) → klfgwilegfiorwegtriegtiergieiergriegrigfifiw
Identical data gives identical ciphertexts, so deduplication works on the encrypted data.
Convergent Encryption
● Convergent Encryption is vulnerable to “dictionary attacks” [Perttula et al]: the key depends only on the data, so anyone who can guess a predictable plaintext can derive its key, encrypt the guess and compare the result with the stored ciphertext
● Solutions based on key agreement among users are infeasible in the Cloud
● How to achieve safe Convergent Encryption in the Cloud?
⇨ Additional deterministic encryption with the same secret key for all users
Solution – Additional Encryption
● Convergent encryption by users
● Additional encryption by server/gateway
  ○ Deterministic
  ○ Unique key known only by the server
  ○ No key exchange/sharing
  ○ Security by design
Solution - Metadata
Block-level deduplication + convergent encryption
⇨ New requirement: key management (one convergent key per block, per user)
SOLUTION
▪ metadata manager
▪ deduplication on encrypted blocks
▪ management of block keys
▪ separation between data and metadata
⇨ independence from the actual storage
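The slides on convergent encryption, the dictionary attack and the additional server-side layer (slides 3 to 5) and the metadata slide above describe the scheme in words. The following Python model, added here by the editor and not code from the talk or from the ClouDedup prototype, puts the pieces together: users apply convergent encryption per block (K = H(block)), the gateway adds a second deterministic encryption under one secret key Ks that users never see, and a metadata manager deduplicates on the doubly encrypted block and keeps the per-file block list. It then runs the dictionary attack once against plain convergent ciphertexts and once against the gateway's storage. Assumptions: a SHA-256 counter-mode keystream (`toy_cipher`) stands in for a real deterministic cipher so the example needs only the standard library; 16-byte blocks; block keys are handed back to the user instead of being held by the metadata manager; the two sample files, the guesses and the server key are constructed for the demo.

```python
import hashlib

BLOCK_SIZE = 16  # assumption: tiny fixed-size blocks so the demo stays readable


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Deterministic stand-in for a block cipher in a fixed-IV mode: XOR the data
    with a SHA-256 counter-mode keystream derived from key. Same key and same
    data always give the same ciphertext (what deduplication needs); the same
    call decrypts. Illustration only, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def convergent_encrypt(block: bytes) -> tuple[bytes, bytes]:
    """User side: K = H(block), C = E_K(block). Returns (C, K)."""
    k = hashlib.sha256(block).digest()
    return toy_cipher(k, block), k


def split_blocks(data: bytes) -> list[bytes]:
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


class Gateway:
    """Server/gateway plus metadata manager: adds the second deterministic
    layer under a single secret key Ks, deduplicates on the doubly encrypted
    block and keeps the ordered block list of every file."""

    def __init__(self, ks: bytes) -> None:
        self._ks = ks
        self.storage: dict[bytes, bytes] = {}    # block id -> E_Ks(E_K(block))
        self.files: dict[str, list[bytes]] = {}  # file name -> block ids

    def upload(self, name: str, ce_blocks: list[bytes]) -> int:
        """Stores blocks not seen before; returns how many were new."""
        new, ids = 0, []
        for c in ce_blocks:
            cc = toy_cipher(self._ks, c)           # second layer, same Ks for all users
            bid = hashlib.sha256(cc).digest()      # dedup on the doubly encrypted block
            if bid not in self.storage:
                self.storage[bid] = cc
                new += 1
            ids.append(bid)
        self.files[name] = ids
        return new

    def download(self, name: str) -> list[bytes]:
        """Removes the server layer; the user still needs the block keys."""
        return [toy_cipher(self._ks, self.storage[b]) for b in self.files[name]]


def user_upload(gw: Gateway, name: str, data: bytes) -> tuple[list[bytes], int]:
    """Returns the per-block convergent keys the user keeps (assumption: in the
    paper the metadata manager holds them on the user's behalf)."""
    ce, keys = [], []
    for b in split_blocks(data):
        c, k = convergent_encrypt(b)
        ce.append(c)
        keys.append(k)
    return keys, gw.upload(name, ce)


def user_download(gw: Gateway, name: str, keys: list[bytes]) -> bytes:
    return b"".join(toy_cipher(k, c) for k, c in zip(keys, gw.download(name)))


def dictionary_attack(seen: set[bytes], guesses: list[bytes]) -> list[bytes]:
    """Adversary who can read the stored blocks (e.g. the storage provider)
    and guesses predictable plaintext blocks: it computes the convergent
    ciphertext of each guess and checks whether that value is stored. Without
    Ks it cannot reproduce the second layer, so the check fails on Gateway storage."""
    return [g for g in guesses if convergent_encrypt(g)[0] in seen]


def demo() -> dict:
    # Constructed sample data: two users back up files that share one block.
    alice = b"Hello World!!!!!" + b"secret-salary-01"   # 2 blocks
    bob = b"Hello World!!!!!" + b"secret-salary-02"     # first block shared
    gw = Gateway(ks=hashlib.sha256(b"server-only-secret").digest())  # assumed Ks

    keys_a, _ = user_upload(gw, "alice.txt", alice)
    _, new_b = user_upload(gw, "bob.txt", bob)

    # Plain convergent encryption with no server layer, for comparison.
    ce_only = {convergent_encrypt(b)[0] for b in split_blocks(alice)}
    guesses = [b"Hello World!!!!!", b"Goodbye World!!!"]

    return {
        "blocks_stored": len(gw.storage),      # 3, not 4: the shared block is stored once
        "new_for_bob": new_b,                  # 1
        "roundtrip_ok": user_download(gw, "alice.txt", keys_a) == alice,
        "attack_on_ce_only": dictionary_attack(ce_only, guesses),
        "attack_on_cloudedup": dictionary_attack(set(gw.storage.values()), guesses),
    }


if __name__ == "__main__":
    print(demo())
```

The two attack results are the point: against convergent ciphertexts alone the predictable block "Hello World!!!!!" is confirmed, against the gateway's storage nothing matches, while Bob's upload still deduplicates the shared block because the second layer is deterministic under one key. The same design implies the caveat the slides leave implicit: whoever holds Ks (the gateway) is a trusted component, and a deterministic second layer still reveals equality of blocks to the storage provider, which is exactly the leakage deduplication needs.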
Metadata Manager
Solution – putting all together
Metadata Overhead
Performance
● Storage/retrieval cost is linear in the number of blocks of the file
● Deduplication cost per block is constant
Security
Conclusion
● Confidentiality and block-level deduplication
● Countermeasure against CE vulnerabilities
● Negligible performance impact
● Storage agnostic
● Transparent to the storage provider
Future Work
● Prototype for performance analysis (ongoing, current results are promising)
● Typical operations such as edit, append and delete
● Data sharing
THANK YOU