Privacy-preserving deduplication of encrypted data with dynamic ownership management in fog computing
Introduction
Fog computing, an evolutionary framework for next-generation computing, is a combination of the Internet of Things (IoT) and cloud computing. Due to the rise of IoT devices with limited computing resources, cloud-based solutions have been extensively researched. However, forecasts based on the recent growth of the IoT market [1], [2] indicate that centralized clouds are unlikely to be able to provide satisfactory services to users in the near future. As an extension of the cloud computing paradigm from the core to the edge of the network, fog computing can be seen as a layered structure of services [3], [4], [5]. While the central cloud provides a wide range of computing services, it also manages decentralized heterogeneous fog devices. Individual fog devices located near IoT devices provide faster cloud services to end users based on their own computation, storage, and network capabilities. Therefore, fog computing is a promising next-generation computing paradigm, with three attractive attributes: (1) low latency, (2) enhanced user experience (i.e., high-quality service), and (3) context awareness based on locational proximity [6], [7].
Centralized cloud storage is unable to handle enormous volumes of data in a timely manner given finite network bandwidth. Distributed storage on fog devices, in turn, cannot provide permanent and global computing services to users owing to the devices' limited resources and restricted field of vision. Therefore, efficient resource management (especially of storage space and network bandwidth) can be seen as one of the most important goals of commercial online storage services. In a fog computing environment, harmonious utilization of these resources between the central cloud and fog devices is one of the most desirable approaches. Deduplication utilizes space efficiently by storing only a single copy of duplicate data and providing owners with a link to it. Compared to cloud storage, fog devices located near the premises of end users, equipped with temporary storage, can provide a faster data outsourcing service to data owners. At the same time, the central cloud can efficiently utilize storage space by receiving and maintaining only unique data from fog devices.
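As a toy illustration of this idea, the following Python sketch keeps a single content-addressed copy of each unique file and records owner links to it. The `DedupStore` class and its fields are purely illustrative and not part of the scheme proposed in this paper:

```python
import hashlib

class DedupStore:
    """Toy content-addressed store: one stored copy per unique content."""

    def __init__(self):
        self.blocks = {}   # digest -> data (the single stored copy)
        self.owners = {}   # digest -> set of owner ids (links to the copy)

    def upload(self, owner, data):
        digest = hashlib.sha256(data).hexdigest()
        if digest not in self.blocks:      # first upload: store the data
            self.blocks[digest] = data
        # subsequent uploads only add an ownership link
        self.owners.setdefault(digest, set()).add(owner)
        return digest

store = DedupStore()
t1 = store.upload("alice", b"sensor log 2017-01-01")
t2 = store.upload("bob",   b"sensor log 2017-01-01")
assert t1 == t2 and len(store.blocks) == 1   # one copy, two owner links
```

In a fog deployment, a structure like this would sit at the fog device for fast local uploads, while only the unique `blocks` entries are forwarded to the central cloud.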
Despite the compelling benefits of deduplication, privacy issues surrounding outsourced data have also received close attention. Because data owners lose control of their outsourced data, they cannot guarantee the secure management of their data in remote storage systems [8], [9], [10], [11], [12].
In order to balance resource efficiency and data privacy, encryption of data at the user level can be considered. Because a storage service provider cannot always be fully trusted [13], [14], it should not be given encryption keys. In this context, most state-of-the-art secure deduplication schemes require data owners to derive a fixed common encryption key for the same data file in a deterministic way. This leads to the generation of the same ciphertext for the same data and eventually enables remote storage service providers to identify duplicates without knowledge of the encryption keys. However, a revoked user (one who has removed their data from the storage) may still be able to access the data after its deletion, or may leak their secret key if there is no proper key update procedure [15]. Such threats can lead to unauthorized access to plain content. The more frequently membership changes occur for outsourced data in remote storage, the more susceptible it is to key disclosure [16], [17], [18]. Therefore, to prevent information leakage in fog systems, proper updates of keys and outsourced data are essential in pragmatic remote storage service systems.
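The deterministic key derivation described above is commonly realized as convergent encryption: the key is a hash of the plaintext itself, so identical files always produce identical ciphertexts that the server can match without learning the key. The following Python sketch illustrates the principle only; the SHA-256 counter keystream stands in for a real block cipher and is not a secure construction:

```python
import hashlib

def convergent_encrypt(message: bytes):
    # Key derived deterministically from the plaintext itself, so
    # identical files always yield the identical key and ciphertext.
    key = hashlib.sha256(message).digest()
    # Toy deterministic keystream (illustration only, not a real cipher):
    stream = b""
    counter = 0
    while len(stream) < len(message):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    ciphertext = bytes(m ^ s for m, s in zip(message, stream))
    return key, ciphertext

k1, c1 = convergent_encrypt(b"shared IoT firmware image")
k2, c2 = convergent_encrypt(b"shared IoT firmware image")
assert c1 == c2   # equal ciphertexts let the server detect a duplicate
```

This determinism is precisely what makes deduplication of encrypted data possible, but it is also why the fixed key becomes a liability when ownership changes: every past owner can rederive it from the plaintext, which motivates the key and ciphertext updates discussed next.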
Efficient key management can also be considered an important issue [19]. To the best of our knowledge, previous studies on secure deduplication can hardly support updates of outsourced data in an efficient manner. Since the shared key is fixed at the time of the initial upload in previous approaches, the shared plain data must be re-encrypted under a fresh key and uploaded to remote storage by a trusted entity on every key update. The new key must then be distributed to all legitimate data owners in a secure manner. This can incur significant communication and computation overhead. Therefore, efficient key management and ciphertext updates are vital to the success of secure deduplication in fog computing.
In this paper, we propose a deduplication scheme for encrypted data that supports fine-grained access control in a fog storage system. Fine-grained access control here means cryptographic enforcement of access control in a seamless manner, without additional communication or computation on the data owners' side when ownership changes occur [20], [21], [22]. For both key management efficiency and security against key exposure threats, user-level keys are adopted in this paper: each data owner holds a pairing of a data-invariant private key and a data-dependent public key. In terms of efficiency, each data owner keeps a constant number of keys regardless of the number of outsourced data files. As regards fine-grained access control, valid data owners can access their outsourced plain contents as long as their private keys are kept secret, regardless of manipulations performed on the outsourced data on the remote storage side. The proposed scheme also provides consistent privacy no matter how many times membership changes occur for the same data file in remote storage. This is achieved by updating the user-level public keys and the ciphertext stored in the central cloud without knowledge of the private keys; this non-interactive update significantly reduces communication volume and the number of managed keys without weakening security.
The rest of this paper is organized as follows. In Section 2, previous secure deduplication studies are briefly reviewed. In Section 3, our goal for fog storage systems is defined. In Section 4, the proposed deduplication protocol is presented. Then, our scheme is compared with previous approaches in terms of efficiency in Section 5, and its security is analyzed in Section 6. In Section 7, the paper concludes with a summary of the proposed scheme.
Related work
Although numerous studies have contributed to secure deduplication, recent work has mostly considered cloud storage environments rather than fog computing. In this section, we briefly summarize representative studies and point out their limitations and the difficulties of adopting them directly in the fog storage architecture.
Fog storage description and our goals
In this section, we describe the architecture of fog storage systems and then define our goal for this paper.
Proposed data deduplication scheme
In this section, the proposed scheme is described as a data management framework during the life cycle of outsourced data.
Performance analysis
In this section, the proposed scheme is analyzed and compared with state-of-the-art client-side deduplication approaches in terms of functionality and efficiency.
Security analysis
In this section, we analyze the security of the proposed scheme. For data transmission between the cloud and fog devices, we assume a secure communication infrastructure such as an AAA (Authentication, Authorization, and Accounting) server for the management of users. This requirement is common to all of the secure deduplication schemes reviewed in the previous section. Under this consideration of user authentication and accounting, a pay-per-use environment would be deployable in pragmatic fog
Conclusion
The addition of user-level data access control is a significant improvement on fine-grained access control in a fog storage environment. In this study, we proposed a secure data deduplication scheme with efficient key management and data update capabilities for outsourced data, in step with the fog storage paradigm. The proposed scheme enables fog devices to deduplicate encrypted data within the same domain of data owners. It efficiently handles dynamic ownership changes in the fog storage
Acknowledgments
We are grateful to the anonymous referees for their invaluable contributions to this article. This work was supported by a Korea University Grant. This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIP) (No. 2016R1A2A2A05005402).
Dongyoung Koo received a B.S. degree from Yonsei University, Seoul, South Korea, in 2009, and an M.S. and a Ph.D. degree from Korea Advanced Institute of Science and Technology (KAIST), Daejeon, South Korea in 2012 and 2016, respectively, all in computer science.
He is currently a research professor with the Department of Computer Science and Engineering at Korea University, South Korea.
His research interests include information security, secure cloud computing, and cryptography.
References (75)
- et al., Cloud based data sharing with fine-grained proxy re-encryption, Pervasive Mob. Comput. (2016)
- et al., ESC: An efficient, scalable, and crypto-less solution to secure wireless networks, Comput. Netw. (2015)
- et al., Hash challenges: Stretching the limits of compare-by-hash in distributed data deduplication, Inform. Process. Lett. (2012)
- et al., An efficient confidentiality-preserving proof of ownership for deduplication, J. Netw. Comput. Appl. (2015)
- et al., Secure multi-server-aided data deduplication in cloud computing, Pervasive Mob. Comput. (2015)
- et al., An adversary model to evaluate DRM protection of video contents on iOS devices, Comput. Secur. (2016)
- et al., A Markov adversary model to detect vulnerable iOS devices and vulnerabilities in iOS apps, Appl. Math. Comput. (2017)
- R. van der Meulen, Gartner says 6.4 billion connected "things" will be in use in 2016, up 30 percent from 2015, ...
- IDC Market in a Minute: Internet of Things, available at ...
- S. Yi, C. Li, Q. Li, A survey of fog computing: Concepts, applications and issues, in: Workshop on Mobile Big Data ...
- Fog Computing: A Platform for Internet of Things and Analytics
- Forensic-by-design framework for cyber-physical cloud systems, IEEE Cloud Comput.
- On Lightweight Security Enforcement in Cyber-Physical Systems
- Forensic investigation of P2P cloud storage services and backbone for IoT networks: BitTorrent Sync as a case study, Comput. Electr. Eng.
- Efficient self-healing group key management with dynamic revocation and collusion resistance for SCADA in smart grid, Secur. Commun. Netw.
- Forensic data acquisition from cloud-of-things devices: Windows smartphones as a case study, Concurr. Comput.: Pract. Exper.
- Data exfiltration from Internet of Things devices: iOS devices as case studies, IEEE Internet Things J.
- A technique to circumvent SSL/TLS validations on iOS devices, Future Gener. Comput. Syst.
- Secure Key Establishment, Vol. 41
- Attribute-based encryption for fine-grained access control of encrypted data
- Extended proxy-assisted approach: Achieving revocable fine-grained encryption of cloud data
- Block-level de-duplication with encrypted data, Open J. Cloud Comput. (OJCC)
Junbeom Hur received a B.S. degree from Korea University, Seoul, South Korea, in 2001, and an M.S. and a Ph.D. degree from the Korea Advanced Institute of Science and Technology (KAIST) in 2005 and 2009, respectively, all in computer science.
He was with the University of Illinois at Urbana–Champaign as a postdoctoral researcher from 2009 to 2011.
He was with the School of Computer Science and Engineering at Chung-Ang University, South Korea as an Assistant Professor from 2011 to 2015. He is currently an Assistant Professor with the Department of Computer Science and Engineering at Korea University, South Korea.
His research interests include information security, cloud computing security, mobile security, and applied cryptography.