Privacy-preserving deduplication of encrypted data with dynamic ownership management in fog computing

https://doi.org/10.1016/j.future.2017.01.024

Highlights

  • In fog computing, privacy issues become critical due to its complicated innards.

  • Efficient resource management is important in pay-per-use commercial fog storage.

  • We propose a secure deduplication with efficient ownership management in fog storage.

  • It achieves fine-grained access control through user-level key and update mechanisms.

  • The update at remote storage dramatically reduces communication overhead.

Abstract

The explosion in the volume of data generated by end-point devices, arising from IoT proliferation, has led to the adoption of data outsourcing to dedicated data centers. However, centralized data centers such as cloud storage cannot afford to manage large stores of data in a timely manner. To allow low latency access to large amounts of data, a new computing paradigm, called fog computing, has been introduced. In a fog computing environment, privacy issues surrounding outsourced data become more critical due to the complicated innards of the system. In addition, efficient resource management is another important criterion considering the application of pay-per-use in commercial fog storage. As an extension of cloud storage, most fog storage service providers will choose to adopt data deduplication techniques to minimize resource dissipation. At the same time, data owners may update or remove outsourced data stored in the remote storage to reduce expenses. In this paper, we propose the first privacy-preserving deduplication protocol capable of efficient ownership management in fog computing. It achieves fine-grained access control by introducing user-level key management and update mechanisms. Data-invariant user-level private keys enable data owners to maintain a constant number of keys regardless of the number of outsourced data files. The update of user-level public keys for valid data owners at the remote storage dramatically reduces communication overhead. Security and performance analyses demonstrate the efficiency of the proposed scheme in terms of communication and key management in fog storage.

Introduction

Fog computing, an evolutionary framework of future generation computing, is a combination of the Internet of Things (IoT) and cloud computing. Due to the rise of IoT devices with limited computing resources, cloud-based solutions have been extensively researched. However, forecasts based on the recent growth of the IoT market [1], [2] indicate that centralized clouds will be unlikely to be able to provide satisfactory services to users in the near future. As an extension of the cloud computing paradigm from the core to the edge of the network, fog computing can be seen as a layered structure of services [3], [4], [5]. While the central cloud provides a wide range of computing services, it also manages decentralized heterogeneous fog devices. Individual fog devices located near IoT devices provide faster cloud services to end users based on their own computation, storage, and network capabilities. Therefore, fog computing is a promising next-generation computing paradigm, with three attractive attributes: (1) low latency, (2) enhanced user experience (i.e., high quality service), and (3) context awareness based on locational proximity [6], [7].

Centralized cloud storage is unable to handle enormous volumes of data in a timely manner given a finite network bandwidth. Distributed storage, namely the fog device, is incapable of providing permanent and global computing services to users owing to its limited resources and restricted field of vision, respectively. Therefore, efficient resource management (especially that of storage space and network bandwidth) can be seen as one of the most important goals of commercial online storage services. Under the fog computing environment, utilization of these resources in a harmonious way between the central cloud and fog devices would be one of the most desirable approaches. Deduplication is able to utilize space efficiently by storing only a single copy of duplicate data and providing owners with a link to it. Compared to cloud storage, fog devices located near the premises of end users with temporal storage can provide a faster data outsourcing service to data owners. At the same time, the central cloud can efficiently utilize storage space by receiving and maintaining only unique data from fog devices.

Despite the compelling benefits of deduplication, privacy issues surrounding outsourced data have also received close attention. Because data owners lose control of their outsourced data, they cannot guarantee the secure management of their data in remote storage systems [8], [9], [10], [11], [12].

In order to balance resource efficiency and data privacy, the encryption of data at the user level can be considered. Because a storage service provider cannot always be fully trusted [13], [14], it should not be given encryption keys. In this context, most state-of-the-art secure deduplication research requires data owners to derive a fixed common encryption key for the same data files in a deterministic way. This leads to the generation of the same ciphertext for the same data and eventually enables remote storage service providers to identify duplicates without knowledge of encryption keys. Revoked users (who have removed their data from the storage) may then be able to access the data even after the data deletion, or leak their secret keys, if there is no proper key update procedure [15]. This kind of threat could lead to unauthorized access to plain content. The more frequently the membership changes for the outsourced data in remote storage, the more susceptible the data is to key disclosure [16], [17], [18]. Therefore, to prevent information leakage in fog systems, proper update of keys and outsourced data is essential in pragmatic remote storage service systems.

Efficient key management can also be considered an important issue [19]. To the best of our knowledge, previous studies on secure deduplication can hardly support updates of outsourced data in an efficient manner. Since the shared key is fixed at the time of initial upload in previous approaches, the shared plain data needs to be re-encrypted using a fresh key and uploaded to remote storage by a trusted entity on every key update. Then, the new key should be distributed to all of the legitimate data owners in a secure manner. This can incur significant communication and computation overhead expenses. Therefore, efficient key management and ciphertext updates are vital to the success of secure deduplication in fog computing.
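The limitation described in the two paragraphs above, as an added Python example that is not taken from the paper: a content-derived key lets the server deduplicate ciphertext, but a revoked owner's key keeps working until a trusted entity re-encrypts and redistributes a fresh key. `DedupStore`, `rekey`, and the owner names are hypothetical, and the SHA-256 keystream is a toy stand-in for a real deterministic cipher.

```python
import hashlib
import os

def convergent_key(data: bytes) -> bytes:
    """Deterministic key: every owner of the same file derives the same key."""
    return hashlib.sha256(b"convergent-key|" + data).digest()

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy deterministic cipher (SHA-256 keystream); stand-in for a real cipher."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(b ^ s for b, s in zip(data, stream))

class DedupStore:
    """Hypothetical storage server: it sees ciphertext only, never keys."""
    def __init__(self):
        self.blobs = {}   # tag -> ciphertext, one copy per distinct file
        self.owners = {}  # tag -> set of owner ids
    def upload(self, owner: str, ciphertext: bytes) -> str:
        tag = hashlib.sha256(ciphertext).hexdigest()
        self.blobs.setdefault(tag, ciphertext)  # a duplicate is not stored again
        self.owners.setdefault(tag, set()).add(owner)
        return tag
    def revoke(self, owner: str, tag: str) -> None:
        self.owners[tag].discard(owner)  # the link is removed, the key is not

def rekey(store: DedupStore, tag: str, old_key: bytes):
    """Trusted-entity re-encryption under a fresh key after an ownership change."""
    new_key = os.urandom(32)
    new_ct = xor_cipher(new_key, xor_cipher(old_key, store.blobs.pop(tag)))
    new_tag = hashlib.sha256(new_ct).hexdigest()
    store.blobs[new_tag] = new_ct
    store.owners[new_tag] = store.owners.pop(tag)
    return new_tag, new_key, len(store.owners[new_tag])  # one delivery per owner

def demo() -> dict:
    data = b"constructed sample file contents " * 4  # constructed input
    store, key = DedupStore(), convergent_key(data)
    for owner in ("alice", "bob", "carol"):  # each derives the key independently
        tag = store.upload(owner, xor_cipher(convergent_key(data), data))
    copies = len(store.blobs)
    store.revoke("bob", tag)
    stale = xor_cipher(key, store.blobs[tag]) == data  # bob's retained key
    new_tag, _, deliveries = rekey(store, tag, key)
    return {"copies": copies, "stale_key_works": stale,
            "old_key_after_rekey": xor_cipher(key, store.blobs[new_tag]) == data,
            "key_deliveries": deliveries}
```

The `key_deliveries` count grows with the number of remaining owners on every ownership change, which is the communication overhead the paragraph above attributes to fixed shared keys.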

In this paper, we propose a deduplication scheme for encrypted data that supports fine-grained access control in a fog storage system. Fine-grained access control implies a cryptographic enforcement of access control in a seamless manner without additional communications and computations on data owner side upon occurrences of ownership changes [20], [21], [22]. For both key management efficiency and security against key exposure threats, user-level keys are adopted in this paper. This refers to the pairing of a data-invariant private key and a data-dependent public key. In terms of efficiency, each data owner is supposed to keep a constant number of keys regardless of the number of outsourced data files. As regards fine-grained access control, valid data owners can access their outsourced plain contents as long as their private keys are kept secret regardless of manipulations performed on the outsourced data on the remote storage side. The proposed scheme also provides consistent privacy no matter how many times membership changes for the same data file occur in remote storage. This is done by updating the user-level public keys and ciphertext stored in the central cloud without knowledge of the private keys. This form of non-interactive update effectively reduces computation and communication overheads without weakening security. The proposed scheme also significantly reduces communication volume and the number of managed keys without security degradation.

The rest of this paper is organized as follows. In Section 2, previous secure deduplication studies are briefly reviewed. In Section 3, our goal for fog storage systems is defined. In Section 4, the proposed deduplication protocol is presented. Then, our scheme is compared with previous approaches in terms of efficiency in Section 5 and the security is analyzed in Section 6, respectively. In Section 7, the paper concludes with a summary of the proposed scheme.

Section snippets

Related work

Although numerous novel studies have contributed to secure deduplication, recent studies have mostly considered cloud storage environments rather than fog computing. In this section, we briefly summarize representative ones among them and point out their limitations and the difficulties in adopting them directly in the fog storage architecture.

Fog storage description and our goals

In this section, we describe the architecture of fog storage systems and then define our goal for this paper.

Proposed data deduplication scheme

In this section, the proposed scheme is described as a data management framework during the life cycle of outsourced data.

Performance analysis

In this section, the proposed scheme is analyzed and compared with state-of-the-art client-side deduplication approaches in terms of functionality and efficiency.

Security analysis

In this section, we analyze the security of the proposed scheme. During data transmission between the cloud and fog devices, we assume that there is a secure communication infrastructure, such as an AAA (Authentication, Authorization, and Accounting) server, for the management of users. This requirement is common to all of the secure deduplication schemes reviewed in the previous section. Under this consideration of user authentication and accounting, a pay-per-use environment would be deployable in pragmatic fog

Conclusion

The addition of user-level data access control is a significant improvement on fine-grained access control in a fog storage environment. In this study, we proposed a secure data deduplication scheme with efficient key management and data update capabilities for outsourced data, marching in step with the fog storage paradigm. The proposed scheme enables fog devices to deduplicate encrypted data within the same domain of data owners. It efficiently handles dynamic ownership changes in the fog storage

Acknowledgments

We are grateful to the anonymous referees for their invaluable contributions to this article. This work was supported by a Korea University Grant. This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIP) (No. 2016R1A2A2A05005402).

Dongyoung Koo received a B.S. degree from Yonsei University, Seoul, South Korea, in 2009, and an M.S. and a Ph.D. degree from Korea Advanced Institute of Science and Technology (KAIST), Daejeon, South Korea in 2012 and 2016, respectively, all in computer science.

He is currently a research professor with the Department of Computer Science and Engineering at Korea University, South Korea.

His research interests include information security, secure cloud computing, and cryptography.

References (75)

  • F. Bonomi, R. Milito, J. Zhu, S. Addepalli, Fog computing and its role in the Internet of things, in: MCC Workshop on...
  • I. Stojmenovic, Fog computing: A cloud to the ground support for smart things and machine-to-machine networks, in:...
  • F. Bonomi et al., Fog Computing: A Platform for Internet of Things and Analytics (2014)
  • M. Yannuzzi, R. Milito, R. Serral-Gracia, D. Montero, M. Nemirovsky, Key ingredients in an iot recipe: Fog computing,...
  • A. Bisong, S.M. Rahman, An overview of the security concerns in enterprise cloud computing, CoRR abs/1101.5613, 2011,...
  • I. Stojmenovic, S. Wen, The fog computing paradigm: Scenarios and security issues, in: Federated Conference on Computer...
  • N.H.A. Rahman et al., Forensic-by-design framework for cyber-physical cloud systems, IEEE Cloud Comput. (2016)
  • Y. Yang et al., On Lightweight Security Enforcement in Cyber-Physical Systems (2016)
  • Y.-Y. Teing et al., Forensic investigation of P2P cloud storage services and backbone for iot networks: Bittorrent sync as a case study, Comput. Electr. Eng. (2016)
  • Malicious insider attacks to rise, Available at...
  • Ex-employees say it’s ok to take corporate data with them, Available at...
  • R. Jiang et al., Efficient self-healing group key management with dynamic revocation and collusion resistance for scada in smart grid, Secur. Commun. Netw. (2015)
  • N.D.W. Cahyani et al., Forensic data acquisition from cloud-of-things devices: windows smartphones as a case study, Concurr. Comput.: Pract. Exper. (2016)
  • C.J. D’Orazio et al., Data exfiltration from Internet of things devices: ios devices as case studies, IEEE Internet Things J. (2016)
  • C.J. D’Orazio et al., A technique to circumvent ssl/tls validations on ios devices, Future Gener. Comput. Syst. (2016)
  • K.-K.R. Choo, Secure Key Establishment, Vol. 41 (2009)
  • V. Goyal et al., Attribute-based encryption for fine-grained access control of encrypted data
  • Y. Yang et al., Extended Proxy-Assisted Approach: Achieving Revocable Fine-Grained Encryption of Cloud Data (2015)
  • P. Puzio, R. Molva, M. Onen, S. Loureiro, Cloudedup: Secure deduplication with encrypted data for cloud storage, in:...
  • P. Puzio et al., Block-level de-duplication with encrypted data, Open J. Cloud Comput. (OJCC) (2014)
  • J. Liu, N. Asokan, B. Pinkas, Secure deduplication of encrypted data without additional independent servers, in: ACM...
  • S. Halevi, D. Harnik, B. Pinkas, A. Shulman-Peleg, Proofs of ownership in remote storage systems, in: ACM Conference on...
  • W.K. Ng, Y. Wen, H. Zhu, Private data deduplication protocols in cloud storage, in: Annual ACM Symposium on Applied...
  • J. Xu, E.-C. Chang, J. Zhou, Weak leakage-resilient client-side deduplication of encrypted data in cloud storage, in:...
  • D. Singelee, S. Seys, L. Batina, I. Verbauwhede, The communication and computation cost of wireless security: Extended...
  • M.W. Storer, K. Greenan, D.D. Long, E.L. Miller, Secure data deduplication, in: ACM International Workshop on Storage...
  • S. Keelveedhi, M. Bellare, T. Ristenpart, Dupless: Server-aided encryption for deduplicated storage, in: USENIX...

Cited by (72)

  • An efficient encrypted deduplication scheme with security-enhanced proof of ownership in edge computing (2022, BenchCouncil Transactions on Benchmarks, Standards and Evaluations)
  • Secure deduplication for big data with efficient dynamic ownership updates (2021, Computers and Electrical Engineering)

    Citation excerpt: It is important to find a way to prevent the unauthorized users from accessing the original data [14]. So some secure deduplication schemes with ownership management [15–17] were proposed. Li et al. [18] proposed a secure deduplication scheme, in which deduplication can only be executed when the users’ privileges satisfy the file’s policy.

Junbeom Hur received a B.S. degree from Korea University, Seoul, South Korea, in 2001, and an M.S. and a Ph.D. degree from the Korea Advanced Institute of Science and Technology (KAIST) in 2005 and 2009, respectively, all in computer science.

He was with the University of Illinois at Urbana–Champaign as a postdoctoral researcher from 2009 to 2011.

He was with the School of Computer Science and Engineering at Chung-Ang University, South Korea as an Assistant Professor from 2011 to 2015. He is currently an Assistant Professor with the Department of Computer Science and Engineering at Korea University, South Korea.

His research interests include information security, cloud computing security, mobile security, and applied cryptography.
