Public integrity verification for data sharing in cloud with asynchronous revocation

Cloud data sharing service,which allows a group of people to access and modify the shared data,is one of the most popular and efficient working styles in enterprises.Recently,there is an uprising trend that enterprises tend to move their IT service from local to cloud to ease the management and reduce the cost.Under the new cloud environment,the cloud users require the data integrity verification to inspect the data service at the cloud side.Several recent studies have focused on this application scenario.In these studies,each user within a group is required to sign a data block created or modified by him.While a user is revoked,all the data previously signed by him should be resigned.In the existing research,the resigning process is dependent on the revoked user.However,cloud users are autonomous.They may exit the system at any time without notifying the system admin and even are revoked due to misbehaviors.As the developers in the cloud-based software development platform,they are voluntary and not strictly controlled by the system.Due to this feature,cloud users may not always follow the cloud service protocol.They may not participate in generating the resigning key and may even expose their secret keys after being revoked.If the signature is not resigned in time,the subsequent verification will be affected.And if the secret key is exposed,the shared data will be maliciously modified by the attacker who grasps the key.Therefore,forcing a revoked user to participate in the revocation process will lead to efficiency and security problems.As a result,designing a practical and efficient integrity verification scheme that supports this scenario is highly desirable.In this paper,we identify this challenging problem as the asynchronous revocation,in which the revocation operations(i.e.,re-signing key generation and resigning process)and the user's revocation are asynchronous.All the revocation operations must be able to be performed without the participation of the revoked user.Even more ambitiously,the revocation process should not rely on any special entity,such as the data owner or a trusted agency.To address this problem,we propose a novel public data integrity verification mechanism in which the data blocks signed by the revoked user will be resigned by another valid user.From the perspectives of security and practicality,the revoked user does not participate in the resigning process and the re-signing key generation.Our scheme allows anyone in the cloud computing system to act as the verifier to publicly and efficiently verify the integrity of the shared data using Homomorphic Verifiable Tags(HVTs).Moreover,the proposed scheme resists the collusion attack between the cloud server and the malicious revoked users.The numerical analysis and experimental results further validate the high efficiency and scalability of the proposed scheme.The experimental results manifest that re-signing 10,000 data blocks only takes 3.815 s and a user can finish the verification in 300 ms with a 99% error detection probability.

PIMS:An Efficient Process Integrity Monitoring System Based on Blockchain and Trusted Computing in Cloud-Native Context

With the advantages of lightweight and high resource utilization,cloud-native technology with containers as the core is gradually becoming themainstreamtechnical architecture for information infrastructure.However,malware attacks such as Doki and Symbiote threaten the container runtime’s security.Malware initiates various types of runtime anomalies based on process form(e.g.,modifying the process of a container,and opening the external ports).Fortunately,dynamic monitoring mechanisms have proven to be a feasible solution for verifying the trusted state of containers at runtime.Nevertheless,the current routine dynamic monitoring mechanisms for baseline data protection are still based on strong security assumptions.As a result,the existing dynamicmonitoringmechanismis still not practical enough.To ensure the trustworthiness of the baseline value data and,simultaneously,to achieve the integrity verification of the monitored process,we combine blockchain and trusted computing to propose a process integrity monitoring system named IPMS.Firstly,the hardware TPM 2.0 module is applied to construct a trusted security foundation for the integrity of the process code segment due to its tamper-proof feature.Then,design a new format for storing measurement logs,easily distinguishing files with the same name in different containers from log information.Meanwhile,the baseline value data is stored on the blockchain to avoidmalicious damage.Finally,trusted computing technology is used to perform fine-grained integrity measurement and remote attestation of processes in a container,detect abnormal containers in time and control them.We have implemented a prototype system and performed extensive simulation experiments to test and analyze the functionality and performance of the PIMS.Experimental results show that PIMS can accurately and efficiently detect tampered processes with only 3.57% performance loss to the container.

WiBPA:An Efficient Data Integrity Auditing Scheme Without Bilinear Pairings

The security of cloud data has always been a concern.Cloud server provider may maliciously tamper or delete user’s data for their own benefit,so data integrity audit is of great significance to verify whether data is modified or not.Based on the general three-party audit architecture,a dynamic auditing scheme without bilinear pairings is proposed in this paper.It utilizes exponential operation instead of bilinear mapping to verify the validity of evidence.By establishing the mapping relation between logic index and tag index of data block with index transformation table,our scheme can easily support dynamic data operation.By hiding random numbers in the integrity evidence,our scheme can protect users’privacy information.Detailed security analysis shows that our scheme is secure against attacks such as forgery,replaying and substitution.Further experiments demonstrate that our scheme has lower computational overhead.