5.4.3. FADE - policy-based deletion
(from : 1 )
Background
- two key encryption similar to Time-based solutions
- data encrypted using data key
- data key is secured by (encrypted or distributed according to) control key
- control key may be time-based
Idea
- each file associated with file access policy
- each policy may be Boolean combination of atomic policies
- each atomic policy is associated with control key (may be time-based), controlled by key manager
- when policy is revoked the corresponding key is removed from key manager
- when the policy combination associated with a file is revoked, the data key (hence the encrypted content) cannot be recovered with the control keys of the policies -- we say the file is deleted
FADE: protocol participants
- Data owner
- - entity that originates file data to be stored on the cloud. It may be a file system of a PC, a user-level program, a mobile device, or even in the form of a plug-in of a client application.
- Key manager
- - maintains the policy-based control keys that are used to encrypt data keys. It responds to the data owner'ss requests by performing encryption, decryption, renewal, and revocation to the control keys. Quorum of managers and introducing secret sharing is optional in order to improve the robustness of the key manager service to being compromised, however such modification increases the overhead of keys.
- Storage cloud
- - maintained by a third-party cloud provider and keeps the data on behalf of the data owner. There are no protocol and implementation changes needed on the storage cloud to FADE system. Even a naive storage service that merely provides file upload/download operations is suitable to cooperate with FADE.
Fig. 5.4.3/1: Example from : 1
- Conjunctive Policies:
- If file \(F\) is associated with policies \(P_1\wedge \dots \wedge P_m\), data owner has to generate data key \(K\) and keys \(S_1, \dots, S_m\) Key \(K\) is encrypted using all \(S_i\) keys, namely: \(\lbrace \lbrace K\rbrace_{S_1}\rbrace_{S_2}\cdots _{S_m}\) and together with \(\lbrace F \rbrace_K\) and \(S_1^{e_1},\dots,S_m^{e_m}\) is stored in the cloud. In similar manner, during download the owner sends to the key manager \((S_1 R)^{e_1},\dots,(S_m R)^{e_m}\) and after response recovers \(S_1,\dots,S_m\), hence \(K\) and \(F\).
- Disjunctive Policies:
- If file \(F\) is associated with policies \(P_1\vee \dots \vee P_m\), data owner has to generate data key \(K\) and keys \(S_1, \dots, S_m\) Key \(K\) is encrypted separately by each \(S_i\) key, namely: \(\lbrace K\rbrace_{S_1}, \dots \lbrace K\rbrace_{S_m}\) and together with \(\lbrace F \rbrace_K\) and \(S_1^{e_1},\dots,S_m^{e_m}\) is stored in the cloud. In order to recover \(F\) owner may use any of the policies.
Policy Reneval
Important is that the old policy will always be revoked first before the new policy is revoked. If the new policy is revoked first, then the file version that is protected with the old policy may still be accessible when the control keys of the old policy are compromised, meaning that the file is not assuredly deleted. A straightforward approach of implementing policy renewal is to combine the file upload and download operations, but without retrieving the encrypted file from the cloud.
Procedures summary
The procedures can be summarized as follows:
- download all encrypted keys from the storage cloud,
- send them to the key manager for decryption,
- recover the data key,
- re-encrypt the data key with the control keys of the new policies,
- send the newly encrypted keys back to the cloud.
- File metadata: contains two pieces of information -- file size and HMAC. FADE uses HMAC-SHA1 for integrity checking. The file metadata is of fixed size (with 8 bytes of file size and 20 bytes of HMAC) and is attached at the beginning of the encrypted file.
- Policy metadata: includes the specification of the Boolean combination of policies and the corresponding encrypted cryptographic keys. Each single policy is specified by a unique 4-byte integer identifier. To represent a Boolean combination of policies '*' and '+' are used to denote the AND and OR operators. Policy metadata is uploaded as a separate file in order to allow easy policy changes.
Key manager functionality
- Creating policy - the key manager creates a new policy and returns the corresponding public control key.
- Retrieving the public control key of a policy - if the policy is accessible, then the key manager returns the public control key. Otherwise, an error is returned.
- Decrypting a key with respect to a policy - if the policy is accessible, then the key manager decrypts the (blinded) key. Otherwise, an error is returned.
- Revoking a policy - the key manager revokes the policy and removes the corresponding keys.
Data owner and Storage cloud interface
- Upload(file,policy) - input file is encrypted using given policy and transfered to the cloud along with metadata. FADE uses 128-bit AES with CBC.
- Download(file) - data owner retrieves the file and the policy metadata from the cloud, checks the integrity of the file, and decrypts the file.
- Delete(policy) - data owner tells the key manager to permanently revoke the specified policy. All files associated with the policy will be assuredly deleted.
- Renew(file,newpolicy) - data owner first fetches the policy metadata for the given file from the cloud, then updates the policy metadata with the new policy. Finally, sends the policy metadata back to the cloud.
Results presented by the authors in : 1 show that overhead caused by using FADE is not significant.
The results of the experiments are presented below.
Experiment 1. Performance of upload/download operations
File size Total time Data transmision AES+HMAC Key managment File (%) Policy (%) Time (%) Time (%) 1KB 1.260s 0.724s 57.4% 0.537s 42.6% 0.000s 0.0% 0.000s 0.0% 10KB 1.552s 1.020s 65.7% 0.532s 34.3% 0.001s 0.0% 0.000s 0.0% 100KB 2.452s 1.903s 77.6% 0.546s 22.3% 0.002s 0.1% 0.001s 0.0% 1MB 4.194s 3.646s 86.9% 0.527s 12.6% 0.022s 0.5% 0.000s 0.0% 10MB 16.275s 15.463s 95.0% 0.595s 3.7% 0.218s 1.3% 0.000s 0.0%
File size Total time Data transmision AES+HMAC Key managment File (%) Policy (%) Time (%) Time (%) 1KB 0.843s 0.485s 57.5% 0.355s 42.1% 0.000s 0.0% 0.003s 0.4% 10KB 0.912s 0.615s 67.4% 0.294s 32.2% 0.000s 0.0% 0.003s 0.3% 100KB 1.968s 1.682s 85.5% 0.282s 14.3% 0.002s 0.1% 0.002s 0.1% 1MB 4.696s 4.360s 92.8% 0.317s 6.7% 0.017s 0.4% 0.002s 0.1% 10MB 33.746s 33.182s 98.3% 0.395s 1.2% 0.166s 0.5% 0.002s 0.0%
Experiment 2. Performance of policy updates
We do not show the AES+HMAC time as it is not involved in policy renewal.
File size Total time Data transmision Key managment Download (%) Upload (%) Time (%) 1KB 0.923s 0.315s 34.1% 0.605s 65.5% 0.004s 0.4% 10KB 0.805s 0.266s 33.0% 0.536s 66.6% 0.004s 0.4% 100KB 0.821s 0.271s 33.0% 0.546s 66.5% 0.004s 0.5% 1MB 0.813s 0.273s 33.5% 0.537s 66.0% 0.003s 0.4% 10MB 0.832s 0.266s 32.0% 0.562s 67.6% 0.004s 0.5%
Tang, Y., Lee, P.P.C., Lui, J.C.S., Perlman, R.: Secure overlay cloud storage with access control and assured deletion.
IEEE Trans. Dependable Secur. Comput. 9(6) (2012) 903-916. http://dx.doi.org/10.1109/TDSC.2012.49