Abstract
With the fast-paced growth of digital data and exploding storage management costs, enterprises are looking for new ways to manage their data effectively. One such cost-effective paradigm is the cloud storage model, also referred to as Storage-as-a-Service, in which enterprises outsource their storage to a storage service provider (SSP) by storing data (usually encrypted) at a remote SSP-managed site and accessing it over a high-speed network. Along with the storage capacity used, the SSP often charges clients for the amount of data that is accessed from the SSP site. Thus, it is in the interest of the client enterprise to download only relevant content. This makes search over outsourced storage an important capability. Searching over encrypted outsourced storage, however, is a complex challenge. First, each enterprise has different access privileges for different users, and this access control needs to be preserved during search (for example, ensuring that a user cannot search through data that is inaccessible from the filesystem due to its permissions). Second, the search mechanism has to preserve confidentiality from the SSP, and indices cannot be stored in plain text.
In this article, we present a new filesystem search technique that integrates access control and indexing/search mechanisms into a unified framework to support access-control-aware search. Our approach performs indexing within the trusted enterprise domain and uses a novel access control barrel (ACB) primitive to encapsulate access control within these indices. The indices are then systematically encrypted and shipped to the SSP for hosting. Unlike existing enterprise search techniques, our approach is resilient to various common attacks that leak private information. Additionally, to the best of our knowledge, our approach is the first such technique that allows search indices to be hosted at the SSP site, thus effectively providing search-as-a-service. This does not require the client enterprise to fully trust the SSP for data confidentiality. We describe the architecture and implementation of our approach and present a detailed experimental analysis comparing it with other approaches.
Index Terms
Search-as-a-service: Outsourced search over outsourced storage