[ieee cloudcom 2013] cloudedup - secure deduplication with encrypted data
DESCRIPTION
With the continuous and exponential increase of the number of users and the size of their data, data deduplication becomes more and more a necessity for cloud storage providers. By storing a unique copy of duplicate data, cloud providers greatly reduce their storage and data transfer costs. The advantages of deduplication unfortunately come with a high cost in terms of new security and privacy challenges. We propose ClouDedup, a secure and efficient storage service which assures block-level deduplication and data confidentiality at the same time. Although based on convergent encryption, ClouDedup remains secure thanks to the definition of a component that implements an additional encryption operation and an access control mechanism. Furthermore, as the requirement for deduplication at block-level raises an issue with respect to key management, we suggest to include a new component in order to implement the key management for each block together with the actual deduplication operation. We show that the overhead introduced by these new components is minimal and does not impact the overall storage and computational costs.TRANSCRIPT
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
ClouDedup:Secure Deduplication with
Encrypted DataPasquale Puzio
SecludIT & EURECOM
Refik Molva (EURECOM)
Melek Önen (EURECOM)
Sergio Loureiro (SecludIT)
IEEE CloudCom 2013, Bristol, UK
December 3rd
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Deduplication
● Storing duplicated data only once● Total space savings up to 90-95% in backup
applications
1
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Deduplication
...but it does not work on encrypted data!
D = Hello World
D = Hello World
ENCRYPTION with K1 ENCRYPTION with K2
owhfgr0wgr[whfrw0[h0[erghe0[gh0[eg
dfjl;dbfrwbfirbfroepthwobgfrugtwertgrtwu
2
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Convergent Encryption
Data Encryption key derived from Data
K = hash(Data)
D = Hello World
D = Hello World
ENCRYPTION with H(D) ENCRYPTION with H(D)
klfgwilegfiorwegtriegtiergieiergriegrigfifiw
klfgwilegfiorwegtriegtiergieiergriegrigfifiw
3
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Convergent Encryption
● Convergent Encryption is vulnerable to “dictionary attacks” [Perttula et al]
● Solutions based on key agreement infeasible in the Cloud
● How to achieve safe Convergent Encryption in the Cloud ?
⇨ Additional deterministic encryption with the same secret key for all users
4
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Solution – Additional Encryption
● Convergent encryption by Users● Additional Encryption by server/gateway
○ Deterministic ○ Unique key known only by the server○ No key exchange/sharing○ Security by design
5
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Solution - Metadata
Block-level deduplication + convergent encryption
⇨ New requirement: key management
SOLUTION▪ metadata manager
▪ deduplication on encrypted blocks ▪ management of block keys
▪ separation between data and metadata
⇨ independance from actual storage
6
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Metadata Manager
7
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Solution – putting all together
8
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Metadata Overhead
9
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Performance
● Storage/retrieval cost is linear with block count
● Deduplication cost is constant
10
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Security
11
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Conclusion
● Confidentiality and block-level deduplication● Countermeasure against CE vulnerabilities
● Negligible performance impact
● Storage agnostic● Transparent to the storage provider
12
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
Future Work
● Prototype for performance analysis (ongoing, current results are promising)
● Typical operations such as edit, append and delete
● Data sharing
13
ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage Pasquale Puzio
THANK YOU