采用随机块附加策略的云数据安全去重方法

doi:10.19665/j.issn1001-2400.20230503

摘要/Abstract

摘要：

源端去重技术通过返回确定性响应阻止后续用户上传相同文件,极大地节省了网络带宽和存储开销。然而这种确定性响应带来了侧信道攻击。一旦请求文件不需要后续上传,攻击者便能轻易窃取云存储中目标文件的存在性隐私。为抵抗侧信道攻击,学者们提出添加可信网关、设置触发阈值、混淆响应值等抵御方法;但上述方法分别存在部署成本高、启动开销大和难以抵抗随机块生成攻击和学习剩余信息攻击等不足。为解决这一问题,提出了一种简单而有效的云数据安全去重方法,采用随机块附加策略实现对去重响应的混淆。首先在去重请求末尾附加一定数量且状态未知的文件块来模糊原请求块的存在状态,然后通过乱序处理降低响应值下边界的返回概率,最后结合新提出的响应表生成去重响应。安全性分析和实验结果表明,与现有技术相比,该方法以增加少量开销为代价显著提高了安全性。

关键词: 云存储, 重复数据删除, 侧信道攻击, 隐私安全

Abstract:

Source based deduplication prevents subsequent users from uploading the same file by returning a deterministic response,which greatly saves the network bandwidth and storage overhead.However,the deterministic response inevitably introduces side channel attacks.Once the subsequent uploading is not needed,an attacker can easily steal the existent privacy of the target file in cloud storage.To resist side channel attacks,various kinds of defense schemes such as adding trusted gateways,setting trigger thresholds,confusing response values,and so on are proposed.However,these methods suffer from the problems of high deployment costs,high startup costs and the difficulty in resisting random chunks generation attack and learn remaining information attack.Thus,we propose a novel secure deduplication scheme,which utilizes the random chunks attachment strategy to achieve obfuscation in response.Specifically,we first add a certain number of chunks with the unknown existent status at the end of the request to blur the existent status of the original requested ones,and then reduce the probability of returning a lower boundary value in response by scrambling strategy.Finally,the deduplication response is generated with the help of the newly designed response table.Security analysis and experimental results show that,compared with the existing works,our scheme significantly improve the security at the expense of just a little extra overhead.

Key words: cloud storage, deduplication, side channel attack, privacy security

中图分类号:

TN915.08

林耿豪,周子集,唐鑫,周艺腾,钟宇琪,齐天旸. 采用随机块附加策略的云数据安全去重方法[J]. 西安电子科技大学学报, 2023, 50(5): 212-228.

LIN Genghao,ZHOU Ziji,TANG Xin,ZHOU Yiteng,ZHONG Yuqi,QI Tianyang. Random chunks attachment strategy based secure deduplication for cloud data[J]. Journal of Xidian University, 2023, 50(5): 212-228.

图/表 12

图1

图2

表1

图3

图4

图5

图6

表2

图7

图8

图9

图10

参考文献 24

[1]	HARNIK D, PINKAS B, SHULMAN-PELE G. Side Channels in Cloud Services:Deduplication in Cloud Storage[J]. IEEE Security & Privacy, 2010, 8(6):40-47.
[2]	SU K W, LEU J S, YU M C, et al. Design and Implementation of Various File Deduplication Schemes on Storage Devices[J]. Mobile Networks and Applications, 2017, 22:40-50. doi: 10.1007/s11036-016-0677-9
[3]	刘红燕. 云存储环境中安全的重复数据删除方法研究[D]. 青岛: 青岛大学, 2020.
[4]	PAULO J, PEREIRA J. A Survey and Classification of Storage Deduplication Systems[J]. ACM Computing Surveys (CSUR), 2014, 47(1):1-30.
[5]	刘小梅, 唐鑫, 杨舒婷, 等. 基于Reed-Solomon编码的抗边信道攻击云数据安全去重方法[J]. 信息安全学报, 2022, 7(6):80-93.
	LIU Xiaomei, TANG Xin, YANG Shuting, et al. Reed-Solomon Coding Based Secure Deduplication for Cloud Storage with Resistance Against Side Channel Attack[J]. Journal of Cyber Security, 2022, 7(6):80-93.
[6]	RABOTKA V, MANNAN M. An Evaluation of Recent Secure Deduplication Proposals[J]. Journal of Information Security & Applications, 2016, 27:3-18.
[7]	ZUO P F, HUA Y, WANG C, et al. Mitigating Traffic-Based Side Channel Attacks in Bandwidth-Efficient Cloud Storage[C]//The 32th IEEE International Parallel and Distributed Processing Symposium(IPDPS). Piscataway:IEEE, 2018:1153-1162.
[8]	唐鑫, 周琳娜, 单伟杰, 等. 基于阈值重加密的抗边信道攻击云数据安全去重方法[J]. 通信学报, 2020, 41(6):98-111. doi: 10.11959/j.issn.1000-436x.2020103
	TANG Xin, ZHOU Linna, SHAN Weijie, et al. Threshold Re-Encryption Based Secure Deduplication Method for Cloud Data with Resistance Against Side Channel Attack[J]. Journal of Communications, 2020, 41(6):98-111. doi: 10.11959/j.issn.1000-436x.2020103
[9]	HEEN O, NEUMANN C, MONTALVO L, et al. Improving the Resistance to Side-channel Attacks on Cloud Storage Services[C]//International Conference on New Technologies,Mobility and Security(NTMS). Piscataway:IEEE, 2012:1-5.
[10]	高原, 咸鹤群, 穆雪莲, 等. 基于阈值自适应调整的重复数据删除方案[J]. 青岛大学学报:自然科学版, 2019, 32(4):36-39.
	GAO Yuan, XIAN Hequn, MU Xuelian, et al. Data Deduplication Scheme Based on Adaptive Adjustment of Threshold[J]. Journal of Qingdao University:Natural Science Edition, 2019, 32(4):36-39.
[11]	TANG X, CHEN X, ZHOU R, et al. Marking Based Obfuscation Strategy to Resist Side Channel Attack in Cross-User Deduplication for Cloud Storage[C]//The 21th IEEE International Conference on Trust,Security and Privacy in Computing and Communications(TrustCom). Piscataway:IEEE, 2022:1-9.
[12]	TANG X, ZHANG Y, ZHOU L N, et al. Request Merging Based Cross-User Deduplication for Cloud Storage with Resistance Against Appending Chunks Attack[J]. Chinese Journal of Electronics, 2021, 30(2):199-209. doi: 10.1049/cje2.v30.2
[13]	LEE S, CHOI D. Privacy-Preserving Cross-User Source-Based Data Deduplication in Cloud Storage[C]//International Conference on ICT Convergence. Piscataway:IEEE, 2012:329-330.
[14]	WANG B, LOU W, HOU Y T. Modeling the Side-Channel Attacks in Data Deduplication with Game Theory[C]//2015 IEEE Conference on Communications and Network Security(CNS).Piscataway:IEEE, 2015:200-208.
[15]	TANG X, ZHOU L, HU B, et al. Aggregation-Based Tag Deduplication for Cloud Storage with Resistance Against Side Channel Attack[J]. Security and Communication Networks, 2021, 2021:1-15.
[16]	ZHANG Y, MAO Y, XU M, et al. Towards Thwarting Template Side-Channel Attacks in Secure Cloud Deduplications[J]. IEEE Transactions on Dependable and Secure Computing, 2019, 18(3):1008-1018.
[17]	YU C M, GOCHHAYAT S P, CONTI M, et al. Privacy Aware Data Deduplication for Side Channel in Cloud Storage[J]. IEEE Transactions on Cloud Computing, 2018, 8(2):597-609. doi: 10.1109/TCC.6245519
[18]	POORANIAN Z, CHEN K C, YU C M, et al. RARE:Defeating Side Channels Based on Data-Deduplication in Cloud Storage[C]//The 39th IEEE International Conference on Computer Communications Workshops (INFOCOM WKSHPS). Piscataway:IEEE, 2018:444-449.
[19]	VESTERGAARD R, ZHANG Q, LUCANI D E. CIDER:A Low Overhead Approach to Privacy Aware Client-Side Deduplication[C]//The 63th IEEE Global Communications Conference(GLOBALCOM). Piscataway:IEEE, 2021:1-6.
[20]	HA G, CHEN H, JIA C, et al. Threat Model and Defense Scheme for Side-Channel Attacks in Client-Side Deduplication[J]. Tsinghua Science and Technology, 2022, 28(1):1-12.
[21]	TANG X, ZHOU L N, HUANG Y F, et al. Efficient Cross-User Deduplication of Encrypted Data Through Re-Encryption[C]//The 17th IEEE International Conference on Trust,Security and Privacy in Computing and Communications. Piscataway:IEEE, 2018:897-904.
[22]	WANG Y H, TANG X, ZHOU Y T, et al. Blockchain-Based Integrity Auditing with Secure Deduplication in Cloud Storage[C]//The Seventh International Conference on Data Mining and Big Data(DMBD'2022).Heidelberg:Springer, 2022:303-318.
[23]	BECKER B, KOHAVI R.Census Income (2002)[R/OL].[2002-01-01]. https://archive.ics.uci.edu/ml/machine-learning-databases/adult/adult.data.
[24]	COHEN W W. Enron Email Dataset (2015)[R/OL].[2015-05-07]. https://www.cs.cmu.edu/-enron/.

去重方案	泄露隐私次数/次
DEDUP	100 000
ZEUS	100 000
RARE	50 054
CIDER(4)	50 090
CIDER(8)	49 986
RCAS(k=2,t=0)	25 016
RCAS(k=4,t=0)	6 256
RCAS(k=6,t=0)	1 561
RCAS(k=4,t=1)	475
RCAS(k=6,t=1)	66