Cloud Data Sharing and Device-Loss Recovery with Hardware-Bound Keys

Publication: Contribution in Book/Report/Conference Proceedings › Contribution in Conference Proceedings › Research › Peer-reviewed

Abstract

Cloud-based storage services, such as Dropbox, Google Drive, or NextCloud, are broadly used to share data with others or between the individual devices of one user because of their convenience. Various end-to-end encryption mechanisms can be applied to protect the confidentiality of sensitive data in a not fully trusted cloud environment. As all such encryption mechanisms require keys to be stored on the client's device, losing a device (and with it the key) can have catastrophic consequences: losing access to all outsourced data. Strategies to recover from key loss come with various trade-offs. For example, storing the key on a flash drive burdens the user with keeping it secure and available, while encrypting the key with a password before uploading it to the cloud requires users to remember a complex password. These strategies also require that the key can be extracted from the device's hardware, which risks the confidentiality of the key and the data once a curious person finds a lost device or a thief steals it.

In this paper, we propose and implement a cloud-based data sharing system that supports recovery after key loss while binding the keys to the devices' hardware. By using multi-use proxy re-encryption, we build a network of re-encryption keys that enables users to use any of their devices to access data or to share it with other users. In case of device loss, we amend this network of re-encryption keys -- potentially with the help of one or more user-selected recovery users -- to restore data access on the user's new device. Our implementation demonstrates the system's feasibility and underlines its practical performance.
Original language: English
Title: 15th International Conference on Information Systems Security, ICISS 2019
Publication status: Accepted/In press - 2019

Fingerprint

Cryptography
Hardware
Recovery
Computer hardware

Cite this

Hörandner, F., & Nieddu, F. (Accepted/In press). Cloud Data Sharing and Device-Loss Recovery with Hardware-Bound Keys. In 15th International Conference on Information Systems Security, ICISS 2019.

Cloud Data Sharing and Device-Loss Recovery with Hardware-Bound Keys. / Hörandner, Felix; Nieddu, Franco.

15th International Conference on Information Systems Security, ICISS 2019. 2019.

Hörandner, F & Nieddu, F 2019, Cloud Data Sharing and Device-Loss Recovery with Hardware-Bound Keys. in 15th International Conference on Information Systems Security, ICISS 2019.
Hörandner F, Nieddu F. Cloud Data Sharing and Device-Loss Recovery with Hardware-Bound Keys. in 15th International Conference on Information Systems Security, ICISS 2019. 2019
Hörandner, Felix ; Nieddu, Franco. / Cloud Data Sharing and Device-Loss Recovery with Hardware-Bound Keys. 15th International Conference on Information Systems Security, ICISS 2019. 2019.
@inproceedings{3ff108280e764e77a7d86c761de89f27,
title = "Cloud Data Sharing and Device-Loss Recovery with Hardware-Bound Keys",
author = "Felix H{\"o}randner and Franco Nieddu",
year = "2019",
language = "English",
booktitle = "15th International Conference on Information Systems Security, ICISS 2019",
}

TY - GEN

T1 - Cloud Data Sharing and Device-Loss Recovery with Hardware-Bound Keys

AU - Hörandner, Felix

AU - Nieddu, Franco

PY - 2019

Y1 - 2019

M3 - Conference contribution

BT - 15th International Conference on Information Systems Security, ICISS 2019

ER -