Astrape: An Efficient Concurrent Cloud Attestation with Ciphertext-Policy Attribute-Based Encryption
Abstract
:1. Introduction
- The design of a flexible architecture, Astrape, to enforce an efficient attestation for a remote cloud system under multi-requester scenarios. Astrape resorts to an attestation proxy for the distribution of the newly-generated encrypted report, in which computation and communication overhead can be drastically reduced on the attester side.
- Providing a concurrent attestation protocol with integrity and confidentiality guarantee in an efficient manner. In this protocol, we leverage nonces’ aggregation, attribute-based encryption and delegation-based response to enable controlled attestation for qualified requesters posing a set of attributes to satisfy the access policy.
- Introducing the trust measure into the CP-ABE to build more expressive access policies, whereby we enable the report acquired by qualified requesters. By measuring trust based on behavior evidence, Astrape achieves a more controlled report for the trustworthy attestation.
- A proof-of-concept prototype of the architecture with concurrent attestation in a cloud environment, as well as security and performance evaluations that confirm the effectiveness and efficiency of Astrape.
2. Background
2.1. Cloud Computing
- SaaS (Software as a Service): The capability offered to cloud users is to make use of applications provided by the cloud provider. The users do not have a right of management or control over the underlying cloud infrastructure to support applications’ execution.
- PaaS (Platform as a Service): The capability offered to cloud users is to deploy user-created applications by using programming languages and tools of the cloud provider. The users just have a right of control over its applications and possibly environment configurations.
- IaaS (Infrastructure as a Service): The capability offered to cloud users is to provision fundamental computing resources to deploy arbitrary software. The users have control over operating systems, storage and deployed applications.
2.2. Ciphertext-Policy Attribute-Based Encryption
2.3. Remote Attestation
2.4. Standard Attestation Protocol
3. Astrape Architecture
3.1. Overview
3.2. Threat Model and Assumptions
4. Efficient and Trustworthy Concurrent Attestation
4.1. Aggregated Attestation Signature
4.2. Cryptographic Keys Used
4.3. Delegation-Based Controlled Report
4.4. Concurrent Attestation Protocol
4.5. Measuring Trust in Clouds
5. Evaluation
5.1. Experimentation Setup
5.2. Performance Evaluation
5.2.1. Nonces’ Aggregation
5.2.2. Aggregated Attestation Signature
5.2.3. Symmetric Encryption
5.2.4. Private Key Generation
5.2.5. CP-ABE Encryption and Decryption
5.2.6. Full System Performance
5.3. Security Evaluation
6. Related Work
7. Discussion and Limitation
8. Conclusions
Author Contributions
Funding
Acknowledgments
Conflicts of Interest
Abbreviations
ABE | Attribute-Based Encryption |
AIK | Attestation Identity Key |
CA | Certificate Authority |
CP-ABE | Ciphertext-Policy Attribute-Based Encryption |
FIFO | First-In-First-Out |
IMA | Integrity Measurement Architecture |
KP-ABE | Key-Policy Attribute-Based Encryption |
PCR | Platform Configuration Register |
SELinux | Security-Enhanced Linux |
SEV | Secure Encrypted Virtualization |
SGX | Software Guard Extensions |
TCB | Trusted Computing Base |
TCG | Trusted Computing Group |
TEE | Trusted Execution Environment |
TPM | Trusted Platform Module |
vTPM | virtual TPM |
VM | Virtual Machine |
References
- Palos-Sanchez, P.R. Drivers and Barriers of the Cloud Computing in SMEs: The Position of the European Union. Harv. Deusto Bus. Res. 2017, 6, 116–132. [Google Scholar] [CrossRef]
- Armbrust, M.; Fox, A.; Griffith, R.; Joseph, A.D.; Katz, R.; Konwinski, A.; Lee, G.; Patterson, D.; Rabkin, A.; Stoica, I.; Zaharia, M. A View of Cloud Computing. Commun. ACM 2010, 53, 50–58. [Google Scholar] [CrossRef]
- Takabi, H.; Joshi, J.B.; Ahn, G.J. Security and Privacy Challenges in Cloud Computing Environments. IEEE Secur. Priv. 2010, 8, 24–31. [Google Scholar] [CrossRef]
- Zissis, D.; Lekkas, D. Addressing Cloud Computing Security Issues. Future Gener. Comput. Syst. 2012, 28, 583–592. [Google Scholar] [CrossRef]
- Palos-Sanchez, P.R.; Arenas-Marquez, F.J.; Aguayo-Camacho, M. Cloud Computing (SaaS) Adoption as a Strategic Technology: Results of an Empirical Study. Mob. Inf. Syst. 2017, 2017, 2536040. [Google Scholar] [CrossRef]
- Sailer, R.; Zhang, X.; Jaeger, T.; van Doorn, L. Design and Implementation of a TCG-based Integrity Measurement Architecture. In Proceedings of the 13th USENIX Security Symposium, USENIX Association, San Diego, CA, USA, 9–13 August 2004; pp. 223–238. [Google Scholar]
- TCG. TPM Main Specification. Available online: https://trustedcomputinggroup.org/resource/tpm-main-specification/ (accessed on 8 March 2018).
- TCG. TPM Library Specification. Available online: https://trustedcomputinggroup.org/resource/tpm-library-specification/ (accessed on 8 March 2018).
- Santos, N.; Rodrigues, R.; Gummadi, K.P.; Saroiu, S. Policy-sealed Data: A New Abstraction for Building Trusted Cloud Services. In Proceedings of the 21st USENIX Security Symposium, USENIX Association, Bellevue, WA, USA, 8–10 August 2012; pp. 175–188. [Google Scholar]
- Zhang, T.; Lee, R.B. CloudMonatt: An Architecture for Security Health Monitoring and Attestation of Virtual Machines in Cloud Computing. In Proceedings of the 42nd Annual International Symposium on Computer Architecture, Portland, OR, USA, 13–17 June 2015; pp. 362–374. [Google Scholar]
- Zhang, T.; Lee, R.B. Design, Implementation and Verification of Cloud Architecture for Monitoring a Virtual Machine’s Security Health. IEEE Trans. Comput. 2018, 67, 799–815. [Google Scholar] [CrossRef]
- Dragoni, N.; Giallorenzo, S.; Lafuente, A.L.; Mazzara, M.; Montesi, F.; Mustafin, R.; Safina, L. Microservices: Yesterday, Today, and Tomorrow. In Present and Ulterior Software Engineering; Springer: Berlin, Germany, 2017; pp. 195–216. [Google Scholar] [Green Version]
- Mei, S.; Wang, Z.; Cheng, Y.; Ren, J.; Wu, J.; Zhou, J. Trusted Bytecode Virtual Machine Module: A Novel Method for Dynamic Remote Attestation in Cloud Computing. Int. J. Comput. Intell. Syst. 2012, 5, 924–932. [Google Scholar] [CrossRef] [Green Version]
- Ba, H.; Zhou, H.; Qiao, H.; Wang, Z.; Ren, J. RIM4J: An Architecture for Language-Supported Runtime Measurement against Malicious Bytecode in Cloud Computing. Symmetry 2018, 10, 253. [Google Scholar] [CrossRef]
- Bethencourt, J.; Sahai, A.; Waters, B. Ciphertext-Policy Attribute-Based Encryption. In Proceedings of the 2007 IEEE Symposium on Security and Privacy, San Jose, CA, USA, 20–23 May 2007; pp. 321–334. [Google Scholar]
- Jula, A.; Sundararajan, E.; Othman, Z. Cloud Computing Service Composition: A Systematic Literature Review. Expert Syst. Appl. 2014, 41, 3809–3824. [Google Scholar] [CrossRef]
- Stieninger, M.; Nedbal, D. Characteristics of Cloud Computing in the Business Context: A Systematic Literature Review. Glob. J. Flex. Syst. Manag. 2014, 15, 59–68. [Google Scholar] [CrossRef]
- Radu, L.D. Green Cloud Computing: A Literature Survey. Symmetry 2017, 9, 295. [Google Scholar] [CrossRef]
- Mell, P.; Grance, T. The NIST Definition of Cloud Computing, Technical Report 2011. Available online: https://csrc.nist.gov/publications/detail/sp/800-145/final (accessed on 5 March 2018).
- Wang, G.; Liu, Q.; Wu, J. Hierarchical Attribute-based Encryption for Fine-grained Access Control in Cloud Storage Services. In Proceedings of the 17th ACM Conference on Computer and Communications Security, Chicago, IL, USA, 4–8 October 2010; pp. 735–737. [Google Scholar]
- Li, J.; Yao, W.; Zhang, Y.; Qian, H.; Han, J. Flexible and Fine-Grained Attribute-Based Data Storage in Cloud Computing. IEEE Trans. Serv. Comput. 2017, 10, 785–796. [Google Scholar] [CrossRef]
- Zuo, C.; Shao, J.; Liu, J.K.; Wei, G.; Ling, Y. Fine-Grained Two-Factor Protection Mechanism for Data Sharing in Cloud Storage. IEEE Trans. Inf. Forensics Secur. 2018, 13, 186–196. [Google Scholar] [CrossRef]
- Wang, G.; Liu, Q.; Wu, J.; Guo, M. Hierarchical Attribute-based Encryption and Scalable User Revocation for Sharing Data in Cloud Servers. Comput. Secur. 2011, 30, 320–331. [Google Scholar] [CrossRef]
- Wan, Z.; Liu, J.; Deng, R. HASBE: A Hierarchical Attribute-Based Solution for Flexible and Scalable Access Control in Cloud Computing. IEEE Trans. Inf. Forensics Secur. 2012, 7, 743–754. [Google Scholar] [CrossRef]
- Yang, K.; Jia, X. Attributed-Based Access Control for Multi-authority Systems in Cloud Storage. In Proceedings of the 2012 IEEE 32nd International Conference on Distributed Computing Systems, Macau, China, 18–21 June 2012; pp. 536–545. [Google Scholar]
- Yang, K.; Jia, X.; Ren, K.; Zhang, B.; Xie, R. DAC-MACS: Effective Data Access Control for Multiauthority Cloud Storage Systems. IEEE Trans. Inf. Forensics Secur. 2013, 8, 1790–1801. [Google Scholar] [CrossRef] [Green Version]
- Cheng, Y.; Ren, J.; Wang, Z.; Mei, S.; Zhou, J. Keys Distributing Optimization of CP-ABE Based Access Control in Cryptographic Cloud Storage. IEICE Trans. Inf. Syst. 2012, 95, 3088–3091. [Google Scholar] [CrossRef]
- Shi, E.; Perrig, A.; Doorn, L.V. BIND: A Fine-Grained Attestation Service for Secure Distributed Systems. In Proceedings of the 2005 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 8–11 May 2005; pp. 154–168. [Google Scholar] [Green Version]
- Ba, H.; Ren, J.; Wang, Z.; Zhou, H.; Li, Y.; Hong, T. User-policy-based dynamic remote attestation in cloud computing. Int. J. Embed. Syst. 2016, 8, 39–45. [Google Scholar] [CrossRef]
- Berger, S.; Cáceres, R.; Goldman, K.A.; Perez, R.; Sailer, R.; van Doorn, L. vTPM: Virtualizing the Trusted Platform Module. In Proceedings of the 15th Conference on USENIX Security Symposium, Vancouver, BC, Canada, 31 July–4 August 2006. [Google Scholar]
- Strasser, M. A Software-Based TPM Emulator for Linux. Semester Thesis, Eidgenössische Technische Hochschule Zürich (ETH Zürich), Zürich, Switzerland, 2004. [Google Scholar]
- Strasser, M.; Stamer, H. A Software-Based Trusted Platform Module Emulator. In Proceedings of the 1st International Conference on Trusted Computing, Oslo, Norway, 23–25 June 2008; Springer: Berlin, Germany, 2008; pp. 33–47. [Google Scholar]
- Dolev, D.; Yao, A.C. On the Security of Public Key Protocols. In Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, Nashville, TN, USA, 28–30 October 1981; pp. 350–357. [Google Scholar]
- Dolev, D.; Yao, A.C. On the Security of Public Key Protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208. [Google Scholar] [CrossRef]
- Ries, S. Extending Bayesian Trust Models Regarding Context-dependence and User Friendly Representation. In Proceedings of the 2009 ACM Symposium on Applied Computing, Chicago, IL, USA, 9–13 November 2009; pp. 1294–1301. [Google Scholar]
- TrouSerS: The Open-Source TCG Software Stack. Available online: http://trousers.sourceforge.net/ (accessed on 5 March 2018).
- OpenSSL: Cryptography and SSL/TLS Toolkit. Available online: https://www.openssl.org/ (accessed on 5 March 2018).
- Advanced Crypto Software Collection. Available online: http://acsc.cs.utexas.edu/cpabe/ (accessed on 5 March 2018).
- Sahai, A.; Waters, B. Fuzzy Identity-based Encryption. In Proceedings of the 24th Annual International Conference on Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005; Springer: Berlin, Germany, 2005; pp. 457–473. [Google Scholar]
- Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute-based Encryption for Fine-grained Access Control of Encrypted Data. In Proceedings of the 13th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 30 October–3 November 2006; pp. 89–98. [Google Scholar]
- Goyal, V.; Jain, A.; Pandey, O.; Sahai, A. Bounded Ciphertext Policy Attribute Based Encryption. In Proceedings of the 35th International Colloquium on Automata, Languages and Programming, Part II, Reykjavik, Iceland, 7–11 July 2008; Springer: Berlin, Germany, 2008; pp. 579–591. [Google Scholar]
- Qiao, H.; Ren, J.; Wang, Z.; Ba, H.; Zhou, H. Compulsory Traceable Ciphertext-policy Attribute-based Encryption against Privilege Abuse in Fog Computing. Future Gener. Comput. Syst. 2018, 88, 107–116. [Google Scholar] [CrossRef]
- Fan, Y.; Liu, S.; Tan, G.; Qiao, F. Fine-Grained Access Control Based on Trusted Execution Environment. Future Gener. Comput. Syst. 2018. [Google Scholar] [CrossRef]
- Anati, I.; Gueron, S.; Johnson, S.; Scarlata, V. Innovative Technology for CPU Based Attestation and Sealing. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, Tel-Aviv, Israel, 23–24 June 2013; Volume 13. [Google Scholar]
- Kaplan, D.; Powell, J.; Woller, T. AMD Memory Encryption. Available online: https://developer.amd.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf (accessed on 5 March 2018).
- Ba, H.; Zhou, H.; Ren, J.; Wang, Z. Runtime Measurement Architecture for Bytecode Integrity in JVM-Based Cloud. In Proceedings of the 36th IEEE Symposium on Reliable Distributed Systems, Hong Kong, China, 26–29 September 2017; pp. 262–263. [Google Scholar]
- Garfinkel, T.; Rosenblum, M. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proceedings of the 10th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, 6–7 February 2003; Internet Society: Reston, VA, USA, 2003; pp. 191–206. [Google Scholar]
- Shi, J.; Yang, Y.; Tang, C. Hardware Assisted Hypervisor Introspection. SpringerPlus 2016, 5, 647–669. [Google Scholar] [CrossRef] [PubMed]
- Ren, J.; Liu, L.; Zhang, D.; Zhang, Q.; Ba, H. Tenants Attested Trusted Cloud Service. In Proceedings of the 9th IEEE International Conference on Cloud Computing, San Francisco, CA, USA, 27 June–2 July 2016; pp. 600–607. [Google Scholar]
- Zhou, H.; Ba, H.; Ren, J.; Wang, Y.; Wang, Z.; Li, Y. Decoupling Security Services from IaaS Cloud Through Remote Virtual Machine Introspection. In Proceedings of the 10th International Conference on Security, Privacy, and Anonymity in Computation, Communication, and Storage, Guangzhou, China, 12–15 December 2017; Springer: Berlin, Germany, 2017; pp. 516–529. [Google Scholar]
- Waters, B. Ciphertext-policy Attribute-based Encryption: An Expressive, Efficient, and Provably Secure Realization. In Proceedings of the 14th International Conference on Practice and Theory in Public Key Cryptography Conference on Public Key Cryptography, Taormina, Italy, 6–9 March 2011; Springer: Berlin, Germany, 2011; pp. 53–70. [Google Scholar]
- Herranz, J.; Laguillaumie, F.; Ràfols, C. Constant Size Ciphertexts in Threshold Attribute-based Encryption. In Proceedings of the 13th International Conference on Practice and Theory in Public Key Cryptography, Paris, France, 26–28 May 2010; Springer: Berlin, Germany, 2010; pp. 19–34. [Google Scholar]
- Chen, C.; Zhang, Z.; Feng, D. Efficient Ciphertext Policy Attribute-based Encryption with Constant-size Ciphertext and Constant Computation-cost. In Proceedings of the 5th International Conference on Provable Security, Xi’an, China, 16–18 October 2011; Springer: Berlin, Germany, 2011; pp. 84–101. [Google Scholar]
- Attrapadung, N.; Herranz, J.; Laguillaumie, F.; Libert, B.; de Panafieu, E.; Ràfols, C. Attribute-Based Encryption Schemes with Constant-Size Ciphertexts. Theor. Comput. Sci. 2012, 422, 15–38. [Google Scholar] [CrossRef]
- Orsini, G.; Bade, D.; Lamersdorf, W. Computing at the Mobile Edge: Designing Elastic Android Applications for Computation Offloading. In Proceedings of the 8th IFIP Wireless and Mobile Networking Conference, Munich, Germany, 5–7 October 2015; pp. 112–119. [Google Scholar]
- Satyanarayanan, M. The Emergence of Edge Computing. Computer 2017, 50, 30–39. [Google Scholar] [CrossRef]
160-bit | 160-bit | 160-bit | 2048-bit | 2048-bit | 2048-bit | 2048-bit | 256-bit | 256-bit |
© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Ba, H.; Zhou, H.; Mei, S.; Qiao, H.; Hong, T.; Wang, Z.; Ren, J. Astrape: An Efficient Concurrent Cloud Attestation with Ciphertext-Policy Attribute-Based Encryption. Symmetry 2018, 10, 425. https://doi.org/10.3390/sym10100425
Ba H, Zhou H, Mei S, Qiao H, Hong T, Wang Z, Ren J. Astrape: An Efficient Concurrent Cloud Attestation with Ciphertext-Policy Attribute-Based Encryption. Symmetry. 2018; 10(10):425. https://doi.org/10.3390/sym10100425
Chicago/Turabian StyleBa, Haihe, Huaizhe Zhou, Songzhu Mei, Huidong Qiao, Tie Hong, Zhiying Wang, and Jiangchun Ren. 2018. "Astrape: An Efficient Concurrent Cloud Attestation with Ciphertext-Policy Attribute-Based Encryption" Symmetry 10, no. 10: 425. https://doi.org/10.3390/sym10100425