Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Providing Proofs of Past Data Possession in Cloud Forensics

  • Be the first to comment

  • Be the first to like this

Providing Proofs of Past Data Possession in Cloud Forensics

  1. 1. Providing Proofs of Past Data Possession in Cloud Forensics Shams Zawoad, Ragib Hasan SECuRE and Trustworthy computing (SECRET) Lab University of Alabama at 1/23/2013
  2. 2. Problem Statement : A Motivating Story Bob XYZ Corporation Did Bob have this file? Cloud VM/Storage 1/23/2013 1
  3. 3. What is Digital Forensics and Cloud Forensics? Digital Forensics Incident Examination Identification Identification Collection Organization Presentation Evidence Identification Analysis Cloud Forensics • Applying digital forensics procedures in cloud. • A subset of Network forensics [Ruan et al.] 1/23/2013 2
  4. 4. Cloud Forensics vs Traditional Digital Forensics Traditional Cloud • Physical access to • No physical access computing resources • No need to depend on • Need to depend on CSP third party • Single user system • Multi-tenant system • Tools are available • No proven available 1/23/2013 3
  5. 5. What is Past Data Possession? If a file ‘F’ was possessed by a user ‘U’, then Past Data Possession states that U possessed F at a given past 1/23/2013 4
  6. 6. Why Is It Challenging to Provide the Past Data Possession? Reduced Control over Clouds Access Control Access Control Access Control Multi-tenancy Application Application Application Data Chain of Custody Data Data OS OS OS Presentation Servers Servers Servers Network Network Network SaaS PaaS IaaS Customers have control Customers do not have 1/23/2013 5
  7. 7. In the Threat Model, Bob, Investigator, and the Cloud can be Malicious User can delete records or present fake records Investigator can plant invalid evidence CSP can provide false past data possession or deny hosting any evidence Every body can collude with each 1/23/2013 6
  8. 8. Hence, The Possible Attacks can be: Denial of possession False presence Evidence contamination Repudiation by CSP Repudiation by User Privacy 1/23/2013 7
  9. 9. What Can be the Solution? Proposing Proof of Past Data Possession (PPDP) • PPDP attests that a User U possessed a File F at a given past time. • An Auditor can use PPDP to check the Past Data Possession. • File can be deleted but PPDP can still preserve the proof of data 1/23/2013 8
  10. 10. PPDP Provides: Integrity I1: Adversaries cannot remove any evidence. I2: Adversaries cannot plant any invalid evidence. I3: Adversaries cannot change any existing evidence. I4: CSP cannot deny hosting any evidence. I5: CSP cannot repudiate any previously published 1/23/2013 9
  11. 11. PPDP Provides: Confidentiality C1: From the proof adversaries cannot recover the original file. C2: From the proof adversaries cannot learn about the version history of 1/23/2013 10
  12. 12. Components of PPDP File • Private, stored in Cloud Proof of File P • Private, Stored in Cloud Accumulator • Private, Stored in Cloud Signed • Public, Available through RSSAccumulator, 1/23/2013 11
  13. 13. Proof of Past Data Possession (PPDP) User CSP Proof 1/23/2013 12
  14. 14. Bloom Filter as an Accumulator A probabilistic data structure to check whether an element is a member of a set or not. • Stores the membership information in a bit array • Space efficient representation. • Performance of element insertion and membership checking is good. • False positive probability is not zero. Is used in Google Chrome to maintain Black-list of malicious 1/23/2013 13
  15. 15. Verification of Past Data Possession PPDPu = <H(DSu), SPkc(DSu)> No Signature Rejects Valid? Yes Document DSu No Rejects Exists? Bit positions Yes 1/23/2013 14
  16. 16. How to Identify the Generation Time of Evidence? Investigator/ Auditor can query in two ways: • A time range of evidence generation. • Exact date of evidence 1/23/2013 15
  17. 17. Security Analysis w.r.t. Collusion Model CUI ¬CUI C¬UI CU¬ 1/23/2013 16
  18. 18. Security Analysis w.r.t. Collusion Model C¬U ¬ I ¬CU ¬ I ¬C¬UI ¬C¬U¬ 1/23/2013 17
  19. 19. Security Analysis Non repudiation by CSP : Proof is signed Preservation of user’s privacy: One-way Hashing Non repudiation by User: Advanced version of PPDP, each evidence is 1/23/2013 18
  20. 20. Proof-of-Concept Implementation FTP Server on Amazon EC2 Micro Instance. Client Machine: Intel Core-i5-24305 CPU @ 2.40 GHz processor and 8GB RAM. Bloom filter : 0.01 % False Positive Probability for 1000 elements. RSA (1024 bit) and SHA 1 (160 bit) 1/23/2013 19
  21. 21. Evaluation of Our Prototype % Overhead associated with time needed to insert the 1/23/2013 20
  22. 22. Evaluation of Our Prototype Average time required to find true negative 1/23/2013 21
  23. 23. Evaluation of Our Prototype Average time required to find a true positive 1/23/2013 22
  24. 24. Applications of PPDP CSP can preserve the proof without storing the data itself. Storage overhead for CSP but can earn money by Forensic-as-service. Make the Cloud more Auditable which in turn makes Cloud more Regulatory 1/23/2013 23
  25. 25. Conclusion• Introduced the notion of a Proof of Past Data Possession (PPDP) in the context of digital forensics.• Proposed an efficient and secured cryptographic scheme for creating a PPDP.• Evaluated the proposed PPDP scheme using a commercial cloud vendor. Future work : Implement the scheme in private cloud, later collaborate with a commercial 1/23/2013 24
  26. 26. Thank You Q& 1/23/2013

    Be the first to comment

    Login to see the comments


Total views


On Slideshare


From embeds


Number of embeds