Using Public Cloud Storage (PCS) can help to enhance data accessibility and availability. However, one of the major PCS concerns is how to address insider threats. These threats can occur accidentally or intentionally. A PCS provider may hide a data breach or loss that has occurred in order to protect its reputation. The scope of this thesis is how to counter insider threats related to the data integrity property in the context of Data Integrity Auditing (DIA). Data verification in DIA may be performed either by the users or by Third-Party Auditors (TPAs) using integrity tags. To this end, the thesis has made three novel contributions. Firstly, the thesis presents a comprehensive threat analysis in this context, specifies requirements for an effective and efficient DIA service and presents a critical review of the state-of-the-art solutions in the light of the threats and requirements. The analysis and literature review have led to the identification of three research questions in relation to providing a secure, reliable and efficient DIA service, i.e. how to minimise or eliminate trust in the third parties (PCS providers and TPAs), how to minimise the overheads imposed on the users and how to balance the trade-off between costs and security protection levels. Secondly, it proposes a novel tagging method, the Tagging of Outsourced Data (TOD) method, for the tag generation and verification required to facilitate the DIA service. TOD has three main features making it a secure and efficient solution: it supports both public and private verifiability on the same platform (dual verification), it preserves data confidentiality and achieves a strong level of resistance to tag collisions, and it supports dynamic data and tag deduplication. Thirdly, it proposes a novel DIA framework for providing a secure and reliable DIA service for outsourced data in a PCS.
The framework, called the DIA with Eliminating any Trust in Third Parties (DIA-ETTP), uses the TOD method along with the following novel ideas: (1) use entity redundancy (TPAs and PCSes) rather than data redundancy to counter collusion attacks among PCS providers, (2) use dual verification and collaborative verification for countering frame and collusion attacks by TPAs, (3) organise PCS providers and TPAs into a hierarchical architecture and pair TPA/PCS to minimise costs imposed on the users while working against collusions by the providers, (4) use two-level (block-level at both user and provider end) data deduplication to further reduce the users' costs and (5) use two-level integrity assurance (public verification in level 1 and dual verification in level 2) to balance the trade-off between protection strength and cost. Both the TOD method and the DIA-ETTP framework have been comprehensively analysed and evaluated in terms of security and performance. The performance evaluation is done both theoretically and experimentally. The results indicate that the framework is more efficient, particularly for end users, while providing a richer set of functionalities, than related solutions.
Date of Award: 31 Dec 2020
The University of Manchester
James Garside (Supervisor) & Ning Zhang (Supervisor)