
Patent Issued for Remote Verification of File Protections for Cloud Data Storage

August 19, 2014



By a News Reporter-Staff News Editor at Information Technology Newsweekly -- From Alexandria, Virginia, VerticalNews journalists report that a patent by the inventors Stefanov, Emil P. (Berkeley, CA); van Dijk, Marten Erik (Somerville, MA); Oprea, Alina M. (Arlington, MA); Juels, Ari (Brookline, MA), filed on December 29, 2011, was published online on August 5, 2014.

The patent's assignee for patent number 8799334 is EMC Corporation (Hopkinton, MA).

News editors obtained the following quote from the background information supplied by the inventors: "Cloud data storage is swiftly supplanting many forms of local storage for consumers and enterprises alike. Cloud storage providers have an interest in demonstrating that files in their custody enjoy strong confidentiality and other protections, both to differentiate their services and to ease regulatory compliance for their clients.

"For example, security breach notification laws in the United States, such as those in the recently-enacted HITECH (Health Information Technology for Economic and Clinical Health) Act, typically include a safe harbor exemption for encrypted data. To benefit from such provisions, cloud storage providers must demonstrate at a minimum that while in storage, files are in encrypted form. See M. Burdon et al., 'Encryption safe harbours and data breach notification laws,' Computer Law & Security Review, 26(5):520-534, 2010.

"Auditors today commonly rely on periodic facility inspections and system architecture and configuration reviews to verify compliance with data-handling requirements under established standards such as Statement on Auditing Standards (SAS) No. 70. Such approaches are expensive and error prone. They do not support continuous monitoring or extensive fine-grained inspection and often presume correct reduction of security policies to practice. Automated verification of stored file formats is thus a compelling alternative or supplement to traditional audit approaches. To maximize cost effectiveness and minimize trust assumptions in an audited cloud storage provider, such verification should be executable remotely, e.g., by an auditor over the Internet.

"Verifying that a file is encrypted would be much easier for an auditor or client that had sole possession of the encryption keys. In order for a cloud storage provider to compute over stored, encrypted data and furnish plaintext on demand, however, the provider itself must encrypt the file and manage the keys. This is the most common cloud storage model and the one that burdens clients the least. Furthermore, for a cloud storage provider to assume responsibility for file confidentiality and minimize security requirements for clients, it should never divulge encryption keys to external entities, the file owner included.

"An auditor or client should therefore be able to verify that stored files are encrypted by a cloud storage provider that is itself managing the keys and performing the encryption and decryption operations on the files.

"If the cloud storage provider holds encryption keys, then remotely verifying that stored files are encrypted presents a very difficult problem. Consider by way of example a client that entrusts a cloud storage provider with file F, asking that the cloud storage provider store it encrypted under some secret key .kappa. as ciphertext G. How can the client verify that the cloud storage provider is actually storing G and not F? The client might challenge the cloud storage provider at a random time to send it the ciphertext G. But the cloud storage provider could deceive the client by just sending a random string R. If the cloud storage provider claims to be using an appropriate encryption algorithm, such as one that is indistinguishable under chosen ciphertext attack (IND-CCA), the client will be unable to distinguish between the random string R and the ciphertext G. It is also possible for the cloud storage provider to deceive the client by storing F in unencrypted form and then computing G on the fly, only in response to a verification request from the client.

"Accordingly, a need exists for techniques for verifying that files stored by cloud storage providers are subject to appropriate protections such as encryption."

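The verification gap described in the background quote can be reproduced directly. The Python sketch below is an added illustration, not code from the patent or its inventors: it shows a client without the key accepting an honest provider, one that encrypts F only when challenged, and one that returns a random string R. `toy_encrypt` is a stand-in cipher built from SHA-256, and every class, function and sample value is hypothetical.

```python
import hashlib
import math
import os
from collections import Counter

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter-mode keystream XOR); illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; about 8.0 for ciphertext or random data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class Provider:
    """Holds the key itself; only the honest mode keeps G at rest, the rest keep F."""
    def __init__(self, f: bytes, mode: str):
        self.key, self.mode = os.urandom(32), mode
        self.at_rest = toy_encrypt(self.key, f) if mode == "honest" else f

    def respond(self) -> bytes:
        if self.mode == "honest":
            return self.at_rest                         # the stored ciphertext G
        if self.mode == "on_the_fly":
            return toy_encrypt(self.key, self.at_rest)  # G computed on demand
        return os.urandom(len(self.at_rest))            # a random string R

def naive_audit(provider: Provider, size: int) -> bool:
    """All a keyless client can check: right length and it looks random."""
    reply = provider.respond()
    return len(reply) == size and entropy(reply) > 7.9

def run_audits(f: bytes) -> dict:
    """Map each mode to (audit passed, plaintext F is what sits in storage)."""
    result = {}
    for mode in ("honest", "on_the_fly", "random_string"):
        p = Provider(f, mode)
        result[mode] = (naive_audit(p, len(f)), p.at_rest == f)
    return result

# Constructed sample file F (not real data).
F = b"record=constructed-sample;status=confidential\n" * 1400

if __name__ == "__main__":
    print(run_audits(F))
```

All three providers pass the audit, yet two of them hold F in plaintext, which is the failure the quoted passage attributes to a simple "send me G" challenge.
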
As a supplement to the background information on this patent, VerticalNews correspondents also obtained the inventors' summary information for this patent: "Illustrative embodiments of the invention incorporate file protection verification functionality using an 'hourglass' protocol that provides an efficient and accurate technique for verifying that files stored by cloud storage providers or other types of file systems are subject to appropriate protections such as encryption. The hourglass protocol is advantageously configured to ensure that transformation of a given file from one format to another is subject to minimum resource requirements.

"In one embodiment, a client device or other processing device comprises a file processing module configured with file protection verification functionality. The file processing module is operative to provide a file to a file system for encoding, to receive from the file system a corresponding encoded file and a proof of correct encoding, and to verify that the file system stores at least a designated portion of an encapsulation of the encoded file. The file system may comprise one or more servers associated with a cloud storage provider.

"The file processing module may receive, in addition to or in place of the encoded file, a proof of correct encoding.

"The file protections that may be verified are not limited to encryption. In other embodiments, the encoded file may be generated using a leak-incriminating encoding format in which the file is stored with an embedded provenance tag, or a file binding format in which the file is inextricably bound with at least one other file. Numerous other types of file protections can also be verified using the disclosed techniques.

"In another embodiment, a client device or other processing device comprises a file processing module configured with file protection verification functionality. The file processing module is operative to provide a file to a file system for encoding, to receive from the file system a proof of correct encoding of the file, and to verify the proof of correct encoding.

"As one example, the encoding may comprise encryption encoding and the proof of correct encoding may comprise a permutation key utilized in a keyed pseudo-random permutation that is applied to the file. In such an arrangement, the proof of correct encoding may further comprise an encoded file generated by encryption under at least first and second encryption keys, with a first one of the encryption keys being based on information supplied by the provider of the file and the second one of the encryption keys being on secret information associated with the file system.

"As another example, the encoding may comprise leak-incriminating encoding and the proof of correct encoding may be generated utilizing hashes on digital signatures associated with respective blocks of the file. In such an arrangement, the proof of correct encoding may comprise an encoded file generated by applying an all-or-nothing transform function to the respective blocks of the file and their associated digital signatures.

"One or more of the illustrative embodiments described herein advantageously overcome the above-noted difficulties associated with verifying that cloud storage providers are storing files in encrypted form. For example, using an hourglass protocol in a given one of these embodiments, a cloud storage provider cannot deceive a client by simply sending the client a random string, or by storing a file in unencrypted form and then encrypting it only upon receipt of a verification request from the client. Other embodiments can be implemented without the use of an hourglass function.

"These and other features and advantages of the present invention will become more readily apparent from the accompanying drawings and the following detailed description."

For additional information on this patent, see: Stefanov, Emil P.; van Dijk, Marten Erik; Oprea, Alina M.; Juels, Ari. Remote Verification of File Protections for Cloud Data Storage. U.S. Patent Number 8799334, filed December 29, 2011, and published online on August 5, 2014. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=8799334.PN.&OS=PN/8799334RS=PN/8799334

Keywords for this news article include: EMC Corporation, Information Technology, Information and Data Storage, Information and Data Encoding and Encryption.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC





Source: Information Technology Newsweekly

