Secure Client-side Deduplication Supporting Efficient Re-encryption (original Korean title: 효율적인 재암호화를 지원하는 안전한 클라이언트 측 중복제거)
- Alternative Title
- Secure Client-side Deduplication Supporting Efficient Re-encryption
- Abstract
- Cloud storage is a service that rents remote storage to users over the Internet. The service is in high demand because it offers advantages such as high accessibility and low installation and operating costs. However, because many users store data in cloud storage, the probability that duplicate data is stored is high, so deduplication techniques are needed to improve storage efficiency. Among deduplication techniques, client-side deduplication is superior in storage and network bandwidth efficiency because it checks whether duplicate data is already stored before uploading the data.
However, previously proposed client-side deduplication techniques have three weaknesses. First, the existing data duplication check applies no access control to users who do not hold the data's access attributes. Anyone can therefore use the duplication check to find out whether the queried data has been stored on the cloud server, so a duplication check without access control can be a threat to data privacy. Second, the previously proposed Proof-of-Ownership (PoW) technique using a Merkle Tree creates a data structure for verifying that a user owns the actual data, and the user who owns the data passes verification through a challenge-response protocol. However, the Merkle Tree based scheme is vulnerable to man-in-the-middle attacks because it uses static response values in its verification protocol. Meanwhile, data is stored in cloud storage in encrypted form for confidentiality. In this case, re-encryption may be required when the encryption key is exposed or when a user requests deletion of the data. The previously proposed re-encryption techniques for cloud storage, however, require high computational overhead, as they mainly use bilinear pairing operations to generate the re-encryption key.
Therefore, this thesis proposes a model that overcomes these disadvantages of existing client-side deduplication. First, to prevent the exposure of data privacy that may occur during the data duplication check, an attribute tag is added together with the data tag so that the result of the duplication check is known only to a legitimate user with appropriate data access attributes. The attribute tag expresses the user's attributes using a counting Bloom filter, and it is used as the value that encrypts the challenge in the PoW process. Next, to prevent the man-in-the-middle attacks to which the existing Merkle Tree based PoW technique is exposed, the query to be requested is transformed into a legitimate form instead of being sent directly, so that the attacker cannot know the answer corresponding to the query. Finally, the proposed scheme uses PRE (Proxy Re-Encryption) based on symmetric encryption to perform re-encryption that is efficient in terms of computational complexity.
- Author(s)
- 김동이
- Issued Date
- 2018
- Awarded Date
- 2018.2
- Type
- Dissertation
- Publisher
- Pukyong National University (부경대학교)
- URI
- https://repository.pknu.ac.kr:8443/handle/2021.oak/14260
http://pknu.dcollection.net/common/orgView/200000010708
- Alternative Author(s)
- Dong-Ee Kim
- Affiliation
- Graduate School, Pukyong National University
- Department
- Graduate School, Interdisciplinary Program of Information Security
- Advisor
- 신상욱
- Table Of Contents
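- I. Introduction
1. Research Background
2. Research Content and Organization
II. Related Work
1. Client-side Deduplication
2. Proof of Ownership
3. Re-encryption
III. Secure Deduplication Supporting Efficient Re-encryption
1. System Model
2. Detailed Protocols of the Proposed Model
3. Analysis
IV. Conclusion
References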
- Degree
- Master
Appears in Collections:
- Graduate School > Interdisciplinary Program of Information Security