Department of Computer Science | Institute of Systems Architecture | Chair of Computer Networks

FlexCloud: Reliable and Secure Cloud Overlay Infrastructures
Prof. Dr. Alexander Schill
2013

Outline

Cloud Computing …
• What is it all about?
• Problems
• π-Box: Building your personal secure cloud
• π-Data Controller: Secure Cloud Storage
• Conclusion & Future Work
#3

The shape of a cloud … is in the eye of the beholder.
• IaaS/PaaS*: Cloud Operating System, part of Azure Platform
• SaaS*: Customized applications for business and home user, based on Google App Engine, e.g. collaboration tools
• IaaS*: Migration of virtual machines between private and public clouds
• PaaS*: Development and hosting of web applications
• SaaS/PaaS*: Business cloud services focussing on customer relationship management
* SaaS = Software as a Service, PaaS = Platform as a Service, IaaS = Infrastructure as a Service
#4

Cloud Computing Characteristics
Cloud Computing is … the on-demand and pay-per-use application of virtualised IT services over the Internet.
• On-demand self service
• Rapid elasticity
• Broadband network access
• Measured and optimized service
• Resource pooling
Adopted from the NIST Definition of Cloud Computing [MeGr2011]
#5

Service & Deployment Models
[Figure: Cloud Architecture Stack and Cloud Organization. Stack labels: User/Clients; User Interface; Machine Interface; Software Services (SaaS); Applications; Applications Services; Components Services; Platform Services (PaaS); Programming Environment; Execution Environment; Infrastructure Services (IaaS); Compute, Network, Storage; Virtual Resource Set (VRS); Physical Resource Set (PRS). Organization labels: Public, Hybrid, Community, Private. Axis labels: Convenience, User Control.]
Adopted from [MeGr2011] and [BKNT2010]
#6

Cloud Computing …
• What is it all about?
• Problems
• π-Box: Building your personal secure cloud
• π-Data Controller: Secure Cloud Storage
• Conclusion & Future Work
#7

Problems of Cloud Computing
Reliability and security when giving up physical possession
> Failure of monocultures
> Cloud providers’ trustworthiness
> Staying in control
#8

FlexCloud Objectives
π-Cloud: Establishing a secure cloud computing life cycle
Hybrid cloud platform to integrate a user’s (cloud) resources, services and data.
> Unified Cloud: Prevent Vendor-Lock-in + Integration of existing IT
> Secure Cloud: Ensure data privacy and security
> Managed Cloud: Keep the user in command
> Efficient Cloud: Adapt to user preferences and cloud's vital signs
#9

Cloud Computing …
• What is it all about?
• Problems
• π-Box: Building your personal secure cloud
• π-Data Controller: Secure Cloud Storage
• Conclusion & Future Work
# 10

FlexCloud's Approach
Subsume all end devices within a Personal Secure Cloud (π-Cloud) controlled by the π-Box.
[Figure: π-Cloud and π-Box]
# 11

Transparent Encryption
• Document classification concerning security requirements.
• Analysis of structured, unstructured data and context information
• Addressee identification and derivation of respective keys.
[Figure labels: π-Cloud, PKI]
# 13

Cloud Computing …
• What is it all about?
• Problems?
• π-Box: Building your personal secure cloud
• π-Data Controller: Secure Cloud Storage
• Conclusion & Future Work
# 15

Increasing Availability: from RAID to RAIC

RAID: Redundant Array of Independent Disks
• Integration Layer: Logical partition
• Preprocessing Layer: RAID level redundancy routine (mirror, stripe, …)
• Transport Layer: Block resources
• Unreliable, low quality hard disk ➔ Reliable disk storage

RAIC: Redundant Array of Independent Clouds
• Integration Layer: Distributed file system, Web access, Versioning
• Preprocessing Layer: File level transformation (e.g. compression), Dispersal routine, Fragment level transformation (e.g. encryption)
• Transport Layer: Caching, Local persistence, Provider Storage API adapter
• Unreliable, proprietary and insecure cloud storage ➔ Reliable, universal and secure cloud storage
# 16

Secure Cloud Storage Integrator for Enterprises (System Architecture)
[Figure: system architecture of the π-Data Controller. Labels: Company Intranet, CIFS, Shared Folder, File Dispersion, Cryptography, Cloud Storage Protocol Adapter, Meta Data, API, FTP, π-Cloud]
# 17

Storing Files (1/5)
[Figure: π-Data Controller architecture diagram]
# 18

Implementation of the Shared Folder
[Figure: FUSE request path. Labels: ./xmp /tmp/fuse; ls - /tmp/fuse; libfuse; glibc; User space; Kernel; FUSE; VFS; NFS; Ext3; …]
CIFS = Common Internet File System, Ext3 = Third Extended File System, FUSE = Filesystem in Userspace, glibc = GNU C library, NFS = Network File System, SMB = Server Message Block, VFS = Virtual File System
• Technology: FUSE (Filesystem in Userspace)
• CIFS/SMB network share on proxy file server
• Unified user interface for arbitrary cloud storage services
• Utilizing CIFS access control mechanisms
# 19

Storing Files (2/5)
[Figure: π-Data Controller architecture diagram]
# 20

File Dispersion
Ensure availability despite unreliable cloud storage providers …
• k: threshold, i.e. # of necessary shares to reconstruct
• n: total # of shares a file is split into
E.g. k=6, n=8
If k < n, we need redundant information.
# 21

Secret Sharing aka Threshold Schemes
Objective: Divide a secret $s \in S$ into $n$ shares $s_1, \dots, s_n$ with
1. Knowledge of any $k$ or more shares $s_i$ makes $s$ easily computable.
2. Knowledge of any $k-1$ or fewer shares $s_i$ leaves $s$ completely undetermined (in the sense that all its possible values are equally likely).
[Figure: Sharing: the Dealer takes input $s$ and hands shares $s_1, s_2, \dots, s_n$ to the share holders, who store them. Reconstruction: share holders pass $s_{i_1}, s_{i_2}, \dots, s_{i_k}$ to the Reconstructor, which outputs $s^*$.]
# 22

Secret Sharing: An informal example with 2 shares
Visual Cryptography [NaSh1994]
Simplification: n = k = 2
[Source: http://goo.gl/watJC]
Secret cannot be determined independently!
… revealed!
# 23

Secret Sharing: More formalism

Blakley's scheme [Blakley1979]
Idea: Any n nonparallel n-dimensional hyper-planes intersect at a specific point.
Sharing: Encode the secret as any single coordinate of the point of intersection.
Recovering:
1. Calculate the planes' point of intersection.
2. Take a specified coordinate of that intersection.
Example: n≥3, k=3
[Figure: 1 share available, 2 shares available, 3 shares available]

Shamir's scheme [Shamir1979]
Idea: It takes $k$ points to define a polynomial of degree $k-1$.
Sharing: Let $a_0 := s \in S$ be the secret to be shared, where $S$ is an infinite field known to all share holders. Randomly choose $(k-1)$ coefficients $a_1, a_2, \dots, a_{k-1} \in S$ to build $f(x) := \sum a_i \cdot x^i$. Calculate shares $s_j := [j, f(j)]$ with $j \in \mathbb{N}_n$.
Recovering: Use Lagrange interpolation to find the coefficients of the polynomial, including the constant term $a_0$.
[Figure: shares $s_1$, $s_2$, $s_3$ and the secret $s$]
Graphics taken from Wikipedia.
# 24

Information Dispersal: Computationally secure secret sharing

Rabin's scheme [Rabin1989]
• Guarantees only availability but no secrecy.
• Construction: Let $a_i := s \in S$ where $i = 1, \dots, k$, i.e. $f(x) := \sum_{i=1}^{k} s \cdot x^i$. Rest as with Shamir's secret sharing.
• Properties
  • With a polynomial and shares of the same size as before, we can now share a value $k$ times as long as before.
  • Length of each share is only $\frac{1}{k}$-th of the length of the secret, and if $k$ shares must be sufficient for reconstruction, one can obviously not get shorter. ➔ Space optimal
  • However, one might gain some information if he gets access to several shares. ➔ Computationally secure

More efficient information dispersal schemes
• Need to be maximum distance separable to use $k$ arbitrary shares for reconstruction.
• Examples: Cauchy-Reed-Solomon, Liberation, Blaum-Roth [PSS2008]
# 25

Storing Files (3/5)
[Figure: π-Data Controller architecture diagram]
# 26

Cryptography: Confidentiality & Integrity
[Figure: label "AES-CBC + SHA256" repeated four times]
# 27

Storing Files (4/5)
[Figure: π-Data Controller architecture diagram]
# 28

Storing Files (5/5)
Stored Meta Data per component
• Shared Folder: General file system information, e.g. file size, access rights …
• File Dispersion: Used dispersion algorithm/parameters (n, k), shares’ locations
• Cryptography: Used cryptographic keys and calculated checksums per share
• Cloud Storage Protocol Adapter: Storage protocol parameters and provider login data
[Figure: π-Data Controller architecture diagram]
# 29

Retrieving Files (1/3)
Dispersion parameters: n=6
[Figure: π-Data Controller architecture diagram]
# 30

Retrieving Files (2/3)
Dispersion parameters: n=6, k=3
[Figure: π-Data Controller architecture diagram]
# 31

Retrieving Files (3/3)
[Figure: π-Data Controller architecture diagram]
# 32

Prototype Implementation
• [SGS2011] web interface for π-Cockpit
• [SBM+2011] π-Cockpit desktop application
• ResUbic Cloud Storage Allocator for Cyber Physical Systems
# 33

Performance Evaluation Upload

Test case   π-Box used   # local storage   # cloud storage   # encrypted shares
1           No           0                 1                 0
2           Yes          0                 1                 0
3           Yes          8                 0                 0
4           Yes          4                 4                 4
5           Yes          0                 8                 8

File size: 24 MB; Dispersion parameters: n=8, k=6; Cryptography parameters: AES (256 bit, 14 iterations), SHA256; Network Up/Downlink: 10/20 Mbit/s
Towards User Centric Data Governance and Control in the Cloud
# 34

Performance Evaluation Download
Test cases and parameters identical to the upload evaluation.
# 35

Cloud Computing …
• What is it all about?
• Problems?
• π-Box: Building your personal secure cloud
• π-Data Controller: Secure Cloud Storage
• Conclusion & Future Work
# 37

Results so far & future work (π-Data Controller)
• Integration of existing cloud storage services (Cloud-of-Clouds)
• Proxy server for transparent mediation ➔ easy to use for end-user, common scheme for enterprises
• Good performance, high security & data control for the user

• Data store for database system (block-based dispersion)
• Collaboration scenarios, file sharing, access by external entities
• Securing the meta data database
• Automatic classification of data
• Improving performance, e.g.
scheduling algorithms, caching/prefetching, parallelization
• Optimized cloud storage
# 38

Towards a secure cloud life cycle

Cloud Adaption and Optimization
• Strategies for the compensation of SLA violations
• Strategies for minimization of energy consumption
• Mechanisms for the visualization of complex Cloud Monitoring data

Cloud Surveillance and Incident Detection
• Specification of monitoring targets and SLA violations
• Models for the proactive recognition of SLA violations and the evaluation of a Cloud’s energy efficiency
• Mechanisms for reliable distributed Monitoring

Fine-grained Service Level Agreements
• Methods to determine fine-grained nonfunctional properties of Cloud Services
• Identification of assets and corresponding requirements
• Deduction of monitoring targets from SLAs

Dynamic Provider Selection and Cloud Setup
• Flexible distribution mechanisms for Cloud Platforms
• Strategies for the performance optimization of Cloud Applications
• Reputation consideration to improve reliability and trustworthiness
# 40

Tomorrow's forecast: still cloudy but sunny spots
Contact: [email protected] [email protected]
http://flexcloud.eu/
# 41

References
[BKNT2010] C. Baun, M. Kunze, J. Nimis and S. Tai: Cloud Computing. Web-basierte dynamische IT-Services. Springer Verlag, 2010.
[Blakley1979] G. R. Blakley: Safeguarding cryptographic keys; AFIPS Conference Proceedings Vol. 48, National Computer Conference (NCC) 1979, 313-317.
[MeGr2011] P. Mell and T. Grance: The NIST Definition of Cloud Computing. NIST Special Publication 800-145, September 2011.
[NaSh1994] M. Naor and A. Shamir: Visual Cryptography, Eurocrypt 94.
[PSS2008] J. S. Plank, S. Simmerman, C. D. Schuman: Jerasure: A Library in C/C++ Facilitating Erasure Coding for Storage Applications – Version 1.2. Technical Report CS-08-627, University of Tennessee, 2008.
[Rabin1989] M. O. Rabin: Efficient Dispersal of Information for Security, Load Balancing, and Fault Tolerance; Journal of the ACM 36/2 (1989) 335-348.
[SBM+2011] J. Spillner, G. Bombach, S. Matthischke, R. Tzschicholz, and A. Schill: Information Dispersion over Redundant Arrays of Optimal Cloud Storage for Desktop Users. In: IEEE International Conference on Utility and Cloud Computing. Melbourne, Australia, December 2011.
[SGS2011] R. Seiger, S. Groß, and A. Schill: A Secure Cloud Storage Integrator for Enterprises. In: International Workshop on Clouds for Enterprises. Luxembourg, September 2011.
[Shamir1979] A. Shamir: How to Share a Secret; Communications of the ACM 22/11 (1979) 612-613.
# 42
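
Added example (not part of the original slides or of the FlexCloud code base): Shamir's sharing and Rabin's dispersal from the secret-sharing slides, both built on one Lagrange interpolation routine. Assumptions of this example: arithmetic is done in the prime field GF(257) (Shamir's paper works modulo a prime) so that every byte fits in one field element, shares are evaluated at x = 1..n, and all function names are illustrative.

```python
import secrets

P = 257  # prime chosen for this example; every byte value fits in GF(257)

def poly_eval(coeffs, x):
    """Evaluate a0 + a1*x + a2*x^2 + ... in GF(P) by Horner's rule."""
    y = 0
    for a in reversed(coeffs):
        y = (y * x + a) % P
    return y

def interpolate(points):
    """Lagrange interpolation: coefficients (lowest degree first) of the unique
    polynomial of degree < len(points) through the given distinct (x, y) points."""
    coeffs = [0] * len(points)
    for j, (xj, yj) in enumerate(points):
        basis, denom = [1], 1  # basis = product of (x - xm) over all m != j
        for m, (xm, _) in enumerate(points):
            if m != j:
                basis = [(a - xm * b) % P for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xj - xm) % P
        scale = yj * pow(denom, -1, P) % P
        for i, b in enumerate(basis):
            coeffs[i] = (coeffs[i] + scale * b) % P
    return coeffs

def shamir_split(secret, k, n):
    """Shamir: a0 is the secret, a1..a(k-1) are random; share j is (j, f(j))."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(j, poly_eval(coeffs, j)) for j in range(1, n + 1)]

def shamir_recover(shares):
    """Any k shares fix the polynomial; its constant term is the secret."""
    return interpolate(shares)[0]

def ida_split(data, k, n):
    """Rabin-style dispersal: every group of k data bytes is used as the k
    coefficients (no random ones), so each share carries len(data)/k symbols."""
    if len(data) % k:
        raise ValueError("pad data to a multiple of k first")
    groups = [data[i:i + k] for i in range(0, len(data), k)]
    return [(j, [poly_eval(g, j) for g in groups]) for j in range(1, n + 1)]

def ida_recover(shares, k):
    """Rebuild the data from any k shares by interpolating each group."""
    out = bytearray()
    for g in range(len(shares[0][1])):
        out += bytes(interpolate([(x, ys[g]) for x, ys in shares[:k]]))
    return bytes(out)
```

ida_split uses no random coefficients and is fully deterministic, which is why it provides availability but no secrecy on its own; confidentiality has to come from a separate encryption step such as the AES-CBC + SHA256 stage on the slides.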