top of page

SecureCloudFS

Role

Developer

Duration

6 months

Team

Final Year Project, 4 Members  

I implemented symmetric encryption for files prior to cloud storage and developed a system to generate unique decryption keys based on user identity

Software Requirments

FUSE, Python, PKG

Problem 

Outsourcing sensitive data suffers from critical security threats, privacy, and access control problems. When data owners migrate their sensitive data to the cloud, they lose an element of control over their data. To ensure security they can encrypt their data manually prior to uploading to the cloud.

 

However, this presents several challenges. It is difficult for data owners to perform multiple encryption and decryption. It is also difficult for users to manage more than a few keys.

Solution

We propose a hybrid cryptographic scheme that combines symmetric and public key encryption algorithms in order to improve the security and performance of the personal and shared files that are outsourced.

 

Symmetric encryption is used to encrypt the contents of outsourced files to reduce the encryption cost while slower asymmetric algorithms are used to secure the exchange of secret keys for the files.

 

First, design a cryptographic layer that effectively encrypts all files that are outsourced to the cloud storage in a highly secure and transparent manner. 

 

Second, enable a secure data sharing of cloud storage at the granularity of individual files based on IBE scheme that is combined with the proposed OutFS.

Product Perspective

The proposed file system is designed to secure files that are synchronized or shared in public cloud storage systems. All the files will be transparently encrypted prior to their storage in the cloud using strong and reliable encryption, integrity and key management techniques.The main aim is to develop a user-side encrypted file system that is implemented based on FUSE (Filesystem in UserSpace) to secure files that are stored in the cloud storage systems. 

Product Functions

The main functions of this project are:

​

  • To set up a user space file system over the directory which is to be synced by a cloud tool.

  • Encryption of files before saving on to the cloud.

  • To ensure file level integrity and file system level integrity.

  •  Decryption of files for users to view.

User Classes and Characteristics

Data Owner: The owner of the files. The data owner manages the access to the files. They can add, edit and view files.

​

Users: Users can view, edit, and add new files once their authentication process is completed.

do and user.png

Use Case Diagram for Owner and User

Non-functional Requirments

Performance Requirements

​

  • The file system must permit multiple legal users to have access to the shared folder.

  • The files saved on to the cloud must be encrypted at all times.

  • The files must be decrypted when a user is trying to view or edit it.

  • File and file system integrity must be ensured at all times.​

​

Security Requirements​

​

  • Only authorised users shall be allowed to use the services of the product.

  • In order to ensure robust data sharing security, the identity-based encryption scheme (IBE) is integrated with the system.

  • The data owner can revoke the access of users who are no longer permitted to access the files.

System Architecture

System Architecture shows the various modules of the system and the interaction between them. The system consists of 4 modules - User Authentication Module, File and file system integrity checking Module, Encryption Module, Decryption Module.

4.1 bold.png

System Architecture

Class Diagram

A class diagram models the static structure of a system. It shows relationships between the systems classes, their attributes, operations (or methods), and the relationships among objects. Essentially, there are five classes - User Authentication, File Integrity, File System Integrity, Decryption and Encryption. Each class’s associated data and functions are shown in the figure below.

Class Diagram

Activity Diagram

Activity diagrams are graphical representations of workflows of step-wise activities and actions with support for choice, iteration and concurrency. Our activity commences when the user enters the private key.The system checks if the user is authorised to view the file. If the user has entered a valid key then the required file will be retrieved from the cloud and they will be granted access to the file. In case of an invalid key, access will be denied. The file and file system integrity is checked before decrypting the file. The user views the decrypted file and makes necessary edits. When the user has finished editing the file, the file is encrypted. The file and file system hash values are updated. The file is then stored in the cloud.

Activity Diagram

Module Description

Module 1 : User Authentication
The user logins to the cloud server using their credentials for login. To access the files in the system, a key is generated based on the user’s identity. User identity can be their e-mail id,phone number etc. And the key generated is different for different users and this key is used for decrypting the file.

 

Module 2 : File and File System Integrity
The system checks whether the files in the file system have been tampered with and whether files have been deleted from or added to the file system using Merkle Hash Tree. 
In the Merkle hash tree, each leaf node is a hash of a data block, each non-leaf node is a hash of its children, and a top-level hash value is the hash of the tree root node. Thus, the integrity of a file can be verified by recursively hashing all of its nodes from leaf nodes up to the root. The result is then compared to the hash value of the root node, which must be matched, otherwise, the file has been tampered with.

 

Module 3 : Encryption
Files are encrypted prior to their storage in the cloud. Symmetric encryption is performed on files.

 

Module 4 : Decryption
Files are decrypted when the user enters the key generated for them. The ciphertext is converted to plaintext only if the key matches with the cryptographic algorithm used in the system.

Algorithms

Overall Algorithm​

​

Input: Files/Data

​Output: Encrypted shareable files stored in cloud

​

  1. User authentication is done for the user. 

  2. Perform integrity check for file and file system.

  3. Decrypt file for viewing or editing.

  4. User edits the file.

  5. Encrypt the file using a symmetric encryption algorithm.

  6. Encrypt the block symmetric keys using  asymmetric scheme.

  7. Synchronize the encrypted files to the clouds.

  8. Compute the new hash values of the encrypted files using Merkle hash tree and update these values to the cloud.

Algorithm for User Authentication

​

Input: Recipient’s unique 
Output: Shared file

 

  1. The data owner takes the recipient’s unique ID which will be transferred to the trusted PKG server by the Network File System (NFS). 

  2. The PKG server then generates a master secret key and releases the system parameters to the public.

  3. The data owner obtains the system parameters from the PKG, then the file is encrypted.

  4. The resulting ciphered keys Ck is attached to the header of the shared file.

  5. The user requests his/her private key from the PKG server.

  6. The PKG server takes as inputs the system parameters and a master key. It returns the private key for the user ID. 

  7. Using the user’s secret key, the Ck is decrypted first to retrieve the file-related key parameters, which are then used to decrypt the ciphered blocks and retrieve the file.

  8. The PKG periodically renews the private keys for non-revoked users.

  9. The PKG will stop issuing a new private key to those users that got revoked and those users will not be able to gain access to the shared data. 
     

Algorithm for File-Level Integrity

​

  1. The file is split into equal size blocks.

  2. The hash value is computed for each data block.

  3. The file hash root is computed from these.

  4. For checking file-level integrity, the computed hash root is compared with the corresponding value stored in the cloud server. If they do not match, the file integrity is compromised.

  5. After editing, the newly computed hash root is updated in the cloud server.

Algorithm for File System-Level Integrity

​

  1. When a new file is written, a new inode will be created and added to the inode map of the file system.

  2. This inode is then hashed.

  3. The new root hash for the inode map is computed by recalculating the hash values of all parents of the current directory based on the hash value of the new inserted.
     

Algorithm for File Encryption

​

  1. When a file is created for the first time, the file ID is generated.

  2. The file encryption key is created by hash based message authentication of the file system key and the file ID.

  3. Each block in the file is encrypted using the initialization vector.

  4. Cipher text is calculated for all the file blocks using AES encryption.

  5. File related parameters such as file ID and file encryption key are encrypted using RSA encryption to produce the ciphered keys.

  6. The ciphered keys are appended to the file header.

Algorithm for File Decryption

​

  1. Using the user’s secret key, ciphered keys are decrypted to retrieve the file related parameters.

  2. The file related parameters are used to decrypt the ciphered block using AES encryption and retrieve the file.

Unit Testing​

​​​

The smallest testable parts of the application were individually and independently scrutinized.

​

Test 1

Check whether the input file is encrypted or not​

pic1.jpeg

Input

pic2.jpeg

Output

Test 2

Check whether the encrypted file is decrypted or not​

Input

pic1.jpeg

Output

Test 3

Check whether the user is allowed to access the file or not

​

Result: Pass

access request_edited.jpg

Input​

pic7_edited.jpg

Output​

Result: Fail

access request_edited.jpg

Input​

Output​

Test 4

Check whether the user has entered the right key or not​

pic9_edited.jpg

Input​

Output​

Test 5

Check whether the file has been tampered with or not​

pic13.jpeg

Input​

pic12.jpeg

Output​

Test 6

Check whether the file system has been tampered with or not​

pic16.jpeg

Input​

pic15.jpeg

Output​

References

 

 O. A. Khashan, "Secure Outsourcing and Sharing of Cloud Data Using a User-Side Encrypted File System," in IEEE Access, vol. 8, pp. 210855-210867, 2020, doi: 10.1109/ACCESS.2020.3039163. 

 

H. Deng et al., "Identity-Based Encryption Transformation for Flexible Sharing of Encrypted Data in Public Cloud," in IEEE Transactions on Information Forensics and Security, vol. 15, pp. 3168-3180, 2020, doi: 10.1109/TIFS.2020.2985532.

 

Y. Tseng, T. Tsai, S. Huang and C. Huang, "Identity-Based Encryption with Cloud Revocation Authority and Its Applications," in IEEE Transactions on Cloud Computing, vol. 6, no. 4, pp. 1041-1053, 1 Oct.-Dec. 2018, doi: 10.1109/TCC.2016.2541138.

​

X. Wang, X. Cheng and Y. Xie, "Efficient Verifiable Key-Aggregate Keyword Searchable Encryption for Data Sharing in Outsourcing Storage," in IEEE Access, vol. 8, pp. 11732-11742, 2020, doi: 10.1109/ACCESS.2019.2961169.

bottom of page