Showing papers on "On-the-fly encryption published in 2019"

Secure Cloud Data Deduplication with Efficient Re-encryption

Abstract: Data deduplication technique has been widely adopted by commercial cloud storage providers, which is important in coping with the explosive growth of data. To further protect the security of users' sensitive data in the outsourced storage mode, many secure data deduplication schemes have been designed and applied in various scenarios. Among these schemes, secure and efficient re-encryption for encrypted data deduplication attracted the attention of many scholars, and many solutions have been designed to support dynamic ownership management. In this paper, we focus on the re-encryption deduplication storage system and show that the recently designed lightweight rekeying-aware encrypted deduplication scheme is vulnerable to the stub-reserved attack. Furthermore, we propose a secure data deduplication scheme with efficient re-encryption based on the convergent all-or-nothing-transform (CAONT) and randomly sampled bits from the Bloom filter. Due to the property of hash function, our scheme can resist the stub-reserved attack and guarantee the data privacy of data owners' sensitive data. Moreover, instead of re-encrypting the entire package, data owners are only required to re-encrypt a small part of it through the CAONT, thereby effectively reducing the computation overhead. Finally, security analysis and experimental results show that our scheme is secure and efficient in re-encryption.

A New Secure and Lightweight Searchable Encryption Scheme over Encrypted Cloud Data

Abstract: Searchable Encryption is an emerging cryptographic technique that enables searching capabilities over encrypted data on the cloud. In this paper, a novel searchable encryption scheme for the client-server architecture has been presented. The scheme exploits the properties of the modular inverse to generate a probabilistic trapdoor which facilitates the search over the secure inverted index table. We propose indistinguishability that is achieved by using the property of a probabilistic trapdoor. We design and implement a proof of concept prototype and test our scheme with a real dataset of files. We analyze the performance of our scheme against our claim of the scheme being light weight. The security analysis yields that our scheme assures a higher level of security as compared to other existing schemes.

Forward Secure Public Key Encryption with Keyword Search for Outsourced Cloud Storage

Abstract: Cloud storage has become a primary industry in remote data management service but also attracts security concerns, where the best available approach for preventing data disclosure is encryption. Among them the public key encryption with keyword search (PKSE) is considered to be a promising technique, since clients can efficiently search over encrypted data files. That is, a client first generates a search token when to query data files, the cloud server uses the search token to proceed the query over encrypted data files. However, a serious attack is raised when PKSE meets cloud. Formally speaking, the cloud server can learn the information of a newly added encrypted data file containing the keyword that previously queried by using the search tokens it has received, and can further discover the privacy information. To address this issue, we propose a forward secure public key searchable encryption scheme, in which a cloud server cannot learn any information about a newly added encrypted data file containing the keyword that previously queried. To better understand the design principle, we introduce a framework for constructing forward secure public key searchable encryption schemes based on attribute-based searchable encryption. Finally, the experiments show our scheme is efficient.

No-Reference Quality Evaluator of Transparently Encrypted Images

Abstract: In past years, various encrypted algorithms have been proposed to fully or partially protect the multimedia content in view of practical applications. In the context of digital TV broadcasting, transparent encryption only protects partial content and fulfills both security and quality requirements. To date, only a few reference-based works have been reported to evaluate the quality of transparently encrypted images. However, these works are incapable of reference-unavailable conditions. In this paper, we conduct the first attempt that proposes a novel quality evaluator in the absence of reference images. The key strategy of the proposed metric lies in extracting features by considering the motivation of transparently encrypted images. Specifically, given that encrypted images prevent content from being easily recognized, several features, including correlation coefficient, information entropy, and intensity statistic, are preliminarily extracted to estimate visual recognizability. Meanwhile, considering that encrypted images are avoided since they are of extremely low quality, we also capture many features to measure the distortions on multiple quality-sensitive image attributes, such as naturalness, structure, and texture. Finally, the quality evaluator is built by bridging all extracted features and corresponding quality scores via a regression module. Experimental results demonstrate that the proposed method is superior to the mainstream no-reference quality evaluation methods designed for synthetically distorted images and possesses a close approximation to state-of-the-art reference-based methods designed for encrypted images.

Enhanced secure sharing of PHR’s in cloud using user usage based attribute based encryption and signature with keyword search

Abstract: Cloud based Personal health record (PHR) is an emerging cloud based platform for exchanging a person’s health information in a secure manner. There occur many security issues when records of the data owners are outsourced through the third party cloud providers. The health records which are sensitive must be stored and retrieved through a secure source without any loss in the data. Nevertheless sharing and searching of the data is the key aspect, but when it is outsourced undeniably it is a cumbersome task. It may lead to unveil the sensitive information and so the records may become vulnerable to the hackers. In this report, we have suggested a novel access control structure called as user usage based encryption constructed on the searchable attribute based encryption to guarantee the data protection. Usage is mapped as credential with a time frame to every private attribute. The data user can decipher a fortified attribute only if there is a match between the credentials associated with the attribute. Using the feature extraction algorithm the searchable encryption scheme enables a consistent routing of encrypted attributes. Multi-Credential routing is applied to strengthen the confidentiality of the fragile records. We allow the data user to perpetuate the credentials according to their usage criteria also the user receives the keys as labels along with the credentials. The data owner will be able to associate each enciphered attribute with a set of credentials. Before beginning the encryption scheme we apply the singular value decomposition algorithm to the unutilized or less used attributes to reduce the attribute set. Additionally the data user confidentiality pitfalls are tackled using the semantic clustering of data user. To preserve the data user confidentiality reliable overlay privacy preserving protocol is designed. We manifest a complete security analysis so that our recommended system dominates the up to date approaches in terms of communication and ciphering cost.

Facilitating Secure and Efficient Spatial Query Processing on the Cloud

Abstract: Database outsourcing is a common cloud computing paradigm that allows data owners to take advantage of its on-demand storage and computational resources. The main challenge is maintaining data confidentiality with respect to untrusted parties i.e., cloud service provider, as well as providing relevant query results in real-time to authenticated users. Existing approaches either compromise confidentiality of the data or suffer from high communication cost between the server and the user. To overcome this problem, we propose a dual transformation and encryption scheme for spatial data, where encrypted queries are executed entirely at the service provider on the encrypted database and encrypted results are returned to the user. The user issues encrypted spatial range queries to the service provider and then uses the encryption key to decrypt the query response returned. This allows a balance between the security of data and efficient query response as the queries are processed on encrypted data at the cloud server. Moreover, we compare with existing approaches on large datasets and show that this approach reduces the average query communication cost between the authorized user and service provider, as only a single round of communication is required by the proposed approach.

Atlas: Application Confidentiality in Compromised Embedded Systems

Abstract: Due to the requirements of the Internet-of-Things, modern embedded systems have become increasingly complex, running different applications. In order to protect their intellectual property as well as the confidentiality of sensitive data they process, these applications have to be isolated from each other. Traditional memory protection and memory management units provide such isolation, but rely on operating system support for their configuration. However, modern operating systems tend to be vulnerable and cannot guarantee confidentiality when compromised. We present Atlas, a hardware-based security architecture, complementary to traditional memory protection mechanisms, ensuring code and data confidentiality through transparent encryption, even when the system software has been exploited. Atlas relies on its zero-software trusted computing base to protect against system-level attackers and also supports secure shared memory. We implemented Atlas based on the LEON3 softcore processor, including toolchain extensions for developers. Our FPGA-based evaluation shows minimal cycle overhead at the cost of a reduced maximum frequency.

Fuzzy matching: multi-authority attribute searchable encryption without central authority

Abstract: Attribute-based keyword search (ABKS) supports the access control on the search result based upon fuzzy identity over encrypted data, when the search operation is performed over outsourced encrypted data in cloud. However, almost ABKS schemes trust a single authority to monitor the attribute key for users. In practice, we usually have different entities responsible for monitoring different attribute keys to a user. Thus, it is not realistic to trust a single authority to monitor all attributes keys for ABKS scheme in practical situation. Although a large body of ABKS schemes have been proposed, few works have been done on multi-authority attribute searchable encryption. We propose a multi-authority attribute searchable encryption without central authority in this paper. Comparing previous ABKS schemes, we extend the single-authority ABKS scheme to multi-authority ABKS scheme and remove the central authority in multi-authority ABKS scheme. We analyze our scheme in terms of security and efficiency.

A high-speed key management method for quantum key distribution network

Abstract: Quantum Key Distribution (QKD) is a technique for sharing encryption keys between two adjacent nodes. It provides unconditional secure communication based on the laws of physics. From the viewpoint of network research, QKD is considered to be a component for providing secure communication in network systems. A QKD network enables each node to exchange encryption keys with arbitrary nodes. However previous research did not focus on the processing speed of the key management method essential for a QKD network. This paper focuses on the key management method assuming a high-speed QKD system for which we clarify the design, propose a high-speed method, and evaluate the throughput. The proposed method consists of four modules: (1) local key manager handling the keys generated by QKD, (2) one-time pad tunnel manager establishing the transparent encryption link, (3) global key manager generating the keys for application communication, and (4) web API providing keys to the application. The proposed method was implemented in software and evaluated by emulating QKD key generation and application key consumption. The evaluation result reveals that it is capable of handling the encryption keys at a speed of 414 Mb/s, 185 Mb/s, 85 Mb/s and 971 Mb/s, for local key manager, one-time pad tunnel manager, global key manager and web API, respectively. These are sufficient for integration with a high-speed QKD system. Furthermore, the method allows the high-speed QKD system consisting of two nodes to expand corresponding to the size of the QKD network without losing the speed advantage.

Multi-level encryption of tokenized protected data

Abstract: A system uses a multi-level encryption and tokenization mechanism to allow for fields of a larger object to be individually tokenized and encrypted. Protected data is encrypted using an encryption key and a generated token is displayed in its place. The encryption key is then encrypted using a secondary key. To dereference a token, a requesting application provides the token and associated context to a token service, which searches a token store for a record having both the token and the context. If such a record is located, the token service generates a secondary key and decrypts the encryption key. The decrypted encryption key then decrypts the protected data and transmits the data to the requesting application.

Field bus channel encryption method in water conservancy automation control system

Abstract: The invention discloses a field bus channel encryption method in a water conservancy automatic control system. The method realizes the transparent encryption of a protocol data unit by deploying a hardware encryption gateway between automatic control equipment and a field bus. In a hardware encryption gateway, a hybrid encryption scheme combining a domestic symmetric encryption algorithm and an asymmetric encryption algorithm is adopted. The functions of automatic control equipment identity verification, field bus communication data security and protocol packet integrity verification are realized. The unauthorized illegal equipment is effectively prevented from monitoring, intercepting and tampering data monitoring and control information on a channel of the field bus, high resistance to man-in-the-middle attacks is achieved, and safety risks caused by invasion of the channel of the field bus in a water conservancy automation control system are reduced. The hardware encryption gatewaycan be seamlessly connected to a field bus of an existing water conservancy automation control system at present, and has high equipment compatibility and universality.

Application data unit encryption method in water conservancy industrial control system

Abstract: The invention discloses an application data unit encryption method in a water conservancy industrial control system, which realizes transparent encryption of the application data unit by installing anencryption agent program between an application program of the water conservancy industrial control system and a field bus communication program. In an encryption agent program, an encryption schemebased on a domestic symmetric encryption algorithm is adopted to achieve functions of control equipment identity verification, field bus communication data secrecy and protocol packet integrity verification; unauthorized illegal equipment is effectively prevented from monitoring, intercepting and tampering data monitoring and control information on a channel of the field bus, high resistance to man-in-the-middle attacks is achieved, and safety risks caused by invasion of the channel of the field bus in a water conservancy automation control system are reduced. The encryption agent program canbe seamlessly accessed to an existing water conservancy industrial control system at present, and has high equipment compatibility and universality.

An OPENSTACK volume encryption method based on hardware encryption card

Abstract: The invention relates to the security and secrecy field of cloud computing, in particular to an OPENSTACK volume encryption method based on a hardware encryption card. In the cloud environment constructed by the OpenStack, the invention introduces a hardware cipher card, reconstructs a volume encryption module in the OpenStack, realizes transparent encryption and decryption of the OpenStack volumeby using a hardware encryption algorithm, and enhances the security of the OpenStack volume data.

Plc security processing unit and bus arbitration method thereof

Abstract: The present invention relates to a PLC security processing unit and a bus arbitration method thereof, for use to provide an active defense means for a PLC by constructing PLC hardware and software security layers. In a hardware security layer, some hardware processing mechanisms are added to support trusted measurement, an encryption algorithm, and a signature algorithm, and the virtualization isolation technology is used; in a software security layer, transparent encryption and decryption, integrity verification, backup recovery, and a virtualization isolation security mechanism are provided. Improvement is made on security processing to achieve the purpose of security and reliability. According to the present invention, a trusted environment of a PLC can be correctly created to ensure that the PLC is booted through a strictly verified path. A new STAR trust structure is designed, loss during information transfer is reduced, and the efficiency of information transfer is improved.

Electronic trading system based on underlying translation

Abstract: The invention discloses an electronic trading system based on underlying translation. The system comprises a supply side, an application side, a server side, master control software and a database. The supply side provides digital products such as development codes, model resources and the like, and a process of the electronic trading system; when the supply side provides the corresponding productfor an application user, a content is not directly provided first, but a set of corresponding sandboxed pseudo content is provided, for example, a pseudo code is provided for the development code, apseudo model after transparent encryption is provided for the model resources; the application side comprises a sandbox analysis tool, when the pseudo code or the pseudo model is used locally, the master control software issues a dynamic replacement instruction to the content of the pseudo code or the pseudo model in a local execution process, when the pseudo code or pseudo model is compiled and used, the content is recovered to the real original content according to a corresponding relation of a mapping library for recompiling or execution, so that a mode that the application side is available but not available is achieved, and head codes are inserted for control, debugging and secondary development.

An Android file transparent encryption and decryption method based on a hook

Abstract: The invention provides an Android file transparent encryption and decryption method based on a hook. Security protection such as checking prevention, scanning prevention and leakage prevention is carried out on a sensitive file. Inline-is used in the invention. According to the hook technology, a code instruction in a memory is directly modified to skip a hook function, so that the problem of a PLT hook is well solved; Combination inline The hook technology is used for re-packaging the file operation interface; and the file is encrypted in combination with the national cryptographic block symmetric cryptographic algorithm SM4, so that various attacks for the block cryptographic algorithm can be effectively resisted, and meanwhile, the whole platform architecture of Android can be well supported.

Confused Memory Read Attracts Synthetic Diffusion on the Fly - A Lightweight Image Encryption for IoT Platform.

Abstract: The analogous growth of threat and data communication among the connected devices invites specialised security algorithms for Internet of Things (IoT). The minimal computational capabilities and resource constraints of the processing devices used in IoT architecture do not afford the overhead incurred by the conventional encryption schemes. This paper proposes a lightweight image encryption algorithm that can be realised as an embedded software to run on microcontroller architectures suitable for IoT applications. The proposed algorithm uses the pseudo-random numbers produced by the Linear Feedback Shift Register (LFSR) to perform inherent confusion on the fly via random memory read. A synthetic image generated by extracting the random bits produced by the digitised Lorenz attractor has been used to diffuse the confused pixels on the fly. The proposed algorithm has been realised as embedded software to run on microcontrollers suitable for Internet of Things (IoT) applications. The proposed algorithm achieves better results than similar reliable encryption schemes in terms of security parameters such as entropy, correlation, histogram, PSNR, NPCR and UACI. Further, eliminating the storage of confusion and diffusion key beside the storage of encrypted image employing on the fly encryption process proposed in our algorithm reduces the demand on RAM for about 48 KB as compared to the conventional storage-based encryption schemes.

office file transparent encryption and decryption method and system

Abstract: The invention provides an office file transparent encryption and decryption method, which comprises the following steps of: adding a transparent encryption and decryption process and a daemon processin a terminal program, and mutually monitoring the transparent encryption and decryption process and the daemon process; Reading the certificate information in the Key into a process memory through the daemon process; When a terminal user opens a controlled file, a file flow is captured through a hook technology, a transparent encryption and decryption process calls a corresponding decryption program according to the file type of the file flow, and certificate information in a process memory is used for decrypting the file flow; And when the terminal user stores the controlled file, calling acorresponding encryption program by the transparent encryption and decryption process according to the file type of the file flow, and encrypting the file flow by using the certificate information inthe process memory. The method has the advantages that different encryption and decryption operations can be carried out on different types of files, documents, programs and the like can be effectively prevented from being maliciously tampered, and the safety of the files and the data on the terminal can be effectively guaranteed.

A trusted laminated file encryption and decryption method

Abstract: The invention relates to a credible laminated file encryption and decryption method, which is applied to a credible system, and can execute transparent encryption and decryption operation on a specified file path according to the actual needs of a user, so that the operation flexibility is improved, and the safety and the stability of the system are improved at the same time.

A method for remotely starting Oracle transparent encryption

Abstract: The invention discloses a method for remotely starting Oracle transparent encryption. The method comprises a database server, a transparent encryption management server, a plurality of application side servers and a plurality of client side hosts, wherein the database server is respectively in data connection with the transparent encryption management server and each application end server, and each application end server is respectively in data connection with each client end host. The method has the advantages that the security or availability risk caused by the Agent is avoided; the Oracletransparent encryption can be started without any influence on database application under the condition of no database stop.

Trusted encryption and decryption method

Abstract: The invention relates to a trusted encryption and decryption method. The method is applied to a trusted system. a core area of the system is subjected to full-disk transparent encryption and decryption; According to the credible encryption method, selective transparent encryption and decryption can be achieved, flexible encryption and decryption are achieved on the basis that encryption and decryption efficiency is considered, user participation is not needed in the encryption and decryption process, and the experience and the system safety are improved.

Research and Application of Transparent File Encryption Technology on Android Platform

Abstract: Aiming at the data security problem of Android platform, a transparent encryption system based on file filter driver is designed and implemented, according to the technology of file transparent encryption and decryption system based on hook transparent encryption technology and file filtering driven transparent encryption technology used on windows platform. This system is different from the traditional APP development method of Android system. By intercepting the system call function and using the secret-key converted from the host MAC address, the encryption and decryption algorithm is written into the kernel, which fundamentally guarantees the security of user information. At the same time, the user's security experience is improved by putting authentication on the screen unlocking. The system design and implementation are described in this paper from system requirement analysis to overall design and detailed design of each module. Android application development technology and cross-compiling principle are used in the coding process. The system test results show that the system can effectively transparently encrypt files and protect the privacy of mobile files.

An Efficient Implementation of Multi-interface SSD Controller on SoC

Abstract: This paper designs a high-performance multi-interface SSD controller built on Xilinx SoC. An efficient firmware is also implemented, which is elaborate to cooperate with the hardware. Parallelism techniques, such as plane-level, die-level, chip-level and channel-level, are used for improving performance. The system has hard real-time performance of sequential writing, with the minimum bad block management and wear-leveling policy to balance performance and lifetime. A transparent encryption is proposed to guarantee high security storage, that is, connecting an AES-256 core and a RAID core with DMA engine in series. Performance evaluation of physical hardware shows that writing speed can exceed 100 MiB/sec for every logical channel which combines 8 NAND Flash chips.

A trusted full-disk encryption and decryption method

Abstract: The invention relates to a trusted full-disk encryption and decryption method. The method is applied to the trusted system, full-disk transparent encryption and decryption are carried out on a core area of the system, transparent encryption and decryption of a designated hard disk partition can be achieved through the trusted encryption method, high encryption and decryption efficiency is achieved, user participation is not needed in the encryption and decryption process, and the experience and the system safety are improved.

OpenStack system with block storage encryption function and application method thereof

Abstract: The invention discloses an OpenStack system with a block storage encryption function and an application method thereof. The OpenStack system comprises a control node, a computing node and hardware storage and block storage encryption equipment. The control node integrates a Cinder encryption storage plug-in so as to process the Openstack block storage management request. The block storage resources provided by the hardware storage are provided for the virtual machine of the computing node for use through a block storage encryption device matched with the encrypted storage plug-in, and the block storage encryption device is used for transparently encrypting and decrypting the block storage data. According to the invention, transparent encryption and decryption of Openstack Cinder block storage data can be realized. The block storage encryption equipment can prevent block storage data from being maliciously stolen and tampered, has the advantage of good compatibility, uses the hardware encryption card to transparently encrypt and decrypt the block storage data, and is high in encryption and decryption performance and good in data security compared with a software implementation mode.

Database data safety management method and system

Abstract: The invention relates to the technical field of information safety, and discloses a database data safety management method. The method comprises the following steps: receiving a database access request sent by a client, carrying out legality verification on the database access request, and sending the database access request to a key management system when the verification is passed; and receivingauthorization information returned by the key management system in response to the database access request, obtaining a data key according to the authorization information, and performing transparentencryption and/or decryption operation on a database file by utilizing the data key. According to the invention, transparent encryption and decryption operation is carried out by using the data key from the system file level, so that the quickness of data encryption and decryption can be ensured; and the permission of the data key is controlled through the key management system, so that the safety is considered under the condition of ensuring the data encryption and decryption rapidness. The invention further discloses a database data safety management system.

File transparent encryption and decryption method and system based on domestic operating system

Abstract: The invention provides a file transparent encryption and decryption method and system based on a domestic operating system. The system comprises a file system calling interface, a file redirection module, a VFS system, a stacked encryption file system, a real file system and a disk system. The file redirection module is used for redirecting files; wherein the stacked encrypted file system is deployed in a domestic operating system kernel layer to intercept and check an access request of a file, and the stacked encrypted file system is formed by inserting a layer of file system driver between aVFS system and a real file system and is used for calling a real file system interface to realize the access request of the file; and the stacked encrypted file system calls the file permission control module to control the file access permission. According to the scheme provided by the invention, the ciphertext is prevented from being divulged under an unauthorized condition, and the operation safety can be ensured.

Hierarchical key technology supporting searchable transparent encryption

Abstract: The invention provides a hierarchical key generation method and system supporting searchable encryption, and the method employs a multi-layer key, and the first layer is a root key K; the second layercomprises a master key KM1 for encrypting the index and the query keyword, a master key KM2 for encrypting the document directory, a master key KM3 for encrypting the document permission and a masterkey KM4 for encrypting the document; the third layer is a secondary key and comprises an index and query keyword public key KI, a private key SK, a document directory key KD, a document permission public key KA, a private key ASK and a document key KF; a fourth layer is a working key, and comprises indexing and inquiring a keyword working key set {KIW1, ..., KIWn1} and a trap door key {QW1,..., QWn2}, a directory working key set {KDW1,..., KDWn3}, a document permission working key {KAW1,..., KAWn} and a trap door key {QAW1,..., QAWn}, and a document encryption working key set {KFW1,..., KFWn}; and the fifth layer is a document fragmentation encryption key set {KFSi1,..., KFSin4}. According to the invention, the multi-layer key is adopted to effectively resist against opponent attacks.

Method and system for processing counterfeiting process in file transparent encryption and decryption system

Abstract: The invention discloses a method for processing a forged process in a file transparent encryption and decryption system, which comprises the following steps that: a client acquires a started process and acquires a process name of the process; the client queries whether an acquired process name exists in a credit database of the client or not; if so, the client extracts fingerprint information of the process and inquires whether the fingerprint information exists in the credit database of the client or not, if not, the client sends the attribute information of the client, the attribute information of the process and the fingerprint information to the server, operation of the process is blocked, and the server judges whether the fingerprint information of the process sent by the client can be inquired in the credit database of the server or not. According to the invention, the technical problems of poor usability, large maintenance workload, passivity in solving problems, incapability ofdetecting threats, and incapability of divulging secrets and obtaining evidences in a process fingerprint-based identification mode widely used by an existing file transparent encryption and decryption system can be solved.