2014, Graf, Sebastian

Our life without Internet-based services is hard to imagine: We search for information with Google, share thoughts on Facebook, buy at Amazon and store our pictures on Flickr. Many of these Internet-based services focus on easy exchange of information, providing comfortable and ubiquitous storage and sharing. Relieved from hardware purchases, software bug fixes and infrastructure maintenance, users as well as companies use these cloud-based stores either for free or at low-cost. The price is the implicit grant of full access to all their sensitive data.


The stored data naturally represents a huge pool of easily accessible and alluring information for cloud providers. Customer questions like “Who accesses my information?” (representing the aspect of confidentiality), “Who altered my data?” (requiring accountability), “Is my data still intact?” (focusing on integrity) or “What happens if the cloud is unavailable?” can rarely be answered in an obligingly and honest way. Answering these questions is challenging since security measures seldom cover all security aims at once. Furthermore, the cloud is used with all kinds of data, wishing their unique characteristics to be respected.


Each of these questions above is transformed closer to an answer in this thesis resulting in an architecture jointly satisfying all the denoted security aims. A versatile key management offers flexible group shares by providing fine-grained access on end-to-end encrypted data. The keys furthermore enable time-based access on versioned storage and are provisioned over the cloud itself without harming confidentiality. Versioning of the data protects accountability in storage. This is tailored to the remote location offering auto-configured checks, constant reconstruction and evened out transfer rates of change sets. The versioning is provided by a sophisticated bucket structure. Hierarchically ordered data provides recursive integrity checks and atomic operations covering multiple buckets. Providing automatic protection of integrity and accountability, the resulting bucket arrangement is implemented by data containers offering storage of all kinds of data. Results show that the storage of blocks, files and even XML in its structural representation becomes possible. The result is a conceptually simple, transparent, yet powerful architecture to bring data securely and efficient to the cloud. The extensibility of the architecture is proven by taking advantage of photo sharing websites as No-SQL stores to shake up the closed market of expensive No-SQL cloud storage providers.


Besides these contributions guarding security on a technical level, this thesis provides an outlook exceeding the area of computer science. The architecture is interpreted from the legal point of view not only increasing confidence in the techniques developed. The resulting mapping offers a bridge between computer scientist and legal experts to exchange knowledge about necessary measures. The need for this cooperation increases as intransparent, maybe even illegal, access to Internet-stored data seem to become the favorite pass-time of governments around the world.