Graf, Sebastian

Last name: Graf
First name: Sebastian

Search results: Publications

Now showing 1 - 10 of 13
Publication

Utilizing Cloud Storages for iSCSI : Is Security really expensive?

2013, Graf, Sebastian, Rain, Andreas, Scharon, Daniel, Waldvogel, Marcel

Cloud storage promises unlimited, flexible and cheap storages, including all-time availability and accessibility with the help of various technologies. Free-of-charge offers for end users allure customers the same way as professional, pay-as-you-go storages do. The delocalization of the data provokes security concerns, especially regarding the confidentiality of the data. Even though encryption offers a straight-forward solution to this problem, the performance questions its applicability when it comes to the utilization of professional storage approaches like iSCSI. In this white-paper, we propose a utilization of NoSQL-based cloud storages like Amazon S3 or Microsoft Azure for iSCSI. We evaluate the costs of a direct, bucket-based encryption and show that in complex systems like iSCSI, the distance to the cloud represents the bottleneck instead of the encryption. Performance-boosting techniques like prefetching and caching improve the access and result in no practical overhead within such a utilization. Based on our own developed fully Java-based iSCSI target (jSCSI) and jClouds, our prototype represents, to the best of our knowledge, the first freely available, cloud-deployable iSCSI.

Publication

Versatile Key Management for Secure Cloud Storage

2012-10, Graf, Sebastian, Lang, Patrick, Hohenadel, Stefan, Waldvogel, Marcel

Not only does storing data in the cloud utilize specialized infrastructures facilitating immense scalability and high availability, but it also offers a convenient way to share any information with user-defined third parties. However, storing data on the infrastructure of commercial third-party providers demands trust and confidence. Simple approaches, like merely encrypting the data by providing encryption keys, which at most consist of a shared secret supporting rudimentary data sharing, do not support evolving sets of accessing clients to common data. Based on approaches from the area of stream-encryption, we propose an adaption for enabling scalable and flexible key management within heterogeneous environments like cloud scenarios. Representing access-rights as a graph, we distinguish between the keys used for encrypting hierarchical data and the encrypted updates on the keys enabling flexible join-/leave-operations of clients. This distinction allows us to utilize the high availability of the cloud as an updating mechanism without harming confidentiality. Our graph-based key management results in an adaption of nodes related to the changed key. The updates on the keys again continuously create an overhead related to the number of these updated nodes. The proposed scalable approach utilizes cloud-based infrastructures for confidential data and key sharing in collaborative workflows supporting variable client-sets.

Publication

Hecate, Managing Authorization with RESTful XML

2011, Graf, Sebastian, Zholudev, Vyacheslav, Lewandowski, Lukas, Waldvogel, Marcel

The potentials of REST offer new ways for communications between loosely coupled entities featured through the Web of Things [12]. The binding of the disjunct components of this architecture creates security issues, such as the centralized authorization techniques respecting the independence of the underlying entities. This results in the question how authorization is performed respecting the flexibility of REST without any knowledge about the underlying resources. Nevertheless, possible knowledge about these resources should enable the authorization workflow to offer finer-granular permissions on substructures of the resources. With our new approach - we named Hecate - we offer a framework to assure simplified handling while keeping the potentials and flexibility of REST. We have designed an architecture based on XML with a flexible authorization mechanism on the one hand and optional resource-awareness on the other hand. The flexibility within the authorization workflow bases on permission sets respecting the HTTP verbs. Additional in-depth knowledge of the entity optionally extends these permissions with resource-aware filters. Hecate offers not only great benefits because of its flexibility, but also because of the optional extensibility proved within the two reference implementations. With Hecate, we show that a centralized authorization mechanism combining independence and optional resource-based filtering extends the flexibility of REST rather than restricting it.

Publication

Integrity Assurance for RESTful XML

2010, Graf, Sebastian, Lewandowski, Lukas, Waldvogel, Marcel

The REpresentational State Transfer (REST) represents an extensible, easy and elegant architecture for accessing web-based resources. REST alone and in combination with XML is fast gaining momentum in a diverse set of web applications. REST is stateless, as is HTTP on which it is built. For many applications, this is not enough, especially in the context of concurrent access and the increasing need for auditing and accountability. We present a lightweight mechanism which allows the application to control the integrity of the underlying resources in a simple, yet flexible manner. Based on an opportunistic locking approach, we show in this paper that XML does not only act as an extensible and direct accessible backend that ensures easy modifications due to the allocation of nodes, but also gives scalable possibilities to perform on-the-fly integrity verification based on the tree structure.

Publication

"You can find my CV on LinkedIn ..." - Privacy-Aware Distributed Social Networking for Research Facilities

2013, Graf, Sebastian, Rain, Andreas, Waldvogel, Marcel

Being a part of any social network becomes a necessity especially for the sake of self-presentation. Specialized social networks like LinkedIn are aware of these needs and offer tailored functionalities like referencing to relevant projects and topics including specific searching functionalities.
Since the social data stored within any centralized social network represents an alluring mass of information, security and privacy concerns come up within their utilization. As a consequence, guidelines for their usage are deployed within institutions to increase awareness related to these concerns. Unfortunately, the specific toolsets deployed within universities for presenting users and projects support neither the sharing of group-based or public information nor the ability to create social connections between users especially not over the borders of single institutions.
To combine the need of self-presentation with the ability of virtual social interaction, we present a prototype of a federated, distributed, social network tailored to the need of researchers. Our prototype is based on Diaspora, representing the largest distributed social platform nowadays. Enriched with automated, user-related profiles, our Diaspora-pod offers all members of the University of Konstanz the ability to interact in combination with automated university-profiles.
Tightly integrated in the existing infrastructure of the University of Konstanz and hosted on trusted infrastructure, the described prototype offers not only user-defined sharing of personal profiles in a federated way. It also leverages from the centralized handling of profiles and reduces as a consequence the administrative overhead of maintaining any personal information.
Based on its simple usage and the tight integration into the services of the University of Konstanz, our prototype has the potential to push university life to a new social level without generating concerns about security and privacy.

Publication

Versatile key management for secure cloud storage

2012, Graf, Sebastian, Lang, Patrick, Hohenadel, Stefan, Waldvogel, Marcel

Not only does storing data in the cloud utilize specialized infrastructures facilitating immense scalability and high availability, but it also offers a convenient way to share any information with user-defined third parties. However, storing data on the infrastructure of commercial third-party providers demands trust and confidence. Simple approaches, like merely encrypting the data by providing encryption keys, which at most consist of a shared secret supporting rudimentary data sharing, do not support evolving sets of accessing clients to common data. Based on approaches from the area of stream-encryption, we propose an adaption for enabling scalable and flexible key management within heterogeneous environments like cloud scenarios. Representing access-rights as a graph, we distinguish between the keys used for encrypting hierarchical data and the encrypted updates on the keys enabling flexible join-/leave-operations of clients. This distinction allows us to utilize the high availability of the cloud as an updating mechanism without harming confidentiality. Our graph-based key management results in an adaption of nodes related to the changed key. The updates on the keys again continuously create an overhead related to the number of these updated nodes. The proposed scalable approach utilizes cloud-based infrastructures for confidential data and key sharing in collaborative workflows supporting variable client-sets.

Publication

Treetank, Designing A Versioned XML Storage

2011, Graf, Sebastian, Kramis, Marc, Waldvogel, Marcel

XML underlies the same constant modification scenarios like any other resource, especially in flexible environments like the WWW. Therefore, intelligent handlings of versioned XML are mandatory. Due to the structural nature of XML, the efficient storage of changes in the data and therefore in the tree needs new paradigms regarding efficient storage and effective retrieval operations. We present a node-granular XML versioning approach which relies on the independence of the storage and the versioning system. Different layers which have the ability to satisfy specific aspects of a node-granular versioning storage guarantee this independence. Results prove that our architecture offers efficient handling of consecutive changes within all modification scenarios while not restricting XML regarding its usage. Hence, our prototype system handles even huge XML instances while ensuring equal access to each revision of the data.

Publication

Utilizing Photo Sharing Websites for Cloud Storage Backends

2013, Graf, Sebastian, Miller, Wolfgang, Waldvogel, Marcel

Cloud Storages combine high availability with the unnecessity to maintain any own infrastructure and all-time availability. A wide field of different providers offer a flexible portfolio for any technical need and financial possibility. Yet, the possibilities of different cloud storage providers have all one issue in common: Basic storage is cheap whereas the costs increase with the storage consumed adhering the pay-as-you-go paradigm. Photo sharing websites such as Facebook, Picasa-Web, and Flickr leverage from own cloud infrastructure and offer unlimited storage for less or no charge. Obviously pictures can be used to store information in, which has been used for steganography and watermarking at low data rates. We propose a general framework for storing large amounts of data, its data density and error-correcting mechanisms tunable to the properties of the photo sharing website of your choice. Our cost-performance-analysis shows that photo sharing websites compare favorably to professional cloud storage services such as Amazon S3. Thanks to the integration of our software as a backend to the widely-used jClouds framework, everyone can now use photo sharing websites as one component for low-cost purposes, including archival.

Publication

A legal and technical perspective on secure cloud storage

2012, Graf, Sebastian, Eisele, Jörg, Waldvogel, Marcel, Strittmatter, Marc

Public cloud infrastructures represent alluring storage platforms supporting easy and flexible, location-independent access to the hosted information without any hassle for maintaining own infrastructures.
Already widely established and utilized by end-users as well as by institutions, the hosting of data on untrusted platforms, containing private and confidential information, generates concerns about the security. Technical measures establishing security rely thereby on the technical applicability. As a consequence, legal regulations must be applied to cover those measures even beyond this technical applicability.
This paper provides an evaluation of technical measures combined with legal aspects representing a guideline for secure cloud storage for end-users as well as for institutions. Based upon current approaches providing secure data storage on a technical level, German laws are applied and discussed to give an overview about correct treatment of even confidential data stored securely in the cloud.
As a result, a set of technical possibilities applied on fixed defined security requirements is presented and discussed. These technical measures are extended by legal aspects which must be provided from the site of the hosting Cloud Service Provider.
The presented combination of the technical and the legal perspective on secure cloud storage enables end-users as well as hosting institutions to store their data securely in the cloud in an accountable and transparent way.

Publication

Rolling Boles, Optimal XML Structure Integrity for Updating Operations

2011, Graf, Sebastian, Belle, Sebastian Kay, Waldvogel, Marcel

While multiple techniques exist to utilize the tree structure of the Extensible Markup Language (XML) regarding integrity checks, they all rely on adaptions of the Merkle Tree: All children are acting as one slice regarding the checksum of one node with the help of a one-way hash concatenation. This results in postorder traversals regarding the (re-)computation of the integrity structure within modification operations. With our approach we perform nearly in-time updates of the entire integrity structure. We therefore equipped an XHash-based approach with an incremental hash function. This replaces postorder traversals by adapting only the incremental modifications to the checksums of a node and its ancestors. With experimental results we prove that our approach only generates a constant overhead depending on the depth of the tree while native DOMHash implementations produce an overhead based on the depth and the number of all nodes in the tree. Consequently, our approach called Rolling Boles generates sustainable impact since it facilitates instant integrity updates in constant time.