Versatile Key Management for Secure Cloud Storage
2012-10, Graf, Sebastian, Lang, Patrick, Hohenadel, Stefan, Waldvogel, Marcel
Not only does storing data in the cloud utilize specialized infrastructures facilitating immense scalability and high availability, but it also offers a convenient way to share any information with user-defined third parties. However, storing data on the infrastructure of commercial third-party providers demands trust and confidence. Simple approaches, like merely encrypting the data by providing encryption keys, which at most consist of a shared secret supporting rudimentary data sharing, do not support evolving sets of accessing clients to common data. Based on approaches from the area of stream-encryption, we propose an adaption for enabling scalable and flexible key management within heterogeneous environments like cloud scenarios. Representing access-rights as a graph, we distinguish between the keys used for encrypting hierarchical data and the encrypted updates on the keys enabling flexible join-/leave-operations of clients. This distinction allows us to utilize the high availability of the cloud as updating mechanism without harming confidentiality. Our graph-based key management results in an adaption of nodes related to the changed key. The updates on the keys again continuously create an overhead related to the number of these updated nodes. The proposed scalable approach utilizes cloud-based infrastructures for confidential data and key sharing in collaborative workflows supporting variable client-sets.
Hecate, Managing Authorization with RESTful XML
2011, Graf, Sebastian, Zholudev, Vyacheslav, Lewandowski, Lukas, Waldvogel, Marcel
The potential of REST offers new ways for communication between loosely coupled entities featured through the Web of Things. The binding of the disjunct components of this architecture creates security issues, such as the centralized authorization techniques respecting the independence of the underlying entities. This results in the question of how authorization is performed respecting the flexibility of REST without any knowledge about the underlying resources. Nevertheless, possible knowledge about these resources should enable the authorization workflow to offer finer-granular permissions on substructures of the resources. With our new approach, which we named Hecate, we offer a framework to assure simplified handling while keeping the potential and flexibility of REST. We have designed an architecture based on XML with a flexible authorization mechanism on the one hand and optional resource-awareness on the other hand. The flexibility within the authorization workflow is based on permission sets respecting the HTTP verbs. Additional in-depth knowledge of the entity optionally extends these permissions with resource-aware filters. Hecate offers not only great benefits because of its flexibility, but also because of the optional extensibility proved within the two reference implementations. With Hecate, we show that a centralized authorization mechanism combining independence and optional resource-based filtering extends the flexibility of REST rather than restricting it.
Integrity Assurance for RESTful XML
2010, Graf, Sebastian, Lewandowski, Lukas, Waldvogel, Marcel
The REpresentational State Transfer (REST) represents an extensible, easy and elegant architecture for accessing web-based resources. REST alone and in combination with XML is fast gaining momentum in a diverse set of web applications. REST is stateless, as is HTTP on which it is built. For many applications, this is not enough, especially in the context of concurrent access and the increasing need for auditing and accountability. We present a lightweight mechanism which allows the application to control the integrity of the underlying resources in a simple, yet flexible manner. Based on an opportunistic locking approach, we show in this paper that XML does not only act as an extensible and directly accessible backend that ensures easy modifications due to the allocation of nodes, but also gives scalable possibilities to perform on-the-fly integrity verification based on the tree structure.
PERFIDIX : a Generic Java Benchmarking Tool
2007, Kramis, Marc, Onea, Alexander, Graf, Sebastian
PERFIDIX shows an easy way to benchmark your code. Unlike heavy-load profilers, PERFIDIX comes in an easy-to-use way based on the proven usage of JUnit Testcases. This short paper describes the current work-in-progress of the PERFIDIX 1.0 release.
A legal and technical perspective on secure cloud storage
2012, Graf, Sebastian, Eisele, Jörg, Waldvogel, Marcel, Strittmatter, Marc
Public cloud infrastructures represent alluring storage platforms supporting easy and flexible, location-independent access to the hosted information without any hassle for maintaining own infrastructures.
Already widely established and utilized by end-users as well as by institutions, the hosting of data on untrusted platforms, containing private and confidential information, generates concerns about the security. Technical measures establishing security rely thereby on the technical applicability. As a consequence, legal regulations must be applied to cover those measures even beyond this technical applicability.
This paper provides an evaluation of technical measures combined with legal aspects representing a guideline for secure cloud storage for end-users as well as for institutions. Based upon current approaches providing secure data storage on a technical level, German laws are applied and discussed to give an overview about correct treatment of even confidential data stored securely in the cloud.
As a result, a set of technical possibilities applied on fixed defined security requirements is presented and discussed. These technical measures are extended by legal aspects which must be provided from the site of the hosting Cloud Service Provider.
The presented combination of the technical and the legal perspective on secure cloud storage enables end-users as well as hosting institutions to store their data securely in the cloud in an accountable and transparent way.
Treetank, Designing A Versioned XML Storage
2011, Graf, Sebastian, Kramis, Marc, Waldvogel, Marcel
XML underlies the same constant modification scenarios like any other resource especially in flexible environments like the WWW. Therefore intelligent handlings of versioned XML are mandatory. Due to the structural nature of XML, the efficient storage of changes in the data and therefore in the tree needs new paradigms regarding efficient storage and effective retrieval operations. We present a node-granular XML versioning approach which relies on the independence of the storage and the versioning system. Different layers which have the ability to satisfy specific aspects of a node-granular versioning storage guarantee this independence. Results prove that our architecture offers efficient handling of consecutive changes within all modification scenarios while not restricting XML regarding its usage. Hence, our prototype system handles even huge XML instances while ensuring equal access to each revision of the data.
Distributing XML with focus on parallel evaluation
2008, Graf, Sebastian, Kramis, Marc, Waldvogel, Marcel
In contrast to relational databases the distribution of document-centric XML is not well researched. While there are some suggestions on how to split and distribute large XML documents, these approaches do not consider the parallel query evaluation. In this paper, we present and compare five different algorithms to search after suitable split nodes in a large XML document. We then describe how to distribute extractable sub-structures over a fixed number of peers and how to query these peers in parallel to retrieve the final result. In addition, we analyse the impact of our splitting algorithms with respect to scalability for two different XPath expression classes on three well-known XML data sets. We conclude this paper with an outlook on future work, including result ordering during parallel query execution and dynamic re-distribution of XML fragments to new peers due to updates.
A secure cloud gateway based upon XML and web services
2011, Graf, Sebastian
Storing data in the cloud offers a scalable and easy way to handle large amounts of data guaranteeing availability and scalability by the hosting Cloud Service Providers. The price for the gained availability is uncertainness about the integrity and confidentiality of the data. Even if common approaches provide high availability and end-to-end encryption necessary to achieve Availability and Confidentiality as security goals, other security requirements like Integrity and Accountability are neglected. The key management of those clients for encrypting data to satisfy Confidentiality must furthermore support join-/leave-operations within the client set. This work presents an architecture for a secure cloud gateway satisfying the common security goals Availability, Confidentiality, Integrity and Accountability. Mapping these security goals, XML as storage base is equipped with recursive integrity checks, encryption and versioning based on the native XML storage Treetank. A Key Manager extends this approach to provide the deployment of multiple clients sharing keys to the storage in a secure way. New key material is pushed to a server instance deployed as Platform-as-a-Service (PaaS) propagating this update to the clients. The server furthermore applies integrity checks on encrypted data within transfer and storage. Any communication between client, server and Key Manager relies on fixed defined workflows based upon web services. The proposed architecture called SecureCG thereby enables collaborative work on shared cloud storages within multiple clients ensuring confidentiality, consistency and availability of the stored data.
Rolling Boles, Optimal XML Structure Integrity for Updating Operations
2011, Graf, Sebastian, Belle, Sebastian Kay, Waldvogel, Marcel
While multiple techniques exist to utilize the tree structure of the Extensible Markup Language (XML) regarding integrity checks, they all rely on adaptions of the Merkle Tree: All children are acting as one slice regarding the checksum of one node with the help of a one-way hash concatenation. This results in postorder traversals regarding the (re-)computation of the integrity structure within modification operations. With our approach we perform nearly in-time updates of the entire integrity structure. We therefore equipped an XHash-based approach with an incremental hash function. This replaces postorder traversals by adapting only the incremental modifications to the checksums of a node and its ancestors. With experimental results we prove that our approach only generates a constant overhead depending on the depth of the tree while native DOMHash implementations produce an overhead based on the depth and the number of all nodes in the tree. Consequently, our approach called Rolling Boles generates sustainable impact since it facilitates instant integrity updates in constant time.
jSCSI - A Java iSCSI Initiator
2007, Kramis, Marc, Wildi, Volker, Lemke, Bastian, Graf, Sebastian, Janetzko, Halldor, Waldvogel, Marcel
jSCSI represents an initiator implementation of the iSCSI standard. This short paper describes the current work-in-progress of the jSCSI 1.0 release and gives first benchmarks as well as an outlook for upcoming releases.