Flexible Secure Cloud Storage
2014, Graf, Sebastian
Our life without Internet-based services is hard to imagine: We search for information with Google, share thoughts on Facebook, buy at Amazon and store our pictures on Flickr. Many of these Internet-based services focus on easy exchange of information, providing comfortable and ubiquitous storage and sharing. Relieved from hardware purchases, software bug fixes and infrastructure maintenance, users as well as companies use these cloud-based stores either for free or at low cost. The price is the implicit grant of full access to all their sensitive data.
The stored data naturally represents a huge pool of easily accessible and alluring information for cloud providers. Customer questions like “Who accesses my information?” (representing the aspect of confidentiality), “Who altered my data?” (requiring accountability), “Is my data still intact?” (focusing on integrity) or “What happens if the cloud is unavailable?” can rarely be answered in an obliging and honest way. Answering these questions is challenging since security measures seldom cover all security aims at once. Furthermore, the cloud is used with all kinds of data, each with unique characteristics that should be respected.
Each of the questions above is brought closer to an answer in this thesis, resulting in an architecture jointly satisfying all the denoted security aims. A versatile key management offers flexible group shares by providing fine-grained access on end-to-end encrypted data. The keys furthermore enable time-based access on versioned storage and are provisioned over the cloud itself without harming confidentiality. Versioning of the data protects accountability in storage. This is tailored to the remote location, offering auto-configured checks, constant reconstruction and evened-out transfer rates of change sets. The versioning is provided by a sophisticated bucket structure. Hierarchically ordered data provides recursive integrity checks and atomic operations covering multiple buckets. Providing automatic protection of integrity and accountability, the resulting bucket arrangement is implemented by data containers offering storage of all kinds of data. Results show that the storage of blocks, files and even XML in its structural representation becomes possible. The result is a conceptually simple, transparent, yet powerful architecture to bring data securely and efficiently to the cloud. The extensibility of the architecture is proven by taking advantage of photo sharing websites as No-SQL stores to shake up the closed market of expensive No-SQL cloud storage providers.
Besides these contributions guarding security on a technical level, this thesis provides an outlook exceeding the area of computer science. The architecture is interpreted from the legal point of view, not only increasing confidence in the techniques developed. The resulting mapping also offers a bridge between computer scientists and legal experts to exchange knowledge about necessary measures. The need for this cooperation increases as non-transparent, maybe even illegal, access to Internet-stored data seems to become the favorite pastime of governments around the world.
"You can find my CV on LinkedIn ..." - Privacy-Aware Distributed Social Networking for Research Facilities
2013, Graf, Sebastian, Rain, Andreas, Waldvogel, Marcel
Being a part of any social network becomes a necessity especially for the sake of self-presentation. Specialized social networks like LinkedIn are aware of these needs and offer tailored functionalities like referencing to relevant projects and topics including specific searching functionalities.
Since the social data stored within any centralized social network represents an alluring mass of information, security and privacy concerns arise with their use. As a consequence, guidelines for their usage are deployed within institutions to increase awareness related to these concerns. Unfortunately, the specific toolsets deployed within universities for presenting users and projects support neither the sharing of group-based or public information nor the ability to create social connections between users, especially not across the borders of single institutions.
To combine the need for self-presentation with the ability of virtual social interaction, we present a prototype of a federated, distributed social network tailored to the needs of researchers. Our prototype is based on Diaspora, representing the largest distributed social platform nowadays. Enriched with automated, user-related profiles, our Diaspora-pod offers all members of the University of Konstanz the ability to interact in combination with automated university-profiles.
Tightly integrated in the existing infrastructure of the University of Konstanz and hosted on trusted infrastructure, the described prototype offers more than user-defined sharing of personal profiles in a federated way. It also benefits from the centralized handling of profiles and, as a consequence, reduces the administrative overhead of maintaining any personal information.
Based on its simple usage and the tight integration into the services of the University of Konstanz, our prototype has the potential to push university life to a new social level without generating concerns about security and privacy.
A legal and technical perspective on secure cloud storage
2012, Graf, Sebastian, Eisele, Jörg, Waldvogel, Marcel, Strittmatter, Marc
Public cloud infrastructures represent alluring storage platforms supporting easy and flexible, location-independent access to the hosted information without the hassle of maintaining one's own infrastructure.
Already widely established and utilized by end-users as well as by institutions, the hosting of data on untrusted platforms, containing private and confidential information, generates concerns about security. Technical measures establishing security rely thereby on the technical applicability. As a consequence, legal regulations must be applied to cover those measures even beyond this technical applicability.
This paper provides an evaluation of technical measures combined with legal aspects representing a guideline for secure cloud storage for end-users as well as for institutions. Based upon current approaches providing secure data storage on a technical level, German laws are applied and discussed to give an overview about correct treatment of even confidential data stored securely in the cloud.
As a result, a set of technical possibilities applied to fixed, defined security requirements is presented and discussed. These technical measures are extended by legal aspects which must be provided from the side of the hosting Cloud Service Provider.
The presented combination of the technical and the legal perspective on secure cloud storage enables end-users as well as hosting institutions to store their data securely in the cloud in an accountable and transparent way.