Wenfeng Zhou

CR · 3 papers · 9 citations · Novelty 38% · AI Score 18

3 Papers

CR · Dec 1, 2019
On the Security of A Remote Cloud Storage Integrity Checking Protocol

Faen Zhang, Xinyu Fan, Pengcheng Zhou et al.

Data security and privacy is an important but challenging problem in cloud computing. One of the security concerns from cloud users is how to efficiently verify the integrity of their data stored on the cloud server. Third Party Auditing (TPA) is a new technique proposed in recent years to achieve this goal. In a recent paper (IEEE Transactions on Computers 62(2): 362-375 (2013)), Wang et al. proposed a highly efficient and scalable TPA protocol and also a Zero Knowledge Public Auditing protocol which can prevent offline guessing attacks. However, in this paper, we point out several security weaknesses in Wang et al.'s protocols: first, we show that an attacker can arbitrarily modify the cloud data without being detected by the auditor in the integrity checking process, and the attacker can achieve this goal even without knowing the content of the cloud data or any verification metadata maintained by the cloud server; secondly, we show that the Zero Knowledge Public Auditing protocol cannot achieve its design goal, that is, to prevent offline guessing attacks.

CR · Dec 1, 2019
Zero knowledge proofs for cloud storage integrity checking

Faen Zhang, Xinyu Fan, Pengcheng Zhou et al.

With the wide application of cloud storage, cloud security has become a crucial concern. Related works have addressed security issues such as data confidentiality and integrity, which ensure that the remotely stored data are well maintained by the cloud. However, how to define zero-knowledge proof algorithms for stored data integrity check has not been formally defined and investigated. We believe that it is important that the cloud server is unable to reveal any useful information about the stored data. In this paper, we introduce a novel definition of data privacy for integrity checks, which describes very high security of a zero-knowledge proof. We found that all other existing remote integrity proofs do not capture this feature. We provide a comprehensive study of data privacy and an integrity check algorithm that captures data integrity, confidentiality, privacy, and soundness.

CR · Dec 1, 2019
Purpose-based access policy on provenance and data algebra

Faen Zhang, Xinyu Fan, Wenfeng Zhou et al.

It is a crucial mechanism of access control to determine that data can only be accessed for allowed purposes. To achieve this mechanism, we propose purpose-based access policies in this paper. Different from provenance-based policies that determine if a piece of data can be accessed or not, purpose-based access policies determine for what purposes data can be accessed. Particularly, the purposes can be classified as different sensitivity levels. For the first time, we tailor policy algebras to include internal and external policy operators for hierarchical purposes, in order to merge purpose sets generated by individual policies. We also created external policy algebras to merge policies from multi-parties. With different types of testing experiments, our model is proved to be feasible and practical.