Cryptographically enforced access control for user data in untrusted clouds

Wang, Frank Yi-Fei

Author(s)

Wang, Frank Yi-Fei

DownloadFull printable version (683.6Kb)

Other Contributors

Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science.

Advisor

Nickolai Zeldovich and James Mickens.

Terms of use

M.I.T. theses are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any format is prohibited without written permission. See provided URL for inquiries about permission. http://dspace.mit.edu/handle/1721.1/7582

Metadata

Show full item record

Abstract

Modern web services rob users of low-level control over cloud storage; a user's single logical data set is scattered across multiple storage silos whose access controls are set by the web services, not users. The result is that users lack the ultimate authority to determine how their data is shared with other web services. In this thesis, we introduce Sieve, a new architecture for selectively exposing user data to third party web services in a provably secure manner. Sieve starts with a user-centric storage model: each user uploads encrypted data to a single cloud store, and by default, only the user knows the decryption keys. Given this storage model, Sieve defines an infrastructure to support rich, legacy web applications. Using attribute-based encryption, Sieve allows users to define intuitive, understandable access policies that are cryptographically enforceable. Using key homomorphism, Sieve can re-encrypt user data on storage providers in situ, revoking decryption keys from web services without revealing new ones to the storage provider. Using secret sharing and two-factor authentication, Sieve protects against the loss of user devices like smartphones and laptops. The result is that users can enjoy rich, legacy web applications, while benefiting from cryptographically strong controls over what data the services can access.

Description

Thesis: S.M., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2016.

This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.

Cataloged from student-submitted PDF version of thesis.

Includes bibliographical references (pages 55-60).

Date issued

2016

URI

http://hdl.handle.net/1721.1/103669

Department

Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science

Publisher

Massachusetts Institute of Technology

Keywords

Electrical Engineering and Computer Science.

Collections

Graduate Theses