
Cong Wang - Research on Cloud Computing Security



Overview

Today's ever-growing computing and networking technologies are enabling a fundamental paradigm shift in how people deploy and deliver computing services: computing outsourcing. While moving data and computing services to cloud-like infrastructures promises unprecedented benefits such as ubiquitous network access, rapid resource elasticity, and minimal management overhead, it simultaneously deprives users of direct control over the systems that manage their data and applications, making security and privacy the primary obstacles to public cloud adoption. My current research thus focuses on helping users regain confidence when deploying the most fundamental data and computing services, including data storage, data search, data sharing, and data computation outsourcing, on the commercial public cloud. To address these challenges, one needs a firm foundation in big data and system security, cloud computing, large-scale computing, information assurance, access control, and computer and mobile networks; I am interested in all these areas and always feel passionate about designing, measuring, and analyzing a broad range of security and privacy mechanisms to address related problems.

Secure and Proof-carrying Computation Outsourcing

A fundamental concern in moving computational workloads from private resources to the cloud is the protection of the confidential data that the computation consumes and produces. Secure computation outsourcing services are therefore greatly needed, not only to protect sensitive workload information but also to validate the integrity of the computation result. This is, however, a very difficult task because a number of challenges have to be met simultaneously. Firstly, such a service has to be practically feasible (immediate practicality) in terms of computational complexity. Secondly, it has to provide sound security guarantees without restrictive system assumptions. Thirdly, it has to enable substantial computational savings on the end user's side compared to the effort that would otherwise have to be committed to solve the problem locally. These challenges practically exclude the applicability of the existing techniques developed in the context of secure multi-party computation and fully homomorphic encryption.

With the above challenges in mind, our proposed approach is to understand the nature of an application and its security requirements and to develop application-specific solutions that are highly customized and achieve desirable trade-offs among privacy protection, performance, and other factors. We start from widely applicable engineering computing and optimization problems, which are essential for modern engineering designs, usually require a substantial amount of computational power, and involve confidential data. Aiming for a practical solution, our proposed methodology is to explicitly decompose computations into public programs running on the cloud and private data owned by the users. By organizing computation problems at various abstraction levels into a hierarchy, it is possible to leverage the structures of specific computations to achieve desirable trade-offs among security, efficiency, and practicality in a systematic manner. Critical applications that we are currently investigating include secure outsourcing of large-scale systems of linear equations, linear programming, and convex optimization in the cloud. The study would prepare a solid knowledge base and provide insights for further research on outsourcing more advanced computation problems.

Selected Related Publications

As data services are increasingly outsourced to the cloud for its greater flexibility and cost-efficiency, sensitive data has to be encrypted before outsourcing to combat unsolicited access in the cloud and beyond. However, encryption makes the deployment of traditional data utilization services, such as plaintext keyword search over textual data or queries over a database, a difficult task. Downloading all the data and decrypting it locally is clearly impractical. Moreover, aside from eliminating local storage management, storing data in the cloud serves no purpose unless the data can be easily searched and utilized. This necessitates developing effective search techniques over encrypted cloud data of massive scale. Such techniques should enable the critical search functionalities that have long been enjoyed in modern search engines over unencrypted data, like Google, Bing, etc. The adequacy of such techniques is essential to the long-term success of cloud services and the ultimate privacy protection of both individuals and organizations.

Our proposed research starts from enabling versatile keyword search over encrypted data that is highly usable, including functionalities like fuzzy tolerance, result ranking, multi-keyword search, similarity search, etc. Beyond textual data, we also propose to enable privacy-preserving search over all kinds of non-textual data, including search over graph-structured data, images, and/or multimedia, which are ubiquitous in modern life and are driving many new applications. Efficient techniques for searching such high-dimensional encrypted data have to be developed. Our ultimate goal is to enable rich search semantics in a privacy-preserving manner and to efficiently support the large-scale and distributed nature of cloud data.

Selected Related Publications

Secure and Dependable Storage Service in Public Cloud

Outsourcing storage to the cloud relieves data users of the burden of direct hardware and software management and the operational overhead therein. At the same time, though, cloud storage service also means relinquishing users' physical control of their outsourced data, which inevitably poses new security risks to the correctness of the data in the cloud. Traditional cryptographic primitives for storage correctness protection cannot be utilized, as they usually require a local copy of the data for integrity verification, which isn't viable when storage is outsourced. Besides, the large amount of cloud data and users' constrained computing capabilities further make the task of data correctness auditing in a cloud environment expensive and even formidable.

In light of the critical need for a unified storage auditing architecture for this nascent cloud economy to become fully established, our research aims to develop a secure cloud storage system supporting privacy-preserving third-party auditing, in which three indispensable design properties from a system-usability viewpoint are to be realized. Firstly, to allow a third-party auditor (TPA) to efficiently audit the cloud storage security, the design must be lightweight and must not introduce any online burden on the users. Secondly, for user data privacy and regulatory compliance, it must be guaranteed that no data information is leaked to the TPA during the data auditing process. Thirdly, given cloud data's dynamic features, the auditing mechanism must support fully dynamic data operations while satisfying the requirements of data integrity protection. For these research tasks, we are investigating/developing techniques such as proof of storage, homomorphic linear authenticator, random-masking sampling, sequence-enforced Merkle Hash Tree, and their various extensions/novel combinations.
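As an added illustration (not code from this page or from the author's publications), the sketch below shows how a plain Merkle hash tree lets a verifier audit outsourced blocks while holding only the root and the block count, with the challenged index fixing the hashing order so a block cannot be passed off at another position. It covers only the no-local-copy point: the challenged block is revealed to the verifier, so the TPA privacy property described above is not provided; function names and sample blocks are assumptions.

```python
import hashlib
import hmac

# Constructed sample data: five small "file blocks" held by the storage server.
BLOCKS = [f"block-{i}".encode() for i in range(5)]

def _h(tag, data):
    # Domain-separate leaves (0x00) from inner nodes (0x01).
    return hashlib.sha256(tag + data).digest()

def build_tree(blocks):
    """Return every tree level, leaves first; the last level is [root]."""
    level = [_h(b"\x00", b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        padded = level + [level[-1]] if len(level) % 2 else level
        level = [_h(b"\x01", padded[i] + padded[i + 1])
                 for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels

def prove(levels, index):
    """Server side: sibling hashes from leaf `index` up to the root."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append(level[sib] if sib < len(level) else level[index])
        index //= 2
    return path

def verify(root, n_blocks, index, block, path):
    """Verifier side: holds only the root and block count, never the data set."""
    depth = max(n_blocks - 1, 0).bit_length()
    if not 0 <= index < n_blocks or len(path) != depth:
        return False
    node = _h(b"\x00", block)
    for sib in path:
        # Left/right order comes from the challenged index, which binds
        # the returned block to its position in the file.
        pair = sib + node if index & 1 else node + sib
        node = _h(b"\x01", pair)
        index //= 2
    return hmac.compare_digest(node, root)

if __name__ == "__main__":
    levels = build_tree(BLOCKS)
    root = levels[-1][0]
    print(verify(root, len(BLOCKS), 3, BLOCKS[3], prove(levels, 3)))
```
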

Selected Related Publications

Access Control in Public Cloud

The variety of sensitive data pooled in the cloud demands that the cloud data sharing service be responsible for secure, efficient, and reliable enforcement of data content access among a potentially large number of users on behalf of data owners. As the cloud server may no longer be in the same trusted domain as the data owners, we have to rethink the problem of access control in this open environment, where the cloud server takes full charge of the management of the outsourced data but is not necessarily trusted with respect to data confidentiality. What makes the problem more challenging is the enforcement of fine-grained data access, the support of access privilege updates in dynamic scenarios, and system scalability, while maintaining a low level of complexity in key management and data encryption.

We have been investigating advanced cryptographic techniques, including attribute-based encryption, proxy re-encryption, and lazy re-encryption, to address these challenges. We aim to provide tools that not only extend owners' full control over cloud data access, but also enable effective user revocation while introducing minimal management and online burden on the data owner for the overall access policy enforcement. Our ultimate goal is to allow all owners/users to benefit fully from the current capabilities of the cloud, so as to achieve finer, stronger, and more usable secure cloud data sharing services.

Selected Related Publications


Disclaimer: The papers here are made available for timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders.