2015
Conference Paper
Title
Protecting sensitive data in a distributed and mobile environment
Abstract
The Cloud and other publicly available storage services enable a high potential for time- and location-independent access to information, particularly in combination with smart mobile devices. Law enforcement agencies in particular, such as the police, require such possibilities to access information related to an investigation at any time and from any place. However, storing sensitive data on public servers is not an option for law enforcement agencies because of the possibility of unauthorized access to these data by third parties. To allow the storage of sensitive data on public servers in the Cloud, the data has to be encrypted so that neither the cloud providers nor potential attackers gain access to that information. At the Fraunhofer IOSB a device called CyphWay® has been developed and presented at ICCWS 2014, which ensures that sensitive publicly stored data are protected by encryption. This device guarantees that encryption and decryption keys are only available within a specific trusted and protected hardware module. Access to those keys is controlled by a specially designed key management system. The paper at hand describes a security concept that uses such a trusted environment to build a secure and distributed file system for encrypted data. For this purpose, each file or data set is encrypted independently. The resulting system provides a hierarchical key structure, which controls access to uploaded data and maps the data structure at the same time. The goals of this system are to protect all publicly stored data through encryption and to provide hierarchical access control. By decoupling the data structure from the actual data and by encrypting the meta-data, unauthorized observers are not able to see meta-information such as directory contents or directory structures. Therefore, the presented technique enables the creation of a deniable distributed file system.
Unlike several encrypted container solutions, the presented system allows encrypted data to be distributed over a large number of diverse publicly available storage services, such as cloud storages. In addition, it is possible to combine those storages with one's own private or corporate storage. The key management system naturally implements an access control system and, additionally, allows the allocation of temporary access rights to other users in order to share data.
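The abstract describes three properties of the file system: every file is encrypted under its own key, directory metadata is itself encrypted so an observer of the public store sees neither names nor structure, and the key hierarchy doubles as the access-control structure (handing out one directory key grants access to that subtree and nothing above it). The following Python program is an added illustration of that general design; it is not the paper's or CyphWay's code, and it does not model the trusted hardware module, so keys live in process memory as a stand-in. The `aead_encrypt`/`aead_decrypt` functions, the `PublicStore` class, the `EncryptedFS` class, the HMAC-SHA256 counter-mode construction used in place of a real AEAD such as AES-GCM, and all sample file and directory names are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one node key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode (assumed stand-in for AES-CTR/GCM).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce; aad binds the blob to its role."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified blob raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class PublicStore:
    """Untrusted storage (constructed stand-in for a cloud bucket): random ids mapped to ciphertext."""

    def __init__(self):
        self.blobs = {}

    def put(self, blob: bytes) -> str:
        blob_id = secrets.token_hex(16)  # no relation to name, path or position in the tree
        self.blobs[blob_id] = blob
        return blob_id

    def get(self, blob_id: str) -> bytes:
        return self.blobs[blob_id]


class EncryptedFS:
    """Hierarchical key structure: a directory key wraps the keys of its children."""

    def __init__(self, store: PublicStore):
        self.store = store

    def put_file(self, data: bytes):
        file_key = secrets.token_bytes(KEY_LEN)  # every file is encrypted independently
        return file_key, self.store.put(aead_encrypt(file_key, data, b"file"))

    def put_dir(self, entries: dict):
        """entries: name -> (kind, child_key, blob_id). The listing itself is encrypted metadata."""
        dir_key = secrets.token_bytes(KEY_LEN)
        listing = {
            name: {"kind": kind, "id": blob_id, "wrapped_key": aead_encrypt(dir_key, child_key, b"wrap").hex()}
            for name, (kind, child_key, blob_id) in entries.items()
        }
        return dir_key, self.store.put(aead_encrypt(dir_key, json.dumps(listing).encode(), b"dir"))

    def read_dir(self, dir_key: bytes, blob_id: str) -> dict:
        listing = json.loads(aead_decrypt(dir_key, self.store.get(blob_id), b"dir"))
        return {
            name: (e["kind"], aead_decrypt(dir_key, bytes.fromhex(e["wrapped_key"]), b"wrap"), e["id"])
            for name, e in listing.items()
        }

    def read_file(self, file_key: bytes, blob_id: str) -> bytes:
        return aead_decrypt(file_key, self.store.get(blob_id), b"file")

    def resolve(self, dir_key: bytes, dir_id: str, path: str):
        """Walk a path from a directory the caller holds the key for; returns (kind, key, blob_id)."""
        kind, key, blob_id = "dir", dir_key, dir_id
        for part in path.strip("/").split("/"):
            kind, key, blob_id = self.read_dir(key, blob_id)[part]
        return kind, key, blob_id


def demo() -> dict:
    """Build /case-42/report.txt (constructed sample) and check the three properties."""
    store = PublicStore()
    fs = EncryptedFS(store)
    file_key, file_id = fs.put_file(b"witness statement, case 42")
    case_key, case_id = fs.put_dir({"report.txt": ("file", file_key, file_id)})
    root_key, root_id = fs.put_dir({"case-42": ("dir", case_key, case_id)})

    _, k, bid = fs.resolve(root_key, root_id, "case-42/report.txt")
    via_root = fs.read_file(k, bid)
    _, k, bid = fs.resolve(case_key, case_id, "report.txt")  # sharing = handing out one subtree key
    via_share = fs.read_file(k, bid)

    everything = b"".join(store.blobs.values()) + "".join(store.blobs).encode()
    names_visible = b"case-42" in everything or b"report.txt" in everything
    try:
        fs.read_dir(case_key, root_id)  # subtree key must not open the parent listing
        share_opens_root = True
    except ValueError:
        share_opens_root = False
    return {"via_root": via_root, "via_share": via_share,
            "names_visible": names_visible, "share_opens_root": share_opens_root}
```

An observer of `PublicStore` sees only random identifiers and ciphertexts of certain sizes; which blob is a directory, which is a file, and how they nest is recoverable only with the corresponding directory key, which is what makes the tree deniable to the storage provider. Temporary sharing as mentioned in the abstract would be implemented on top of this by re-wrapping (rotating) a directory key once the granted period ends.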