Grant Abstract: When users store their data in the cloud, they take many privacy risks: Will the cloud storage provider allow others to see that data? If the user sets sharing rules for the data, will the cloud storage system follow those rules? Recent news stories of user data exfiltration from cloud storage systems show that users have reason for concern. Encrypting files before storing them in the cloud would provide strong protection, but this approach makes it very difficult for users to share data with others and to change their sharing policies. This project is exploring techniques to cryptographically protect user files in cloud-based storage systems, while supporting advanced, dynamic sharing policies.
While cryptographically protecting data under a static access control policy is well documented in the literature, existing constructions either do not efficiently support dynamic policies (e.g., changes to role/attribute assignments) or make heavy trust assumptions to support this dynamism. This project is (1) developing an open-source platform for prototyping, analyzing, and deploying dynamic access control enforcement solutions for untrusted environments; (2) creating cryptographic constructions that are capable of securely implementing popular role- and attribute-based access control models on untrusted storage platforms while supporting dynamic policy and data updates; (3) designing efficient, trusted hardware-assisted, cloud-scale implementations of popular access control models supporting dynamic policy and data updates in a variety of deployment scenarios; and (4) a carrying out a comprehensive evaluation that explores the trade-offs in trust between these cryptographically- and hardware-enforced approaches and examines the cryptographic, computational, and communication costs of the proposed constructions under a variety of real-world workloads. Learn more at: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1704139&HistoricalAwards=false