TREA

System and method for verifying integrity of cloud data using unconnected trusted device

Follow

Information

  • Patent Grant
  • 9641617
  • Patent Number
    9,641,617
  • Date Filed
    Friday, December 5, 2014
    9 years ago
  • Date Issued
    Tuesday, May 2, 2017
    7 years ago
Information
Abstract
The present invention provides a method and system for verifying integrity of cloud data using unconnected trusted device. The method involves requesting encrypted data though a terminal from a metadata offsite location on a cloud storage then entering encrypted data into an unconnected trusted device thereafter obtaining sentinel data from one or more predefined sentinel locations in encrypted data then requesting original data from the cloud storage through the terminal from the unconnected trusted device thereafter comparing sentinel data and original data for integrity and finally displaying the results.
Description

This application claims the benefit of Indian Patent Application Serial No. 5992/CHE/2013 filed Dec. 20, 2013, which is hereby incorporated by reference in its entirety.


FIELD

The present invention relates generally to verifying the integrity of cloud data and more particularly, a method and system for verifying integrity of cloud data using an unconnected trusted device.


BACKGROUND

Cloud computing has emerged as a great advantage to enterprise and individual users dealing with large data size. There is significant cost associated with data storage and considering the rapid rate at which data is getting generated, users are finding it more cost effective to push data to cloud storage services. However, security is a major concern for cloud users because control boundaries are moving towards cloud provider. In such scenario, cloud consumers desire more mechanisms to get assurance about security of their data stored with cloud provider. There are opportunities of data integrity violation due to malicious intent or lack of controls within cloud provider environment.


Many companies in cloud market are providing cost-effective and scalable file storage in the cloud. However verifying integrity of data stored with third party still remains challenge for cloud user community. There are various technical and operational issues which can compromise integrity of customer data in cloud. SLA's and contracts do not provide technical, efficient and verifiable method to find the integrity status of data hosted in cloud provider environment.


There are some tools available with cloud provider which checks the integrity of data over a period but their usage are limited to cloud provider and such tools many times do not provide option for cloud customer or user to verify independently the integrity of data. The tools and processes used at cloud provider side usually perform integrity check independent of requirement of particular user and data. Some available tools for data integrity verification of storage tapes might perform the verification for entire data block set or tape. Cloud customer/user might be only interested in verifying integrity of their data only instead of complete data storage. Most of the data integrity verification techniques require cryptographic operation for verification to be performed by device with significant computation capability. In a scenario where multiple cloud users use such machine, it cannot be considered as trusted or personalized device.


In view of foregoing discussion there is a need for providing a mechanism to cloud customer for verifying integrity of cloud data using unconnected trusted device.


SUMMARY

The present invention overcomes the limitation mentioned above by providing a mechanism to cloud customers for verifying the integrity of their data stored at third party cloud provider company using unconnected trusted device like mobile gadgets (phones, watch, tablet etc.).


According to the present embodiment, a method for verifying integrity of cloud data using unconnected trusted device is disclosed. The method involves requesting encrypted data through a terminal from a metadata offsite location on a cloud storage then entering encrypted data into an unconnected trusted device thereafter obtaining sentinel data from one or more predefined sentinel locations in encrypted data after decrypting through a user personalized key stored on the unconnected trusted device then requesting original data from the cloud storage through the terminal from the unconnected trusted device and finally comparing sentinel data and original data for integrity.


In an additional embodiment, a system for verifying integrity of cloud data using an unconnected trusted device is disclosed. The system includes an encrypted data request component, an encrypted data entering component, a sentinel data obtaining component, an original data request component and a data comparison component. The encrypted data request component is configured to request encrypted data though a terminal from a metadata offsite location on a cloud storage. The encrypted data entering component is configured to enter encrypted data into an unconnected trusted device. The sentinel data obtaining component is configured to obtain sentinel data from one or more predefined sentinel locations in the encrypted data after decrypting through a user personalized key stored on the unconnected trusted device. The original data request component is configured to request original data from the cloud storage through the terminal from the unconnected trusted device. The data comparison component is configured to compare sentinel data and original data for integrity.


In another embodiment, a non-transitory computer readable medium for verifying integrity of cloud data using unconnected trusted device is disclosed. This involves a non-transitory computer readable medium having stored thereon instructions verifying integrity of cloud data using unconnected trusted device. The computer program code is adapted to requesting encrypted data though a terminal from a metadata offsite location on a cloud storage then entering encrypted data into an unconnected trusted device thereafter obtaining sentinel data from one or more predefined sentinel locations in encrypted data after decrypting through a user personalized key stored on the unconnected trusted device then requesting original data from the cloud storage through the terminal from the unconnected trusted device and finally comparing sentinel data and original data for integrity.





BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention will, hereinafter, be described in conjunction with the appended drawings provided to illustrate, and not to limit the invention, wherein like designations denote like elements, and in which:



FIG. 1 is a computer architecture diagram illustrating a computing system capable of implementing the embodiments presented herein.



FIG. 2 is a flowchart, illustrating a method for verifying integrity of cloud data using unconnected trusted device, in accordance with an embodiment of the present technique.



FIG. 3 is a block diagram illustrating a system for verifying integrity of cloud data using unconnected trusted device, in accordance with an embodiment of the present technique.





DETAILED DESCRIPTION

The foregoing has broadly outlined the features and technical advantages of the present disclosure in order that the detailed description of the disclosure that follows may be better understood. Additional features and advantages of the disclosure will be described hereinafter which form the subject of the claims of the disclosure. It should be appreciated by those skilled in the art that the conception and specific embodiment disclosed may be readily utilized as a basis for modifying or designing other structures for carrying out the same purposes of the present disclosure. It should also be realized by those skilled in the art that such equivalent constructions do not depart from the spirit and scope of the disclosure as set forth in the appended claims. The novel features which are believed to be characteristic of the disclosure, both as to its organization and method of operation, together with further objects and advantages will be better understood from the following description when considered in connection with the accompanying figures. It is to be expressly understood, however, that each of the figures is provided for the purpose of illustration and description only and is not intended as a definition of the limits of the present disclosure.



FIG. 1 illustrates a generalized example of a suitable computing environment 100 in which all embodiments, techniques, and technologies of this invention may be implemented. The computing environment 100 is not intended to suggest any limitation as to scope of use or functionality of the technology, as the technology may be implemented in diverse general-purpose or special-purpose computing environments. For example, the disclosed technology may be implemented using a computing device (e.g., a server, desktop, laptop, hand-held device, mobile device, PDA, etc.) comprising a processing unit, memory, and storage storing computer-executable instructions implementing the service level management technologies described herein. The disclosed technology may also be implemented with other computer system configurations, including hand held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, a collection of client/server systems, and the like.


With reference to FIG. 1, the computing environment 100 includes at least one central processing unit 102 and memory 104. The central processing unit 102 executes computer-executable instructions. In a multi-processing system, multiple processing units execute computer-executable instructions to increase processing power and as such, multiple processors can be running simultaneously. The memory 104 may be volatile memory (e.g., registers, cache, RAM), non-volatile memory (e.g., ROM, EEPROM, flash memory, etc.), or some combination of the two. The memory 104 stores software 116 that can implement the technologies described herein. A computing environment may have additional features. For example, the computing environment 100 includes storage 108, one or more input devices 110, one or more output devices 112, and one or more communication connections 114. An interconnection mechanism (not shown) such as a bus, a controller, or a network, interconnects the components of the computing environment 100. Typically, operating system software (not shown) provides an operating environment for other software executing in the computing environment 100, and coordinates activities of the components of the computing environment 100.



FIG. 2 is a flowchart, illustrating a method for verifying integrity of cloud data using unconnected trusted device. An encrypted data is requested through a terminal from a metadata offsite location on a cloud storage 202 then data is entered into an unconnected trusted device 204 thereafter sentinel data is obtained from one or more predefined sentinel locations in encrypted data after decrypting through a user personalized key stored on the unconnected trusted device 206 then original data is requested from the cloud storage through the terminal from the unconnected trusted device 208 and finally comparing sentinel data and original data for integrity 210. The result of data integrity is displayed on the unconnected trusted device. The cloud storage provides an interface to cloud customer for uploading data and data is converted to the encrypted data wherein the encrypted data is metadata created by identifying the sentinel location within the original data and by encrypting sentinel location and sentinel data together by user personalized key.



FIG. 3 is a block diagram illustrating a system for verifying integrity of cloud data using unconnected trusted device, in accordance with an embodiment of the present technique. More particularly system includes a an encrypted data request component 302, an encrypted data entering component 304, a sentinel data obtaining component 306, an original data request component 308 and a data comparison component 310. The encrypted data request component is configured to request encrypted data though a terminal from a metadata offsite location on a cloud storage. The encrypted data entering component is configured to enter encrypted data into an unconnected trusted device. The sentinel data obtaining component is configured to obtain sentinel data from one or more predefined sentinel locations in the encrypted data after decrypting through a user personalized key stored on the unconnected trusted device. The original data request component is configured to request original data from the cloud storage through the terminal from the unconnected trusted device. The data comparison component is configured to compare sentinel data and original data for integrity.


The trusted unconnected devices are handheld mobile devices not limited to mobile phones, tablets, PDAs etc.


The above mentioned description is presented to enable a person of ordinary skill in the art to make and use the invention and is provided in the context of the requirement for obtaining a patent. Various modifications to the preferred embodiment will be readily apparent to those skilled in the art and the generic principles of the present invention may be applied to other embodiments, and some features of the present invention may be used without the corresponding use of other features. Accordingly, the present invention is not intended to be limited to the embodiment shown but is to be accorded the widest scope consistent with the principles and features described herein.

Claims
  • 1. A method for verifying integrity of cloud data, the method comprising: requesting, by a computing device, encrypted data through a terminal from a metadata offsite location on a cloud storage, the encrypted data is associated with original data that comprises a subset of the cloud data for a user that was uploaded and stored in the cloud storage;receiving, by the computing device, the encrypted data, wherein the encrypted data is metadata obtained by identifying one or more sentinel locations within the original data that comprises the subset of the cloud data and encrypting the one or more sentinel locations and sentinel data by a user personalized key;obtaining, by the computing, the sentinel data from one or more predefined sentinel locations in the encrypted data after decrypting through a user personalized key that is stored by the computing device;requesting, by the computing device, the original data that comprises the subset of the cloud data from the cloud storage through the terminal;comparing, by the computing device, the sentinel data and the original data to verify integrity of the original data in the cloud storage; anddisplaying, by the computing device, a result of data integrity based on the comparing.
  • 2. A computing device comprising: a processor;a memory coupled to the processor which is configured to execute programmed instructions stored in the memory to: request encrypted data through a terminal from a metadata offsite location on a cloud storage, the encrypted data is associated with original data that comprises a subset of cloud data for a user that was uploaded and stored in the cloud storage;receive the encrypted data, wherein the encrypted data is metadata obtained by identifying one or more sentinel locations within the original data that comprises the subset of the cloud data and by encrypting the one or more sentinel locations and sentinel data by a user personalized key;obtain sentinel data from one or more predefined sentinel locations in the encrypted data after decrypting through a user personalized key that is stored by the computing device;request the original data from the cloud storage through the terminal;compare the sentinel data and the original data to verify integrity of the original data in the cloud storage; anddisplay a result of data integrity based on the comparison.
  • 3. A non-transitory computer readable medium having stored thereon instructions for verifying integrity of cloud data comprising machine executable code which when executed by at least one processor, causes the at least one processor to perform steps comprising: requesting encrypted data through a terminal from a metadata offsite location on a cloud storage, the encrypted data is associated with original data that comprises a subset of the cloud data for a user that was uploaded and stored in the cloud storage;receiving the encrypted data wherein the encrypted data is metadata obtained by identifying one or more sentinel locations within original data that comprises the subset of the cloud data and by encrypting the one or more sentinel locations and sentinel data by a user personalized key;obtaining sentinel data from one or more predefined sentinel locations in the encrypted data after decrypting through a user personalized key that is stored by a computing device making the request;requesting original data from the cloud storage through the terminal;comparing the sentinel data and the original data to verify integrity of the original data in the cloud storage; anddisplaying a result of data integrity based on the comparing.
Priority Claims (1)
Number Date Country Kind
5992/CHE/2013 Dec 2013 IN national
US Referenced Citations (24)
Number Name Date Kind
6996712 Perlman et al. Feb 2006 B1
9171162 Malkhasyan Oct 2015 B2
20100211781 Auradkar et al. Aug 2010 A1
20100268692 Resch Oct 2010 A1
20100268938 Resch Oct 2010 A1
20100306076 Taveau et al. Dec 2010 A1
20100332479 Prahlad et al. Dec 2010 A1
20100332818 Prahlad Dec 2010 A1
20110093567 Jeon et al. Apr 2011 A1
20110145593 Auradkar et al. Jun 2011 A1
20110153812 Yoon et al. Jun 2011 A1
20110167221 Pangal et al. Jul 2011 A1
20110225451 Leggette et al. Sep 2011 A1
20110225640 Ganapathy et al. Sep 2011 A1
20110246433 Sun Oct 2011 A1
20110264906 Pourzandi et al. Oct 2011 A1
20120166576 Orsini et al. Jun 2012 A1
20120266000 Maheshwari Oct 2012 A1
20120311691 Karlin Dec 2012 A1
20130058477 Kobayashi Mar 2013 A1
20140173730 Bejerasco Jun 2014 A1
20140380036 Neumann Dec 2014 A1
20150113518 Liem Apr 2015 A1
20150288703 Yoshino Oct 2015 A1
Non-Patent Literature Citations (2)
Entry
Sravan Kumar, R., and Ashutosh Saxena. “Data integrity proofs in cloud storage.” Communication Systems and Networks (COMSNETS), 2011 Third International Conference on. IEEE, 2011.
Wang, Boyang, Baochun Li, and Hui Li. “Knox: privacy-preserving auditing for shared data with large groups in the cloud.” Applied Cryptography and Network Security. Springer Berlin Heidelberg, 2012.
Related Publications (1)
Number Date Country
20150180835 A1 Jun 2015 US