CloudRAID

Cloud Computing includes established technologies that potentially reduce costs and increase flexibility. An important part of the cloud is the provisioning of infrastructure (Infrastructure-as-a-Service (IaaS)), in particular for storing large amounts of data. However, this is bedeviled by various risks such as unauthorized access to storage resources or dependence on specific service providers. These issues can be mitigated by software systems. 

Current State

The initial CloudRAID prototype has been successfully developed and handed over to the Bundesdruckerei, our project partner. Bundesdruckerei has developed a commercial enterprise solution called BDrive based on our prototype. The concepts remain largely the same; however, BDrive includes several advanced features. We are still actively researching approaches to improve the CloudRAID concepts based on customer feedback and contemporary trends.

Requirements

Core requirements for reliable cloud storage include security, integrity and availability. These attributes are imperative for transparent and unhindered access to cloud storage resources. CloudRAID, a system developed at the HPI, provides these features and enhances the overall security of cloud storage.

Reference Architecture

CloudRAID adopts an architecture consisting of a central server and several client applications for desktop PCs, mobile devices and web browsers. The server manages user authentication and the security of metadata in a manner that prevents service providers from intruding into users' private information.

 

Application of RAID concepts to cloud storage

File upload to cloud storage follows three steps: 

  • The file is encrypted with symmetric encryption; the cryptographic hash value is used as the key.
  • A RAID algorithm is applied to the file to calculate the parity chunks, which are separated from the data chunks.
  • The resulting chunks are thereafter distributed to different cloud storage repositories.

 

 

File recovery is the reverse of the uploading procedure:

  • A subset of the parity chunks as configured in the original RAID algorithm is required to reconstruct the initial data. This has to be downloaded alongside the available data chunks.
  • The reverse of the RAID algorithm is applied to recover the data, which is still encrypted.
  • The recovered file is then decrypted. Note that the symmetric key used for decryption is known only to the user.
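
The upload and recovery steps above as an added sketch, not CloudRAID's or BDrive's code. It assumes the key is the SHA-256 of the file content, a single XOR parity chunk (RAID-5 style), a hash-based stand-in for the symmetric cipher, and hypothetical provider names.

```python
import hashlib
from functools import reduce

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher for this sketch (SHA-256 in counter mode, unauthenticated);
    # a real deployment would use a vetted AEAD cipher instead.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def xor_chunks(chunks):
    # Byte-wise XOR of equally sized chunks: the RAID-5 style parity operation.
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), chunks)

def names(n_data):
    return [f"provider-{i}" for i in range(n_data + 1)]  # hypothetical repositories

def upload(plaintext: bytes, n_data: int = 3):
    key = hashlib.sha256(plaintext).digest()       # step 1: key = hash (assumed: of the file)
    ct = keystream_xor(key, plaintext)
    size = -(-len(ct) // n_data)                   # ceiling division
    padded = ct.ljust(size * n_data, b"\0")
    data = [padded[i * size:(i + 1) * size] for i in range(n_data)]
    parity = xor_chunks(data)                      # step 2: parity chunk, kept separate
    stores = dict(zip(names(n_data), data + [parity]))  # step 3: one chunk per provider
    return key, len(ct), stores

def recover(stores, key: bytes, length: int, n_data: int = 3) -> bytes:
    chunks = [stores.get(n) for n in names(n_data)]
    missing = [i for i, c in enumerate(chunks) if c is None]
    if len(missing) > 1:
        raise ValueError("single parity tolerates only one lost chunk")
    if missing and missing[0] < n_data:            # a data chunk is gone: rebuild via XOR
        chunks[missing[0]] = xor_chunks([c for c in chunks if c is not None])
    ct = b"".join(chunks[:n_data])[:length]        # still encrypted at this point
    return keystream_xor(key, ct)                  # only the key holder gets plaintext

if __name__ == "__main__":
    doc = b"constructed sample file contents " * 4
    key, length, stores = upload(doc)
    del stores["provider-1"]                       # simulate one unavailable provider
    print(recover(stores, key, length) == doc)
```

With one parity chunk the file survives the loss of any single provider; tolerating more losses requires a RAID scheme with more parity chunks.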

 

 

Benefits

 

Data Security

Each storage vendor is in possession of only a fragment of a file, owing to the capacity of the RAID algorithm to separate a file into multiple chunks, which can be easily reconstructed from a subset of these chunks. Accordingly, an attacker wishing to acquire a file stored in the cloud will have the challenge of getting all the chunks. Moreover, since all chunks are encrypted, there is an additional requirement of obtaining the corresponding symmetric keys before successfully accessing data.

Data Availability

Current providers cannot assure users of constant availability of files in their possession. CloudRAID overcomes this challenge by storing individual chunks at separate cloud storage repositories, thereby avoiding sole reliance on specific providers. The system also gives users the flexibility of configuring several parameters such as low costs, high bandwidth speed and performance. These factors can be combined in various ways to suit client requirements.

 

Threat Detection and Security Analytics

Consuming cloud services often enlarges a system's attack surface and introduces loss of control. Therefore, threat detection and security analytics capabilities are implemented to detect security threats and anomalies in CloudRAID's cloud resources. Similarly, intelligent systems are deployed to monitor and detect user-centric threats. These capabilities provide security visibility into the overall systems and narrow the gap between on-premise systems and cloud-based infrastructure. Details of the described techniques are available on this page.

Advanced Access Control Mechanisms 

Access control is another challenge that cloud storage services need to solve to ensure that only authorized users can access the files stored in the cloud. We leverage attribute-based encryption to provide fine-grained access control in enterprise environments, while ensuring scalable key management and scalability. Additional features are location-based access control and multi-cloud resource management. Please take a look here for detailed information.

 

Team

  • Prof. Dr. Christoph Meinel (Project Manager)
  • Philipp Berger
  • Kennedy Torkura
  • Hendrik Graupner
  • Muhammad Sukmana 

Project Partner