Secure Data Storage Architecture for Mobile Devices
- Subject (keywords): Security Architecture, Data Storage, Deniable Storage, Mobile Device, Performance Improvements
- Issuing institution: 고려대학교 정보보호대학원 (Graduate School of Information Security, Korea University)
- Advisor: 이동훈
- Year of publication: 2019
- Degree conferred: February 2019
- Degree: Doctoral (Ph.D.)
- Department: 정보보호대학원 정보보호학과 (Department of Information Security, Graduate School of Information Security)
- Pages: 193 p.
- URI: http://www.dcollection.net/handler/korea/000000083488
- UCI: I804:11009-000000083488
- DOI: 10.23186/korea.000000083488.11009.0000820
- Language of text: English
- Submitted original (record ID): 000045978858
Abstract / Summary
As mobile devices are used in more and more daily activities, they also double as portable storage holding a wide range of the user's personal and business information. Most mobile operating systems keep personal data in on-device storage (files, databases, and so on) and expose APIs through which apps access storage managed by the system or manage storage of their own. Because the stored data may include sensitive information, the major mobile operating systems offer encryption functionality such as per-file encryption and full disk encryption (FDE) to protect privacy. These methods, however, do not provide an effective degree of protection on their own. On an unlocked device, all data on the device are in decrypted form, so stored data can still be leaked unintentionally through various vulnerabilities even when FDE is applied. Moreover, even if data are stored securely in encrypted form, conventional encryption cannot protect against a coercive attacker who captures the device and forces the owner to reveal the encrypted information. Since the ciphertext itself reveals the presence of information the owner does not want others to see, letting an attacker learn that the device contains sensitive information can be as dangerous as disclosing that information. To protect users against such a coercive attacker, Plausibly Deniable Encryption (PDE) was introduced to mobile devices. However, all previous PDE-enabled storage systems have limitations rooted in their design principles, and these limitations can compromise the deniability of the existing systems.

This thesis proposes security architectures for mobile data storage. The first part presents a security architecture for on-device data storage, focusing on databases. The thesis then presents an architecture for cloud-based deniable storage that provides security functionality against a coercive attacker. Finally, it presents an optimization technique for a cryptographic algorithm that can be leveraged to improve the performance of various security systems, including the ones proposed here. To evaluate the feasibility of the proposed architectures, a series of experiments is conducted on prototype implementations; the results show that the architectures are feasible with acceptable overhead.
Table of Contents
1 Introduction 1
2 Overview and Related Work 6
2.1 Overview 6
2.2 Related Work 9
2.2.1 Security solutions for on-device Data Storage 9
2.2.2 Plausibly Deniable Encryption on Data Storage 10
2.2.3 Cryptographic Algorithm Optimization (AES) 12
3 Security Architecture for on-device Data Storage: Database 15
3.1 Contribution 18
3.2 Preliminaries 21
3.2.1 SELinux & SEAndroid 21
3.2.2 Android Database (SQLite) 22
3.2.3 Trusted Execution Environment (TEE) 23
3.2.4 Android KeyStore 24
3.3 Attack model and Assumption 25
3.3.1 Attacker Model 25
3.3.2 Assumptions 26
3.4 System Architecture 28
3.4.1 Overview 28
3.4.2 SELinux Policy 32
3.4.3 KeyStore 33
3.4.4 SecureDB Daemon 36
3.4.5 Interface and Permission 41
3.4.6 Operation Flow 43
3.5 Application Similarity 46
3.6 Evaluations 52
3.6.1 Security Analysis 52
3.6.2 Performance Evaluations 57
3.7 Discussion and Limitations 66
3.7.1 Update of sdbd 66
3.7.2 Legitimate use of shared user ID 66
3.7.3 Declaring Permission 67
3.7.4 Volume of mobile database transactions & Application result 68
3.7.5 App Similarity Method 71
3.7.6 Extension to other platforms 72
3.8 Application to Other Data Storage 74
4 Security Architecture for Cloud-based Deniable Storage 75
4.1 Contribution 80
4.2 Models and Assumptions 82
4.2.1 System Model 82
4.2.2 Attacker Model 83
4.2.3 Assumptions 85
4.3 System Design 87
4.3.1 User Device 87
4.3.2 Cloud Storage Server 91
4.3.3 Communication Protocol 92
4.3.4 User Steps 101
4.4 Evaluation 103
4.4.1 Security Analysis 103
4.4.2 Performance Experiments 106
5 Crypto Algorithm Optimization for improving the Performance of Proposed System 109
5.1 Contribution 111
5.2 Preliminaries 113
5.2.1 Description of AES and CTR mode 113
5.2.2 Notation 116
5.3 Implementation Technique Using Repetitive Data: FACE 118
5.3.1 Technique Applied to Initial Whitening (FACErd0) 120
5.3.2 Technique Applied to Round 1 (FACErd1) 122
5.3.3 Additional Technique Applied to Round 1 (FACErd1+) 124
5.3.4 Technique Applied to Round 2 (FACErd2) 127
5.3.5 Additional Technique Applied to Round 2 (FACErd2+) 130
5.4 Evaluations 133
5.4.1 Implementation 133
5.4.2 Experimental Results 136
5.5 Discussion 143
6 Conclusion 146
A Sample Code: FACE 161
A.1 Round Transformation Code of Bitsliced FACE 161
A.2 Round Transformation Code of AES-NI-based FACE 177
A.2.1 Code for 1 x 1 177
A.2.2 Code for 4 x 1 179
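The FACE technique that chapter 5 applies to initial whitening, round 1 and round 2 (sections 5.3.1 to 5.3.5) is only named on this page, not described. The following pure-Python AES-128 is an added illustration, not code from the thesis, that measures the "repetitive data" a counter-mode implementation could reuse: between consecutive counter blocks only the low counter byte changes, so most of the state after initial whitening and most columns after round 1 are identical to the previous block's. It goes beyond the page in two assumed details: the counter layout (a 16-byte IV incremented as a big-endian integer, as OpenSSL's CTR does) and the interpretation of which repeated parts a cache would keep; the thesis's own choices may differ. The key and IVs are constructed sample values, and the AES core is checked against the FIPS-197 test vector.

```python
"""Added illustration (not from the thesis): how much of AES-CTR keystream
computation repeats between consecutive counter blocks.  Pure-Python AES-128,
far too slow for real use; it exists so the per-round states can be inspected.
Counter layout (16-byte IV incremented as a big-endian integer) is an assumption."""

def _xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def _build_sbox():
    """Rijndael S-box: multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF       # q /= 3, so q == 1/p
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()

def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes, column-major order."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

# The state is a 16-byte list in column-major order: byte i is row i % 4, column i // 4.
def _sub_bytes(s):
    return [SBOX[b] for b in s]

def _shift_rows(s):
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # row r rotates left by r

def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        t = a0 ^ a1 ^ a2 ^ a3
        out += [a0 ^ t ^ _xtime(a0 ^ a1), a1 ^ t ^ _xtime(a1 ^ a2),
                a2 ^ t ^ _xtime(a2 ^ a3), a3 ^ t ^ _xtime(a3 ^ a0)]
    return out

def aes_round_states(block, round_keys, n_rounds=10):
    """Return the states after round 0 (initial whitening) up to round n_rounds."""
    s = [a ^ b for a, b in zip(block, round_keys[0])]
    states = [s]
    for r in range(1, n_rounds + 1):
        s = _shift_rows(_sub_bytes(s))
        if r != 10:                       # the final round has no MixColumns
            s = _mix_columns(s)
        s = [a ^ b for a, b in zip(s, round_keys[r])]
        states.append(s)
    return states

def aes128_encrypt(key, block):
    return bytes(aes_round_states(block, _expand_key(key))[-1])

def ctr_reuse_profile(key, iv, n_blocks):
    """Encrypt n_blocks consecutive counter blocks and sum, over the n_blocks - 1
    transitions, how much of each early state equals the previous block's state.
    Equal bytes after round 0 and equal columns after round 1 need not be
    recomputed; equal bytes entering round 2 let MixColumns be finished from a
    cached partial sum.  Which of these a FACE implementation actually caches is
    not stated on this page; the numbers here are the raw opportunity."""
    rk = _expand_key(key)
    base = int.from_bytes(iv, "big")
    stats = {"rd0_bytes": 0, "rd1_bytes": 0, "rd1_cols": 0, "rd2_cols": 0}
    prev = None
    for i in range(n_blocks):
        ctr = ((base + i) % (1 << 128)).to_bytes(16, "big")
        st = aes_round_states(ctr, rk, 2)
        if prev is not None:
            same_cols = lambda r: sum(st[r][4 * c:4 * c + 4] == prev[r][4 * c:4 * c + 4]
                                      for c in range(4))
            stats["rd0_bytes"] += sum(a == b for a, b in zip(st[0], prev[0]))
            stats["rd1_bytes"] += sum(a == b for a, b in zip(st[1], prev[1]))
            stats["rd1_cols"] += same_cols(1)
            stats["rd2_cols"] += same_cols(2)
        prev = st
    return stats

if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample key (also the FIPS-197 C.1 key)
    assert aes128_encrypt(key, bytes.fromhex("00112233445566778899aabbccddeeff")) == \
        bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
    # Low counter byte starting at 0: 255 transitions change only byte 15, so
    # 15 of 16 whitened bytes and 3 of 4 round-1 columns repeat every time.
    print(ctr_reuse_profile(key, bytes(15) + b"\x00", 256))
    # Starting at 0xf0 forces one carry into byte 14; that transition loses reuse.
    print(ctr_reuse_profile(key, bytes(15) + b"\xf0", 256))
```

Two things follow from the counts. First, the reuse is deterministic, not probabilistic: a single changed input byte of MixColumns changes all four output bytes of that column (every matrix coefficient is non-zero), so exactly three columns survive round 1 and none survive round 2 at column granularity, which is why any saving in round 2 has to come from byte-level partial results. Second, the saving depends on the counter format: a carry into the next counter byte (the second call) changes two bytes and halves the reusable columns for that transition, and a counter that increments a high-order byte or a full 128-bit random per-block nonce would remove the repetition entirely.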

