PASSAT: Single Password Authenticated Secret-Shared Intrusion-Tolerant Storage with Server Transparency

TL;DR

PASSAT is a practical, server-transparent system that enhances cloud storage security using secret sharing and user-managed authentication, without requiring cloud provider cooperation.

Contribution

It introduces PASSAT, a novel, application-transparent system that securely distributes files across multiple cloud providers using XOR secret sharing and user-held credentials.

Findings

Secure storage with less than k colluding providers

Efficient secret sharing with XOR scheme

No changes needed on cloud servers

Abstract

In this paper, we introduce PASSAT, a practical system to boost the security assurance delivered by the current cloud architecture without requiring any changes or cooperation from the cloud service providers. PASSAT is an application transparent to the cloud servers that allows users to securely and efficiently store and access their files stored on public cloud storage based on a single master password. Using a fast and light-weight XOR secret sharing scheme, PASSAT secret-shares users' files and distributes them among n publicly available cloud platforms. To access the files, PASSAT communicates with any k out of n cloud platforms to receive the shares and runs a secret-sharing reconstruction algorithm to recover the files. An attacker (insider or outsider) who compromises or colludes with less than k platforms cannot learn the user's files or modify the files stealthily. To authenticate the user to multiple cloud platforms, PASSAT crucially stores the authentication credentials, specific to each platform on a password manager, protected under the user's master password. Upon requesting access to files, the user enters the password to unlock the vault and fetches the authentication tokens using which PASSAT can interact with cloud storage. Our instantiation of PASSAT based on (2, 3)-XOR secret sharing of Kurihara et al., implemented with three popular storage providers, namely, Google Drive, Box, and Dropbox, confirms that our approach can efficiently enhance the confidentiality, integrity, and availability of the stored files with no changes on the servers.