DFCloud: A TPM-based secure data access control method of cloud storage in mobile devices

Using the cloud storage services, users can access their data in any time, at any place, even with any computing device including mobile devices. Although these properties provide flexibility and scalability in handling data, security issues should be handled especially when mobile devices try to access data stored in cloud storage. Currently, a typical cloud storage service, Dropbox, offers server-side data encryption for security purpose. However, we think such method is not secure enough because all the encryption keys are managed by software and there is no attestation on the client software integrity. Moreover, a simple user identification based on user ID and Password is also easy to be compromised. Data sharing which is critical in enterprise environment is significantly restricted because it is not easy to share encryption key among users. In this paper, we propose DFCloud, a secure data access control method of cloud storage services to handle these problems found in the typical cloud storage service Dropbox. DFCloud relies on Trusted Platform Module (TPM) [1] to manage all the encryption keys and define a key sharing protocol among legal users. We assume that each client is mobile device using ARM TrustZone [2] technology. The DFCloud server prototype is implemented using ARM Fastmodel 7.1 and Open Virtualization software stack for ARM TrustZone. For DFCloud client, TPM functions are developed in the secure domain of ARM TrustZone because most ARM-based mobile devices are not equipped with TPM chip. The DFCloud framework defines TPM-based secure channel setup, TPM-based key management, remote client attestation, and a secure key share protocol across multiple users/devices. It is shown that our concept works correctly through a prototype implementation.