Redefining Cloud Encryption Architectures

Dynamic AES and Blockchain-Based Key Management

LINKS OF THE WEEK

My Best Finds

☁️🔐 More Encryption Links

  • Dynamic AES Encryption and Blockchain Key Management: A Novel Solution for Cloud Data Security (Mohammed Y. Shakor).

  • NIST proposes standardizing a wider variant of AES encryption (Cointelegraph).

  • Securing Medical Data: The Integration of Advanced Encryption Standard and Blockchain (Xiaomeng Hu).

  • Finders Keypers: Open-source AWS KMS key usage finder (Mirko Zorze).

DEEP DIVE

Moving Beyond Static Encryption in Zero Trust Cloud Architectures

As enterprises transition deeper into cloud-native and hybrid environments, legacy encryption and key management architectures are revealing critical deficiencies. Static key storage in centralized KMSs (Key Management Systems), lack of granular control over encryption contexts, and opaque file-sharing mechanisms create vulnerabilities that are fundamentally at odds with Zero Trust Architecture (ZTA) principles—especially “never trust, always verify” and continuous access validation.

This week, we analyze a highly relevant contribution to cloud security research: “Dynamic AES Encryption and Blockchain Key Management: A Novel Solution for Cloud Data Security” (IEEE Access, Jan 2024), which proposes a sophisticated cryptographic model that integrates:

  • Dynamic per-file AES-256 encryption

  • Decentralized key storage on private blockchain

  • Elliptic Curve Cryptography (ECC) for secure asymmetric exchange and file sharing

This layered cryptographic framework is engineered to provide forward secrecy, key uniqueness, integrity, and decentralized trust—all crucial to aligning with advanced ZTA and CSA’s Cloud Controls Matrix (CCMv4) guidelines.

Architectural Deep Dive: The Cryptographic Stack

The paper introduces a two-phase encryption and key management architecture designed to eliminate the single points of failure and trust inherent in traditional cloud security models.

1. Dynamic AES Key Generation (Per-File Encryption)

At the encryption phase:

  • A unique AES-256 key is generated per file using a dual-hashing mechanism:

    • key = SHA256(file) ⊕ SHA256(last_block_hash)

  • This ensures key randomness and unpredictability for each file instance, even if the file content is reused or deduplicated—thwarting known plaintext and frequency analysis attacks.

This approach moves beyond traditional AES implementations, where static or infrequently rotated keys are applied to entire storage volumes or tenant file systems, creating lateral risk in compromise scenarios.
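As an added illustration (not code from the paper or from this newsletter), here is the derivation above together with the per-file encryption it feeds, in Go. The XOR of the two SHA-256 digests is the paper's formula; the choice of AES-256-GCM as the mode, the use of the previous block hash as associated data, and the function names DeriveFileKey, EncryptFile and DecryptFile are my assumptions, since the summary names AES-256 but not a mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DeriveFileKey implements the paper's dual-hash derivation:
// key = SHA256(file) XOR SHA256(last_block_hash).
// The same file content under a different chain state yields a different key.
func DeriveFileKey(file, lastBlockHash []byte) []byte {
	h1 := sha256.Sum256(file)
	h2 := sha256.Sum256(lastBlockHash)
	key := make([]byte, 32)
	for i := range key {
		key[i] = h1[i] ^ h2[i]
	}
	return key
}

// EncryptFile encrypts one file under its derived key with AES-256-GCM (mode is
// my assumption) and binds the ciphertext to the chain state by passing the
// previous block hash as associated data. Output layout: nonce || ciphertext+tag.
func EncryptFile(file, lastBlockHash []byte) ([]byte, error) {
	block, err := aes.NewCipher(DeriveFileKey(file, lastBlockHash))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, file, lastBlockHash), nil
}

// DecryptFile reverses EncryptFile given the key recovered from the key ledger.
// A wrong key, a wrong chain state or a modified byte fails authentication.
func DecryptFile(key, sealed, lastBlockHash []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, lastBlockHash)
}

func main() {
	// Constructed sample content and two constructed chain states.
	file := []byte("record 0001: constructed sample content")
	prevA := sha256.Sum256([]byte("block-41"))
	prevB := sha256.Sum256([]byte("block-42"))
	keyA := DeriveFileKey(file, prevA[:])
	keyB := DeriveFileKey(file, prevB[:])
	fmt.Println("same file, different chain state, different key:", !bytes.Equal(keyA, keyB))
	sealed, _ := EncryptFile(file, prevA[:])
	plain, err := DecryptFile(keyA, sealed, prevA[:])
	fmt.Println("round trip ok:", err == nil && bytes.Equal(plain, file))
}
```

Because the key is a deterministic function of the file and the chain state, re-encrypting the same file after a new block has been appended produces a different key, which is the property the bullet above describes. It also means the derived key deserves the same protection as a random one: anyone who knows both inputs can recompute it, so the confidentiality of the wrapped key on the ledger is what carries the scheme.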

2. Blockchain as a Decentralized Key Ledger

After encryption, the AES key is embedded in a block along with:

  • Timestamp

  • Encrypted key data

  • Hash of the previous block (for immutability and chaining)

This block is then encrypted with the recipient's ECC public key, so that only the corresponding private key can decrypt it. These encrypted key blocks are transmitted and stored on a private permissioned blockchain, ensuring:

  • Tamper resistance: All key access attempts are traceable.

  • Decentralized trust: No centralized admin or cloud provider can decrypt or modify blocks.

  • Key immutability and auditability: All key states and transitions are cryptographically verifiable.

Blockchain-Augmented File Sharing: Secure Multi-Branch Chain Management

A major innovation in the model is the multi-branch blockchain file sharing mechanism, which directly supports Zero Trust’s need for granular, identity-bound access controls.

When a user shares a file:

  • A new chain branch is initiated off a selected block of the recipient.

  • The file is encrypted with a new AES key, stored in a new block encrypted with the recipient’s ECC public key.

  • The blockchain allows appending of these branches without polluting or affecting the main chain.

This results in a verifiable file-sharing tree, where each branch represents authenticated and traceable access events—an architecture well-aligned with CCMv4 controls like DS-08 (Data Integrity & Retention) and IAM-12 (User Access Authorization).
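Here is an added example (mine, not the paper's or this newsletter's) of the ledger side in Go: a key block with the three fields listed earlier, hash-chained appends, a sharing branch that hangs off a chosen block rather than the tip, and a verification walk that detects in-place tampering. The wrapped key payloads are constructed placeholders, the all-zero hash as genesis marker and the names KeyBlock, Ledger, Append, Verify and Tamper are assumptions; a real private permissioned chain would add consensus and signatures, which are out of scope here.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// KeyBlock carries the fields the paper lists for a key block: timestamp,
// encrypted (ECC-wrapped) key data and the hash of the previous block.
type KeyBlock struct {
	Timestamp int64
	PrevHash  [32]byte // all-zero for a genesis block
	Payload   []byte   // wrapped AES file key, opaque to the ledger
}

// hash binds all three fields, so changing any of them changes the block id.
func (b *KeyBlock) hash() [32]byte {
	buf := make([]byte, 8, 8+32+len(b.Payload))
	binary.BigEndian.PutUint64(buf, uint64(b.Timestamp))
	buf = append(append(buf, b.PrevHash[:]...), b.Payload...)
	return sha256.Sum256(buf)
}

// Ledger is an append-only, content-addressed store. A sharing branch is just
// a block whose PrevHash points at a chosen existing block instead of the tip,
// so branches never rewrite the main chain.
type Ledger struct {
	blocks map[[32]byte]*KeyBlock
}

func NewLedger() *Ledger { return &Ledger{blocks: map[[32]byte]*KeyBlock{}} }

// Append links a new block under parent and returns the new block's id.
func (l *Ledger) Append(parent [32]byte, payload []byte) ([32]byte, error) {
	if _, ok := l.blocks[parent]; !ok && parent != ([32]byte{}) {
		return [32]byte{}, errors.New("parent block is not on the ledger")
	}
	b := &KeyBlock{Timestamp: time.Now().Unix(), PrevHash: parent, Payload: payload}
	id := b.hash()
	l.blocks[id] = b
	return id, nil
}

// Verify walks from tip back to genesis, recomputing each hash link; an edit
// to any block's timestamp, payload or parent pointer along the path fails it.
func (l *Ledger) Verify(tip [32]byte) error {
	for id := tip; id != ([32]byte{}); {
		b, ok := l.blocks[id]
		if !ok {
			return errors.New("chain references a block that is not on the ledger")
		}
		if b.hash() != id {
			return errors.New("block content no longer matches its hash")
		}
		id = b.PrevHash
	}
	return nil
}

// Tamper is a test hook that edits a stored block in place, simulating an
// insider overwriting key data behind the ledger's back.
func (l *Ledger) Tamper(id [32]byte, payload []byte) {
	if b, ok := l.blocks[id]; ok {
		b.Payload = payload
	}
}

func main() {
	l := NewLedger()
	// Constructed placeholders for wrapped key data; in the paper these are the
	// AES file keys encrypted to the recipient's ECC public key.
	g, _ := l.Append([32]byte{}, []byte("wrapped-key-file-1"))
	b2, _ := l.Append(g, []byte("wrapped-key-file-2"))
	// Sharing file 2 starts a branch off block b2 instead of extending the tip.
	share, _ := l.Append(b2, []byte("wrapped-key-file-2-for-recipient"))
	tip, _ := l.Append(b2, []byte("wrapped-key-file-3"))
	fmt.Println("main chain:", l.Verify(tip), "| branch:", l.Verify(share))
	l.Tamper(b2, []byte("substituted-key"))
	fmt.Println("after tampering with block 2:", l.Verify(tip))
}
```

Both the main tip and the sharing branch pass through block 2, so overwriting its payload invalidates every chain that descends from it, while the genesis block alone still verifies. That is the detection property; what the ledger does not give you on its own is prevention, which is why the wrapped payload must be independently confidential.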

[Figure: Proposed solution architecture]

Benefits of Blockchain-Based Sharing

  • Confidentiality: Only the recipient’s ECC private key can decrypt the block and access the AES key.

  • Integrity: Any tampering with the block structure or chain sequence is immediately detectable.

  • Non-repudiation: The chain of custody for each file is cryptographically preserved.
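The confidentiality property above, as an added Go example that is mine rather than the paper's: wrapping an AES file key to a recipient's P-256 public key with an ephemeral ECDH agreement and AES-256-GCM, an ECIES-style construction. The summary says "ECC public key" without naming a scheme, so the curve, the SHA-256 key derivation, the AEAD and the function names WrapKey and UnwrapKey are my assumptions. Only the matching private key unwraps; any other key, or any edit to the wrapped block, fails authentication.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// aeadFrom derives the wrapping key as SHA-256 of the ECDH shared secret and
// returns AES-256-GCM over it; the key is always 32 bytes, so neither
// constructor can fail here.
func aeadFrom(shared []byte) cipher.AEAD {
	wk := sha256.Sum256(shared)
	blk, _ := aes.NewCipher(wk[:])
	gcm, _ := cipher.NewGCM(blk)
	return gcm
}

// WrapKey encrypts a file key to the recipient's P-256 public key using an
// ephemeral ECDH agreement. Output layout:
// ephemeral public key (65 bytes) || nonce (12 bytes) || ciphertext+tag.
func WrapKey(pub *ecdh.PublicKey, fileKey []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(pub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, ephPub...), nonce...)
	// The ephemeral public key is bound as associated data so it cannot be swapped.
	return aeadFrom(shared).Seal(out, nonce, fileKey, ephPub), nil
}

// UnwrapKey recovers the file key. Only the holder of the matching private key
// can reproduce the shared secret; anyone else gets an authentication error.
func UnwrapKey(priv *ecdh.PrivateKey, wrapped []byte) ([]byte, error) {
	const pubLen, nonceLen, tagLen = 65, 12, 16
	if len(wrapped) < pubLen+nonceLen+tagLen {
		return nil, errors.New("wrapped key too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(wrapped[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	nonce, ct := wrapped[pubLen:pubLen+nonceLen], wrapped[pubLen+nonceLen:]
	return aeadFrom(shared).Open(nil, nonce, ct, wrapped[:pubLen])
}

func main() {
	recipient, _ := ecdh.P256().GenerateKey(rand.Reader)
	other, _ := ecdh.P256().GenerateKey(rand.Reader)
	fileKey := make([]byte, 32) // constructed: stands in for a derived AES-256 file key
	rand.Read(fileKey)
	wrapped, _ := WrapKey(recipient.PublicKey(), fileKey)
	got, err := UnwrapKey(recipient, wrapped)
	fmt.Println("recipient recovers the key:", err == nil && bytes.Equal(got, fileKey))
	_, err = UnwrapKey(other, wrapped)
	fmt.Println("another private key fails:", err != nil)
}
```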

Cryptographic Strength Analysis: Statistical and Entropy Validation

To evaluate the security robustness, the paper presents sensitivity analysis, entropy analysis, and histogram comparison using synthetic data and image encryption (e.g., the grayscale “Cameraman” test image).

Key Metrics:

  • Bit Sensitivity: Keys exhibited bit-flip sensitivity exceeding 59%, significantly higher than prior models such as Liu et al. (2022), which peaked at 51.46%.

  • File Entropy: Output entropy approached 7.9–8.0 bits/byte, indicating near-optimal randomness and strong resistance to statistical inference.

  • Histogram Uniformity: Encrypted image histograms showed highly uniform distributions, with the proposed model outperforming standard AES in eliminating visual patterns.

These metrics suggest resilience against:

  • Statistical attacks

  • Chosen plaintext attacks

  • Side-channel leakage through pattern detection
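The two measurements above can be reproduced on constructed data. The following Go block is an added example, not the paper's evaluation code: byte-level Shannon entropy in bits/byte and the bit-flip sensitivity of the dual-hash key, run on a 64 KiB low-entropy input standing in for an image. AES-256-CTR with a random IV is my choice of mode for the ciphertext measurement, and the function names BitSensitivity, ShannonEntropy and EncryptCTR are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math"
	"math/bits"
)

// deriveFileKey is the paper's dual-hash key: SHA256(file) XOR SHA256(lastBlockHash).
func deriveFileKey(file, lastBlockHash []byte) []byte {
	h1, h2 := sha256.Sum256(file), sha256.Sum256(lastBlockHash)
	key := make([]byte, 32)
	for i := range key {
		key[i] = h1[i] ^ h2[i]
	}
	return key
}

// BitSensitivity flips a single bit of the input file and reports the
// percentage of key bits that change as a result (the paper's bit-flip metric).
func BitSensitivity(file, lastBlockHash []byte, bit int) float64 {
	flipped := append([]byte{}, file...)
	flipped[bit/8] ^= 1 << (bit % 8)
	k1, k2 := deriveFileKey(file, lastBlockHash), deriveFileKey(flipped, lastBlockHash)
	changed := 0
	for i := range k1 {
		changed += bits.OnesCount8(k1[i] ^ k2[i])
	}
	return 100 * float64(changed) / float64(8*len(k1))
}

// ShannonEntropy returns the byte-level entropy in bits per byte (maximum 8.0).
func ShannonEntropy(data []byte) float64 {
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	h, n := 0.0, float64(len(data))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// EncryptCTR encrypts with AES-256 in CTR mode under the derived key and a
// fresh random IV (the mode is my choice for the measurement; the paper does
// not name one in this summary).
func EncryptCTR(file, lastBlockHash []byte) []byte {
	blk, _ := aes.NewCipher(deriveFileKey(file, lastBlockHash)) // 32-byte key: cannot fail
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	out := make([]byte, len(file))
	cipher.NewCTR(blk, iv).XORKeyStream(out, file)
	return out
}

func main() {
	// Constructed low-entropy "image": 64 KiB of a repeating 4-byte pattern.
	file := make([]byte, 1<<16)
	for i := range file {
		file[i] = byte(i % 4)
	}
	prev := sha256.Sum256([]byte("previous-block"))
	fmt.Printf("plaintext entropy:  %.3f bits/byte\n", ShannonEntropy(file))
	fmt.Printf("ciphertext entropy: %.3f bits/byte\n", ShannonEntropy(EncryptCTR(file, prev[:])))
	fmt.Printf("key bits changed after flipping one file bit: %.2f%%\n", BitSensitivity(file, prev[:], 7))
}
```

The plaintext scores exactly 2.0 bits/byte (four equiprobable values), the ciphertext lands near 8.0, and a single flipped input bit changes about half of the key bits, which is what a well-behaved hash-based derivation should show; the paper's 59% figure is its own result on its own inputs and is not reproduced here.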

This level of entropy is vital for compliance with standards such as NIST SP 800-57 Part 1 (Rev. 5) and the ENISA Guidelines on Cryptographic Key Management.

Security Advantages Over Traditional KMS and Static Encryption

Feature          | Traditional KMS + AES            | Proposed Model
-----------------+----------------------------------+------------------------------------
Key Generation   | Centralized, fixed               | Per-file, dynamic
Key Storage      | Centralized KMS                  | Private blockchain
Sharing Model    | Manual ACLs, complex token handling | ECC-encrypted blockchain branches
Key Revocation   | Difficult to track propagation   | Chain branch pruning possible
Auditability     | Limited                          | Full cryptographic chain of custody

This architecture complements Zero Trust principles such as:

  • Continuous authentication and cryptographic access validation

  • Micro-perimeterization at the file level

  • No implicit trust in network or storage infrastructure

Key Takeaways

  • Dynamic AES + Blockchain + ECC offers a cryptographically rigorous architecture that redefines secure file storage and sharing in the cloud.

  • This model enhances confidentiality, integrity, and access traceability in line with Zero Trust and CCMv4 frameworks.

  • Sensitivity and entropy analysis confirm strong resistance to known and side-channel attacks.

  • The solution supports granular, identity-bound sharing via multi-branch blockchains—a powerful tool for privacy and auditability.

Cloud-native security must evolve past static boundaries and implicit trust. This research marks a critical step toward cryptographically anchored, fully decentralized cloud encryption frameworks—where every file, key, and access request is verifiable, revocable, and secure by design.

That’s all for this week’s edition of CloudSec Weekly—stay vigilant and stay secure!
