A secure data deletion scheme for IoT devices through key derivation encryption and data analysis

With the widespread adoption of mobile devices in various IoT services, an increasing amount of personal sensitive data are stored in IoT devices using flash memory as storage medium. Personal sensitive data are subject to privacy leakage due to unauthorized access, accidentally loss or resale of IoT devices. To tackle this challenge, in this paper, we present a novel key derivation encryption (KDE) algorithm, which is then used to construct a secure data deletion (SDDK) scheme for IoT devices. Initially, we design a nodal key tree based on flash memory's hierarchical structure, and present a KDE algorithm to generate data key for encrypting user's sensitive data and simplify key management. Meanwhile, based on KDE, we propose an SDDK scheme by combining partial block erasure with key deletion to remove both the ciphertext and the key components after data expiration, thereby implementing secure data deletion on IoT devices. Furthermore, we formally describe the process of SDDK using a mathematical analysis model, and give an optimal solution to reduce the page transfer overhead by employing implicit enumeration analysis algorithm. Finally, security analysis shows that the KDE algorithm is provably secure and the SDDK scheme implements data privacy protection and secure deletion of invalid data. Performance analysis and experimental results indicate that the SDDK scheme is effective and efficient. (C) 2019 Elsevier B.V. All rights reserved.