SEVERAL trends are opening up the era of cloud computing,

Transcription

1 220 IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL 5, NO 2, APRIL-JUNE 2012 Toward Secure and Dependable Storage Servces n Cloud Computng Cong Wang, Student Member, IEEE, Qan Wang, Student Member, IEEE, Ku Ren, Senor Member, IEEE, Nng Cao, and Wenjng Lou, Senor Member, IEEE Abstract Cloud storage enables users to remotely store ther data and enjoy the on-demand hgh qualty cloud applcatons wthout the burden of local hardware and software management Though the benefts are clear, such a servce s also relnqushng users physcal possesson of ther outsourced data, whch nevtably poses new securty rsks toward the correctness of the data n cloud In order to address ths new problem and further acheve a secure and dependable cloud storage servce, we propose n ths paper a flexble dstrbuted storage ntegrty audtng mechansm, utlzng the homomorphc token and dstrbuted erasure-coded data The proposed desgn allows users to audt the cloud storage wth very lghtweght communcaton and computaton cost The audtng result not only ensures strong cloud storage correctness guarantee, but also smultaneously acheves fast data error localzaton, e, the dentfcaton of msbehavng server Consderng the cloud data are dynamc n nature, the proposed desgn further supports secure and effcent dynamc operatons on outsourced data, ncludng block modfcaton, deleton, and append Analyss shows the proposed scheme s hghly effcent and reslent aganst Byzantne falure, malcous data modfcaton attack, and even server colludng attacks Index Terms Data ntegrty, dependable dstrbuted storage, error localzaton, data dynamcs, cloud computng Ç 1 INTRODUCTION SEVERAL trends are openng up the era of cloud computng, whch s an Internet-based development and use of computer technology The ever cheaper and more powerful processors, together wth the Software as a Servce (SaaS) computng archtecture, are transformng data centers nto pools of computng servce on a huge scale The ncreasng network bandwdth and relable yet flexble network connectons make t even possble that users can now subscrbe hgh qualty servces from data and software that resde solely on remote data centers Movng data nto the cloud offers great convenence to users snce they don t have to care about the complextes of drect hardware management The poneer of cloud computng vendors, Amazon Smple Storage Servce (S3), and Amazon Elastc Compute Cloud (EC2) [2] are both well-known examples Whle these nternet-based onlne servces do provde huge amounts of storage space and customzable computng resources, ths computng C Wang s wth the Department of Electrcal and Computer Engneerng, Illnos Insttute of Technology, 1451 East 55th St, Apt 1017 N, Chcago, IL E-mal: cwang55@tedu Q Wang s wth the Department of Electrcal and Computer Engneerng, Illnos Insttute of Technology, 500 East 33rd St, Apt 602, Chcago, IL E-mal: qwang38@tedu K Ren s wth the Department of Electrcal and Computer Engneerng, Illnos Insttute of Technology, 3301 Dearborn St, Segel Hall 319, Chcago, IL E-mal: kren@ecetedu N Cao s wth the Department of Electrcal and Computer Engneerng, Worcester Polytechnc Insttute, 100 Insttute Road, Worcester, MA E-mal: ncao@wpedu W Lou s wth the Department of Computer Scence, Vrgna Polytechnc Insttute and State Unversty, Falls Church, VA E-mal: wjlou@vtedu Manuscrpt receved 4 Apr 2010; revsed 14 Sept 2010; accepted 25 Dec 2010; publshed onlne 6 May 2011 For nformaton on obtanng reprnts of ths artcle, please send e-mal to: tsc@computerorg and reference IEEECS Log Number TSCSI Dgtal Object Identfer no /TSC platform shft, however, s elmnatng the responsblty of local machnes for data mantenance at the same tme As a result, users are at the mercy of ther cloud servce provders (CSP) for the avalablty and ntegrty of ther data [3], [4] On the one hand, although the cloud nfrastructures are much more powerful and relable than personal computng devces, broad range of both nternal and external threats for data ntegrty stll exst Examples of outages and data loss ncdents of noteworthy cloud storage servces appear from tme to tme [5], [6], [7], [8], [9] On the other hand, snce users may not retan a local copy of outsourced data, there exst varous ncentves for CSP to behave unfathfully toward the cloud users regardng the status of ther outsourced data For example, to ncrease the proft margn by reducng cost, t s possble for CSP to dscard rarely accessed data wthout beng detected n a tmely fashon [10] Smlarly, CSP may even attempt to hde data loss ncdents so as to mantan a reputaton [11], [12], [13] Therefore, although outsourcng data nto the cloud s economcally attractve for the cost and complexty of long-term large-scale data storage, ts lackng of offerng strong assurance of data ntegrty and avalablty may mpede ts wde adopton by both enterprse and ndvdual cloud users In order to acheve the assurances of cloud data ntegrty and avalablty and enforce the qualty of cloud storage servce, effcent methods that enable on-demand data correctness verfcaton on behalf of cloud users have to be desgned However, the fact that users no longer have physcal possesson of data n the cloud prohbts the drect adopton of tradtonal cryptographc prmtves for the purpose of data ntegrty protecton Hence, the verfcaton of cloud storage correctness must be conducted wthout explct knowledge of the whole data fles [10], [11], [12], [13] Meanwhle, cloud storage s not just a thrd party data warehouse The data stored n the cloud may not only be /12/$3100 ß 2012 IEEE Publshed by the IEEE Computer Socety

2 WANG ET AL: TOWARD SECURE AND DEPENDABLE STORAGE SERVICES IN CLOUD COMPUTING 221 accessed but also be frequently updated by the users [14], [15], [16], ncludng nserton, deleton, modfcaton, appendng, etc Thus, t s also mperatve to support the ntegraton of ths dynamc feature nto the cloud storage correctness assurance, whch makes the system desgn even more challengng Last but not the least, the deployment of cloud computng s powered by data centers runnng n a smultaneous, cooperated, and dstrbuted manner [3] It s more advantages for ndvdual users to store ther data redundantly across multple physcal servers so as to reduce the data ntegrty and avalablty threats Thus, dstrbuted protocols for storage correctness assurance wll be of most mportance n achevng robust and secure cloud storage systems However, such mportant area remans to be fully explored n the lterature Recently, the mportance of ensurng the remote data ntegrty has been hghlghted by the followng research works under dfferent system and securty models [10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22] These technques, whle can be useful to ensure the storage correctness wthout havng users possessng local data, are all focusng on sngle server scenaro They may be useful for qualty-of-servce testng [23], but does not guarantee the data avalablty n case of server falures Although drect applyng these technques to dstrbuted storage (multple servers) could be straghtforward, the resulted storage verfcaton overhead would be lnear to the number of servers As an complementary approach, researchers have also proposed dstrbuted protocols [23], [24], [25] for ensurng storage correctness across multple servers or peers However, whle provdng effcent cross server storage verfcaton and data avalablty nsurance, these schemes are all focusng on statc or archval data As a result, ther capabltes of handlng dynamc data remans unclear, whch nevtably lmts ther full applcablty n cloud storage scenaros In ths paper, we propose an effectve and flexble dstrbuted storage verfcaton scheme wth explct dynamc data support to ensure the correctness and avalablty of users data n the cloud We rely on erasurecorrectng code n the fle dstrbuton preparaton to provde redundances and guarantee the data dependablty aganst Byzantne servers [26], where a storage server may fal n arbtrary ways Ths constructon drastcally reduces the communcaton and storage overhead as compared to the tradtonal replcaton-based fle dstrbuton technques By utlzng the homomorphc token wth dstrbuted verfcaton of erasure-coded data, our scheme acheves the storage correctness nsurance as well as data error localzaton: whenever data corrupton has been detected durng the storage correctness verfcaton, our scheme can almost guarantee the smultaneous localzaton of data errors, e, the dentfcaton of the msbehavng server(s) In order to strke a good balance between error reslence and data dynamcs, we further explore the algebrac property of our token computaton and erasure-coded data, and demonstrate how to effcently support dynamc operaton on data blocks, whle mantanng the same level of storage correctness assurance In order to save the tme, computaton resources, and even the related onlne burden of users, we also provde the extenson of the proposed man scheme to support thrd-party audtng, where users can safely Fg 1 Cloud storage servce archtecture delegate the ntegrty checkng tasks to thrd-party audtors (TPA) and be worry-free to use the cloud storage servces Our work s among the frst few ones n ths feld to consder dstrbuted data storage securty n cloud computng Our contrbuton can be summarzed as the followng three aspects: 1) Compared to many of ts predecessors, whch only provde bnary results about the storage status across the dstrbuted servers, the proposed scheme acheves the ntegraton of storage correctness nsurance and data error localzaton, e, the dentfcaton of msbehavng server(s) 2) Unlke most pror works for ensurng remote data ntegrty, the new scheme further supports secure and effcent dynamc operatons on data blocks, ncludng: update, delete, and append 3) The experment results demonstrate the proposed scheme s hghly effcent Extensve securty analyss shows our scheme s reslent aganst Byzantne falure, malcous data modfcaton attack, and even server colludng attacks The rest of the paper s organzed as follows: Secton 2 ntroduces the system model, adversary model, our desgn goal, and notatons Then we provde the detaled descrpton of our scheme n Sectons 3 and 4 Secton 5 gves the securty analyss and performance evaluatons, followed by Secton 6 whch overvews the related work Fnally, Secton 7 concludes the whole paper 2 PROBLEM STATEMENT 21 System Model A representatve network archtecture for cloud storage servce archtecture s llustrated n Fg 1 Three dfferent network enttes can be dentfed as follows: User: an entty, who has data to be stored n the cloud and reles on the cloud for data storage and computaton, can be ether enterprse or ndvdual customers Cloud Server (CS): an entty, whch s managed by cloud servce provder (CSP) to provde data storage servce and has sgnfcant storage space and computaton resources (we wll not dfferentate CS and CSP hereafter) Thrd-Party Audtor: an optonal TPA, who has expertse and capabltes that users may not have, s trusted to assess and expose rsk of cloud storage servces on behalf of the users upon request In cloud data storage, a user stores hs data through a CSP nto a set of cloud servers, whch are runnng n a

3 222 IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL 5, NO 2, APRIL-JUNE 2012 smultaneous, cooperated, and dstrbuted manner Data redundancy can be employed wth a technque of erasurecorrectng code to further tolerate faults or server crash as user s data grow n sze and mportance Thereafter, for applcaton purposes, the user nteracts wth the cloud servers va CSP to access or retreve hs data In some cases, the user may need to perform block level operatons on hs data The most general forms of these operatons we are consderng are block update, delete, nsert, and append Note that n ths paper, we put more focus on the support of fle-orented cloud applcatons other than nonfle applcaton data, such as socal networkng data In other words, the cloud data we are consderng s not expected to be rapdly changng n a relatve short perod As users no longer possess ther data locally, t s of crtcal mportance to ensure users that ther data are beng correctly stored and mantaned That s, users should be equpped wth securty means so that they can make contnuous correctness assurance (to enforce cloud storage servce-level agreement) of ther stored data even wthout the exstence of local copes In case that users do not necessarly have the tme, feasblty or resources to montor ther data onlne, they can delegate the data audtng tasks to an optonal trusted TPA of ther respectve choces However, to securely ntroduce such a TPA, any possble leakage of user s outsourced data toward TPA through the audtng protocol should be prohbted In our model, we assume that the pont-to-pont communcaton channels between each cloud server and the user s authentcated and relable, whch can be acheved n practce wth lttle overhead These authentcaton handshakes are omtted n the followng presentaton 22 Adversary Model From user s perspectve, the adversary model has to capture all knds of threats toward hs cloud data ntegrty Because cloud data do not resde at user s local ste but at CSP s address doman, these threats can come from two dfferent sources: nternal and external attacks For nternal attacks, a CSP can be self-nterested, untrusted, and possbly malcous Not only does t desre to move data that has not been or s rarely accessed to a lower ter of storage than agreed for monetary reasons, but t may also attempt to hde a data loss ncdent due to management errors, Byzantne falures, and so on For external attacks, data ntegrty threats may come from outsders who are beyond the control doman of CSP, for example, the economcally motvated attackers They may compromse a number of cloud data storage servers n dfferent tme ntervals and subsequently be able to modfy or delete users data whle remanng undetected by CSP Therefore, we consder the adversary n our model has the followng capabltes, whch captures both external and nternal threats toward the cloud data ntegrty Specfcally, the adversary s nterested n contnuously corruptng the user s data fles stored on ndvdual servers Once a server s comprsed, an adversary can pollute the orgnal data fles by modfyng or ntroducng ts own fraudulent data to prevent the orgnal data from beng retreved by the user Ths corresponds to the threats from external attacks In the worst case scenaro, the adversary can compromse all the storage servers so that he can ntentonally modfy the data fles as long as they are nternally consstent In fact, ths s equvalent to nternal attack case where all servers are assumed colludng together from the early stages of applcaton or servce deployment to hde a data loss or corrupton ncdent 23 Desgn Goals To ensure the securty and dependablty for cloud data storage under the aforementoned adversary model, we am to desgn effcent mechansms for dynamc data verfcaton and operaton and acheve the followng goals: 1 Storage correctness: to ensure users that ther data are ndeed stored approprately and kept ntact all the tme n the cloud 2 Fast localzaton of data error: to effectvely locate the malfunctonng server when data corrupton has been detected 3 Dynamc data support: to mantan the same level of storage correctness assurance even f users modfy, delete, or append ther data fles n the cloud 4 Dependablty: to enhance data avalablty aganst Byzantne falures, malcous data modfcaton and server colludng attacks, e, mnmzng the effect brought by data errors or server falures 5 Lghtweght: to enable users to perform storage correctness checks wth mnmum overhead 24 Notaton and Prelmnares F the data fle to be stored We assume that F can be denoted as a matrx of m equal-szed data vectors, each consstng of l blocks Data blocks are all well represented as elements n Galos Feld GFð2 p Þ for p ¼ 8 or 16 A The dspersal matrx used for Reed-Solomon codng G The encoded fle matrx, whch ncludes a set of n ¼ m þ k vectors, each consstng of l blocks f key ðþ pseudorandom functon (PRF), whch s defned as f : f0; 1g key! GFð2 p Þ key ðþ pseudorandom permutaton (PRP), whch s defned as : f0; 1g log2ð Þ key!f0; 1g log2ð Þ ver a verson number bound wth the ndex for ndvdual blocks, whch records the tmes the block has been modfed Intally we assume ver s 0 for all data blocks the seed for PRF, whch depends on the fle name, block ndex, the server poston j as well as the optonal block verson number ver s ver j 3 ENSURING CLOUD DATA STORAGE In cloud data storage system, users store ther data n the cloud and no longer possess the data locally Thus, the correctness and avalablty of the data fles beng stored on the dstrbuted cloud servers must be guaranteed One of the key ssues s to effectvely detect any unauthorzed data modfcaton and corrupton, possbly due to server compromse and/or random Byzantne falures Besdes, n the dstrbuted case when such nconsstences are

4 WANG ET AL: TOWARD SECURE AND DEPENDABLE STORAGE SERVICES IN CLOUD COMPUTING 223 successfully detected, to fnd whch server the data error les n s also of great sgnfcance, snce t can always be the frst step to fast recover the storage errors and/or dentfyng potental threats of external attacks To address these problems, our man scheme for ensurng cloud data storage s presented n ths secton The frst part of the secton s devoted to a revew of basc tools from codng theory that s needed n our scheme for fle dstrbuton across cloud servers Then, the homomorphc token s ntroduced The token computaton functon we are consderng belongs to a famly of unversal hash functon [27], chosen to preserve the homomorphc propertes, whch can be perfectly ntegrated wth the verfcaton of erasurecoded data [24], [28] Subsequently, t s shown how to derve a challenge-response protocol for verfyng the storage correctness as well as dentfyng msbehavng servers The procedure for fle retreval and error recovery based on erasure-correctng code s also outlned Fnally, we descrbe how to extend our scheme to thrd party audtng wth only slght modfcaton of the man desgn 31 Fle Dstrbuton Preparaton It s well known that erasure-correctng code may be used to tolerate multple falures n dstrbuted storage systems In cloud data storage, we rely on ths technque to dsperse the data fle F redundantly across a set of n ¼ m þ k dstrbuted servers An ðm; kþ Reed-Solomon erasure-correctng code s used to create k redundancy party vectors from m data vectors n such a way that the orgnal m data vectors can be reconstructed from any m out of the m þ k data and party vectors By placng each of the m þ k vectors on a dfferent server, the orgnal data fle can survve the falure of any k of the m þ k servers wthout any data loss, wth a space overhead of k=m For support of effcent sequental I/O to the orgnal fle, our fle layout s systematc, e, the unmodfed m data fle vectors together wth k party vectors s dstrbuted across m þ k dfferent servers Let F ¼ðF 1 ;F 2 ; ;F m Þ and F ¼ðf 1 ;f 2 ; ;f l Þ T ð 2 f1; ; mgþ Here, T (shorthand for transpose) denotes that each F s represented as a column vector, and l denotes data vector sze n blocks All these blocks are elements of GFð2 p Þ The systematc layout wth party vectors s acheved wth the nformaton dspersal matrx A, derved from an m ðm þ kþ Vandermonde matrx [29] B 1 2 m mþ1 n C 1 m 1 2 m 1 m m 1 mþ1 m 1 n m 1 C A ; where j ðj 2f1; ;ngþ are dstnct elements randomly pcked from GFð2 p Þ After a sequence of elementary row transformatons, the desred matrx A can be wrtten as p 11 p 12 p 1k p 21 p 22 p 2k A ¼ðIjPÞ ¼B A ; p m1 p m2 p mk where I s a m m dentty matrx and P s the secret party generaton matrx wth sze m k Note that A s derved from a Vandermonde matrx, thus t has the property that any m out of the m þ k columns form an nvertble matrx By multplyng F by A, the user obtans the encoded fle G ¼ F A ¼ðG ð1þ ;G ð2þ ; ;G ðmþ ;G ðmþ1þ ; ;G ðnþ Þ ¼ðF 1 ;F 2 ; ;F m ;G ðmþ1þ ; ;G ðnþ Þ; where G ðjþ ¼ðg ðjþ 1 ;gðjþ 2 ; ;gðjþ l Þ T ðj 2f1; ;ngþ As notced, the multplcaton reproduces the orgnal data fle vectors of F and the remanng part ðg ðmþ1þ ; ;G ðnþ Þ are k party vectors generated based on F 32 Challenge Token Precomputaton In order to acheve assurance of data storage correctness and data error localzaton smultaneously, our scheme entrely reles on the precomputed verfcaton tokens The man dea s as follows: before fle dstrbuton the user precomputes a certan number of short verfcaton tokens on ndvdual vector G ðjþ ðj 2f1; ;ngþ, each token coverng a random subset of data blocks Later, when the user wants to make sure the storage correctness for the data n the cloud, he challenges the cloud servers wth a set of randomly generated block ndces Upon recevng challenge, each cloud server computes a short sgnature over the specfed blocks and returns them to the user The values of these sgnatures should match the correspondng tokens precomputed by the user Meanwhle, as all servers operate over the same subset of the ndces, the requested response values for ntegrty check must also be a vald codeword determned by the secret matrx P Suppose the user wants to challenge the cloud servers t tmes to ensure the correctness of data storage Then, he must precompute t verfcaton tokens for each G ðjþ ðj2f1; ;ngþ, usng a PRF fðþ, a PRP ðþ, a challenge key k chal, and a master permutaton key K PRP Specfcally, to generate the th token for server j, the user acts as follows: 1 Derve a random challenge value of GFð2 p Þ by ¼ f kchal ðþ and a permutaton key k ðþ based on K PRP 2 Compute the set of r randomly-chosen ndces fi q 2½1; ;lšj1 q rg; where I q ¼ ðþ k ðqþ: 3 Calculate the token as v ðjþ ¼ Xr q GðjÞ ½I q Š; where G ðjþ ½I q Š¼g ðjþ I q : Note that v ðjþ, whch s an element of GFð2 p Þ wth small sze, s the response the user expects to receve from server j when he challenges t on the specfed data blocks After token generaton, the user has the choce of ether keepng the precomputed tokens locally or storng them n encrypted form on the cloud servers In our case here, the user stores them locally to obvate the need for encrypton and lower the bandwdth overhead durng dynamc data operaton whch wll be dscussed shortly The detals of token generaton are shown n Algorthm 1

5 224 IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL 5, NO 2, APRIL-JUNE 2012 Algorthm 1 Token Precomputaton 1: procedure 2: Choose parameters l; n and functon f;; 3: Choose the number t of tokens; 4: Choose the number r of ndces per verfcaton; 5: Generate master key K PRP and challenge key k chal ; 6: for vector G ðjþ ;j 1;n do 7: for round 1;t do 8: Derve ¼ f kchal ðþ and k ðþ from K PRP 9: Compute v ðjþ 10: end for 11: end for 12: Store all the v s locally 13: end procedure ¼ P r q GðjÞ ½ k ðþ ðqþš Once all tokens are computed, the fnal step before fle dstrbuton s to blnd each party block g ðjþ n ðg ðmþ1þ ; ; G ðnþ Þ by g ðjþ g ðjþ þ f kj ðs j Þ;2f1; ;lg; where k j s the secret key for party vector G ðjþ ðj 2fm þ 1; ;ngþ Ths s for protecton of the secret matrx P We wll dscuss the necessty of usng blnded partes n detal n Secton 52 After blndng the party nformaton, the user dsperses all the n encoded vectors G ðjþ ðj 2f1; ;ngþ across the cloud servers S 1 ;S 2 ; ;S n 33 Correctness Verfcaton and Error Localzaton Error localzaton s a key prerequste for elmnatng errors n storage systems It s also of crtcal mportance to dentfy potental threats from external attacks However, many prevous schemes [23], [24] do not explctly consder the problem of data error localzaton, thus only provdng bnary results for the storage verfcaton Our scheme outperforms those by ntegratng the correctness verfcaton and error localzaton (msbehavng server dentfcaton) n our challenge-response protocol: the response values from servers for each challenge not only determne the correctness of the dstrbuted storage, but also contan nformaton to locate potental data error(s) Specfcally, the procedure of the th challenge-response for a cross-check over the n servers s descrbed as follows: 1 The user reveals the as well as the th permutaton key k ðþ to each servers 2 The server storng vector G ðjþ ðj 2f1; ;ngþ aggregates those r rows specfed by ndex k ðþ nto a lnear combnaton R ðjþ ¼ Xr q GðjÞ ½ ðþ k ðqþš; and send back R ðjþ ðj 2f1; ;ngþ 3 Upon recevng R ðjþ s from all the servers, the user takes away blnd values n R ðjþ ðj 2fm þ 1; ;ngþ by R ðjþ R ðjþ Xr f kj ðs Iq ;jþ q ; where I q ¼ ðþ k ðqþ: 4 Then, the user verfes whether the receved values reman a vald codeword determned by the secret matrx P R ð1þ ; ;R ðmþ P ¼? R ðmþ1þ ; ;R ðnþ : Because all the servers operate over the same subset of ndces, the lnear aggregaton of these r specfed rows ðr ð1þ ; ;R ðnþ Þ has to be a codeword n the encoded fle matrx (See Secton 51 for the correctness analyss) If the above equaton holds, the challenge s passed Otherwse, t ndcates that among those specfed rows, there exst fle block corruptons Once the nconsstency among the storage has been successfully detected, we can rely on the precomputed verfcaton tokens to further determne where the potental data error(s) les n Note that each response R ðjþ s computed exactly n the same way as token v ðjþ, thus the user can smply fnd whch server s msbehavng by verfyng the followng n equatons: R ðjþ ¼? v ðjþ ;j2f1; ;ng: Algorthm 2 gves the detals of correctness verfcaton and error localzaton Algorthm 2 Correctness Verfcaton and Error Localzaton 1: procedure CHALLENGE() 2: Recompute ¼ f kchal ðþ and k ðþ from K PRP; 3: Send f ;k ðþ g to all the cloud servers; 4: Receve from servers: fr ðjþ ¼ P r q GðjÞ ½ ðþ k ðqþšj1 j ng 5: for ðj m þ 1;nÞ do 6: R ðjþ R ðjþ P r f k j ðs Iq ;jþ q, I q ¼ ðþ k 7: end for 8: f ððr ð1þ ; ;R ðmþ ÞP¼¼ðR ðmþ1þ ðqþ ; ;R ðnþ ÞÞ than 9: Accept and ready for the next challenge 10: else 11: for (j 1;n) do 12: f ðr ðjþ! ¼v ðjþ Þ than 13: return server j s msbehavng 14: end f 15: end for 16: end f 17: end procedure Dscusson Prevous work [23], [24] has suggested usng the decodng capablty of error-correcton code to treat data errors But such approach mposes a bound on the number of msbehavng servers b by b bk=2c Namely, they cannot dentfy msbehavng servers when b>bk=2c 1 However, our token-based approach, whle allowng effcent storage correctness valdaton, does not have ths lmtaton on the number of msbehavng servers That s, our approach can dentfy any number of msbehavng servers for b ðm þ kþ Also note that, for every challenge, each server only needs to send back an aggregated value over the 1 In [23], the authors also suggest usng brute-force decodng when ther dspersal code s an erasure code However, such brute-force method s asymptotcally neffcent, and stll cannot guarantee dentfcaton of all msbehavng servers

6 WANG ET AL: TOWARD SECURE AND DEPENDABLE STORAGE SERVICES IN CLOUD COMPUTING 225 specfed set of blocks Thus, the bandwdth cost of our approach s much less than the straghtforward approaches that requre downloadng all the challenged data 34 Fle Retreval and Error Recovery Snce our layout of fle matrx s systematc, the user can reconstruct the orgnal fle by downloadng the data vectors from the frst m servers, assumng that they return the correct response values Notce that our verfcaton scheme s based on random spot-checkng, so the storage correctness assurance s a probablstc one However, by choosng system parameters ðe:g:; r; l; tþ approprately and conductng enough tmes of verfcaton, we can guarantee the successful fle retreval wth hgh probablty On the other hand, whenever the data corrupton s detected, the comparson of precomputed tokens and receved response values can guarantee the dentfcaton of msbehavng server(s) (agan wth hgh probablty), whch wll be dscussed shortly Therefore, the user can always ask servers to send back blocks of the r rows specfed n the challenge and regenerate the correct blocks by erasure correcton, shown n Algorthm 3, as long as the number of dentfed msbehavng servers s less than k (otherwse, there s no way to recover the corrupted blocks due to lack of redundancy, even f we know the poston of msbehavng servers) The newly recovered blocks can then be redstrbuted to the msbehavng servers to mantan the correctness of storage Algorthm 3 Error Recovery 1: procedure % Assume the block corruptons have been detected among % the specfed r rows; % Assume s k servers have been dentfed msbehavng 2: Download r rows of blocks from servers; 3: Treat s servers as erasures and recover the blocks 4: Resend the recovered blocks to correspondng servers 5: end procedure 35 Toward Thrd Party Audtng As dscussed n our archtecture, n case the user does not have the tme, feasblty, or resources to perform the storage correctness verfcaton, he can optonally delegate ths task to an ndependent thrd-party audtor, makng the cloud storage publcly verfable However, as ponted out by the recent work [30], [31], to securely ntroduce an effectve TPA, the audtng process should brng n no new vulnerabltes toward user data prvacy Namely, TPA should not learn user s data content through the delegated data audtng Now we show that wth only slght modfcaton, our protocol can support prvacy-preservng thrd party audtng The new desgn s based on the observaton of lnear property of the party vector blndng process Recall that the reason of blndng process s for protecton of the secret matrx P aganst cloud servers However, ths can be acheved ether by blndng the party vector or by blndng the data vector (we assume k<m) Thus, f we blnd data vector before fle dstrbuton encodng, then the storage verfcaton task can be successfully delegated to thrd party audtng n a prvacy-preservng manner Specfcally, the new protocol s descrbed as follows: 1 Before fle dstrbuton, the user blnds each fle block data g ðjþ n ðg ð1þ ; ;G ðmþ Þ by g ðjþ g ðjþ þ f kj ðs j Þ;2f1; ;lg, where k j s the secret key for data vector G ðjþ ðj 2f1; ;mgþ 2 Based on the blnded data vector ðg ð1þ ; ;G ðmþ Þ, the user generates k party vectors ðg ðmþ1þ ; ;G ðnþ Þ va the secret matrx P 3 The user calculates the th token for server j as prevous scheme: v ðjþ ¼ P r q GðjÞ ½I q Š, where G ðjþ ½I q Š¼g ðjþ I q and ¼ f kchal ðþ 2GFð2 p Þ 4 The user sends the token set fv ðjþ g f1t;1jng, secret matrx P, permutaton and challenge key K PRP, and k chal to TPA for audtng delegaton The correctness valdaton and msbehavng server dentfcaton for TPA s just smlar to the prevous scheme The only dfference s that TPA does not have to take away the blndng values n the servers response R ðjþ ðj 2f1; ;ngþ but verfes drectly As TPA does not know the secret blndng key k j ðj 2f1; ;mgþ, there s no way for TPA to learn the data content nformaton durng audtng process Therefore, the prvacy-preservng thrd party audtng s acheved Note that compared to prevous scheme, we only change the sequence of fle encodng, token precomputaton, and blndng Thus, the overall computaton overhead and communcaton overhead remans roughly the same 4 PROVIDING DYNAMIC DATA OPERATION SUPPORT So far, we assumed that F represents statc or archved data Ths model may ft some applcaton scenaros, such as lbrares and scentfc data sets However, n cloud data storage, there are many potental scenaros where data stored n the cloud s dynamc, lke electronc documents, photos, or log fles, etc Therefore, t s crucal to consder the dynamc case, where a user may wsh to perform varous block-level operatons of update, delete, and append to modfy the data fle whle mantanng the storage correctness assurance Snce data do not resde at users local ste but at cloud servce provder s address doman, supportng dynamc data operaton can be qute challengng On the one hand, CSP needs to process the data dynamcs request wthout knowng the secret keyng materal On the other hand, users need to ensure that all the dynamc data operaton request has been fathfully processed by CSP To address ths problem, we brefly explan our approach methodology here and provde the detals later For any data dynamc operaton, the user must frst generate the correspondng resulted fle blocks and partes Ths part of operaton has to be carred out by the user, snce only he knows the secret matrx P Besdes, to ensure the changes of data blocks correctly reflected n the cloud address doman, the user also needs to modfy the correspondng storage verfcaton tokens to accommodate the changes on data blocks Only wth the accordngly changed storage verfcaton tokens, the prevously dscussed challenge-response protocol can be carred on successfully even after data dynamcs In

7 226 IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL 5, NO 2, APRIL-JUNE 2012 Fg 2 Logcal representaton of data dynamcs, ncludng block update, append, and delete other words, these verfcaton tokens help to ensure that CSP would correctly execute the processng of any dynamc data operaton request Otherwse, CSP would be caught cheatng wth hgh probablty n the protocol executon later on Gven ths desgn methodology, the straghtforward and trval way to support these operatons s for user to download all the data from the cloud servers and recompute the whole party blocks as well as verfcaton tokens Ths would clearly be hghly neffcent In ths secton, we wll show how our scheme can explctly and effcently handle dynamc data operatons for cloud data storage, by utlzng the lnear property of Reed-Solomon code and verfcaton token constructon 41 Update Operaton In cloud data storage, a user may need to modfy some data block(s) stored n the cloud, from ts current value f j to a new one, f j þ f j We refer ths operaton as data update Fg 2 gves the hgh level logcal representaton of data block update Due to the lnear property of Reed-Solomon code, a user can perform the update operaton and generate the updated party blocks by usng f j only, wthout nvolvng any other unchanged blocks Specfcally, the user can construct a general update matrx F as 0 1 f 11 f 12 f 1m f 21 f 22 f 2m F ¼ B A f l1 f l2 f lm ¼ðF 1 ; F 2 ; ; F m Þ: Note that we use zero elements n F to denote the unchanged blocks and thus F should only be a sparse matrx most of the tme (we assume for certan tme epoch, the user only updates a relatvely small part of fle F) To mantan the correspondng party vectors as well as be consstent wth the orgnal fle layout, the user can multply F by A and thus generate the update nformaton for both the data vectors and party vectors as follows: F A ¼ G ð1þ ; ; G ðmþ ; G ðmþ1þ ; ; G ðnþ ¼ F 1 ; ; F m ; G ðmþ1þ ; ; G ðnþ ; where G ðjþ ðj 2fm þ 1; ;ngþ denotes the update nformaton for the party vector G ðjþ Because the data update operaton nevtably affects some or all of the remanng verfcaton tokens, after preparaton of update nformaton, the user has to amend those unused tokens for each vector G ðjþ to mantan the same storage correctness assurance In other words, for all the unused tokens, the user needs to exclude every occurrence of the old data block and replace t wth the new one Thanks to the homomorphc constructon of our verfcaton token, the user can perform the token update effcently To gve more detals, suppose a block G ðjþ ½I s Š, whch s covered by the specfc token v ðjþ, has been changed to G ðjþ ½I s ŠþG ðjþ ½I s Š, where I s ¼ ðþ k ðsþ To mantan the usablty of token v ðjþ not hard to verfy that the user can smply update t by v ðjþ v ðjþ,ts þ s GðjÞ ½I s Š, wthout retrevng other r 1 blocks requred n the precomputaton of v ðjþ After the amendment to the affected tokens, 2 the user needs to blnd the update nformaton g ðjþ for each party block n ðg ðmþ1þ ; ; G ðnþ Þ to hde the secret matrx P by g ðjþ g ðjþ þ f kj ðs ver j Þ;2f1; ;lg Here, we use a new seed s ver j for the PRF The verson number ver functons lke a counter whch helps the user to keep track of the blnd nformaton on the specfc party blocks After blndng, the user sends update nformaton to the cloud servers, whch perform the update operaton as G ðjþ G ðjþ þ G ðjþ ; ðj 2f1; ;ngþ for the PRF functons every tme (for a block update operaton), we can ensure the freshness of the random value embedded nto party blocks In other words, the cloud servers cannot smply abstract away the random blndng nformaton on party blocks by subtractng the old and newly updated party blocks As a result, the secret matrx P s stll beng well protected, and the guarantee of storage correctness remans Dscusson Note that by usng the new seed s ver j 42 Delete Operaton Sometmes, after beng stored n the cloud, certan data blocks may need to be deleted The delete operaton we are consderng s a general one, n whch user replaces the data block wth zero or some specal reserved data symbol From ths pont of vew, the delete operaton s actually a specal case of the data update operaton, where the orgnal data blocks can be replaced wth zeros or some predetermned specal blocks Therefore, we can rely on the 2 In practce, t s possble that only a fracton of tokens need amendment, snce the updated blocks may not be covered by all the tokens

8 WANG ET AL: TOWARD SECURE AND DEPENDABLE STORAGE SERVICES IN CLOUD COMPUTING 227 update procedure to support delete operaton, e, by settng f j n F to be f j Also, all the affected tokens have to be modfed and the updated party nformaton has to be blnded usng the same method specfed n an update operaton 43 Append Operaton In some cases, the user may want to ncrease the sze of hs stored data by addng blocks at the end of the data fle, whch we refer as data append We antcpate that the most frequent append operaton n cloud data storage s bulk append, n whch the user needs to upload a large number of blocks (not a sngle block) at one tme Gven the fle matrx F llustrated n fle dstrbuton preparaton, appendng blocks toward the end of a data fle s equvalent to concatenate correspondng rows at the bottom of the matrx layout for fle F (See Fg 2) In the begnnng, there are only l rows n the fle matrx To smplfy the presentaton, we suppose the user wants to append m blocks at the end of fle F, denoted as ðf lþ1;1 ;f lþ1;2 ; ;f lþ1;m Þ (We can always use zero-paddng to make a row of m elements) Wth the secret matrx P, the user can drectly calculate the append blocks for each party server as ðf lþ1;1 ; ;f lþ1;m ÞP ¼ðg ðmþ1þ lþ1 ; ;g ðnþ lþ1 Þ To ensure the newly appended blocks are covered by our challenge tokens, we need a slght modfcaton to our token precomputaton Specfcally, we requre the user to expect the maxmum sze n blocks, denoted as l max, for each of hs data vector Ths dea of supportng block append was frst suggested by Atenese et al [14] n a sngle server settng, and t reles on both the ntal budget for the maxmum antcpated data sze l max n each encoded data vector and the system parameter r max ¼ dr ðl max =lþe for each precomputed challenge-response token The precomputaton of the th token on server j s modfed as follows: v ¼ P r max q GðjÞ ½I q Š, where ( G ðjþ ½I q Š¼ GðjÞ ½ ðþ k ðqþš; 0; ½ k ðþ ½ ðþ k ðqþš l; ðqþš >l; and the PRP ðþ s modfed as: ðþ : f0; 1g log 2ðl maxþ key!f0; 1g log 2ðl max Þ Ths formula guarantees that on average, there wll be r ndces fallng nto the range of exstng l blocks Because the cloud servers and the user have the agreement on the number of exstng blocks n each vector G ðjþ, servers wll follow exactly the above procedure when recomputng the token values upon recevng user s challenge request Now when the user s ready to append new blocks, e, both the fle blocks and the correspondng party blocks are generated, the total length of each vector G ðjþ wll be ncreased and fall nto the range ½l; l max Š Therefore, the user wll update those affected tokens by addng s GðjÞ ½I s Š to the old v whenever G ðjþ ½I s Š 6¼ 0 for I s >l, where I s ¼ ðþ k ðsþ The party blndng s smlar as ntroduced n update operaton, and thus s omtted here 44 Insert Operaton An nsert operaton to the data fle refers to an append operaton at the desred ndex poston whle mantanng the same data block structure for the whole data fle, e, nsertng a block F ½jŠ corresponds to shftng all blocks startng wth ndex j þ 1 by one slot Thus, an nsert operaton may affect many rows n the logcal data fle matrx F, and a substantal number of computatons are requred to renumber all the subsequent blocks as well as recompute the challenge-response tokens Hence, a drect nsert operaton s dffcult to support In order to fully support block nserton operaton, recent work [15], [16] suggests utlzng addtonal data structure (for example, Merkle Hash Tree [32]) to mantan and enforce the block ndex nformaton Followng ths lne of research, we can crcumvent the dlemma of our block nserton by vewng each nserton as a logcal append operaton at the end of fle F Specfcally, f we also use addtonal data structure to mantan such logcal to physcal block ndex mappng nformaton, then all block nserton can be treated va logcal append operaton, whch can be effcently supported On the other hand, usng the block ndex mappng nformaton, the user can stll access or retreve the fle as t s Note that as a tradeoff, the extra data structure nformaton has to be mantaned locally on the user sde 5 SECURITY ANALYSIS AND PERFORMANCE EVALUATION In ths secton, we analyze our proposed scheme n terms of correctness, securty, and effcency Our securty analyss focuses on the adversary model defned n Secton 2 We also evaluate the effcency of our scheme va mplementaton of both fle dstrbuton preparaton and verfcaton token precomputaton 51 Correctness Analyss Frst, we analyze the correctness of the verfcaton procedure Upon obtanng all the response R ðjþ s from servers and takng away the random blnd values from R ðjþ ðj 2fm þ 1; ; ngþ, the user reles on the equaton ðr ð1þ ; ;R ðmþ ÞP ¼? ðr ðmþ1þ ; ;R ðnþ Þ to ensure the storage correctness To see why ths s true, we can rewrte the equaton accordng to the token computaton: X r! q gð1þ I q ; ; Xr q gðmþ I q P ¼ Xr q gðmþ1þ I q ; ; Xr q gðnþ I q!; and, hence, the left-hand sde (LHS) of the equaton expands as 0 LHS ¼ ; 2 ; ;r 0 ¼ ; 2 ; ;r g ð1þ I 1 g ð1þ I 2 g ð1þ I r g ðmþ1þ I 1 g ðmþ1þ I 2 g ðmþ1þ I r 1 g ð2þ I 1 g ðmþ I 1 g ð2þ I 2 g ðmþ I 2 P C A g ð2þ I r g ðmþ I r 1 g ðmþ2þ I 1 g ðnþ I 1 g ðmþ2þ I 2 g ðnþ I 2 ; C A g ðmþ2þ I r g ðnþ I r

9 228 IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL 5, NO 2, APRIL-JUNE 2012 Fg 3 The detecton probablty P d aganst data modfcaton We show P d as a functon of l (the number of blocks on each cloud storage server) and r (the number of rows quered by the user, shown as a percentage of l) for two values of z (the number of rows modfed by the adversary) Both graphs are plotted under p ¼ 16, n c ¼ 10, and k ¼ 5, but wth dfferent scale (a) z ¼ 1% of l (b) z ¼ 10% of l whch equals the rght hand sde as requred Thus, t s clear to show that as long as each server operates on the same specfed subset of rows, the above checkng equaton wll always hold 52 Securty Strength 521 Detecton Probablty aganst Data Modfcaton In our scheme, servers are requred to operate only on specfed rows n each challenge-response protocol executon We wll show that ths samplng strategy on selected rows nstead of all can greatly reduce the computatonal overhead on the server, whle mantanng hgh detecton probablty for data corrupton Suppose n c servers are msbehavng due to the possble compromse or Byzantne falure In the followng analyss, we do not lmt the value of n c, e, n c n Thus, all the analyss results hold even f all the servers are compromsed We wll leave the explanaton on colluson resstance of our scheme aganst ths worst case scenaro n a later secton Assume the adversary modfes the data blocks n z rows out of the l rows n the encoded fle matrx Let r be the number of dfferent rows for whch the user asks for checkng n a challenge Let X be a dscrete random varable that s defned to be the number of rows chosen by the user that matches the rows modfed by the adversary We frst analyze the matchng probablty that at least one of the rows pcked by the user matches one of the rows modfed by the adversary: Pm r ¼ 1 PfX ¼ 0g¼1 Q r 1 z ¼0ð1 mnfl ; 1gÞ 1 ð l z l Þ r If none of the specfed r rows n the th verfcaton process are deleted or modfed, the adversary avods the detecton Next, we study the probablty of a false negatve result that there exsts at least one nvald response calculated from those specfed r rows, but the checkng equaton stll holds Consder the responses R ð1þ ; ;R ðnþ returned from the data storage servers for the th challenge, each response value R ðjþ, calculated wthn GFð2 p Þ, s based on r blocks on server j The number of responses R ðmþ1þ ; ;R ðnþ from party servers s k ¼ n m Thus, accordng to proposton 2 of our prevous work n [33], the false negatve probablty s Pf r ¼Pr 1þPr 2, where Pr 1 ¼ ð1þ2 p Þ nc 1 2 nc 1 and Pr 2 ¼ð1 Pr 1 Þð2 p Þ k Based on above dscusson, t follows that the probablty of data modfcaton detecton across all storage servers s P d ¼ Pm r ð1 P f rþ Fg 3 plots P d for dfferent values of l; r; z whle we set p ¼ 16, n c ¼ 10, and k ¼ 5 3 From the fgure we can see that f more than a fracton of the data fle s corrupted, then t suffces to challenge for a small constant number of rows n order to acheve detecton wth hgh probablty For example, f z ¼ 1% of l, every token only needs to cover 460 ndces n order to acheve the detecton probablty of at least 99 percent 522 Identfcaton Probablty for Msbehavng Servers We have shown that, f the adversary modfes the data blocks among any of the data storage servers, our samplng checkng scheme can successfully detect the attack wth hgh probablty As long as the data modfcaton s caught, the user wll further determne whch server s malfunctonng Ths can be acheved by comparng the response values R ðjþ wth the prestored tokens v ðjþ, where j 2f1; ;ng The probablty for error localzaton or dentfyng msbehavng server(s) can be computed n a smlar way It s the product of the matchng probablty for samplng check and the probablty of complementary event for the false negatve result Obvously, the matchng probablty s bp m r ¼ 1 Q r 1 ^z ¼0ð1 mnfl ; 1gÞ, where ^z z Next, we consder the false negatve probablty that R ðjþ ¼ v ðjþ when at least one of ^z blocks s modfed Accordng to [33, proposton 1], tokens calculated n GFð2 p Þ for two dfferent data vectors collde wth probablty bp f r ¼ 2 p Thus, the dentfcaton probablty for msbehavng server(s) s bp d ¼ bp m r ð1 bp f r Þ Along wth the analyss n detecton probablty, f z ¼ 1% of l and each 3 Note that n c and k only affect the false negatve probablty P r f However n our scheme, snce p ¼ 16 almost domnates the neglgblty of P r f, the value of n c and k have lttle effect n the plot of P d

10 WANG ET AL: TOWARD SECURE AND DEPENDABLE STORAGE SERVICES IN CLOUD COMPUTING 229 (a) (b) Fg 4 Performance comparson between two dfferent parameter settngs for 1 GB fle dstrbuton preparaton The ðm; kþ denotes the chosen parameters for the underlyng Reed-Solomon codng For example, (10,2) means we dvde fle nto 10 data vectors and then generate two redundant party vectors (a) m s fxed, and k s decreasng (b) m þ k s fxed token covers 460 ndces, the dentfcaton probablty for msbehavng servers s at least 99 percent Note that f the number of detected msbehavng servers s less than the party vectors, we can use erasure-correctng code to recover the corrupted data, achevng storage dependablty as shown at Secton 34 and Algorthm Securty Strength aganst Worst Case Scenaro We now explan why t s a must to blnd the party blocks and how our proposed schemes acheve colluson resstance aganst the worst case scenaro n the adversary model Recall that n the fle dstrbuton preparaton, the redundancy party vectors are calculated va multplyng the fle matrx F by P, where P s the secret party generaton matrx we later rely on for storage correctness assurance If we dsperse all the generated vectors drectly after token precomputaton, e, wthout blndng, malcous servers that collaborate can reconstruct the secret P matrx easly: they can pck blocks from the same rows among the data and party vectors to establsh a set of m k lnear equatons and solve for the m k entres of the party generaton matrx P Once they have the knowledge of P, those malcous servers can consequently modfy any part of the data blocks and calculate the correspondng party blocks, and vce versa, makng ther codeword relatonshp always consstent Therefore, our storage correctness challenge scheme would be undermned even f those modfed blocks are covered by the specfed rows, the storage correctness check equaton would always hold To prevent colludng servers from recoverng P and makng up consstently-related data and party blocks, we utlze the technque of addng random perturbatons to the encoded fle matrx and hence hde the secret matrx P We make use of a keyed pseudorandom functon f kj ðþ wth key k j and seed s ver j, both of whch has been ntroduced prevously In order to mantan the systematc layout of data fle, we only blnd the party blocks wth random perturbatons (We can also only blnd data blocks and acheve prvacy-preservng thrd party audtng, as shown n Secton 35) Our purpose s to add nose to the set of lnear equatons and make t computatonally nfeasble to solve for the correct secret matrx P By blndng each party block wth random perturbaton, the malcous servers no longer have all the necessary nformaton to buld up the correct lnear equaton groups and therefore cannot derve the secret matrx P 53 Performance Evaluaton We now assess the performance of the proposed storage audtng scheme We focus on the cost of fle dstrbuton preparaton as well as the token generaton Our experment s conducted on a system wth an Intel Core 2 processor runnng at 186 GHz, 2,048 MB of RAM, and a 7,200 RPM Western Dgtal 250 GB Seral ATA drve Algorthms are mplemented usng open-source erasure codng lbrary Jerasure [34] wrtten n C All results represent the mean of 20 trals 531 Fle Dstrbuton Preparaton As dscussed, fle dstrbuton preparaton ncludes the generaton of party vectors (the encodng part) as well as the correspondng party blndng part We consder two sets of dfferent parameters for the ðm; kþ Reed-Solomon encodng, both of whch work over GFð2 16 Þ Fg 4 shows the total cost for preparng a 1 GB fle before outsourcng In the fgure on the left, we set the number of data vectors m constant at 10, whle decreasng the number of party vectors k from 10 to 2 In the one on the rght, we keep the total number of data and party vectors m þ k fxed at 22, and change the number of data vectors m from 18 to 10 From the fgure, we can see the number k s the domnant factor for the cost of both party generaton and party blndng Ths can be explaned as follows: on the one hand, k determnes how many party vectors are requred before data outsourcng, and the party generaton cost ncreases almost lnearly wth the growth of k; on the other hand, the growth of k means the larger number of party blocks requred to be blnded, whch drectly leads to more calls to our nonoptmzed PRF generaton n C By usng more practcal PRF constructons, such as HMAC [35], the party blndng cost s expected to be further mproved Compared to the exstng work [23], t can be shown from Fg 4 that the fle dstrbuton preparaton of our scheme s more effcent Ths s because n [23] an addtonal layer of error-correctng code has to be conducted on all the data and party vectors rght after the fle dstrbuton encodng For the same reason, the two-layer codng structure makes the soluton n [23] more sutable for statc data only, as any

11 230 IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL 5, NO 2, APRIL-JUNE 2012 TABLE 1 The Storage and Computaton Cost of Token Precomputaton for 1 GB Data Fle under Dfferent System Settngs The ðm; kþ denotes the parameters for the underlyng Reed-Solomon codng, as llustrated n Fg 4 change to the contents of fle F must propagate through the two-layer error-correctng code, whch entals both hgh communcaton and computaton complexty But n our scheme, the fle update only affects the specfc rows of the encoded fle matrx, strkng a good balance between both error reslence and data dynamcs 532 Challenge Token Computaton Although n our scheme the number of verfcaton token t s a fxed pror determned before fle dstrbuton, we can overcome ths ssue by choosng suffcent large t n practce For example, when t s selected to be 7,300 and 14,600, the data fle can be verfed every day for the next 20 years and 40 years, respectvely, whch should be of enough use n practce Note that nstead of drectly computng each token, our mplementaton uses the Horner algorthm suggested n [24] to calculate token v ðjþ from the back, and acheves a slghtly faster performance Specfcally v ðjþ ¼ Xr rþ1 q G ðjþ ½I q Š ¼ ðððg ðjþ ½I 1 Š þ G ðjþ ½I 2 ŠÞ þ G ðjþ ½I 3 Š Þ þ G ðjþ ½I r ŠÞ ; whch only requres r multplcaton and ðr 1Þ XOR operatons Wth Jerasure lbrary [34], the multplcaton over GFð2 16 Þ n our experment s based on dscrete logarthms Followng the securty analyss, we select a practcal parameter r ¼ 460 for our token precomputaton (see Secton 521), e, each token covers 460 dfferent ndces Other parameters are along wth the fle dstrbuton preparaton Our mplementaton shows that the average token precomputaton cost s about 04 ms Ths s sgnfcantly faster than the hash functon based token precomputaton scheme proposed n [14] To verfy encoded data dstrbuted over a typcal number of 14 servers, the total cost for token precomputaton s no more than 1 and 15 mnutes, for the next 20 years and 40 years, respectvely Note that each token s only an element of feld GFð2 16 Þ, the extra storage for those precomputed tokens s less than 1MB, and thus can be neglected Table 1 gves a summary of storage and computaton cost of token precomputaton for 1GB data fle under dfferent system settngs 6 RELATED WORK Juels and Kalsk Jr [10] descrbed a formal proof of retrevablty (POR) model for ensurng the remote data ntegrty Ther scheme combnes spot-checkng and errorcorrectng code to ensure both possesson and retrevablty of fles on archve servce systems Shacham and Waters [17] bult on ths model and constructed a random lnear functon-based homomorphc authentcator whch enables unlmted number of challenges and requres less communcaton overhead due to ts usage of relatvely small sze of BLS sgnature Bowers et al [18] proposed an mproved framework for POR protocols that generalzes both Juels and Shacham s work Later n ther subsequent work, Bowers et al [23] extended POR model to dstrbuted systems However, all these schemes are focusng on statc data The effectveness of ther schemes rests prmarly on the preprocessng steps that the user conducts before outsourcng the data fle F Any change to the contents of F, even few bts, must propagate through the errorcorrectng code and the correspondng random shufflng process, thus ntroducng sgnfcant computaton and communcaton complexty Recently, Dods et al [20] gave theoretcal studes on generalzed framework for dfferent varants of exstng POR work Atenese et al [11] defned the provable data possesson (PDP) model for ensurng possesson of fle on untrusted storages Ther scheme utlzed publc key-based homomorphc tags for audtng the data fle However, the precomputaton of the tags mposes heavy computaton overhead that can be expensve for an entre fle In ther subsequent work, Atenese et al [14] descrbed a PDP scheme that uses only symmetrc key-based cryptography Ths method has lower overhead than ther prevous scheme and allows for block updates, deletons, and appends to the stored fle, whch has also been supported n our work However, ther scheme focuses on sngle server scenaro and does not provde data avalablty guarantee aganst server falures, leavng both the dstrbuted scenaro and data error recovery ssue unexplored The explct support of data dynamcs has further been studed n the two recent work [15] and [16] Wang et al [15] proposed to combne BLS-based homomorphc authentcator wth Merkle Hash Tree to support fully data dynamcs, whle Erway et al [16] developed a skp lst-based scheme to enable provable data possesson wth fully dynamcs support The ncremental cryptography work done by Bellare et al [36] also provdes a set of cryptographc buldng blocks such as hash, MAC, and sgnature functons that may be employed for storage ntegrty verfcaton whle supportng dynamc operatons on data However, ths branch of work falls nto the tradtonal data ntegrty protecton mechansm, where local copy of data has to be mantaned for the verfcaton It s not yet clear how the work can be adapted to cloud storage scenaro where users no longer have the data at local stes but stll need to ensure the storage correctness effcently n the cloud

12 WANG ET AL: TOWARD SECURE AND DEPENDABLE STORAGE SERVICES IN CLOUD COMPUTING 231 In other related work, Curtmola et al [19] amed to ensure data possesson of multple replcas across the dstrbuted storage system They extended the PDP scheme to cover multple replcas wthout encodng each replca separately, provdng guarantee that multple copes of data are actually mantaned Lllbrdge et al [25] presented a P2P backup scheme n whch blocks of a data fle are dspersed across m þ k peers usng an ðm; kþ-erasure code Peers can request random blocks from ther backup peers and verfy the ntegrty usng separate keyed cryptographc hashes attached on each block Ther scheme can detect data loss from free-rdng peers, but does not ensure all data are unchanged Flho and Barreto [37] proposed to verfy data ntegrty usng RSA-based hash to demonstrate uncheatable data possesson n peer-to-peer fle sharng networks However, ther proposal requres exponentaton over the entre data fle, whch s clearly mpractcal for the server whenever the fle s large Shah et al [12], [13] proposed allowng a TPA to keep onlne storage honest by frst encryptng the data then sendng a number of precomputed symmetrc-keyed hashes over the encrypted data to the audtor However, ther scheme only works for encrypted fles, and audtors must mantan long-term state Schwarz and Mller [24] proposed to ensure statc fle ntegrty across multple dstrbuted servers, usng erasure-codng and block-level fle ntegrty checks We adopted some deas of ther dstrbuted storage verfcaton protocol However, our scheme further support data dynamcs and explctly study the problem of msbehavng server dentfcaton, whle thers dd not Very recently, Wang et al [31] gave a study on many exstng solutons on remote data ntegrty checkng, and dscussed ther pros and cons under dfferent desgn scenaros of secure cloud storage servces Portons of the work presented n ths paper have prevously appeared as an extended abstract n [1] We have revsed the paper a lot and add more techncal detals as compared to [1] The prmary mprovements are as follows: Frst, we provde the protocol extenson for prvacypreservng thrd-party audtng, and dscuss the applcaton scenaros for cloud storage servce Second, we add correctness analyss of proposed storage verfcaton desgn Thrd, we completely redo all the experments n our performance evaluaton part, whch acheves sgnfcantly mproved result as compared to [1] We also add detaled dscusson on the strength of our bounded usage for protocol verfcatons and ts comparson wth state of the art 7 CONCLUSION In ths paper, we nvestgate the problem of data securty n cloud data storage, whch s essentally a dstrbuted storage system To acheve the assurances of cloud data ntegrty and avalablty and enforce the qualty of dependable cloud storage servce for users, we propose an effectve and flexble dstrbuted scheme wth explct dynamc data support, ncludng block update, delete, and append We rely on erasure-correctng code n the fle dstrbuton preparaton to provde redundancy party vectors and guarantee the data dependablty By utlzng the homomorphc token wth dstrbuted verfcaton of erasurecoded data, our scheme acheves the ntegraton of storage correctness nsurance and data error localzaton, e, whenever data corrupton has been detected durng the storage correctness verfcaton across the dstrbuted servers, we can almost guarantee the smultaneous dentfcaton of the msbehavng server(s) Consderng the tme, computaton resources, and even the related onlne burden of users, we also provde the extenson of the proposed man scheme to support thrd-party audtng, where users can safely delegate the ntegrty checkng tasks to thrdparty audtors and be worry-free to use the cloud storage servces Through detaled securty and extensve experment results, we show that our scheme s hghly effcent and reslent to Byzantne falure, malcous data modfcaton attack, and even server colludng attacks ACKNOWLEDGMENTS Ths work was supported n part by the US Natonal Scence Foundaton under grants CNS , CNS , CNS , and CNS , and by an Amazon web servce research grant A prelmnary verson [1] of ths paper was presented at the 17th IEEE Internatonal Workshop on Qualty of Servce (IWQoS 09) REFERENCES [1] C Wang, Q Wang, K Ren, and W Lou, Ensurng Data Storage Securty n Cloud Computng, Proc 17th Int l Workshop Qualty of Servce (IWQoS 09), pp 1-9, July 2009 [2] Amazoncom, Amazon Web Servces (AWS), amazoncom, 2009 [3] Sun Mcrosystems, Inc, Buldng Customer Trust n Cloud Computng wth Transparent Securty, offers/detals/sun_transparencyxml, Nov 2009 [4] K Ren, C Wang, and Q Wang, Securty Challenges for the Publc Cloud, IEEE Internet Computng, vol 16, no 1, pp 69-73, 2012 [5] M Arrngton, Gmal Dsaster: Reports of Mass Emal Deletons, Dec 2006 [6] J Kncad, MedaMax/TheLnkup Closes Its Doors, wwwtechcrunchcom/2008/07/10/medamaxthelnkup-closests-doors, July 2008 [7] Amazoncom, Amazon S3 Avalablty Event: July 20, 2008, July 2008 [8] S Wlson, Appengne Outage, /appengne_outagephp, June 2008 [9] B Krebs, Payment Processor Breach May Be Largest Ever, payment_processor_breach_may_bhtml, Jan 2009 [10] A Juels and BS Kalsk Jr, PORs: Proofs of Retrevablty for Large Fles, Proc 14th ACM Conf Computer and Comm Securty (CCS 07), pp , Oct 2007 [11] G Atenese, R Burns, R Curtmola, J Herrng, L Kssner, Z Peterson, and D Song, Provable Data Possesson at Untrusted Stores, Proc 14th ACM Conf Computer and Comm Securty (CCS 07), pp , Oct 2007 [12] MA Shah, M Baker, JC Mogul, and R Swamnathan, Audtng to Keep Onlne Storage Servces Honest, Proc 11th USENIX Workshop Hot Topcs n Operatng Systems (HotOS 07), pp 1-6, 2007 [13] MA Shah, R Swamnathan, and M Baker, Prvacy-Preservng Audt and Extracton of Dgtal Contents, Cryptology eprnt Archve, Report 2008/186, [14] G Atenese, RD Petro, LV Mancn, and G Tsudk, Scalable and Effcent Provable Data Possesson, Proc Fourth Int l Conf Securty and Prvacy n Comm Netowrks (SecureComm 08), pp 1-10, 2008 [15] Q Wang, C Wang, J L, K Ren, and W Lou, Enablng Publc Verfablty and Data Dynamcs for Storage Securty n Cloud Computng, Proc 14th European Conf Research n Computer Securty (ESORICS 09), pp , 2009

13 232 IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL 5, NO 2, APRIL-JUNE 2012 [16] C Erway, A Kupcu, C Papamanthou, and R Tamassa, Dynamc Provable Data Possesson, Proc 16th ACM Conf Computer and Comm Securty (CCS 09), pp , 2009 [17] H Shacham and B Waters, Compact Proofs of Retrevablty, Proc 14th Int l Conf Theory and Applcaton of Cryptology and Informaton Securty: Advances n Cryptology (Asacrypt 08), pp , 2008 [18] KD Bowers, A Juels, and A Oprea, Proofs of Retrevablty: Theory and Implementaton, Proc ACM Workshop Cloud Computng Securty (CCSW 09), pp 43-54, 2009 [19] R Curtmola, O Khan, R Burns, and G Atenese, MR-PDP: Multple-Replca Provable Data Possesson, Proc IEEE 28th Int l Conf Dstrbuted Computng Systems (ICDCS 08), pp , 2008 [20] Y Dods, S Vadhan, and D Wchs, Proofs of Retrevablty va Hardness Amplfcaton, Proc Sxth Theory of Cryptography Conf (TCC 09), Mar 2009 [21] Q Wang, C Wang, K Ren, W Lou, and J L, Enablng Publc Audtablty and Data Dynamcs for Storage Securty n Cloud Computng, IEEE Trans Parallel and Dstrbuted Systems, vol 22, no 5, pp , 2011 [22] C Wang, SSM Chow, Q Wang, K Ren, and W Lou, Prvacy- Preservng Publc Audtng for Secure Cloud Storage, IEEE Trans Computers, preprnt, 2012, do:101109/tc [23] KD Bowers, A Juels, and A Oprea, HAIL: A Hgh-Avalablty and Integrty Layer for Cloud Storage, Proc ACM Conf Computer and Comm Securty (CCS 09), pp , 2009 [24] T Schwarz and EL Mller, Store, Forget, and Check: Usng Algebrac Sgnatures to Check Remotely Admnstered Storage, Proc IEEE Int l Conf Dstrbuted Computng Systems (ICDCS 06), pp 12-12, 2006 [25] M Lllbrdge, S Elnkety, A Brrell, M Burrows, and M Isard, A Cooperatve Internet Backup Scheme, Proc USENIX Ann Techncal Conf (General Track), pp 29-41, 2003 [26] M Castro and B Lskov, Practcal Byzantne Fault Tolerance and Proactve Recovery, ACM Trans Computer Systems, vol 20, no 4, pp , 2002 [27] L Carter and M Wegman, Unversal Hash Functons, J Computer and System Scences, vol 18, no 2, pp , 1979 [28] J Hendrcks, G Ganger, and M Reter, Verfyng Dstrbuted Erasure-Coded Data, Proc 26th ACM Symp Prncples of Dstrbuted Computng, pp , 2007 [29] JS Plank and Y Dng, Note: Correcton to the 1997 Tutoral on Reed-Solomon Codng, Techncal Report CS , Unv of Tennessee, Apr 2003 [30] C Wang, Q Wang, K Ren, and W Lou, Prvacy-Preservng Publc Audtng for Storage Securty n Cloud Computng, Proc IEEE INFOCOM, Mar 2010 [31] C Wang, K Ren, W Lou, and J L, Towards Publcly Audtable Secure Cloud Data Storage Servces, IEEE Network Magazne, vol 24, no 4, pp 19-24, July/Aug 2010 [32] RC Merkle, Protocols for Publc Key Cryptosystems, Proc IEEE Symp Securty and Prvacy, 1980 [33] Q Wang, K Ren, W Lou, and Y Zhang, Dependable and Secure Sensor Data Storage wth Dynamc Integrty Assurance, Proc IEEE INFOCOM, Apr 2009 [34] JS Plank, S Smmerman, and CD Schuman, Jerasure: A Lbrary n C/C++ Facltatng Erasure Codng for Storage Applcatons - Verson 12, Techncal Report CS , Unv of Tennessee, Aug 2008 [35] M Bellare, R Canett, and H Krawczyk, Keyng Hash Functons for Message Authentcaton, Proc 16th Ann Int l Cryptology Conf Advances n Cryptology (Crypto 96), pp 1-15, 1996 [36] M Bellare, O Goldrech, and S Goldwasser, Incremental Cryptography: The Case of Hashng and Sgnng, Proc 14th Ann Int l Cryptology Conf Advances n Cryptology (CRYPTO 94), pp , 1994 [37] DLG Flho and PSLM Barreto, Demonstratng Data Possesson and Uncheatable Data Transfer, Cryptology eprnt Archve, Report 2006/150, Cong Wang receved the BE and ME degrees from Wuhan Unversty, Chna, n 2004 and 2007, respectvely He s currently a PhD student n the Electrcal and Computer Engneerng Department at the Illnos Insttute of Technology He was a summer ntern at the Palo Alto Research Centre n 2011 Hs research nterests are n the areas of appled cryptography and network securty, wth a current focus on secure data servces n cloud computng and secure computaton outsourcng He s a student member of the IEEE Qan Wang receved the BS degree from Wuhan Unversty, Chna, n 2003 and the MS degree from the Shangha Insttute of Mcrosystem and Informaton Technology, Chnese Academy of Scences, Chna, n 2006, both n electrcal engneerng He s currently workng toward the PhD degree n the Electrcal and Computer Engneerng Department at the Illnos Insttute of Technology Hs research nterests nclude wreless network securty and prvacy and cloud computng securty He was a corecpent of the Best Paper Award from IEEE ICNP 2011 He s a student member of the IEEE Ku Ren receved the PhD degree n electrcal and computer engneerng from Worcester Polytechnc Insttute n 2007 He s currently an assstant professor n the Electrcal and Computer Engneerng Department at the Illnos Insttute of Technology Hs research nterests nclude securty and prvacy n cloud computng, wreless securty, smart grd securty, and sensor network securty Hs research s supported by the US Natonal Scence Foundaton (NSF), DoE, AFRL, and Amazon He was a corecpent of the Best Paper Award from IEEE ICNP 2011 and a recpent of the NSF Faculty Early Career Development (CAREER) Award n 2011 He s a senor member of the IEEE and the IEEE Computer Socety and a member of the ACM Nng Cao receved the BE and ME degrees from X an Jaotong Unversty, Chna, n 2002 and 2008, respectvely He s currently workng toward the PhD degree n the Electrcal and Computer Engneerng Department, Worcester Polytechnc Insttute Hs research nterests are n the areas of storage codes, securty and prvacy n cloud computng, and secure moble cloud Wenjng Lou eceved the BE and ME degrees n computer scence and engneerng from Xan Jaotong Unversty, Chna, n 1993 and 1996, respectvely, the MASc degree from Nanyang Technologcal Unversty, Sngapore, n 1998, and the PhD degree n electrcal and computer engneerng from the Unversty of Florda n 2003 She joned the Computer Scence Department at the Vrgna Polytechnc Insttute and State Unversty n 2011 and has been an assocate professor wth tenure snce then Pror to that, she was on the faculty of the Department of Electrcal and Computer Engneerng at Worcester Polytechnc Insttute, where she was an assstant professor snce 2003 and was promoted to assocate professor wth tenure n 2009 She s currently servng on the edtoral boards of fve journals: the IEEE Transactons on Wreless Communcatons, the IEEE Transactons on Smart Grd, IEEE Wreless Communcatons Letters, Elsever Computer Networks, and Sprnger Wreless Networks She has served as a TPC cochar for the securty symposums of several leadng IEEE conferences She was named a Joseph Samuel Satn Dstngushed Fellow n 2006 by WPI, was a recpent of the US Natonal Scence Foundaton Faculty Early Career Development (CAREER) award n 2008, and receved the Sgma X Junor Faculty Research Award at WPI n 2009 She s a senor member of the IEEE