Local Data Security and Privacy Protection in Cloud Service Applications

Transcription

1 2015 Ninth International Conference on Frontier of Computer Science and Technology Local Data Security and Privacy Protection in Cloud Service Applications Qi-Tao Lin, Chang-Dong Wang, Jing Pan, Lu Ling and Jian-Huang Lai School of Mobile Information Engineering, Sun Yat-sen University, Zhuhai, P. R. China, School of Information Science and Technology, Sun Yat-sen University, Guangzhou, P. R. China, SYSU-CMU Shunde International Joint Research Institute (JRI), Shunde, P.R. China, Daniel.lin Abstract In the past ten years, the technology researches and applications on Cloud Computing have been booming. Depending on large data centers and distributed cluster servers, different layers of Cloud Services make it possible that computing performance becomes stronger, storage space extends vastly and price becomes much lower. With the development of Cloud Computing, countless entrepreneurs and individual users benefit from it. However, it is evident that there exist hidden security problems in individual cloud applications privacy protection and data safety. At present, the safety of cloud services usually only depends on the security policies provided by cloud service providers and their implementation level. Once users data and privacy are leaked, it will have a terrible impact on social order besides economic losses. This is an obstacle to the development of cloud computing services. Therefore, our project is going to encrypt users data in local clients through the BlowFish encryption algorithm and then use the interface of cloud computing to upload the encrypted data so that we can establish a perfect data security and privacy s mode protection without affecting the experience and efficiency of use. Because the mode is independent of cloud computing service providers, users data and privacy security can be guaranteed. It can enhance users confidence and is good for the further development of cloud services. Index Terms cloud services; privacy protection; BlowFish encryption algorithm; mode protection; security I. INTRODUCTION With the fast development of cloud computing technology, cloud computing has attracted more and more attention from both academia and industry [1]. Based on the framework of cloud computing, cloud service provider can provide service at three levels: infrastructure, platform and software. Due to a large number of advantages cloud service, such as reducing the hardware spending [2], rapid deployment, on-demand service and charging for using, cloud computing has become an important network application model around the world in recent years [3]. However, cloud computing is applied in some special environment. It means that cloud computing has a few significant particularity inevitably [4]. 1) There may be security problem because hardware facilities of cloud service are shared by a large number of users. 2) It has lost certain physical boundary because cloud service is based on virtual technology. Especially, in the public cloud environment, one logic server may have several virtual servers. Meanwhile, one virtual server can belong to different logic server groups [5]. So the role of traditional information security technologies such as firewall are weakened greatly. At the same time, with the service time expanding, cloud services data security and privacy protection problems arise gradually. For example, not long ago Linux Bash vulnerability caused the server of Ali to be cracked violently and Apple s icloud vulnerability caused private information to be disclosed. These data and privacy security problem will upset cloud service consumers greatly and become an obstacle to cloud services smooth development. Under the current cloud application circumstance, cloud computing users are forced to store part of or all data and applications on the cloud [6], which means users will lose the control to their data partly even thoroughly. Based on this fact, data security and user privacy protection mainly depend on the security methods provided by cloud service provider and what extent they are carried out to. Because we can t make sure that those security methods don t have vulnerability and are carried out absolutely, users can t foresee the leak of data. Once it happens, it will cause deadly losses to users. What s more, it is well-known that the security of corporation data in the cloud is difficult to guarantee, as they provide three types of services, namely Software as a service (SaaS), Platform as a service (PaaS), and Infrastructure as a service (IaaS). Every service has its own security issues holding different levels of security and complexity. So, it s more convincible to make the customer understand the local data security and privacy protection in cloud service [7]. In this work, based on the BlowFish encryption algorithm [8], we propose to encrypt users data in local clients and then use the interface of cloud computing to upload the encrypted data so that we can establish a perfect data security and privacy s mode protection without affecting the experience and efficiency of use. The BlowFish encryption algorithm is a symmetric encryption algorithm with high efficiency and great difficulty of reverse engineering, which is suitable for the file or folder encryption but still has a defect in secret key safekeeping. Therefore, an improved version of the BlowFish encryption algorithm is designed to enhance its data protection. Because the mode is independent of cloud computing service providers, users data and privacy security can be guaranteed /15 $ IEEE DOI /FCST

2 It can enhance users confidence and is good for the further development of cloud services. II. RELATED WORK To solve the security problems of cloud service, some research efforts have been made, which mainly focus on the encryption of authorization link and many methods have been proposed, such as secure cloud authentication using EIDs [9], communication encryption [10] and private information retrieval [10]. However, given untrusted cloud service provider, users data should be encrypted and protected effectively in the local clients before uploading to the cloud. Jawahar Thakur et al [8] provide a fair comparison between three most common symmetric key cryptography algorithms, DES, AES, and BlowFish. Eman M.Mohamed et al [3] illustrate that cloud computing moves the application software and databases to the large data centers. This unique feature raises many new security challenges [11]. For example, both data and software are fully not contained in users computer but the cloud provider premises. So, it is obvious that cloud typically has a single security architecture but with many different demand on security from cloud consumers. What s more, they provide a comparability between AES and BlowFish as well as the data security model based on the study of cloud architecture. They first introduce some background studies like Cryptography Goals, Modes of Encryption/Decryption, Concepts of three most commonly used encryption algorithms, DES, 3DES and AES. Then they analyze the performances of these methods by running several encryption settings to process different sizes of data blocks to evaluate the algorithm s speed for encryption and decryption. Based on the comparison results, we can know that BlowFish has a better performance than other common encryption algorithms [12]. By treating the raw data with BlowFish, we can turn the original data into the encrypted one. Without the encryption key, it s rarely possible to decipher the data in the cloud or anywhere. Thus the security of the data could be guaranteed. The key step of BlowFish is to expand the user s key, as the key varies in the length, and the key could be expanded to as long as over 400 bits, and this is the most complicated step of the method. All the characters would be treated as 16 bit integer, avoiding the problem of coding of some unicode characters. And then the data would be divided into 64 bit blocks, and each block would be encrypted independently. However, this brings another problem. All of the encryption processes, including the key initialization and even the decipher, are dependent on the key which the user chooses. If the key is got by the cracker, the data would be leaked. So it is important to keep the key properly. To achieve this, we encipher the key itself with BlowFish using the first 2 bits of the key as the encryption key, ensuring that the key couldn t be found or cracked by anyone else. Besides, we simulate the cloud storage application and create a cloud environment with the Microsoft Azure cloud platform, the experimental results of which have confirmed the effectiveness of the proposed method. A. Data encryption In the traditional BlowFish algorithm, there are two main steps [13]. The first one is the key extension and the second one is enciphering the data as shown in Fig. 1, which is quite similar to ours. III. OUR WORK To solve the security problems of cloud service, in our project, we propose a security schema to protect the data and privacy of the users of the cloud storage application, which is based on the following two ideas, namely local encryption and cloud interface. Our strategy is to encrypt the data in the local end system before the data is sent the cloud server, which could strongly increase the confidence of the consumers. To achieve this, we have to find a proper encryption algorithm. In this work, we use a new method based on the BlowFish encryption algorithm, which is a secret-key block cipher, and efficient/easy to implement. The BlowFish method encrypts a 64 bits block each time, where a simple encryption is iterated 16 times. In the BlowFish method, the key can be of any length up to 448 bits. Although the key has to be initialized through a complex initialization phase, the encryption of data with BlowFish is very efficient on large microprocessors. Fig. 1. The basic process of BlowFish. For key extension, there are two types of boxes to produce strong ciphers, namely S-boxes and P -boxes. There are large S-boxes, which are more resistant to variant cryptanlysis. In our implementation, we use 32-bit S-boxes. And there is a P -box, the function of which is to operate with the key. These boxes are initialized as the value of decimal part of π. The size of P -box and S-box are 18 and 256, respectively. 255

3 As for our approach, the P -array (data structure of P -box) consists of bit subkeys: (P 1,P 2,,P 18 ). And there ( are 432-bit S-array ) (data ( structure of S-box) ) ( with 256 entries: S 1 0,S1, 1,S255 1, S 2 0,S1, 2,S255 2, S 3 0,S1, 3,S255) 3 with several main steps as shown below (Fig. 3). and ( S 4 0,S 4 1,,S 4 255). After that, we begin extending the key picked by the user and generate the subkeys in the following steps (See Fig. 2). Fig. 3. The encipher function - BF En Fig. 2. The process of the subkey generation 1) Initialize, in order, the P -array and then the four S- arrays with a given string, which is composed of the hexadecimal digits of constant value, decimal part of the π. For example, P 1 = 0 243f6a88,P 2 = 0 85a308d3, and so on. 2) XOR P N with the N-th 32 bits of the key. For example we XOR P 1 with the first 32 bits of the key and for all bits of the key like this. XOR operation repeatedly cycle through the key bits until the entire P -aaray has been XORed with the key bits. It can be referred that for every short key, there s one equivalent key that is longer, at least. For instance, suppose that K is a 32-bit key, then KK, KKK, etc are equivalent keys. 3) Encrypt the all-zero string with the BlowFish encipher function (marked as BF En), using the subkeys described in steps 1) and 2). The function BF En will be described later. 4) Replace P 1 and P 2 with the output of step 3). 5) Encrypt output of step 3) using the BlowFish algorithm with the modified subkeys. 6) Replace P 3 and P 4 with the output of step 5). 7) Continue the process, replacing all entries of the P - array, and the all four S-arrays in order, with the output of the continuously changing BF En function. The BF En function is the core of the BlowFish algorithm, 1) The BF En receives one 64-bit parameter x and divides it into 32-bit halves xl and xr. 2) Execute the cycle: set xl = xl XOR Pi, xr = F (xl) XOR xr, where the function F will be described later, and then swap the value of xl and xr, for i =1,..., 16. 3) After jumping out of the cycle, swap the value of xl and xr again, then set xr = xr XOR P 17 and xl = xl XOR P 18. 4) Merge xl and xr again and return. 5) Function F is easy to implement. Exactly one 32-bit parameter should be passed in and first divide it into four 8-bit quarters: a, b, c and d. Then return the value of ((S 1, a + S 2, b mod 2 3 2) XOR S 3, c) +S 4, d mod See Fig. 4. So far, the key extension and subkeys generation have been finished. The user data now can be divided into 64-bit blocks and passed into function BF En to be enciphered. What we have revised in this algorithm is that we will encrypt the key with its first 4-bit, in order to enhance the security of the BlowFish algorithm. B. Cloud Platform After the brief introduction and analysis on the BlowFish algorithm, we continue to set about the whole preparation of the cloud platform as follows. 1) Compare and choose: Now there exist plenty of cloud platforms on the Internet, such as Microsoft Azure, Aliyun, Amazon AWS and so on. However, based on our investigation in terms of convenience and efficiency, we choose Microsoft Azure as our experimental platform, which is a flexible and open platform. 2) Register an account: In the following step, we register an Azure account in order to ensure our long-term use on 256

4 which holds plenty of blobs. Besides, each parent blob contains more child blobs to split files in order to upload them. Its schematic diagram is shown in Fig. 6. So, firstly we create an account for storing and set up the key in Azure, then configure monitoring and log record. Finally, we install the Azure Storage Explorer to upload files to cloud and other operation of storing. < < Blob REST API Windows Azure Storage Account Blob Container < Blobs Fig. 4. The F function Blocks Pages Fig. 6. Basic process of Microsoft Azure cloud storing Access the official website Register a Microsoft account Verify your account with your mobile phone Activate your account Fig. 5. Basic process of Microsoft Azure registering IV. ENCRYPTION PERFORMANCE AND RESULTS In this section, experiments have been conducted to analyze the performances of our security protection schema with the BlowFish algorithm and show the difference from other common encryption algorithms such as DES, 3DES and AES. The comparation focuses on running different encryption settings to process various sizes of data blocks to evaluate the security and the efficiency of the large file encryption. DES: Data Encryption Standard (DES) is known as the first encryption technique based on the Lucifer algorithm proposed by IBM. As the first encryption standard, it had many defects and loopholes which make it unsafe. 3DES: DES was enhanced, known as Triple DES or 3DES. The basic algorithm is the same compared to DES, it just enciphers 3 times to increase the security. Microsoft Azure. So, as shown in Fig. 5, we give a process s overview of registering. 3) Upload the file to cloud: In this step, we take advantage of the Microsoft Azure to upload and store files. Among services of storing in Microsoft Azure, Blob, Table and Queue, we choose Azure Blob, which is the easiest way to apply in the storing service. It is realized by a simple hierarchical relationship, and every account owns a container, AES: Advanced Encryption Standard was proposed by NIST in order to replace DES. So far there s only one attack, brute force. However, if the combination of numbers is high enough, even super computer can t figure it out with brute force. We implement these common algorithms and our alternative BlowFish algorithm with C++, we encipher a 256 MB file with these method and compare their efficiency. We conduct 257

5 this test on 1.4 GHz CPU running OS X Yosemite. The comparison results are listed in Table I. TABLE I COMPARISON RESULTS Algorithm Data Time(Seconds) Average MB/S DES 1MB DES 1MB AES 1MB Revised Blowfish 1MB DES 22MB DES 22MB AES 22MB Revised Blowfish 22MB DES 256MB DES 256MB AES 256MB Revised BlowFish 256MB As shown in this table, our method is typically suitable for the encryption of the relatively larger data (with size bigger than 10MB). With this big size data, the modified Blowfish algorithm gains the highest throughput (MB/S). Besides, when it comes to the issue of the security, so far, the only known method to crack the Blowfish algorithm is brute force. In our strategy, we encrypt the key of Blowfish algorithm again with the first 8-bit of the key. In this way, theoretically, the cost of brute force could be doubled, at most. Due to the cost of brute force and the capability of our device, we can t verify our inference, though, the security of our modified Blowfish algorithm is increased. Among the papers on the modified encryption algorithms, almost none of them directly confirms the security of its method, because how they modified is aimed at the cracking methods that are already known. So we decides to confirm it logically. V. CONCLUSION In this work, we firstly introduce the related work of the secure research for the cloud computing and introduce the problem that will influence people s data and privacy security. There s no denying that these problems will be in the way of the development of cloud computing. We hope that an efficient method can be designed to address this problem. So we propose a method to implement local data security and privacy protection based on the cloud service application. After comparing the most efficient data encryptions on the Internet, we choose the BlowFish algorithm to encrypt data. In the graces of the key management problem for it, we have made an improvement to encrypt the key with the first 8-bit of it so that it is able to enhance the security of the BlowFish algorithm. In the experiment, we compare the algorithm s speed of encryption of the BlowFish and other common encryption algorithm. Obviously, the algorithm that we choose is with the highest efficiency to encrypt the file. Moreover, through the comparison of the security performance, there s no denying that the BlowFish is the safest. For the further research, we will implement the abutment to our cloud platform and test the performance of the cloud storage application. In fact, we are considering to use the other commercial cloud application API such as Baidu cloud or Amazon cloud, for the purpose that we want to make our schema more practical. We ll try to build our schema upon a secure basic with high efficiency. In future work, we intend to realize and apply the method we have proposed in a software, and make it like a client software to encrypt data directly then upload the cloud, like Cloudfogger and Cloud Safety Box. We intend to build a safeguard for users data through local encryption and cloud encryption. This is just one of the practical business models that can be applied. We believe that there s still a huge potential for the cloud computing security market. ACKNOWLEDGEMENT This project was supported by CCF-Tencent Open Research Fund, the PhD Start-up Fund of Natural Science Foundation of Guangdong Province, China (No. 2014A ), the Fundamental Research Funds for the Central Universities ( ), Pilot Program of SYSU-CMU Shunde International Joint Research Institute, Undergraduate Innovation Program of Sun Yat-sen University, and Zhuhai Academy of Social Sciences philosophyproject (No ). REFERENCES [1] A. Bisong, M. Rahman et al., An overview of the security concerns in enterprise cloud computing, arxiv preprint arxiv: , [2] Y. Jadeja and K. Modi, Cloud computing-concepts, architecture and challenges, in 2012 International Conference on Computing, Electronics and Electrical Technologies (ICCEET). IEEE, 2012, pp [3] E. M. Mohamed, H. S. Abdelkader, and S. El-Etriby, Enhanced data security model for cloud computing, in 8th International Conference on Informatics and Systems (INFOS). IEEE, [4] M. Kaur and M. Mahajan, Using encryption algorithms to enhance the data security in cloud computing, International Journal of Communication and Computer Technologies, vol. 1, [5] W.-K. Zhang and G.-F. Liu, Data security and privacy protection of cloud computing, Information Security and Communications Privacy, vol. 11, [6] M. H. Diallo, B. Hore, E.-C. Chang, S. Mehrotra, and N. Venkatasubramanian, Cloudprotect: managing data privacy in cloud applications, in 2012 IEEE 5th International Conference on Cloud Computing (CLOUD). IEEE, 2012, pp [7] B. R. Kandukuri, V. R. Paturi, and A. Rakshit, Cloud security issues, in IEEE International Conference on Services Computing. IEEE, 2009, pp [8] J. Thakur and N. Kumar, DES, AES and Blowfish: Symmetric key cryptography algorithms simulation based performance analysis, International journal of emerging technology and advanced engineering, vol. 1, no. 2, [9] B. Zwattendorfer and A. Tauber, Secure cloud authentication using eids, in 2012 IEEE 2nd International Conference on Cloud Computing and Intelligent Systems (CCIS), vol. 1. IEEE, 2012, pp [10] C. Orencik, M. Kantarcioglu, and E. Savas, A practical and secure multi-keyword search method over encrypted cloud data, in IEEE Sixth International Conference on Cloud Computing (CLOUD). IEEE, 2013, pp [11] Y. Brun and N. Medvidovic, Keeping data private while computing in the cloud, in 2012 IEEE 5th International Conference on Cloud Computing (CLOUD). IEEE, 2012, pp [12] B. Schneier, The blowfish encryption algorithm retrieved, October [13] B. Schneier, J. Kelsey, D. Whiting, D. W. C. Hall, and N. Ferguson, Two sh: A 128-bit block cipher, vol. 15,