Cloud Data security and privacy in IAAS model


Aurelia Delfosse, Numergy, Department of security, 25 rue Madeleine Vionnet, Aubervilliers, France
Vincent Malguy, Numergy, Department of security, 25 rue Madeleine Vionnet, Aubervilliers, France
Jeremy Fanton, Numergy, Department of security, 25 rue Madeleine Vionnet, Aubervilliers, France
Nargisse Marine, Numergy, Department of architecture, 25 rue Madeleine Vionnet, Aubervilliers, France
Thierry Floriani, Numergy, Department of security, 25 rue Madeleine Vionnet, Aubervilliers, France
Cedric Tavernier, Numergy, Department of security, 25 rue Madeleine Vionnet, Aubervilliers, France

Abstract: Cloud security is again a top concern for citizens and organizations alike. Despite the benefits to consumers of using IaaS (Infrastructure as a Service), such as a compelling case for cost savings, agility and operational efficiency, there are downsides; among them is the security of data stored in cloud computing environments, and protecting these data has been challenging in the past. Hence, we propose a complete security architecture for data protection. Another challenge is key management, because cloud computing has been defined to accommodate a huge number of consumers. Using a standard PKI along with symmetric encryption is not enough: we believe that such a system is weakly scalable, and we propose an asymmetric key management powered by identity-based cryptography. Also, cryptography cannot solve all problems; in particular, new techniques have to be considered to solve privacy issues.

Key Words: Cloud Computing, Privacy, Security, Cryptography, PKI, IBE, PIR.

1 Introduction

Cloud computing is a computing and storage concept in which dynamically scalable and virtualized resources are provided as a service.
As a relatively new business model in the computing world, cloud computing is defined as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. In recent years, this innovative computing technology has drawn much attention in industry and academia. The great flexibility and economic saving of cloud computing are motivating all kinds of users, such as customers, enterprises, and even government organizations, to adopt cloud. Cloud computing is an emerging paradigm, but its security and privacy risks have been attracting significant attention from cloud users and cloud providers. One of the important reasons is that cloud users have to trust the security mechanisms and configuration of the cloud provider and the cloud provider itself. In industry and academia, cryptographic techniques are currently treated as one of the key techniques to solve security and privacy problems existing in the cloud computing environment. In the past few years, many types of cryptography-based solutions for cloud computing, mainly focusing on secure storage [6-14], secure computations [15-21] and secure service usage [22], have been proposed in [23].

It is well known that cloud storage is a specific sub-offering within IaaS of cloud computing [24]. With cloud storage technology, private data of users is stored on multiple third-party providers, rather than on the dedicated providers used in traditional networked data storage. The providers supply data storage service through the Internet to users themselves and others [25]. The basic requirements for cloud storage systems include mass storage and low expense. However, users are reluctant to move important and sensitive data to cloud unless security and privacy issues can be well solved. To deal with this problem, lots of secure cloud storage architectures have been designed and proposed in recent years, and most of them are based on cryptographic techniques [9, 26].

In this paper, we focus on the field of secure cloud storage and privacy. We review existing solutions and propose a combination of existing secure cloud storage solutions that were designed using cryptographic techniques. We also compare these cloud storages from different standpoints. This work aims to get a better understanding of what type of cryptographic techniques can be applied in secure cloud storage. Cryptographic techniques play an important role in the security protection of cloud storage, and in return the demand for secure cloud storage can promote the research of cryptography. We hope this review can give some help for future research, and that more secure cloud storages using cryptographic techniques can be proposed in the near future.

Nevertheless, cryptography cannot solve every problem; in particular, customers require more and more privacy. A few years ago they required that nobody can guess who communicates with whom. This problem could be solved by methods like onion routing network protocols such as TOR [50]. A new requirement appears now: when a customer queries a database, he does not want the database to know the object of his search. In fact this problem appeared a few years ago and is known as PIR (private information retrieval) [51, 52].

The rest of this paper is organized as follows. Sect. 2 introduces the definition of Cloud computing and its security problems; we address in this section the different problems that could be solved by symmetric cryptography. We first omit the identity management issues and the key management because they will be considered in section 4. Sect. 3 is dedicated to presenting solutions to provide confidentiality while using cloud storage facilities. We review in this section solutions based on operating system encryption and different techniques to transport data securely. Different solutions exist on the market today, but the challenge is choosing the solution that respects the minimum level of security and whose efficiency does not impact the customer: we want a transparent solution for the user. Sect. 4 concerns key management. In cloud computing, a solution based simply on private keys is not realistic because such a solution is not scalable and very difficult to manage. Among the basic functions of any key management system, we find the registration of users, the revocation of users that leave the system, the management of the different crypto periods, etc. The most standard solution to do this task consists in using a PKI (public key infrastructure) and in distributing certificates to users. Sect. 5 reviews techniques to ensure privacy in the cloud environment.

2 Cloud and Security

According to the definition of NIST [78], cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

2.1 Essential Characteristics

1. On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
2. Broad network access.
Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
3. Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
4. Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
5. Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

2.2 Service Models

1. Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
2. Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
3. Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

2.3 Deployment Models

1. Private cloud.
The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
2. Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
3. Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
4. Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

2.4 Security issues associated with the cloud

There are a number of security issues and concerns associated with cloud computing, but these issues fall into two broad categories: security issues faced by cloud providers (organizations providing software, platform, or infrastructure-as-a-service via the cloud) and security issues faced by their customers. In most cases, the provider must ensure that their infrastructure is secure and that their clients' data and applications are protected, while the customer must ensure that the provider has taken the proper security measures to protect their information.
The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service. Virtualization alters the relationship between the OS and the underlying hardware, be it computing, storage or even networking. This introduces an additional layer, virtualization, that itself must be properly configured, managed and secured. Specific concerns include the potential to compromise the virtualization software, or hypervisor. While these concerns are largely theoretical, they do exist. For example, a breach in the administrator workstation that holds the management software of the virtualization software can cause the whole datacenter to go down or be reconfigured to an attacker's wish. We can summarize threats as follows:

Table 1: Threats Summary for IaaS [64]

IaaS component | Threats / Challenges
Service Level Agreement (SLA) | Monitoring and enforcing SLA. Monitor QoS attributes.
Utility Computing | Measuring and billing with multiple levels of providers. On-demand billing system availability.
Cloud Software | Attacks against XML. Attacks against web services.
Networks and Internet connectivity | Denial of service (DoS). Man-In-The-Middle attack (MITM). IP spoofing. Port scanning. DNS spoofing.
Virtualization | Security threats sourced from host: Monitoring VMs from host. Communications between VMs and host. VMs modification. Security threats sourced from VM: Monitoring VMs from other VM. Communication between VMs. Virtual machines mobility. Resources Denial of Service (DoS). VMs provisioning and migration.
Computer Hardware | Physical attacks against computer hardware. Data security on retired or replaced storage devices.

We cannot solve in this paper the whole set of cloud security issues, which could be partially solved by the use of IDS, IPS, anti-viruses, etc. Thus, as we see in the next section, we concentrate our effort on problems that can be solved by a correct use of cryptography.

3 Symmetric Encryption

In order to provide confidentiality of the data stored and used in the cloud, we propose to review three different encryption solutions that operate at different levels.

3.1 Securing the data at the application level

Applications hosted in the cloud could support encryption of sensitive data directly within the application. This solution provides true end-to-end encryption controlled by the end user at the level of his own computer.

Figure 1: Encryption at application level

At no time will cloud or network providers be aware of the information that is transmitted. Moreover, an attacker that can sniff or manipulate the network traffic will not get access to the data. The only way to compromise the data will be to compromise the user's computer itself.
Users will need to be very careful with the secret key used for encryption because no third party will be able to provide it back if lost. This solution is not compatible with the web applications that are likely to be used in cloud-based business. Implementing this solution requires modifying the application at core level to allow encryption. This could be very challenging and needs support from application developers.

3.2 Securing the communication to access cloud information

Transmitting data over a secure channel can be done by deploying an IPsec VPN or using a secure socket (SSL/TLS). IPsec VPN is a protocol suite that aims at securing Internet Protocol (IP) communication by providing authentication, integrity, confidentiality, anti-replay and non-repudiation at layer 3 (Internet network layer). Depending on the protocol and mode of operation used, it operates in different ways and provides different functions [1] ([RFC 4308]). It is defined by IETF RFC 4301 [2]. A secure socket (SSL/TLS) is initialized at layer 5 (OSI session layer) by a handshake using an asymmetric cipher in order to establish a set of cipher settings and a shared key for that session. Then, at layer 6 (OSI presentation layer), it encrypts the rest of the communication using a symmetric cipher and the session key.

Figure 2: Secure channel encryption

As the data are only encrypted during transport, using a secure channel will provide protection against network snooping and is compatible with almost any existing software. A secure channel will not protect data from being accessed by the cloud provider, nor will it protect data if the user's computer is compromised. The initialisation phase is also subject to attacks [3]. To implement secure sockets on an existing Web application, software reconfiguration on the server side will be required, but nothing needs to be done on the client side as every major web browser already includes SSL support. For other kinds of applications, an IPsec VPN will require installing and configuring software on both sides. For both technologies, a pre-shared secret needs to be securely shared. How this secret key is transmitted is a question that will be solved in section 4.

3.3 Securing the storage of data within an operating system in the cloud

To provide confidentiality when the data are stored in the cloud, the operating system data partition can be encrypted. Encryption could be done on system, data and swap partitions. We recommend enabling encryption on all partitions to ensure maximum confidentiality. Encrypting only the data partition could lead to side channel attacks exploiting the information contained in clear text on file systems [ 1.amazonaws.com/oldsite-htdocs/pub/coldboot.pdf].

Figure 3: Storage of data within an operating system in the cloud

This solution is compatible with every application and protects data from being accessed by the cloud provider. As data are not encrypted during transport, communication interception will compromise the data.
This solution can be implemented transparently and with minimal effort on the cloud operating system side. This is a one-time operation that should be supported by the cloud provider itself.

3.4 Technical solution comparison and recommendations

 | Data encryption and decryption at application level only | Data transport using encrypted protocols | Data encryption on cloud storage
Protection provided | Network snooping; man in the middle attacks; cloud provider access to data | Network snooping; universal compatibility | Universal compatibility; cloud provider access to data*
Residual issues | User computer compromised*; not compatible with web application; no secret key recovery | User computer compromised; man in the middle attacks*; cloud provider access to data | Network snooping; user computer compromised; man in the middle attacks
Effort | Developer to implement solution within the application | Software deployment at most, configuration only for web application | Minimal initial configuration required at cloud storage level

Table 2: Technical solution comparison
Table 3: * : Depending on implementation flaw or specific conditions

We recommend implementing encryption at the application level whenever this is possible. This solution will provide maximum data confidentiality. We recommend that the solution forces encryption even on the user's computer. In this setup, the attacker will have to maintain surveillance of the user's computer long enough to catch the user's secret key in order to decrypt the data. We believe that this raises the security level to the point where only a state-sponsored attack remains. If application level encryption is not possible, we recommend combining the "Data transport using encrypted protocols" and "Data encryption on cloud storage" techniques to reduce risks. In this combined setup, compromising the user's computer will be the only way to compromise the data. We believe that a motivated offensive security expert will be able to compromise data within a reasonable time frame.
Lawful interception or regulations may require users to give access to their data. This kind of official request is out of scope of this paper but may impact solution choices. We believe that cloud providers should provide solutions to their customers to enforce confidentiality in compliance with applicable laws.

4 Asymmetric Keys and Identity management

To solve the problem of authentication and non-repudiation, we usually consider the standard PKI. We suggest here to review this system and to propose another one which is less known but certainly more efficient for cloud computing.

4.1 Public Key Infrastructure

A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The third-party validation authority (VA) can provide this information on behalf of the CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the registration authority (RA). The RA ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiation (see Fig. 4).

4.1.1 Issues in cloud based PKI

According to us and as explained in [70], there can be three issues that can complicate the implementation of PKI on cloud:

1. Storing Private Keys In Scalable And Mobile Systems: The three factors to consider when designing the system are scalability, mobility and automation. A solution must be able to add more CAs on demand, be relatively consistent in the time required to sign certificates and always be available. Hence, the solution must support moving the CA operations to another, less strained server if the number of requested signatures increases beyond the limit of the Hardware Security Module or if the service unexpectedly fails.
To be able to move all CA operations to another server, all data regarding that CA must be moved between databases, and the private key has to be moved or be the same at the new location. However, there exists no sufficiently secure procedure to move private keys between Hardware Security Modules (HSMs) autonomously. Therefore, the same private keys must be predefined in HSMs at all available locations of that CA. The ability to move the CA to another location and to bind private keys on demand provides scalability in the number of signatures the system can handle. The scalability of the number of CAs at one location is relative to the number of keys the Hardware Security Module is able to store.
2. Certificate Authority Separation: One essential requirement of a cloud based PKI is that one customer should only be able to see and use its own CAs. Consequently, there must be separation between CAs and customers.
3. Providing Secure Authentication And Authorization: Only a number of predefined CAs can issue certificates to administrators, due to the trust store in the application server. Other CAs issuing administrator certificates can be added, but that requires restarting the application server. The purpose of this is to give each customer a dedicated CA to issue certificates to its administrators.
4. Managing revocation. For huge systems, managing revocation is not so simple with a PKI.

Figure 4: Diagram of a public-key infrastructure [69]

In order to avoid such complications we propose to use the following technique based on Identity Based Cryptography.

4.2 IBE

We briefly summarize what identity-based cryptography (IBC) and the bilinear pairing are. The idea of IBC appeared in 1984 in [65], but without the introduction of elliptic curves. The bilinear pairing appeared in 2001 [66]. Identity-based systems allow any party to generate a public key from a known identity value such as an ASCII string. A trusted third party, called the Private Key Generator (PKG), generates the corresponding private keys. To operate, the PKG first publishes a master public key, and retains the corresponding master private key (referred to as master key). Given the master public key, any party can compute a public key corresponding to the identity ID by combining the master public key with the identity value. To obtain a corresponding private key, the party authorized to use the identity ID contacts the PKG, which uses the master private key to generate the private key for identity ID. As a result, parties may encrypt messages (or verify signatures) with no prior distribution of keys between individual participants. This is extremely useful in cases where pre-distribution of authenticated keys is inconvenient or infeasible due to technical restraints. However, to decrypt or sign messages, the authorized user must obtain the appropriate private key from the PKG. The steps involved are depicted in this diagram:

Figure 5: ID Based Encryption: Offline and Online Steps [67]

Let $G_1$ be a cyclic additive group of prime order $q$, and $G_2$ be a cyclic multiplicative group of the same order $q$. A bilinear pairing is a map $\hat{e} : G_1 \times G_1 \to G_2$ with the following properties:

Bilinearity: $\forall P, Q \in G_1$, $\forall a, b \in \mathbb{Z}_q$, we have $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$.
Non-degeneracy: There exist $P, Q \in G_1$ such that $\hat{e}(P, Q) \neq 1$.
Computability: There exists an efficient algorithm to compute $\hat{e}(P, Q)$, $\forall P, Q \in G_1$.

4.2.1 Hierarchical architecture for cloud computing [67]

As shown in Fig. 6, the IBHM (Identity based Hierarchical model) for cloud computing (IBHMCC) is composed of three levels [68]. The top level (level-0) is the root PKG. Level-1 consists of sub-PKGs. Each node in level-1 corresponds to a data-center (such as a Cloud Storage Service Provider) in the cloud computing. The bottom level (level-2) consists of the users in the cloud computing. In IBHMCC, each node has a unique name. The name is the node's registered distinguished name (DN) when the node joins the cloud storage service. For example, in Fig. 6, the DN of the root node is $DN_0$, the DN of node M is $DN_M$ and the DN of node N is $DN_N$. We define the identity of a node as the DN string from the root node to the current node itself. For example, the identity of entity N is $ID_N = DN_0 \| DN_M \| DN_N$, where $\|$ denotes string concatenation. We further define $ID_N|_0 = DN_0$, $ID_N|_1 = DN_0 \| DN_M$, $ID_N|_2 = DN_0 \| DN_M \| DN_N$. The rule is applicable to all nodes in the hierarchical model. The deployment of IBHMCC needs two modules: Root PKG setup and Lower-level setup.

Figure 6: Hierarchical architecture for cloud computing

Root PKG setup: The root PKG acts as follows:
1. Generate groups $G_1$, $G_2$ of some prime order $q$ and an admissible pairing $\hat{e} : G_1 \times G_1 \to G_2$;
2. Choose an arbitrary generator $P \in G_1$;
3. Choose cryptographic hash functions $H_1 : \{0, 1\}^* \to G_1$, $H_2 : G_2 \to \{0, 1\}^n$ for some $n$;
4. Pick a random $\alpha \in \mathbb{Z}_q$ and set $Q_0 = \alpha P$, $P_0 = H_1(DN_0)$, $S_0 = \alpha P_0$. The root PKG's master key is $S_0$ and the system parameters are $\langle G_1, G_2, \hat{e}, Q_0, P, P_0, H_1, H_2 \rangle$.

Lower-level setup:
1. Assume there are $m$ nodes in level-1. For each node, the root PKG acts as follows (let X be an arbitrary node among the $m$ nodes):
2. Compute the public key of node X: $P_X = H_1(ID_X)$ where $ID_X = DN_0 \| DN_X$;
3. Pick the secret point $\rho_X \in \mathbb{Z}_q$ for the node X. $\rho_X$ is only known by node X and its parent node;
4. Set the secret key of node X: $S_X = S_0 + \rho_X P_X$;
5. Define the Q-value: $Q_{ID_X|_1} = \rho_X P$. $Q_{ID_X|_1}$ is public.

After the above five steps are finished, all nodes in level-1 get and securely keep their secret keys and secret points. On the other hand, the public key and the Q-value are publicized. Then, each node in level-1 similarly repeats the above steps (2-5). Similarly, all nodes in level-2 keep the secret keys and the secret point while publicizing the public key and Q-value.

4.2.2 Identity-Based Encryption and Signature for IBHMCC

For the needs of cloud computing, we have to propose encryption and signature schemes. Since identity-based encryption (IBE) and identity-based signature (IBS) schemes are well known, they can be considered for IBHMCC as follows.

Identity-Based Encryption (IBE): IBE is based on the above Root PKG setup and Lower-level setup algorithms. It is composed of two parts: Encryption and Decryption.

Encryption: Assume $E_1$ and $E_2$ are two entities in the cloud computing. The identity of the entity $E_2$ is $ID_{E_2} = DN_0 \| DN_1 \| DN_2$. To encrypt message $m$ with $ID_{E_2}$, $E_1$ acts as follows:
1. Compute $P_1 = H_1(DN_0 \| DN_1)$, $P_2 = H_1(DN_0 \| DN_1 \| DN_2)$;
2. Choose a random $r \in \mathbb{Z}_q$;
3. Output the ciphertext $\langle rP, rP_1, rP_2, H_2(g^r) \oplus m \rangle$, where $g = \hat{e}(Q_0, P_0)$, which can be precomputed.

Decryption: After receiving the ciphertext $C = \langle U_0, U_1, U_2, V \rangle$, the entity $E_2$ can decrypt $C$ using its secret key $S_{E_2} = S_0 + \rho_1 P_1 + \rho_2 P_2$, where $\rho_1$ is the secret point of node $DN_0 \| DN_1 \| DN_2$:
1. Compute $d = \dfrac{\hat{e}(U_0, S_{E_2})}{\prod_{i=1}^{2} \hat{e}(Q_{ID_{E_2}|_i}, U_i)}$, where $Q_{ID_{E_2}|_1} = \rho_1 P$, $Q_{ID_{E_2}|_2} = \rho_2 P$;
2. Output the message $m = H_2(d) \oplus V$.

Identity-Based Signature (IBS): IBS is also based on the Root PKG setup and Lower-level setup algorithms. It incorporates two algorithms: signature and verification.

Signature: To sign a message $m$, the entity $E_2$ acts as follows:
1. Compute $P_m = H_1(DN_0 \| DN_1 \| DN_2 \| m)$;
2. Compute $\delta = S_{E_2} + \rho_2 P_m$, where $\rho_2$ is the secret point of the entity $E_2$;
3. Output the signature $\langle \delta, P_m, Q_{ID_{E_2}|_1}, Q_{ID_{E_2}|_2} \rangle$.

Verification: Other entities can verify the signature by acting as follows. Confirm

$$\hat{e}(P, \delta) = \hat{e}(P, \rho_2 P_m)\, \hat{e}(Q_0, P_0) \prod_{i=1}^{2} \hat{e}(Q_{ID_{E_2}|_i}, P_i).$$

If the equation is true, the signature is validated.
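
The Root PKG setup, Lower-level setup, IBE and IBS steps above, traced end to end in an added Python sketch (not code from the paper or its authors). It replaces the elliptic-curve pairing with a toy algebraic model in which a point aP is stored as the scalar a, so the equations can be checked but nothing is secure; the parameters 1019, 2039 and 4, the dictionary layout, the DN strings and all function names are assumptions of this sketch.

```python
import hashlib
import secrets

# Toy parameters constructed for this sketch: q divides p - 1 and G2 is the
# order-q subgroup of Z_p^* generated by 4. G1 is Z_q written additively, so a
# point aP is stored as the scalar a. The pairing algebra is exact, but this
# gives NO security (discrete logs in G1 are trivially known).
Q_ORDER, P_MOD, G2_GEN = 1019, 2039, 4
P_GEN = 1  # the generator P of G1

def pairing(a, b):
    """e(aP, bP) = g^(ab): bilinear and non-degenerate by construction."""
    return pow(G2_GEN, (a * b) % Q_ORDER, P_MOD)

def h1(identity):
    """H1: {0,1}* -> G1 (never the zero element)."""
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q_ORDER - 1)

def h2_mask(element, n):
    """H2: G2 -> {0,1}^n, realised here with SHAKE-256 (n counted in bytes)."""
    return hashlib.shake_256(str(element).encode()).digest(n)

def rand_scalar():
    return 1 + secrets.randbelow(Q_ORDER - 1)

def ident(dns):
    """ID = DN_0 || DN_1 || ...; '||' is used as a literal separator here."""
    return "||".join(dns)

def root_setup(dn0):
    """Root PKG: Q0 = alpha*P, P0 = H1(DN0), master key S0 = alpha*P0."""
    alpha, p0 = rand_scalar(), h1(dn0)
    return {"dns": [dn0], "S": alpha * p0 % Q_ORDER, "rho": None,
            "Qs": [], "Q0": alpha * P_GEN % Q_ORDER, "P0": p0}

def lower_level_setup(parent, dn):
    """Parent picks rho_X, sets S_X = S_parent + rho_X*P_X, publishes rho_X*P."""
    dns, rho = parent["dns"] + [dn], rand_scalar()
    return {"dns": dns, "S": (parent["S"] + rho * h1(ident(dns))) % Q_ORDER,
            "rho": rho, "Qs": parent["Qs"] + [rho * P_GEN % Q_ORDER],
            "Q0": parent["Q0"], "P0": parent["P0"]}

def encrypt(params, recipient_dns, message):
    """Needs only the system parameters and the recipient's DN path."""
    r = rand_scalar()
    points = [h1(ident(recipient_dns[:i + 1])) for i in range(1, len(recipient_dns))]
    us = [r * P_GEN % Q_ORDER] + [r * p_i % Q_ORDER for p_i in points]
    g = pairing(params["Q0"], params["P0"])
    mask = h2_mask(pow(g, r, P_MOD), len(message))
    return us, bytes(x ^ y for x, y in zip(mask, message))

def decrypt(node, ciphertext):
    """d = e(U0, S) / prod_i e(Q_i, U_i), then m = H2(d) xor V."""
    us, v = ciphertext
    denom = 1
    for q_i, u_i in zip(node["Qs"], us[1:]):
        denom = denom * pairing(q_i, u_i) % P_MOD
    d = pairing(us[0], node["S"]) * pow(denom, -1, P_MOD) % P_MOD
    return bytes(x ^ y for x, y in zip(h2_mask(d, len(v)), v))

def sign(node, message):
    """delta = S + rho*P_m with P_m = H1(ID || m); rho is the node's secret point."""
    p_m = h1(ident(node["dns"] + [message]))
    return (node["S"] + node["rho"] * p_m) % Q_ORDER, p_m, list(node["Qs"])

def verify(params, signer_dns, message, signature):
    delta, p_m, qs = signature
    # Assumption of this sketch: the verifier recomputes P_m from the message.
    if not qs or len(qs) != len(signer_dns) - 1:
        return False
    if p_m != h1(ident(signer_dns + [message])):
        return False
    # e(P, rho_2*P_m) is evaluated as e(Q_last, P_m): rho_2 itself stays secret.
    rhs = pairing(qs[-1], p_m) * pairing(params["Q0"], params["P0"]) % P_MOD
    for i, q_i in enumerate(qs, start=1):
        rhs = rhs * pairing(q_i, h1(ident(signer_dns[:i + 1]))) % P_MOD
    return pairing(P_GEN, delta) == rhs

def demo():
    """Constructed three-level hierarchy: root PKG, one data-center, one user."""
    root = root_setup("DN0-root")
    user = lower_level_setup(lower_level_setup(root, "DN1-datacenter"), "DN2-user")
    params = {"Q0": root["Q0"], "P0": root["P0"]}
    plaintext = decrypt(user, encrypt(params, user["dns"], b"disk passphrase"))
    return plaintext, verify(params, user["dns"], "hello", sign(user, "hello"))
```

The sender in `encrypt` uses nothing but the system parameters and the recipient's DN path, which is the property the scheme relies on to avoid distributing certificates.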

4.2.3 Identity-Based cryptography to manage users storage in cloud computing

Here we assume that an initial registration of users has been done. Then, for any new session, it is clear that the users can be authenticated through a standard authentication protocol. By using IBE and IBS, a user can securely send through the network the passphrase that enables the encryption of the operating system, as considered in section 3. To do this we recommend using the TLS protocol or an IPsec VPN. Secure communication between users of the same group is ensured by the IBE system. We believe that the use of the HIBE and HIBS system, combined with an OS encryption solution, makes it possible to remove the inherent problems of PKI and to avoid the inherent problems of homomorphism. In particular, revocation is no longer a difficulty, since a revoked user will not have a new asymmetric key to communicate. As we have seen, a system based on identity mainly requires one server, whereas a standard PKI requires 3. Almost no key has to be registered: each public key can be computed from the identity itself, and the PKG has a secret key to generate all private keys.

5 Private information retrieval

In cryptography, a private information retrieval (PIR) protocol allows a user to retrieve an item from a server in possession of a database without revealing which item is retrieved. PIR is a weaker version of 1-out-of-n oblivious transfer, where it is also required that the user should not get information about other database items. One trivial, but very inefficient, way to achieve PIR is for the server to send an entire copy of the database to the user. In fact, this is the only possible protocol that gives the user information-theoretic privacy for their query in a single-server setting. There are two ways to address this problem: one is to make the server computationally bounded and the other is to assume that there are multiple non-cooperating servers, each having a copy of the database.
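
The multi-server approach, as an added Python example that is not part of the original paper: the simplest two-server XOR scheme, with an exhaustive check that each server's view is distributed identically whatever index is requested, and a helper showing why the servers must not cooperate. Function names and the sample database are constructed for illustration; indices are 0-based and no communication saving is attempted (each query is as long as the database has records).

```python
import secrets
from collections import Counter
from itertools import product


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_queries(index, k, coins=None):
    """User: one selection vector per server; they differ only at `index`."""
    if not 0 <= index < k:
        raise IndexError("index outside the database")
    if coins is None:
        coins = [secrets.randbelow(2) for _ in range(k)]
    first = tuple(coins)
    second = tuple(bit ^ (pos == index) for pos, bit in enumerate(coins))
    return first, second


def answer(database, query):
    """Server: XOR of the fixed-length records selected by the query vector."""
    acc = bytes(len(database[0]))
    for record, bit in zip(database, query):
        if bit:
            acc = xor_bytes(acc, record)
    return acc


def retrieve(database, index):
    """Full run against two servers that each hold a copy of `database`."""
    q1, q2 = make_queries(index, len(database))
    # Every record selected by both vectors cancels; only record `index` remains.
    return xor_bytes(answer(database, q1), answer(database, q2))


def server_view(k, index, server):
    """Distribution of the query one server sees, over all 2^k coin strings."""
    return Counter(make_queries(index, k, coins)[server]
                   for coins in product((0, 1), repeat=k))


def privacy_holds(k):
    """True if each single server's view is the same for every requested index."""
    return all(server_view(k, i, s) == server_view(k, 0, s)
               for s in (0, 1) for i in range(k))


def colluding_view(q1, q2):
    """Servers that compare their queries see exactly where the vectors differ."""
    return [pos for pos, (a, b) in enumerate(zip(q1, q2)) if a != b]


# Constructed sample database: k = 6 records of equal length.
SAMPLE_DB = [f"record-{n:02d}".encode() for n in range(6)]
```

`colluding_view` returns the requested index as soon as both queries are available to one party, which is why the scheme depends on the non-cooperation assumption stated above.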
The problem was introduced in 1995 by Chor, Goldreich, Kushilevitz and Sudan [51] in the information-theoretic setting and in 1997 by Kushilevitz and Ostrovsky in the computational setting [53]. The authors of [51] showed the following: assume you have $k \ge 2$ copies of databases of size n. Then there are PIR schemes of complexity n which achieve complete information-theoretic security. The authors of [51] came up with PIR schemes that enable private retrieval of records from replicated databases, with a nontrivially small amount of communication. In such protocols, users query each server holding the database. The protocol ensures that each individual server (by observing only the query it receives) gets no information about the identity of the items of user interest.

We now make the notion of private information retrieval schemes more concrete. We model the database as a k-long q-ary string x that is replicated between r non-communicating servers. The user holds an index i (which is an integer between 1 and k) and is interested in obtaining the value of the i-th coordinate of x. To achieve this goal, the user tosses some random coins, queries each of the r servers and gets replies from which the desired value can be computed. The query to each server is distributed independently of i; therefore each server gets no information about what the user is after. Formally,

Definition 1. An r-server private information retrieval protocol is a triplet of non-uniform algorithms P = (Q, A, C). We assume that each algorithm is given k as an advice. At the beginning of the protocol, the user U tosses random coins and obtains a random string rand. Next:

- U invokes $Q(i, rand)$ to generate an r-tuple of queries $(que_1, \ldots, que_r)$.
- For $j \in [r]$, U sends $que_j$ to the server $S_j$.
- Each server $S_j$, $j \in [r]$, responds with an answer $ans_j = A(j, x, que_j)$.
- Finally, U computes its output by applying the reconstruction algorithm $C(ans_1, \ldots, ans_r, i, rand)$.
A protocol as above should satisfy the following requirements:

- Correctness: For any k, $x \in [q]^k$ and $i \in [k]$, U outputs the correct value of $x_i$ with probability 1 (where the probability is over the random strings rand).
- Privacy: Each server individually learns no information about i. More precisely, we require that for any k and for any $j \in [r]$, the distributions $que_j(i, rand)$ are identical for all values $i \in [k]$.

The communication complexity of a PIR protocol P is a function of k measuring the total number of bits communicated between the user and the servers, maximized over all choices of $x \in [q]^k$, $i \in [k]$, and random inputs. The major goal of PIR-related research is to design r-server private information retrieval schemes with optimal (i.e., the smallest possible) amount of communication for every r.

Following the paper of Chor et al. [51] there has been a large body of work on private information retrieval [54–62]. A large number of extensions of the basic PIR model have also been studied. These include extensions to t-private protocols, in which the user is protected against collusions of up to t servers [55, 63]; extensions which protect the servers holding the database in addition to the user, termed symmetric PIR [71, 72]; extensions to computational schemes [73] that only ensure that a server cannot get any information about the user's intentions unless it solves a certain computationally hard problem; and other extensions [74]. In many of those extensions the protocols are obtained by adding some extra layers on top of a basic private information retrieval scheme. Therefore improving parameters of basic private information retrieval schemes yields improvements for many other problems. See [75] for surveys of PIR literature.

The gap between upper and lower bounds for communication complexity of private information retrieval schemes is fairly large. Currently, the most efficient r-server schemes for $r \ge 3$ are obtained through r-query locally decodable codes. Communication complexity of such schemes is roughly logarithmic in the codeword length of corresponding codes. This, for instance, yields 3-server schemes with $\exp\left(\sqrt{\log k \log\log k}\right)$ communication to access a k-bit database [76]. Two-server private information retrieval schemes do not rely on locally decodable codes (LDCs). The most efficient such schemes to date require $O(k^{1/3})$ communication [51]. The best lower bound for the communication complexity of two-server PIR is $5 \log k$, due to Wehner and de Wolf [60]. Single-server PIR schemes require $\Theta(k)$ communication [51]. We present a two server scheme based on polynomial interpolation.
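To make Definition 1 concrete, the following added example (not code from the paper) implements the basic XOR-based two-server scheme for a binary database (r = 2, q = 2), not the polynomial-interpolation scheme mentioned above, and checks the correctness and privacy requirements exhaustively. Function names and the sample database are assumptions, and indices are 0-based.

```python
import secrets
from collections import Counter

# Constructed sample database: k = 8 bits, replicated on both servers.
SAMPLE_DB = [1, 0, 1, 1, 0, 0, 1, 0]


def query(i, rand):
    """Q(i, rand): rand is a k-bit mask encoding a uniform subset S of the indices.
    Server 1 receives S, server 2 receives S with index i toggled."""
    return rand, rand ^ (1 << i)


def answer(j, x, que):
    """A(j, x, que): XOR of the database bits selected by the mask que.
    j is unused because both servers run the same computation."""
    acc = 0
    for pos, bit in enumerate(x):
        if (que >> pos) & 1:
            acc ^= bit
    return acc


def reconstruct(ans1, ans2, i, rand):
    """C(ans_1, ans_2, i, rand): the two subsets differ only in index i,
    so every other bit cancels and the XOR of the answers is x_i."""
    return ans1 ^ ans2


def retrieve(x, i):
    """Run one protocol execution with fresh randomness."""
    k = len(x)
    if not 0 <= i < k:
        raise IndexError("index outside the database")
    rand = secrets.randbits(k)
    q1, q2 = query(i, rand)
    return reconstruct(answer(1, x, q1), answer(2, x, q2), i, rand)


def check_correctness(x):
    """Correctness: the output equals x_i for every index and every random string."""
    k = len(x)
    for i in range(k):
        for rand in range(1 << k):
            q1, q2 = query(i, rand)
            if reconstruct(answer(1, x, q1), answer(2, x, q2), i, rand) != x[i]:
                return False
    return True


def privacy_holds(k):
    """Privacy: for each server, the distribution of its query over all random
    strings is identical for every index i (checked by full enumeration)."""
    for server in (0, 1):
        dists = [Counter(query(i, rand)[server] for rand in range(1 << k))
                 for i in range(k)]
        if any(d != dists[0] for d in dists):
            return False
    return True


def communication_bits(k):
    """Two k-bit queries plus two 1-bit answers: 2k + 2 bits. This is linear in k
    (no saving over downloading the database); it equals 2*log2(N*q) when the
    scheme is read as a 2-query code with N = 2**k positions and q = 2."""
    return 2 * k + 2


def collusion_recovers_index(q1, q2):
    """Failure mode if the servers do communicate: the two queries differ in
    exactly one position, which is the requested index."""
    return (q1 ^ q2).bit_length() - 1


if __name__ == "__main__":
    print([retrieve(SAMPLE_DB, i) for i in range(len(SAMPLE_DB))])
    print(check_correctness(SAMPLE_DB[:4]), privacy_holds(4), communication_bits(8))
```

The last function shows why the non-communicating assumption in the model is load-bearing: this scheme is private against each server alone but not against the two together.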
5.1 From codes to schemes

The following lemma obtains an r-server private information retrieval scheme out of any perfectly smooth r-query locally decodable code, i.e., a code where each decoder's query is distributed perfectly uniformly over the set of codeword coordinates.

Lemma 2 [77]. Suppose there exists a perfectly smooth q-ary r-query locally decodable code C encoding k-long messages to N-long codewords; then there exists an r-server private information retrieval scheme with $O(r \log_2(Nq))$ communication to access a q-ary k-long database.

Theorem 3 [77]. For every integer $t \ge 2$ and for all $k \ge 2$, there exists a $3 \cdot 2^{t-2}$-server private information retrieval scheme with $\exp_t\left((\log k)^{1/t} (\log\log k)^{1-1/t}\right)$-bit communication to access a k-bit database.

One of the earliest applications of locally decodable codes was to worst-case to average-case reductions in computational complexity theory. This application requires LDCs with polynomial length and polylogarithmic query complexity. Such codes can be obtained from Reed-Muller codes. Currently, Reed-Muller codes are the best known LDCs in the regime of medium query complexity. The length of RM codes of query complexity log k is only slightly superpolynomial. To date, Reed-Muller codes and multiplicity codes constitute the only known classes of locally correctable codes. It is interesting to see if there are locally correctable codes in the regime of low query complexity that are shorter than Reed-Muller codes. In particular, we do not know if matching vector codes can be made locally correctable.

6 Conclusion

We have presented a few secure solutions that could be used in an IaaS cloud. We believe that these solutions are realistic and that securing a cloud properly is achievable using the existing cryptographic material. Currently, secure storage in the cloud is an open problem, but existing operating-system encryption such as TrueCrypt allows users to work without latency problems.
PKI is enabling computer-to-computer communications in the Cloud because it offers a cryptographically strong method of authentication which can be tied to the secure transport mechanism, TLS. The security of any system is not a question of whether the system is secure or not; it is a question of how secure it is or, in other words, to what extent it is secure. Every system has flaws, either in the design or in the nature of the system, thus absolute security cannot be guaranteed for any system. Technologies and incentives to access or destroy systems emerge as technology moves forward and the value of the system increases. Hence, a system can only be classified secure to an extent or not secure at all. One critical factor in security is cost. To limit the incentives to break the system, the cost of breaking the system should be higher than or equal to the value of the information the system is protecting.

The paper has discussed a model to build trust in the Cloud using Public Key Infrastructure and Identity-based cryptography. We prefer the use of Identity-based cryptography for reasons of scalability and management. As we have seen, PKI is certainly much more costly from almost every point of view. Finally, we proposed investigating PIR solutions in order to offer privacy to cloud users. This last subject is open and merits research to make it less costly in terms of complexity.

Acknowledgements: The research was supported by the company Numergy (

References:

[1] P. Hoffman. Cryptographic Suites for IPsec. IETF Request for Comments:
[2] S. Kent, K. Seo. Security Architecture for the Internet Protocol. IETF Request for Comments:
[3] Steve Dispensa, Marsh Ray. Renegotiating TLS Man-In-The-Middle. Paper /Renegotiating TLS.pdf
[4] J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Lest We Remember: Cold Boot Attacks on Encryption Keys. Paper
[5] Mell P, Grance T. The NIST definition of cloud computing. NIST Special Publication. 2011:
[6] Bessani A, Correia M, Quaresma B, et al. DEPSKY: dependable and secure storage in a cloud-of-clouds. 6th Conference on Computer Systems (EuroSys11), 2011:
[7] Chen Y, Sion R. On securing untrusted clouds with cryptography. ACM Workshop on Privacy in the Electronic Society (WPES 2010), 2010:
[8] Chow S S M, Chu C, Huang X, et al. Dynamic secure cloud storage with provenance. Cryptography and Security: from Theory to Applications, LNCS, Springer-Verlag. 2011, 6805:
[9] Kamara S, Lauter K. Cryptographic cloud storage. 14th International Conference on Financial Cryptography and Data Security, LNCS, IFCA/Springer-Verlag. 2010, 6054:
[10] Kumbhare A, Simmhan Y, Prasanna V. Designing a secure storage repository for sharing scientific databases using public clouds. Second International Workshop on Data Intensive Computing in the Clouds (DataCloud-SC11), New York, ACM. 2011:
[11] Li M, Yu S, Lou W, et al. Toward privacy-assured cloud data services with flexible search functionalities. 3rd International Workshop on Security and Privacy in Cloud Computing (SPCC 2012), IEEE ICDCS
[12] Lu Y, Tsudik G. Enhancing data privacy in the cloud. IFIP Advances in Information and Communication Technology, 2011, 358:
[13] Patil D H, Bhavsar R R, Thorve A S. Data security over cloud. IJCA Proceedings on Emerging Trends in Computer Science and Information Technology (ETCSIT2012) etcsit1001, 2012, ETCSIT(5):
[14] Wang C, Cao N, Li J, et al. Secure ranked keyword search over encrypted cloud data. IEEE 30th International Conference on Distributed Computing Systems (ICDCS), 2010:
[15] Danezis G, Livshits B. Towards ensuring client-side computational integrity. 3rd ACM Workshop on Cloud Computing Security Workshop (CCSW11), New York, ACM. 2011:
[16] Davenport J H. Cryptography and security in clouds. IBM Forum Zurich, 2011
[17] Dijk M, Juels A. On the impossibility of cryptography alone for privacy-preserving cloud computing. 5th USENIX Conference on Hot Topics in Security, Article 1-8, USENIX Association Berkeley
[18] Gentry G. Fully homomorphic encryption using ideal lattices. 41st Annual ACM Symposium on Theory of Computing (STOC 2009), ACM, 2009:
[19] Li H, Dai Y, Yang B. Identity-based cryptography for cloud security. Cryptography ePrint Archive: Report 2011/169

[20] Silva D A R, Casano F J G, Orellana L A, et al. Encrypted domain processing for cloud privacy-concept and practical experience. International Conference on Cloud Computing and Services Science (CLOSER), 2011:
[21] Takahashi T, Blanc G, Kadobayashi Y, et al. Enabling secure multitenancy in cloud computing: challenges and approaches. nd Baltic Congress on Future Internet Communications (BCFIC), 2012:
[22] Slamanig D. More privacy for cloud users: privacy-preserving resource usage in the cloud. 4th Hot Topics in Privacy Enhancing Technologies (HotPETs), 2011
[23] Slamanig D. Efficient schemes for anonymous yet authorized and bounded use of cloud resources. Selected Areas in Cryptography, LNCS, 2012, 7118:
[24] Cloud Security Alliance. Security Guideline for Critical Areas of Focus in Cloud Computing V3.0, 2011
[25] Wu J, Ping L, Ge X, et al. Cloud storage as the infrastructure of cloud computing. International Conference on Intelligent Computing and Cognitive Informatics, 2010:
[26] Popa R A, Lorch J R, Molnar D, et al. Enabling security in cloud storage SLAs with CloudProof. Microsoft TechReport MSR-TR-2010, 2010, 46: 1-12
[27] Subashini S, Kavitha V. A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications, 2011, 34(1): 1-11
[28] Tang Y, Lee P P C, Lui J C S, et al. FADE: secure overlay cloud storage with file assured deletion. Security and Privacy in Communication Networks. 2010, LNICST 50:
[29] Chase M, Kamara S. Structured encryption and controlled disclosure. ASIACRYPT 2010, LNCS. 2010, 6477:
[30] Kamara S, Papamanthou C, Roeder T. CS2: a semantic cryptographic cloud storage system. Microsoft Research, Tech.Rep.MSR-TR , 2011
[31] Ko R K L, Jagadpramana P, Mowbray M, et al. TrustCloud: a framework for accountability and trust in cloud computing. IEEE World Congress on Services, 2011:
[32] Liu Q, Tan C C, Wu J, et al. Reliable reencryption in unreliable clouds. IEEE Global Telecommunications Conference (GLOBECOM), 2011
[33] Barua M, Liang X, Lu X, et al. ESPAC: enabling security and patient-centric access control for ehealth in cloud computing. International Journal of Security and Networks, 2011, 6(2):
[34] Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption. IEEE Symposium on Security and Privacy, 2007:
[35] Boneh D, Franklin M K. Identity-based encryption from the Weil Pairing. 21th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO01), 2001:
[36] Kumbhare A, Simmhan Y, Prasanna V. Cryptonite: a secure and performant data repository on public clouds. IEEE 5th International Conference on Cloud Computing, 2012:
[37] Simmhan Y, Giakkoupis M, Cao B, et al. On using cloud platform in a software architecture for smart energy grids. CloudCom, 2010
[38] Zarandioon S, Yao D, Ganapathy V. K2C: cryptography cloud storage with lazy revocation and anonymous access. Securecomm, 2011
[39] Somorovsky J, Meyer C, Tran T, et al. SEC2: secure mobile solution for distributed public cloud storages. 2nd International Conference on Cloud Computing and Services Science (CLOSER), 2012:
[40] Boneh D, Gentry C, Waters B. Collusion resistant broadcast encryption with short ciphertexts and private keys. CRYPTO05, LNCS, Springer-Verlag. 2005, 3621:
[41] Fiat A, Naor M. Broadcast encryption. CRYPTO93, LNCS. 1994, 773:
[42] Micali S, Rabin M O, Vadhan S P. Verifiable random functions. 40th Annual Symposium on Foundations of Computer Science (FOCS), 1999:
[43] Ruj S, Nayak A, Stojmenovic I. DACC: distributed access control in clouds. International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11, IEEE Computer Society, 2011:

[44] Lewko A B, Waters B. Decentralizing attribute-based encryption. EUROCRYPT 2011, LNCS. 2011, 6632:
[45] Kiayias A, Tsiounis Y, Yung M. Group encryption. ASIACRYPT07, 2007:
[46] Feng J, Chen Y, Summerville D H. A fair multi-party non-repudiation scheme for storage clouds. International Conference on Collaboration Technologies and Systems (CTS 2011), 2011:
[47] Feng J, Chen Y, Summerville D, et al. Enhancing cloud storage security against rollback attacks with a new fair multi-party non-repudiation protocol. IEEE Conference on Consumer Communications and Networking (CCNC), 2011:
[48] Boneh D, Shacham H. Group signatures with verifier-local revocation. ACM Conference on Computer and Communications Security (CCS 2004), New York, ACM, 2004:
[49] Delerablee C. Identity-based broadcast encryption with constant size ciphertexts and private keys. ASIACRYPT 2007, LNCS, Springer-Verlag. 2007, 4833:
[50] H. Aiache, M. Lauriano, C. Sieux and C. Tavernier. Nested Encryption Library for automated IPSec-based Anonymous Circuits Establishment. 6th WSEAS International Conference on Information Security and Privacy (ISP 07), Puerto De La Cruz, Tenerife, Canary Islands, Spain, December 14-16, 2007
[51] B. Chor, E. Kushilevitz, O. Goldreich, and M. Sudan. Private information retrieval. Journal of the ACM (JACM), 45: , November
[52] Yanbin Lu, Gene Tsudik. Enhancing Data Privacy in the Cloud. Trust Management V, IFIP Advances in Information and Communication Technology Volume 358, 2011, pp
[53] Eyal Kushilevitz, Rafail Ostrovsky. Replication Is Not Needed: Single Database, Computationally-Private Information Retrieval. FOCS 1997:
[54] Andris Ambainis. Upper bound on the communication complexity of private information retrieval. In 32nd International Colloquium on Automata, Languages and Programming (ICALP), volume 1256 of Lecture Notes in Computer Science, pages Springer, Berlin, Heidelberg,
[55] Amos Beimel, Yuval Ishai, and Eyal Kushilevitz. General constructions for information-theoretic private information retrieval. Journal of Computer and System Sciences, 71: , 2005
[56] Amos Beimel, Yuval Ishai, Eyal Kushilevitz, and Jean-Francois Raymond. Breaking the $O(n^{1/(2k-1)})$ barrier for information-theoretic private information retrieval. In 43rd IEEE Symposium on Foundations of Computer Science (FOCS), pages , 2002
[57] Klim Efremenko. 3-query locally decodable codes of subexponential length. In 41st ACM Symposium on Theory of Computing (STOC), pages 39-44, 2009
[58] Toshiya Itoh and Yasuhiro Suzuki. New constructions for query-efficient locally decodable codes of subexponential length. IEICE Transactions on Information and Systems, pages , 2010
[59] Prasad Raghavendra. A note on Yekhanin's locally decodable codes. In Electronic Colloquium on Computational Complexity (ECCC), TR07-016, 2007
[60] Stephanie Wehner and Ronald de Wolf. Improved lower bounds for locally decodable codes and private information retrieval. In 32nd International Colloquium on Automata, Languages and Programming (ICALP), volume 3580 of Lecture Notes in Computer Science, pages Springer, Berlin, Heidelberg, 2005
[61] David Woodruff and Sergey Yekhanin. A geometric approach to information theoretic private information retrieval. In 20th IEEE Computational Complexity Conference (CCC), pages , 2005
[62] Sergey Yekhanin. Towards 3-query locally decodable codes of subexponential length. Journal of the ACM, 55: 1-16, 2008
[63] Omer Barkol, Yuval Ishai, and Enav Weinreb. On locally decodable codes, self-correctable codes, and t-private PIR. In International Workshop on Randomization and Computation (RANDOM), pages , 2007
[64] W. Dawoud, I. Takouna, C. Meinel. Infrastructure as a service security: Challenges and solutions. 7th International Conference on Informatics and Systems. Cairo, Egypt

[65] Adi Shamir. Identity-Based Cryptosystems and Signature Schemes. Advances in Cryptology: Proceedings of CRYPTO 84, Lecture Notes in Computer Science, 7:47-53, 1984
[66] Dan Boneh, Matthew K. Franklin. Identity-Based Encryption from the Weil Pairing. Advances in Cryptology - Proceedings of CRYPTO 2001 (2001)
[67] encryption
[68] Hongwei Li, Yuanshun Dai, Bo Yang. Identity-Based Cryptography for Cloud Security.
[69] Diagram of a public-key infrastructure Infrastructure.svg
[70] PKI reborn in cloud by Jaimee Brown and Peter Robinson, RSA, The Security Division of EMC, found at: /previewbody/ /nms-301 %20-%20PKI%20Reborn%20in%20the%20 Cloud.pdf
[71] Yael Gertner, Yuval Ishai, Eyal Kushilevitz, and Tal Malkin. Protecting data privacy in private information retrieval schemes. Journal of Computer and System Sciences, 60: , 2000
[72] Moni Naor and Benny Pinkas. Oblivious transfer and polynomial evaluation. In 29th ACM Symposium on Theory of Computing (STOC), pages , 1999
[73] Eyal Kushilevitz and Rafail Ostrovsky. Replication is not needed: Single-database computationally-private information retrieval. In 38rd IEEE Symposium on Foundations of Computer Science (FOCS), pages , 1997
[74] Giovanni Di-Crescenzo, Yuval Ishai, and Rafail Ostrovsky. Universal service-providers for private information retrieval. Journal of Cryptology, 14: pages 37-74, 2001
[75] Sergey Yekhanin. Private information retrieval. Communications of the ACM, 53(4): pages 68-73, 2010
[76] Klim Efremenko. 3-query locally decodable codes of subexponential length. In 41st ACM Symposium on Theory of Computing (STOC), pages 39-44, 2009
[77] Sergey Yekhanin. Locally decodable codes. Ninth IACR Theory of Cryptography Conference TCC 2012
[78] NIST Definition of Cloud Computing - Computer Security Resource.


More information

IMPLEMENTATION CONCEPT FOR ADVANCED CLIENT REPUDIATION DIVERGE AUDITOR IN PUBLIC CLOUD

IMPLEMENTATION CONCEPT FOR ADVANCED CLIENT REPUDIATION DIVERGE AUDITOR IN PUBLIC CLOUD IMPLEMENTATION CONCEPT FOR ADVANCED CLIENT REPUDIATION DIVERGE AUDITOR IN PUBLIC CLOUD 1 Ms.Nita R. Mhaske, 2 Prof. S.M.Rokade 1 student, Master of Engineering, Dept. of Computer Engineering Sir Visvesvaraya

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

More information

Improving data integrity on cloud storage services

Improving data integrity on cloud storage services International Journal of Engineering Science Invention ISSN (Online): 2319 6734, ISSN (Print): 2319 6726 Volume 2 Issue 2 ǁ February. 2013 ǁ PP.49-55 Improving data integrity on cloud storage services

More information

Cloud Security Introduction and Overview

Cloud Security Introduction and Overview Introduction and Overview Klaus Gribi Senior Security Consultant klaus.gribi@swisscom.com May 6, 2015 Agenda 2 1. Cloud Security Cloud Evolution, Service and Deployment models Overview and the Notorious

More information

EFFICIENT AND SECURE DATA PRESERVING IN CLOUD USING ENHANCED SECURITY

EFFICIENT AND SECURE DATA PRESERVING IN CLOUD USING ENHANCED SECURITY EFFICIENT AND SECURE DATA PRESERVING IN CLOUD USING ENHANCED SECURITY Siliveru Ashok kumar* S.G. Nawaz ## and M.Harathi # * Student of M.Tech, Sri Krishna Devaraya Engineering College, Gooty # Department

More information

Decentralized Access Control Schemes for Data Storage on Cloud

Decentralized Access Control Schemes for Data Storage on Cloud Computer Science and Engineering 2016, 6(1): 1-6 DOI: 10.5923/j.computer.20160601.01 Decentralized Access Control Schemes for Data Storage on Cloud Shraddha V. Mokle *, Nuzhat F. Shaikh Department of Computer

More information

Journal of Electronic Banking Systems

Journal of Electronic Banking Systems Journal of Electronic Banking Systems Vol. 2015 (2015), Article ID 614386, 44 minipages. DOI:10.5171/2015.614386 www.ibimapublishing.com Copyright 2015. Khaled Ahmed Nagaty. Distributed under Creative

More information

Business Intelligence (BI) Cloud. Prepared By: Pavan Inabathini

Business Intelligence (BI) Cloud. Prepared By: Pavan Inabathini Business Intelligence (BI) Cloud Prepared By: Pavan Inabathini Summary Federal Agencies currently maintain Business Intelligence (BI) solutions across numerous departments around the enterprise with individual

More information

A NOVEL APPROACH FOR MULTI-KEYWORD SEARCH WITH ANONYMOUS ID ASSIGNMENT OVER ENCRYPTED CLOUD DATA

A NOVEL APPROACH FOR MULTI-KEYWORD SEARCH WITH ANONYMOUS ID ASSIGNMENT OVER ENCRYPTED CLOUD DATA A NOVEL APPROACH FOR MULTI-KEYWORD SEARCH WITH ANONYMOUS ID ASSIGNMENT OVER ENCRYPTED CLOUD DATA U.Pandi Priya 1, R.Padma Priya 2 1 Research Scholar, Department of Computer Science and Information Technology,

More information

How To Ensure Data Integrity In Cloud Storage

How To Ensure Data Integrity In Cloud Storage Decentralized Admittance Power with Flexible Distributed Storage Integrity Auditing Mechanism I G.Thenmozhi, II Dr.S.Dhanalakshmi I M.Phil Full Time Research Scholar, Dept. of Computer Science II Head

More information

Customer Security Issues in Cloud Computing

Customer Security Issues in Cloud Computing Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology ISSN 2320 088X IJCSMC, Vol. 2, Issue.

More information

Cloud Computing Security Issues And Methods to Overcome

Cloud Computing Security Issues And Methods to Overcome Cloud Computing Security Issues And Methods to Overcome Manas M N 1, Nagalakshmi C K 2, Shobha G 3 MTech, Computer Science & Engineering, RVCE, Bangalore, India 1,2 Professor & HOD, Computer Science &

More information

A Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services

A Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services A Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services Ronnie D. Caytiles and Byungjoo Park * Department of Multimedia Engineering, Hannam University

More information

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1 EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

More information

SECURE CLOUD STORAGE PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD

SECURE CLOUD STORAGE PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD Volume 1, Issue 7, PP:, JAN JUL 2015. SECURE CLOUD STORAGE PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD B ANNAPURNA 1*, G RAVI 2*, 1. II-M.Tech Student, MRCET 2. Assoc. Prof, Dept.

More information

15-2394-3696 RIGOROUS PUBLIC AUDITING SUPPORT ON SHARED DATA STORED IN THE CLOUD BY PRIVACY-PRESERVING MECHANISM

15-2394-3696 RIGOROUS PUBLIC AUDITING SUPPORT ON SHARED DATA STORED IN THE CLOUD BY PRIVACY-PRESERVING MECHANISM RIGOROUS PUBLIC AUDITING SUPPORT ON SHARED DATA STORED IN THE CLOUD BY PRIVACY-PRESERVING MECHANISM Dhanashri Bamane Vinayak Pottigar Subhash Pingale Department of Computer Science and Engineering SKN

More information

Security Digital Certificate Manager

Security Digital Certificate Manager IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,

More information

Sync Security and Privacy Brief

Sync Security and Privacy Brief Introduction Security and privacy are two of the leading issues for users when transferring important files. Keeping data on-premises makes business and IT leaders feel more secure, but comes with technical

More information

Query Services in Cost Efficient Cloud Using Query Analysis

Query Services in Cost Efficient Cloud Using Query Analysis Query Services in Cost Efficient Cloud Using Query Analysis VanthanaPriya.J 1, ArunKumar.B 2 PG Scholar, Department of CSE, Karpagam University, Coimbatore, Tamil nadu, India 1 Assistant Professor, Department

More information

Data Storage Security in Cloud Computing

Data Storage Security in Cloud Computing Data Storage Security in Cloud Computing Prashant M. Patil Asst. Professor. ASM s, Institute of Management & Computer Studies (IMCOST), Thane (w), India E_mail: prashantpatil11@rediffmail.com ABSTRACT

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM. Agenda. Security Cases What is Cloud? Road Map Security Concerns

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM. Agenda. Security Cases What is Cloud? Road Map Security Concerns BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM Agenda Security Cases What is Cloud? Road Map Security Concerns 1 Security Cases on Cloud Data Protection - Two arrested in ipad

More information

CRYPTOGRAPHY IN NETWORK SECURITY

CRYPTOGRAPHY IN NETWORK SECURITY ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

More information

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao Guocui.gao@tufts.

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao Guocui.gao@tufts. Tufts University Department of Computer Science COMP 116 Introduction to Computer Security Fall 2014 Final Project Investigating Security Issues in Cloud Computing Guocui Gao Guocui.gao@tufts.edu Mentor:

More information

CRYPTOGRAPHIC SECURE CLOUD STORAGE MODEL WITH ANONYMOUS AUTHENTICATION AND AUTOMATIC FILE RECOVERY

CRYPTOGRAPHIC SECURE CLOUD STORAGE MODEL WITH ANONYMOUS AUTHENTICATION AND AUTOMATIC FILE RECOVERY SOWMIYA MURTHY: CRYPTOGRAPHIC SECURE CLOUD STORAGE MODEL WITH ANONYMOUS AUTHENTICATION AND AUTOMATIC FILE RECOVERY CRYPTOGRAPHIC SECURE CLOUD STORAGE MODEL WITH ANONYMOUS AUTHENTICATION AND AUTOMATIC FILE

More information

RSA BASED CPDP WITH ENCHANCED CLUSTER FOR DISTRUBED CLOUD STORAGE SERVICES

RSA BASED CPDP WITH ENCHANCED CLUSTER FOR DISTRUBED CLOUD STORAGE SERVICES RSA BASED CPDP WITH ENCHANCED CLUSTER FOR DISTRUBED CLOUD STORAGE SERVICES 1 MD ISMAIL Z, 2 ASHFAQUE AHAMED K. 1 PG Scholar,Department of Computer Science, C.Abdul Hakeem College Of Arts and Science,Melvisharam.

More information

Case Study for Layer 3 Authentication and Encryption

Case Study for Layer 3 Authentication and Encryption CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client

More information

Lecture 25: Pairing-Based Cryptography

Lecture 25: Pairing-Based Cryptography 6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: Pairing-Based Cryptography Scribe: Ben Adida 1 Introduction The field of Pairing-Based Cryptography

More information

WIRELESS PUBLIC KEY INFRASTRUCTURE FOR MOBILE PHONES

WIRELESS PUBLIC KEY INFRASTRUCTURE FOR MOBILE PHONES WIRELESS PUBLIC KEY INFRASTRUCTURE FOR MOBILE PHONES Balachandra Muniyal 1 Krishna Prakash 2 Shashank Sharma 3 1 Dept. of Information and Communication Technology, Manipal Institute of Technology, Manipal

More information

What is Cloud Computing? First, a little history. Demystifying Cloud Computing. Mainframe Era (1944-1978) Workstation Era (1968-1985) Xerox Star 1981!

What is Cloud Computing? First, a little history. Demystifying Cloud Computing. Mainframe Era (1944-1978) Workstation Era (1968-1985) Xerox Star 1981! Demystifying Cloud Computing What is Cloud Computing? First, a little history. Tim Horgan Head of Cloud Computing Centre of Excellence http://cloud.cit.ie 1" 2" Mainframe Era (1944-1978) Workstation Era

More information

SHARED DATA & INDENTITY PRIVACY PRESERVING IN CLOUD AND PUBLIC AUDITING

SHARED DATA & INDENTITY PRIVACY PRESERVING IN CLOUD AND PUBLIC AUDITING SHARED DATA & INDENTITY PRIVACY PRESERVING IN CLOUD AND PUBLIC AUDITING Er. Kavin M 1, Mr.J.Jayavel 2 1 PG Scholar, 2 Teaching Assistant, Department of Information Technology, Anna University Regional

More information

Secure and Efficient Data Retrieval Process based on Hilbert Space Filling Curve

Secure and Efficient Data Retrieval Process based on Hilbert Space Filling Curve Secure and Efficient Data Retrieval Process based on Hilbert Space Filling Curve N.S. Jeya karthikka PG Scholar Sri Ramakrishna Engg Collg S.Bhaggiaraj Assistant Professor Sri Ramakrishna Engg Collg V.Sumathy

More information

N TH THIRD PARTY AUDITING FOR DATA INTEGRITY IN CLOUD. R.K.Ramesh 1, P.Vinoth Kumar 2 and R.Jegadeesan 3 ABSTRACT

N TH THIRD PARTY AUDITING FOR DATA INTEGRITY IN CLOUD. R.K.Ramesh 1, P.Vinoth Kumar 2 and R.Jegadeesan 3 ABSTRACT N TH THIRD PARTY AUDITING FOR DATA INTEGRITY IN CLOUD R.K.Ramesh 1, P.Vinoth Kumar 2 and R.Jegadeesan 3 1 M.Tech Student, Department of Computer Science and Engineering, S.R.M. University Chennai 2 Asst.Professor,

More information

Security Issues In Cloud Computing and Countermeasures

Security Issues In Cloud Computing and Countermeasures Security Issues In Cloud Computing and Countermeasures Shipra Dubey 1, Suman Bhajia 2 and Deepika Trivedi 3 1 Department of Computer Science, Banasthali University, Jaipur, Rajasthan / India 2 Department

More information

IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT

IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER APPLICATIONS AND ROBOTICS ISSN 2320-7345 IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT Merlin Shirly T 1, Margret Johnson 2 1 PG

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

Cloud Computing: The Next Computing Paradigm

Cloud Computing: The Next Computing Paradigm Cloud Computing: The Next Computing Paradigm Ronnie D. Caytiles 1, Sunguk Lee and Byungjoo Park 1 * 1 Department of Multimedia Engineering, Hannam University 133 Ojeongdong, Daeduk-gu, Daejeon, Korea rdcaytiles@gmail.com,

More information

Security Considerations for Public Mobile Cloud Computing

Security Considerations for Public Mobile Cloud Computing Security Considerations for Public Mobile Cloud Computing Ronnie D. Caytiles 1 and Sunguk Lee 2* 1 Society of Science and Engineering Research Support, Korea rdcaytiles@gmail.com 2 Research Institute of

More information

Mutual Authentication Cloud Computing Platform based on TPM

Mutual Authentication Cloud Computing Platform based on TPM Mutual Authentication Cloud Computing Platform based on TPM Lei Peng 1, Yanli Xiao 2 1 College of Information Engineering, Taishan Medical University, Taian Shandong, China 2 Department of Graduate, Taishan

More information

Selective dependable storage services for providing security in cloud computing

Selective dependable storage services for providing security in cloud computing Selective dependable storage services for providing security in cloud computing Gade Lakshmi Thirupatamma*1, M.Jayaram*2, R.Pitchaiah*3 M.Tech Scholar, Dept of CSE, UCET, Medikondur, Dist: Guntur, AP,

More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

Role Based Encryption with Efficient Access Control in Cloud Storage

Role Based Encryption with Efficient Access Control in Cloud Storage Role Based Encryption with Efficient Access Control in Cloud Storage G. V. Bandewar 1, R. H. Borhade 2 1 Department of Information Technology, Sinhgad Technical Education Society s SKNCOE, Pune, India

More information

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

More information

Keywords: Authentication, Third party audit, cloud storage, cloud service provider, Access control.

Keywords: Authentication, Third party audit, cloud storage, cloud service provider, Access control. Volume 5, Issue 3, March 2015 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Identity Based

More information

Introduction to Cloud Computing

Introduction to Cloud Computing Introduction to Cloud Computing Grid Computing Def combination of computer resources from multiple administrative domains applied to a common task* Core idea distributed parallel computation super virtual

More information

Introduction to Cryptography

Introduction to Cryptography Introduction to Cryptography Part 3: real world applications Jean-Sébastien Coron January 2007 Public-key encryption BOB ALICE Insecure M E C C D channel M Alice s public-key Alice s private-key Authentication

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

Cloud Computing & Hosting Solutions

Cloud Computing & Hosting Solutions Cloud Computing & Hosting Solutions SANTA FE COLLEGE CTS2356: NETWORK ADMIN DANIEL EAKINS 4/15/2012 1 Cloud Computing & Hosting Solutions ABSTRACT For this week s topic we will discuss about Cloud computing

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

Security Model for VM in Cloud

Security Model for VM in Cloud Security Model for VM in Cloud 1 Venkataramana.Kanaparti, 2 Naveen Kumar R, 3 Rajani.S, 4 Padmavathamma M, 5 Anitha.C 1,2,3,5 Research Scholars, 4Research Supervisor 1,2,3,4,5 Dept. of Computer Science,

More information

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution. Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution. 1 Opening quote. 2 The topics of cryptographic key management

More information

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

More information

CLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING RELIABLE RE-ENCRYPTION

CLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING RELIABLE RE-ENCRYPTION CLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING RELIABLE RE-ENCRYPTION Chandrala DN 1, Kulkarni Varsha 2 1 Chandrala DN, M.tech IV sem,department of CS&E, SVCE, Bangalore 2 Kulkarni Varsha, Asst. Prof.

More information

Mobile Cloud Computing Security Considerations

Mobile Cloud Computing Security Considerations 보안공학연구논문지 (Journal of Security Engineering), 제 9권 제 2호 2012년 4월 Mobile Cloud Computing Security Considerations Soeung-Kon(Victor) Ko 1), Jung-Hoon Lee 2), Sung Woo Kim 3) Abstract Building applications

More information

White Paper. Enhancing Website Security with Algorithm Agility

White Paper. Enhancing Website Security with Algorithm Agility ENHANCING WEBSITE SECURITY WITH ALGORITHM AGILITY White Paper Enhancing Website Security with Algorithm Agility Enhancing Website Security with Algorithm Agility Contents Introduction 3 Encryption Today

More information

A Secure & Efficient Data Integrity Model to establish trust in cloud computing using TPA

A Secure & Efficient Data Integrity Model to establish trust in cloud computing using TPA A Secure & Efficient Data Integrity Model to establish trust in cloud computing using TPA Mr.Mahesh S.Giri Department of Computer Science & Engineering Technocrats Institute of Technology Bhopal, India

More information

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview of CSS SSL. SSL Cryptography Overview CHAPTER CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers

More information

Mona: Secure Multi-Owner Data Sharing for Dynamic Groups in the Cloud

Mona: Secure Multi-Owner Data Sharing for Dynamic Groups in the Cloud Mona: Secure Multi-Owner Data Sharing for Dynamic Groups in the Cloud Arpitha.K 1,Aawini.T 2,Divya J. 3, Kalyani P 4, Prof. Sudhakar Avareddy 5 1,2,3,4 Department of CSE, BITM Bellary, Karnataka. 5 Department

More information

CRYPTOGRAPHY AS A SERVICE

CRYPTOGRAPHY AS A SERVICE CRYPTOGRAPHY AS A SERVICE Peter Robinson RSA, The Security Division of EMC Session ID: ADS R01 Session Classification: Advanced Introduction Deploying cryptographic keys to end points such as smart phones,

More information

Authentication. Authorization. Access Control. Cloud Security Concerns. Trust. Data Integrity. Unsecure Communication

Authentication. Authorization. Access Control. Cloud Security Concerns. Trust. Data Integrity. Unsecure Communication Volume 4, Issue 6, June 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com A Three Layered

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information