Cloud Security Using Third Party Auditing and Encryption Service


Cloud Security Using Third Party Auditing and Encryption Service

Dissertation submitted in partial fulfillment of the requirements for the degree of Master of Technology (Computer Engineering)
by Swaroop S. Hulawale
MIS No:
under the guidance of Professor S. U. Ghumbre

DEPARTMENT OF COMPUTER ENGINEERING AND INFORMATION TECHNOLOGY, COLLEGE OF ENGINEERING, PUNE-5
June, 2013

DEPARTMENT OF COMPUTER ENGINEERING AND INFORMATION TECHNOLOGY, COLLEGE OF ENGINEERING, PUNE

CERTIFICATE

This is to certify that the dissertation titled Cloud Security Using Third Party Auditing and Encryption Service has been successfully completed by Swaroop S. Hulawale ( ).

SIGNATURE
Prof. S U. Ghumbre, Project Guide, Department of Computer Engineering and Information Technology, College of Engineering Pune, Shivajinagar, Pune - 5

SIGNATURE
Dr. J V. Aghav, Head of Dept, Department of Computer Engineering and Information Technology, College of Engineering Pune, Shivajinagar, Pune - 5.

Abstract

Cloud computing is evolving and is considered the next-generation architecture for computing. Typically, cloud computing is a combination of computing resources accessible via the internet. Historically, clients or organisations stored data in data centers, with firewalls and other security techniques used to protect the data against intruders. Since the data was confined to data centers within the limits of the organisation, control over the data was greater, and well-defined procedures could be used for accessing one's own data. In cloud computing, however, since the data may be stored anywhere across the globe, the client organisation has less control over the stored data. To build the trust needed for the growth of cloud computing, cloud providers must protect user data from unauthorised access and disclosure. One technique could be encrypting the data on the client side before storing it in cloud storage; however, this technique places too much burden on the client in terms of key management, maintenance, etc. Alternatively, security services such as computing the hash of the data and verifying its integrity, and encryption/decryption, could be provided by the same cloud storage provider; but then data compromise cannot be ruled out, since the same provider has access to both the storage and the security service. Divide and rule can be one of the techniques: dividing the responsibilities amongst different cloud service providers can benefit the client. A trusted 3rd party cloud provider can be used to provide security services, while another cloud provider is the data storage provider. The trusted 3rd party security service provider does not store any data at its end, and it is confined to providing the security service.

The application or software provides data integrity verification using a hashing algorithm like SHA-1, provides encryption/decryption using a symmetric algorithm like AES, and lets the band of people who can access the shared data securely be defined through an access list. The software is only responsible for encryption/decryption and for computing/verifying the hash of the data, and does not store any data on the trusted 3rd party security system server. The encrypted data and the original data hash are stored in separate clouds (the hash in the Security Cloud); therefore, even if the storage cloud system administrator has access to user data, since the data is encrypted it will be difficult for the system administrator to understand it. When the user downloads the data from the Storage Cloud, it is decrypted first and then a new hash is calculated, which is then compared with the hash of the original data stored in the Security Cloud. Finally, this software/application gives the user the ability to store the encrypted data in the Storage Cloud and the hash and encryption/decryption keys in the Security Cloud service, so that no single cloud service provider has access to both. Another benefit of delegating responsibility to a trusted 3rd party is that it relieves the client of any kind of key management, and of the overhead of maintaining any key information related to the data on its device, which allows the client to use any browser-enabled device to access such a service.

Keywords - Cloud computing; Hash service; encryption and decryption service; data protection and integrity.

Contents

List of Figures
1 INTRODUCTION
    Motivation
    Problem Definition
    Objectives
2 Literature Survey
    Overview of cloud
        Overview of working of cloud
        Cloud Layers
        Cloud Service Models
        Cloud Deployment Models
        Security issues in cloud
        Cryptography
    Summary
3 System Design
    Business Model with separate encryption/decryption and hashing service
    Typical Scenarios In Design
        Data Upload Scenario
        User Data Download Scenario
        Group User Data Download Scenario
    Algorithm selection
        Selection Of AES
    Technologies Used
4 Implementation
    Outline of the AES Algorithm
    Implementation Details
5 Testing and Result
    Testing Result
    Summary
Conclusion and Future work
    Conclusion
    Future Work

List of Figures

2.1 Cloud Layers
3.1 System Architecture
3.2 Use Case
3.3 User Data Upload Scenario
3.4 User Data Download Scenario
3.5 Group User Data Download Scenario
4.1 ClientApp Login Form
4.2 New User Registration
4.3 User Uploads Confidential File
4.4 User Adds Accessor To Confidential File
4.5 Accessor Viewing Confidential File
4.6 Owner Viewing Confidential File
5.1 Sample Input
5.2 Encrypted Confidential File Stored In Storage Cloud

Chapter 1
INTRODUCTION

1.1 Motivation

With the evolution of computers, people's lives became easier and easier. They were able to keep their data on their devices and started finding ways to make it accessible to others, for example by using floppies and writable disks, followed by portable hard disks; all of these were expensive in their own way in their time. Data was very much private on personal devices like PCs, laptops, mobile phones, etc., and therefore sharing data with others was considered expensive. As the world of computing became more advanced, the ways of sharing data became cheaper and cheaper. In recent years a new term has evolved, called Cloud, which is offered by different providers and which is nothing but a facility or service made up of different resources or components like hardware, platform, storage, software, etc. It is gaining importance because it frees the user from maintenance in exchange for an investment of some money for the use of the services provided by cloud service providers. To provide such a service to the client, the provider naturally must have, and indeed can have, access to the resources used by the clients. One of the main reasons this access is required is maintenance. And since billions of clients will be thinking about using such a service, the infrastructure ought to be capable enough to support them, and these resources ought to be shared between billions of clients. Service availability, data synchronization between different devices, and availability of data via any device with a browser make the cloud more attractive. Now, since the information gets shared or stored in the provider's area, the client gets worried about the privacy of its data, although there are certain agreements and SLAs agreed between the cloud provider and the client. Although the client has a platform to share information in general, securing his/her data, or in a nutshell keeping it private, becomes costlier.

The cloud is of interest not just to individual clients but to organizations as well. With an organization as the consumer, the concern of data security becomes multifold. Consider a typical example of a small scale business that has different departments like HR, Finance, etc. We will focus on the finance department, since the finance details of any business/company/organization are considered very sensitive and must be confidential. If the small scale company thinks of using cloud services like storage, storing all account/finance related information in cloud storage makes it prone to leakage of sensitive information to unauthorized users. Therefore securing this finance data is vital before it gets uploaded to the storage cloud, and in case the data stored in cloud storage gets tampered with, there should be a method to verify the integrity of the data. Moving further, a specific band of people should have access to this data, who may be people from the finance department of the client company or special auditors. Simply speaking, the client must have the ability to store the data securely, verify the integrity of the data, and share the data securely with a specific band of people.

1.2 Problem Definition

The client's concerns about data security, data integrity, and sharing data with a specific band of people must be addressed. There are multiple means of achieving this, for example encrypting data on the client machine and then storing it on the cloud storage server, computing the hash of the data on the client machine and storing the hash on the client machine, and the client taking up the responsibility of sharing the secret key used for encryption with the specific band of people.
Therefore it becomes more tedious for the client to keep this information and share it; moreover, if the device which stores such information is lost or stolen, it poses a threat to all the data. Another way could be the same storage cloud provider providing the service for secured sharing, hashing, and encryption/decryption; but since administrators can have use of both services for maintenance, with the security service provided by the cloud storage provider the information might be compromised. The aforementioned approaches burden the client by making it additionally accountable for securing its data before storing it in cloud storage.

1.3 Objectives

Our objective is to build a security service which will be provided by a trusted 3rd party, which would provide only security services and would not store any data in its system. Detailing it further:
1. To construct a web service system which would provide data integrity verification and encryption/decryption of the consumer's data.
2. To define an access list for sharing data securely with a specific band of individuals.
3. To construct a thin client application which would call this web service before uploading/downloading data to and from the cloud.

Chapter 2
Literature Survey

The analysis behind this topic can be subdivided into 3 different sub-fields:
1. Study of cloud computing and the various cloud computing models (IaaS, PaaS, SaaS, etc.), study of different business models, and study of service level agreements.
2. Study of security issues in cloud.
3. Study of cryptography.

2.1 Overview of cloud

Cloud computing describes the combination of logical entities like data and software which are accessible via the internet. Client data is generally stored in banks of servers spread across the globe. Historically, each piece of software, like a word processor or paint brush, required a license to be installed on the client's machine. However, with the idea of the workgroup becoming more prominent, the client-server model came into existence, which provided large storage capabilities, allowing users to host applications with data for the workgroup. The client machine would need a browser to access this server functionality, and would use the client CPU and memory for processing. Cloud computing differs from the traditional client-server model by providing applications from the server which are executed and managed by the client's internet browser, with no installed client version of an application required. Cloud providers free the client from software license management etc., since the services are accessible via the internet. Software as a Service (SaaS), offered by a cloud company, requires browser-enabled devices like personal computers, laptops, and newer devices like smartphones, tablets, etc., to access these services once an individual is registered in the cloud. For instance, if an individual opts for a storage service from the cloud provider, then she or he can upload personal information, code, music, movies, songs, and photographs, which are stored anywhere across the planet in the server banks of the cloud company; the geographic storage location is generally kept unknown to the user. Since a browser-enabled device is sufficient to access these files, different devices can be kept in sync.

Overview of working of cloud

Generally the cloud services are browser based, therefore any browser-enabled device such as a laptop, desktop, smartphone or tablet can be used to gain access to these services. The services at the provider's end may be hosted on any platform (Windows, Linux, etc.) and are accessible via the internet. As an example, consider a regular income and expenditure application which gives different analyses of a person's expenditure. This application could be executing on the cloud provider's server, while the client browser allows the client to feed in the inputs and visualize the analysis prepared for the inputs provided; the analysis computation is completed at the server side. Suppose this application can further create documentation on a monthly basis, which can be stored in cloud storage, once again relieving the client from storing or processing the file on its side. Because the cloud services are offered via the internet, significant factors which play an important role in performance are the speed of the internet and the processing power of the individual. Since cloud providers have server banks, multiple servers are often used internally by the cloud service provider to boost the processing power. This pooling is invisible to the client.
On the other hand, if these heavy tasks were to be executed on the client side, it would require investment in hardware and time. The cloud frees the client from buying expensive hardware and investing his/her valuable time, since time is money. Having studied the overview of the working of the cloud, let's now understand some of its essential characteristics.

On-the-fly service
A consumer can require more capabilities at any moment in time, for example processing power for a huge task, and these requirements must be fulfilled without human intervention and be invisible to the client [4].

Wide Accessibility
Generally the cloud services are available via standard network protocols, which promotes the use of different types of client platforms (like smartphones, laptops, etc.) for accessing these services [4].

Pooling Of Resources
The pooling of resources at the cloud provider's end is invisible to the end client, and resource assignment is done dynamically depending on the need of the client [4].

Measured service
The cloud has enough resources, and the amount used by each client is measured by a metering capability, and controlled at some level, for optimized resource usage (like storage) [4].

Cloud Layers

At a high level, cloud computing architecture can be partitioned into:
1. Client or front-end platform (thin or thick client).
2. Back-end platform (storage server etc).
3. The network (Internet etc).
These client platforms communicate with the cloud data storage via an application (hosted on middleware), accessible via a browser.

Cloud Service Models

In this section let's understand the different service models of cloud.

SaaS
Software as a Service (SaaS), also known as on-demand software, as its name says allows the client to use software services supplied by the cloud provider via a web browser. The management of the server, internal cloud network, operating system, and application configuration on middleware are the responsibilities of the cloud provider. SalesForce is one SaaS company, which supplies different software services.

Figure 2.1: Cloud Layers

PaaS
Platform as a Service (PaaS): as the name suggests, the cloud provider provides a platform for deployment of the user's application, but doesn't give control of the underlying hardware or infrastructure (storage, network).

IaaS
Infrastructure as a Service (IaaS): limited access to a group of infrastructure is provided to the client for storage, network, processing, etc. The client can deploy and execute its application using this infrastructure; the key advantage is that it frees the client from buying top-end servers, software, data-center space, network infrastructure, etc. The clients are charged on a per-use basis [4].

Cloud Deployment Models

In this section we focus our attention on some of the primary cloud models.

Public Cloud
A public cloud is a set of resources, such as storage or applications, made available to the general public online by the cloud provider. The client is billed based on usage, or the service may be free.

Community Cloud
A community cloud shares the underlying infrastructure with other organizations which share a common interest like security etc. It is not completely public, and the fee is shared by the community members. It is neither totally public nor fully private.

Private Cloud
A private cloud, as its name says, is internal to an organization. It can be managed either internally or by a trusted 3rd party. The cloud is only accessible within the organization, or say to designated employees of the organization.

Security issues in cloud

Every coin has 2 sides, and cloud computing is no exception. There is criticism about privacy in the cloud model, because administrators have access to the data stored in the cloud. They can unintentionally or intentionally access the client's data. Traditional security or protection techniques need reconsideration for the cloud. Except for private cloud, where the organization does not have control over the equipment the progress of cloud seems a little slow, because organizations think that, instead of compromising on the security of the data, they are still willing to invest in buying private equipment to set up their own infrastructure. Security issues which are of concern to the client can be classified into sensitive data access, data segregation, bug exploitation, recovery, accountability, malicious insiders, and account control issues. Just as different diseases have different medicines, different cloud security issues have different solutions, like cryptography, use of more than one cloud provider, and a strong service level agreement between the client and the cloud service provider. Heavy investment is needed to secure data against compromise in the cloud. The cloud can grow only if it is possible to build trust in the client, which can be built only if security concerns are addressed. Following are some of the concerns:

1. System Complexity
Compared to a traditional data center, the cloud architecture is much more complex.
Therefore, while considering security, the security of all these components and the interaction of these components with each other need to be addressed [13].

2. Shared Multi-tenant Environment
Since the cloud needs to provide service to millions of clients, a logical separation of data is done at different levels of the application stack [13]. Because of this, an attacker posing as a client can exploit bugs to gain access to data from other organizations [13].

3. Internet-facing Services
Since the cloud service is accessed over the internet via a browser, the quality of service delivered on the network is another concern [13].

4. Loss of control
As the client's data is stored anywhere across the world, loss of physical and logical control over the system, loss of alternative control over the client's assets, and mismanagement of assets are some additional concerns [13].

Cryptography

Cryptography is a field of computer science and mathematics which deals with information security and related issues, in particular encryption and authentication. In Greek the word kryptos means hidden, while the word graphein means to write. During encryption a plain-text is converted into cipher text, while the reverse process, termed decryption, converts the cipher text into plain-text. The cipher text is in an unreadable format.

AES
The Advanced Encryption Standard (AES) is a symmetric key encryption/decryption algorithm for converting plain-text to cipher text and vice-versa. Since the same key, or master key, is used, the key must be kept secret or held by a trusted 3rd party, because compromise of this key would mean compromise of the data.

Diffie-Hellman
Diffie-Hellman key exchange is a technique to exchange cryptographic keys between 2 parties with no prior knowledge of each other. It allows the 2 parties to establish a secret key which can be used for further secured communication.

SHA-1
SHA stands for Secure Hash Algorithm. SHA-1 is a cryptographic hash function, where a hash of the data is computed. Compared to SHA-0, SHA-1 is widely used because it corrects errors in the SHA hash specification which led to weakness.

2.2 Summary

The literature survey helped us gain better insight into cloud computing, the different models of cloud computing, and current security issues. It also gave us an understanding of different cryptographic algorithms like AES, SHA-1 and Diffie-Hellman. During the survey it was noted that a lot of research is going on into cloud computing security issues, how to overcome them, and how to gain cloud users' confidence.

Chapter 3
System Design

In the proposed design, a hash service for data integrity verification, an encryption/decryption service, and a provision for defining the list of people who can access data securely are provided by a trusted 3rd party which is separate from the storage cloud provider.

3.1 Business Model with separate encryption/decryption and hashing service

The system provides hash, access list, and encryption/decryption services through a trusted 3rd party over the network in the form of Software as a Service (SaaS) [1]. The system has a separate storage service which is also provided as SaaS. The data for each client is stored in a database in the form of a BLOB. The trusted 3rd party which provides these security services does not store any data at its end, and stores only the master key of each client for data encryption and decryption, and the hash of the data, which is calculated on the client side. To enhance security, the communication between the client and the security server is secured using a Diffie-Hellman key, which is used as an input for AES. This division of responsibility has a big effect, as no single provider has access to the data, the security key and the hash at the same time. Figure 3.1 is an overview of the architecture, where the storage and encryption/decryption/hash services (security services) are separated. For example (as described in chapter 1, Motivation), a small or medium scale business which wishes to store all its account related data in cloud storage will first calculate the hash of the data, encrypt the data using the encryption service, and then store the data in storage provided by a separate provider. The system also provides functionality whereby other users from the small scale business company are able to access data which is stored in cloud storage. The sessions between the client and the security server are secured using a Diffie-Hellman key, with AES as the encryption algorithm. SHA-1 is used for calculating the hash of the data, and AES is used as the encryption/decryption algorithm for computing the cipher text at the security server end. Figure 3.2 shows the use case diagram of the system.

Figure 3.1: System Architecture

Figure 3.2: Use Case

3.2 Typical Scenarios In Design

The 3 basic scenarios are user data upload, user data download, and group user access. In this section we discuss each of these scenarios.

Data Upload Scenario

1. The end user logs in to the system with his/her username & password.
2. Once the user is authenticated, the Diffie-Hellman key is exchanged for the session.
3. Now the user can select the files which he/she wants to upload to the storage cloud.
4. The user can also select whether he/she wants to share the file with specific users.
5. The hash of the data in the file is calculated using SHA-1 (original hash).
6. The data in the file is now encrypted using the DH keys.
7. The complete encrypted file and the original hash of the file data are now transferred to the Security Cloud.
8. At the Security Cloud, the encrypted file is decrypted back using the DH key, while the hash is stored in the Security Cloud database.
9. The decrypted file is now encrypted with a symmetric algorithm, namely AES, using the Master Key generated for each user during user creation.
10. The File ID, the original hash (file/data hash), and the master key for each user are stored in the Security Cloud database.
11. The Security Cloud now discards any contents of the file from its system, and does not store any file contents in its system.
12. The encrypted file is sent back to the user, to be uploaded to the Storage Cloud.
13. The user can now upload the encrypted file to the Storage Cloud.

Figure 3.3: User Data Upload Scenario

User Data Download Scenario

1. The end user logs in to the system with his/her username & password.
2. Once the user is authenticated, the Diffie-Hellman key is exchanged for the session.
3. Now the user can select the files which he/she wants to download from the storage cloud.

4. The encrypted file is now downloaded from the storage cloud to the user's machine.
5. The complete encrypted file is now transferred to the Security Cloud.
6. The data in the file is now encrypted using the DH keys.
7. The complete encrypted file and the original hash of the file data are now transferred to the Security Cloud.
8. At the Security Cloud, the file is decrypted with a symmetric algorithm, namely AES, using the Master Key stored in the Security Cloud database for each user.
9. The decrypted file is now encrypted with the DH key.
10. The DH-encrypted file and the hash of the corresponding file are now passed to the user.
11. At the user end, on receiving the encrypted file, it is decrypted with the DH keys.
12. The hash of the decrypted file is calculated using SHA-1 and compared with the original hash to see if they match, and accordingly an appropriate message like "File tampered" or "File is intact" is flashed on the user's screen. Thus the integrity of the data is verified.

Figure 3.4: User Data Download Scenario

Group User Data Download Scenario

1. The end user logs in to the system with his/her username & password.
2. Once the user is authenticated, the Diffie-Hellman key is exchanged for the session.
3. Now the user can select the files which are shared by another user.
4. The encrypted file is now downloaded from the storage cloud to the user's machine.
5. The complete encrypted file is now transferred to the Security Cloud.
6. At the Security Cloud, the file is decrypted with a symmetric algorithm, namely AES, using the Master Key stored in the Security Cloud database for each user.
7. The decrypted file is now encrypted with the DH key.
8. The DH-encrypted file is now passed to the group users.
9. At the user end, on receiving the encrypted file, it is decrypted with the DH key.
10. The group user can now view the file, and the data integrity is also verified at the group user's end.

Figure 3.5: Group User Data Download Scenario

First, since the responsibility is divided between 2 different providers, the Storage Cloud provider and the Security Cloud provider, the Storage Cloud provider, although it has access to the file/data, sees it only in encrypted format and has no access to any kind of encryption/decryption keys. Second, as the Security Cloud only stores the user's master key and the encrypted data hash, and does not store any data/file, it has no use for the keys. In case the data/file is tampered with anywhere, it will be caught during the integrity verification. Third, as the session keys are established during user login, all the subsequent data transfer is secured. This allows the user to access its data from any machine, which is one of the defining features of cloud services. Thus the user data is transferred and stored in a secure manner in the storage cloud. Fourth, it is possible to share data securely with a preferred band of people.

3.3 Algorithm selection

In this section we discuss some of the advantages of selecting particular algorithms over others. We begin with a discussion of AES.

Selection Of AES

Broadly speaking, encryption/decryption can be done via a symmetric key or an asymmetric key. In symmetric algorithms, both parties share the secret key for both encryption and decryption, and from a privacy perspective it is important that this key is not compromised, because all the data depending on it will then be compromised. Symmetric encryption/decryption requires less power for computation. Asymmetric algorithms, on the other hand, use pairs of keys, of which one key is used for encryption while the other key is used for decryption.

Generally the private key is kept secret and is held by the owner of the data or a trusted 3rd party for the data, while the public key can be distributed to others for encryption. The secret key can't be obtained from the public key. In our case, since the encryption/decryption is performed on the trusted 3rd party server, a symmetric key is used, which delegates the burden of key management to the trusted 3rd party. If key management were to be done at the client's end, it would mean that:
1. either they have to remember the big key, or
2. store the key on all devices/machines which will be used to access the cloud services, which makes the user device a bottleneck;
3. the individual owner has to take the responsibility of sharing the key with the specific authorized group of users which he/she defines.

On the other hand, with symmetric key encryption, the use of a master key or private key stored per user at the security cloud provider gives the client advantages like:
1. Freedom from remembering any key.
2. The client can use any device/machine to access the data stored in the cloud.
3. The client need not worry about how the data will be shared securely; the client just needs to define the individuals with whom he/she wants to share the data.

3.4 Technologies Used

In order to implement a cloud architecture or a Software as a Service (SaaS) architecture we need:
1. WebService: need to implement a web service.
2. GlassFish Server to host the web service.
3. SOAP API: to be able to call the web service at the client side we need to use the SOAP API or even XML.
4. Java
5. Operating System: Windows
MySQL
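
The upload and download scenarios of Section 3.2, condensed into one runnable Java program as an added example (not the dissertation's code). Assumptions made here: all class and method names, AES in CBC mode with a random IV (the text names no mode), and hashing the Diffie-Hellman shared secret with SHA-256 to obtain the 128-bit session key; SHA-1 is kept for the file hash because the design specifies it.

```java
import javax.crypto.*;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Added illustration: names, the CBC mode and the key derivation are assumptions.
public class SecurityCloudFlow {
    static final SecureRandom RNG = new SecureRandom();

    // AES-CBC with a fresh random IV stored in front of the ciphertext.
    static byte[] encrypt(SecretKey key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(blob, 0, 16));
        return c.doFinal(blob, 16, blob.length - 16);
    }

    // The design names SHA-1; MessageDigest.getInstance("SHA-256") is a drop-in change.
    static byte[] sha1(byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-1").digest(data);
    }

    // Both ends call this with their own private key and the peer's public key.
    static SecretKey sessionKey(PrivateKey mine, PublicKey theirs) throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(mine);
        ka.doPhase(theirs, true);
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(ka.generateSecret());
        return new SecretKeySpec(digest, 0, 16, "AES"); // first 128 bits become the AES key
    }

    // Security Cloud: keeps master keys and original hashes, never file contents.
    static class SecurityCloud {
        private final Map<String, SecretKey> masterKeys = new HashMap<>();
        private final Map<String, byte[]> fileHashes = new HashMap<>();
        void register(String user) throws GeneralSecurityException {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(128);
            masterKeys.put(user, kg.generateKey());
        }

        // Upload steps 8-12: remove the session layer, record the hash, re-encrypt.
        byte[] protect(String user, String fileId, SecretKey session, byte[] sessionBlob,
                       byte[] originalHash) throws GeneralSecurityException {
            byte[] plain = decrypt(session, sessionBlob);
            fileHashes.put(fileId, originalHash);
            return encrypt(masterKeys.get(user), plain); // plaintext is not retained
        }

        // Download steps 8-10: returns { session-encrypted file, original hash }.
        byte[][] release(String owner, String fileId, SecretKey session, byte[] storedBlob)
                throws GeneralSecurityException {
            byte[] plain = decrypt(masterKeys.get(owner), storedBlob);
            return new byte[][] { encrypt(session, plain), fileHashes.get(fileId) };
        }
    }

    // Download steps 11-12 on the client: remove the session layer, compare hashes.
    static String verify(SecretKey session, byte[][] reply) throws GeneralSecurityException {
        byte[] plain = decrypt(session, reply[0]);
        return MessageDigest.isEqual(sha1(plain), reply[1]) ? "File is intact" : "File tampered";
    }

    public static void main(String[] args) throws Exception {
        // Step 2: Diffie-Hellman exchange; the server reuses the client's group parameters.
        KeyPairGenerator clientGen = KeyPairGenerator.getInstance("DH");
        clientGen.initialize(2048);
        KeyPair client = clientGen.generateKeyPair();
        KeyPairGenerator serverGen = KeyPairGenerator.getInstance("DH");
        serverGen.initialize(((DHPublicKey) client.getPublic()).getParams());
        KeyPair server = serverGen.generateKeyPair();
        SecretKey clientKey = sessionKey(client.getPrivate(), server.getPublic());
        SecretKey serverKey = sessionKey(server.getPrivate(), client.getPublic());
        SecurityCloud cloud = new SecurityCloud();
        cloud.register("alice"); // constructed user name
        byte[] file = "Constructed sample: yearly summary, total 1234.00".getBytes(StandardCharsets.UTF_8);
        // Upload steps 5-7 on the client, then the Security Cloud's part.
        byte[] stored = cloud.protect("alice", "file-1", serverKey, encrypt(clientKey, file), sha1(file));
        // Honest download: the Storage Cloud returns the blob unchanged.
        System.out.println(verify(clientKey, cloud.release("alice", "file-1", serverKey, stored)));
        // One bit of the blob changed while at rest in the Storage Cloud.
        byte[] modified = stored.clone();
        modified[0] ^= 0x01;
        System.out.println(verify(clientKey, cloud.release("alice", "file-1", serverKey, modified)));
    }
}
```

Under CBC the modified blob still decrypts without error, so only the SHA-1 comparison at the client reports it; an authenticated mode such as AES/GCM would reject the blob at decryption in the Security Cloud.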

Chapter 4
Implementation

In the previous sections we have discussed the system architecture, the different scenarios, and the algorithms that we will be using to implement them.

4.1 Outline of the AES Algorithm

    Constants:
        int Nb = 4;              // but it might change someday
        int Nr = 10, 12, or 14;  // rounds, for Nk = 4, 6, or 8
    Inputs:
        array in of 4*Nb bytes          // input plaintext
        array out of 4*Nb bytes         // output ciphertext
        array w of 4*Nb*(Nr+1) bytes    // expanded key
    Internal work array:
        state, 2-dim array of 4*Nb bytes, 4 rows and Nb cols
    Algorithm:
        void Cipher(byte[] in, byte[] out, byte[] w) {
            byte[][] state = new byte[4][Nb];
            state = in;                          // actual component-wise copy
            AddRoundKey(state, w, 0, Nb - 1);    // XOR the first round key into the state
            for (int round = 1; round < Nr; round++) {
                SubBytes(state);                 // S-box substitution of every byte
                ShiftRows(state);                // cyclic shift of each row
                MixColumns(state);               // mix the bytes of each column
                AddRoundKey(state, w, round*Nb, (round+1)*Nb - 1);
            }
            // final round: no MixColumns
            SubBytes(state);
            ShiftRows(state);
            AddRoundKey(state, w, Nr*Nb, (Nr+1)*Nb - 1);
            out = state;                         // component-wise copy
        }

4.2 Implementation Details

In this section we discuss some of the important implementation details. The overall project was divided into 2 components, namely, ClientApp, Encryption/Decryption Service, Storage Service.

ClientApp

The ClientApp is a Java Web Start application. The Client Login Form is shown in Figure 4.1.

Figure 4.1: ClientApp Login Form

Web Start has an advantage over applets in that it overcomes many compatibility problems with browsers' Java plugins and different JVM versions. On the other hand, Web Start programs are no longer part of the web page. They are independent applications that run in a separate frame.

A new client/user has to register by clicking on Register in the Login Form, and then log in with its own user, as shown in Figure 4.2.

Figure 4.2: New User Registration

Let us revisit the example discussed in chapter 1. The head of the account department finalizes the YDT Summary report for the small scale business. He/she then wants to upload the document to cloud storage. The user clicks on the Upload Data button, then clicks on Upload File, and selects the file to be uploaded from its device/machine. The user now selects whether he/she wants to make the file private, which will make it accessible only to the user, or to share it with others as well. Suppose the user makes it shared and clicks on UPLOAD; while uploading the file, the application shows appropriate messages wherever necessary.

Figure 4.3: User Uploads Confidential File

Since the user has selected shared, he/she now needs to define the list of people who will be able to access the file. For this, the user clicks on the Access List button, followed by the Add Accessor button, searches for the person who will be able to access the data, and clicks on DONE, Figure 4.4. This accessor list is stored in the accesslist table defined at the storage cloud. The accessor will now be able to view this file securely. One more advantage is that when the accessor downloads the file by clicking on View Other S DATA, the accessor can see the list of all people and the data these people have shared with him/her. The integrity of the data is verified when a particular item is selected for viewing, and the accessor can report to the head of department if the data is tampered, Figure

Figure 4.4: User Adds Accessor To Confidential File

In the other scenario, the user wants to download or view the data/file. For this he/she clicks on Download Data, followed by FETCH FILE LIST, selects the file to be downloaded, clicks on Save File As, and finally clicks on Download, Figure

Figure 4.5: Accessor Viewing Confidential File

Figure 4.6: Owner Viewing Confidential File
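The Cipher outline from Section 4.1, carried through to a runnable single-block encryption. This is an added example in Python, not the dissertation's ClientApp or service code; the function names and the computed S-box are choices made here, and it generalizes the outline by deriving Nk and Nr from the key length.

```python
NB = 4  # columns in the state, as in the outline


def xtime(a):
    """Multiply a byte by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def gmul(a, b):
    """Multiply two bytes in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r


def build_sbox():
    """S-box = affine transform of the multiplicative inverse (0 maps to 0)."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):      # x^254 is the inverse of x
                inv = gmul(inv, x)
        s = inv
        for k in range(1, 5):         # XOR with the four left rotations
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()


def expand_key(key):
    """Return (w, Nr): the expanded key as 4-byte words and the round count."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    nk = len(key) // 4
    nr = nk + 6                       # 10, 12 or 14 rounds for Nk = 4, 6, 8
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, NB * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # extra SubWord for Nk = 8
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return w, nr


def add_round_key(state, w, first, last):
    """XOR expanded-key words first..last into the state, one per column."""
    for c, word in enumerate(w[first:last + 1]):
        for r in range(4):
            state[c][r] ^= word[r]


def sub_bytes(state):
    for col in state:
        col[:] = [SBOX[b] for b in col]


def shift_rows(state):
    """Rotate row r left by r positions (state is stored column by column)."""
    old = [col[:] for col in state]
    for c in range(NB):
        for r in range(4):
            state[c][r] = old[(c + r) % NB][r]


def mix_columns(state):
    for col in state:
        a = col[:]
        for r in range(4):
            col[r] = (gmul(a[r], 2) ^ gmul(a[(r + 1) % 4], 3)
                      ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])


def cipher(block, w, nr):
    """Same round structure as Cipher(in, out, w) in Section 4.1."""
    if len(block) != 4 * NB:
        raise ValueError("AES block must be 16 bytes")
    state = [list(block[4 * c:4 * c + 4]) for c in range(NB)]
    add_round_key(state, w, 0, NB - 1)
    for rnd in range(1, nr):
        sub_bytes(state)
        shift_rows(state)
        mix_columns(state)
        add_round_key(state, w, rnd * NB, (rnd + 1) * NB - 1)
    sub_bytes(state)                  # final round has no MixColumns
    shift_rows(state)
    add_round_key(state, w, nr * NB, (nr + 1) * NB - 1)
    return bytes(b for col in state for b in col)


def encrypt_block(key, block):
    w, nr = expand_key(key)
    return cipher(block, w, nr)
```

The function encrypts one 16-byte block, as the outline does; encrypting a whole file additionally needs a mode of operation and padding, which the outline does not cover.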

Chapter 5 Testing and Result

Till now we have seen the system architecture and its implementation using the AES, SHA-1 and Diffie-Hellman algorithms. This section gives the results of the working model.

5.1 Testing Result

Let us now take the example of the Yearly Tax Deduction Excel file, which we provide as an input to the system.

Figure 5.1: Sample Input

1. The file is stored in encrypted format. The userdata table in the storage cloud stores the data for each user; Figure 5.2 shows the encrypted file which was stored by a user.

Figure 5.2: Encrypted Confidential File Stored In Storage Cloud

2. Secondly, the keys and hash of data are stored in the security cloud server in the userkey table, while the hash of the corresponding data is stored in the filehash table.

5.2 Summary

We have seen how the security service provided by a trusted third party helps in securing data. It provides the facility of data verification and allows data to be shared between a designated group of people.

Chapter 6 Conclusion and Future work

6.1 Conclusion

We have seen how delegating responsibility to a trusted 3rd party which provides security services secures user data. It relieves the client from maintaining any kind of key information and allows the client to use any browser-enabled device to access the cloud services. It allows the client to verify the integrity of the stored data on download or retrieval of its own data from the cloud. The client can share the data securely with a specific group of people without any overhead of key distribution.

6.2 Future Work

1. To enhance security further, a mechanism to secure the keys in the security cloud can be an area of research.
2. Reducing the overhead of network traffic can be another area of research.



More information

An Introduction to Cloud Computing Concepts

An Introduction to Cloud Computing Concepts Software Engineering Competence Center TUTORIAL An Introduction to Cloud Computing Concepts Practical Steps for Using Amazon EC2 IaaS Technology Ahmed Mohamed Gamaleldin Senior R&D Engineer-SECC ahmed.gamal.eldin@itida.gov.eg

More information

Cloud SQL Security. Swati Srivastava 1 and Meenu 2. Engineering College., Gorakhpur, U.P. Gorakhpur, U.P. Abstract

Cloud SQL Security. Swati Srivastava 1 and Meenu 2. Engineering College., Gorakhpur, U.P. Gorakhpur, U.P. Abstract International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 4, Number 5 (2014), pp. 479-484 International Research Publications House http://www. irphouse.com /ijict.htm Cloud

More information

N TH THIRD PARTY AUDITING FOR DATA INTEGRITY IN CLOUD. R.K.Ramesh 1, P.Vinoth Kumar 2 and R.Jegadeesan 3 ABSTRACT

N TH THIRD PARTY AUDITING FOR DATA INTEGRITY IN CLOUD. R.K.Ramesh 1, P.Vinoth Kumar 2 and R.Jegadeesan 3 ABSTRACT N TH THIRD PARTY AUDITING FOR DATA INTEGRITY IN CLOUD R.K.Ramesh 1, P.Vinoth Kumar 2 and R.Jegadeesan 3 1 M.Tech Student, Department of Computer Science and Engineering, S.R.M. University Chennai 2 Asst.Professor,

More information

International Research Journal of Engineering and Technology (IRJET) e-issn: 2395-0056. Volume: 02 Issue: 05 Aug-2015 www.irjet.net p-issn: 2395-0072

International Research Journal of Engineering and Technology (IRJET) e-issn: 2395-0056. Volume: 02 Issue: 05 Aug-2015 www.irjet.net p-issn: 2395-0072 Fear of Cloud Vinnakota Saran Chaitanya 1, G. Harshavardhan Reddy 2 1 UG Final year student, Department of Computer Science and Engineering, G. Pulla Reddy Engineering College, Andhra Pradesh, India 2

More information

Public Auditing for Shared Data in the Cloud by Using AES

Public Auditing for Shared Data in the Cloud by Using AES Public Auditing for Shared Data in the Cloud by Using AES 1 Syagamreddy Subbareddy, 2 P.Tejaswi, 3 D.Krishna 1 M.Tech(CSE) Pursuing, 2 Associate Professor, 3 Associate Professor,HOD, 1,2,3 Dept. of Computer

More information

Cloud Computing. Karan Saxena * & Kritika Agarwal**

Cloud Computing. Karan Saxena * & Kritika Agarwal** Page29 Cloud Computing Karan Saxena * & Kritika Agarwal** *Student, Sir M. Visvesvaraya Institute of Technology **Student, Dayananda Sagar College of Engineering ABSTRACT: This document contains basic

More information

Comprehensive Study on Data Security in Cloud Data Store

Comprehensive Study on Data Security in Cloud Data Store Int. J. Open Problems Compt. Math., Vol. 7, No. 4, December 2014 ISSN 1998-6262; Copyright ICSRS Publication, 2014 www.i-csrs.org Comprehensive Study on Data Security in Cloud Data Store Hisham A. Shehadeh,

More information

Customer Security Issues in Cloud Computing

Customer Security Issues in Cloud Computing Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology ISSN 2320 088X IJCSMC, Vol. 2, Issue.

More information

A Survey on Cloud Security Issues and Techniques

A Survey on Cloud Security Issues and Techniques A Survey on Cloud Security Issues and Techniques Garima Gupta 1, P.R.Laxmi 2 and Shubhanjali Sharma 3 1 Department of Computer Engineering, Government Engineering College, Ajmer Guptagarima09@gmail.com

More information

yvette@yvetteagostini.it yvette@yvetteagostini.it

yvette@yvetteagostini.it yvette@yvetteagostini.it 1 The following is merely a collection of notes taken during works, study and just-for-fun activities No copyright infringements intended: all sources are duly listed at the end of the document This work

More information

The Analysis of Cloud Computing Major Security Concerns & Their Solutions

The Analysis of Cloud Computing Major Security Concerns & Their Solutions Journal of Information & Communication Technology Vol. 6, No. 2, (Fall 2012) 48-53 The Analysis of Cloud Computing Major Security Concerns & Their Solutions Farhat Sharif * Institute of Business and Technology

More information

Data Integrity for Secure Dynamic Cloud Storage System Using TPA

Data Integrity for Secure Dynamic Cloud Storage System Using TPA International Journal of Electronic and Electrical Engineering. ISSN 0974-2174, Volume 7, Number 1 (2014), pp. 7-12 International Research Publication House http://www.irphouse.com Data Integrity for Secure

More information

Distributed auditing mechanism in order to strengthen user s control over data in Cloud computing Environment

Distributed auditing mechanism in order to strengthen user s control over data in Cloud computing Environment Distributed auditing mechanism in order to strengthen user s control over data in Cloud computing Environment Chandra Sekhar Murakonda M.Tech Student, Department of Computer Science Engineering, NRI Institute

More information

IMPLEMENTATION CONCEPT FOR ADVANCED CLIENT REPUDIATION DIVERGE AUDITOR IN PUBLIC CLOUD

IMPLEMENTATION CONCEPT FOR ADVANCED CLIENT REPUDIATION DIVERGE AUDITOR IN PUBLIC CLOUD IMPLEMENTATION CONCEPT FOR ADVANCED CLIENT REPUDIATION DIVERGE AUDITOR IN PUBLIC CLOUD 1 Ms.Nita R. Mhaske, 2 Prof. S.M.Rokade 1 student, Master of Engineering, Dept. of Computer Engineering Sir Visvesvaraya

More information

Fully homomorphic encryption equating to cloud security: An approach

Fully homomorphic encryption equating to cloud security: An approach IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661, p- ISSN: 2278-8727Volume 9, Issue 2 (Jan. - Feb. 2013), PP 46-50 Fully homomorphic encryption equating to cloud security: An approach

More information