IJCSIET-ISSUE4-VOLUME2-SERIES1 Page 1

Transcription

1 Hash Message Authentication for Public Auditing in Secure Cloud Storage MK Siva Krishna Kanth 1, Dr.N. Chandra Sekhar Reddy 2, A. Praveen 3 Professor 2, CSE Dept., Professor 3, IT Dept., Institute of Aeronautical Engineering, HYD , AP, India sivakrishnakanth@gmail.com 1, naguchinni@gmail.com 2, praveenpranay@gmail.com 3 Abstract- Cloud computing is environment which enables convenient, efficient, ondemand network access to a shared pool of configurable computing resources Cloud computing is the arising technology to minimize the user burden in the updation of data in business using internet. Instead of local data storage and maintenance, the user is assisted with the cloud storage so that the user can remotely store their data and enjoy the on-demand high quality application from a shared pool of resources. The data stored must be protected in the cloud storage. To enhance the correctness of data, auditing process is done which is carried out by TPA(Third Party Auditor). The TPA must be efficient to audit without demanding the local copy of data. In this paper we have proposed a method that uses the keyed Hash Message Authentication Code (HMAC) with the Homomorphic tokens to enhance the security of TPA. I.Introduction Cloud service providers manage an enterprise-class infrastructure that offers a scalable, secure and reliable environment for users, at a much lower marginal cost due to the sharing nature of resources. Cloud computing is a long dreamed vision of computing utility, which enable the sharing of services over the internet. Cloud is a large group of interconnected computers, which is a major change in how we store information and run application. Cloud computing is a shared pool of configurable computing resources, ondemand network access and provisioned by the service provider[1]. Cloud computing is used by many software industries now a days as a new technology. Cloud computing gives flexibility to the user, when users put their data in the cloud, they need not manage the information stored in cloud storage. Cloud computing lets you access all your application and document from anywhere in the world. The advantage of cloud computing are cost saving, unlimited storage capacity, improved performance. Reduced software cost, increased data reliability and flexibility. Disadvantage of cloud computing is the security, stored data might not be secure it may get lost. In the history of IT, cloud computing has brought unprecedented benefits to the computing world. It has made it possible to have a different computing model that does not suffer with scarcity of resources. Cloud computing enables to share computing resources without the need for investment in pay as you use fashion. Cloud service providers such as Microsoft, Oracle, Amazon, Google etc. are able to provide huge clouds which are nothing but computing resources that are provided on demand through Internet [1]. The way IT infrastructure has been used; is changing with the emergence of cloud computing paradigm. One important aspect of cloud computing is that data is stored in a centralized server which is linked to cloud data center. The storage and other services provided by cloud can be utilized by individuals and organizations alike without the need for capital investment. To organizations and individuals cloud provides very useful benefits as they are relieved from storage management, investment, and maintenance [2]. Along with the advantages, it also has challenges in terms of security threats. This is because the users data is stored in a remote server which is considered untrusted. Users are IJCSIET-ISSUE4-VOLUME2-SERIES1 Page 1

2 losing control over their data and the storage facilities are under control of cloud service providers. Thus the correctness or integrity of the data is questioned. The cloud data storage might be subjected to internal and external threats. It causes security concern on part of cloud users [3]. Security problems surfaced in cloud computing were known to the world [4], [5], [6]. On the other hand CSPs might have intentions to be unfair towards cloud users and their outsourced data besides hiding security flaws in their storage infrastructure [7], [8]. Out sourcing data to cloud have benefits in the long run provided the security risks are addressed positively. In order to secure cloud data the usage of cryptography to secure data is not feasible as the data is no longer physically stored in the user s machine [9]. At the same time obtaining complete data which has been outsourced for integrity verification is not ideal solution as it is expensive. Cloud users should be able to audit their data without the expensive approach as their systems are resource constrained [10], [7]. The data integrity verification should be done intuitively as that should not give trouble to end cloud so as to enable the owner of data to send integrity verification request to cloud server. Keeping all such things in mind, it is essential to have some sort of public auditing service which enables data owners to verify the data integrity with ease. The public auditing service takes care of periodical verification of data integrity. It helps cloud users to be confident of their outsourced data and cloud service providers can assure storage integrity that makes cloud usage much more popular by improving their services [11]. Many public auditing schemes were introduced for cloud computing [8], [12], [9], [13]. Many such schemes did not consider privacy protection of cloud users except [13]. Encrypting data before outsourcing [4], [9] provides security but adds unnecessary burden on the system. The problems in cryptography might jeopardize the interests of cloud users as it is not suitable solution for secure cloud storage. Therefore it is a wise choice to have public auditing of data dynamics pertaining to each and every user of particular cloud. In [13] introduced homomorpic linear authenticator [8], [12], [7] for enabling public third party auditability. In this paper we implement the protocols provided in [13] for Azure platform in order to make it robust and secure. Our contributions include implementation of privacy preserving protocol for third party auditing; supporting scalable auditing services; improved performance with respect to cloud storage security. II. Related Work Cloud computing is anything that involves services over the internet. These services are broadly classified into three categories: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). Cloud software as a service (SaaS) is the on-demand service developed for end users, provider will license the software for their own use. As the software is managed over the central location over the web, the user need not required to handle the upgrades. E.g-gmail. And the next service is cloud platform as a service (PaaS) is designed for the application developers, which provide all the facilities for developing the web applications easily with more features without the complexity of buying and maintaining the software and the infrastructure. The deployment models of cloud computing are public, private and hybrid cloud. Public cloud is generally for public owned by an organization. Public cloud (off-site and remote) describes cloud computing where resources are dynamically provisioned on an on-demand, self-service basis over the internet, via web application/web services, open API, from a third-party provider who bills on a utility computing basis. A private cloud IJCSIET-ISSUE4-VOLUME2-SERIES1 Page 2

3 environment is often the first step for a corporation prior to adopting a public cloud initiative. Private cloud are two types onpremise private cloud and externally hosted private cloud. Externally hosted private cloud is cheaper than the on-premise private cloud, externally hosted private cloud are hosted with single organization or specific third party specializing in cloud. The combination of private and public cloud id the hybrid cloud. A hybrid cloud environment consist of computing resources on-site(on premise) and off-site(public cloud). By integrating public cloud services, user can leverage cloud solutions which are too costly to maintain the specific function in on-premise like virtual server disaster recovery. Related works were carried out by Yan Zhu et al [3]. about the data which the user puts into the cloud will be sent to the Cloud Service Provider(CSP) and a copy of it is also sent to the Third Party Auditor (TPA) which checks for the correctness of the data. Dynamic audit service is done for verifying the integrity of un-trusted and outsourced storage. Here periodic sampling is done to minimize the computation cost of TPA and storage service provider. The related works carried out by Qian Wang et al [4]. studied that so as to ensure the credibility of the data that is being used during the auditing process a remote integrity checking protocol is used. This protocol is suitable for integrity protection of the data stored in cloud. It supports dynamic operations like insertion, deletion and updation of data. To achieve efficient data dynamic, and to improve the storage by manipulating the classic merkle hash tree for block tag authentication[4]. Further Nandeesh et al [5]. carried out future work on the physical possession of the outsourced data in cloud computing storage creates new security risk. To secure TPA based storage using homomorphic tokens and distributed erasure coded data, which allow to audit the cloud storage with minimum computation cost. To achieve efficient data dynamic operations, we improve the storage on outsourced data including data modification, deletion and updation. To provide redundancy parity vector and guarantees data dependability using erasure-correcting code in the distribution preparation[6]. Mururalikrishnan Ramane et al [7]. studied further about the public auditing schemes are used efficiently in auditing the data stored in cloud, it solves the issue of restricting TPA to access of the data openly. This scheme verifies the metadata rather than actual data which provides secure cloud storage that supports privacy preserving public auditing. Dalia Attas et al [8]. studied further on cloud computing to ensure the integrity of the data stored in the cloud storage, TPA supported with digital signature is used for efficient auditing. This doesn t affect the original data and also audits without demanding local copy of data. Checking is done in the cloud service provider(csp) and TPA. The digital signature first performs hash function using message-digest algorithm(md5)[9]. Compute encryption with private key on the other hand decryption by using public key with hash value containing reverse order of its original data. Considerable research was involved on cloud storage security issues. First of that kind is in [8] proposed by Ateniese et al. [8]which ensures provable data procession. They performed audit on outsourced data using RSA based homomorphic authenticators. One of the schemes proposed by them provides data access to external auditor which may cause security problems. Another security model was proposed by Juels et al. [9]. They used the concept of error correcting codes for proof of irretrievability. The limitation of this solution is that the number of audits is fixed. Moreover this works with only encrypted data. This work was later improved by Bowers et al. [14]. The proof of irretrievability is further studied and improved by Dodi et al. [15]. Afterwards, it is further enhanced with the usage of BLS signatures by Shacham et al. [12]. However, their approaches are not privacy preserving. IJCSIET-ISSUE4-VOLUME2-SERIES1 Page 3

4 In order to ensure secure storage and retrieval in cloud computing Shah et al. [16], [11] introduced TPA (Third Party Auditing). Towards it they encrypted data first and then using pre-computed symmetric keyed hashes for auditing purposes. However, this scheme has limitation as it works only with encrypted files. In the recent literature it is found that researcher focuses on data dynamics besides data security which is stored in cloud. First partially dynamic PDP (Provable Data Procession) scheme was introduced by Ateniese et al. [17]. They achieved it using symmetric cryptography. Similar kind of work was done by Wang et al. [18] with some additional feature known as error localization. In their subsequent work [7], they combined techniques such as MHT and HLS for supporting data dynamics in cloud storage. At the same time Erway et al. [19] proposed a scheme for provable data procession with full data dynamics. Linear combination of blocks was used to verify the integrity of cloud storage. Thus [8] and [12] do not providing privacy preserving data integrity. In other prior works, remote data procession protocol was introduced by Sebe et al. [20]. This protocol has no limitations in integrity verification. Across many servers running in distributed environment, data integrity checking was studied by Schwarz and Miller [21]. In the similar fashion Curtmola et al. [22] made experiments on provable data procession in multiple server replicas. In fact they improved the scheme proposed in [8] in order to scale it to multiple server replicas without the need for encoding each replica separately thus providing guaranteed data integrity. Erasure correcting codes were used by Bowers et al. [23] which is an extended model of proof of irretrievability. All the schemes discussed about provide mechanisms for auditing cloud storage. However, they do not meet the true requirements of the privacy preserving auditing. Moreover they do not support batch auditing. Wang et al. [13] proposed privacy preserving public auditing which supports batch auditing too. cloud data storage service involving three different entities, as illustrated in Fig. 1: the cloud user (U), who has large amount of data files to be stored in the cloud; the cloud server (CS), which is managed by the cloud service provider (CSP) to provide data storage service and has significant storage space and computation resources (we will not differentiate CS and CSP hereafter); the third party auditor (TPA), who has expertise and capabilities that cloud users do not have and is trusted to assess the cloud storage service reliability on behalf of the user upon request. Users rely on the CS for cloud data storage and maintenance. They may also dynamically interact with the CS to access and update their stored data for various application purposes. To save the computation resource as well as the online burden, cloud users may resort to TPA for ensuring the storage integrity of their outsourced data, while hoping to keep their data private from TPA. We consider the existence of a semi-trusted CS as [16] does. Namely, in most of time it behaves properly and does not deviate from the prescribed protocol execution. However, for their own benefits the CS might neglect to keep or deliberately delete rarely accessed data files which belong to ordinary cloud users. Moreover, the CS may decide to hide the data corruptions caused by server hacks or Byzantine failures to maintain reputation. We assume the TPA, who is in the business of auditing, is reliable and independent, and thus has no incentive to collude with either the CS or the users during the auditing process. However, it harms the user if the TPA could learn the outsourced data after the audit. To authorize the CS to respond to the audit delegated to TPA s, the user can sign a certificate granting audit rights to the TPA s public key, and all audits from the TPA are authenticated against such a certificate. These authentication handshakes are omitted IJCSIET-ISSUE4-VOLUME2-SERIES1 Page 4

5 III. Hash message authentication Hash based message authentication code is cryptographic hash function which is all about the concatenation of message and the key and hash them together. It is the method of calculating message authentication code with cryptographic hash function by using secret cryptographic key. The hash algorithm used to generate the authentication code is SHA. The authentication code used to verify the data integrity and authentication of the message using the security key which is necessary for producing the code. The authentication code produced by the normal hash function can be reproduced without any normal constraints. The cryptographic strength of the hash function, the size of the hash output and the size and quality of the key determines the cryptographic strength of HMAC. HMAC doesn t serve the purpose of being a provider of message integrity by itself. It is one of the components in the protocol that provides message integrity. Though the HMAC is not designed to encrypt the message itself it serves as a protection shield for man in the middle attack. HMAC supports hash algorithms like MD5,SHA 1, SHA 256 and etc. Structure of The output of the HMAC is the binary authentication code which equals in the length to that of the hash function digest. The security of the HMAC is directly proportional to the underlying hash function. Hence security of HMAC is said to be weaker if the underlying hash function is MD5 and stronger if the underlying hash function is SHA 512. The threats of the HMAC are said to be forgery and the key recovery attacks, but these threats need large number of message pairs for the analysis. Data integrity being one of the most important feature in the cloud computing. So as to ensure the data integrity message authentication code is used along with the hash function like Secured Hash Algorithm(SHA). The hash function is chose based on speed and security concerns. The SHA generates a separate key using a hash function by passing the original message to the hash function. This process is carried out by both the user and the auditor. The data integrity is verified by comparing the values that are received from the hash function by the user and the auditor. The hash function does the process of condensing arbitrary size message to fixed size by processing the message in blocks through compression function which are either custom or Fig1. Hash message authentication block cipher based[11]. HMAC is a symmetric process which makes use of secret and hash algorithm for the generation of authentication code. The authentication code is the core factor which ensures data integrity and authenticity because a secret key is necessary to reproduce the authentication code. HMAC is used because it ensures the usage of hash functions without any modifications and these hash functions can be used in any software that is widely available. The HMAC provides the advantage of preserving the original performance of the hash function without subjecting it to any degradation. Algorithm Step 1 If the length of K = B: set K0 = K. Go to step 4. IJCSIET-ISSUE4-VOLUME2-SERIES1 Page 5

6 Step 2 If the length of K > B: hash K to obtain an L byte string, then append (B-L) zeros to create a B-byte string K0 (i.e., K0 = H(K) 00 00). Go to step 4. Step 3 If the length of K < B: append zeros to end of K create a B-byte string K0 (e.g., if K is 20 bytes in length and B = 64, then K will be appended with be appended with 44 zero bytes 0x00). Step 4 Exclusive-Or K0 with ipad to produce a B-byte string: K0 ipad. Step 5 Append the stream of data text to to the string resulting from step 4:(ko ipad) Text. Step 6 Apply H to the stream generated in step 5:H((ko ipad) text). Step 7 exclusive-or Ko with opad :ko opad. Step 8 Append the result from step 6 to step 7: (ko opad) H((KO ipad) text). Step 9 Apply H to the result from step 8: H((ko opad) H((ko ipad) text)). Step 10 Select the leftmost t bytes of the result of step 9 as the MAC. IV. Conclusion In this paper the cloud storage, user put their data in the cloud and no longer posses the data locally. One of the key issue is to detect the modification and corruption during the auditing process by TPA. The third party auditing allow to save time and computation resources with reduced online burden of the user. Security for the data stored in cloud during the auditing process can be provided by HMAC along with the homomorphic tokens with erasure coded data. References [1] P. Mell and T. Grance, Draft NIST working definition of cloudcomputing, Referenced on June. 3rd, ting/ index.html. [2] C. Wang, Q. Wang, K.Ren, and W.Lou, Privacy-Preserving Public Auditing for Secure Cloud Storage, in Proc. Of IEEE INFOCOM 10,March [3] Y. Zhu,Z. Hu,Gail-J Ahn, H. Hu,Stephen S. Yau, Fellow, IEEE, Ho G. An, and Shimin Chen, Dynamic Audit Services for Integrity Verification of Outsourced Storages in Clouds,in Proc.of IEEE SAC 11 March [4] Q. Wang, C. Wang, Kui Ren, W.Lou and Jin Li, Enabling Public Auditability and Data Dynamics for Storage Security in Cloud Computing, in IEEE transaction on parallel and distributed system May [5] Nandeesh.B.B, Ganesh Kumar R, Jitendranath Mungara Secure and Dependable Cloud Services for TPA in Cloud Computing International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: , Volume-1, Issue-3, August [6] M. A. Shah, M. Baker, J. C. Mogul, and R. Swaminathan, Auditing to keep online storage service honest, in Proc. Of HotOS 07, CA, USA: USENIX Association, 2007, pp.1-6. [7] Muralikrishnan Ramane and Bharath Elangovan, A Metadata Verification Scheme for Data Auditing in Cloud Environment, International Journal on Cloud Computing: Services and Architecture(IJCCSA), Vol.2, no.4, August [8] Dalia Attas and Omar Batrafi Efficient integrity checking technique for securing client data in cloud computing, October [9] S. Balakrishnan, G. Saranya, S. Shobana, S. karthikeyan, Introducing Effective Third Party Auditing(TPA) for Data Storage in Cloud IJCST Vol. 2, Issue 2, June [10] Cryptography and Network Security Chapter 12 Hash Algorithms. es/csc736/notes/lecture12.pdf IJCSIET-ISSUE4-VOLUME2-SERIES1 Page 6

7 [11] DSA, Hash functions and HMACs spring-2008-cs442/slides/lecture6.pdf. [12] H. Shacham and B. Waters, Compact proofs of retrievability, inproc. of Asiacrypt, vol. 5350, Dec 2008, pp [13] Cong Wang, Student Member, IEEE, Sherman S.M. Chow, Qian Wang, Student Member, IEEE,Kui Ren, Senior Member, IEEE, and Wenjing Lou, Senior Member, IEEE, Privacy- Preserving Public Auditing for Secure Cloud Storage, IEEE TRANSACTIONS ON COMPUTERS, [14] K. D. Bowers, A. Juels, and A. Oprea, Proofs of retrievability:theory and implementation, in Proc. of ACM workshop on CloudComputing security (CCSW 09), 2009, pp [15] Y. Dodis, S. P. Vadhan, and D. Wichs, Proofs of retrievability viahardness amplification, in TCC, 2009, pp [16] M. A. Shah, M. Baker, J. C. Mogul, and R. Swaminathan, Auditing to keep online storage services honest, in Proc. of HotOS 07,2007, pp [17] G. Ateniese, R. D. Pietro, L. V. Mancini, and G. Tsudik, Scalable and efficient provable data possession, in Proc. of SecureComm 08,2008, pp [18] C. Wang, Q. Wang, K. Ren, and W. Lou, Towards secure and dependablestorage services in cloud computing, IEEE Transactionson Service Computing, 2011, to appear. [19] C. Erway, A. Kupcu, C. Papamanthou, and R. Tamassia, Dynamic provable data possession, in Proc. of CCS 09, 2009, pp [20] F. Sebe, J. Domingo-Ferrer, A. Mart ınez- Balleste, Y. Deswarte, andj.-j. Quisquater, Efficient remote data possession checking in critical information infrastructures, IEEE Transactions on Knowledge and Data Engineering, vol. 20, no. 8, pp , August IJCSIET-ISSUE4-VOLUME2-SERIES1 Page 7