Public Auditing For Shared Data with Symposium on Security in the Cloud

Transcription

1 DOI / ISSN IJESC Research Article October 2015 Issue Public Auditing For Shared Data with Symposium on Security in the Cloud M. SUBHA, M.Sc, M.Phil, M.CA (Phd) 1, R.NIRMALA M.C.A. 2 Asst Professor 1, M, Phil (Full Time) Research. Scholar 2 Department of CS Kaamadhenu Arts & Science College, Sathyamangalam, Tamil Nadu, India Abstract With data storage and sharing services in the cloud, useran easily modify and share data as a group. To ensure shared data integrity can be verified publicly, users in the group need to compute signatures on all the blocks in shared data. Different blocks in shared data are generally signed by different users due to data modifications performed by different users. For security reasons, once a user is revoked from the group, the blocks which were previously signed by this revoked user must be re-signed by an existing user. The straightforward method, which allows an existing user to download the corresponding part of shared data and re-sign it during user revocation, is inefficient due to the large size of shared data in the cloud. In this paper, we propose a novel public auditing mechanism for the integrity of shared data with efficient user revocation in mind. By utilizing the idea of proxy re-signatures, we allow the cloud to re-sign blocks on behalf of existing users during user revocation, so that existing users do not need to download and re-sign blocks by themselves. In addition, a public verifier is always able to audit the integrity of shared data without retrieving the entire data from the cloud, even if some part of shared data has been re-signed by the cloud. Moreover, our mechanism is able to support batch auditing by verifying multiple auditing tasks simultaneously. Experimental results show that our mechanism can significantly improve the efficiency of user revocation Introduction With data storage and sharing services (such as Drop box and Google Drive) provided by the cloud, people can easily work together as a group by sharing data with each other. More specifically, once a user creates shared data in the cloud, every user in the group is able to not only access and modify shared data, but also share the latest version of the shared data with the rest of the group. Although cloud providers promise a more secure and reliable environment to the users, the integrity of data in the cloud may still be compromised, due to the existence of hardware/software failures and human errors [2] G. Ateniese, [3]. H. Shacham To protect the integrity of data in the cloud, a number of mechanisms [3] H. Shacham [15] (HIPPA)have been proposed. In these mechanisms, a signature is attached to each block in data, and the integrity of data relies on the correctness of all the signatures. One of the most significant and common features of these mechanisms is to allow a public verifier to efficiently check data integrity in the cloud without downloading the entire data, referred to as public auditing (or denoted as Provable Data Pos-session [3]) H. Shacham. This public verifier could be a client who would like to utilize cloud data for particular purposes (e.g., search, computation, data mining, etc.) or a third-party auditor (TPA) who is able to provide verification services on data integrity to users. Most of the previous works [3] H. Shacham [13] H. Shacham and B. Waters,focus on auditing the integrity of personal data. Different from these works, several recent works [14] M. A. Shah, M. Baker, J. C. Mogul, and R. Swaminathan, [15] (HIPPA) focus on how to preserve identity privacy from public verifiers when auditing the integrity of shared data. Unfortunately, none of the above mechanismonsiders the efficiency of user revocation when auditing the correctness of shared data in the cloud. With shared data, once a user modifies a block, she also needs to compute a new signature for the modified block. Due to the modifications from different users, dif-ferent blocks are signed by different users. For security reasons, when a user leaves the group or misbehaves, this user must be revoked from the group. As a result, this revoked user should no longer be able to access and modify shared data, and the signatures generated by this revoked user are no longer valid to the group [16] S. Yu, C. Wang, K. Ren, and W. Lou. Therefore, although the content of shared data is not changed during user revocation, the blocks, which were previously signed by the revoked user, still need to be resigned by an existing user in the group. As a result, the integrity of the entire data can still be verified with the public keys of existing users only. PROBLEM STATEMENT State of the Problem As illustrated in the system model in this paper includes three entities: the cloud, the public verifier, and users (who share data as a group). The cloud offers data storage and sharing services to the group. The public verifier, such as a client who would like to utilize cloud data for particular purposes (e.g., search, computation, data mining, etc.) [6] C. Wang, Q. Wang, K. Ren, and W. Lou, or a third-party auditor (TPA) who can provide verification services on data integrity aims to check the integrity of shared data via a

2 challenge-and-response protocol with the cloud. In the group, there is one original user and a number of group users. The original user is the original owner of data. This original user creates and shares data with other users in the group through the cloud. Both the original user and group users are able to access, download and modify shared data. Shared data is divided into a number of blocks. A user in the group can modify a block in shared data by performing an insert, delete or update operation on the block. In this work, we assume the cloud itself is semi-trusted, which means it follows protocols and does not pollute data integrity actively as a malicious adversary, but it may lie to verifiers about the incorrectness of shared data in order to save the reputation of its data services and avoid losing money on its data services. In addition, [12] Security guidance for critical areas of focus in cloud computing, 2009,-[20] C. Wang, Q. Wang, K. Ren, and W. Lou, we also assume there is no collusion between the cloud and any user during the design of our mechanism. Generally, the incorrectness of share data under the above semi-trusted model can be introduced by hardware/software failures or human errors happened in the cloud. Con-side ring these factors, users do not fully trust the cloud with the integrity of shared data.. Related Work The system model includes the cloud, the public verifier, and users. Cloud Servers allowentralizing all the business data and applications into a single cloud server environment. By utilizing the Remote Desktop services on a cloud server, one can allow staff to access their desktop, data and applications from anywhere at any time. Cloud servers eliminate the need for in-house server equipment and network infrastructure, so one can save on IT service costs and take care of critical offsite data protection all at the same time. Remote Desktop Cloud Serveran turn the old outdated PC into a powerful remote computing environment providing access to all the latest Microsoft Office software and business applications if there is a stable internet connection. Cloud servers are fully scalable so the possibilities are up to the user. Cloud storage is a model of data storage where the digital data is stored in logical pools, the physical storage spans multiple servers (and often locations), and the physical environment is typically owned and managed by a hosting company.[11] A. Juels and J. Burton S. Kaliski, These cloud storage providers are responsible for keeping the data available and accessible, and the physical environment protected and running. People and organizations buy or lease storage capacity from the providers to store end user, organization, or application data. Cloud storage services may be accessed through a colocated cloud compute service, a web service application programming interface (API) or by applications that utilize the API, such aloud desktop storage, a cloud storage gateway or Web-based content management systems Objective: Cloud Server The introduction of third party auditing in cloud computing reduces the burden of the users to check the integrity of the data stored in the cloud. In cloud computing, the outsourced data are not only accessed but also updated frequently by users for various application purposes. Thus supporting data dynamic operations in cloud including block level operations of modification, deletion and insertion is of vital importance. In this paper, we propose a new idea to support data dynamics by using the fractal tree representation along with privacy preserving public auditing protocol. We first identify the difficulties and security problems associated with the schemes used in prior works and then implement a new scheme for providing dynamic operations. Study of work: To fully ensure the data integrity and save the cloud useromputation resources as well as online burden, it is of critical importance to enable public auditing service for cloud data storage, so that users may resort to an independent third party auditor (TPA) to audit the outsourced data when needed. The TPA, who has expertise and capabilities that users do not, can periodically check the integrity of all the data stored in the cloud on behalf of the users,[8] B. Wang, B. Li, and H. Li, -[10] B. Wang, B. Li, and H. Li, which provides a much more easier and affordable way for the users to ensure their storage correctness in the cloud. Moreover, in addition to help users to evaluate the risk of their subscribed cloud data services, the audit result from TPA would also be beneficial for the cloud service

3 providers to improve their cloud based service platform, and even serve for independent arbitration purposes. In a word, enabling public auditing services will play an important role for this nascent cloud economy to become fully established; where users will need ways to assess risk and gain trust in the cloud. Algorithm K Star Classifier K Star is a memory-based classifier that is the class of a test instance is based upon the class of those training instances similar to it, as determined by some similarity function. The use of entropy as a distance measure has several benefits. Amongst other things it provides a consistent approach to handling of symbolic attributes, real valued attributes and missing values. K* is an instance-based learner which uses such a measure [6] C. Wang, Q. Wang, K. Ren, and W. Lou, The K* function is then defined as: K* is not strictly a distance function. For example, K*(a a) is in general non-zero and the function (as emphasized by the notation) is not symmetric. Although possibly counterintuitive the lack of these properties does not interfere with the development of the K* algorithm below. The following properties are provable: System Architecture Specification of K* Let I be a (possibly infinite) set of instances and T a finite set of transformations on I. Each t T maps instances to instances: t: I I. T contains a distinguished member σ (the stop symbol) which for completeness maps instances to themselves (σ(a) = a). Let P be the set of all prefix codes from T* which are terminated by σ. Members of T* (and so of P) uniquely define a transformation on I: t(a) = tn (tn-1 (... t1(a)...)) where t = t1,...tn A probability function p is defined on T*. It satisfies the following properties: As a consequence it satisfies the following: ( 1 ( The probability function P* is defined as the probability of all paths from instance a to instance b : t is easily proven that P* satisfies the following properties: Model Description ( HAPS: Construction ) Because traditional proxy re-signature schemes are not blockless verifiable, if we directly apply these proxy resignature schemes in the public auditing mechanism, then a verifier has to ( download the entire data to check data integrity[16] S. 4 Yu, C. Wang, K. Ren, and W. Lou which

4 will significantly reduce the efficiency of auditing. Therefore, we first propose a homomorphic authenticable proxy re-signature (HAPS) scheme, which is able to satisfy blockless verifiability and non-malleability. Our proxy resignature scheme includes five algorithms: KeyGen, ReKey, Sign, ReSign and Verify. Scheme Details: Let G 1 and G 2 be two groups of order p, g be a generator of G 1, e : G 1 G 1 G 2 be a bilinear map, w be a random element of G 1. The global parameters are (e, p, G 1, G 2, g, w, H), where H is a hash function with H : {0, 1} G 1. KeyGen. Given global parameters (e, p, G 1, G 2, g, w, H), a user u A selects a random a Z p, and outputs his/her public key pk A = g a and private key sk A = a. ReKey. The proxy generates a re-signing key rk A B as follows: (1) the proxy generates a random r Z p and sends it to user u A ; (2) user u A computes and sends r/a to user u B, where sk A = a; (3) user u B calculates and sends rb/a to the proxy, where sk B = b; (4) the proxy recovers rk A B = b/a Z p. (We assume that private and authenticated channels exist between each pair of entities, and there is no collusion.) Sign. Given private key sk A = a, block m Z p and block identifier id, user u A outputs the signature on block m as: σ = (H(id)w m ) a G 1. (1) ReSign. Given re-signing key rk A B, public key pk A, signature σ, block m Z p and block identifier id, the proxy? checks that Verify(pk A, m, id, σ) = 1. If the verification result is 0, the proxy outputs ; otherwise, it outputs σ = σ rka B = (H(id)w m ) a b/a = (H(id)w m ) b G 1. (2) Verify. Given public key pk A, block m, block identifier id, and signature σ, a verifier outputs 1 if and 0 otherwise. HAPS: Security Analysis e(σ, g) = e(h(id)w m, pk A ), (3) We now prove the correctness of the above proxy re-signature scheme. Based on the properties of bilinear maps, we have e(σ, g) = e((h(id)w m ) a, g) = e(h(id)w m, pk A ). Then, we wish to show that our proxy re-signature scheme is unforgeable and homomorphic authenticable. Theorem 1: It iomputational infeasible to generate a forgery of a signature under HAPS. Proof: Following the standard security model defined in the previous proxy re-signature scheme we show that our proxy re-signature scheme is able to resist forgery. The security of HAPS includes two aspects: external security and internal security. [18] A. L. Ferrara, M. Greeny, S. Hohenberger, External security means an external adversary cannot generate a forgery of a signature; internal security means that the proxy cannot use its re-signature keys to sign on behalf of honest users. The logic of this proof is that if an external or internal adversary is able to generate a forgery of a signature under HAPS, then we could find an algorithm to solve the CDH problem, which however should be computational infeasible to solve under the CDH assumption. External Security: An external adversary cannot generate a forgery of a signature. We show that if a (t, ǫ )-algorithm A, operated by an external adversary, can generate a forgery of a signature under HAPS after making at most q H hash queries, at most q S signing queries, at most q R re-signing queries, and requesting q K public keys, then there exists a (t, ǫ)-algorithm B that can solve the CDH problem in G 1 with t t + q H c G1 + q S c G1 + 2q R c P and ǫ ǫ /q H q K, where one exponentiation on G 1 takes time c G1 and one pairing operation takes time c P. On input (g, g a, g b ), the CDH algorithm B simulates a proxy re-signature external security game for algorithm A as described in Due to space limitations, we omit the details of the external security game in this paper, further details of this proof can be found in our technical report Internal Security: The proxy cannot use its re-signature keys to sign on behalf of honest users. We now prove that, if a (t, ǫ )-algorithm A, operated by the proxy, can generate a forgery of a signature after making at most q H hash queries and q S signing queries, then there exists a (t, ǫ)- algorithm B that can solve the CDH problem in G 1 with t t + q H c G1 + q S c G1 and ǫ ǫ /q H q K. On input (g, g a, g b ), the CDH algorithm B simulates a proxy re-signature internal security game for algorithm A as illustrated in Due to space limitations, we omit the details of the internal security game in this paper, further details of this proof can be found in our technical report Because under the external or internal security game, if a forgery of a signature can be generated, then we can find an algorithm to solve the CDH problem in G 1, which contradicts to the assumption that the CDH problem is computational infeasible in G 1. Therefore, it is computational infeasible to generate a forgery of a signature under HAPS. Privacy-Security Public Auditing Scheme To achieve privacy-preserving public au-diting, we propose to uniquely integrate the homo-morphic linear authenticator with random masking technique. In our protocol, the linear combination of sampled blocks in the server s response is masked with randomness generated the server. With random

5 masking, the TPA no longer has all the necessary information to build up a correct group of linear equations and therefore cannot derive the user s data content, [5] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou,-[16] S. Yu, C. Wang, K. Ren, and W. Lou, no matter how many linear combinations of the same set of file blockan be collected. On the other hand, the correctness validation of the block-authenticator pairan still be carried out in a new way which will be shown shortly, even with the presence of the randomness. Our design makes use of a public key based HLA, to equip the auditing protocol with public auditability. Specifically, we use the HLA proposed in, which is based on the short signature scheme proposed by Boneh, Lynn and Shacham (hereinafter referred as BLS signature) Support for Batch Auditing Efficiency Improvement. As shown in Equation 2, batch auditing not only allows TPA to perform the multiple auditing tasks simultaneously, [11] A. Juels and J. Burton S. Kaliski, but also greatly reduces the computation cost on the TPA side. This is because aggregating K verification equations into one helps reduce the number of relatively expensive pairing operations from 2K, as required in the individual auditing, to K + 1. Thus, a considerable amount of auditing time is expected to be saved. Identification of Invalid Responses. The verification equation (Equation 2) only holds when all the responses are valid, and fails with high probability when there is even one single invalid response in the batch auditing, as we will show in Section 4. In many situations, a response collection may contain invalid responses, especially {µ k } 1 k K, caused by accidental data corruption, or possibly malicious activity by a cloud server. The ratio of invalid responses to the valid could be quite small, and yet a standard batch auditor will reject the entire collection. To further sort out these invalid responses in the batch auditing, we can utilize a recursive divide-and-conquer approach (binary search), as suggested by Specifically, if the batch auditing fails, we can simply divide the collection of responses into two halves, and recurse the auditing on halves via Equation 2. TPA may now require the server to send back all the {R k } 1 k K, as in individual auditing. we show through carefully designed experiment that using this recursive binary search approach, even if up to 18% of responses are invalid, batch auditing still performs faster than individual verification. Security Analysis We evaluate the security of the proposed scheme by analyzing its fulfillment of the security guarantee de-scribed, namely, the storage correctness and privacy-preserving property. We start from the single user case, where our main result is originated. Then we show the security guarantee of batch audit-ing for the TPA in multi-user setting [20] C. Wang, Q. Wang, K. Ren, and W. Lou Storage Correctness Guarantee We need to prove that the cloud server cannot gen-erate valid response for the TPA without faithfully storing the data, aaptured by Theorem 1. Theorem 1: If the cloud server passes the Audit phase, then it must indeed possess the specified data intact as it is. Proof: The proof consists of two steps. First, we show that there exists an extractor of µ in the random oracle model. Once a valid response {σ, µ } are ob-tained, the correctness of this statement follows from Theorem Now, the cloud server is treated as an adversary. The extractor controls the random oracle h( ) and answers the hash query issued by the cloud server. For a challenge γ = h(r) returned by the extractor, the cloud server outputs {σ, µ, R} such that the following equation holds.[19] R e(σ γ, g) = e((h (W i ) νi ) γ u µ, v). (3) Suppose that an extractor can rewind a cloud server in the protocol to the point just before the challenge h(r) is given. Now the extractor sets h(r) to be γ =6 γ. The cloud server outputs {σ, µ, R} such that the following equation holds. R e(σ γ, g) = e((h (W i ) νi ) γ u µ, v). (4) The extractor then obtains {σ, µ = (µ µ )/(γ γ )} as a valid response of the underlying proof of storage system [13]. To see, recall that σ i = (H (W i ) u mi ) x, divide (3) by (4), we have e(σ γ γ, g) = e(( H (Wi ) νi ) γ γ u µ µ, v) e(σ γ γ, g) = e(( H (W i ) νi ) γ γ, g x )e(u µ µ, g x ) multi-user setting is very similar to that of Theorem 2, σγ γ = ( H (Wi ) νi ) x(γ γ ) u x(µ µ ) ν i γ γ x(γ γ ) ( σ ) = ( H (W i ) ) u I ν i

6 ux(µ µ ) ux(µ µ ) = ( (σ i /H (W i ) x ) νi ) γ γ = ( (uxmi ) νi ) γ γ Computing, Communications of the ACM, vol. 53, no. 4, pp , Apirl [2] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, Provable Data Possession at Untrusted Stores, in the Proceedings of ACM CCS 2007, 2007, pp µ µ = ( m i ν i ) (γ γ ) ( m i ν i ) = (µ µ )/(γ γ ). Feature work: Homomorphism authenticators are enforceable verification metadata generated from individual data blocks, which can be securely aggregated in such a way to assure an auditor that a linear combination of data blocks iorrectly computed by verifying only the aggregated authenticator.[17] D. Boneh, B. Lynn, and H. Shacham, Overview to achieve privacy-preserving public auditing, we propose to uniquely integrate the homomorphism authenticator with random mask technique. In our protocol, the linear combination of sampled blocks in the server s response is masked with randomness generated by a pseudo random function (PRF). CONCLUSION In this paper, we propose a privacy-preserving public auditing system for data storage security in Cloud Computing. We utilize the homomorphic linear authenticator and random masking to guarantee that the TPA would not learn any knowledge about the data content stored on the cloud server during the ef-ficient auditing process, which not only eliminates the burden of cloud user from the tedious and possibly expensive auditing task, but also alleviates the users fear of their outsourced data leakage. Considering TPA may concurrently handle multiple audit sessions from different users for their outsourced data files, we further extend our privacypreserving public auditing protocol into a multi-user setting, where the TPA can perform multiple auditing tasks in a batch manner for better efficiency. Extensive analysis shows that our schemes are provably secure and highly efficient When a user in the group is revoked, we allow the cloud to re-sign blocks that were signed by the revoked user with proxy re-signatures. Experimental results show that the cloud can improve the efficiency of user revocation, and existing users in the group can save a significant amount of computation and communication resources during user revocation. REFERENCES [1] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Kon-winski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, A View of Cloud [3] H. Shacham and B. Waters, Compact Proofs of Retrievability, in the Proceedings of ASIACRYPT Springer-Verlag, 2008, pp [4] C. Wang, Q. Wang, K. Ren, and W. Lou, Ensuring Data Storage Security in Cloud Computing, in the Proceedings of ACM/IEEE IWQoS 2009, 2009, pp [5] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, Enabling Public Veri-fiability and Data Dynamic for Storage Security in Cloud Computing, in the Proceedings of ESORICS Springer-Verlag, 2009, pp [6] C. Wang, Q. Wang, K. Ren, and W. Lou, Privacy- Preserving Public Auditing for Data Storage Security in Cloud Computing, in the Pro-ceedings of IEEE INFOCOM 2010, 2010, pp [7] Y. Zhu, H. Wang, Z. Hu, G.-J. Ahn, H. Hu, and S. S. Yau, Dynamic Audit Services for Integrity Verification of Outsourced Storage in Clouds, in the Proceedings of ACM SAC 2011, 2011, pp [8] B. Wang, B. Li, and H. Li, Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud, in the Proceedings of IEEE Cloud 2012, 2012, pp [9] N. Cao, S. Yu, Z. Yang, W. Lou, and Y. T. Hou, LT Codes-based Secure and Reliable Cloud Storage Service, in the Proceedings of IEEE INFOCOM 2012, 2012, pp [10] B. Wang, B. Li, and H. Li, Knox: Privacy-Preserving Auditing for Shared Data with Large Groups in the Cloud, in the Proceedings of ACNS 2012, June 2012, pp [11]A. Juels and J. Burton S. Kaliski, Pors: Proofs of retrievability for large files, in Proc. of CCS 07, Alexandria, VA, October 2007, pp [12] Cloud Security Alliance, Security guidance for critical areas of focus in cloud computing, 2009, cloudsecurityalliance.org. [13] H. Shacham and B. Waters, Compact proofs of retrievability, in Proc. of Asiacrypt 2008, vol. 5350, Dec 2008, pp

7 [14] M. A. Shah, M. Baker, J. C. Mogul, and R. Swaminathan, Auditing to keep online storage services honest, in Proc. of HotOS 07. Berkeley, CA, USA: USENIX Association, 2007, pp [15] 104th United States Congress, Health Insurance Portability and Accountability Act of 1996 (HIPPA), Online at aspe.hhs.gov/admnsimp/pl htm, [16] S. Yu, C. Wang, K. Ren, and W. Lou, Achieving secure, scalable, and fine-grained accesontrol in cloud computing, in Proc. of IEEE INFOCOM 10, San Diego, CA, USA, March [17] D. Boneh, B. Lynn, and H. Shacham, Short signatures from the Weil pairing, J. Cryptology, vol. 17, no. 4, qq. pp , [18] A. L. Ferrara, M. Greeny, S. Hohenberger, and M. Pedersen, Practical short signature batch verification, in Proceedings of CT-RSA, volume 5473 of LNCS. Springer-Verlag, 2009, pp [19] G. Ateniese, R. D. Pietro, L. V. Mancini, and G. Tsudik, Scalable and efficient provable data possession, in Proc. of SecureComm 08, 2008, pp [20] C. Wang, Q. Wang, K. Ren, and W. Lou, Ensuring data storage security in cloud computing, in Proc. of IWQoS 09, July 2009, pp