Integrity Verification In Multiple Cloud Storage Using Cooperative PDP Method

Transcription

1 Integrity Verification In Multiple Cloud Storage Using Cooperative PDP Method * Usha Sundari Dara 1 M. Swetha Chandra 2 1PG Student (M. Tech) Dept. of CSE, TRR College of Engineering, Hyderabad, AP, India 2Assistant Professor, Dept. of CSE, TRR College of Engineering, Hyderabad, AP, India Abstract: In this paper we propose Provable data possession (PDP), a probabilistic proof method for CSPs to prove the data integrity without downloading the whole data. In recent years, cloud computing has rapidly expanded as an alternative to conventional computing model since it can provide a flexible, dynamic, resilient and cost effective infrastructure. When multiple internal and/or external cloud services are incorporated, we can get a distributed cloud environment, i.e., multicloud. Multicloud is the extension of hybrid cloud. When multicloud is used to store the clients data, the distributed cloud storage platforms are indispensable for the clients data management. Of course, multicloud storage platform is also more vulnerable to security attacks. In this Paper, We prove the security of our scheme based on multi-prover zero-knowledge proof system, which can satisfy completeness, knowledge soundness, and zero-knowledge properties and we also present the performance optimization mechanisms for our scheme. Keywords: Interactive Protocol, Zero-knowledge, Multiple Cloud, Cooperative, Integrity Verification, Multi-Prover, cloud service providers. 1. Introduction Cloud computing has become a faster profit growth point in recent years by providing a comparably low-cost, scalable, position-independent platform for clients' data. Although commercial cloud services have revolved around public clouds, the growing interest of building private cloud on open-source cloud computing tools forces local users to have a flexible and agile private infrastructure to run service workloads within their administrative domains. Private clouds are not exclusive for being public clouds, and they can also support a hybrid cloud model by supplementing a local infrastructure with computing capacity from an external public cloud. By using virtual infrastructure management (VIM) [1], a hybrid cloud can allow remote access to its resources over the Internet via remote interfaces, such as the Web services interfaces that Amazon EC2 uses. In recent years, cloud storage service has become a faster profit growth point by providing a comparably low-cost, scalable, position-independent platform for clients data. Since cloud computing environment is constructed based on ISSN: Page 4272

2 open architectures and interfaces, it has the capability to incorporate multiple internal and/or external cloud services together to provide high interoperability. Such a distributed cloud environment is called as a multi-cloud (or hybrid cloud). Often, by using virtual infrastructure management (VIM), a multi-cloud allows clients to easily access his/her resources remotely through interfaces such as Web services provided by Amazon EC2. There exist various tools and technologies for multi cloud, such as Platform VM Orchestrator, VMware vsphere, and Ovirt. These tools help cloud providers construct a distributed cloud storage platform (DCSP) for managing clients data. However, if such an important platform is vulnerable to security attacks, it would bring irretrievable losses to the clients. For example, the confidential data in an enterprise may be illegally accessed through a remote interface provided by a multi-cloud, or relevant data and archives may be lost or tampered with when they are stored into an uncertain storage pool outside the enterprise. Therefore, it is indispensable for cloud service providers (CSPs) to provide security techniques for managing their storage services. Provable data possession (PDP) (or proofs of retrievability (POR)) is such a probabilistic proof technique for a storage provider to prove the integrity and ownership of clients data without downloading data. The proof-checking without downloading makes it especially important for large-size files and folders (typically including many clients files) to check whether these data have been tampered with or deleted without downloading the latest version of data. Thus, it is able to replace traditional hash and signature functions in storage outsourcing. Various PDP schemes have been recently proposed, such as Scalable PDP and Dynamic PDP. However, these schemes mainly focus on PDP issues at un-trusted servers in a single cloud storage provider and are not suitable for a multi-cloud environment. With the growing popularity of clouds, the tools and technologies for hybrid clouds are emerging recently, such as the platform VM Orchestrator, VMware vsphere, and Ovirt. They help users construct a comparably low-cost, scalable, location-independent platform for managing clients' data. However, if such an important platform is vulnerable to security attacks, it would bring irretrievable losses to the clients, for example, the confidential data in an enterprise may be illegally accessed by using remote interfaces, or the relevant data and archives are lost or tampered with when they are stored into an uncertain storage pool outside the enterprise. Therefore, it is indispensable for cloud service providers (CSP s) to provide secure management techniques to ensure their storage services. ISSN: Page 4273

3 There exist various tools and technologies for multi cloud, such as Platform VM Orchestrator, VMwarevSphere, and Ovirt. These tools help cloud providers construct a distributed cloud storage platform for managing clients data. However, if such an important platform is vulnerable to security attacks, it would bring irretrievable losses to the clients. For example, the confidential data in an enterprise may be illegally accessed through a remote interface provided by a multi-cloud, or relevant data and archives may be lost or tampered with when they are stored into an uncertain storage pool outside the enterprise. Therefore, it is indispensable for cloud service providers to provide security techniques for managing their storage services. To check the availability and integrity of outsourced data in cloud storages, researchers have proposed two basic approaches called Provable Data Possession and Proofs of Retrievability. Ateniese et al. first proposed the PDP model for ensuring possession of files on un-trusted storages and provided an RSA-based scheme for a static case that achieves the communication cost. They also proposed a publicly verifiable version, which allows anyone, not just the owner, to challenge the server for data possession. They proposed a lightweight PDP scheme based on cryptographic hash function and symmetric key encryption, but the servers can deceive the owners by using previous metadata or responses due to the lack of randomness in the challenges. The numbers of updates and challenges are limited and fixed in advance and users cannot perform block insertions anywhere. 2. Architecture of proposed Multi- Cloud for Data Integrity Although existing PDP schemes offer a publicly accessible remote interface for checking and managing the tremendous amount of data, the majority of existing PDP schemes are incapable to satisfy the inherent requirements from multiple clouds in terms of communication and computation costs. To address this problem, we consider a multi-cloud storage service as illustrated in Figure 1. In this architecture, a data storage service involves three different entities: Clients who have a large amount of data to be stored in multiple clouds and have the permissions to access and manipulate stored data; Cloud Service Providers (CSPs) who work together to provide data storage services and have enough storages and computation resources; and Trusted Third Party (TTP) who is trusted to store verification parameters and offer public query services for these parameters. ISSN: Page 4274

4 Figure 1 Architecture for data integrity Model. In this architecture, we consider the existence of multiple CSPs to cooperatively store and maintain the clients data. Moreover, a cooperative PDP is used to verify the integrity and availability of their stored data in all CSPs. The verification procedure is described as follows: Firstly, a client (data owner) uses the secret key to pre-process a file which consists of a collection of n blocks, generates a set of public verification information that is stored in TTP, transmits the file and some verification tags to CSPs, and may delete its local copy; Then, by using a verification protocol, the clients can issue a challenge for one CSP to check the integrity and availability of outsourced data with respect to public information stored in TTP. In hybrid clouds, a collaborative work model provides some mutual channels among individual clouds. This kind of channels will no doubt increase the possibility of malicious attacks. For example, existing PDP schemes could provide an efficient integrity checking for outsourced data, however, most of these schemes ignore the problem of information leakage among the interactive processes. Thus, as a public verification service without a strong security mechanism for data protection, a malicious attacker could easily exploit such a service to obtain private data. This attack is extremely dangerous to the confidential data of an enterprise. Even though existing PDP schemes have addressed various aspects such as public verifiability [2], dynamics [4], scalability [3], and privacy preservation [10], we still need a careful consideration to the following attacks, which are more easily compromise the security of storage services in hybrid environments than those in public clouds. Data leakage attack: Through the interfaces of public clouds, various applications in hybrid clouds are allowed to access data in private clouds, so a PDP service (considered as a Daemon) undoubtedly provides a covert channel to access the secret data in private clouds. Therefore, if a PDP scheme cannot resist against the data leakage attacks, an adversary can easily obtain the entire data through the interactive proof process. For instance, Attack I and Attack 3 described in Appendix A and B demonstrates that a verifier can get the stored data after running or wiretapping sufficient verification communications. It is obvious that such an attack could significantly impact the privacy of outsourced data in clouds. Tag forgery attack: In hybrid clouds, an untrusted CSP has more opportunities ISSN: Page 4275

5 to induce a forgery attack, in which the CSP can cheat a verifier by generating a valid tag for the tampered data. For example, Attack 2 and Attack 4 given in Appendix A and B shows that a successful forgery attack can occur only if one of the following cases is happened: Clients modify data blocks in a file; Clients insert and delete blocks repeatedly in a file; Clients reuse the same file name to store multiple different files. Some security mechanisms, such as client-side encryption and access control, can be implemented in clouds to enhance the security of existing PDP schemes, but they will undoubtedly increase the computation and communication overheads of PDP services. In summary, it is essential to develop an efficient verification method for the data security in hybrid cloud environments. Furthermore, from the above-mentioned challenges, our objectives for checking integrity of outsourced data in hybrid clouds are as follows: Security aspect: Our scheme should provide adequate security features to resist some existing attacks, such as data leakage attack and tag forgery attack; Usability aspect: In the way of collaboration, a client should make use of the integrity check via a cloud service provider. Our scheme should conceal the details of the storage to reduce the burden on clients; and Performance aspect: Our scheme should have a higher performance for anomaly detection and only introduce lower communication and computation overheads. 3. Frame Work and Main Architecture Although PDP schemes evolved around public clouds offer a publicly accessible remote interface to check and manage the tremendous amount of data, the majority of today's PDP schemes is incapable of satisfying such an inherent requirement of hybrid clouds in terms of bandwidth and time. To solve this problem, we consider a hybrid cloud storage service as illustrated in Figure 2. In this architecture, we consider a data storage service involving three different entities: Granted clients, who have a large amount of data to be stored in hybrid clouds and have the permissions to access and manipulate these stored data; Cloud service providers (CSP s), who work together to provide data storage services and have enough storage space and computation resources; and Trusted third parties (TTP s), who are trusted to store the verification parameters and offer the query services for these parameters. Figure 2 Architectural Verification for data integrity in hybrid clouds ISSN: Page 4276

6 To support this architecture, a cloud storage provider also needs to add corresponding modules to implement collaborative PDP services. For example, OpenNebula is an open source, virtual infrastructure manager that integrated with multiple virtual machine managers, transfer managers, and external cloud providers. In Figure 3, we describe such a cloud computing platform based on OpenNebula architecture [1], in which a service module of collaborative PDP is added into cloud computing management platform (CCMP). This module is able to response the PDP requests of TTP through cloud interfaces. In addition, a hash index hierarchy (HIH), which is described in details in Section III-C, is used to provide a uniform and homogeneous view of virtualized resources in virtualization components. For the sake of clarity, we use yellow color to indicate the changes from original OpenNebula architecture. In this architecture, we consider the existence of multiple CSP s to collaboratively store and maintain the clients' data. Moreover, a collaborative PDP is used to verify the integrity and availability of their stored data in CSP s. The verification flowchart is described as follows: Firstly, the client (data owner) uses the secret key to pre-processes the file, which consists of a collection of n blocks, generates a set of public verification information that is stored in TTP, transmits the file and some verification tags to CSP s, and may delete its local copy; At a later time, by using a verification protocol for collaborative PDP, the clients can issue a challenge for one CSP to check the integrity and availability of outsourcing data in terms of public verification information stored in TTP. Figure 3 Cloud computing platform for CPDP service based on OpenNebula Signal n s t c Q θ Table 1 Signal Representation Representation No. of blocks in a file No. of Sectors in each block No. of index coefficients in a query No of clouds to store in a file Set of index coefficients pairs The response for a challenge Q A representative architecture for data storage in hybrid clouds is illustrated as follows: this architecture is a hierarchical structure 1l on three layers to represent the relationship among all blocks for stored resources. This kind of architecture is a nature representation of file storage. We make use of this simple hierarchy to organize multiple CSP services, which involves private clouds or public clouds, by shading the differences between these ISSN: Page 4277

7 clouds. In this architecture, the resources in Express Layer are split and stored into three CSP s, that have different colors, in Service Layer. In turn, each CSP fragments and stores the assigned data into the storage servers in Storage Layer. We also make use of colors to distinguish different CSP s. Moreover, we follow the logical order of the data blocks to organize the Storage Layer. This architecture could provide some special functions for data storage and management. For example, there may exist overlap among data blocks (as shown in dashed line) and skipping (as shown on a non-continuous color). But these functions would increase the complexity of storage management. Def: A response is called homomorphic verifiable response in PDP protocol, if given two responses ei and ej for two challenges Qi and Qj from two CSPs, there exists an efficient algorithm to combine them into a response e corresponding to the sum o{the challenges Qi U Qj. Homomorphic verifiable response is the key technique of collaborative PDP because it not only reduces the communication bandwidth, but also conceals the location of outsourcing data in hybrid clouds. SECURITY AND PERF ORMANCE ANALYSIS The collaborate integrity verification for distrusted outsourcing data, in essence, is a multi-prover interactive proof system (IP S), so that the correspondence construction should satisfy the security requirement of IP S. Moreover, in order to ensure the security of verified data, this kind of construction is also a Multi-Prover Zero-knowledge Proof (MPZKP) system [5], [ I I], which can be considered as an extension of the notion of an interactive proof system (IP S). Roughly speaking, the scenario of MPZKP is that a polynomial-time bounded verifier interacts with several provers whose computational power is unlimited. Given an assertion L, such a system satisfies three following properties: (1) Completeness: whenever x E L, there exists a strategy for provers that convinces the verifier that this is the case; (2) Soundness: whenever x tt L, whatever strategy the provers employ, they will not convince the verifier that x E L; (3) Zero-knowledge: no cheating verifier can learn anything other than the veracity of the statement. Since this construction is directly derived from MPZKP model, the soundness and zero-knowledge properties can protect our construction from various attacks as follows: Security for tag forging attack: The soundness means that it is infeasible to fool the verifier into accepting false statements. It is also regarded as a stricter notion of unforgeability for the file tags. To be exact, soundness is defined as follows: for every "invalid" tag (J* tt TagGen(sk, F), there doesn't exists an interactive machine P* can pass verification with any verifier V* with noticeable probability. ISSN: Page 4278

8 Security for data leakage attack: In order to protect the confidentiality of the checked data, we are more concerned about the leakage of private information in the verification process. In actual practice, we introduce the collaborative PDP scheme to construct an audit system architecture for outsourcing data in hybrid clouds by replacing TTP with a third party auditor (TPA) in Figure 2. In this architecture, data owner and granted clients need to dynamically interact with CSP to access or update their data for various application purposes. However, we neither assume that CSP is trusted to guarantee the security of the stored data, nor assume that data owner has the ability to collect the evidence of the CSP's fault after errors have been found. Hence TPA, as a trust third party (TTP), is used to ensure the storage security of their outsourcing data. We assume the TPA is reliable and independent, and thus has no incentive to collude with either CSP s or users during the auditing process. 4. Conclusions In this paper, we addressed the construction of collaborative integrity verification mechanism for distributed data outsourcing in hybrid clouds. Based on homomorphic verifiable responses and hash index hierarchy, we proposed a collaborative provable data possession scheme to support dynamic scalability on multiple storage servers. Our performance analysis indicated that our proposed solution only incurs a small constant amount of communications overhead. As part of future work, we would extend our work to explore more effective CPDP constructions. First, from our experiments we found that the performance of CPDP scheme, especially for large files, is affected by the bilinear mapping operations due to its high complexity. To solve this problem, RSAbased constructions may be a better choice, but this is still a challenging task because the existing RSAbased schemes have too many restrictions on the performance and security. Acknowledgements The authors would like to thank the anonymous reviewers for their comments which were very helpful in improving the quality and presentation of this paper. References: [1] G. Ateniese, R. Dipietro, L. V. Mancini, G. Tsudik, Scalable and Efficient Provable Data Possession SecureComm 2008, [2] S. Y Ko, T. Hoque, B. Cho, and T. Gupta, "On availability o f intermediate data in cloud computations," in Proc. 12th Usenix Workshop on Hot Topics in Operating Systems (HotOS Xll), 2009, pp [3] S. Pallickara, I. Ekanayake, and G. Fox, "Granules: A lightweight, streaming runtime for cloud computing with support, for map-reduce," in CLUSTER, 2009, pp [4] C. C. Erway, A. Kupcu, C. Papamanthou, R. Tamassia, Dynamic Provable Data Possession, CCS 09, 2009, ISSN: Page 4279

9 [5] F. Sebe, J. Domingo-Ferrer, A. Martinez-balleste, Y. Deswarte, J. Quisquater, Efficient Remote Data Integrity checking in Critical Information Infrastructures, IEEE Transactions on Knowledge and Data Engineering, 20(8), 2008, 1-6. [6] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, D. Song, Provable data possession at untrusted stores, CCS 07, 2007, [7] B. Sotomayor, R. S. Montero, T. M. Llorente, and T. T. Foster, "Virtual infrastructure management in private and hybrid clouds," IEEE Internet Computing, vol. 1 3, no. 5, pp , [8] G. Ateniese, R. C. Burns, R. Curtmola, I. Herring, L. Kissner, Z. N. I. Peterson, and D. X. Song, "Provable data possession at untrusted stores," in ACM Conference on Computer and Communications Security, 2007, pp [9] G. Ateniese, R. D. Pietro, L. V. Mancini, and G. Tsudik, "Scalable and efficient provable data possession," in Proceedings of the 4th international conference on Security and privacy in communication netowrks, SecureComm, 2008, pp [10] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, 1. Stoica, and M. Zaharia, "Above the clouds : A berkeley view of cloud computing," EECS Department, University of California, Berkeley, Tech. Rep. UCB/EECS , Feb [Online]. Available: Rpts/2009IEECS html [11] H. Shacham and B. Waters, "Compact proofs of retrievability," in ASIACRYPT, 2008, pp [12] H. Hu, L. Hu, and D. Feng, On a class of pseudorandom sequences from elliptic curves over finite fields, IEEE Transactions on Information Theory, vol. 53, no. 7, pp , [13] A. Bialecki, M. Cafarella, D. Cutting, and O. O Malley, Hadoop: A framework for running applications on large clusters built of commodity hardware, Tech. Rep., [Online]. Available: Authors Profile: Usha Sundari Dara is pursing her master s degree (M.Tech in CSE) from TRR College of Engineering, Hyderabad M. Swetha Chandra is working as an Assistant Professor in Computer Science Department at TRR College of Engineering, Hyderabad. She a had an Experience of two years in teaching filed. ISSN: Page 4280