Security Issues in Cloud Computing & Study on Encryption Method

Transcription

1 Security Issues in Cloud Computing & Study on Encryption Method K Sharath Kumar, N.ANJANEYULU, B.VENKANNA Abstract -Encryption scheme perform sequence implicit operation on the plaintext by processing the original text which supports all the operations increases the storage capacity and provides the secure data transfer. We describe encryption techniques for services of cloud evaluates the security issues, analysis of Homomorphic and HIPAA protects the cloud environment and deals with serious security concerns access to cloud data. Comparison both the encryption techniques Homomorphic is best efficient. Keywords Homomorphic Encryption, HIPAA, Cloud computing, Security. 1. INTRODUCTION Computing in its purest form has changed hands multiple times first from near the beginning when mainframes were predicted to be the future of computing. Most of our data is stored on local networks with servers that may be clustered and sharing storage approach has had time to be developed into stable architecture and provide decent redundancy when deployed right. The cloud is easy to misunderstand what makes up the structure and function. The term cloud computing is the data centre, viewing the cloud as logical rather than a physical. Figure 1 Structure of Cloud Organizations and individuals can benefit from mass computing and storage provided by large companies with stable and strong cloud architectures. As new technologies emerge often tend to build on the success of previous developments. Cloud computing technology makes the resource as a single point of access to the client and is implemented as pay usage and abstracted infrastructures completely virtualized environment quipped with dynamic free of software and hardware installations. Growing number of companies have to process huge amounts of data in a cost efficient manner operators such as internet search engines like Google Yahoo or Microsofts. The development of distributed applications on top such architecture many of these companies have also built customized data processing framework Google Map Reduce Merge can be classified by terms like high throughput computing or many task computing depending on the amount of data and the number of tasks involved in the computation. Although these systems differ in design their programming models share similar objectives namely hiding the hassle of parallel programming fault tolerance and execution optimizations form the developer. The processing framework then takes care of distributing the program among the available nodes and executes each instance of the program on the appropriate fragment of data. To process large amounts of data occasionally running their own data centre is obviously not an option. Cloud computing has emerged as a promising approach to a large IT infrastructure on a short term pay per usage basis which includes Amazon EC2 customer allocate access and control a set of virtual machines which run inside their data centres and only charge them for the period of time the machines are allocated.the virtual machine abstraction of clouds fits the architecture assumed by the data processing a popular open source implementation of Google Map Reduces framework already have begin to promote using their framework. 2. Related Work Cloud computing outsourcing that fulfills all aforementioned requirements such as input output privacy correctness soundness guarantee has been shown feasible in theory by Gennaro et al. It is currently not practical due to its huge computation complexity instead of outsourcing general functions in the security community, Atallah et al explore a list of work for securely outsourcing specific applications. The customized solutions are expected to be more efficient than the general way of constructing the circuits. A set of problem dependent disguising techniques are proposed for different scientific applications like linear algebra sorting, string pattern matching etc Atallah et al give two protocol designs for both secure sequence comparison outsourcing and secure algebraic computation outsourcing. However both protocols use heavy cryptographic primitive such as homomorphism Volume 2, Issue 3 May June 2013 Page 442

2 encryptions and/or oblivious transfer and do not scale well for large problem set. Atallah et al. give a provably secure protocol for secure outsourcing matrix multiplications based on secret sharing. While this work outperforms their previous work in the sense of single server assumption and computation efficiency (no expensive cryptographic primitives), the drawback is the large communication overhead. Namely, due to secret sharing technique, all scalar operations in original matrix multiplication are expanded to polynomials, introducing significant amount of overhead. Considering the case of the result verification, the communication overhead must be further doubled, due to the introducing of additionalpre-computed random noise matrices. Another existing work list of work that relates to secure multiparty computation introduced by Yao and later extended by Goldreich et al. and many others. Secure multiparty computation allows two or more parties to jointly compute some general function while hiding their inputs to each other. General SMC can be very inefficient Du and Atallah et al. have proposed a series of customized solutions under the SMC context to a spectrum of special computation problems, such as privacy-preserving cooperative statistical analysis, scientific computation, geometric computations, sequence comparisons, etc. [3]. However, directly applying these approaches to the cloud computing model for secure computation outsourcing would still be problematic. The major reason is that they did not address the asymmetry among the computational powers possessed by cloud and the customers, i.e., all these schemes inthe context of SMC impose each involved parties comparable computation burdens, which we specifically avoid in the mechanism design by shifting as much as possible computation burden to cloud only. Another reason is the asymmetric security requirement. In SMC no single involved party knows all the problem input information, making result verification a very difficult task. But in our model, we can explicitly exploit the fact that the customer knows all input information and thus design efficient result verification mechanism. Detecting the unfaithful behaviours for computation outsourcing is not an easy task, even without consideration of input/output privacy. Verifiable computation delegation, where a computationally weak customer can verify the correctness of the delegated computation results from a powerful but untrusted server without investing too many resources, has found great interests in theoretical computer science community. Some recent general result can be found in Goldwasser et al. [4]. In distributed computing and targeting the specific computation delegation of one-way function inversion, Golle et al. [5] propose to insert some pre-computed results (images of ringers ) along with the computation workload to defeat untrusted (or lazy) workers. In [6], Du. et al. propose a method of cheating detection for general computation outsourcing in grid computing. The server is required to provide a commitment via a Merkle tree based on the results it computed. The customer can then use the commitment combined with a sampling approach to carry out the result verification (without re-doing much of the outsourced work.) However, all above schemes allow server actually see the data and result it is computing with, which is strictly prohibited in the cloud computing model for data privacy. Thus, the problem of result verification essentially becomes more difficult, when both input/output privacy is demanded. 3. SECTION 3.1 Future directions for Cloud Computing:Cloud computing is essentially just a new delivery model, earlier version of the time sharing functions with a number of commercial technological upgrades. Factors such as speed to market lack of capital investment utility pricing investment elastic capacity and financial surety around charging methodologies are prompting many of today s leaders to see cloud as the perfect solution. Figure 2 Processes of Cloud Servers Depending on infrastructure there are four deployment models Public cloud: It is usually owned by a large organization (e.g Amazon EC2 Googles AppEngine and Microsoft s Azure). The owner organisation makes its infrastructure available to the general public via a multitenant model on a self-service basis delivered over the internet. This is the most cost effective model leading to substantial savings for the user with privacy and security issues the physical location of the provider s infrastructure Private Cloud: It refers to cloud infrastructure in a single tenant environment it defers from the Volume 2, Issue 3 May June 2013 Page 443

3 traditionalcentre in its predominant use of virtualization. It may be managed by the tenant organization or by a third party within or outside the tenant premises. A private cloud costs more than the public cloud with a data centre as evidenced by concur technologies Community cloud: According to NIST the community cloud refers to a cloud infrastructure shared by several organizations within a specific community. It may be managed by any one of the organizations or a third party Security Issue for Cloud Computing: Security is main issue for IT executives when it comes to cloud adoption. However cloud computing is an agglomeration of technologies operating systems storage networking virtualization each fraught with inherent security issues. Data security risk stems primarily from loss of physical personnel and logical control of data Issues include virtualization vulnerabilities. SaaS vulnerabilities exposed private user files phishing scams and other potential data breaches. Leakage and interception economic and distributed denial of service and loss of encryption keys and unique risks also arise due to the multi-tenancy and resource sharing models as pointed out. Data containing social insurance details health data and financial information raise issues about authorization. Data remembrance or persistence remains an issue due to replication and distribution of data even after a user has left a cloud provider. Third party with growing value of corporate information access can lead to a potential loss of intellectual property and trade secrets malicious insider who abuses access rights to tenant information. The fear of corporate espionage and data warfare also stems from third party control. Privacy data in the cloud is usually globally distributed which raises concerns about jurisdiction data exposure and privacy. Summarized the main privacy issues of cloud computing. Suppose the users may give their personal information without knowing where the data was stored. Risk of not complying with government policies as would be explainedfurther cloud vendors expose sensitive information risk liability. 4. Problem: Cloud is a web application CRM SCM middleware, networking storage and servers of three models that are software as a service, platform as a service and infrastructure as a service hits the million users. It contains data remembrance or persistence remains an issue due to replication and distribution of data even after a user left a cloud provider. To monitor the cloud data security as implemented to create, store, share, archive or destroy the data every time. Homomorphic encryption is the secure to protect information on cloud Homomorphic Encryption:Homomorphic cryptography is mathematics and computer science presented the first scheme in 2009 on homomorphic, the secret function evaluation private information retrieval or searchable encryption in general. Homomorphic is a encryption technology for securing cloud data to assure users of the security of information in cloud. Private cloud to its portfolio of supported environments introduced homomorphic encryption which secures one of the least aspects of cryptography. Suppose spilt key technology assured the security of data by only allowing the secret key to be derived algorithmically from the halves of the keys. Homomorphic encryption ensures that the actual keys are no longer stored anywhere. Figure 3 Homomorphic Encryption Split key used when data is stored and homomorphic techniques are used when data is accessed, keys are encrypted in the cloud and maintains by the user. Provides the security features for cloud encryption services 1. Master key is never exposed 2. A compromise involving one object does not afford attackers access to other objects as each is secured using its own encrypted symmetric key.gaining access to or control over one system in a complex network has been primary means of gaining a foothold inside as a means to further access the intended target. Investigation report shows that 94% of all data compromised involved servers and remaining increase in this statistic over the findings make the security of individual systems. Problem attempting to address key management in the cloud is too often overlooked and storing full keys anywhere in the data centre. If all data stored in the cloud were encrypted effectively solves issues of data security third party control and privacy legal issues however a user would be unable to leverage power of the cloud to carry out computation on data without decrypting it or shipping it entirely back to the user for computation. Cloud provider has to decrypt the data first perform the computation and then send the result to the user. Volume 2, Issue 3 May June 2013 Page 444

4 4.2. HIPAA Encryption:HIPAA encryption standard in the security rule is deemed "addressable" meaning that the covered entity (CE) must either implement encryption or come up with a 'reasonable and appropriate' solution to meet the regulatory requirement. To add to the already complicated interpretation of the rule(s), the recent HITECH Act specifies severe penalties for breaches of unsecured PHI, and further states that these penalties do not apply if data is encrypted or otherwise rendered unusable, unreadable, or indecipherable. Practical implication is that CEs will have exposure to regulatory penalties unless data is encrypted. Recent audits by OCR, OIG, and other agencies indicate that these agencies will not hesitate to impose sanctions for noncompliance involving a failure to encrypt. Identify the specific areas requiring encryption and implement the appropriate measures to safeguard the data. Some of these major areas are illustrated in the following pages, with guidance on when and how to encrypt. To encrypt the analysis would apply to both data vehicles for breach, and is the first area to address when implementing encryption. As an example, most patients have access to , and it is a well understood technology. The protocols used for sending were created a long time ago when there was little if any concern for privacy of the information being sent. The data being delivered is transmitted in what is commonly referred to as Plain Text. What this means is that a person could intentionally intercept data flowing between the sender and the receiver without much effort, and could read the entire message. In this manner, this person could be copying the data, or transferring it at will. Figure 4: HIPAA Encryption transfer data using key. We can hide data at desktop level and cloud server Protect the data from local process to gateway using below. 1. User creates message and selects to encrypt, gateway sends message normally 2. User checks for recipients public key 3. If key exists message is encrypted 4. If key doesn t exist encrypted message is stored on server 5. Once keys are exchanged message is recreated encrypted and allowed 6. Communicate key with available recipients. Encryption message include it as an attachment in another one is unencrypted . Secure zip, WinZip and PGP applications have the capability to compress the data into small file and apply the encryption. SECTION 5 5. Study on Encryption in Cloud: Homomorphic encryption is a category of system implementations might be weak and others might be strong doesn t make sense to entire category. Homomorphic cryptosystems have been used in crypto for a while including as neal points in voting system. Cloud computing provides clients with a virtual computing infrastructure on top of which they can store data and run applications. Homomorphic encryption system used to perform operations on encrypted data without knowing the private key the client is the only holder of the secret key. Consider the encryption if from Enc(a) and Enc(b) is to compute Enc (f(a,b)) where f can be +,* without using private key. According to an operation that allows to assess on data homomorphic encryption is the Goldwasser cryptosystems and the multiplicative homomorphic encryption. Securing data moving sensitive data into the cloud environment using public and private concerns. The ability to secure and control data in the cloud enables enterprises to unlock the benefits of cloud computing while meeting compliance requirements and managing security risks. Advantages of encryption in Cloud computing includes Rapid deployment: Data in Amazon EC2 is encrypted in place avoiding delays associated with re-architecting applications Granular: It is a file level encryption enforces encryption enables access control policies and audits usage at the Amazon EC2 server instance process and user layers. Confidence: provides a security solution certified to the US national institute of standards and technology FIPS standard using technology that has helped enterprises pass compliance audits for standards including PCI DSS, HIPAA and is deployed by the US government. Portability: Policy enforcement surrounds the data eliminating redundant policy stores for on-premise cloud infrastructure while ensuring consistent enforcement of security standards and adherence to compliance requirements in the enterprises and Amazon EC2 cloud. 6. CONCLUSION Encryption scheme describes the amount of time and computational resource required for the evaluation. Analysis shows the encrypted data stores on cloud and protects from the un authorization users mainly usefully for banking services. To prevent server from learning the file content of each segment searched by monitoring the users search patterns. Future direction of our analysis is to avoid the misuse objects without user presence Volume 2, Issue 3 May June 2013 Page 445

5 Reference [1] Acemoglu, D., 2009, Introduction to Modern Economic Growth, Princeton University Press [2] Armbrust, M., A. Fox, R. Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica and M. Zaharia, 2009, Above the Clouds: A Berkeley View of Cloud Computing, mimeo, UC Berkeley RAD Laboratory, [3] W. Du and M. J. Atallah, Secure multi-party computation problems and their applications: a review and open problems, in Proc. of NewSecurity Paradigms Workshop (NSPW), 2001, pp [4] S. Goldwasser, Y. T. Kalai, and G. N. Rothblum, Delegating computation: interactive proofs for muggles, in Proc. of STOC, 2008, pp [5] P. Golle and I. Mironov, Uncheatable distributed computations, in Proc. of CT-RSA, 2001, pp [6] W. Du, J. Jia, M. Mangal, and M. Murugesan, Uncheatable grid computing, in Proc. of ICDCS, 2004, pp [5] Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, , [6] Craig Gentry, A Fully Homomorphic Encryption Scheme, K Sharath Kumar received the B.Tech (CSE) from Pondicherry Engg. College, and the M.Tech(CSE) from Bharath University, India in He is currently working as Associate Professor in Sphoorthy Engineering College, Hyderabad, India. He is a Life Member in Indian Society of Technical Education. His area of interests are Software Engg., Cloud Computing and Image Processing. N.ANJANEYULUreceived the B.Tech(IT) from CVR College of Engg,Hyderabad, and M.Tech(IT) from Guru Nanak Engg College, Hyderabad, India in He is currently working as Assistant Professor in Sphoorthy Engineering College, Hyderabad, India. His area of interest includes Computer Networks, Network Security, Mobile Computing and Web Applications. B.VENKANNAreceived B.Tech(CSIT) from Noor Engg College, Shadnagar, and M.Tech(SE) from Ramappa Engg College, Warangal, India in He is currently working as Assistant Professor in Sphoorthy Engineering College, Hyderabad, India. His area of interest includes Mobile Computing and Object Oriented Concepts. Volume 2, Issue 3 May June 2013 Page 446