Data Integrity Issues in Cloud Storage System-A Survey

Transcription

1 Data Integrity Issues in Cloud Storage System-A Survey K. Karthika Lekshmi 1, Dr. E. Baburaj 2 1 Assistant Professor, Department of Information Technology, Cape Institute of Technology, jk_karthika@yahoo.co.in 2 Professor, Department of Computer Science and Engineering, Sun College of Engineering & Technology, alanchybabu@gmail.com Abstract Cloud Computing is an emerging technology, which provides a scalable service delivery model where we can obtain computing resources, networking and storage space on demand based on servicelevel agreements. It provides a way to move the applications and sensitive databases to the large data centers. However, there is no guarantee that the data stored in the cloud are secure or not and the contents are original or altered by any Third Party Auditor or by the cloud. Many schemes have been proposed to deal with security issues in an un-trusted server. Many of the earlier works addresses the data integrity issues in Cloud using Third Party Auditor (TPA). Many request / response protocols were proposed in which the cloud server itself performed the integrity of the data by provable data possession and by proof of retrievability. Most of the previous work deals only with static data while recent works support dynamic operations. Some schemes allow public verifiability while others not. The aim of this study is twofold 1) To discuss the security challenges regarding outsourcing of data 2) To survey the various methods used to ensure the integrity of the outsourced data. 1. Introduction Keywords: Cloud Computing, Data Dynamics, Data Integrity Cloud computing is an effective way to reduce costs and improve IT capabilities. A Cloud [1] is a type of parallel and distributed system consisting of a collection of interconnected and virtualized computers that are dynamically provisioned and presented as one or more unified computing resources based on service-level agreements established through negotiation between the service provider and consumers. Types of the cloud model include public, private, community and hybrid clouds. The characteristics provided by the cloud computing includes independent resource pooling, on-demand self-service, elasticity, pay-per-use, virtualization, increased storage and trust worthy metering service, etc. To implement these features; cloud computing systems offer services at various levels, from the bottom layer to the top layer (refer Figure1). Infrastructure-as-a-Service (IaaS) is offered in the bottom layer, which delivers services in the forms of storage, network, and computational capability. Platformas a-service (PaaS) is the middle layer which delivers services in the form of environment for software execution. Software as a Service (SaaS) locates in the top layer, which offers software applications as a service. In addition to that, the cloud provider uses management tools in the life-cycle management of the service instance, dynamic configuration and allocation of resources in order to manage a large cloud system, metering and billing services. In general, cloud computing is built over the following minimum level technologies, which includes web applications and web services (instances of service oriented architecture), virtualization techniques for both hardware and software, cryptographic techniques for data security. Virtualization in cloud computing is the key element that separates system functionality and implementation from physical resources Cloud Services Cloud providers offer three basic categories of services such as computation service, storage service and networking service. For instance, AWS (Amazon Web Services) offers the public cloud computing services such as Elastic Compute Cloud (EC2), SimpleDB, Simple Storage Services (S3), Simple Queue Service (SQS) and many other internal networking services that connect the other services. Basically cloud providers offer four common types of services [2]. International Journal of Digital Content Technology and its Applications(JDCTA) Volume8, Number3, June

2 Elastic Compute Clusters: It consists of a set of virtual instances that run a client application code. Clusters are elastic in that the number of instances can be increased dynamically based on the application s workload. Cloud user (Web browser, Terminal, Mobile Apps) SaaS ( , Games, Virtual Desktop) Provider: SALESFORCE, NETSUITE PaaS (OS, Programming Language Execution Environment, Database, Web-server) Provider: APPENGINE, AZURE IaaS (Virtual Machine, Server, Storage, Network) Provider: RACKSPACE.COM, GO GRID, AWS Figure 1. Cloud service layers Persistent Storage Services: These services store application s data and state; all instances in the cluster can access them. The common types of storage services are Table storage similar to a traditional database. Blob storage keeps binary objects such as user photos and videos. Queue storage to implement a global message queue that enables synchronization across virtual instances. Intra-Cloud Networks: These are high-bandwidth and low-latency networks, which connect virtual instances with each other and with storage services. Wide-Area Networks: It connects the cloud data centers with end hosts on the Internet. Cloud providers operate with several data centers located in different geographical regions so any user s request can be easily served by a nearby data center thus it reduces WAN latency Organization The remaining part of this paper is organized as follows. We review the security challenges when outsourcing the data in cloud computing in the next section. In Section 3, Cloud storage systems with the integrity checking support, including Provable Data Possession (PDP), Scalable PDP, Proof Of Retrievability (POR) and Public auditing by TPA had been presented. Then, Section 4 discusses the other cloud storage systems. Comparative analysis and future directions are given in Section 5 and 6 respectively. Finally, the conclusion is given in Section Security Challenges in Outsourcing the Data Data outsourcing helps the client or owner of the data move their large volume of data to a thirdparty provider (server). Individuals and enterprises are outsourcing their complex data into the cloud due to its greater flexibility and cost-efficiency. This creates many security issues and challenges in data confidentiality and integrity. Many previous works focused the data integrity and authentication issues (i.e., confirming that how the server returns correct data to its client s queries). Encrypting the data before outsourcing is the simplest way to enforce data integrity and authorized access in the cloud. Many of the common encryption schemes protect data confidentiality, but which limit the storage system functionality because few numbers of operations are allowed over encrypted data. Recent research works focus on outsourcing data in an encrypted form with efficient query support over encrypted data. However, encryption doesn t make the complete solution. It leads the following problems [3]. Encrypted data must be decrypted at the time of downloading either by the client or third party auditor, but it increases the bandwidth cost. Since the data stored in the cloud are in the encrypted form, it makes the user difficult to use the data and apply a searching operation over the encrypted data. So, many researchers focus on searchable encryption schemes, which includes some pre built encrypted search index through that user securely search over the encrypted data without decrypting it. 44

3 However, when the amount of outsourced data and on-demand data users increases, then meeting the system usability, performance and scalability become a major problem. In this context several challenging research problems remain, which include, similarity and secure ranked search over encrypted data, applying secure range query, multi-keyword search and secure search over non textual data such as graphs or numerical data. Other issues of outsourcing data service in the cloud include the following i) Cryptographic techniques need a local copy of the data to ensure the data integrity, availability and long-term storage correctness, but this is not viable when storage is outsourced. Thus enabling a unified auditing architecture is important, with data dynamic support and public verifiability. ii) Proof of ownership to prevent the exposure of user data via side channels. iii) iv) Remote assessment of failure vulnerabilities in the cloud. Different users use different access privileges and policies with regard to the data. When we outsource the data, it is difficult and inefficient to enforce secure and reliable data access among a large number of users. v) Trustworthy Service Metering: To make the profitable service, CSPs charge the customers according to the volume of resources they consume. For example, the Amazon EC2 charges users based on the time during which the specified EC2 instances are in a running state, but Google AppEngine charges based on the total number of CPU cycles a user application consumes. Hardware virtualization allows multiple users to run tasks on the same infrastructure without interfering with each other, and it permits sharing of resources, such as memory, network bandwidth and I/O. This resource sharing can t be perfectly isolated. As a result, CSPs might incorrectly produce the user s usage report. So a unified mechanism is needed to measure the amount of resource consumption for the benefit of both cloud users and CSPs. vi) Multitenancy: Cloud environment also presents severe security threats and privacy vulnerabilities to both the cloud infrastructure and cloud users. CSPs use hardware virtualization to hide computing platform s physical characteristics. Virtualized environments share similar functionalities with existing operating systems and applications in the physical environment, this sharing leads to privacy leaks. vii) Secure computation outsourcing mechanisms are needed to protect sensitive workload information and to ensure that the computed results returned from the cloud are correct. viii) Data recovery vulnerability: As per the resource pooling characteristic, resources allocated to one user may be reallocated to another user in the near future. It might be, therefore, possible to recover data written by the previous user. All these issues address the importance of a unified storage auditing architecture. To ensure data confidentiality, integrity, and availability, the storage provider must offer the following minimum level capabilities [4], that include 1) Efficient encryption schemes to ensure that the shared storage environment safeguard all data 2) Enforcing access controls to prevent unauthorized access of the data. 3) Data backup and safe storage of the backup media. 3. Cloud Storage with Integrity Support Periodical data integrity verification without the local copy of data files at the un-trusted server is one of the major issues with cloud data storage. While designing a remote data integrity checking protocol, certain requirements have to be satisfied: privacy preservation, unbound number of queries, data dynamics, public verifiability, block less verification and recoverability [17]. The following section explores the various integrity checking protocols, which guarantee the integrity of the outsourced data along with access control at various levels Provable Data Possession (PDP) The model for provable data possession (PDP) [5] introduces the first provably-secure challenge/response protocol for practical PDP schemes that allows a client to verify whether the data 45

4 stored on the server is original or not without retrieving it. This model produces probabilistic proofs of data possession, i.e., the verification process is done by sampling random sets of blocks instead of the complete data file from the server, through that it minimizes the network communication. The client maintains a constant amount of metadata locally to verify the integrity of data possessed by the server. This scheme is data format independence and unlimited number of challenges can be made by the client to prove the data possession. The client initially pre-processes the file and generates a small amount of information called metadata that is stored locally and then transmits the original data file to the server. Clients may encrypt a file before outsourcing. This pre-processing may alter the file or expand the file to include additional metadata to be stored at the server. The server is now ready to respond the challenges issued by the client. Once the client issues a challenge to the server, the server computes a function of the stored file, and then it sends the information back to the client. The client verifies the result using its local metadata information. This paper introduces the concept of RSA based Homomorphic Verifiable Tags (HVTs), which is the basic element of this PDP scheme. HVTs allow the verification of data possession without accessing the actual data file. This is a public key-based technique thus it allows public verifiability (i.e., any verifier can challenge and obtain the proof of data possession). This PDP scheme consists of four algorithms, namely 1) Keygen() - Run by the client to generate public and private keys, 2) Tagblock() - Run by the client to generate the metadata, 3) Genproof() - Run by the server who generates proof of possession and 4) Checkproof() - Run by the client to validate the proof of possession Scalable PDP In paper [6], a highly efficient and secure, scalable PDP technique based on symmetric key operation in both Setups (performed once) and Verification phase is proposed. The main idea of this scheme is that, before outsourcing, the owner of the data (client) pre-computes a limited number of short possession verification tokens. Each token cover some set of data blocks. Initially, the client generates in advance n possible random challenges and the corresponding answers (called tokens) during the Setup phase. Once all tokens are computed, the client moves the entire set of tokens to the server by encrypting each token with an authenticated encryption function along with the actual data file. Subsequently, if the owner wants to obtain a proof of data possession, it challenges the server with a set of random block indices. To respond this challenge, the server computes a short integrity check over the specified blocks of the corresponding indices and returns it to the owner. For the proof to hold, the returned integrity check value computed by the server must match the corresponding value computed in advance by the client. However, in this scheme, the owner can keep the possession verification tokens either locally or outsourcing them to the server in encrypted form. This protocol is very efficient in terms of computation and bandwidth, but it supports a limited number of verifications only and this scheme is unsuitable for public verification by third party. Moreover, it efficiently supports block level dynamic operations, such as the block update, block deletion, single block appends and bulk appends for outsourcing the dynamic data. This scheme is provably secure in the Random Oracle Model (ROM) and avoids any bulk encryption of a data file Proof of Retrievability (POR) POR is a protocol in which a server proves to a client that the target file is unaltered, meaning that the client can retrieve the file from the server with high probability. A. Juels and B. Kaliski proposed a scheme called proof of retrievability for large files using Sentinels [7]. In the setup phase, the verifier randomly embedded these sentinels among the data blocks. During the verification phase, the verifier challenges the cloud server by specifying the positions of sentinels and asking the server to return the associated sentinel values. If the server modifies or deletes the original data, then sentinels would also be affected with a certain probability. However, sentinels should be indistinguishable from other regular blocks; this implies that blocks must be encrypted. This scheme is best suited for storing encrypted files. POR cannot be used for public databases; its use is limited to confidential data only. In addition, the number of verification is limited and fixed a priori. This is because sentinels, and their position within 46

5 the data block, must be exposed to the server at every verification. The revealed sentinels cannot be used again. The main role of sentinel is the necessity to access only a small portion of the file instead of accessing the entire file for each verification. However, it makes the storage overhead at the server, as well as the client side because they are inserted additionally and stored. As this scheme involves the encryption of the file F using a secret key, it becomes more complex when the data to be encrypted is large. POR protocol is designed to protect a static archived file F. Many enhanced works based on POR protocol [7] has been proposed in the papers [8] [9] Public Auditing by TPA Qian Wang in his paper used the Third Party Auditor (TPA), for integrity verifications and evaluation of the performance. In his paper [10] he addressed scalable and efficient public auditing system for data storage security in Cloud Computing, and he proposed a protocol which supports dynamic data operations, especially insertion, deletion, data modification and batch auditing where TPA performs multiple auditing tasks simultaneously for different users System Model and Design Goals His network architecture model for cloud storage includes three different network entities. They are 1) Client: An individual consumer or organization, which stores large data files in the cloud, 2) Cloud Storage Server (CSS): An entity which provides storage for their clients and 3) Third Party Auditor (TPA): An entity, which replaces the clients upon request. Design goals include 1) Public auditability support: Any client or TPA can challenge the server for the correctness of the data files stored in the cloud periodically on demand, 2) Dynamic data operation support: Clients are allowed to perform dynamic block-level data operations on the data files such as insertion, deletion, and data modification and 3) Block less verification: Challenged file blocks should not be retrieved by the verifier during the verification process. PKC based homomorphic authenticators (BLS or RSA signature based authenticators) are used. These authenticators are unforgeable metadata generated from individual data blocks, and they are securely aggregated. Merkle Hash Tree [11] is the authentication structure, which is used to perform the verification process with public auditability. This protocol consists of two algorithms. Keygen(): It generates client s public key and a private key. SigGen(): It preprocesses the data file and generates the homomorphic authenticators with metadata. The client computes the signature for each block and generates a root r of the Merkle Hash Tree (MHT), the client then signs the root r using the private key Integrity Verification and Data Modification To check the integrity of the outsourced data, the client or TPA can challenge the prover (server) by specifying the positions of the data blocks to be checked. Upon receiving this, the server computes the data blocks and the corresponding signature blocks, send it to the verifier with a small amount of auxiliary information. After receiving the responses from the server, the verifier generates a root r of MHT and check for the authentication. This scheme efficiently handles fully dynamic data operations, including data modification, data insertion and data deletion. A basic block updating operation refers to the replacement of the particular block b 1 with the new block b 1. Suppose if the client wants to modify the block b 1 to b 1, then the client generates the corresponding signature σ 1 for b 1, then; he sends a modification request message to the server. Upon receiving the request, the server runs Execmodification and replaces the block b 1 with b 1, replaces σ1 with σ 1, replaces h (b 1 ) with h (b 1 ) in the Merkle hash tree and generates the new root r. Finally, the server sends the proof for this operation to the client. Similar kind of approach is used for data insertion and data deletion. The issue of privacy of data is not addressed in this approach. 4. Other Cloud Storage Systems 4.1. Erasure Code Based Cloud Storage System Hsiao-Ying Lin in his paper [12], proposed a secure distributed storage system using threshold proxy re-encryption scheme integrated with erasure code over exponents. This system allows a user to 47

6 forward their data directly to another user in the cloud without retrieving the data from the storage servers. This method integrates encryption, encoding, and forwarding. The proxy re-encryption scheme supports three main functions 1) Encoding operations over encrypted data, 2) Forwarding operations over encoded and encrypted data and 3) Partial decryption operations in an efficient way. Their distributed storage system model consists of users, n storage servers for storage service and m key servers for key management and consists of four operations namely System Setup, Data Storage, Data Forwarding and Data Retrieval. System Setup Phase: Each user is assigned a public-secret key pair (P K, S K ). The user then distributes his secret key S K to key servers such that there exists a key share between each key server and a particular user with a threshold value t via the Shamir secret sharing scheme [16]. Data Storage Phase: A message that we want to store is decomposed into k blocks. Each plaintext block B i is converted into a corresponding ciphertext block C i. The user performs this encryption and sends it to some randomly chosen storage servers. Each storage server then makes a codeword symbol by linearly combining the ciphertexts with randomly chosen coefficients and stores it. Data Forwarding Phase: If the user A wants to forward his message in an encrypted form with an identification to user B, then A uses his secret key S K and B s public key P K to generate a re-encryption key, and this is sent to all storage servers. Storage server re-encrypts its codeword symbol by making use of this re-encryption key. Thus the combination of ciphertexts under B s public key forms the reencrypted codeword symbol. Data Retrieval Phase: User A sends a request to retrieve a message from storage servers and sends a retrieval request to key servers. Each key server gets the codeword symbols by requesting v randomly chosen storage servers after performing the authentication process with user A. Then it uses the key share with user A to do the partial decryption on the received codeword symbols. Finally, user A obtains the original message M by combining the partially decrypted codeword symbols Access Control and Assured Deletion Cloud storage providers typically keep multiple backup copies of data for fault-tolerance reasons. It is important to remove all backup copies upon requests of deletion safely by the provider. Time-based file assured deletion securely deletes the files, which mean that making it permanently inaccessible after a predefined time duration, which is introduced in [14]. Yang Tang in his paper [15] addressed FADE secure overlay cloud storage system that achieves fine-grained access control and file assured deletion. Access control allows the authorized parties having access privileges to access the outsourced data on the cloud. Assured deletion makes inaccessible to anybody the outsourced data upon requests of deletion of data. In FADE, data files are associated with a set of single or boolean combination of file access policies (e.g., time expiration) such that the users who satisfy the access policies only be permitted to access the files. It uses the cryptographic schemes, including threshold secret sharing [16] and attribute-based encryption (ABE) [18], [19]. In this system three types of cryptographic keys are used 1) Data key: for encryption or decryption of data files via symmetric key encryption (e.g., AES) 2) Control key: for policy-based deletion, it is associated with a particular policy and is used to encrypt/decrypt the data keys of the files protected by the same policy 3) Access key: for policy-based access control, it is associated with a particular policy and is built on attribute-based encryption to successfully decrypt an encrypted file. The file content is encrypted with a data key; data key is then encrypted with the control key associated with the policy. When the policy is revoked, the corresponding control key will be removed from the key manager and hence the encrypted content of the file cannot be recovered with the control key of the policy. Thus, we say the file is assuredly deleted Basic Operations of FADE In FADE, clients interact with the cloud using the following four operations: Upload (file, policy): The client encrypts the input file according to the specified policy. Here, the file is encrypted using the 128-bit AES algorithm with the cipher block chaining (CBC) mode. Additionally, the client appends the encrypted file size and the HMAC-SHA1 signature to the end of encrypted file for integrity checking. It then sends the encrypted file and the metadata onto the cloud. 48

7 Download (file): The client fetches the file and policy metadata information from the cloud. It decrypts the file after checking the integrity of the encrypted file. Revoke (policy): The key manager permanently revokes the specified policy upon request of client. All files associated with the policy will be deleted. Renew (file, new-policy): The client first retrieves the metadata of the given file and updates the metadata with the new policy. Finally, it sends the metadata based on new policy back to the cloud ABE with Verifiable Outsourced Decryption Attribute-based encryption (ABE) [19] is a type of public-key based encryption where encryption and decryption of data are performed based on user attributes and access policies. It provides flexible access control over the encrypted data stored in the cloud by access polices and attributes associated with private keys and ciphertexts. There exist several ciphertext-policies ABE (CP-ABE) [20], [21]. In a CP-ABE scheme, every ciphertext is associated with an access policy on attributes, and every user s private key is associated with a set of attributes. A user can decrypt a ciphertext only if the set of attributes associated with the user s private key satisfies the access policy associated with the ciphertext. In most of the existing ABE schemes, the decryption operation is expensive because, the number of pairing operations required to decrypt a ciphertext increase when the complexity of the access policy increases. Figure 2. ABE System with outsourced decryption Green et al., in his paper [22] proposed an Attribute-Based Encryption system with outsourced decryption that reduces the decryption overhead for clients at a certain level. In this system, a user provides a cloud service provider a transformation key TK that helps the cloud to translate any ABE ciphertext CT into a simple ciphertext SCT (refer Figure 2) based on the user s attributes or access policy. Thus, it largely eliminates the computational overhead of the user to recover the original message from the transformed simple ciphertext message. Security of an ABE with outsourced decryption ensures that an opponent, including an un-trusted cloud not to learn anything about the encrypted message. This scheme does not guarantee that the transformation done by the cloud is correct or not. The secure ABE scheme with outsourced decryption proposed by Green et al. is not verifiable; moreover, this method relies on Random Oracles (RO) [23]. This model consists of five algorithms: Setup(), Encrypt(), Keygen-Out( (), Transform() ), Decrypt-Out(). According to the definition of Green et al. [22], the algorithm Decrypt-Out() recovers the plaintext from the private key of the user and the transformed ciphertext, not considering the original ciphertext. This omission of the original ciphertext makes it difficult to find the correctness of the transformationn under the definition of [22]. In paper [24], ABE with verifiablee outsourced decryption is addressed where; a user can efficiently check the correctness of the transformation made by the cloud. They proved the security and verifiability of this scheme without relying on random oracles. The model with verifiability [24] consists of the following seven algorithms instead of five algorithms as in [22]. Setup() - Generate public parameters and a secret key, Keygen() - Generate a private key, Encrypt() - Creates ciphertext from the message and an access structure, Decrypt() - Outputs a message from a private key and a ciphertext, GenTk() - Outputs a transformation key and the corresponding retrieving key, Transform-Out() - Outputs a partially decrypted ciphertext, Decrypt-Out() - Outputs plain text from a ciphertext CT, partially decrypted ciphertext SCT and a retrieving key. 49

8 This scheme reduces the computation time required for resource-limited devices to recover plaintexts. Here the algorithm Decrypt-Out() takes the transformed ciphertext and the original ciphertext to obtain the message, and a small portion of the original ciphertext is enough to check the correctness of the transformation Secure Multi-Owner Data Sharing: Mona This is a cloud storage system [13] which provides an efficient and secure multi-owner data sharing scheme for sharing group resources in the cloud by preserving the identity privacy of the user. It offers flexible sharing services by any member in the dynamic group. Salient features of Mona include 1) Any user in the group is allowed to share data securely with others, 2) Ability to support dynamic groups, 3) New granted users can directly decrypt the data files stored in the cloud without contacting the data owners, 4) User revocation can be done easily without changing the private keys of the remaining users and 5) Provide privacy-preserving access control to users, which permit any member of a group to anonymously use the cloud services. The system model consists of three entities: 1) The cloud which provides un-trusted storage services, 2) Group manager is responsible for new user registration, revocation, and tracing the real identity of a data owner when disputes occur and 3) Group members are a set of permitted or registered users they store and share their data with others in the group. Regarding security, this paper focuses the following areas: 1) Access control (protecting the data from unauthorized access), 2) Data confidentiality (incapable of learning the content of the stored data), 3) Anonymity and traceability (accessing the cloud without revealing the real identity of the user) Basic Mona Operations System Initialization: Done by the group manager, which generates system parameter using hash function and symmetric encryption algorithm. User Registration: Each user A is registered with identity ID A, user A obtains a private key which is then used for group signature generation and file decryption. User Revocation: Performed by the group manager via the creation and updating of the revocation lists (RL). RL is bounded by the signature, which then moves to the cloud. File Generation: To store or share the file the group manager performs the following steps. The user sends the request to obtain the revocation list (RL) from the cloud using group identity. After verifying the validity of the RL, the data file F is encrypted. The message format for uploading the data includes a group-id, Data-ID, Ciphertext, Hash, Time and Group Signature. This is then uploaded into the cloud server, and Data-ID is added into the shared data list by the manager. Upon receiving the data, the cloud server first performs its validity check using a group signature, revocation verification and finally store the data file into the cloud. File Deletion: This is done by either the group manager or the data owner. To delete a file, the group manager generates a signature and sends the signature along with Data-ID (unique data file identity) to the cloud. The deletion will be taking place in the cloud if the hash value created is equal to the hash value contained in the file. File Access: To access the shared file, a member gets the data file and the RL from the cloud server by sending a data request. Then it performs the revocation verification. The file is decrypted after verifying the validity of the file. The downloaded file format coincides with that of the uploaded file. Traceability: When a data dispute occurs, the group manager performs the tracing operation to find the real identity of the data owner. Given a signature, the group manager uses his private key to compute the real identity of the owner. 5. Comparative Analysis Provable data possession scheme [5] minimizes the file block accesses and the server side computation. It requires a small amount of communication per challenge thus it reduces the clientserver communication. Homomorphic verifiable tags help to verify data possession without having access to the actual data file. 50

9 Methods 1. Basic Provable Data Possession [5] 2. Scalable PDP [6] 3. Proofs Of Retrievability (POR) [7] 4. Public auditing scheme by TPA [10] 5. Erasure Code based cloud storage system [12] 6. FADE: Access control and assured deletion [15] 7. Attribute-Based Encryption (ABE) [24] 8. Multi-Owner Data Sharing: Mona [13] Query Support & Verifiability Allows unlimited number of queries. Public key based approach thus allows public verifiability. Allows a prefixed number of queries. It uses symmetric key cryptography, so third party verification is not possible. The number of verification is limited and fixed a priori. Encryption is done using secret key. It supports public verifiability and batch auditing. This method integrates encryption, encoding, and forwarding. Correctness of data is addressed by a threat model against chosen plaintext attack. FADE is designed with the underlying assumption that the encryption mechanism is secure. So it doesn t address the public verifiability. It allows the user to check the correctness of the transformation made by the cloud during outsourced decryption. It is not an integrity checking protocol, but provides secure sharing of data, Table 1. Comparative Analysis Outsourcing Technique Files are encrypted and outsourced. Possession verification tags over data blocks are created and outsourced, along with the data file. Best suited for encrypted files. It encrypts the file F and randomly embeds a set of check blocks called sentinels. The encoded files (Reed Solomon codes) along with homomorphic authenticators are outsourced. Encrypted messages are encoded by the storage server and stored. The client sends the encrypted file along with the metadata (Encrypted file size, signature, policies associated with the file) onto the cloud. Encrypted data with access polices and attributes associated with private keys and ciphertexts are stored in the cloud. Files are encrypted and stored. The message format of a file includes group- Dynamicity Support It considers static type data only. It supports dynamic operations in block level, such as block level modification, deletion and append. POR protocol is designed to protect a static archived file. Support of fully dynamic data operations, including block insertion, deletion and modification. Data storage, data forwarding, and data retrieval operations are addressed without data dynamicity. Clients interact through upload, download, revoke and renew operations. It focuses controlled access and assured deletion. It focusses verifiable outsourced decryption without data dynamicity. It supports file upload, file deletion, file access and traceability of files Key Components Homomorphic verification tags. Erasure codes, cryptographic hash functions such as SHA-1, SHA-2 are used. Symmetric-key cryptography and efficient error coding. PKC based homomorphic authenticators (BLS or RSA signatures) are used. Threshold proxy re-encryption scheme integrated with erasure code over exponents. 128-bit AES with cipher block chaining (CBC) mode for encryption, HMAC-SHA1 signatures for integrity checking are used. Ciphertext policy ABE scheme, LSSS (Linear Secret Sharing Scheme) access structures are used. Group signature and dynamic broadcast encryption 51

10 anonymity, data confidentiality and traceability of files. id, data-id, ciphertext, hash, time and group signature. in a dynamic group. techniques are used for data sharing with others. This scheme helps us to verify possession of large datasets by sampling the server s storage. The light-weight and provably secure PDP scheme [6] exceeds prior work in the aspect of storage, bandwidth and computation overheads. It also supports block level dynamic operations, thus allows outsourcing of dynamic data. This scheme is built over symmetric key cryptography so it is unsuitable for verification by third-party. The Sentinel-based POR protocol is suitable for real-world application [7], enable more flexible and cost-effective storage architectures. It provides quality-of-service assurance, i.e. a file can be retrieved within a certain time bound. POR provides more rigorous and dynamic enforcement of service policies and at the same time it leads to a number of possible directions for future research. Since this protocol is designed to protect a static archived file F, partial updates to F would weaken the security guarantees of this protocol. The problem of partial file updates through the dynamic addition of sentinels or MACs are not addressed. Another research lies in the implementation of efficient, practical POR system by changing the design attributes, modeling methods, protocol variants and tradeoffs with service assurances. Paper [10] provides a simultaneous public auditability scheme for checking the integrity of remote data by constructing a verification protocol with the support of dynamic data files through the use of bilinear aggregate signature and Merkle Hash Tree (MHT) construction. Evaluating the quality of service from a different perspective or objective by TPA is still a challenging task. In paper [12], the threshold proxy re-encryption scheme is used that supports data forwarding operations in a distributed way. This system has key servers and storage servers; storage server is responsible for encoding and re-encryption, and key server is responsible for partial decryption. Proxy re-encryption scheme significantly reduce the communication and computation cost of the owner. Here the communication cost of the owner is independent of the length of the message. The storage servers perform the re-encryption operation instead of the owner using the re-encryption key provided by him. Thus, the computation cost of re-encryption operation depends on the storage servers. It supports robust data storage. FADE [15], present access control and policy-based file assured deletion, in which files are deleted and made unrecoverable by anyone when their associated file access policies are revoked. The time performance of FADE (File transmission time, Metadata transmission time, Cryptographic operation time) drops when the size of the data file is large, the time will increase when the number of policies associated with a file increase. Verifiable outsourced decryption [24] ensures that an opponent not to learn anything about the encrypted message and verifiability allows a user to check on the correctness of the transformation made by the cloud. Outsourcing substantially reduces the computation time required for devices with limited computing resource to recover the plaintext. The bulk of the decryption operation is now handled by the proxy. The transformed ciphertext is not only much efficient to decrypt but also much smaller in size. In this implementation, each partially-decrypted ciphertext has a constant size of 392 bytes, regardless the complexity of its corresponding ciphertext policy. The paper Mona [13] achieves efficient access control, support of data confidentiality, hiding the real identity of the cloud user (anonymity) and traceability. Revoked users cannot utilize the cloud after their revocation. In Mona, the format of the message creates the extra storage overhead, to store the file about 248 bytes. The computation cost of client in Mona depends upon the number of revoked users. If the number of revoked user increases the cost also increases. The computation cost of the cloud is independent of the size of the requested file either for access or for deletion operation, because the size of the signed message is constant. Any authorized cloud user can anonymously share data with other cloud users using group signature and dynamic broadcast encryption methods. The encryption computation cost and storage overhead of this scheme are independent of the number of revoked users. 52

11 6. Future Research Directions There are several challenges associated with auditing online storage services. A more challenging problem is periodical integrity verification of the file without explicit knowledge of the full file i.e., without the local copies of the data file. The server must respond every user s query. The absence of this represents partial or total data loss due to hardware failure, management problems or by some threats. The server may convince the client by hiding the data loss. Many schemes have been proposed to find the server misbehavior. Some schemes use probabilistic proof of data possession. Some schemes use sentinels hidden among the regular blocks to detect data modifications by the server. Some schemes can be applied to the encrypted files only. Many of the schemes support limited and fixed number of queries. Detecting the misbehavior of the server for large file system with unlimited number of client query support is still a challenge. Outsourcing the encrypted data and allowing query support and fully dynamic data operations over the encrypted data is also an important issue. Many schemes need preprocessing or encoding prior to storage. This step increases some computational overhead beyond that of simple encryption or hashing as well as larger storage requirement of the service provider. Most of the schemes consider three performance parameters 1) Computational Complexity: It includes the cost to preprocessing a file (Meta data generation, MAC, etc.) to produce a proof of preprocessing, verification of that proof, 2) Block access Complexity: Total number of blocks needed to proof the data possession and 3) Communication Complexity: The amount of data transferred in between the client and server to achieve the above three processes. To produce the scalable and efficient solution all the three cost must be minimized, supporting a constant network communication is also essential. To meet the performance goal PDP schemes provide probabilistic proof of data possession by accessing a random subset of blocks. Accessing all the file blocks is essential to achieve the deterministic guarantee. However, sending the entire file block to the client as a proof of data possession increases the bandwidth to arbitrarily large. Reducing the client and server side computation is also essential, but some schemes provide better performance at server side some on client side. Some schemes analyzed storage and computation complexities, correctness and security of a cloud storage system in terms of storage cost, computation cost and the correctness of a file. Some schemes consider time performance including file transmission time, metadata transmission time and cryptographic operation time. So, designing a system incorporating both time and cost benefits is very important. There should not be any restriction on the format of the data, so the system must be data format independence. Support of multiple files by a single client is also needed. Erasure codes help detect small changes to the file and possibly recover the entire file from the subset of its blocks. But erasure codes are very costly and impractical to file with a very large number of blocks. Encoding the file will expand the original file size and make impractical to do dynamic operations on files. Providing quality of service guarantee in terms of correctness of data, computation complexities, secure storage and response of client queries is another challenge to consider. 7. Conclusion Cloud storage is much more beneficial and advantageous than the earlier traditional storage systems, especially in scalability, cost reduction, portability and functionality requirements. Even though Cloud provides benefits to users, security and privacy of stored data in the cloud are still major issues in cloud storage. This paper presented a survey on issues in outsourcing the data, and the integrity checking protocols along with secure storage techniques in Cloud computing. Finally, comparative analysis and future research directions have been presented. Designing an efficient cloud storage system with secure access control and dynamic operations support, providing an audit service to check the data integrity and availability is still a hot topic in research. 8. References [1] Rajkumar Buyya, Chee Shin Yeo and Srikumar, Venugopal, Market-oriented cloud computing: Vision, hype, and reality for delivering IT services as computing utilities, In Proceedings of the 53

12 10th IEEE International Conference on High Performance Computing and Communications, pp. 5-13, [2] Ang Li, Xiaowei Yang, Srikanth Kandula and Ming Zhang, Comparing Public Cloud Providers, IEEE Internet Computing, Vol. 15, no. 2, pp , [3] Kui Ren, Cong Wang, and Qian Wang, Security Challenges for the Public Cloud, IEEE Internet Computing, vol. 16, no. 1, pp , [4] Lori M. Kaufman, Data Security in the World of Cloud Computing, IEEE Security & Privacy, vol. 7, no. 4, pp , [5] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, Provable data possession at untrusted stores, ACM CCS, pp , [6] Giuseppe Ateniese, Roberto Di Pietro, Luigi V. Mancini, and Gene Tsudik, Scalable and Efficient Provable Data Possession, Secure Communication, ACM September [7] Juels and B. Kaliski, PORs: Proofs of Retrievability for Large Files, ACM CCS, pp , [8] Yevgeniy Dodis, Salil Vadhan, and Daniel Wichs, Proofs of Retrievability via Hardness Amplification, TCC 2009, pp , [9] Hovav Shacham and Brent Waters, "Compact Proofs of Retrievability, ASIACRYPT 2008, pp , [10] Qian Wang, Cong Wang, Kui Ren, Wenjing Lou, Jin Li, Enabling Public Auditability and Data Dynamics for Storage Security in Cloud Computing, IEEE Transactions on parallel and Distributed Systems, vol.22, no.5, pp , May [11] R. C. Merkle, Protocols for Public key Cryptosystems, Proc. IEEE Symposium on Security and Privacy 80, pp , [12] Hsiao-Ying Lin, and Wen-Guey Tzeng, A Secure Erasure Code-Based Cloud Storage System with Secure Data Forwarding, IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp , June [13] Xuefeng Liu, Yuqing Zhang, Boyang Wang, and Jingbo, Yan, Mona: Secure Multi-Owner Data Sharing for Dynamic Groups in the Cloud, IEEE Transactions On Parallel And Distributed Systems, vol. 24, no. 6, pp , June [14] R. Perlman, File System Design with Assured Delete, In Proc. Network and Distributed System Security Symp. ISOC (NDSS), [15] Yang Tang, Patrick P.C. Lee, John C.S. Lui, and Radia Perlman, Secure Overlay Cloud Storage with Access Control and Assured Deletion, IEEE Transactions On Dependable and Secure Computing, Vol. 9, no. 6, pp , November/December [16] Shamir, How to Share a Secret, ACM Comm., vol. 22, no. 11, pp , Nov [17] Reenu Sara George and Sabitha S, Survey on Data Integrity in Cloud Computing, IJARCET, vol.2, No.1, Jan [18] V. Goyal, O. Pandey, A. Sahai, and B. Waters, Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data, Proc. 13th ACM Conf. Computer and Commucation Security (CCS), pp , [19] N. Attrapadung, J. Herranz, F. Laguillaumie, B. Libert, E. de Panafieu, and C.Ràfols, Attribute- Based Encryption Schemes With Constant-Size Ciphertexts, Theor. Comput. Sci., vol. 422, pp , [20] J. Bethencourt, A. Sahai, and B. Waters, Ciphertext-policy attribute based encryption, in Proc. IEEE Symp., Security and Privacy, pp , [21] L. Cheung and C. C. Newport, Provably secure ciphertext policy ABE, Proc. ACM Conf. Computer and Communications Security, pp , [22] M. Green, S. Hohenberger and B.Waters, Outsourcing the decryption of ABE ciphertexts, Proc. USENIX Security Symp., San Francisco, CA, USA [23] M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, in Proc. ACM Conf. Computerand Communications Security, pp , [24] Junzuo Lai, Robert H.Deng, Chaowen Guan, AND Jian Weng, Attribute-Based Encryption with Verifiable Outsourced Decryption, IEEE Transactions on information forensics and security, vol. 8, no.8, pp , August