SYMMETRIC CRYPTOGRAPHIC KEY MANAGEMENT IN CLOUD PARADIGM
Supervisor: Dr. Muhammad Awais Shibli
Presented By: Faiza Fakhar
Reg. No.: 2010-NUST-MS PhD-IT-27
Date: 12th February, 2014
AGENDA
- Overview of Cloud Computing
- Security Mechanism
- Motivation
- Thesis Problem Statement
- My Contributions
- Proposed Protocol Architecture
- Implementation Details
- Evaluation
- Conclusion
- Future Work
OVERVIEW OF CLOUD COMPUTING
Reference: Cloud Security Alliance, Security guidance for critical areas of focus in cloud computing version 3.0.
CLOUD SECURITY CONCERNS
SECURITY MECHANISM
OVERVIEW OF CRYPTOGRAPHY
Asymmetric / Symmetric
Cryptography is one of the security mechanisms. It protects information from disclosure and disruption. It is used during information exchange and secure storage of data. One important aspect of cryptography is key management,
OVERVIEW OF CRYPTOGRAPHIC KEY MANAGEMENT
MOTIVATION
Literature Review
LITERATURE REVIEW
- In domain eleven of its guide, the Cloud Security Alliance identifies cryptographic key management in public or hybrid clouds as a challenge.
- The new technology section highlights that a cloud-based key management system is required.
- NIST highlights cryptographic key management at the premises of a public cloud provider as an issue in a draft
Reference: Cloud Security Alliance, Security guidance for critical areas of focus in cloud computing version 3.0, visited at http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf on 26th December 2011.
Reference: Elaine Barker, Dennis Branstad, Santosh Chokhani and Miles Smid, Cryptographic Key management workshop summary, NIST Interagency report 7609 at Computer Security Division, National Institute of Standards and Technology, January 2010.
Reference: Wayne Jansen and Timothy Grance, Guidelines on security and privacy in public cloud computing, NIST draft Special publication 800-144 at Computer Security Division, National Institute of Standards and Technology, January 2011.
LITERATURE REVIEW
Issues for consumers of public/hybrid cloud
- No access to physical servers.
- Data locality problem.
- Multitenant environment.
- Local laws and jurisdiction.
- Different data threats in the cloud environment.
Lack of key management techniques on cloud
- Cryptographic keys cannot be shared or stored securely in the cloud paradigm.
- Searching or manipulating encrypted data is challenging in the cloud, as cryptographic keys are not available and the data cannot be decrypted.
THESIS PROBLEM STATEMENT
How can symmetric cryptographic keys be securely stored, retrieved and distributed in the cloud paradigm?
THIS RESEARCH CHALLENGES...
- Secure storage of symmetric cryptographic keys in the cloud.
- On-the-fly computation of the cryptographic key.
- Cryptographic key sharing in the cloud paradigm.
DEDUCTIVE RESEARCH APPROACH
- Theory: Literature survey
- Hypothesis: Can a cryptographic key be securely stored to and retrieved from cloud storage?
- Implementation: Proof of concept to find observations
- Confirmation: The proposed protocol has been evaluated in Scyther
MY CONTRIBUTIONS
- For lab: Implementation/demo of OpenStack and Amazon Cloud
- Publications: Survey paper, core paper
- Implementation: A prototype as proof of the proposed concept, with installation manual, Javadocs, WAR file, SQL script and commented code
- Verification & Validation: Scyther
SURVEY PAPER
Paper: Comparative Analysis of Security Mechanisms in Cloud Paradigm
Published in: 15th IEEE International Conference on Advanced Communication Technology (ICACT), January 27-30, 2013, Phoenix Park, Pyeongchang, Korea.
CONCEPTUAL PAPER
Paper: Management of Symmetric Cryptographic Key in Cloud based Environment.
Accepted in: 7th IEEE International Conference for Internet Technology and Secured Transactions (ICITST-2012), December 9-12, 2012, London, UK.
Published in: 15th IEEE International Conference on Advanced Communication Technology (ICACT), January 27-30, 2013, Phoenix Park, Pyeongchang, Korea.
IMPLEMENTATION DETAILS
- J2EE is used for prototype development
- Shamir's Secret Splitting Algorithm
- Bouncy Castle API for PKCS#7 implementation
- Java Security APIs for encryption/decryption
- JBoss server for deployment
- SSL support configured on the JBoss server
- MySQL database server for storage of key components
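The following is an added example, not the thesis prototype's code: it shows Shamir's secret splitting applied to a symmetric key, with the key recomputed on the fly from its components. The class name, the 3-of-4 threshold, the field prime and the use of SecureRandom as the random source are assumptions made here; the slides do not state the prototype's parameters.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
public class KeySplitDemo {
    // Field modulus: the Mersenne prime 2^521 - 1, larger than any 256-bit key (assumed choice).
    static final BigInteger P = BigInteger.ONE.shiftLeft(521).subtract(BigInteger.ONE);
    static final SecureRandom RNG = new SecureRandom(); // CSPRNG rather than java.util.Random

    // Split secret into n components {x, f(x)}; any k of them reconstruct it.
    static BigInteger[][] split(BigInteger secret, int k, int n) {
        BigInteger[] coeff = new BigInteger[k];
        coeff[0] = secret;                                   // f(0) is the key itself
        for (int i = 1; i < k; i++) coeff[i] = new BigInteger(P.bitLength() + 64, RNG).mod(P);
        BigInteger[][] shares = new BigInteger[n][];
        for (int x = 1; x <= n; x++) {
            BigInteger bx = BigInteger.valueOf(x), y = BigInteger.ZERO;
            for (int i = k - 1; i >= 0; i--) {               // Horner evaluation of f(x) mod P
                y = y.multiply(bx).add(coeff[i]).mod(P);
            }
            shares[x - 1] = new BigInteger[] { bx, y };
        }
        return shares;
    }

    // Lagrange interpolation at x = 0 recomputes the key from the supplied components.
    static BigInteger combine(BigInteger[][] shares) {
        BigInteger secret = BigInteger.ZERO;
        for (int i = 0; i < shares.length; i++) {
            BigInteger num = BigInteger.ONE, den = BigInteger.ONE;
            for (int j = 0; j < shares.length; j++) {
                if (i == j) continue;
                num = num.multiply(shares[j][0].negate()).mod(P);
                den = den.multiply(shares[i][0].subtract(shares[j][0])).mod(P);
            }
            BigInteger term = shares[i][1].multiply(num).multiply(den.modInverse(P));
            secret = secret.add(term).mod(P);
        }
        return secret;
    }

    public static void main(String[] args) {
        byte[] aesKey = new byte[32];
        RNG.nextBytes(aesKey);                               // constructed sample AES-256 key
        BigInteger secret = new BigInteger(1, aesKey);
        BigInteger[][] c = split(secret, 3, 4);              // assumed threshold: 3 of 4
        BigInteger[][] three = { c[0], c[2], c[3] }, two = { c[0], c[1] };
        System.out.println("3 components recover key: " + combine(three).equals(secret));
        System.out.println("2 components recover key: " + combine(two).equals(secret));
    }
}
```

Fewer components than the threshold interpolate a different polynomial, so a single storage location holding one component learns nothing about the key.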
HIGH LEVEL ARCHITECTURE OF PROPOSED PROTOCOL
COMMITTEE SUGGESTION ON MID DEFENSE
- Dr. Abdul Ghafoor: How to secure communication between browser and server. Evaluate the protocol using some protocol verification tools.
- Dr. Zahid Anwar: Identify specific threats for your thesis area. Clearly write assumptions.
- Dr. Fauzan: Be confident and clearly explain the problem to be solved. Threats have to be explained, and how to mitigate those threats.
ASSUMPTIONS
- We assume that the Java random number generator produces true random numbers when used in the prototype.
- We assume a single component of the cryptographic key to be the user password when implementing the prototype.
- This thesis is research based; it implements a prototype of the proposed protocol and deploys it for testing, where all settings are available for the testing environment only.
- The graphical user interface of the prototype will not be required to conform to design standards of human-computer interaction.
VERIFICATION WITH SCYTHER
Scyther is a tool used for verification and investigation of security protocols.
VERIFICATION WITH SCYTHER
Agents for Proposed Protocol
Agent Name    Description
Client        The Client agent will play the role of client.
AppServer     The AppServer agent will perform as the application or compute server, as proposed in our protocol.
DbServer1     The DbServer1 agent will perform the role of database server; we assume one database server to verify our proposed protocol.
Attributes for Proposed Protocol
Attribute Name               Description
nc                           Nonce of client
nas                          Nonce of application server
tc                           Time stamp of client
tas                          Time stamp of application server
wholekey                     Full cryptographic key
userkeycomp                  Component of cryptographic key
envelopedkeycomponentinfo    A PKCS#7 packet
connectioninfo               Connection URL for establishing connection
connectionobject             An object of connection
Skey                         Session keys
SECURITY MECHANISM USED FOR POTENTIAL THREATS
Sr. No. / Threat / Protection Granted / Protection Mechanisms
1. Data Integrity / Yes / PKCS#7 implementation and SSL provide data integrity while travelling on the network.
2. Data Authorization / Yes / PKCS#7 implementation, SSL and the user-owned component provide authorization, as other users' data cannot be accessed without knowing the user key component.
3. Network/Browser Security / Yes / SSL and PKCS#7 provide network/browser security.
4. Data Segregation / Yes / Cryptographic keys are in component form and cannot be accessed by any single user without the user-owned component.
5. Data Confidentiality / Yes / AES encryption of all components before storage provides confidentiality.
CONCLUSION
- Cryptographic keys are sensitive data and are required on the cloud platform in different cases, but cannot be stored directly on the cloud.
- This research discusses symmetric key management on the cloud:
- Secret splitting and storage of cryptographic keys.
- On-the-fly computation of the cryptographic key.
- PKCS#7 and SSL.
FUTURE DIRECTIONS
- Secret splitting algorithm.
- Lack of standards bodies and standards for trust management and privacy management.
- A future research direction is to develop a standard framework for privacy and trust management in the cloud.
REFERENCES
[1] Cloud Security Alliance, Security guidance for critical areas of focus in cloud computing version 3.0, visited on 26th December 2011 at http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
[2] Elaine Barker, Dennis Branstad, Santosh Chokhani and Miles Smid, A Framework for Designing Cryptographic Key Management Systems, NIST draft Special publication 800-130 at Computer Security Division, National Institute of Standards and Technology, 15 June 2010.
[3] Piotr K. Tysowski, M. Anwarul Hasan, Re-Encryption-Based Key Management towards Secure and Scalable Mobile Applications in Clouds.
[4] Tolga Acar, Mira Belenkiy, Carl Ellison, Lan Nguyen, Key Management in Distributed Systems, research at Microsoft, 2010.
[5] An Introduction to Strong Key, white paper, StrongAuth Inc., October 2011.
[6] Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang and Yong Tang, Trusted Data Sharing over Untrusted Cloud Storage Providers, 2nd IEEE International Conference on Cloud Computing Technology and Science.
[7] Nadia Bennani, Ernesto Damiani and Stelvio Cimato, Toward cloud-based key management for outsourced databases, 2010 34th Annual IEEE Computer Software and Applications Conference Workshops.
[8] R. Cramer, I. Damgård, and J. B. Nielsen, Multiparty computation from threshold homomorphic encryption. In B. Pfitzmann, editor, EUROCRYPT, volume 2045 of Lecture Notes in Computer Science, pages 280-299. Springer, 2001.
[9] Elaine Barker, Dennis Branstad, Santosh Chokhani and Miles Smid, Cryptographic Key management workshop summary, NIST Interagency report 7609 at Computer Security Division, National Institute of Standards and Technology, January 2010.
[10] Wayne Jansen and Timothy Grance, Guidelines on security and privacy in public cloud computing, NIST draft Special publication 800-144 at Computer Security Division, National Institute of Standards and Technology, January 2011.
[11] Shamir, A.: How to share a secret. In: Commun. ACM, vol. 22, no. 11, pp. 612-613 (1979)
[12] Rabin, M.O.: Efficient dispersal of information for security, load balancing, and fault tolerance. In: Journal of the ACM 36(2), pp. 335-348 (1989)
[13] Resch, Jason; Plank, James (February 15, 2011). "AONT-RS: Blending Security and Performance in Dispersed Storage Systems". Usenix FAST'11, 2011.
[14] S. Jaya Nirmala, S. Mary Saira Bhanu, Ahtesham Akhtar Patel, A Comparative study of the secret sharing algorithms for secure data in the cloud, International Journal on Cloud Computing: Services and Architecture (IJCCSA), Vol. 2, No. 4, August 2012.
[15] G. Zhao, S. Otenko, and D. Chadwick, Distributed key Management for secure role based messaging, in Proceedings of the IEEE 20th International Conference on Advanced Information Networking and Applications (AINA2006), Vienna, Austria, April 2006.
[16] http://www.openstack.org
THANK YOU