
Empowering security and performance of TPA pertinent in single cloud to Multi-cloud




R. Sugumar, Asst. Prof.,
Department of Computer Science,
CAHCET, Melvisharam,
Vellore District, Tamil Nadu, India.
sugumar_prof@rediffmail.com

Abstract
The use of cloud computing has increased rapidly in many organizations, and it is also deployed alongside technologies such as 3G, 4G and pervasive applications. Ensuring security is a major factor in the cloud computing environment, because users often store sensitive information with cloud storage providers (CSPs) that may be untrusted. Even when a TPA audits the users' data for correctness and integrity, dealing with a single cloud provider is predicted to become less popular because of service availability failures, the possibility of malicious insiders and Byzantine faults in the single cloud. A movement towards Multi-Clouds, also called inter-clouds or clouds-of-clouds, has emerged recently; hence we need to protect user data in Multi-Clouds with greater security, in the form of public batch auditing and dynamic certification that provide continuous monitoring from single to Multi-Clouds. To this end we implement Ciphertext-Policy Attribute-Based Encryption (CP-ABE) [6] to achieve secure data sharing with forward and backward security, improving the security and performance of the single-to-multi-cloud environment for a large number of users [18].


Dr. A. Rajesh, Professor and Head,
Department of Computer Science,
CAHCET, Melvisharam,
Vellore District, Tamil Nadu, India.
amrajesh73@gmail.com

T. S. Karthick, Asst. Prof.,
Department of Information Technology,
CAHCET, Melvisharam,
Vellore District, Tamil Nadu, India.
Karthick_ts@rediffmail.com

Keywords: TPA (third party auditor), CSP (cloud service provider), CP-ABE (ciphertext-policy attribute-based encryption), TPACA (third party auditor certificate authority)
1. Introduction
The use of cloud computing has become popular among small and medium companies, which use cloud services for various reasons: to give users fast access to their applications and to reduce infrastructure costs. Whether cloud providers address the privacy and security issues in their infrastructure has the greater impact on the field of cloud computing [9].
Dealing with a single cloud has become less popular among users because of potential problems such as service availability and security risks such as malicious insiders, which affect the single cloud; so the movement from single cloud to multi-cloud has increased rapidly to overcome such issues [19].


1.1. Background
In the commercial world, various computing needs have to be provided for the users and companies that use cloud services. Reliability and availability should be maintained by the CSP in the form of data centers, which they maintain in any part of the world. Apart from this, customers are worried about their data: sensitive information such as medical records, financial information and business-related data has to be stored securely.

Fig. 1. Cloud computing with TPA
1.2. Cloud Computing Components
The cloud computing model consists of five characteristics, three delivery models and four deployment models [18].

Layer                    Cloud computing components
Five characteristics     On demand, broad network access,
                         resource pooling, rapid elasticity, measured service
Three delivery models    IaaS, PaaS, SaaS
Four deployment models   Public, Private, Community, Hybrid

Table 1: Cloud Computing Components

1.3. Cloud service provider examples
An example of IaaS is Amazon Web Services. An example of PaaS is GoogleApps. An example of SaaS is the salesforce.com CRM application. Amazon EC2 provides customers with scalable servers that give access to a large-scale distributed infrastructure, including for academic institutions. Cloud storage services such as Amazon S3, Microsoft SkyDrive or Nirvanix CloudNAS permit customers to access their data online. GoogleApps provides repositories for online collaboration tools.
1.4. Multi-cloud
The term Multi-cloud is also used for inter-clouds or clouds-of-clouds. The main objective of a Multi-cloud is to avoid dependency on any single cloud; it controls several clouds. Users' goals in using cloud computing are neither limited to nor satisfied by a single cloud, while each CSP runs its infrastructure in a different way to provide services.

Fig. 2. Example of Multi-clouds
1.5. Analysis of Multi-cloud
According to a recent IDC survey, security is the top challenge for 74% of CIOs in relation to cloud computing.
80% of company management fear security threats and loss of control of data and systems.
In October 2009, many users of Microsoft's Sidekick service lost their data for several days.
In 2009, 67% of research on cloud security concerned the single cloud and only 33% concerned Multi-Clouds.
In 2010, 80% of security research concerned the single cloud, whereas only 20% was directed at Multi-Clouds [19].
In 2011, 2012 and 2013 there was no prominent research on Multi-Clouds comparable to that on single clouds.
1.6. Security Risks in Single and Multi-clouds
When users upload sensitive information to the cloud, the CSP has the data audited by a TPA, which verifies the integrity and correctness of the data without learning its content. In a single cloud, a Byzantine failure, service unavailability, a network problem, a disaster or some other fault puts the user's data at risk. Even when the data are protected with cryptosystems, the CSP cannot rule out the risk involved in either a single cloud or a Multi-cloud.
2. System Model and Architecture
In this architecture the owner uploads data, encrypted with a cryptosystem, to semi-trusted cloud servers. When users want to access data on the cloud servers, they must be registered with the Certificate Authority, which issues each user an authentication certificate for data access. After obtaining the certificate, users and owners share the data subject to attribute verification.

2.1. Framework for Multi-cloud Security
This framework consists of six steps that carry out the security model.
2.1.1. Step 1: System Initialization: System initialization sets up the TPA Certificate Authority (TPACA) and the Attribute Authorities (AA). The TPACA provides private keys to the users and data owners. Each AA holds the private key shared between users and data owners, which is used for verification.


Fig. 3. System Architecture

2.1.2. Step 2: Generation of Secret Key by TPACA: When data owners upload their data, each component m is encrypted with a content key using a symmetric method; the content keys are then encrypted by running $\{GPK, (PK_{aid_{1..n}})\}$ with the authority identities $aid_k$ involved [6].
2.1.3. Step 3: Attribute Authority Setup (AAs): The AA setup algorithm is run by each attribute authority. It takes as input the attribute universe $U_{aid}$ managed by $AA_{aid}$ and outputs a secret and public key pair $(SK_{aid}, PK_{aid})$. It generates the user's secret key as

$SKeyGen(GPP, PK_{uid}, GPK_{uid}, GSK_{uid}, SK_{aid}, S_{uid,aid}) \rightarrow SK_{uid,aid}.$
2.1.4. Step 4: Data Encryption by owners: Owners first encrypt the data m with content keys using symmetric encryption methods. The encryption algorithm then takes the Global Public Parameters (GPP) and the set of public keys $\{PK_{aid_k}\}_{aid_k}$ of the attribute authorities involved, encrypts the content key K under them and outputs a ciphertext CT:

$Encrypt(GPP, \{PK_{aid_k}\}_{aid_k}, K) \rightarrow CT.$
2.1.5. Step 5: Data Decryption by users: Users run the decryption algorithm to recover the content keys and use them to decrypt the data:

$Decrypt(CT, PK_{uid}, GSK_{uid}, \{SK_{uid,aid_k}\}) \rightarrow K.$

The user runs this algorithm on the ciphertext; with the recovered K the user proceeds according to the access policy.
2.1.6. Step 6: Challenge-Response protocol: This step consists of three parts: user key generation by the AAs, secret key update by the users, and ciphertext update by the server.

$UKGen(SK_{aid}, SK_{uid}) \rightarrow UK_{aid,uid}$. The update key is generated from the secret key of the attribute authority and the user's identity, and outputs a new user key for the attributes bound to that user's identity.

$SKUpdate(SK_{uid,aid}, UK_{aid,uid}) \rightarrow SK'_{uid,aid}$. The secret key update algorithm is run by each user uid. It takes as inputs the user's current secret key $SK_{uid,aid}$ and the update key $UK_{aid,uid}$, outputs a new secret key and registers the update with the server.

$CTUpdate(CT, UK_{aid,uid}) \rightarrow CT'$. This is run by the cloud servers. It takes as input the ciphertexts that contain the attribute covered by $UK_{aid,uid}$ and uses the update key to produce the new ciphertext CT' [6].
3. System Implementation

In this section we give a detailed construction of our system model, which consists of system initialization, generation of the secret key, attribute authority setup, data encryption by owners, data decryption by users and a challenge-response protocol.

3.1. Overview
We propose a new multi-authority CP-ABE built on a single-authority scheme, constructed around a Third Party Certificate Authority that verifies the attributes of data owners and users and checks for revoked user attributes when data are accessed from the CSPs.
The TPACA, together with the data owners, accepts the registration of owners. It assigns a global user identity uid to each user and a global authority identity aid to each attribute authority in the system, so that secret keys issued by different AAs for the same uid can be tied together for decryption.
To deal with the security issue, instead of using a single system-wide public key to encrypt data, our system requires every attribute authority to generate its own public key and uses these, together with the Global Public Parameters (GPP), to encrypt the data; this prevents the CA from decrypting the ciphertexts.
For the challenge-response protocol, user key generation (UKGen) is carried out with the attribute identity, the secret key is updated with the user's attribute key and the identity of the AAs, and the update is recorded on the CSP servers. Finally, the ciphertext is updated once the user key has been generated on the cloud server, and the updated ciphertext is issued to users when they want to access data on the cloud servers with the attributes shared between users and data owners.

3.1.1. System Initialization
In system initialization the TPACA and the AAs run the third-party audit and assign attributes to users and data owners, who hold the private keys that match the Global Public Parameters (GPP). The TPACA chooses the parameters $r_1, r_2, \ldots, r_n$, which pair the private keys of users and data owners used to upload data. First, users and data owners register; the registration scheme asks for the attributes of the users and data owners, and the published parameters are

$GPP = \{g_1^{r_1}, g_2^{r_2}, \ldots, g_n^{r_n}\}.$

3.1.2. Generation of Secret Key by TPACA
When data owners upload data with some attributes, the data are encrypted under the attribute authority identity (aid) and then authenticated with the certificate identity (uid) issued by the TPACA:

$GPK = \big(PK_{uid_1,aid_1} = g_1^{r_1 \cdot uid_1 \cdot aid_1}, \ldots, PK_{uid_n,aid_n} = g_n^{r_n \cdot uid_n \cdot aid_n}\big) = GPK_{uid_{1..n},\,aid_{1..n}}.$

3.1.3. Attribute Authority Setup (AA)
In this algorithm the collection of user attributes and data owner attributes is stored in a data set, from which the secret key is obtained by matching the public key pair of $AA_{aid}$ given as input:

$SKeyGen(GPP, PK_{uid}, GPK_{uid}, GSK_{uid}, SK_{aid}, S_{uid,aid}) = \{GPK, (PK_{aid_{1..n}})\ \text{with}\ uid_K\} = SK_{uid_n,\,aid_n}.$

3.1.4. Data Encryption by owners
Before hosting the data m on the cloud servers, the data owner proceeds as follows. First, it divides the data into several components $m = \{m_1, \ldots, m_n\}$ according to logical granularities, e.g. {name, address, D.O.B., employee, salary, phone number}. Second, it encrypts the components with different content keys $\{K_1, \ldots, K_n\}$ using symmetric encryption methods. Third, it defines an access structure $M_i$ for each content key $K_i$ ($i = 1..n$). The encryption algorithm takes GPP and the public keys of all the AAs in the data set and produces the ciphertext

$Encrypt(GPP, \{PK_{aid_k}\}_{aid_k}, K) = K \cdot \Big(\prod_{aid \in AAs} PK_{aid}\Big)^{k} = K \cdot (PK_{aid_1} \cdots PK_{aid_n})^{k} = CT.$

3.1.5. Data Decryption by users
After the data are uploaded to the cloud servers, a user who wants to access them would, in the normal scenario, log in to the CSP and be authorised to download on the strength of the normal registration alone. In our system we provide an interface that stops the user at this point: the TPACA judges the user against authentication entities (attributes) that have already been issued by the data owners. If the user authenticates, the ciphertext CT is provided together with the user's attribute keys; if the attributes are correct the user is able to download and decrypt the data. The decryption algorithm used for ciphertext verification is

$Decrypt(CT, GPK_{uid}, GSK_{uid}, \{SK_{uid,aid}\}) = K,$

computed as

$\prod_{aid \in AAs} K_{aid}^{\,k \cdot uid_k} = \prod_{aid \in AAs} g^{uid \cdot r_{uid..n}},$

so that from $(CT, GPK_{uid}, GSK_{uid})$ the user obtains $K_{uid}$.
Then the user can use the decrypted content key K to decrypt the encrypted data component.

4. Security Analysis
We show that our data access control is secure by achieving both forward and backward security: at upload the data are encrypted under the attribute authority identity $AA_{aid}$ and $GPP_{uid,aid}$, and from $CT$, $GPK_{uid}$ and $GSK_{uid}$ the authorised user obtains $K$ to decrypt the content [6].

4.1. Forward Security
After each attribute revocation operation, the version of the revoked attribute is updated. When new users join the system, their secret keys are associated with the latest version of the attributes. However, previously published ciphertexts are encrypted under the old attribute version. The ciphertext update algorithm in our protocol updates previously published ciphertexts to the latest attribute version, so that newly joined users can still decrypt previously published ciphertexts if their attributes satisfy the access policies associated with the ciphertexts. This guarantees forward security [6].

4.2. Backward Security
During the secret key update phase, the corresponding AA generates an update key for each non-revoked user. Because the update key is associated with the user's global identity uid, the revoked user cannot use the update keys of other non-revoked users to update its own secret key [6], even if it can compromise some non-revoked users. Moreover, even if the revoked user can corrupt some other AAs, the uid-bound item in the secret key prevents users from updating their secret keys with the update keys of other users. This guarantees backward security.
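The following Python is an added worked example, not code from this paper or from [6]. It carries Steps 1 to 6 of Section 2.1 and the Encrypt/Decrypt/CTUpdate algebra of Sections 3.1.4 and 3.1.5 through in a plain multiplicative group, and then runs the forward- and backward-security checks of Sections 4.1 and 4.2. Assumptions: the group Z_p^* with p = 2^521 - 1 (a Mersenne prime) and g = 3 is a demonstration parameter only; the pairing-based CP-ABE of [6] is replaced by ElGamal encryption to the product of the authority public keys, PK_aid = g^{r_aid} and CT = (g^k, K (prod PK_aid)^k), which keeps the page's formulas but not their collusion resistance (see the note after the code); the users alice, bob and carol, the two authorities, the attributes and the data components are constructed sample data.

```python
import hashlib
import math
import secrets
from dataclasses import dataclass, field

# Demonstration group Z_p^* with p = 2**521 - 1 (a Mersenne prime) and g = 3:
# assumed for this worked example only, not a parameter choice for deployment.
P = 2**521 - 1
Q = P - 1            # exponents are reduced mod the group order
G = 3

def rand_exp() -> int:
    return secrets.randbelow(Q - 2) + 1

def sym_crypt(k: int, data: bytes) -> bytes:
    """Symmetric layer of Step 4: XOR with a keystream derived from content key K.
    Self-inverse, so it also decrypts; each component m_i gets its own K_i."""
    stream = hashlib.shake_256(k.to_bytes(66, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class User:
    uid: int                                 # global identity issued by the TPACA (Step 1)
    sk: dict = field(default_factory=dict)   # (aid, attr) -> SK_{uid,aid}

@dataclass
class CT:
    c0: int          # g^k                                   (Step 4 output, kept on server)
    c1: int          # K * (prod_{aid in policy} PK_aid)^k
    policy: tuple    # AND access structure M_i over (aid, attr) pairs
    body: bytes      # data component m_i under content key K_i

class AttributeAuthority:
    """Steps 3 and 6: secret r_{aid,x} per attribute, PK_aid = g^{r_{aid,x}}."""
    def __init__(self, aid: str, attrs) -> None:
        self.aid = aid
        self.r = {x: rand_exp() for x in attrs}
        self.holders = {x: set() for x in attrs}

    def skeygen(self, user: User, attr: str) -> None:
        """SKeyGen -> SK_{uid,aid}. In this plain-group toy the key is the
        attribute secret itself, which is why collusion is NOT prevented."""
        self.holders[attr].add(user.uid)
        user.sk[(self.aid, attr)] = self.r[attr]

    def revoke(self, attr: str, uid: int, users, store: dict) -> None:
        """Step 6: new version key r' = r + UK; UKGen hands UK only to the
        non-revoked holders (SKUpdate), then the server runs CTUpdate."""
        self.holders[attr].discard(uid)
        uk = rand_exp()
        self.r[attr] = (self.r[attr] + uk) % Q
        for user in users:
            if user.uid in self.holders[attr]:              # SKUpdate
                user.sk[(self.aid, attr)] = (user.sk[(self.aid, attr)] + uk) % Q
        ct_update(store, (self.aid, attr), uk)

def ct_update(store: dict, key: tuple, uk: int) -> None:
    """CTUpdate, run by the semi-trusted server without learning K:
    C1' = C1 * C0^UK = K * (prod PK'_aid)^k, because PK' = PK * g^UK."""
    for ct in store.values():
        if key in ct.policy:
            ct.c1 = ct.c1 * pow(ct.c0, uk, P) % P

def encrypt(aas: dict, policy, data: bytes) -> CT:
    """Step 4 / 3.1.4: CT = (g^k, K * (prod PK_aid)^k) plus the data under K."""
    k, K = rand_exp(), pow(G, rand_exp(), P)
    y = math.prod(pow(G, aas[aid].r[attr], P) for aid, attr in policy) % P
    return CT(pow(G, k, P), K * pow(y, k, P) % P, tuple(policy), sym_crypt(K, data))

def decrypt(user: User, ct: CT):
    """Step 5 / 3.1.5: K = C1 / C0^{sum SK}; None if an attribute is missing.
    A stale pre-revocation key leaves a factor g^{k*UK} and yields garbage."""
    if any(key not in user.sk for key in ct.policy):
        return None
    s = sum(user.sk[key] for key in ct.policy) % Q
    return sym_crypt(ct.c1 * pow(ct.c0, -s, P) % P, ct.body)

def demo() -> dict:
    hr = AttributeAuthority("HR", ["employee"])
    fin = AttributeAuthority("Finance", ["payroll"])
    aas = {"HR": hr, "Finance": fin}
    alice, bob = User(1), User(2)
    hr.skeygen(alice, "employee"); hr.skeygen(bob, "employee"); fin.skeygen(alice, "payroll")
    # 3.1.4: one content key and one policy per data component (constructed sample data)
    name, salary = b"name=employee-0042", b"salary=CONFIDENTIAL"
    store = {"name": encrypt(aas, [("HR", "employee")], name),
             "salary": encrypt(aas, [("HR", "employee"), ("Finance", "payroll")], salary)}
    out = {"alice_reads_salary": decrypt(alice, store["salary"]) == salary,
           "bob_reads_name": decrypt(bob, store["name"]) == name,
           "bob_denied_salary": decrypt(bob, store["salary"]) is None}
    fin.revoke("payroll", alice.uid, [alice, bob], store)       # Step 6
    carol = User(3)                                              # joins after the revocation
    hr.skeygen(carol, "employee"); fin.skeygen(carol, "payroll")
    out["alice_stale_key_fails"] = decrypt(alice, store["salary"]) != salary      # 4.2
    out["carol_reads_updated_old_ct"] = decrypt(carol, store["salary"]) == salary  # 4.1
    return out

if __name__ == "__main__":
    print(demo())
```

Running the file prints the five checks, all True: the AND policy fails when any attribute key is missing, the server re-keys the stored ciphertext without ever seeing K, the user who joined after the revocation decrypts the re-keyed old ciphertext (forward security), and the revoked user's stale key no longer cancels the exponent (backward security). The limitation is the point of [6]: here SK_{uid,aid} is the raw attribute secret and UK is the same value for every holder, so two users can pool keys and a revoked user handed someone else's update key follows the version change. The pairing-based construction ties SK and UK to uid to close exactly that gap, which is also why the scheme assumes a semi-trusted server that does not collude with revoked users.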

5. Performance Analysis
To evaluate the performance of CP-ABE, we conducted several experiments on a virtual machine hosted on a Core 2 Duo machine, using the jPBC library [20]. We measured the time required for encryption and decryption under various scenarios, and also the ciphertext size overhead, which is an acceptable storage cost: Table 2 shows a constant 2 KB added regardless of the file size.
The encryption and decryption times of CP-ABE show a significant linear correlation with the size of the published content and with the complexity of the access policy. Considering file size, even a file of 120 MB costs less than 6 seconds. Considering access policy complexity, encryption and decryption for an access-control tree with 80 leaves still take no more than 6 seconds.



Fig. 4. CP-ABE encryption and decryption time cost: (a) the x-axis corresponds to the complexity of the access policy.

Fig. 5. CP-ABE encryption and decryption time cost: (b) the x-axis corresponds to the complexity of access


6. Conclusion
It is clear that although the use of cloud computing has increased rapidly, cloud computing security remains a major issue, and at the same time users do not want to lose their data. With the proposed method, even if a failure occurs in the cloud environment through malicious insiders, a Byzantine fault or a server crash in a disaster, users can recover their data with correctness, integrity and consistency from the cloud service providers. Greater security is thus obtained whether the user processes data in a single cloud or in Multi-Clouds, with higher performance.
7. References
[1] He Kai, Huang Chuanhe, Wang Jinhai, Zhou Hao, Chen Xi, Lu Yilong, Zhang Lianzhen, Wang Bin (Computer School, Wuhan University, Wuhan, China). An Efficient Public Batch Auditing Protocol for Data Security in Multi-Cloud Storage. 2013 8th Annual ChinaGrid Conference.

[2] Sajjad Hashemi (Department of Computer Engineering, Science and Research Branch, Islamic Azad University, West Azarbayjan, Iran). Data Storage Security Challenges in Cloud Computing. International Journal of Security, Privacy and Trust Management (IJSPTM), Vol. 2, No. 4, August 2013.


Published     File size (KB)                             Added size
content ID    Before encryption    After encryption      (KB)
 1               239                  241                 2
 2               473                  475                 2
 3               951                  953                 2
 4              1843                 1845                 2
 5              3711                 3713                 2
 6              7365                 7367                 2
 7             14844                14846                 2
 8             29511                29513                 2
 9             58678                58680                 2
10            116632               116634                 2

Table 2. File size before and after encryption of CP-ABE.


[3] Ashish Bhagat, Ravi Kant Sahu (Lovely Professional University, India). Using Third Party Auditor for Cloud Data Security: A Review. International Journal of Advanced Research in Computer Science and Software Engineering, Vol. 3, Issue 3, March 2013.

[4] Maria R. Ebling (IBM T.J. Watson Research Center), Eyal de Lara (University of Toronto), Alec Wolman (Microsoft Research), Ada Gavrilovska (Georgia Institute of Technology). Article: The Edge of the Cloud.

[5] J. Angela Jennifa Sujana, T. Revathi (Department of Information Technology, Mepco Schlenk Engineering College, Sivakasi, India). Ensuring Privacy in Data Storage as a Service for Educational Institution in Cloud Computing. 2012 International Symposium on Cloud and Services Computing.

[6] Kan Yang, Xiaohua Jia. Expressive, Efficient and Revocable Data Access Control for Multi-Authority Cloud Storage. IEEE Transactions on Parallel and Distributed Systems.

[7] Boyang Wang, Baochun Li, Hui Li (State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an, China; Department of Electrical and Computer Engineering, University of Toronto, Toronto, Canada). Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud. 2012 IEEE Fifth International Conference on Cloud Computing.

[8] Solomon Guadie Worku, Zhong Ting, Qin Zhi-Guang (School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China). Survey on Cloud Data Integrity Proof Techniques. 2012 Seventh Asia Joint Conference on Information Security.

[9] TSAS: Third-Party Storage Auditing Service. www.springer.com/978-1-4614-7872-0.

[10] Jenn-Wei Lin, Chien-Hung Chen, J. Morris Chang. QoS-Aware Data Replication for Data-Intensive Applications in Cloud Computing Systems. IEEE Transactions on Cloud Computing, Vol. 1, No. 1, January-June 2013.

[11] Vijayaraghavan U, Madonna Arieth R, Geethanjali K (RVS College of Engineering & Technology, Pondicherry University, India). Proof of Retrievability: A Third Party Auditor Using Cloud Computing. International Journal of Emerging Technology and Advanced Engineering (www.ijetae.com, ISSN 2250-2459), Vol. 3, Issue 7, July 2013.

[12] Iryna Windhorst, Ali Sunyaev. Dynamic Certification of Cloud Services. IEEE International Conference on Availability, Reliability and Security, 2013.

[13] Huaglory Tianfield. Security Issues in Cloud Computing. 2012 IEEE International Conference on Systems, Man and Cybernetics.

[14] S. Muthakshi, T. Meyyappan (Department of CSE, Alagappa University, Karaikudi, Tamil Nadu, India). Secure Storage Services in Cloud Computing. IJCTT, Vol. 4, June 2013.

[15] http://www.hindawi.com/journals/ijdsn/2013/469076/

[16] http://www.enovance.com/en/products-solutions/cloud-services/multi-cloud/multi-cloud-management

[17] http://www.gravitant.com/solutions/solutions-by-initiative/multi-cloud-mgmt.html

[18] Md. A. AlZain et al. Cloud Computing Security: From Single to Multi-Clouds. 2012 45th Hawaii International Conference on System Sciences.

[19] Rodrigo N. Calheiros, Rajiv Ranjan, Anton Beloglazov, Cesar A. F. De Rose, Rajkumar Buyya. CloudSim: A Toolkit for Modeling and Simulation of Cloud Computing Environments and Evaluation of Resource Provisioning Algorithms. Software: Practice and Experience, 41:23-50, 2011; published online 24 August 2010 in Wiley Online Library (wileyonlinelibrary.com), DOI: 10.1002/spe.995.

[20] Fei Wang, Yongjun Xu, Lin Wu, Longyijia Li, Dan Liu, Liehuang Zhu. A PEFKS- and CP-ABE-Based Distributed Security Scheme in Interest-Centric Opportunistic Networks. International Journal of Distributed Sensor Networks, Volume 2013, Article ID 469076.
