Empowering security and performance of TPA pertinent in
single cloud to Multi-cloud
R.Sugumar, Asst. prof., Department of computer science CAHCET, Melvisharam, Vellore District, Tamil Nadu, India. sugumar_prof@rediffmail.com
Abstract The use of cloud computing has increased rapidly in many organizations and it also deployed in technologies like 3G, 4G and pervasive applications. Ensuring the security of cloud computing is a major factor in the cloud computing environment as users often store sensitive information with cloud storage providers (CSP), but these providers may be untrusted. Even though a TPA audits the users data with correctness and integrity, dealing with single cloud providers is predicted to become less popular with service availability failure, possibility of malicious insiders and Byzantine faults in the single cloud. A movement towards Multi-Clouds or in other words inter-clouds or clouds- of- clouds has emerged recently; hence we need to protect the user data in Multi-Clouds with greater security in the form of public batch auditing and dynamic certification to perform continuous monitoring from single to Multi- Clouds, by this, it is to implement Cipher text Policy Attribute Based Encryption(CP-ABE)[6] to achieve secure data sharing and also provides forward and data sharing and also provides forward and backward security in cloud computing to improve the security and performance with many number of users using the single to multi cloud environment[18].
Dr. A.Rajesh, Professor and Head, Department of computer science CAHCET, Melvisharam, Vellore District, Tamil Nadu, India. amrajesh73@gmail.com
T.S. Karthick, Asst. prof., Department of Information Technology CAHCET, Melvisharam, Vellore District, Tamil Nadu, India. Karthick_ts@rediffmail.com. Keywords: TPA(third party auditor), CSP(cloud service provider), CP-ABE(cipher text policy Attribute based Encryption), TPACA(third party auditor certificate authority) 1. Introduction The use of cloud computing has become popular among small and medium companies use cloud computing services for various reasons to provide fast user access and their application to reduce their infrastructure costs. Cloud providers should address privacy and security issues in the infrastructure has the greater impact in the field of cloud computing[9]. Dealing with the single cloud become less popular among the users, because potential problems like service availability and security reasons like malicious insiders are the factors that affects the single cloud, so the movement of single cloud to multi-cloud has increased rapidly to overcome such issues[19].
1.1.Background In this commercial world, various computing needs are to be provided for the users and companies , who use cloud services Reliability and availability should be maintained with the CSP in the form of Data Centers, they are maintaining in any part of the world. Apart from these, customers who are worried about their data which contains sensitive information such as medical records or financial information and business related data has to be stored securely.
Fig. 1. Cloud computing with TPA 1.2.Cloud Computing Components The cloud computing model consists of five characteristics, three delivery models and four deployment models[18] Layer Cloud computing components Five characteristics On Demand Broad network access Resource pooling Rapid elasticity Measured service Three delivery models IaaS PaaS SaaS Four deployment models Public Private Community Hybrid
Table1: Cloud Computing Components
1.3Cloud service providers Examples An example of IaaS is Amazon web service. An example of PaaS is GoogleApps. An example of SaaS is the salesforce.com CRM application. Service created by Amazon EC 2
provides customers with scalable servers to access the large-scale distributed infrastructure for Academic Institutions. Cloud storages, such as Amazon S 3 , Microsoft SkyDrive, or Nirvanic CloudNas, permits customers to acces online data. GoogleApps provides repositories for online collaboration tools. 1.4.Multi-cloud The term Multi-cloud is called as inter- clouds or Clouds_of_Clouds. The main objective of Multi-cloud is to avoid depedancy on any one individual cloud and it controls several clouds. The users goal of using cloud computing is not limited or satisfied with single cloud, while each CSP hold theirs infrastructure in different way to provide services.
Fig2. Example for Multi-clouds 1.5Analysis of Multi-cloud. According to recent IDC survey, the top challenge fo 74% of CIOs in relation to cloud computing is security. 80% of company management fear security threats and loss of control of data and systems. In October 2009, many users of sidekick service in Microsoft were lost for several days. In 2009, 67% of research on security in single cloud only 33% of research was on Multi- Clouds. In 2010, 80% of research on security in single cloud, whereas only 20% was directed in area of Multi-Clouds[19]. In 2011,2012 and 2013 there was no prominent research issue on Multi-Clouds that were on single clouds. 1.6.Security Risks in Single and Multi- clouds While users upload their sensitive information to cloud, CSP audits the user data with the TPA without knowing the data, it verifies the Integrity and correctness of data. In single cloud, due to any Byzantine failure or service unavailability , network problems with disaster or some other leads the user data in risks. Even they had been protecting using Crypto systems, CSP cannot assure the risk involved in Single cloud or Multi-cloud. 2. System Model and Architecture. This architecture states that the owner uploads the data with the semi-trusted cloud servers with encrypted cryptosystems. When users want to access the data from cloud servers, users has to be maintained by the Certificate Authority who issues the authentication certificate to user to access data. After obtaining the certificate user and owners share the data with the attributes verification for data access.
2.1.Frame work for Multi-cloud Security This frame work consists of six steps to carry out the security model. 2.1.1. Step1: System Initialization: The system initialization will have TPA Certificate Authority (TPACA) and Attribute Authority (AA). The TPACA will provide private keys to the users and Data owners. Attributes Authority (AA) holds the private key which shared between users and Data owners goes for verification.
Fig.3. System Architecture
2.1.2. Step 2: Generation of Secret Key by TPACA: when Data owners upload their data with content keys m by using symmetric encryption methods, then encrypt the content keys by running the {GPK,(PK aid1n ) with aid k }[6]. 2.1.3. Step3: Attribute Authority Setup(AAs): This AAs setup algorithm is run by each attribute authority. It takes the attribute universe Uaid managed by the AAaid as input, it outputs a secret and public key pair (SKaid, PKaid). It generate secret key as SkeyGen (GPP,PK uid ,GPK uid ,GSK uid ,SK aid ,S uid,aid )S K uid,aid . 2.1.4. Step 4:Data Encryption by owners: Owners first encrypt the data m with content keys by using symmetric encryption methods as Parameters(GPP), a set of public keys ({PK aidk } aidk ) for attribute authority encryption to outputs a cipher text CT. 2.1.5. Step 5: Data Decryption by users: Users run the decryption algorithm to get the content keys and use them to further decrypt the data. Decrypt: (CT, PK uid ,GSK uid {SK uid,aidk })K. User run this decryption algorithm to get the cipher text, by this K, user goes to access policy. 2.1.6. step6: Challenge Response protocol: This step consists of three steps, User key Generation by AAs. Secret key update by users and cipher text update by server. UkGen: (SK aid ,SK uid ) UK aid,uid . This key is generated by corresponding secret key attribute identity and the user attribute identity and outputs a new user key with attributes along with users identity. SKupdate: SK uid,aid ,UK aid,uid SK uidaid .The secret key update algorithm is run by each user uid. It takes as inputs the current secret key of the users SKuidaid,UKaid,uid outputs a new secret key and updates to server. CTupdate(CT,UK uid,aid )CT. This is run by the cloudservers. It takes as inputs the cipher texts which contain the attribute UKaid,uid and update UKaid,uid as new CT[6]. 3. System Implementation
In this section, we give an detailed construction of our system model which consists of System Initialization, Generation of secret key, Attribute Authority setup, Data Encryption by owners, Data Decryption by users and a Challenge Response protocol.
3.1. Overview We propose a new multiauthority CP-ABE based on single authority, which is constructed using the Third Party Certificate Authority who verifies the attributes of Data owners, users and check the revoked user attribute when access the data from the CSPs. The TPACA with Data owners tie together accepts the registration of owners. It assigns a global user identity uid to each user and a global authority identity aid to each attribute authority in the system, secret keys issued by different AAs for the same uid can be tied together for decryption. To deal with the security issue, instead of using the system unique public key to encrypt data, out system requires all attribute authorities to generate their own public key and uses them to encrypt the data with Global Public Parameter(GPP) this prevent CA from Decryption the cipher texts. To make the Challenge Response protocol, we are making the User Key Generation (UKGen) with attribute identity and also update the secret key with user attribute key and identity of AAs and update in the CSPs servers. Finally Cipher text update is made when the user key generated in cloud server and these cipher text key and generated in cloud server and these cipher text is issued to user, when they want to access the data in cloud servers with the attributes shared between users and data owners.
3.1.1. System Initialization The system initialization contains TPACA and AAs will run the Third Party audit and Attributes assigning to users and data owners who will hold their private keys to match the Global Public Parameter(GPP), in case of verification GPP={r1,r2,rn}. When TPACA assumes the r1,r2, the parameters which will pair the private keys of users and Data owners to upload the data, first it will have the registration for user and data owners, this registration scheme will ask for attributes of users and Data GPP={g 1 r 1 ,g1r 2 .g n r n }.
3.1.2Generation of Secret Key by TPACA When data owners upload the data with some attributes and it is encrypted by attributes identity(aid) then it authenticates with Certificate identity(uid), which is issued by TPACA {GPK(PKuid1,aid1 = g 1 r 1 uid,aid,g n r n uid n aid n ) =GPK uid1n,aid1..n .
3.1.3. Attribute Authority Setup(AA) In this algorithm, the collection of user attributes and Data owner attributes are stored in some data set; which will provide the secret key, that is obtained by matching the public key pair AAaid as input, SkeyGen(GPP,GPK uid ,GPk uid ,GSK uid ,SK aid , Su id,aid ) ={GPK,(PK aid1..n )with uidK } =SKuid n aid n
3.1.4. Data Encryption by owners Before hosting the data m to Cloud servers Data owner process will have, first it divides the data in to several data components as m={m1mn} according to logical granularities eg., data divided in to {name, address, D.0.B, employee, salary, Ph.no. etc.,}, second it encrypts data components with different content keys{k1..kn} using symmetric encryption methods, third it defines the access structure mechanism M i for each content K i {i=1n}, The encryption algorithm takes GPP a public keys for all the AAs in the data set and produces the cipher text = GPP,{PK aidk } aidk
=k( aidAAs PK aid k
=PK aid1..n =CT.
3.1.5. Data Decryption by users After the data are uploaded in the m cloud servers when user wants to access the data from the cloud servers. In normal scenario, user login in to the CSPs and with the normal registration he has the authentication to download the data, but in our system we provide an interface which will stop the users at the point of interface TPACA will judge the user with Authentication entity, these entities will be already been issued by Data owners. Now it user authenticates he had been provided with the cipher text CT with some user attribute, if it is correct he may able to download the data. The Decryption algorithm follows for Cipher text verification is Decrypt(CT,GPKuid,GSKuid{SKuid,aid}K = ( aidAAs Kaid k uid k } =( aidAAs g uid, r uid..n ) =CT,GPK uid, GSK uid
=K uid. Then the user can use the decrypted content key K to further decrypt the encrypted data component.
4. Security Analysis We prove our data access control is secure when we achieve both forward security and backward security like the AA id and GPP uidaid at the time of data upload encryption and with CT, GPK uid, GSK uid we obtain the K to decrypt the content[6].
4.1. Forward Security After each attribute revocation operation, the version of the revoked attribute will be updated. When new users join the system, their secret keys are associated with attributes with the latest version. However, previously published cipher texts are encrypted under attributes with old version. The cipher text update algorithm in our protocol can update previously published cipher texts into the latest attribute version, such that newly joined users can still decrypt previously published cipher texts, if their attributes can satisfy access policies associated with cipher texts. This guarantees the forward security[6].
4.2. Backward Security During the secret key update phase, the corresponding AA generates an update key for each non revoked user. Because the update key is associated with the users global identity uid, the revoked user cannot use update keys of other non-revoked users to update its own secret key[6], even if it can compromise some non- revoked users. Moreover, suppose the revoked user can corrupt some other AAs the item in the secret key can prevent users from updating their secret keys with update keys of other users, This guarantees the backward security.
5. Performance Analysis To evaluate the performance of CP-ABE, we conducted several experiments on a virtual machine with core2Duo based on jPBC library[20], we measured the time required for encryption and decryption under various scenarios, beside we measured the cipher text size overhead, that is acceptable cost in storage. We can see the encryption and decryption time of CP-ABE has a significant linear correlation with the size of published content and the complexity of access policy. Considering the file size , even for a file of 120 mb, it cost less than 6 seconds. Considering the complexity of access policy, encryption and decryption time for an access control strategy tree with 80 leaves is still no more than 6 seconds.
Fig.4. CP-ABE encryption and decryption time cost: (a) the x -axis corresponds to the complexity of the access policy.
Fig.5. CP-ABE encryption and decryption time cost: (b) the x-axis corresponds to the complexity of access
6. Conclusion It is clear that although the use of cloud computing has rapidly increased; cloud computing security is major issue, at the same time users dont want to lose their data. By this proposed method, even any failures occurs in the cloud environment by malicious insiders, by byzantine fault or due to any server crash happens in disaster users can recover the datas with correctness, integrity and consistence from cloud service providers. From this greater security is obtained either the user process the data from single cloud or Multi-Clouds with higher performance. 7. References [1].An Efficient Public Batch Auditing Protocol for Data Security in Multi-Cloud Storage He Kai, Huang Chuanhe+, Wang Jinhai, Zhou Hao, Chen Xi, Lu Yilong, Zhang Lianzhen, Wang Bin Computer School, Wuhan University, Wuhan, China- 2013 8th Annual ChinaGrid Conference.
[2].Data Storage Security Challenges in Cloud computing, Sajjad Hashemi1 1Department of Computer Engineering, Science and Research Branch, Islamic Azad University, West Azarbayjan, Iran- International Journal of Security, Privacy and Trust Management ( IJSPTM) Vol 2, No 4, August 2013.
Published content ID File size (KB) Before encryption After encryption Added size
Table.2. File size before and after encryption of CP-ABE.
[3].Using Third Party Auditor for Cloud Data Security: A Review Ashish Bhagat Department Of Computer Science & Engineering, India Lovely Professional University, Ravi Kant Sahu School of Computer Engineering, Lovely Professional University India. International Journal of Advanced Research in Computer Science and Software Engineering Volume 3, Issue 3, March 2013.
[4].Article:The Edge of the Cloud Maria R. Ebling IBM T.J. Watson Research Center Eyal de Lara University of Toronto Alec Wolman Microsoft Research Ada Gavrilovska Georgia Institute of Technology.
[5].Ensuring Privacy in Data Storage as a Service for Educational Institution in Cloud Computing J. Angela Jennifa Sujana Asst. Professor, Department of Information Technology Mepco Schlenk Engg. College Sivakasi, India , Dr. T. Revathi Professor, Department of Information Technology Mepco Schlenk Engg. College Sivakasi, India - 2012 International Symposium on Cloud and Services Computing.
[6].Expressive, Efficient and Revocable Data Access Control for Multi-Authority Cloud Storage Kan Yang, Student Member, IEEE, Xiaohua Jia, Fellow, IEEE- IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS.
[7].Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud Boyang Wang ,, Baochun Li and Hui Li State Key Laboratory of Integrated Services Networks, Xidian University, Xian, China Department of Electrical and Computer Engineering, University of Toronto, Toronto, Canada- 2012 IEEE Fifth International Conference on Cloud Computing.
[8].Survey on Cloud Data Integrity Proof Techniques Solomn Guadie worku, Zhong Ting, Qin Zhi-Guang School of computer science and engineering University of Electronic Science and Technology of China (UESTC) Chengdu, China- 2012 Seventh Asia Joint Conference on Information Security.
[10].QoS-Aware Data Replication for Data-Intensive Applications in Cloud Computing Systems Jenn-Wei Lin, Chien-Hung Chen, and J. Morris Chang, Senior Member, IEEE- IEEE TRANSACTIONS ON CLOUD COMPUTING, VOL. 1, NO. 1, JANUARY-JUNE 2013.
[11].Proof of Retrivability: A Third Party Auditor Using Cloud Computing Vijayaraghavan U1, Madonna Arieth R2, Geethanjali K3 1,2 Asst. Professor, Dept of CSE, RVS College of Engineering& Technology, Pondicherry University, India. 3Asst.Professor, Dept of EEE, RVS College of Engineering& Technology, Pondicherry University, India.- International Journal of Emerging Technology and AdvancedEngineering Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 3, Issue 7, July 2013).
[12].Dynamic certification of cloud services,by Iryna Windhorst and Ali SunyaevIEEE International conference on Availability, reliability and security, 2013.
[13].security issues in cloud computing, Huaglory Tianfield.2012, IEEE International conference of systems,man and cybernetics.
[14]. Secure storage services in cloud computing, S.Muthakshi, Dr.T.Meyyappan. Dept.cse, Alagappa University, karaikudi, TamilNadu, India, IJCTT vol4. Jun13.
[15].http://www.hindawi.com/journals/ijdsn/2013/469076/ [16]. http://www.enovance.com/en/products- solutions/cloud-services/multi-cloud/multi-cloud- management. [17].http://www.gravitant.com/solutions/solutions-by- initiative/multi-cloud-mgmt.html. [18]. Cloud computing security: From single to multi- clouds, Md. A.AlZain.. 2012 45 th Hawaii International conference on system sciences. [19]. CloudSim: a toolkit for modeling and simulation of cloud computing environments and evaluation of resource provisioning algorithms, Rodrigo N. Calheiros1, Rajiv Ranjan2, Anton Beloglazov1, Cesar A. F. De Rose3 and Rajkumar Buyya1, , SOFTWARE PRACTICE AND EXPERIENCE Softw. Pract. Exper. 2011; 41:2350 Published online 24 August 2010 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/spe.995
[20]. A PEFKS- and CP-ABE-Based Distributed Security Scheme in Interest-Centric opportunistic Networks, FeiWang,1,2 YongJun Xu,1 LinWu,1,2 Longyijia Li,3 Dan Liu,3 and Liehuang Zhu3, International Journal of Distributed Sensor Networks Volume 2013, Article ID 469076