Security Framework for Cloud Data Sharing

Cloud computing is a growing technology that offers storage as a service to user where data is maintained, managed, backed up remotely. Security of cloud-based applications and data is one of the key concerns of cloud customers. Encryption techniques have previously been proposed to provide users with confidentiality in terms of outsource storage; however, many of these encryption algorithms are weak, enabling data security to be breached simply by compromising an algorithm. We propose a combination of encryption algorithms and distribution servers to improve database confidentiality.

The main goal of this work is to develop a secure and efficient auditing scheme with the capabilities such as privacy preservation, confidentiality, and data integrity. So it satisfies all the requirements as well as it reduces cloud server burden. Cloud computing can be defined as a new flair of computing in which real time scaling and virtualized resources are provided as a services. Providing security for data is a major concern in cloud storage systems even though it comes with attractive benefits[1, 2]. The internal and external threats cause the data in cloud to be deleted or corrupted or tampered [4, 5].

In specific any external adversary tries to alter the content of the stored data and convinces the owner of the data that their data stored in cloud is correct and intact [6]. This is being done for high profit. Hence it becomes essential to verify the correctness and integrity of the outsourced data moved to cloud. Data privacy, protection of data, data availability, data location, and secure data transmission are some issues that need to be looked up in cloud data security. Threats, data loss, service disruption, outside malicious attacks, and multi tenancy issues are some of the security challenges in the cloud.

Data integrity means maintaining the correctness of stored user’s data on the cloud. Any unauthorized users should not be able to modify or hack the stored data on the cloud. Cloud computing providers are trusted for maintaining the data integrity and accuracy of the data. Data confidentiality is also an important factor from user’s point of view as users tend to store their important and confidential data on the cloud. M. Meena AbarnaSri Krishna College of Technology, Coimbatore meenu. abarna97@gmail. com Authentication and access control strategies are used to ensure data confidentiality.

The data confidentiality issue can be resolved by increasing the cloud reliability and trustworthiness in Cloud computing. Therefore, data security, data integrity, privacy and confidentiality of the stored data on the cloud are the important factors to be considered from user’s point of view[2]. To meet this requirement, new methods or techniques should be developed and implemented. Data auditing is a new concept introduced in cloud computing to deal with secure data storage. Auditing is a process of verification of user data. It can be carried out either by the user himself (data owner) or by a TPA.

It helps to maintain the integrity of data stored on the cloud. Similarly, asymmetric key cryptography involves decryption on the provider’s side, allowing providers to infer sensitive information. The three network entities viz. the data owner, cloud server and TPA are present in the cloud environment. The data owner is responsible to store data on the storage server provided by the cloud service provider (CSP). TPA keeps a check on the client’s data by verifying the integrity of data on demand. It notifies data owner if any variation or fault is found in data owner’s data. Fig. 1 shows the cloud data storage architecture.

II.LITERATURE SURVEY

There are many issues that Cloud computing undergoes on the integrity and privacy of the user’s stored data at cloud. It is important from the user’s perspective to develop a secure and efficient method to guarantee the integrity and privacy of dat stored in the cloud.

(a) Wang et al. [4] has proposed a privacy preserving public auditing protocol. It uses an independent TPA for auditing the data. For this purpose, public key based Homomorphic linear authenticator (HLA) along with random masking techniques is used. But it is susceptible to existential forgeries attacks such as message attack from a malicious cloud server and an outside attacker. To resolve this issue, Wang et al. [3] proposed a new improved scheme which tends to be more secure than the previous proposed protocol [4]. It is also a public auditing scheme with TPA. It is developed to perform data auditing on behalf of users. Wang et al. [6] proposed another protocol that supports both public auditing and data dynamics by using the BLS based HLA along with Merkle Hash Tree (MHT). It achieves the integrity of data, but fails to provide confidentiality of the data stored on the cloud. Wang et al. [7] has also proposed a design to detect the modified blocks easily using homomorphic token pre-computation and later erasure coded technique is used to acquire the desired blocks from different servers.

(b)Bouganim and Pucheral [8] have proposed a hardware software solution for the database outsource confidentiality issue, claiming that no software solution is guaranteed, given Internet security variability. Their idea is basically to install a smartcard on the cloud side that will work as a mediator. The data is then encrypted by the smartcard before being inserted into the database, and then decrypted before being sent to the user. This method is premised on an assumption of secure communication between the user and the cloud. The smart card is fully controlled by the client, so the cloud is simply used as encrypted data storage. This approach has limitations in terms of processing power as well as memory capacity and thus does not offer a practical solution for the outsourcing of confidential data due to the weakness of the smartcard and the difficulty of installing the card into the cloud provider ‘s server. The situation worsens if the database system needs to be distributed.

(c)Popa et al. [4] recently proposed a practical solution to improve the confidentiality level for outsourced data from curious cloud providers. Their scheme consists of a number of components, including encryption algorithms, proxy, and user’s application. This concept relies on the fact that no single encryption algorithm can support all types of queries, so the researchers investigated encryption algorithms that allow for queries to be issued to encrypted data. They came up with six encryption algorithms that can be used to support the fundamental query structure. Other studies belonging to this category can be found in [5]–[9]. In the existing systems, the task of computing the proof for integrity check of data is carried out by a cloud server who is also responsible for storing huge amount of user’s data. Thus increasing the burden of storage as well as the task of verification proof generating on the cloud server. There is a need to propose a system which does not increase the load on cloud server in the auditing process. All the factors mentioned above are important and need to be achieved for a reliable scheme. Therefore, it is necessary to develop an efficient and secure auditing scheme which can perform public auditing effectively by maintaining both the integrity and confidentiality of stored data.

III.PROPOSED SYSTEM

We propose a combination of encryption algorithms and a distribution technique that together form a novel contribution to this research.

A. Encryption algorithm

The algorithm used in our scheme is Honey encryption algorithm.

1.Password-Based Encryption

Weak passwords aren’t just a problem for hashing; they also impact users’ ability to encrypt sensitive data using password-based encryption (PBE). PBE carries essentially the same vulnerability to guessing attacks as hashing PBE basics. A PBE scheme consists of an encryption function enc and a corresponding decryption function dec. A message M is encrypted under a password P as a cipher text C = encP(M). The message can be decrypted as M = decP(C). Given a decryption attempt using an incorrect password P¹P , decP(C)outputs an error message—which we can think of for convenience as a special error symbol ^. A popular standard for PBE is PKCS (Public-Key Cryptography Standard) #5 v2.0.7 (Practitioners often use the key-derivation function PBKDF2 from PKCS #5 v2.0 to derive encryption or decryption keys from passwords. However, advances in cipher and cipher-mode design since the publication of PKCS #5 v2.0 motivate the use of authenticated encryption modes such as EAX over PKCS #5 v2.0 recommendations.)

2.Introducing HE

For some kinds of messages, HE provides security that’s beyond the brute-force bound and thus unobtainable with traditional PBE. HE constructs a ciphertext C that decrypts under any password to a plausible-looking message. Under HE, P yields a fake message M that looks as valid to an attacker as M. As you’ll see, our HE schemes accomplish this by first applying a specialized encoding mechanism and then encrypting the result with a conventional password-based encryption scheme. Our approach is conceptually similar to, but technically different from, compression followed by encryption. Suppose Alice’s password manager database is encrypted with HE and decrypts under an incorrect master password P * to yield a list of fake passwords or accounts. An attacker who tries these passwords online will fail to impersonate Alice. HE’s security properties might seem counterintuitive. With traditional PBE, an unbounded attacker, one who can make an unlimited number of guesses against (a bounded-length) P, can crack C with 100-percent success. Surprisingly, against an HE ciphertext, such an adversary can’t successfully decrypt C with certainty, even if P is weak.

2.1 Distribution-Transforming Encoders

The one-time pad operates over general bit strings, without sensitivity to message formats or properties. HE instead models the space of plaintext messages using a distribution-transforming encoder (DTE). Let pm be a probability distribution over the message space ℳ, meaning that a user selects M Îℳ for encryption with probability pm(M). (We give an example for this intuition later.) A DTE encode encodes M as an ℓ-bit seed S Î {0, 1}ℓ. Thisencoding needn’t be unique: many seeds might correspond to M, in which case encode selects one such seed uniformly at random. (Every seed, however, corresponds to a unique message).We require that encode be efficiently invertible. In other words, given S, we can decode through the inverse DTE decode(S) =M,which returns S’s unique corresponding message.With a DTE that gives strong security (as we explain later), decode accurately generates pm. In this case, selecting S uniformly at random from {0, 1}ℓ and decoding to obtain M = decode(S) returns
approximately the original pm. In other words, the DTE is a good model of the message distribution.

2.2 Another View of HE Honey encryption introduces many interesting technical challenges. A good DTE is tailored to the message distribution over which encryption is taking place. Constructing a DTE for highly structured data, such as credit card numbers, is relatively straightforward but can otherwise be challenging. For example, constructing a DTE for the databases in password managers requires understanding how users select suites of passwords. Currently, researchers only have a good understanding of user selection of individual passwords (thanks to the Rock You breach). Fortunately, DTEs don’t have to be perfect to provide useful security. HE raises other interesting challenges. For instance, what happens if a user mistypes a password and decrypts a cipher text (for example, an encrypted password database) into a wrong but valid looking message? Several approaches to this typo-safety problem exist, such as associating different images or colors with different plaintexts, as in checking decrypted passwords online automatically. Identifying the best approach remains an interesting open problem.

B. Distribution servers

Cloud computing data security is an evolving sub domain of network security, computer security and information security. Data is stored on different servers. So the clients have to trust on cloud service provider on the data availability as well as data security [15]. Sometimes cloud service provider may hide data integrity and data corruptions issues from clients to maintain the reputation, to avoid this problem we introduce flexible and an effective third party auditing mechanism. Third party auditor is like an inspector. Third party auditor is used for audits the user outsourced data. Third party auditor helps data owner to make sure that his information is safe in cloud [12]. Cloud users save his data in cloud servers so that data reliability as well as data security is primary concern. Data integrity verification at untrusted server is one of the biggest concerns with cloud data storage [2] [3].

IV.FUTURE WORK

To the best of our knowledge, this is the first work that addresses the problem of securing data stored in multiple server systems when the cryptographic material is exposed. In the following, we survey relevant related work in the areas of all-or-nothing transformations, secret-sharing techniques.

A. All or Nothing Transformations

All-or-nothing transformations (AONTs) were first introduced in [26] and later studied in [8], [12]. The majority of AONTs leverage a secret key that is embedded in the output blocks. Once all output blocks are available, the key can be recovered and single blocks can be inverted. AONT, therefore, is not an encryption scheme and does not require the decryptor to have any key material. Resch et al. [5] combine AONT and information dispersal to provide both fault-tolerance and data secrecy, in the context of distributed storage systems. In [25], however, an adversary which knows the encryption key can decrypt data stored on single servers.

B. Bastion: Security against Key Exposure

Bastion, which ensures that plaintext data cannot be recovered as long as the adversary has access to all but two cipher text blocks—even when the encryption key is exposed. Bastion first encrypts the data with one round of block cipher encryption, and then applies an efficient linear post-processing to the cipher text. By doing so, Bastion relaxes the notion of all-or-nothing encryption at the benefit of increased performance. More specifically, the first round of Bastion consists of CTR mode encryption with a randomly chosen key K, i.e., y′ = Enc(K, x). The output cipher text y′ is then fed to a linear transform which is inspired by the scheme of [8]. Namely, our transform basically computes y = y′ ・A where A is a square matrix such that: (i) all diagonal elements are set to 0, and (ii) the remaining off-diagonal elements are set to 1.

C. Secret Sharing

Secret sharing schemes [5] allow a dealer to distribute a secret among a number of shareholders, such that only authorized subsets of shareholders can reconstruct the secret. In threshold secret sharing schemes [11], [27], the dealer defines a threshold t and each set of shareholders of cardinality equal to or greater than t is authorized to reconstruct the secret. Secret sharing guarantees security against a non-authorized subset of shareholders; however, they incur a high computation/storage cost, which makes them impractical for sharing large files. Rabin [24] proposed an information dispersal algorithm with smaller overhead than the one of [27], however the proposal in [24] does not provide any security guarantees when a small number of shares (less than the reconstruction threshold) are available. Krawczyk[19] proposed to combine both Shamir’s [27] and Rabin’s[24] approaches; in [19] a file is first encrypted using AES and then dispersed using the scheme in [24], while the encryption key is shared using the scheme in [27]. In Krawczyk’s scheme, individual cipher text blocks encrypted with AES can be decrypted once the key is exposed.

V.CONCLUSION

A secure and efficient privacy preserving public auditing scheme is proposed. Privacy preserving public auditing is achieved with the help of TPA. It does the auditing without retrieving the data copy, therefore preserving the privacy of the data. The data are split into parts and then stored in the encrypted format at cloud for storage, thus maintaining the confidentiality of data. The cloud server is used only to store the encrypted form of data. Cloud server is not involved in verification proof computing, thus reduces online burden of cloud server. The proposed method satisfies all the auditing requirements as well as it reduces cloud server burden.

VI.REFERENCE

[1]. Ghassan O. Karame, Claudio Soriente, Krzysztof Lichota, Srdjan Capkun, “Securing Cloud Data under Key Exposure”, IEEE Transactions on Cloud Computing, 2017.
[2]. Swapnali S. More and Sangita S. Chaudhari, “Secure and efficient public auditing scheme for cloud storage” , HYPERLINK “http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=7910140” 2016.
[3]. Ahmed Albugmi, Madini O. Alassafi, Robert Walters and Gary Wills ,“Data security in cloud computing” 2016.
[4]. T. Subha and S. Jayashri, “Efficient privacy preserving integrity checking model for cloud data storage security”, 2016.
[5]. P.Mell and T.Grance, “The NIST Definition of Cloud
Computing”, NIST Special Publication – 800145, 2011;
[6].M.Lillibridge, S.Elnikety, A.Birrell, M.Burrows and M.Isard, “A Cooperative Internet Backup Scheme,” proc. USENIX
Ann.Technical Conf., pp.29-41, 2003.[7].Yong.Yu, Lei Niu, Guomin Yang, Yi Mu, Willy Susilo, “On the security of auditing mechanisms for secure cloud storage”, Future Generation Computer Systems 30(2014), 127-132.
[8].Lee Cheng-Chi, Lai Yan-Ming, Hsiao Chin-Sung, Cryptanalysis of a simple key assignment for access control based on polynomial. J Inf Secur Appl 2013; 18(4):215-8.
[9]. Li H, Dai Y, Tian L, Yang H, “ Identity-based authentication for cloud computing, Lecture Notes of Computer Science (LNCS), vol. 5931; 2009, p.157-166.
[10]. Yuan Zhang, Chunxiang Xu, Jining Zhao, Xiaojun Zhang, Junwei Wen, “Cryptanalysis of an Integrity checking scheme for cloud data sharing” , Journal of Information Security and applications (2015), I-6.
[11].N. Penchalaiah and R. Seshadri, “Effective Comparison and evaluation of DES and Rijndael Algorithm (AES),” International Journal of
Computer Science and Engineering, vol. 2, no. 05, p. 1641––1645,
2010.
[12] C. Paar and J. Pelzl, Understanding Cryptography: A textbook for
students and practitioners. Heidelberg: Springer-Verlag Berlin and
Heidelberg GmbH & Co. K, 2009.
[13] S Dhanaya. Privacy preserving third party auditing in cloud. Dissertation
report, 2015.
[14] Mohan Atreya, Stephen Paine, Benjamin Hammond, Stephen Wu, and
Paul Starrett. Digital signatures. Osborne/McGraw-Hill, 2002.[15] S. More and S. Chaudhari, “Third party public auditing scheme for cloud storage,” Procedia Computer Science, vol. 79, pp. 69–76, 2016.