Auditing-as-a-Service for Cloud Storage

Transcription

1 Auditing-as-a-Service for Cloud Storage Alshaimaa Abo-alian, N. L. Badr, M. F. Tolba, Faculty of Information and Computer Sciences, Ain shams University, Cairo, Egypt Abstract. Cloud Storage Service (CSS) is a vital service of cloud computing which relieves the burden of storage management, cost and maintenance. However, Cloud storage introduces new security and privacy challenges that make data owners worry about their data. It is essential to have an auditing service to verify the integrity of outsourced data and to prove to data owners that their data is correctly stored in the Cloud. Recently, many researchers have focused on validating the integrity of outsourced data and proposed various schemes to audit the data stored on CSS. However, most of those schemes deal with static and single copy data files and do not consider data dynamic operations on replicated data. Furthermore, they do not have the facility to repair corrupt data. In this paper, we address these challenging issues and propose a public auditing scheme for multiple-copy outsourced data in CSS. Our scheme achieves better reliability, availability, and scalability by supporting replication and data recovery. Keywords: cloud storage, auditing, probabilistic encryption, fountain codes, cryptographic hash algorithms. 1 Introduction Recently, cloud storage service offers attractive features such as massive scalability, elasticity, reliability, pay as you go, and self-provisioning. On the other hand, it is susceptible to security and privacy threats. For example, data could be lost in the cloud because of cloud outages [18] and the cloud service providers may choose to hide data loss and claim that the data is still correctly stored in the cloud. In addition, the cloud service providers may be dishonest and they may discard the data which has not been accessed or rarely accessed or maintain fewer replicas than what is paid for to save the storage space in order to increase the profit margin by reducing cost. Since users may not retain a local copy of outsourced data and may not trust the cloud service provider, It is a significant aspect for the cloud adfa, p. 1, Springer-Verlag Berlin Heidelberg 2014

2 service provider to provide data security practices to convince data owners that their outsourced data is correct and safe. Thus, many researchers have focused on checking the integrity of outsourced data and proposed various schemes and protocols to audit the data stored on CSS. Any system model of auditing scheme consists of three entities as mentioned in [4]: 1. Data Owner: an entity, which has large data files to be stored in the cloud and can be either individual consumers or organizations. 2. Cloud Storage Server (CSS): an entity, which is managed by Cloud Service Provider (CSP), has significant storage space and computation resource to maintain the clients data. 3. Third Party Auditor or Verifier (TPA): an entity, which has expertise and capabilities to check the integrity of data stored on CSS. In view of the verifier role in the model, all auditing schemes fall into two classes: private auditing and pubic auditing [7]. In private auditing, only Data owner who can audit CSS to verify the correctness of outsourced data [8]. Unfortunately, private auditing schemes have two drawbacks: (a) They impose an online burden on the data owner to verify data integrity and (b) Data owner must have huge computational resources for auditing. In Public auditing or Third party auditing, Data owners can delegate the auditing task to an independent third party auditor (TPA), without dedication of their computation resources [8]. However, pubic auditing schemes should ensure that the privacy of the verified data is maintained against disclosure by the TPA. Several auditing schemes such as [2,3,4], [9,10,11,12] were proposed under different cryptographic assumptions. Most of these schemes [12,13] deal with integrity verifications and do not support data recovery in case of data corruption. Some schemes [5], [9], [11] deal only with archival static data files and does not consider dynamic operations such as insert, delete and update. Whereas many schemes support only private auditing such as [3], [10], [12]. In this paper, we propose a public and privacy- preserving auditing scheme for single-copy and multiple-copy, moreover for dynamic data files. We improve the CSP's efficiency and achieve better reliability, availability, and scalability by supporting replication and data recovery. The rest of the paper is organized as follows. Section 2 overviews related work. In section 3, we provide the detailed description of our auditing

3 scheme. Then, we illustrate performance analysis of our scheme in section 4. Finally, we conclude in section 5. 2 Related work For verifying the integrity of single copy data outsourced in the cloud storage, Jun Liu et al. [4] considered the security problem of the auditing protocol proposed by Wang et al. [13] in the signature generation phase which allows the CSP to cheat by using blocks from different files during verification. Therefore, they presented a secure public auditing protocol based on the homomorphic hash function and BLS short signature scheme, which supports for public verifiability, data dynamics and privacy preserving. However, their protocol suffers from massive computation and communication costs. Ren et al. [6] proposed a privacy-preserving public auditing scheme using random masking and homomorphic linear authenticators (HLAs) [1]. Their auditing scheme also supports data dynamics using Merkle Hash Tree (MHT). In addition, it enables the auditor to perform audits for multiple users simultaneously and efficiently. Unfortunately, their scheme is vulnerable to the TPA offline guessing attack. Considering replicated data stored in multiple servers, Barsoum and Hasan [11] proposed two dynamic multi-copy provable data possession schemes: tree-based and map-based dynamic multi-copy provable data possession (TB-DMCPDP and MB-DMCPDP, respectively). These schemes prevent the CSP from cheating and using less storage by maintaining fewer copies through using the diffusion property of AES encryption scheme. The notable limitations of both schemes are high computation and communication costs. Besides, The replica number should be known to the authorized users to be able to generate the original file. Etemad and Kupcu [3] proposed a distributed and replicated DPDP (DR- DPDP) which provides transparent distribution and replication of user data over multiple servers where the cloud storage provider (CSP) may hide its internal structure from the client. They use persistent rank-based authenticated skip lists to make data dynamics more efficient. Their scheme supports

4 dynamic version control to enable accessing old values of updated data. On the other hand, DR-DPDP has three noteworthy disadvantages: First, it only supports private auditing. Second, it does not support recovery of corrupted data. Finally, the organizer looks like a central entity which may get overloaded and can cause a bottleneck. 3 Proposed scheme In this section, we first state some definitions applied in the design of the auditing scheme. Then, we describe the algorithms and the detailed phases of the auditing scheme for cloud storage. 3.1 Notations and Preliminaries In this sub-section, we list some notations and define some preliminaries used in the proposed scheme. F is a data file to be outsourced and consists of a finite ordered set of m blocks, i.e. F = {b 1, b 2,..., b m }. is a bilinear pairing; where, and be three multiplicative groups. Paillier Encryption: Paillier cryptosystem [14] is a probabilistic encryption scheme which creates different ciphertexts each time the same message is encrypted using the same key. Using a public key (N, g), a message m is encrypted to a ciphertext ct using equation (1): ct = g m x N mod N. (1) Using a secret key λ, Plaintext can be decrypted as: Where : m = L(ct λ mod N 2 ) * (L(g λ mod N 2 )) -1 mod N. (2) p, q are two prime numbers, N = p * q. λ = LCM (p-1, q-1). g is random number such that its order is a multiple of N; g. x is a random number and x.

5 L(u) = (u-1)/n. Raptor codes: A Raptor code [15] is a fountain code that encodes a message of k symbols into a limitless sequence of encoding symbols such that knowledge of any k or more encoding symbols allows the message to be recovered with some non-zero probability. A Raptor code [16] is specified by parameters (k, C, Ω (x)), where C is the (n, k) erasure correcting block code, called the pre-code, and Ω (x)) is the generator polynomial of the degree distribution of the LT code. ( ) (3) where Ω i is the probability that the degree of an output node is i. 3.2 Proposed Model The proposed scheme consists of nine polynomial time algorithms as shown in figure 1: Key Generation (KeyGen), Probabilistic encryption and replica generation (ReplicaGen), File Encoding (RaptorEncode), Hashing and Tag Generation (TagGen), Challenge Generation, Proof Generation, Proof Verification, Data Recovery and Data Modification. Key Generation (KeyGen): This algorithm is executed by the data owner. It takes as input security parameter 1 λ and its outputs: private key sk and public key pk for block tag generation, Hash secret key sk h, and pseudorandom function key Key PRF for replica generation. Replica Generation (ReplicaGen): This algorithm is executed by the data owner if s/he chooses multiple replica version. The number of replicas r and the file F are taken as input and generates r unique differentiable replicas {F i } 1 i r. This algorithm is run only once. Unique copies of each file block of file F is created by encrypting it using a probabilistic encryption scheme. We utilize Paillier encryption scheme [14] for replica generation because it is semantically secure and has efficient encryption complexity. File Encoding (RaptorEncode): This algorithm is executed by the data owner in order to support data recovery when s/he outsources singlecopy data file. RaptorEncode algorithm takes Key PRF, outputs encoded file F', and works as follows: F = {b 1,,, b k }, b i is s bits, is encoded by an erasure code (pre-code) to obtain F'= {y 1,,y k }. Then, Choose a random s s

6 binary matrix A = [A 1,, A s ] T where each A 1 is an s bit vector. For each 1 i n, Create authenticators δ 1,, δ n as: ( ) (4) Finally, F' = {y 1,,y k, δ 1,, δ n } is the encoded file. For each encoded block, a coding vector is attached where each bit represents whether the corresponding original block is combined into F' or not. Fig. 1. The proposed auditing scheme. Hashing and Tag Generation (TagGen): This algorithm is run by the data owner. It takes the private key sk, the secret hash key sk h, and the unique differentiable file replicas {F i } 1 i r or the encoded file F' as inputs. Its output is the tags set Φ = {σ j } 1 j n which is an ordered collection of tags for the data blocks. Figure 2 illustrates a detailed description of TagGen algorithm. It is valuable to note that we embed the file identifier F ID into the block tag to prevent the CSP from cheating and using data blocks from different files and passing the audit. Embedding a timestamp of each data block T j into the block tag to authenticate the tag and maintain the block versions. We

7 utilize the BLS tag generation due to its homomorphic verifiable property which aggregate the signatures of distinct blocks into a single short one and verify it at one time, and thus reduce storage overhead and communication costs for challenge and response messages. 1. TagGen for Single-Copy file: Φ TagGen(sk, sk h, F') Divide File F' into an ordered collection of blocks {mj} ; 1 j n. Generate a tag for each block bjas follows: ( ( ) ), Φ = {σj}1 j n Where FID= Filename n u; i.e. File identifier and Tj is a timestamp. Send the tags set Φ to the TPA. Send the data blocks {mj} along with their signatures Φ to the CSP and delete them from the local storage. 2. TagGen for Multiple-replica file: Φ TagGen(sk, sk h, {F i } 1 i r ) Divide each distinct file replica Fi into an ordered collection of blocks {mj} ; 1 j n. Generate a tag for each block bjj as follows: ( ( ) ) Where FID= Filename n u ;i.e. File identifier and Tj is a timestamp. Generate an aggregate tag σj for the blocks at the same indices in each replica Fj as Send the tags set Φ = {σj}1 j n to the TPA. - Send the data blocks {mj} along with their Fig. 2. TagGen algorithm.

8 Challenge Generation: In this algorithm, the TPA challenges the CSP to verify the integrity of all outsourced replicas. The TPA sends c (number of blocks to be challenged; 1 c n ) and two distinct PRF keys at each challenge: k 1 and k 2. The PRF keyed with k 1 is used to generate c random indices which the file blocks that the CSP should use to prove the integrity. The PRF keyed with k 2 is used to generate y j random values that are associated with each random index j and used by the CSP while generating the response. Then, the challenge set Q = {(j, y j )} of pairs of random indices and values is generated at the CSP. Proof Generation: This algorithm is run by the CSP, upon receiving the challenge set Q, to generate a proof that it is still correctly storing all replicas. The CSP computes ( ( ) ) ( ( ) ) (5) The CSP sends the proof to the TPA. Proof Verification: This is run by the TPA. It takes as input the public key pk, the challenge set Q, and the proof returned from the CSP, The TPA checks the following verification equation: ( ) ( ( ( ) ) ) (6) and outputs TRUE if the verification equation passed, or FALSE otherwise. Data Recovery: To repair a corruption on the - storage server, the TPA uses the corresponding coding vectors to generate the encoded blocks. is generated by the XOR combination of original blocks as Data Modification: To support efficient dynamic operations, we utilize a map-version table which is an authenticated data structure stored on the TPA to validate the data dynamics on all file replicas. The map-version table consists of four columns: Index (j), block number (B j ), version number (V j ) and timestamp (T j ). The index denotes the current block number of the data block m j. B j denotes the original block number of the data block m j. V j (7)

9 denotes the current version number of the data block m j which is increased by 1 each time the data block is modified. T j denotes the timestamp used for generating the tag. The dynamic operations in our proposed scheme are preformed via a request in the form Modify(j, Op, ) where Op is the dynamic operation; i.e. 0 for deletion, 1 for insertion, and 2 for update. is the new block value. 4 Performance Analysis In this section we evaluate the performance of our proposed scheme as we list its features in Table 2 and make a comparison of our scheme and the state of the art (refer to Table 1 for notations). Let r, n, k denote the number of replicas, the number of blocks per replica and the number of sectors per block (in case of block fragmentation), respectively. s denotes the block size. c denotes the number of challenged blocks. Table 1. Notation of cryptographic operations. Notation MUL ADD EXP H Cryptographic operation Multiplication in group Addition in group Exponentiation in group Hashing into group Pairing Bilinear pairing ; e(u, v) 5 Experiments and Discussion Our experiments are conducted using MATLAB and Java on a system with an Intel Core i5 processor running at 2.2 GHz and 4 GB RAM running Windows 7. In our implementation, we use Java Pairing-Based Cryptography (JPBC) library version To achieve 80-bit security parameter, the elliptic curve group we work on has a 160-bit group order and the size of modulus N is 1024 bits. All files used in the experiments are downloaded from the Human Genome Project at NCBI [17]. All results are the averages of 20 trials.

10 Table 2. Comparison between our proposed scheme and the-state-of-the-art. Figure 3 illustrates the computational time for our proposed scheme and for the [11] scheme using different number of replicas, 1 GB file, 16 KB block size, corruption rate = 1% and detection probability = 99.99%. Fig. 3. The computational time of our scheme and [11]. The CSP computational time of our proposed scheme, as shown figure 3(a), is about 5 times faster than that of [11] due to the tag aggregation and fast

11 decryption of the Paillier scheme. Although the TPA computational time of our scheme, as shown figure 3(b), is faster than that of [11] for small number of replicas, the TPA computational time of [11] is independent on number of replicas and performs efficiently for larger number of replicas. 6 Conclusion In this paper, we propose a dynamic public auditing scheme for verifying the integrity of replicated data in cloud storage. We utilize the homomorphic BLS tags and cryptographic SHA-256 algorithm to guarantee that the scheme is privacy-preserving. We exploit Paillier probabilistic encryption scheme for efficient replica differentiation to prevent the CSP from cheating and maintaining fewer replicas than what is paid for. To achieve efficient data dynamics, we utilize the map-version table which improves the computation time of dynamic operations and the proof generation. we take benefit of the efficient encoding and decoding of Raptor codes to support data recovery. The performance analysis show that the proposed scheme is complete, provably secure, and efficiently comparable to the already existing schemes. 7 References 1. Ateniese, G., Kamara, S., Katz, J.: Proofs of Storage from Homomorphic Identification Protocols. In: 15th Int l Conf. Theory and Application of Cryptology and Information Security: Advances in Cryptology (ASIACRYPT), pp Springer Berlin Heidelberg (2009) 2. Zhang, Y., Blanton, M.: Efficient dynamic provable possession of remote data via balanced update trees. In: the 8th ACM SIGSAC symposium on Information, computer and communications security (ASIA CCS '13), pp ACM, New York, NY, USA (2013) 3. Etemad, M., Kupcu, A.: Transparent, Distributed, and Replicated Dynamic Provable Data Possession. In: the 11th international conference on applied cryptography and network, pp Springer Berlin Heidelberg (2013) 4. Liu, H., Zhang, P., Lun, J.: Public Data Integrity Verification for Secure Cloud Storage. Journal of Networks. 8(2), (2013) 5. Yuan, J., Yu, S.: Proof of retrievability with public verifiability and constant communication cost in cloud. In: the 2013 international ACM workshop on Security in cloud computing, pp ACM (2013)

12 6. Wang, C., Chow, S. S. M., Wang, Q., Ren, K., Lou, W.: Privacy-Preserving Public Auditing for Secure Cloud Storage. IEEE Transactions on Computers. 62(2), (2013) 7. Zheng, Q., Xu, S.: Secure and Efficient Proof of Storage with Deduplication. In: the second ACM conference on data and application security and privacy, pp ACM (2012) 8. Yang, K., Jia, X.: Data storage auditing service in cloud computing: challenges, methods and opportunities. World Wide Web. 15(4), (2012) 9. Jia, X., Ee-Chein, C.: Towards efficient provable data possession. In: the 7th ACM sympoium on Information, Computer, and Communications Security, ASIACSS 12 (2012) 10. Chen, B., Curtmola, R.: Robust Dynamic Provable Data Possession. In: the 32nd International IEEE Conference on Distributed Computing Systems Workshops, pp IEEE (2012) 11. Barsoum, A. F., Hasan, M. A.: Integrity verification of multiple data copies over untrusted cloud servers. In: 12th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (ccgrid 2012), pp IEEE Computer Society (2012) 12. Liu, F., Gu, D., Lu, H.: An improved dynamic provable data possession model. In: the 2012 IEEE International Conference on Cloud Computing and Intelligence Systems (CCIS), pp IEEE (2011) 13. Wang, Q., Wang, C., Ren, K., Lou, W., Li, J.: Enabling Public Auditability and Data Dynamics for Storage Security in Cloud Computing. IEEE Transactions On Parallel And Distributed Systems. 22 (5), (2011) 14. Paillier, P.: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In: Advances in cryptology EUROCRYPT 99, pp Springer Berlin Heidelberg (1999) 15. Shokrollahi, A.: Raptor Codes. IEEE Transactions On Information Theory. 52 (6), pp (2006) 16. Ho, T.: Summary of Raptor Codes. Scientific Commons (2003) 17. National Center for Biotechnology Information, Raphael, J. R.: The worst cloud outages of 2013(part 2),