Address for Correspondence

Transcription

1 Research Paper CLOUD STORAGE AUGMENTATION WITH MULTI USER REPUDIATION AND DATA DE-DUPLICATION 1 J.K. Periasamy, 2 B. Latha Address for Correspondence 1 Research Scholar, Information and Communication Engineering, Anna University, Chennai & Computer Science and Engineering, Sri Sairam Engineering College, Chennai, Tamilnadu, India. 2 Professor and Head, Computer Science and Engineering, Sri Sairam Engineering College, Chennai,Tamilnadu, India. ABSTRACT One of the major applications of Cloud computing is Cloud Storage where data is stored in virtual cloud servers provided by numerous third parties. De-duplication is a technique established in cloud storage for eliminating duplicate copies of repeated data. The storage space is reduced and the capacity of bandwidth is increased in the server using Data Deduplication. It is related to intelligent data compression and single-instance data storage.to take the complexity out of managing the Information Technology infrastructure, the storage outsourcing has become the popular option. The latest techniques to solve the complications of protective and efficient public auditing for dynamic and shared data are still not secure against the collusion that is, the illegal agreement of the cloud storage server and the multiple user repudiation in workable cloud storage. Hence, to prevent the collusion attack in the existing system and to provide an effective global auditing and data integrity, the group user repudiation is performed based on ordered sequence of values commit and group signature is generated with secure hash algorithm. The group user data is encrypted using block ciphers and bilinear transformation. This work also introduces a new approach in which each user holds an independent master key for encryption using convergent keys technique and out sourcing them to the cloud. The storage optimization was achieved with the help of messaging scheme between sender and receiver over the network, which reduces the overheads correlated with the duplication detection and query processes. The planned system also uses binary diff technique rule to identify the unique data chunk which is stored in the cloud. The breach of privacy and leakage of data can be prevented to acceptable level. The data chunk size is set by the user. Moreover, this work also proposes a feasible technique to detect storage of copyright and hazardous content in Cloud. KEYWORDS Cloud Computing, Global auditing, Data integrity, User repudiation, Data De-duplication, Hashing, Data Chunks, Bundling, Copyrighted contents I. INTRODUCTION Storing data in the cloud has become the integral part of business organizations and other enterprise solutions. The best cloud data storage services are provided by Google Drive, Dropbox, Mega, Tresorit, pcloud and OneDrive [12]. The authorization of cloud storage provides the determination of authenticated identity for specified set of resources. Consolidation of data centers reduces the cost significantly. The management of cloud storage includes the apparent new risk management such as data unavailability, breaching privacy, multiple integration of organizations, leakage of data and issues in compliances. The security aspect of cloud storage involves protection, privacy, recoverability, reliability and integrity. Effective security in cloud can be achieved using data encryption services, authorization and management services, access control services, monitoring and auditing services. Cloud storage is a virtualized infrastructure with instant scalability, elasticity, multi-tenancy and huge resources. The surface area attack increases in storage outsourcing. The data is distributed and stored in different location which increases the risk of unauthorized physical access. The multiple data is shared with multiple users in cloud hence, large numbers of keys are required for secure storage. The number of networks over which the data travels gets increased. During transmission the risk in data read can be mitigated by encryption technology. Encryption protects the data that is transmitted in cloud. Outsourced data in cloud is more prone to hackers and national security agencies. The sites which permit file sharing must enable piracy and copyright infringement. Reliability and availability depends on the network and the service provider. The essential aspect of the cloud service provider is the security audit. A. Data De-Duplication Process Data De-duplication is one of the specialized data compression techniques for eliminating repeated data. It is used to enhance the storage and network utilization for reducing the number of bytes during data transfers. During the De-duplication process, the transferred file is divided into number of chunks based on dynamically specified bytes by the user and then unmatched chunks of data are identified and stored during the analysis process. In the analysis, other chunks were compared to the already stored copy and whenever a match occurs, the matched chunk was replaced with a reference point to the already stored chunk. In the given file, the same byte of the chunks may occur numerous times, thus the amount of chunks storage and time can be reduced using this technique. The match frequency is calculated based on chunk size. In this system is based on the in-line data Deduplication method which occurs during data transfer. The transferred data is split into chunks and each chunk is encrypted using convergent encryption where the key for encryption is generated from plain text of the chunk itself and the checksum has been generated for each chunk are used for naming of respective chunks which can be easily recognized the duplicates. Once the duplicates are recognized, they will be truncated and the rest of the chunks will be sent to the storage. There are different overheads in implementing as follows (a) Every duplication query brings one extra round trip time of latency. (b) Termination of TCP connections for non-duplicate chunks in the original data. To overcome these derelictions, a technique called in-memory filter and inherent data locality to reduce the frequency of disk lookups, is proposed. The scattered chunks are bundled together into a single TCP connection and this method is named as bundling. The duplicate chunks are usually clustered and data locality preserved for already detected

2 chunk is utilized to reduce the number of duplication queries. Moreover, the messaging back scheme helps the sender to recognize the duplicate hash value that has been sent from the receiver. The redundant chunk transfer will be reduced using Messaging Back Scheme. B. Role of Dedup in Cloud Backing up the data from your cell phone to the cloud is a routine process. In the back end, the service providers need to protect and store massive amounts of data within the data centers. So, the Cloud Service Providers (CSPs) have implemented the technology named De-duplication shortly called as Dedup. Dedup is used to eliminate the duplicate files occupy the storage unnecessarily. CSPs can enhance their storage and maintenance easily with at most security and provide service to the customer with minimum cost. C. In-line De-duplication In-line De-duplication is the pre-process Deduplication, which removes the duplicates before storing it in the permanent storage. It removes the chunk in the file when the file is transferred; the identified chunk matches with the chunk in the storage or receiver. With this method the storage required to store the file after transfer is very less compared to post process De-duplication where the De-duplication is done in a periodic manner after storing the files with duplicates in the storage. This system uses this in-line De-duplication method with some other added techniques like filters, Cache, disk chunks, and messaging back mechanism that facilitates the process in a great manner. D. Convergent Encryption Convergent encryption is one of the encryption methods where the encryption key is generated from the plain text of the file itself. When the file produces the same checksum thereby; the duplicates are recognized with no collision. This procedure has advantages when compared to the other any encryption techniques, namely SHA-1. There is less chance of collision. Probably, duplicates identification is false in SHA-1. The files with same plain text may produce a different checksum and in other cases files with different plain text may produce the same checksum. So the system cannot eliminate the duplicates accurately in this case it is said to be high in collision. II. RELATED WORK A scheme to realize an efficient and secure data integrity auditing for share dynamic data with multiuser modification was used. The techniques like vector commitment, Asymmetric Group Key Agreement (AGKA) and group signature with user revocation [1] was adopted to achieve the data integrity auditing of remote data. The innovative design on polynomial authentication tags which allows composition of tags of different data blocks was achieved. For system scalability, in addition entrust the cloud with the ability to accumulate authentication tags [2] from multiple writers into one writer while sending the integrity proof of information to the verifier (who may be general cloud users). A new auditing mechanism for shared data with efficient user revocation in the cloud was provided. When a user in the group is revoked, the partially trusted cloud will re-sign the blocks that were signed by the revoked user with [3] proxy re-signatures. The public or private verifier can audit the integrity of shared data without retrieving the entire data from the cloud database, even if some of the blocks in shared data have been re-signed by the cloud. Group signatures are the central cryptographic basic where users can anonymously and accountably sign messages on behalf of the group they belong to. Several adequate constructions with security proofs in the standard model has been appeared in the frequent years. Like standard PKIs, group signatures need a powerful revocation system to be practical. A new method for scalable revocation, related to the Naor-Naor-Lotspiech (NNL) [4] broadcast encryption framework that interacts easily with techniques for building group signatures in the standard model was proposed. Data De-duplication removes the duplicates in the storage to optimize the storage. This is done based on a prescribed time interval in the data center. Initially, this needs storage in plethora. However, it is unlike the in-line De-duplication process where the duplicates are removed before storing. Data Deduplicate over networks, that is in-line process Deduplication brings more advantages to storage optimization. But all these are achieved with the cost of various parameters like latency, disk lookups and TCP terminations. Few drawbacks are there in the existing system like latency, Unnecessary TCP terminations, Unwanted disk lookups. A method was developed for more protected Deduplication. It introduces a new key known as dekey concept where the master key of the user is shared among the key management service providers. So the master key will not be compromised by the hackers easily. Unfortunately, it is implemented in post process De-duplication, which needs larger storage for initial storage and might have duplicate files in abundance. [5] De-duplication method was designed for cloud backup in both local and global, especially for personal storage. This scheme is better suited for laptops, desktops, and data backups, but incompatibility when it comes to smart phones and tablet data backups. This scheme focuses on post process De-duplication where the initial storage will be large and needs larger bandwidth for data transfer to back up storage.[6] The system was proposed for content delivery acceleration and wide area network optimization using a pack junking algorithm. The drawbacks of this system are High computational cost and tedious efficiency. [7,8] A system was proposed for the avionics network where the main work is to deal with the satellite communication and other geographical message passing. So it obviously needs predictability. This increases the necessity of large bandwidth. The possibility of redundant data generation is a real time scheduling which makes De-duplication difficult. So they have proposed a De-duplication-aware Deficit Round Robin based scheduling. They have used a filtering method to speed up the De-duplication process. [9] A method was proposed for removing the redundant data using various techniques such as a caching management mechanism, fingerprinting technique, etc., in cellular networks. They have shown the

3 experimental results as 50% bandwidth ig savings in wi-fi networks and 60% savings in mobile data networks. [11]. A genetic algorithm is used to store the records in the database in an efficient manner. [13] III. SYSTEM ARCHITECTURE De-duplication of similar chunks within the incoming files towards the receiver or storage is done by several continuous processes that include Cache mechanisms in both sender and receiver. Here the sender de-duplicates the input file s similar chunks using the Cache that contains the duplicates chunks hash value received from the receiver and transfers the input file to the receiver for further duplicate detection. Then the receiver starts checking for duplicates with Cache on it and the filter as well. Once the files are recognized as unique, it is stored on disk with its supplementing details. [10] The bundling of the sparsely distributed multiple chunks into one TCP connection removes the overhead of unnecessary TCP terminations that occurs often when it sees the duplicate file. In additional, the duplicate queries reduced to fewer numbers by increasing the size of data represented by the hash values in each query. This is achieved with the high cost of large memory for caching the data being queried. Usage of convergent encryption makes no collision in the chunk recognition for duplicates. In the Fig. 1,the owner of the group will be activated by the cloud service provider (CSP). It offers the storage and application services available via a private or public network [14]. They will enable the users to access the necessary resources through the internet. To provide such resources providers often fall back upon new providers in the cloud. The group owners are authenticated by the cloud service provider. There are several group members registered into a group which will be maintained by the group owner. There are two types of data that are stored in the cloud. The first kind is the data that is created by the user and then uploaded in the cloud. The other kind is the data that is created on the cloud platform. Data produced prior to the already uploaded data into a cloud platform may be governed by appropriate copyright laws depending on the cloud server, while the data that is created after storage brings about a totally advanced dimension of ownership. IV. IMPLEMENTATION A. Splitting Large File and Transferring into receiver The large file is sent from sender to receiver without splitting it into chunks and this has been received at the receiver. The large file is split into less size of Fig. 1. System Architecture chunks and is sent from the sender to the receiver. These chunks are received at the receiver as it is, which is merged into a large file as per its source file in the sender side, and then it is stored in the database. Fig. 2. Splitting a Large file and transferring into the receiver

4 From the above given Fig. 2, it is understood that files are sent from sender to receiver in a sequential process. In the sender side, files are split into a number of chunks and these chunks are bundled. These chunks are transferred through one TCP. These chunks are received and checked and finally it is sent to the receiver. B. Encrypting the Chunks and Producing the Hash Value In transferring the chunks, there may be a possibility of transferring duplicate chunks as well as identifying these similar chunks with the help of convergent encryption is the concept of this procedure, as shown in the Fig. 3. This process is done by encrypting each chunk using the convergent encryption. It is the type of encryption, the key is generated from the plain text of the chunk itself and the key is used encrypt and decrypt the data in a secure manner. Any chunk is having the same plain text will be creating the same checksum as a result of convergent encryption, and this is different from other techniques. Fig. 3. Encrypting the chunks and producing the Hash Value C. Bundling the Chunks in a Single TCP Session in Sender Side The bundling method is implemented to avoid the TCP terminations and establishments for nonduplicated chunks that may be sparse in the original file. There are two bundling techniques to bundle sparsely distributed chunks into a large block of data to be carried in a single TCP session. This uses disk chunk, Cache, messaging back scheme to evolve this work efficiently. D. Implementing the messaging back technique from receiver to sender In this system, the messaging back technique is implemented. In this technique, the sender recognized the duplicate hash values of chunks that are already present in the receiver or stored. So the sender will not send the duplicate query to receiver in-order to check whether the data chunk is already present in storage. This technique stops the numerous of disk lookup operations and duplicate queries. The hash value of duplicate chunks is identified by the receiver and send the hash value of that particular chunk to the sender. The sender s Cache could help the sender check the input file s value against this hash value. If these chunks of has values are equivalanced, then the input file will not transfer to the receiver. Otherwise, it transfers the file as it has different hash value and will be checked for further duplicate detection in the receiver. E. Implementing Binary Diff technique at the receiver Once the original chunks are received at the receiver, they are further split into unique chunks in accordance with the predetermined size using Binary Diff technique. Binary Diff detects further duplicate chunks. It highlights duplicate chunks after comparison with stored chunks. The red mark indicates unique chunks and black mark indicates duplicate. V. TECHNIQUES INVOVLED A. Bilinear Transformation The ciphertext is produced through transformations from one domain to other domain. The bits of original data are transformed into another set of bits. The constants like a, b, c, d acts as the key. The encryption is done using pseudo random numbers to choose the index of the shared data. It generates a random number in a specified range which will be the index for the position selected in the shared data. The text that is selected will be transformed into 128 bit hash code. This 128 bit hash code will be separated into four parts and then it will be denoted as constants.in the Fig. 4, a mapping, where A denotes the plane which may be complex and it is of the form and c,d,e,f A are constants. be the complex variables located in different planes is called the bilinear transformation from the plane A to A. The bilinear transformation is the blend of the rotation and translation. The cipher text will be received by the third party auditor and he will divide the shared data into pseudo random numbers and. The cipher text is produced using the known mathematical function. Fig. 4. Bilinear transformation from domain (x,y) to domain (u,v) B. Vector Commitment The commitment must hide the information without revealing it to the unauthorized user. The committed message allows position binding so that the ordered values can be committed together rather than a single message [15]. The position binding states that no two values can be located in the same position. The commitment needs to be updated. Position binding is satisfied by the vector commitment.

5 a. Where is the security parameter and is the vector that has been committed. b. Where is the input sequence of messages. c. Where is the old message and is the updated or new message. d. it can be verified only if is a valid proof. C. Group Signature The original identity of the individual signer cannot be determined by the secret key of the group owner. This property is known as anonymity. The owner of the group must be able to trace the signer. The colluding group members cannot create a valid signature. a. Setup : given a parameter for security and the number of users permitted are. Choose only the bilinear groups of prime order with a generator. b. Join : the group manager and their corresponding user. c. Sign : where to sign, generate a one-time signature. D. Multi User Revocation The group signature assigned to that particular group user will be removed from the cloud database and the group user will no longer be able to access the group. If the revoked user tries to access the group by hacking other user s signature then an alert will be provided to the owner and the TPA to modify the hacked user s signature. Hence this user must resign the group with new signature. a. : First, find the subset of revoked users and. b. : The valid proof must return 1 otherwise 0. The signature check must be carried out by the third party auditor to investigate the validity of the group signature. It makes use of the verifier local revocation algorithm [1] to check the validity. E. Convergent Encryption Convergent encryption is the method of generating the key for encryption from the plain text of the file itself so that the files that have the same text will deliver the same checksum from that the duplicates can be recognized easily. If it's implemented properly, it is one of secure form of encryption in preventing those who are not aware of obtaining it from the encrypted data. Such type of algorithms is as follows Find the hash worth for every chunk once spilt the file. The key for encryption is the hash value. The encrypted data is then hashed. This hash value is termed as the 'locator'. The receiver receives locator value which is sent by the sender. If the server already has the info, it will increment the reference count doubled if desired. If the server doesn't, the sender uploads it. The sender need not send the key to the server. The server will validate the receiver while not knowing the key just by checking the hash of the encrypted data. A sender and receiver will view the data from storage using the key. The sender sends info to the server then the server search the data for them and response it. Finally, decryption is done by the sender side which is used key. This result is 100% settled, thus any purchasers encrypting an equivalent data can generate an equivalent key, locator, and encrypted data. F. Cache Cache is implemented in both sender and receiver, which identifies duplicates in two steps. First, the sender Cache identifies the duplicate chunks. Second, the duplicates of the file are identified by the Cache and filtered in the receiver. G. Bundling TCP connections get terminated and established for each non-duplicate chunk that may be sparse in the original file. To avoid this frequent setting up and termination of TCP connections, there are two bundling modules to bundle the distributed scatter chunks into a large block of data to be carried in a single TCP session. H. Filtering If no identical value is found, the filter is queried to determine if the incoming value is new. The Bloom filter indicates that the probability of duplicates ought to be high, the receiver confirms duplicate clasp on the hard drive. Another way, the copyrighted contents are not allowed to store if it already exists. VI. RESULTS AND EVALUATIONS The owner of the group must be activated by the CSP as shown in Fig. 5,the services will be available to the owner only when it is activated by the CSP. CSP authenticates the group owner by activating it in its portal. Group id will be selected by each group owner during their registration with CSP. Secure code will be mailed to the group users for their personal access. Number of group users gets registered under each group owner and they will also receive a unique secret code. Secure code is generated using polynomial time algorithm. The owner of the group will generate two keys as shown in Fig. 6, the public key will be used by the user of the group to encrypt the file. The private key will be used by the public auditor to verify the file and to decrypt it. The group signature for each encrypted block will be generated and it will be stored secretly as cipher text which is shown in Fig. 7. In the Fig. 8,the private key must be correctly entered by the authorized group user. If not the user will be immediately revoked. This will prevent the file access by robots. This method can be implemented in various fields where a group of users are maintained by an owner. The application includes educational institutions, health care organizations, banking sectors and multinational companies which are much prone to cloud services.zz

6 Fig. 5. Activation of group owner by CSP Fig. 6. Key Generation Fig. 7. Generation of Group Signature Fig. 8. Revoking Group User for Entering Incorrect Private Key It also examines the behavior of the proposed system s data De-duplication result and identifies the copyrighted contents. As all the data chunks are flagged, the following value is calculated, marks indicate the unique chunks and black marks indicate the duplicate chunks > (1) Where m is the number of chunks that are flagged to be copyright and n is the total number of data chunks. If the percentage of the equation (1) value is greater than 50%, the system is identified that the file is copyrighted content. The performance of bandwidth increases and delay is reduced in the storage. The plots are drawn based on the m and n values and the value of m is from 1000 to In the Fig. 9,the result is observed that the greater the value of n number of chunks the file is split into, the more the accuracy of the results, which grows linearly. The sample results of Binary Diff Technique are shown in the below Fig. 10, which is done in Linux Operating System. The highlights are shown of duplicate chunks after comparison with stored chunks and unique chunks in the below Fig. 10. The red Fig. 9. Comparison ratio of m and n values

7 Fig. 10. Sample results of Binary Diff Technique VII. CONCLUSION The verifiable database with frequent updates is an important way to solve the problem of verifiable outsourcing of storage. A scheme to acquire effective and secure data auditing for shared dynamic data with multi-user modification is proposed. The scheme bilinear transformation, vector commitment, Asymmetric Group Key Engagement (AGKE) and group signatures with group user revocation are adopted to achieve the data integrity auditing of remote data. Beside the public data auditing, the aggregation of the three primitive enable the scheme to outsource cipher text database to remote cloud and support protective group users repudiation to shared data. Each and every chunk in the file is encrypted using the convergent encryption so that the similar chunk could produce the same checksum; thereby it can identify the duplicates. So far this has been implemented and will be used for the further development of the system that uses Cache and filtering mechanisms to overcome the disk lookups. The binary Diff technique is identified further duplicate chunks, and allocates reference points. Consequently, the copyrighted contents are not allowed to store if it already exists. REFERENCES [1] Jiang, Xiaofeng Chen and Jianfeng Ma, Public integrity auditing for shared dynamic cloud data with group user revocation, IEEE Transactions, 2015, DOI [2] Jiawei Yuan and Shucheng Yu, Efficient public integrity checking for cloud data sharing with multi-user modification, Proc. of IEEE INFOCOM, Toronto, Canada, 2014, pp [3] Boyang Wang, Baochun Li and Hui Li, Public auditing for shared data with efficient user revocation in the cloud, in Proc. of IEEE INFOCOM, Turin, Italy, 2013, pp [4] Benoit Libert, Thomas Peters, and Moti Yung,, Group signatures with almost-for-free revocation, in Proc. of CRYPTO 2012, USA, pp [5] Jin Li, Xiaofeng Chen, Mingqiang Li, Jingwei Li, Patrick P.C. Lee, and Wenjing Lou Secure De-duplication with Efficient and Reliable Convergent Key Management, IEEE Transactions On Parallel And Distributed Systems, Vol. 25, No. 6, June 2014, PP [6] Yinjin Fu, Hong Jiang, Nong Xiao, Lei Tian, Fang Liu, And Lei Xu Application-aware Local-global Source Deduplication For Cloud Backup Services of Personal Storage, IEEE Transactions On Parallel And Distributed Systems, Vol. 25, No. 5, May 2014, PP: [7] Yan Zhang, Nirwan Ansari On Protocol-independent Data Redundancy Elimination, IEEE Communications On Surveys & Tutorials, Vol. 16, No. 1, First Quarter 2014,PP: [8] Bing Zhou and Jiangtao Wen Efficient File Communication Via De-duplication Over Networks With Manifest Feedback, IEEE communications, letters, Vol. 18, No. 1, January [9] Yinjin Fu, Hong Jiang, Nong Xiao, Lei Tian, Fang Liu, And Lei Xu, Scheduling Heterogeneous Flows with Delay-Aware De-duplication for Avionics Applications, IEEE Transactions on Parallel and Distributed Systems, Vol. 23, No.9, Sept.2012, PP [10] Peter Christen A survey of Indexing Techniques for Scalable Record Linkage and De-duplication, IEEE Transaction on knowledge and Data Engineering, Vol 24, No.9, Sept. 2012, PP [11] W.K. Ng, Y. Wen, and H. Zhu, Private Data Deduplication Protocols in Cloud Storage, in the Proceedings. 27th Anniversary. ACM Symposium. Appl. Comput., S. Ossowski and P. Lecca, Eds., Mar.2012, pp [12] [13] Moise s G. De Carvalho, Alberto H.F. Laender, Marcos Andre Gonc alves, and Altigran S. Da Silva, A genetic programming approach to record De-duplication, IEEE transactions on knowledge and data engineering, Vol. 24, Issue:3, March [14] -provider -38. [15] D. Catalano and D. Fiore, Vector commitments and their applications, in Public-Key Cryptography - PKC 2013, Nara, Japan, 2013, pp