cloud security using third party auditing and encryption service
TRANSCRIPT
Cloud Security Using Third Party Auditing and
Encryption Service
Dissertation
Submitted in partial fulfillment of the requirements for the degree
of
Master of Technology, (Computer Engineering)by
Swaroop S. HulawaleMIS No: 121022014
under the guidance ofProfessor : S. U.Ghumbre
DEPARTMENT OF COMPUTER ENGINEERING ANDINFORMATION TECHNOLOGY,
COLLEGE OF ENGINEERING, PUNE-5
June, 2013
DEPARTMENT OF COMPUTER ENGINEERING AND
INFORMATION TECHNOLOGY,
COLLEGE OF ENGINEERING, PUNE
CERTIFICATE
This is to certify that the dissertation titled
Cloud Security Using Third Party Auditing
and Encryption Service
has been successfully completed.
By
Swaroop S. Hulawale
(121022014)
SIGNATURE SIGNATURE
Prof. S U. Ghumbre Dr. J V. Aghav
Project Guide, Head of Dept,
Department of Computer Engineering Department of Computer Engineering
and Information Technology, and Information Technology,
College of Engineering Pune, College of Engineering Pune,
Shivajinagar, Pune - 5 Shivajinagar, Pune - 5.
Abstract
Cloud Computing is evolving and considered next generation architecture for computing.
Typically cloud computing is a combination of computing recourses accessible via inter-
net. Historically the client or organisations store data in data centers with firewall and
other security techniques used to protect data against intrudes to access the data. Since
the data was confined to data centers in limits of organisation, the control over the data
was more and well defined procedures could be used for accessing its own data. However
in cloud computing, since the data is stored anywhere across the globe, the client organ-
isation have less control over the stored data. To built the trust for the growth of cloud
computing the cloud providers must protect the user data from unauthorised access and
disclosure. One technique could be encryting the data on client side before storing it in
cloud storage, however this technique has too much burden from client perspective in
terms of key management, maintainence perspective etc. Other way could be this kind
of security service like computing hash of dat and verifying integrity of data, encryp-
tion/decryption service if provided by same cloud storage provider, the data compromise
cannot be ruled out since same provider has access to both storage and security service.
Divide and rule can be one of the techniques, meaning dividing the responsibilities
amongst different cloud services providers can benefit the client. A trusted 3rd party
cloud provider be used to provide security services, while the other cloud provider would
be data storage provider. The trusted 3rd party security service provider would not store
any data at its end, and its only confined to providing security service. The application
or software will provide data integrity verification by using hashing algorithm like SHA-1,
provide encryption/decryption using symmetric algorithm like AES, and defining band
of people who can access the shared data securely can be achieved by defining access list.
The Software is only responsible for encryption/decryption, comput-
ing/verifying the hash of the data and does not store any data in trusted 3rd party
security system server. The encrypted data along and original data hash are stored in
Separate Cloud (Security Cloud), therefore even if the storage cloud system administrator
has access user data, since the data is encrypted it will be difficult for the system adminis-
trator to understand the encrypted data. While the user downloads the data from Storage
Cloud, it is decrypted first and then new hash is calculated which is then compared with
hash of original data stored in Security Cloud. Finally, this software/application provides
the user with the ability to store the encrypted data in Storage cloud and hash and en-
cryption/decryption keys in security cloud service, and no single cloud service provider
has access to both. Other benefit of delegating responsibility to trusted 3rd party is that
it reliefs the client from any kind of key management or over head is maintainance of any
key information related to data on it device, because of which it allows the client to use
any browser enabled devices to access such service.
Keywords - Cloud computing; Hash service; encryption and decryption service; data
protection and integrity.
Contents
List of Figures iii
1 INTRODUCTION 1
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Problem Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Literature Survey 4
2.1 Overview of cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1.1 Overview of working of cloud . . . . . . . . . . . . . . . . . . . . 5
2.1.2 Cloud Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.3 Cloud Service Models . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.4 Cloud Deployment Models . . . . . . . . . . . . . . . . . . . . . . 7
2.1.5 Security issues in cloud . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1.6 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3 System Design 11
3.1 Business Model with separate encryption/decryption and hashing service. 11
3.2 Typical Scenarios In Design . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2.1 Data Upload Scenario . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2.2 User Data Download Scenario . . . . . . . . . . . . . . . . . . . . 14
3.2.3 Group User Data Download Scenario . . . . . . . . . . . . . . . . 15
3.3 Algorithm selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.3.1 Selection Of AES . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.4 Technologies Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
i
4 Implementation 20
4.1 Outline of the AES Algorithm . . . . . . . . . . . . . . . . . . . . . . . . 20
4.2 Implementation Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5 Testing and Result 26
5.1 Testinng Result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
6 Conclusion and Future work 28
6.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
6.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
List of Figures
2.1 Cloud Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1 System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2 Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.3 User Data Upload Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.4 User Data Download Scenario . . . . . . . . . . . . . . . . . . . . . . . . 16
3.5 Group User Data Download Scenario . . . . . . . . . . . . . . . . . . . . 17
4.1 ClientApp Login Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.2 New User Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.3 User Uploads Confidential File . . . . . . . . . . . . . . . . . . . . . . . . 23
4.4 User Adds Accessor To Confidential File . . . . . . . . . . . . . . . . . . 24
4.5 Accessor Viewing Confidential File . . . . . . . . . . . . . . . . . . . . . 25
4.6 Owner Viewing Confidential File . . . . . . . . . . . . . . . . . . . . . . 25
5.1 Sample Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.2 Encrypted Confidential File Stored In Storage Cloud . . . . . . . . . . . 27
iii
Chapter 1
INTRODUCTION
1.1 Motivation
With evolution of computers the life of people became more and more easily. They where
able to keep there data on there devices, and started finding ways to make them acces-
sible to others, for example say by using floppy, writable disks, which was followed by
portable hard-disk, all these where expensive in there own way during there time. The
data was very much private on personal devices like PC,laptops, mobile phones etc, there-
fore sharing data with others was considered to be expensive. As the world of computing
got more advanced the ways for sharing data started becoming cheaper and cheaper. In
recent years a new term has evolved call ”Cloud” which is provided by different provides,
and which is nothing but facility or service of different resources or components like hard-
ware, platform, storage’s, software etc, and it is gaining importance because it frees the
user from maintenance perspective on a investment of some money for the use of these
services provided by cloud service providers.
Now to provide such service to the client, naturally the provider’s must
have and rather can have access to resources which are used by the people/clients. Among
the reasons these access are greatly required are for maintenance perspective. And defi-
nitely since billions of clients will be thinking about using such service, the infrastructure
ought to be capable enough to support them, and these resources ought to be shared
between billions of client’s. Service availability, data syncronization between different
devices, availability of data via any devices which includes browser facility make cloud
more attractive. Now since the info gets shared or stored in providers area, the client
1
gets worried about privacy of its data, although there are certain agreements and SLA
which are agreed by cloud provider and client. Now although client have a platform to
generally share the info, the expense of securing his/her data or in a nutshell making its
data private gets costlier.
The cloud term is of interest not just to the patient clients but to orga-
nizations as well. With organization as a consumer the concern of data security becomes
multifold. Consider a typical example of small scale business that has different depart-
ments like HR, Finance, etc. We will focus on finance department since finance details
of any business/company/organization is considered to be very sensitive and must be
confidential. Therefore if the little scale company thinks of using the cloud services like
storage. Storing all account/finance related information in cloud stored makes it prone to
leakage of sensitive information tell un-authorized users. Therefore securing this finance
data is vital before it gets uploaded to the storage cloud, and just in case the data stored
in cloud storage gets tampered there should be a method to verify the integrity of the
data, moving futher specific band of people should have access to this data which may be
folks from finance deparment of client company or special auditors. Simply speaking the
client must have the ability to store the data securely, verify the integrity of the data,
share the data securely with specific band of people.
1.2 Problem Definition
The clients concern about data security, data integrity, and sharing data with specific
band of men and women must be addressed. You can find multiple means of achieving
this, example encryting data on client machine and then storing the information to cloud
storage server, computing hash of the information on client machine and storing hash of
data in client machine, client trying out the responsibility of sharing the trick key about
encryption with specific band of people. Therefore it becomes more tedious for client to
keep these information and share such information, more over in the event the device
which stores such information is lost or stolen it pose a threat to the total data. Another
way could be same storage cloud provider providing the service for secured sharing, hash-
ing, encryption/decryption, but since administratives can have use of both services for
maintainance, the security service provided by the cloud storage provider, the informa-
tion might be compromised. The aforementioned approches burdens the client by which
2
makes it additionally accountable for securing it data before storing it to the cloud storage.
1.3 Objectives
Our objective is to build a security service which will be provided with a trusted 3rd
party, and would lead to providing only security services and wouldn’t store any data in
its system. Detailing it further.
1. To construct Web service system which would provide data integrity verification,
provide encryption/decryption of the consumer data.
2. Defining access list for sharing data securely with specific band of individuals.
3. To construct thin client application which would call this web service before upload-
ing/downloading the data to and from cloud.
3
Chapter 2
Literature Survey
The analysis behind this topic could be subdivided into 3 different sub- fields:
1. Study of cloud computing and various cloud computing models IaaS, PaaS, SaaS
etc, study of different business models, and study of service level agreements.
2. Study of security issues in cloud.
3. Study of Cryptography.
2.1 Overview of cloud
Cloud computing describes the combination of logical entities like data, software which
are accessible via internet. Client data is generallly stored in banks of servers spread
across the globe.
Historically, each software like a phrase processor or paint brush required
a license to be installed on clients machine. However with this is of workgroup becoming
more highlighting, the client-server model arrived to existence, which provided large
storing capabilities allowing users to host applications with data for workgroup. The
client machine would demand a browser to get into these server functionality, and would
use client CPU and memory for processing.
Cloud computing will vary from traditional client-server model by provid-
ing applications from the server which are executed and managed by a client’s internet
browser, with no installed client version of a credit card application require. Cloud
providers frees the client from software license management etc, since the services are
accessible via internet. Software as a Service (SaaS), given by cloud company, require
4
browser enabled devices like personal computers, laptops, and latest devices like smart-
phone, tablets etc, to access these services once an individual is registered in cloud. For
instance, in case an individual opts for storage service from the cloud provider, then she
or he can upload personal information, code, music, movies, songs, photographs, which
are stored anywhere across the planet in the server bank under cloud company, the ge-
ographic storage location is generally kept unknown to the user. Since only browser
enabled device are sufficient to access these files, different devices could be kept in sync.
2.1.1 Overview of working of cloud
Generally the cloud services are browser based, therefore any browser enabled
device such as for instance laptop, desktop, smartphone, tablets can used to gain access
to these services, the services at providers end may be hosted on any platform, from
windows, linux, etc, which are accessible via internet. As an example consider a regular
income and expenditure application which gives different analysis on expenditure by a
person, this application could be executing on cloud providers server, whilst the client
browser will allow client to feed in the inputs and visualize the analysis prepared for the
inputs provided, these analysis computation is completed at server side. Suppose this
application can futher create documentation on monthly bases which often can be stored
in cloud storage once again relieving the client from storing or processing the file on its
side. Because the cloud services are offered via internet, a significant factors which play a
important role in performance are speed of internet, processing power of the individual.
While the cloud providers have server banks, to boost the processing power, multi-
ple server are often used internally by the cloud service provides. This pooling is invisible
to the client. On another hand if these heavy tasks were to be executed on client side,
it would require investment in hardware, time. Due to cloud, it frees the client from
buying expensive hardware and investing his/her valuable time, since time is money.
Having studied the overview of working cloud, let’s now understand some of the essential
characteristics
• On-the-fly service
A consumer can require more capabilities at any movement of time, example pro-
cessing power for huge task, and these requirement must of fulfilled without human
5
intervention and be invisible to client [4].
• Wide Accessibility
Generally the cloud service are available via standard network protocols, it promotes
different types of clients platforms (like, smart phones, laptops etc) for accessing
these services [4].
• Pooling Of Resources
The pooling of the resources at cloud providers end is invisible to the end client,
and resource assignment is done dynamically depending the need of the client [4].
• Measured service
Cloud has enough resources, and amount used by each client is measured by metering
capability, and controlled at some level, for optimized resource usage, (like storage)
[4].
2.1.2 Cloud Layers
At high level, cloud computing architecture can be partitioned into
1. Client or front end platform (thin or thick client).
2. Back-end platform (storage server etc).
3. The network (Internet etc)
These client platforms communicate with the cloud data storage via an application
(hosted on middleware), accessible via a browser.
2.1.3 Cloud Service Models
In this section let’s understand different service models of cloud.
• SaaS
Software as a Service (SaaS) also known as “on-demand software”, as it name says
allows client to use software services supplied by cloud provider via web browser.
The management of server, internal cloud network, operating system, application
configuration on middleware are responsibilities of cloud provider. SalesForce is
among SaaS company which supplies different software services.
6
Figure 2.1: Cloud Layers
• PaaS
Platform as a Service (PaaS) as the names suggests, cloud provider provides plat-
form for deployment of user application, but doesn’t give control of underlying
hardware or infrastructure (storage, network).
• IaaS
Infrastructure as a Service (IaaS) wherein limited accessibility for group of infras-
tructure is provided to the client for storage, network, processing etc. The client can
deploy and execute is application using these infrastructure, the key advantage is
frees the client on buys or purchasing top end servers, softwares, data-center space,
network infrastructure etc. The clients are charged on per-use basis [4].
2.1.4 Cloud Deployment Models
In this section we focus our attention to some of the primary cloud models
• Public Cloud
Public cloud is a couple of resources such as for instance storage or application, are
made available to the general public online by the cloud provider. The client is is
billed based on the usage or the service may be free.
• Community Cloud
7
Community cloud share the underlying infrastructure with other organization which
share common interest like security etc. It’s not completely public and the fee is
shared by community members. Neither it is totally public not fully private.
• Private Cloud
Private cloud as it name says, is internal to an organization. It can either be
managed internally or by trusted 3rd party. The cloud is only accessible to internal
organization or say designated employee of the organization.
2.1.5 Security issues in cloud
Every coin has 2 side, and cloud computing is no exception. There is criticism about
privacy in cloud model, because of the fact that administrator have access to data stored
in the cloud. They can unintentionally or intentionally access the client data. Traditional
security or protection techniques need a reconsideration for cloud. Except for private
cloud where organization does not have control over the equipment, the progress of cloud
is seems little slow, because organizations think instead of compromising on the security
of the data, they are still willing to invest in buying private equipment to setup there
own infrastructure. Security issues which are of concern to the client can be classified
into sensitive data access, data segregation, bug exploitation, recovery, accountability,
malicious insiders, account control issues.
Like different disease have different medicines, different cloud security issues have different
solutions, like cryptography, use of more than one cloud provider, strong service level
agreement between client and cloud service provider. Heavy investment is needed to
secure the compromising data in cloud. Cloud can grow only if it is possible to build
a trust in client, and which can be built only if security concerns are being addressed.
Following are some of the concerns,
1. System Complexity
Compared to traditional data center the cloud architecture is much more complex.
Therefore while considering security, security of all these components and interaction
of these components with each other needs to be addressed [13].
2. Shared Multi-tenant Environment
Since the cloud need to provide service to millions of client, a logical separation
of data is done at different level of the application stack [13]. Because of which a
8
attacker in the face off client can exploit the bugs gaining access to data from other
organizations [13].
3. Internet-facing Services
The cloud service which is accessed over the internet via browser, the quality of
service delivered on the network is another concern [13].
4. Loss of control
As the data of client is stored anywhere across the world control loss over physical,
logical of system,and alternative control to clients assets, mis-management of assets
are some additional concerns [13].
2.1.6 Cryptography
Cryptography is a field of computer science & mathematics which deals with information
security and related issues, in particular encryption and authentication. In greek the word
kryptos mean ”hidden” while the word graphein mean ”to write”. During encryption a
plain-text is converted into cipher text, while the reverse process termed as decryption
converts the cipher text into plain-text. The cipher is in unreadable format.
• AES
The Advanced Encryption Standard (AES) is a symmetric key encryption/decryption
algorithm for converting plain-text to cipher text and vice-versa. Since the same
key or master key is used, the must be kept secret or with trusted 3rd party, because
compromise of this key would mean compromise to the data.
• Deffie Hellman
Diffie Hellman key exchange is a technique to exchange cryptographic keys between
2 parties with no prior knowledge of each other. It allows the 2 parties to establish
a secret key which can be used for further secured communication.
• SHA-1
SHA stands for ”Secure Hash Algorithm”, SHA-1 is a cryptographic hash function
technique where hash of data is computed. As compared to SHA-0, SHA-1 is widely
used because it corrects errors in SHA hash specification, which led to weakness.
9
2.2 Summary
The literature survey helped us gain a better insight with reference to cloud computing,
different models of cloud computing, current security issue. Understanding different
encryption/decryption algorithms like AES, SHA-1, Deffie Hellman. During the survey
it is noted that lot of research is going on in cloud computing security issues and how to
overcome the security issues and to gain cloud users confidence.
10
Chapter 3
System Design
In the proposed design, a hash service data integrity verification, encryption/decryption
service, and provision for defining list of people which can access data securely, is provided
by a trusted 3rd party which is separate from the storage cloud provider.
3.1 Business Model with separate encryption/decryption and
hashing service.
The system provides hash, accessl list, encryption/decryption by a trusted 3rd party over
the network in the form of ”Software as a Service” (SaaS)[1]. The system has a separate
storage service which is also provided as a SaaS. The data storage for each client is done
in database in the form of ”BLOB”. The trusted 3rd party which provides these securty
services does not store any data at its ends, and stores only master key for each client for
data encryption and decryption, and hash of the data which is calculated on client side.
To enhance the security, the communication between client and security server is secured
using Diffie Hellmen key, which is used as a input for AES. This division of responsibility
has big effect, as no single provider has access to other data and security key, hash at the
same time.
Figure 3.1. is an overview of the architecture where storage and encryption/decryption/hash
services (security services) are separated. For example (as described in chapter 1, Moti-
vation) a small or medium scale business who wish to store all its account related data in
cloud storage, will first calculate the hash of the data, encrypt the data using encryption
11
Figure 3.1: System Architecture
service and then store the data in storage provided by separate provider. The system also
provides functionality where other users from small scale business Company will be able
to access data which is stored in cloud storage. The sessions between client and security
server is secured using Diffie Hellmen Key and AES as the encryption algorithm. SHA-1
is used for calculating the hash of the data, and AES is used a encryption/decryption
algorithm for computing cipher at security server end. Figure 3.2 show the use case
diagram of the system.
3.2 Typical Scenarios In Design
Typical 3 basic scenarios are, user data upload, user data download, group user access.
In this section we discuss the each of these scenarios.
3.2.1 Data Upload Scenario
1. The end user login to the system with his/her username & password.
12
Figure 3.2: Use Case
2. Once the user is authenticated, the Deffie Hellman key is exchanged for the session.
3. Now a user can select the files which he/she wants to upload it to storage cloud.
4. The user can also select is he/she wants to share the file with specific users.
5. The hash of the data in file is calculated, using SHA-1 ( original hash ).
6. The data in file is now encrypted using DH keys.
7. The complete encrypted file and original hash of file data, are now transferred to
Security Cloud.
8. At Security Cloud, encrypted files is decrypted back using DH key, while the hash
is sorted in security cloud database.
9. The decrypted file is now encrypted with Symmetric Algorithm namely AES, using
the Master Key generated for each user during user creation.
10. File ID, original hash ( file/data hash ), master key for each user are stored in
Security Cloud database.
13
11. The Security Cloud now discards any contents of the files from its system, and does
not store any file contents in its system.
12. The Encrypted file is sent back to user, to be uploaded to Storage Cloud.
13. The user now can upload the encrypted file to Storage Cloud.
Figure 3.3: User Data Upload Scenario
3.2.2 User Data Download Scenario
1. The end user login to the system with his/her username & password.
2. Once the user is authenticated, the Deffie Hellman key is exchanged for the session.
3. Now a user can select the files which he/she wants to download it from storage
cloud.
14
4. The encrypted file is now downloaded from storage cloud to users mach in.
5. The complete encrypted file is now transferred to Security Cloud.
6. The data in file is now encrypted using DH keys.
7. The complete encrypted file and original hash of file data, are now transferred to
Security Cloud.
8. At Security Cloud, decrypted files with Symmetric Algorithm namely AES using
Master Key stored in security cloud database for each user.
9. The decrypted file is now encrypted with DH key.
10. The DH encrypted file and hash of the corresponding file is now passed to the users.
11. At user end, on receiving the encrypted file, it is decrypted with DH keys.
12. The hash of decrypted file is calculated using SHA-1 and original hash are now com-
pared to see if they match, and accordingly appropriate message like, File tampered
or File is intact are flashed on user screen. Thus the integrity of the data is verified.
3.2.3 Group User Data Download Scenario
1. The end user login to the system with his/her username & password.
2. Once the user is authenticated, the Deffie Hellman key is exchanged for the session.
3. Now a user can select the files which are shared by other user.
4. The encrypted file is now downloaded from storage cloud to users machine.
5. The complete encrypted file is now transferred to Security Cloud.
6. At Security Cloud, decrypted files with Symmetric Algorithm namely AES using
Master Key stored in security cloud database for each user.
7. The decrypted file is now encrypted with DH key.
8. The DH encrypted file is now passed to the group users.
9. At user end, on receiving the encrypted file, it is decrypted with DH key.
15
Figure 3.4: User Data Download Scenario
10. The group user can now view the file; & the data integrity is also verified at group
users end.
Since the responsibility is divided between 2 providers, Storage Cloud
provider and Security Cloud provider are different, the Storage Cloud provider although
has access to file/data, it is in encrypted format, and it has no access to any kind of
encryption/decryption keys. Second, as the Security Cloud only stores users master key
and encrypted data hash, and does not store any data/file, therefore it has no use of the
keys. In case the data/file is tampered anywhere it will be caught during the integrity
verification. Third, while the session keys are established during the user login, all the
cascading data transfer is secured. This allows the user to access its data from any
machine, which is one of the definite of cloud services. Thus the user data transferred
16
Figure 3.5: Group User Data Download Scenario
and stored in secured manner in storage cloud. Fourth it is possible to share data with
preferred band of people securely.
3.3 Algorithm selection
In this section we discuss some of the advantages of selection of particular algorithms
over the other. We begin with discussion of AES.
3.3.1 Selection Of AES
Broadly speaking the encryption/decryption can be done via symmetric key or asym-
metric key.In symmetric algorithms, both parties share the secret key for both encryp-
tion/decryption, and from privacy perceptive it is important that this key is not compro-
mised, because cascading data will then be compromised. Symmetric encryption/decryption
require less power for computation. On the other hand asymmetric algorithms use pairs
of keys, of which one key is used for encryption while other key is used for decryption.
17
Generally the private key is kept secret and generally held with the owner of data or
trusted 3rd party for the data, while the public key can be distributed to others for
encryption. The secret key can’t be obtained from the public key. In our case since
the encryption/decryption is performed on trusted 3rd party server, symmetric key is
used, and it delegates the burden of key management to the trusted 3rd party. If key
management where to be done at clients end it would mean,
1. either they have to remember the big key
2. store the key in all devices/machine which will be used to access the cloud services,
which make user device a bottleneck.
3. individual owner has to take the responsibility of sharing the key with specific
authorized group of user which he/she define.
While on the other hand using symmetric key encryption the master key or private key
usage which would be stored in security cloud provider per user gives the client the
advantage like,
1. freedom from remembering any key.
2. Client can use any device/machine to access the data stored in cloud.
3. the client need not worry as to how the data will be shared securely, the client just
need to define the individual whom he/she wants to share the data with.
3.4 Technologies Used
In order to implement a cloud architecture or a Software As A Service (SaaS architecture)
we need
1. WebService – Need to implement a web service.
2. GlassFish Server – to host web service
3. SOAP API – to be able to call web service at client side we need to use SOAP API
or even XML. version 3.2.
4. Java 1.6.
18
5. Operating System Windows 7.
6. MySQL 5.2.
19
Chapter 4
Implementation
In previous sections we have discussed about the system architecture, different scenarios
and algorithms that we will be using to implement them.
4.1 Outline of the AES Algorithm
Constants: int Nb = 4; // but it might change someday
int Nr = 10, 12, or 14; // rounds, for Nk = 4, 6, or 8
Inputs: array in of 4*Nb bytes // input plaintext
array out of 4*Nb bytes // output ciphertext
array w of 4*Nb*(Nr+1) bytes // expanded key
Internal work array: state, 2-dim array of 4*Nb bytes, 4 rows and Nb cols
Algorithm:
void Cipher(byte[ ] in, byte[ ] out, byte[ ] w) {
byte[ ][ ] state = new byte[4][Nb];
state = in; // actual component-wise copy
AddRoundKey(state, w, 0, Nb - 1); // see Section 4 below
for (int round = 1; round ¡ Nr; round++) {
SubBytes(state); // see Section 3 below
ShiftRows(state); // see Section 5 below
MixColumns(state); // see Section 5 below
AddRoundKey(state, w, round*Nb, (round+1)*Nb - 1); // Section 4
} SubBytes(state); // see Section 3 below
ShiftRows(state); // see Section 5 below
20
AddRoundKey(state, w, Nr*Nb, (Nr+1)*Nb - 1); // Section 4
out = state; // component-wise copy
}
4.2 Implementation Details
In this section we discuss some the important implementation details. The overall project
was divided into 2 components, namely, ClientApp,Encryption/Decryption Service, Stor-
age Service
ClientApp
The ClientApp is java web startup application. The Client Login Form is shown in Figure
4.1.
Figure 4.1: ClientApp Login Form
21
Web Start has an advantage over applets in that it overcomes many compatibility prob-
lems with browsers’ Java plugins and different JVM versions. On the other hand, Web
Start programs are no longer part of the web page. They are independent applications
that run in a separate frame For a new user, the client/user has to register, by click on
”Register” in Login Form, and then login with its own user, as shown in Figure 4.2.
Figure 4.2: New User Registration
Let us re-visit the example discussed in chapter 1. The head of the account department
finalizes the ”YDT Summary” report for the small scale business. He/She then wants to
upload the document to cloud storage. The user click’s on ”Upload Data” button, it then
click’s on ”Upload File”, and selects the file to be uploaded from its device/machine. The
user now select if he/she wants to make the file as private which will be only accessible
to itself or it wants to make it shared with others as well, suppose it make its shared and
click’s on ”UPLOAD”, while uploading the file it shows appropriate messages wherever
necessary.
22
Figure 4.3: User Uploads Confidential File
Since the user has select shared, it now needs to define the list of people who will be able
to access the file, for this it click’s on ”Access List” button, followed by ”Add Accessor”
button, and search for the person who will be able to access the data, and click on
”DONE”, Figure 4.4.
This accessor list is defined in accesslist table defined at storage cloud. The accessor
will now be able to view this file securedly. One more advantage is, when the accessor
downloads the file by click on ”View Other’S DATA”, the accessor can see list of all
people and the data shared by these people with him/her, it verifies the integrity of the
data on selection of particular data for view, and can report to the head of department
if the data is tampered, Figure 4.5.
23
Figure 4.4: User Adds Accessor To Confidential File
Other Scenario will be the user want to download or view the data/file, for this he/she
clicks on ”Download Data”, followed by ”FETCH FILE LIST”, and selects the file to be
download it, click’s on ”Save File As”, and finally click’s on ”Download”, Figure 4.6
24
Figure 4.5: Accessor Viewing Confidential File
Figure 4.6: Owner Viewing Confidential File
25
Chapter 5
Testing and Result
Till now we have seen the system architecture, its implementation using AES, SHA-1
Deffie Hellman algorithms. This section gives the results of working model.
5.1 Testing Result
Lets use now take the example of ”Yearly Tax Deduction” Excel File which we provide
as a input to the system.
Figure 5.1: Sample Input
1. The file is exactly stored in encrypted format. The ”userdata” in storage cloud is
26
the table which stores the data for each user, Figure 5.2 shows the encrypted file
which was stored by a user.
Figure 5.2: Encrypted Confidential File Stored In Storage Cloud
2. Secondly, the keys, hash of data are stored in security cloud server in ”userkey”
table,while the hash of corresponding data is stored in ”filehash” table.
5.2 Summary
We have seen how the security service which is provided by trusted third party helps in
securing data, it provides the facility of data verification and allows data to be shared
between designated group of people.
27
Chapter 6
Conclusion and Future work
6.1 Conclusion
We have seen how delegation of responsibility trusted 3rd party which provides security
services secures user data. It reliefs the client from maintaining any kind of key infor-
mation and allowing the client for using any browser enabled device to access the cloud
services. It allows the client to verify the integrity of the data stored on download or
retrieval of its own stored data in cloud. The client can share the data securely with
specific band of people without any overhead of key distribution.
6.2 Future Work
1. To enhance the security more, a mechanism to secure the keys in security cloud can
be a area of research.
2. To reduce the overhead of network traffic can be another area of research.
28
Bibliography
[1] Jing-Jang Hwang, Hung-Kai Chuang,Yi-Chang Hsu, Chien-Hsing Wu, ”A Business
Model for Cloud Computing Based on a Separate Encryption and Decryption Ser-
vice,” Proceedings of the 2011 International Conference on Information Science and
Application, April 2011.
[2] Qian Wang ,Cong Wang ,Kui Ren ,Wenjing Lou ,Jin Li, ”Enabling Public Au-
ditability and Data Dynamics for Storage Security in Cloud Computing”, IEEE
TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 22,
NO. 5, MAY 2011.
[3] Balachandra Reddy Kandukuri, Ramakrishna Paturi V, Dr. Atanu Rakshit, ”Cloud
Security Issues”, IEEE International Conference on Services Computing, pp. 517-
520, September 2009.
[4] Peter Mell, Timothy Grance, ”The NIST Definition of Cloud Computing”, NIST
Special Publication 800-145
[5] Ling Li, Lin Xu, Jing Li, Changchun Zhang,”Study on the Third-party Audit in
Cloud Storage Service”, 2011 International Conference on Cloud and Service Com-
puting
[6] L. M. Vaquero,L. Rodero-Merino,J. Caceres, and M. Lindner, ”A break in the
clouds: towards a cloud definition”, ACM SIGCOMM Computer Communication
Review, vol. 39, no. 1, pp. 50-55, January 2009.
[7] A. Parakh and S. Kak, ”Online data storage using implicit security”, Information
Sciences, vol. 179, issue 19, pp. 3323-3333 ,September 2009.
[8] C. Weinhardt, A. Anandasivam, B. Blau, N. Borissov, T. Meinl, W.Michalk, and
J. Stober, ”Cloud computing ? a classification, business models, and research di-
29
rections”, Business & Information Systems Engineering (BISE), vol. 1, no. 5, pp.
391-399, 2009.
[9] L. Lamport, ”Password authentication with insecure communication”, Communi-
cations of the ACM, vol. 24, no. 11, pp. 770-772, 1981.
[10] ”Announcing the ADVANCED ENCRYPTION STANDARD (AES)”, Federal In-
formation Processing Standards Publication 197. United States National Institute of
Standards and Technology (NIST). November 26, 2001. Retrieved October 2, 2012.
[11] William Stallings, ”Cryptography and Network Security”, 2009.
[12] Salesforce.com, Inc., ”Force.com platform”, Retrieved Dec. 2009, from
http://www.salesforce.com/tw/.
[13] http://www.cs.utsa.edu/ wagner/laws/AESintro.html
30