- Email: [email protected]
Credential Based Authentication Approach for Dynamic Group in Cloud Environment
Available online at www.sciencedirect.com
ScienceDirect Procedia Computer Science 48 (2015) 166 – 172
International Conference on Intelligent Computing, Communication & Convergence (ICCC-2014) (ICCC-2015) Conference Organized by Interscience Institute of Management and Technology, Bhubaneswar, Odisha, India
Credential Based Authentication Approach for Dynamic Group in Cloud Environment Selvamani Ka, Pradeep Kumar Aryab a
Assistant Professor, Department of Computer Science & Engineering, Anna University, Chennai-600025, India b Research Scholar, Department of Computer Science & Engineering, Anna University, Chennai-600025, India
Abstract Solutions provided by Cloud computing not only includes the issues inherited from related technologies such as virtualization and distributed computing, but also new concerns associated to complexity of the cloud ecosystem composed by the cloud entities and their interactions. Authentication plays an important aspect in Cloud computing. This proposed system concentrates on authentication with reasonable time factor and reduce data traffic in the Cloud computing process. In addition, this system also identifies and analysis the credential management that focus on the cloud ecosystem for dynamic groups. Moreover a framework for credential classification that analyses the unifying concept and its related service is proposed and implemented. This proposed system proves to be more efficient when compare to other existing technology. © 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). © 2014 The Authors. Published by Elsevier B.V. Peer-review responsibility scientific committee of International Conference Computer, University of Communication Science and Technology. Selection andunder peer-review underof responsibility of scientific committee of Missouri on and Convergence (ICCC 2015)
Keywords: Cloud computing; Authentication; Credentials; ecosystem.
1877-0509 © 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of scientific committee of International Conference on Computer, Communication and Convergence (ICCC 2015) doi:10.1016/j.procs.2015.04.166
K. Selvamani and Pradeep Kumar Arya / Procedia Computer Science 48 (2015) 166 – 172
167
1. Introduction The most important aspect of security in cloud computing is to secure data from various threats in the cloud environment. This paper aims in providing solution for security and to promote the integration of services and various resources in distributed environments. It is necessary to ensure privacy and isolation of data and resources by considering the various levels of granularity, features which can be addressed by employing adequate mechanisms for authentication and authorization. This research paper aims in developing an authentication mechanism that reduces the authentication time in cloud computing as well as, it also minimizes the computation cost and secures multi owner data sharing scheme in the dynamic group. Moreover, this paper aims is developing the state of the art framework for credential management and solutions for cloud computing. The rest of the paper is organized as follows. Section II presents the related work done in this area. Section III discusses the definitions for identities and credentials, provides a model for defining these elements, presents a classification for credentials, and defines their lifecycles. Section IV consolidates the concepts studied in the preceding sections and proposes a framework for studying, classifying and defining credentials for cloud computing. Finally, section V presents a final conclusion related to the definitions, framework presented, and future work. 1.1. Cloud Ecosystem Computing the cloud resources are complex in rich environments [2]. By enabling large-scale integration of building blocks, the development and deployment of Web applications is simplified. The cloud ecosystem is the composition of services, vendors, end users and technologies, and also their interactions and interfaces [3], [4]. However, the growing diversity of these elements poses as a significant challenge in order to build portable and adaptable applications. Subsections II-A and II-B provide two complementary concepts for organizing this ecosystem. The first one is based on cloud deployment models. The second is based on the distinction between inside and outside cloud. 1.1.1
Deployment Models
In the definition provided by NIST [9] clouds are described as elastic environments which provide ubiquitous ondemand access to shared pools of configurable resources. Multiple platforms and interfaces provide versatile access to services, and these can be categorized according to the features they provide (software, platform and infrastructure as a service – SaaS, PaaS and IaaS). The deployment models define the complexity of a cloud by determining how it is used and managed, which are the main factors involved and how they are organized in the ecosystem. Four models are defined in this paper mainly – private, public, community and hybrid clouds. Private clouds are used by a specific organization or group of users and represent more restricted environments in terms of who is able to use and manage the resources. Public clouds are extremely attractive due to scalability and low compute, storage, and management costs [2]. They are employed to offer services concentrated in the SaaS and PaaS layers targeting end users. Finally, the other levels of organization (community and hybrid) represent more complex scenarios with a multitude of possible roles and interactions. 1.1.2 Inside and Outside Cloud The two main types of communication can be distinguished in the ecosystem. The first is the interaction between
168
K. Selvamani and Pradeep Kumar Arya / Procedia Computer Science 48 (2015) 166 – 172
cloud elements (inside security), such as virtual machines and services. The second is the exchange of information and data with an element outside. Most of the solutions address the interfaces between the end user and the cloud service (the outside cloud security), represented by authentication mechanisms. Security between elements inside the cloud is related to issues such as data and resource isolation, malicious insiders, insecure internal interfaces, and data leakage [5]. These aspects are overlooked specially in private clouds, although it is clear that they are not inherently secure [6], [7]. Nevertheless, it is clear that both perspectives are important to provide reliable and secure environments for applications to be built and deployed on, leading to the development of robust and practical solutions. 2. Related Work ENISA security assessment [10] covers many aspects related to operational security in terms of resource provisioning, authorization and identity provisioning and credential management. These include registration of new users, employment of standards (such as e-Government Interoperability Framework), use of different levels of identity and credential checks based on the resources required, key management and controls against credential compromise or theft. The creation of new virtual machines and the need for self-authentication is also a challenge which requires some form of secret while keeping system scalability. This mechanism allows the virtual machine to authenticate itself to other parties by generating different certificates for specific software and virtualization layers used to create the VM plus an unique identification of the instance. The CSA security guidance [12] also addresses concepts related to attribute-based credentials (ABCs) [13], [14] other studies present more detailed research on identities and credentials [10], [11], and also authentication and authorization infrastructures [1]. 2.1. Dynamic Group in Cloud The four main issues in dynamic group [20] are namely user authentication, cost efficiency [21], load balancing and robustness. Cost efficiency is to minimize the total number of files returned from the cloud. Note that keywords are uniformly distributed in the file set, and the probability of each keyword in a file is the same. Hence, this problem is equivalent to minimizing the total number of keywords [15, 16] in the combined queries. Since more common keywords in a group of queries will generate less keyword in the combined queries, we need to group users with the most common keywords together. The basic idea of our grouping strategy is to construct a public dictionary that consists of the universe of keywords. A user authentication process is one of the most important features of any group. If any new user wants to join the group [17], the group managers have to verify their identity and need to authenticate for accessing the group data. The dynamic group has a liberty that any member can join and leave the group in any time. For that concern we need an authentication approach for restricting unauthorized access in the group. We attempt to devise a dynamic grouping strategy in a cloud environment and also attempt to prevent the unauthorized access [22] by the hacker in the dynamic group moreover the grouping problem is addressed and the cost efficiency, load balancing, and robustness are maintained. We have evaluated Extensive experiments on the analytical model to validate our grouping strategies. 3. Identities and Credentials The previous section presented strategies to evaluate the complexity of the cloud ecosystem. These strategies facilitate the identification of main roles and the interactions between them. In order to enable control over these aspects it is necessary to provide mechanisms for authentication and authorization, promoting the use of identities and credentials [8].
K. Selvamani and Pradeep Kumar Arya / Procedia Computer Science 48 (2015) 166 – 172
169
3.1. Credentials Classification Credentials can be used to represent a plethora of information, containing attributes that describe details about the entity, actions it can perform, and rules it has to follow in the cloud environment. These characteristics can be summarized by the following proposed categories: • Metadata: Credentials used to store information about the entity, such as attributes for identification, migration between clouds, to keep record about lifecycle changes, employment (or usage), and ownership; •Authorization: Credentials stating what actions an entity can perform, what resources it can access, and any advantages it is entitled to receive; • Obligation: Credentials defining the rules and policies an entity has to follow within the context of the cloud, including financial obligations, legal aspects, and operational directives. This credentials classification helps to identify the types of information that have to represent according to service requirements in terms of reliability, privacy, and infrastructural security. A credential represents a set of attributes and consequently it can incorporate more than one type or category. 3.2. Lifecycles Another important difference between credentials and identities is their lifecycles. Based on several references [18], [21], we start by defining the main states from a credential lifecycle: • Create: Issue a new credential using attributes proofed by a trusted authority, thus guaranteeing the validity of the credential itself and the attributes it represents; • Store: Save the credential in a database, disk file or only memory, depending on the implementation of the credential management system; • Use: Retrieve or just check credential information to perform some operation or verify authentication and authorization directives; • Update: Change information from a credential or reissue it completely (for example, if the expiration of a certain authorization is changed, or the access control restrictions are modified); • Revoke: Invalidate some credential (for example, after the expiration of a license for using some service), without deleting it or unlinking it from its owner; • Archive: Save credential in a separate storage [19] unit for future audits (relating the credential to logged events) or to leave it unusable until the owner requests a formal reactivation; and • Destroy: Permanent and complete disposal of the credential and any related information. Fig 1 satisfies the states and their possible transitions. The created credential must be stored (persistently or not) in order to be used by other systems. A stored credential can also be updated when required by the system or demanded by the user, in case of changes in the attributes the credential represents. Use Group Signature
Create Group Signature Destroy Group Signature
Archive Group Signature
Store Group Signature
Revoke Group Signature
Update Group Signature
Fig 1. Proposed Credentials Lifecycle
Finally, when the credential is no longer necessary or it has lost its validity it is revoked. The Revoke state is transitory and the credential is either archived or permanently destroyed. The final transition between Destroy and Create states is not directly implemented in real solutions, but the attributes from an already destroyed credential can be reused to issue a new one, giving continuity to the cycle. The identity lifecycle presents less possible states and transitions, is shown in Fig. 2. Once created, the identity represents a set of immutable and perennial attributes
170
K. Selvamani and Pradeep Kumar Arya / Procedia Computer Science 48 (2015) 166 – 172
which distinguish an entity from the others, thus any sort of updating operations is not required. In a cloud service this could be a fixed and unique number (a virtual machine id, for instance). A possible analogy is the name of a person, which can be used as an identifier but not a unique one, versus a national registration number which is truly unique to the person. The other excluded states are Revoke and Destroy. A provider may consider these states in order to save resources. However, from a theoretical perspective the identity is unique to an entity; consequently the information used to create this identity should not be reused for other entities, thus avoiding reissuing an old identity to a new entity Use Identity
Create Identity Store Identity
Archive Identity Fig 2. Proposed Identities lifecycle
. 4. Proposed System Cloud systems and services demand a credential management system to provide reliable authentication and authorization. Either to develop or adopt a credential management system for a service, it is necessary to consider the following factors: This first factor is closely related to the credentials classification of group. Entities
Lifecycle Deployment Model
Group Auth Framework
Requirements Categories
Services Fig 3.Proposed authentication framework
The type of service that is going to be offered. The cloud organization in terms of architecture and ecosystem organization. The security, privacy and compliance requirements which have to be addressed not only by credential management but the entire service itself. The entities that will be controlled regarding authentication and authorization. The lifecycle of the identities and credentials. This proposed framework summarized all the above fact is shown in Fig. 3. The credentials classification adopted in the framework is the one proposed in this paper. The cloud deployment models and service types are based on NIST cloud definition. The security requirements are based on the organization presentation. It was used the concept of cloud entities, as well as the lifecycles for identities and credentials. The authentication and authorization framework for group aims at facilitating the implementation of these mechanisms for cloud computing. It summarizes the concepts that influence the credential management solution to be adopted for a service of a specific type and setup or deployment model. It also allows the comparison of requirements for this solution when modifying some of the elements in the group. For example, if a test bed experimentation service has to be migrated to a community cloud, there are decisions to be made regarding how credentials are going to be issued and managed by the group.
K. Selvamani and Pradeep Kumar Arya / Procedia Computer Science 48 (2015) 166 – 172
171
5. Result
Fig. 4 Time consumption versus cloud requests.
Figure 4 shows the graph that represents the time consumption versus the cloud request. Once the cloud environment receives the user request, it categories the job priority and the job is selected based on the user request in the cloud environment in turn the user request is processed. But, the user has a responsibility to mention the user type and the service type to be performed. 6. Conclusion This proposed robust authentication and authorization mechanisms is able to provide better instruments for addressing issues such as isolation and access control in complex cloud environments such as a public or community clouds. In this proposed work, the first contribution is identifying a set of categories for credentials and adapts them to the cloud context. The categories are useful to define what kind of information has to be represented in terms of credentials for a specific system or service, and how this information can be grouped and organized. The second major contribution is the identification of important elements that have to be considered when adopting or developing a solution for authentication and authorization. This activity motivated the assembling of the authentication and authorization framework which summarizes the concepts that pivot around identities and credentials for cloud computing. References 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15.
Nelson Mimura Gonzalez, Marco Antônio Torrez Rojas, Marcos Vinícius Maciel da Silva, “A framework for authentication and authorization credentials in cloud computing”, 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications,2013. R. Geambasu, S. Gribble, and H. Levy, “Cloudviews: Communal data sharing in public clouds,” in Workshop on Hot Topics in Cloud Computing (HotCloud), 2009. L.-J. Zhang and Q. Zhou, “CCOA: Cloud Computing Open Architecture,” in Web Services, 2009. ICWS 2009. IEEE International Conference on, july 2009, pp. 607 –616. B. Sotomayor, R. Montero, I. Llorente, and I. Foster, “Virtual Infrastructure Management in Private and Hybrid Clouds,” Internet Computing, IEEE, vol. 13, no. 5, pp. 14 –22, sept.- oct. 2009. D. Hubbard, L. J. H. Jr, and M. Sutton, “Top threats to cloud computing,” Cloud Security Alliance, Tech. Rep., March 2010. [Online]. Available: cloudsecurityalliance.org/research/ projects/top-threats-to-cloud-computing. J. Kinsella, “5 (more) key cloud security issues,” Sep 2012. [Online]. Available: http://www.csoonline.com/article/717307/5-more-keycloud-security-issues. J. Bloomberg, “Why Public Clouds are More Secure than Private Clouds,” Feb 2012. [Online]. Available: http://www.zapthink.com/2012/02/07/ why-public-clouds-are-more-secure-than-private-clouds. C. Metz, “AAA protocols: authentication, authorization, and accounting for the Internet,” Internet Computing, IEEE, vol. 3,no. 6, pp. 75 – 79, Nov/Dec 1999. P. Windley, Digital identity. O’Reilly Media, Incorporated,2005. U. Fragoso-Rodriguez, M. Laurent-Maknavicius, and J. Incera-Dieguez, “Federated identity architectures,” in Work in progress session, Annual Computer Security Application Conference, 2006. C. Satchell, G. Shanks, S. Howard, and J. Murphy, “Knowing me–knowing you. end user perceptions of digital identity management systems,” in Proceedings of the 14th European Conference on Information System, 2006. CSA, “Security guidance for critical areas of focus in cloud computing,” Cloud Security Alliance, Tech. Rep., December 2009. K. Frikken, M. Atallah, and J. Li, “Attribute-based access control with hidden policies and hidden credentials,” Computers,IEEE Transactions on, vol. 55, no. 10, pp. 1259–1270, 2006. T. Barton and J. Basney, “Identity federation and attributebased authorization through the globus toolkit, shibboleth,gridshib, and myproxy,” in 5th Annual PKI R&D Workshop, 2006. F. Corradini, E. Paganelli, and A. Polzonetti, “The egovernment digital credentials,” International Journal of Electronic Governance, vol. 1,
172
K. Selvamani and Pradeep Kumar Arya / Procedia Computer Science 48 (2015) 166 – 172
no. 1, pp. 17–37, 2007. 16. D. B. Cross, P. J. Hallin, M. W. Thomlinson, and T. C.Jones, “Digital identity management,” April 2010, uS Patent 7,703,128. 17. A. Bhargav-Spantzel, A. C. Squicciarini, and E. Bertino, “Establishing and protecting digital identity in federation systems,” Journal of Computer Security, vol. 14, no. 3, pp.269–300, 2006. 18. E. Bertino, F. Paci, R. Ferrini, and N. Shang, “Privacypreserving digital identity management for cloud computing,”Data Engineering, vol. 32, no. 1, 2009. 19. J. Lopez, R. Oppliger, and G. Pernul, “Authentication and authorization infrastructures (aais): a comparative survey,” Computers & Security, vol. 23, no. 7, pp. 578–590, 2004. 20. Xuefeng Liu, Yuqing Zhang, Boyang Wang, and Jingbo Yan “Mona: Secure Multi-Owner Data Sharing for Dynamic Groups in the Cloud” IEEE transactions on parallel and distributed systems, vol. 24, no. 6, june 2013. 21. M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R.H. Katz, A. Konwinski, G. Lee, D.A. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, “A View of Cloud Computing,” Comm. ACM, vol. 53,no. 4, pp. 50-58, Apr. 2010. 22. J. Kangasharju, J. Roberts, and K. Ross, “Object replication strategies in content distribution networks,” Computer Communications,2002.
ScienceDirect Procedia Computer Science 48 (2015) 166 – 172
International Conference on Intelligent Computing, Communication & Convergence (ICCC-2014) (ICCC-2015) Conference Organized by Interscience Institute of Management and Technology, Bhubaneswar, Odisha, India
Credential Based Authentication Approach for Dynamic Group in Cloud Environment Selvamani Ka, Pradeep Kumar Aryab a
Assistant Professor, Department of Computer Science & Engineering, Anna University, Chennai-600025, India b Research Scholar, Department of Computer Science & Engineering, Anna University, Chennai-600025, India
Abstract Solutions provided by Cloud computing not only includes the issues inherited from related technologies such as virtualization and distributed computing, but also new concerns associated to complexity of the cloud ecosystem composed by the cloud entities and their interactions. Authentication plays an important aspect in Cloud computing. This proposed system concentrates on authentication with reasonable time factor and reduce data traffic in the Cloud computing process. In addition, this system also identifies and analysis the credential management that focus on the cloud ecosystem for dynamic groups. Moreover a framework for credential classification that analyses the unifying concept and its related service is proposed and implemented. This proposed system proves to be more efficient when compare to other existing technology. © 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). © 2014 The Authors. Published by Elsevier B.V. Peer-review responsibility scientific committee of International Conference Computer, University of Communication Science and Technology. Selection andunder peer-review underof responsibility of scientific committee of Missouri on and Convergence (ICCC 2015)
Keywords: Cloud computing; Authentication; Credentials; ecosystem.
1877-0509 © 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of scientific committee of International Conference on Computer, Communication and Convergence (ICCC 2015) doi:10.1016/j.procs.2015.04.166
K. Selvamani and Pradeep Kumar Arya / Procedia Computer Science 48 (2015) 166 – 172
167
1. Introduction The most important aspect of security in cloud computing is to secure data from various threats in the cloud environment. This paper aims in providing solution for security and to promote the integration of services and various resources in distributed environments. It is necessary to ensure privacy and isolation of data and resources by considering the various levels of granularity, features which can be addressed by employing adequate mechanisms for authentication and authorization. This research paper aims in developing an authentication mechanism that reduces the authentication time in cloud computing as well as, it also minimizes the computation cost and secures multi owner data sharing scheme in the dynamic group. Moreover, this paper aims is developing the state of the art framework for credential management and solutions for cloud computing. The rest of the paper is organized as follows. Section II presents the related work done in this area. Section III discusses the definitions for identities and credentials, provides a model for defining these elements, presents a classification for credentials, and defines their lifecycles. Section IV consolidates the concepts studied in the preceding sections and proposes a framework for studying, classifying and defining credentials for cloud computing. Finally, section V presents a final conclusion related to the definitions, framework presented, and future work. 1.1. Cloud Ecosystem Computing the cloud resources are complex in rich environments [2]. By enabling large-scale integration of building blocks, the development and deployment of Web applications is simplified. The cloud ecosystem is the composition of services, vendors, end users and technologies, and also their interactions and interfaces [3], [4]. However, the growing diversity of these elements poses as a significant challenge in order to build portable and adaptable applications. Subsections II-A and II-B provide two complementary concepts for organizing this ecosystem. The first one is based on cloud deployment models. The second is based on the distinction between inside and outside cloud. 1.1.1
Deployment Models
In the definition provided by NIST [9] clouds are described as elastic environments which provide ubiquitous ondemand access to shared pools of configurable resources. Multiple platforms and interfaces provide versatile access to services, and these can be categorized according to the features they provide (software, platform and infrastructure as a service – SaaS, PaaS and IaaS). The deployment models define the complexity of a cloud by determining how it is used and managed, which are the main factors involved and how they are organized in the ecosystem. Four models are defined in this paper mainly – private, public, community and hybrid clouds. Private clouds are used by a specific organization or group of users and represent more restricted environments in terms of who is able to use and manage the resources. Public clouds are extremely attractive due to scalability and low compute, storage, and management costs [2]. They are employed to offer services concentrated in the SaaS and PaaS layers targeting end users. Finally, the other levels of organization (community and hybrid) represent more complex scenarios with a multitude of possible roles and interactions. 1.1.2 Inside and Outside Cloud The two main types of communication can be distinguished in the ecosystem. The first is the interaction between
168
K. Selvamani and Pradeep Kumar Arya / Procedia Computer Science 48 (2015) 166 – 172
cloud elements (inside security), such as virtual machines and services. The second is the exchange of information and data with an element outside. Most of the solutions address the interfaces between the end user and the cloud service (the outside cloud security), represented by authentication mechanisms. Security between elements inside the cloud is related to issues such as data and resource isolation, malicious insiders, insecure internal interfaces, and data leakage [5]. These aspects are overlooked specially in private clouds, although it is clear that they are not inherently secure [6], [7]. Nevertheless, it is clear that both perspectives are important to provide reliable and secure environments for applications to be built and deployed on, leading to the development of robust and practical solutions. 2. Related Work ENISA security assessment [10] covers many aspects related to operational security in terms of resource provisioning, authorization and identity provisioning and credential management. These include registration of new users, employment of standards (such as e-Government Interoperability Framework), use of different levels of identity and credential checks based on the resources required, key management and controls against credential compromise or theft. The creation of new virtual machines and the need for self-authentication is also a challenge which requires some form of secret while keeping system scalability. This mechanism allows the virtual machine to authenticate itself to other parties by generating different certificates for specific software and virtualization layers used to create the VM plus an unique identification of the instance. The CSA security guidance [12] also addresses concepts related to attribute-based credentials (ABCs) [13], [14] other studies present more detailed research on identities and credentials [10], [11], and also authentication and authorization infrastructures [1]. 2.1. Dynamic Group in Cloud The four main issues in dynamic group [20] are namely user authentication, cost efficiency [21], load balancing and robustness. Cost efficiency is to minimize the total number of files returned from the cloud. Note that keywords are uniformly distributed in the file set, and the probability of each keyword in a file is the same. Hence, this problem is equivalent to minimizing the total number of keywords [15, 16] in the combined queries. Since more common keywords in a group of queries will generate less keyword in the combined queries, we need to group users with the most common keywords together. The basic idea of our grouping strategy is to construct a public dictionary that consists of the universe of keywords. A user authentication process is one of the most important features of any group. If any new user wants to join the group [17], the group managers have to verify their identity and need to authenticate for accessing the group data. The dynamic group has a liberty that any member can join and leave the group in any time. For that concern we need an authentication approach for restricting unauthorized access in the group. We attempt to devise a dynamic grouping strategy in a cloud environment and also attempt to prevent the unauthorized access [22] by the hacker in the dynamic group moreover the grouping problem is addressed and the cost efficiency, load balancing, and robustness are maintained. We have evaluated Extensive experiments on the analytical model to validate our grouping strategies. 3. Identities and Credentials The previous section presented strategies to evaluate the complexity of the cloud ecosystem. These strategies facilitate the identification of main roles and the interactions between them. In order to enable control over these aspects it is necessary to provide mechanisms for authentication and authorization, promoting the use of identities and credentials [8].
K. Selvamani and Pradeep Kumar Arya / Procedia Computer Science 48 (2015) 166 – 172
169
3.1. Credentials Classification Credentials can be used to represent a plethora of information, containing attributes that describe details about the entity, actions it can perform, and rules it has to follow in the cloud environment. These characteristics can be summarized by the following proposed categories: • Metadata: Credentials used to store information about the entity, such as attributes for identification, migration between clouds, to keep record about lifecycle changes, employment (or usage), and ownership; •Authorization: Credentials stating what actions an entity can perform, what resources it can access, and any advantages it is entitled to receive; • Obligation: Credentials defining the rules and policies an entity has to follow within the context of the cloud, including financial obligations, legal aspects, and operational directives. This credentials classification helps to identify the types of information that have to represent according to service requirements in terms of reliability, privacy, and infrastructural security. A credential represents a set of attributes and consequently it can incorporate more than one type or category. 3.2. Lifecycles Another important difference between credentials and identities is their lifecycles. Based on several references [18], [21], we start by defining the main states from a credential lifecycle: • Create: Issue a new credential using attributes proofed by a trusted authority, thus guaranteeing the validity of the credential itself and the attributes it represents; • Store: Save the credential in a database, disk file or only memory, depending on the implementation of the credential management system; • Use: Retrieve or just check credential information to perform some operation or verify authentication and authorization directives; • Update: Change information from a credential or reissue it completely (for example, if the expiration of a certain authorization is changed, or the access control restrictions are modified); • Revoke: Invalidate some credential (for example, after the expiration of a license for using some service), without deleting it or unlinking it from its owner; • Archive: Save credential in a separate storage [19] unit for future audits (relating the credential to logged events) or to leave it unusable until the owner requests a formal reactivation; and • Destroy: Permanent and complete disposal of the credential and any related information. Fig 1 satisfies the states and their possible transitions. The created credential must be stored (persistently or not) in order to be used by other systems. A stored credential can also be updated when required by the system or demanded by the user, in case of changes in the attributes the credential represents. Use Group Signature
Create Group Signature Destroy Group Signature
Archive Group Signature
Store Group Signature
Revoke Group Signature
Update Group Signature
Fig 1. Proposed Credentials Lifecycle
Finally, when the credential is no longer necessary or it has lost its validity it is revoked. The Revoke state is transitory and the credential is either archived or permanently destroyed. The final transition between Destroy and Create states is not directly implemented in real solutions, but the attributes from an already destroyed credential can be reused to issue a new one, giving continuity to the cycle. The identity lifecycle presents less possible states and transitions, is shown in Fig. 2. Once created, the identity represents a set of immutable and perennial attributes
170
K. Selvamani and Pradeep Kumar Arya / Procedia Computer Science 48 (2015) 166 – 172
which distinguish an entity from the others, thus any sort of updating operations is not required. In a cloud service this could be a fixed and unique number (a virtual machine id, for instance). A possible analogy is the name of a person, which can be used as an identifier but not a unique one, versus a national registration number which is truly unique to the person. The other excluded states are Revoke and Destroy. A provider may consider these states in order to save resources. However, from a theoretical perspective the identity is unique to an entity; consequently the information used to create this identity should not be reused for other entities, thus avoiding reissuing an old identity to a new entity Use Identity
Create Identity Store Identity
Archive Identity Fig 2. Proposed Identities lifecycle
. 4. Proposed System Cloud systems and services demand a credential management system to provide reliable authentication and authorization. Either to develop or adopt a credential management system for a service, it is necessary to consider the following factors: This first factor is closely related to the credentials classification of group. Entities
Lifecycle Deployment Model
Group Auth Framework
Requirements Categories
Services Fig 3.Proposed authentication framework
The type of service that is going to be offered. The cloud organization in terms of architecture and ecosystem organization. The security, privacy and compliance requirements which have to be addressed not only by credential management but the entire service itself. The entities that will be controlled regarding authentication and authorization. The lifecycle of the identities and credentials. This proposed framework summarized all the above fact is shown in Fig. 3. The credentials classification adopted in the framework is the one proposed in this paper. The cloud deployment models and service types are based on NIST cloud definition. The security requirements are based on the organization presentation. It was used the concept of cloud entities, as well as the lifecycles for identities and credentials. The authentication and authorization framework for group aims at facilitating the implementation of these mechanisms for cloud computing. It summarizes the concepts that influence the credential management solution to be adopted for a service of a specific type and setup or deployment model. It also allows the comparison of requirements for this solution when modifying some of the elements in the group. For example, if a test bed experimentation service has to be migrated to a community cloud, there are decisions to be made regarding how credentials are going to be issued and managed by the group.
K. Selvamani and Pradeep Kumar Arya / Procedia Computer Science 48 (2015) 166 – 172
171
5. Result
Fig. 4 Time consumption versus cloud requests.
Figure 4 shows the graph that represents the time consumption versus the cloud request. Once the cloud environment receives the user request, it categories the job priority and the job is selected based on the user request in the cloud environment in turn the user request is processed. But, the user has a responsibility to mention the user type and the service type to be performed. 6. Conclusion This proposed robust authentication and authorization mechanisms is able to provide better instruments for addressing issues such as isolation and access control in complex cloud environments such as a public or community clouds. In this proposed work, the first contribution is identifying a set of categories for credentials and adapts them to the cloud context. The categories are useful to define what kind of information has to be represented in terms of credentials for a specific system or service, and how this information can be grouped and organized. The second major contribution is the identification of important elements that have to be considered when adopting or developing a solution for authentication and authorization. This activity motivated the assembling of the authentication and authorization framework which summarizes the concepts that pivot around identities and credentials for cloud computing. References 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15.
Nelson Mimura Gonzalez, Marco Antônio Torrez Rojas, Marcos Vinícius Maciel da Silva, “A framework for authentication and authorization credentials in cloud computing”, 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications,2013. R. Geambasu, S. Gribble, and H. Levy, “Cloudviews: Communal data sharing in public clouds,” in Workshop on Hot Topics in Cloud Computing (HotCloud), 2009. L.-J. Zhang and Q. Zhou, “CCOA: Cloud Computing Open Architecture,” in Web Services, 2009. ICWS 2009. IEEE International Conference on, july 2009, pp. 607 –616. B. Sotomayor, R. Montero, I. Llorente, and I. Foster, “Virtual Infrastructure Management in Private and Hybrid Clouds,” Internet Computing, IEEE, vol. 13, no. 5, pp. 14 –22, sept.- oct. 2009. D. Hubbard, L. J. H. Jr, and M. Sutton, “Top threats to cloud computing,” Cloud Security Alliance, Tech. Rep., March 2010. [Online]. Available: cloudsecurityalliance.org/research/ projects/top-threats-to-cloud-computing. J. Kinsella, “5 (more) key cloud security issues,” Sep 2012. [Online]. Available: http://www.csoonline.com/article/717307/5-more-keycloud-security-issues. J. Bloomberg, “Why Public Clouds are More Secure than Private Clouds,” Feb 2012. [Online]. Available: http://www.zapthink.com/2012/02/07/ why-public-clouds-are-more-secure-than-private-clouds. C. Metz, “AAA protocols: authentication, authorization, and accounting for the Internet,” Internet Computing, IEEE, vol. 3,no. 6, pp. 75 – 79, Nov/Dec 1999. P. Windley, Digital identity. O’Reilly Media, Incorporated,2005. U. Fragoso-Rodriguez, M. Laurent-Maknavicius, and J. Incera-Dieguez, “Federated identity architectures,” in Work in progress session, Annual Computer Security Application Conference, 2006. C. Satchell, G. Shanks, S. Howard, and J. Murphy, “Knowing me–knowing you. end user perceptions of digital identity management systems,” in Proceedings of the 14th European Conference on Information System, 2006. CSA, “Security guidance for critical areas of focus in cloud computing,” Cloud Security Alliance, Tech. Rep., December 2009. K. Frikken, M. Atallah, and J. Li, “Attribute-based access control with hidden policies and hidden credentials,” Computers,IEEE Transactions on, vol. 55, no. 10, pp. 1259–1270, 2006. T. Barton and J. Basney, “Identity federation and attributebased authorization through the globus toolkit, shibboleth,gridshib, and myproxy,” in 5th Annual PKI R&D Workshop, 2006. F. Corradini, E. Paganelli, and A. Polzonetti, “The egovernment digital credentials,” International Journal of Electronic Governance, vol. 1,
172
K. Selvamani and Pradeep Kumar Arya / Procedia Computer Science 48 (2015) 166 – 172
no. 1, pp. 17–37, 2007. 16. D. B. Cross, P. J. Hallin, M. W. Thomlinson, and T. C.Jones, “Digital identity management,” April 2010, uS Patent 7,703,128. 17. A. Bhargav-Spantzel, A. C. Squicciarini, and E. Bertino, “Establishing and protecting digital identity in federation systems,” Journal of Computer Security, vol. 14, no. 3, pp.269–300, 2006. 18. E. Bertino, F. Paci, R. Ferrini, and N. Shang, “Privacypreserving digital identity management for cloud computing,”Data Engineering, vol. 32, no. 1, 2009. 19. J. Lopez, R. Oppliger, and G. Pernul, “Authentication and authorization infrastructures (aais): a comparative survey,” Computers & Security, vol. 23, no. 7, pp. 578–590, 2004. 20. Xuefeng Liu, Yuqing Zhang, Boyang Wang, and Jingbo Yan “Mona: Secure Multi-Owner Data Sharing for Dynamic Groups in the Cloud” IEEE transactions on parallel and distributed systems, vol. 24, no. 6, june 2013. 21. M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R.H. Katz, A. Konwinski, G. Lee, D.A. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, “A View of Cloud Computing,” Comm. ACM, vol. 53,no. 4, pp. 50-58, Apr. 2010. 22. J. Kangasharju, J. Roberts, and K. Ross, “Object replication strategies in content distribution networks,” Computer Communications,2002.