TSINGHUA SCIENCE AND TECHNOLOGY ISSN 1007-0214 06/09 pp520-528 Volume 16, Number 5, October 2011
Lightweight and Compromise Resilient Storage Outsourcing with Distributed Secure Accessibility in Mobile Cloud Computing*

Wei Ren1,**, Linchen Yu1, Ren Gao2, Feng Xiong3

1. School of Computer Science, China University of Geosciences, Wuhan 430074, China;
2. Department of Electronic Engineering, Hubei University of Economics, Wuhan 430205, China;
3. Department of Management Science and Engineering, Ningbo University, Ningbo 315211, China

Abstract: Mobile Cloud Computing usually consists of front-end users who possess mobile devices and back-end cloud servers. This paradigm empowers users to pervasively access a large volume of storage resources with portable devices in a distributed and cooperative manner. During the period between uploading and downloading files (data), the privacy and integrity of files need to be guaranteed. To this end, a family of schemes are proposed for different situations. All schemes are lightweight in terms of computational overhead, resilient to storage compromise on mobile devices, and do not assume that trusted cloud servers are present. Corresponding algorithms are proposed in detail for guiding off-the-shelf implementation. The evaluation of security and performance is also extensively analyzed, justifying the applicability of the proposed schemes.

Key words: mobile cloud computing; privacy; integrity; storage security
Received: 2011-06-22; revised: 2011-08-26
* Supported by the Special Fund for Basic Scientific Research of Central Colleges, China University of Geosciences (Wuhan) (No. 090109), the National Natural Science Foundation of China (No. 61170217), and the Scientific Research Fund of Zhejiang Provincial Education Department (No. 20070952)
** To whom correspondence should be addressed. E-mail: [email protected]

Introduction

Mobile Cloud Computing (MCC) is an emerging computational paradigm with fast penetration of lightweight Mobile Devices (MDs) to end users and rapid deployment of Cloud Servers (CSs)[1-3]. MCC not only takes advantage of CSs that provide resilient capabilities in terms of computation and storage at the back-end, but also takes advantage of MDs that provide pervasive access and ubiquitous computing at the front-end. The marriage of CSs and MDs not only balances the tradeoff between resource requirement and mobility demand for a single mobile user, but also constructs a cooperative connection between multiple mobile users. It broadly enlarges the computing power of individual mobile users and seamlessly links multiple cooperators in a mobile group[4,5].

In MCC, MDs inherently need to migrate some computation and storage tasks to CSs. If CSs are trusted, the migration is straightforward; but if CSs are distrusted, a critical problem arises: how to keep the outsourced computation and storage trustworthy[6]. In this paper, we focus on storage outsourcing in distrusted CSs (computation outsourcing is usually conducted in trusted CSs). After an MD creates a file and processes it, it may upload it into a CS or multiple CSs. The host user or other cooperators may access it in the future in a distributed manner. Obviously, the privacy and integrity of the file must be maintained in the storage of CSs during the period between uploading and accessing[7,8].
Although some papers address related or similar problems in storage Cloud[9-12], subtle design for secure outsourcing storage in MCC has not been extensively explored. Some solutions assume CSs are trusted, which may be too strong (unrealistic) an assumption and constrains their applicability. Besides, the mobility of MDs and the cooperative accessibility of files on CSs are not yet carefully considered. Moreover, as MDs may be lost accidentally, the storage of MDs is vulnerable to exposure, which is inappropriately ignored.

All of the above situations are tackled in the design of this paper, and our schemes can guarantee the privacy and integrity of outsourced files or data while remaining lightweight in terms of computation. We first propose an encryption based scheme for the situation of a single accessible CS. Next, we propose a coding based scheme for the situation in which multiple CSs are available, without relying on encryption. We finally propose a sharing based scheme to further decrease the computation overhead by relying only on the exclusive-or operation.

The contributions of the paper are listed as follows: (1) we propose a family of secure storage schemes for MCC even if all CSs are distrusted; (2) our scheme can support secure accessibility from multiple users, even if storage of MDs is exposed; (3) our scheme is lightweight in that it only relies on exclusive-or operation and hash function.

The rest of the paper is organized as follows. In Section 1 we discuss the basic assumption and models used throughout the paper. Section 2 provides the detailed description of our proposed schemes and extensive analysis. Section 3 gives an overview of relevant prior work. Finally, Section 4 concludes the paper.
1 Problem Formation

1.1 Network model and operation model
In typical MCC scenarios, we specify three major operators or entities in discussion.

(1) MD: Mobile Device. It is a device equipped with capabilities such as computing, storage and wireless communication. For example, smart phone, tablet PC, or wireless sensor node.
(2) CS: Cloud Server. It is a service provider in cloud computing, which usually provides storage or computing service. Only storage service is considered in this paper. It can be further divided into two categories: portal CS and back-end CS. The former is accessed by MD directly; the latter is accessed by portal CS.
(3) U: User. It is a person who manipulates MD. Multiple users may exist who want to access the same file or data in CS.

The operated object is a file or data, both denoted as F. It is a file to be uploaded (downloaded) into (from) CS. Two basic operation models are as follows.

(1) Storing as a Service. CS works as a storage service provider. F is created and operated at MD. U uploads F into CS. Upon retrieval of file F, U downloads F from CS. U may modify local F and update the remote F by re-uploading the modified version into CS.
(2) Computing as a Service. CS works as a computing platform. F is created at CS and operated at CS.

We only discuss the first operation model in this paper. In the second one, CS needs to be fully trusted, so the security problem is trivial. Figure 1 depicts related entities in MCC.

1.2 Trust model
We assume MD is semi-trusted. The computation in MD is trusted, as it is usually difficult for attackers to change the implementation code in installed functions. The storage in MD is distrusted, as attackers may steal some data in MD by installing malicious software. Or, MD may be lost accidentally and all storage is exposed. In summary, we assume MD follows the specification in the proposed scheme but stored data may be lost, which keeps the trust assumption for MD to the minimum.

Fig. 1 Entities in mobile cloud computing

CS is assumed distrusted. Its attack model comprises total loss of data, malfunction in computing, data modification, and data exposure.

Links between MD and portal CS consist of one or more hops, wireless and/or wired channels. However, link security such as privacy and integrity is inherently provided by media access layer protocols such as IEEE 802.11, or IP layer protocols such as IPSec. Thus, we assume the links are trusted and focus on the central issue (such as distrusted cloud servers) in this paper.

As we clearly define the trust model, we can compare the security of proposed schemes when the same security goals are achieved. That is, the proposed scheme is more secure if the assumption of its underlying trust model is weaker (e.g., semi-trust is weaker than trust, distrust is weaker than semi-trust). The security requirement fulfilled in this paper is data confidentiality and data integrity of user's files in MCC, under the respective trust models.
2 Proposed Schemes

In this section, we propose a family of schemes to solve the security requirement. We list all major notations used in the remainder of the paper in Table 1.

Table 1 Notations
F           File (or Data) to be uploaded into Cloud side
FN          File Name of F
FS          File Size of F
MD          Mobile Device
CS          Cloud Server
ENC(∙,∙)    Symmetric Key Encryption function
DEC(∙,∙)    Symmetric Key Decryption function
H(∙)        Hash function
MAC         File Integrity Authentication Code
EnS         Encryption based Scheme
CoS         Coding based Scheme
ShS         Sharing based Scheme

2.1 Encryption based Scheme (EnS)

We firstly propose an Encryption based Scheme called EnS to illustrate our motivation. In this scheme, file encryption and integrity checking are conducted by MD itself, as called. The scheme EnS is described as
follows:

2.1.1 Uploading process

(1) Before uploading file F into CS, MD prompts U to input a password, denoted as PWD.
(2) MD generates encryption key EK = H(PWD || FN || FS) and integrity key IK = H(FN || PWD || FS), where FN is the name of the file F (the character string is converted to a bit string), and FS is the size of the file F.
(3) MD encrypts F with EK as F′ = ENC(F, EK). MD generates the file integrity authentication code, denoted as MAC = {H(F, IK)}.
(4) MD sends {F′ || H(FN) || MAC} to portal CS. MD stores T = 〈FN〉 locally and deletes EK and IK.

2.1.2 Downloading process

(1) Suppose MD wants to fetch F with the name FN. MD then sends H(FN) to CS. CS searches in 〈F′, H(FN), MAC〉 and sends back the {F′ || MAC} that matches H(FN) to MD.
(2) MD prompts U to input the corresponding PWD for the FN.
(3) MD generates encryption key EK = H(PWD || FN || FS) and integrity key IK = H(FN || PWD || FS), where FS is the size of F′, which has |F′| = |F| = FS.
(4) MD decrypts out F = DEC(F′, EK), and checks whether MAC = H(F, IK) holds.

Note that the downloading process for a cooperator (instead of U) requires a preparation stage. That is, suppose a cooperator wants to fetch F; she will consult U for FN and PWD off-line, e.g., via a mobile phone call.

We thus propose Algorithm 1 and Algorithm 2. "//" is the comment mark. All functions are conducted at MD except that Retrieve() is invoked at CS. Here, "Require" means input and "Ensure" means output.

Algorithm 1 MD Uploading Function
Require: F
Ensure: T = 〈FN〉, M = {F′ || H(FN) || MAC}
  FN ⇐ GetFileName(F)
  FS ⇐ GetFileSize(F)
  PWD ⇐ PromptToGetPWD(FN)
  EK ⇐ H(PWD || FN || FS)
  IK ⇐ H(FN || PWD || FS)
  F′ ⇐ ENC(F, EK)
  MAC ⇐ H(F, IK)
  Send(CS, M = {F′ || H(FN) || MAC})
  //i.e., MD → CS: {F′ || H(FN) || MAC}
  T = 〈FN〉 ⇐ Store(FN) //T is a table for storing FN
  Delete(EK, IK)

Algorithm 2 MD Downloading Function
Require: FN
Ensure: F, Valid, Invalid
  M = {F′ || MAC} ⇐ Retrieve(CS, H(FN))
  //i.e., MD → CS: {H(FN)}, CS → MD: {F′ || MAC}
  F′ ⇐ GetF′(M)
  FS ⇐ GetFileSize(F′)
  MAC ⇐ GetMAC(M)
  PWD ⇐ PromptToGetPWD(FN)
  EK ⇐ H(PWD || FN || FS)
  IK ⇐ H(FN || PWD || FS)
  F ⇐ DEC(F′, EK)
  if (MAC == H(F, IK)) then
    print "Valid"
  else
    print "Invalid"
  end if
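The EnS upload and download flow of Algorithms 1 and 2 as runnable Python, including what a distrusted portal CS sees and how a modified F′ is caught; this is an added example, not code from the paper. It assumes SHA-256 for H(∙), HMAC-SHA256 keyed with IK for H(F, IK), and a hash-counter XOR keystream as a stand-in for ENC/DEC; PortalCS, md_upload and md_download are hypothetical names.

```python
import hashlib
import hmac


def H(*parts: bytes) -> bytes:
    """H(.) as SHA-256 (assumption); parts are length-prefixed so the
    concatenation 'a' || 'bc' cannot collide with 'ab' || 'c'."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(8, "big") + p)
    return h.digest()


def derive_keys(pwd: str, fn: str, fs: int):
    """EK = H(PWD || FN || FS), IK = H(FN || PWD || FS)."""
    p, n, s = pwd.encode(), fn.encode(), fs.to_bytes(8, "big")
    return H(p, n, s), H(n, p, s)


def enc(data: bytes, ek: bytes) -> bytes:
    """Stand-in for ENC/DEC (assumption): XOR with a SHA-256 counter
    keystream, so |F'| = |F| = FS as the scheme requires. Not a vetted cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(ek + (off // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)


dec = enc  # an XOR keystream is its own inverse


def mac_of(f: bytes, ik: bytes) -> bytes:
    """MAC = H(F, IK), instantiated here as HMAC-SHA256 keyed with IK."""
    return hmac.new(ik, f, hashlib.sha256).digest()


class PortalCS:
    """Distrusted portal CS: it only ever holds H(FN), F' and MAC."""

    def __init__(self):
        self.store = {}

    def put(self, tag, f_enc, mac):
        self.store[tag] = (f_enc, mac)

    def retrieve(self, tag):
        return self.store[tag]


def md_upload(cs, table, fn, f, pwd):
    ek, ik = derive_keys(pwd, fn, len(f))
    cs.put(H(fn.encode()), enc(f, ek), mac_of(f, ik))
    table.add(fn)  # T = <FN>; PWD, EK and IK are not kept on the MD


def md_download(cs, fn, pwd):
    f_enc, mac = cs.retrieve(H(fn.encode()))
    ek, ik = derive_keys(pwd, fn, len(f_enc))  # FS is recovered from |F'|
    f = dec(f_enc, ek)
    return f, hmac.compare_digest(mac, mac_of(f, ik))


def demo():
    cs, table = PortalCS(), set()
    # Constructed sample inputs.
    fn, pwd = "report.txt", "correct horse"
    f = b"constructed sample file body for the EnS walk-through"
    md_upload(cs, table, fn, f, pwd)
    good = md_download(cs, fn, pwd)                    # (F, Valid)
    wrong_pwd_valid = md_download(cs, fn, "guess")[1]  # wrong PWD: Invalid
    tag = H(fn.encode())
    f_enc, mac = cs.store[tag]
    cs.store[tag] = (bytes([f_enc[0] ^ 1]) + f_enc[1:], mac)  # CS flips one bit
    tampered_valid = md_download(cs, fn, pwd)[1]       # modification: Invalid
    plaintext_on_cs = any(f in blob for blob, _ in cs.store.values())
    return good, wrong_pwd_valid, tampered_valid, plaintext_on_cs


if __name__ == "__main__":
    print(demo())
```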
As MD is semi-trusted (storage may be exposed but computation is usually properly conducted), PWD is not stored at MD. As PWD must be memorable by U, its length is limited. To extend password entropy for defending against brute force searching of PWD at CS, FN is included in the generation of EK and IK. FS is included for distinguishing each modification of file F with the same FN. EK and IK are distinct, for further improving the security. We state the analysis in detail in the following propositions.

Proposition 1 The confidentiality of F can be guaranteed, even if portal CS is fully distrusted.

Proof The confidentiality of F is guaranteed by F′ = ENC(F, EK) and thus relies on the secrecy of EK. Without EK, it is computationally infeasible to compute F from F′. As EK = H(PWD || FN || FS), CS usually computes EK by brute force searching of PWD and randomly guessing of FN. If storage on MD is compromised, e.g., T = 〈FN〉 is exposed, it is still difficult for attackers at the CS side to reveal FN due to the one-wayness of H(FN), as attackers at CS only possess H(FN) (CS is fully distrusted). To reveal F′, attackers have to install malicious code at MD to send all FN in T to CS; or, they have to install malicious code that can search T to find the FN matching H(FN). The former will induce a large volume of transmission traffic; the latter will induce a noticeable processing peak. Both of them may be detected by an ordinary intrusion detection system at MD. Therefore, CS has to reveal FN from H(FN) in M by random guess, which has only $Pr_1 = 1 / 2^{|\mathrm{FN}|}$ possibility to succeed. The successful probability for guessing EK is $Pr_2 = 1 / 2^{\min(|H(\cdot)|, |\mathrm{PWD}|)}$. Thus the probability to reveal F from F′ is $Pr_1 Pr_2$, which is negligible when |H(∙)|, |PWD| or |FN| is large.

Proposition 2 The integrity of F can be guaranteed, even if portal CS is fully distrusted.

Proof The proof is similar to the above proof.

Proposition 3 The scheme EnS is sufficient and necessary for the confidentiality and integrity of F if portal CS is remote and only one portal CS stores F′.

Proof (Sketch) The sufficient direction is proved above. Next, we prove the necessary direction. Portal CS is remote; F thus has to be transformed into F′ such that it is computationally infeasible to compute F from F′ at CS. That is, $\Pr\{F \mid F', F' \Leftarrow f(F)\} < \varepsilon(n)$, where $\varepsilon(n)$ is a negligible polynomial related to security parameter n. However, MD can recover F from F′ by presenting a secret. That is, $\Pr\{F \mid F', F' \Leftarrow f(F), \mathrm{secret}\} = 1$. The secret itself is required in f. Thus, $\Pr\{F \mid F', F' \Leftarrow f(F, \mathrm{secret}), \mathrm{secret}\} = 1$. The transformation function f indeed works as an encryption function.

2.2 Coding based Scheme (CoS)
We observe that under some situations multiple CSs may be present. To further decrease the computation overhead of encryption function in power consumption, we propose a Coding based Scheme called CoS without encryption function but maintaining the secrecy of F as follows.

2.2.1 Uploading process

(1) Before uploading file F into CS, MD prompts U to input a password, denoted as PWD.
(2) MD divides F into $d = \lceil |F| / (n \ast t) \rceil$ parts, denoted as $F[i][j]$, $1 \le j \le d$, $1 \le i \le t$; each one thus has $n \ast t$ bits. Suppose d portal CSs are available.
(3) MD generates coding vector $\hat{\alpha} = [\alpha_1, \ldots, \alpha_t]$ by computing $\alpha_i = H^i(\mathrm{PWD} \,\|\, \mathrm{FN} \,\|\, \mathrm{FS})$, $|H(\cdot)| = n$, $1 \le i \le t$, $t \in \mathbb{Z}$, where $H^1(\cdot) = H(\cdot)$, $H^i(\cdot) = H(H^{i-1}(\cdot))$, $2 \le i \le t$. MD generates integrity key $\mathrm{IK} = H(\alpha_1 \,\|\, \cdots \,\|\, \alpha_t)$.
(4) MD codes one part by using vector $\hat{\alpha}$ as

$$F'[j] = \sum_{i=1}^{t} \alpha_i \ast F[i][j], \quad 1 \le j \le d.$$

MD generates MAC = {H(F, IK)}.
(5) MD sends {F′[j] || H(FN + j)}, $1 \le j \le d$, to portal $CS_j$, $1 \le j \le d$. It randomly selects a j′ ($1 \le j' \le d$) to enclose MAC in the packet. That is, MD → $CS_{j'}$: {F′[j′] || H(FN + j′) || MAC}. MD stores T = 〈FN〉 locally and deletes vector $\hat{\alpha}$ and IK.

2.2.2 Downloading process

(1) When MD wants to fetch F with the name FN, it sends H(FN + j) to $CS_j$, where $1 \le j \le d$. $CS_j$ retrieves its storage 〈F′[j], H(FN + j)〉 according to H(FN + j) and sends back F′[j] to MD. Among them, the packet from $CS_{j'}$ includes MAC. It can be easily differentiated by the packet length, as the length of the packet including MAC will be larger.
(2) MD prompts U to input the corresponding PWD for the FN.
(3) MD recovers $\hat{\alpha}$ by using $\hat{\alpha} = [\alpha_1, \ldots, \alpha_t]$, $\alpha_i = H^i(\mathrm{PWD} \,\|\, \mathrm{FN} \,\|\, \mathrm{FS})$, $1 \le i \le t$, where FS = |F′|.
(4) MD decrypts out F by using $F[i][j] = \hat{\alpha}^{-1}[i] \ast F'[j]$, $1 \le i \le t$, $1 \le j \le d$.
(5) MD generates integrity key $\mathrm{IK} = H(\alpha_1 \,\|\, \cdots \,\|\, \alpha_t)$. MD checks whether MAC = H(F, IK) holds.

Besides, the preparation stage for a cooperator is the same as that in the previous section.

We thus propose Algorithm 3 and Algorithm 4.

Algorithm 3 MD Uploading Function
Require: F, t, n, d
  //There are d CSs. F is divided into d parts.
  //Each part has t chunks. Each chunk has n bits.
Ensure: T = 〈FN〉, M[j] = {F′[j] || H(FN + j)(|| MAC)}
  FN ⇐ GetFileName(F)
  FS ⇐ n ∗ t ∗ d
  PWD ⇐ PromptToGetPWD(FN)
  for j = 1 to d do
    for i = 1 to t do
      F[i][j] ⇐ GetChunckfromPoint(F, (j − 1) ∗ n ∗ t + i, n)
    end for
  end for
  α[1] ⇐ H(PWD || FN || FS)
  for i = 2 to t do
    α[i] ⇐ H(α[i − 1]) //α[i] = H^i(PWD || FN || FS)
  end for
  IK ⇐ H(α[1] || … || α[t])
  for j = 1 to d do
    for i = 1 to t do
      F′[j] ⇐ F′[j] + α[i] ∗ F[i][j]
    end for
  end for
  MAC ⇐ H(F, IK)
  j′ ⇐ Random()%d + 1 //Random() is a function returning a
  //pseudorandom value; j′ lies in 1..d.
  for j = 1 to d do
    if (j == j′) then
      Send(CS_j′, M = {F′[j′] || H(FN + j′) || MAC})
      // MD → CS_j′: {F′[j′] || H(FN + j′) || MAC}
    else
      Send(CS_j, M = {F′[j] || H(FN + j)})
      // MD → CS_j: {F′[j] || H(FN + j)}
    end if
  end for
  T = 〈FN〉 ⇐ Store(FN)
  Delete(α̂, IK)

Algorithm 4 MD Downloading Function
Require: FN
Ensure: F, Valid, Invalid
  for j = 1 to d do
    M = {F′[j](|| MAC)} ⇐ Retrieve(CS_j, H(FN + j))
    // MD → CS_j: {H(FN + j)}, CS_j → MD: {F′[j]},
    // (1 ≤ j ≤ d, j <> j′)
    // MD → CS_j′: {H(FN + j′)},
    // CS_j′ → MD: {F′[j′] || MAC}
    F′[j] ⇐ GetF′(M)
    if (j == j′) then
      MAC ⇐ GetMAC(M)
    end if
  end for
  PWD ⇐ PromptToGetPWD(FN)
  FS ⇐ d ∗ n ∗ t
  α[1] ⇐ H(PWD || FN || FS)
  for i = 2 to t do
    α[i] ⇐ H(α[i − 1])
  end for
  Invα ⇐ Inverse(α)
  for j = 1 to d do
    for i = 1 to t do
      F[i][j] ⇐ Invα[i] ∗ F′[j]
    end for
  end for
  //combine F[i][j] into F
  for j = 1 to d do
    for i = 1 to t − 1 do
      F[i + 1][j] ⇐ Concatenate(F[i][j], F[i + 1][j])
    end for
    if j < d then
      F[1][j + 1] ⇐ Concatenate(F[i + 1][j], F[1][j + 1])
    end if
  end for
  F ⇐ F[t, d]
  IK ⇐ H(α[1] || … || α[t])
  if (MAC == H(F, IK)) then
    print "Valid"
  else
    print "Invalid"
  end if

Proposition 4 The confidentiality of F can be guaranteed, even if portal CSs are fully distrusted.

Proof The confidentiality of F is guaranteed by $F'[j] = \sum_{i=1}^{t} \alpha_i \ast F[i][j]$ and thus relies on the secrecy of α. Without α, it is computationally infeasible to compute F from F′ for attackers at CSs. As $\alpha_1 = H(\mathrm{PWD} \,\|\, \mathrm{FN} \,\|\, \mathrm{FS})$, CS will try to compute α by brute force searching of PWD and randomly guessing of FN. If attackers expose the storage of MD, T = 〈FN〉 will be exposed. Nevertheless, FN is still difficult to reveal due to the disconnection between the H(FN + j). To link all F′[j] for one F, attackers have two approaches: malicious code at CS sends all FNs in T to CS; malicious code can search T to find the FN matching H(FN + j). The former will induce a large volume of transmission traffic; the latter will induce a noticeable processing peak. Both of them may be detected by an ordinary intrusion detection system. Thus, even if all $CS_j$ ($1 \le j \le d$) collude, it is still difficult for them to link the H(FN + j) together to find the required F′[j]. Therefore, $CS_j$ has to reveal FN only by random guess from H(FN + j) in M, which can succeed with possibility $Pr_1 = 1 / 2^{|\mathrm{FN}|}$. The successful probability for guessing α is $Pr_2 = 1 / 2^{\min(|H(\cdot)|, |\mathrm{PWD}|)}$. The total successful probability to reveal F from F′ is $Pr_1 Pr_2$, which is negligible when |H(∙)|, |PWD| or |FN| is large.

Proposition 5 The integrity of F can be guaranteed, even if portal CS is fully distrusted.

Proof The proof is similar to the above proof.

Proposition 6 The scheme CoS is sufficient and necessary for the confidentiality and integrity of F if portal CSs are distrusted, multiple portal CSs store F′, and encryption is not involved.

Proof (Sketch) The sufficient direction is proved above. Next, we prove the necessary direction. Portal CSs are distrusted; F thus has to be transformed into F′ such that it is computationally infeasible to compute F from F′ at any CS or even if all CSs collude. That is, $\Pr\{F \mid F'[j], F'[j] \Leftarrow f(F), 1 \le j \le d\} < \varepsilon(n)$, where $\varepsilon(n)$ is a negligible polynomial related to security parameter n. However, MD can recover F from F′[j] by presenting a secret. That is, $\Pr\{F \mid F'[j], F'[j] \Leftarrow f(F), \mathrm{secret}\} = 1$. Besides, f is not an encryption function, thus a coding algorithm is required for the transformation f, and "secret" is a secret in coding (namely, the coding vector).

One may argue that the receiving of F′ fragments may result in a Denial of Service attack. It depends on a tradeoff between the computation cost of encryption and the communication cost of receiving F′. As the encryption computation is avoided, the transformation of F to F′ is mandatory.

2.3 Sharing based Scheme (ShS)
To further decrease the computation overhead, we propose a Sharing based Scheme. The scheme applies a simple (n, n) xor-based secret sharing method. That is, for sharing a secret s among n holders such that s can be recovered only when all n holders are present, it randomly generates n − 1 shares $s_i$ ($1 \le i \le n - 1$) and computes the last share $s_n = \bigoplus_{i=1}^{n-1} s_i \oplus s$. The scheme is described as follows:

2.3.1 Uploading process

(1) Before uploading file F into CS, MD prompts U to input a password, denoted as PWD.
(2) Suppose d portal CSs are available. MD generates integrity key IK = H(FN || PWD || FS).
(3) MD randomly generates d − 1 files F′[i], $1 \le i \le d - 1$, where |F′[i]| = |F|, and $F'[d] = \bigoplus_{i=1}^{d-1} F'[i] \oplus F$. MD generates MAC = {H(F, IK)}.
(4) MD sends {F′[j] || H(FN + j)}, $1 \le j \le d$, to portal $CS_j$, $1 \le j \le d$, in which a certain packet includes MAC. MD stores T = 〈FN〉 locally and deletes IK.

2.3.2 Downloading process

(1) When MD wants to fetch F with the name FN, it sends H(FN + j) to $CS_j$, where $1 \le j \le d$. $CS_j$ searches in its storage {F′[j] || H(FN + j)} according to H(FN + j) and sends back F′[j] to MD, in which a packet includes MAC.
(2) MD prompts U to input the corresponding PWD for the FN.
(3) MD recovers F by $F = \bigoplus_{i=1}^{d} F'[i]$.
(4) MD generates integrity key IK = H(FN || PWD || FS). MD checks whether MAC = H(F, IK) holds.

Besides, the preparation stage for a cooperator is the same as that in the previous section.

We thus propose Algorithm 5 and Algorithm 6.

Algorithm 5 MD Uploading Function
Require: F, d
Ensure: T = 〈FN〉, M = {F′[j](|| MAC)}
  FN ⇐ GetFileName(F)
  FS ⇐ GetFileSize(F)
  PWD ⇐ PromptToGetPWD(FN)
  IK ⇐ H(FN || PWD || FS)
  for j = 1 to d − 1 do
    F′[j] ⇐ Random()%(2^FS) //random file with |F′[j]| = |F|
  end for
  F′[d] ⇐ 0
  for j = 1 to d − 1 do
    F′[d] ⇐ F′[d] ⊕ F′[j]
  end for
  F′[d] ⇐ F′[d] ⊕ F
  MAC ⇐ H(F, IK)
  j′ ⇐ Random()%d + 1 //randomly select a block, j′ lies in 1..d
  for j = 1 to d do
    if (j == j′) then
      Send(CS_j′, M = {F′[j′] || H(FN + j′) || MAC})
      // MD → CS_j′: {F′[j′] || H(FN + j′) || MAC}
    else
      Send(CS_j, M = {F′[j] || H(FN + j)})
      // MD → CS_j: {F′[j] || H(FN + j)}
    end if
  end for
  T = 〈FN〉 ⇐ Store(FN)
  Delete(IK)

Algorithm 6 MD Downloading Function
Require: FN
Ensure: F, Valid, Invalid
  for j = 1 to d do
    M = {F′[j](|| MAC)} ⇐ Retrieve(CS_j, H(FN + j))
    // MD → CS_j: {H(FN + j)},
    // CS_j → MD: {F′[j]}, (1 ≤ j ≤ d, j <> j′)
    // MD → CS_j′: {H(FN + j′)},
    // CS_j′ → MD: {F′[j′] || MAC}
    F′[j] ⇐ GetF′(M)
    if (j == j′) then
      MAC ⇐ GetMAC(M)
    end if
  end for
  FS ⇐ GetFileSize(F′[1])
  PWD ⇐ PromptToGetPWD(FN)
  F ⇐ F′[1]
  for j = 2 to d do
    F ⇐ F ⊕ F′[j] //reconstruction of F
  end for
  IK ⇐ H(FN || PWD || FS)
  if MAC == H(F, IK) then
    print "Valid"
  else
    print "Invalid"
  end if

Proposition 7 The confidentiality of F can be guaranteed, even if all portal CSs are fully distrusted.

Proof The confidentiality of F is guaranteed by $F = \bigoplus_{i=1}^{d} F'[i]$. Next, we prove that it is difficult for attackers to find all F′[i]. The essential reason is the disconnection between the H(FN + j) ($1 \le j \le d$). The proof is similar to Proposition 5, so here we omit it. $CS_j$ has to reveal FN by random guess from H(FN + j) in M, which succeeds with probability $1 / 2^{|\mathrm{FN}|}$. The successful probability for finding all F′[j] so as to reveal F from F′[j] is also $1 / 2^{|\mathrm{FN}|}$, which is negligible when |FN| is large.

Proposition 8 The integrity of F can be guaranteed, even if portal CS is fully distrusted.

Proof The proof is similar to the above proof.

Proposition 9 ShS is more lightweight than CoS in terms of computation overhead.

Proof Roughly speaking, ShS is a special case of CoS in which $\hat{\alpha}$ is randomly generated. The advantage is twofold: (1) The generation of F′[j], $1 \le j \le d$, in ShS is more lightweight than that in CoS. That is, in ShS, F′[j], $1 \le j \le d - 1$, is randomly generated, and the generation of F′[d] only relies on exclusive-or (XOR) operations. (2) The recovery of F from F′[j] is again more lightweight in ShS than that in CoS. That is, in ShS, only XOR operations are required; in CoS, matrix computations are required. Thus, ShS is lightweight in terms of computation overhead.
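The ShS (d, d) XOR sharing of Algorithms 5 and 6 as runnable Python, showing that d − 1 shares do not give F, that a modified share is caught by the MAC, and that PWD only keys the integrity check; this is an added example, not code from the paper. It assumes SHA-256 for H(∙), HMAC-SHA256 keyed with IK for H(F, IK), "FN + j" read as appending the index j to FN, and each CS modelled as a dict; md_upload and md_download are hypothetical names.

```python
import hashlib
import hmac
import secrets


def H(*parts: bytes) -> bytes:
    """H(.) as SHA-256 over length-prefixed parts (assumption)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(8, "big") + p)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tag(fn: str, j: int) -> bytes:
    """H(FN + j): '+' is read as appending the index j to FN (assumption)."""
    return H(fn.encode(), str(j).encode())


def mac_of(fn: str, pwd: str, f: bytes) -> bytes:
    """IK = H(FN || PWD || FS); MAC = H(F, IK) as HMAC-SHA256 keyed with IK."""
    ik = H(fn.encode(), pwd.encode(), len(f).to_bytes(8, "big"))
    return hmac.new(ik, f, hashlib.sha256).digest()


def md_upload(servers, table, fn, f, pwd):
    d = len(servers)
    if d < 2:
        raise ValueError("ShS needs at least two portal CSs")
    # F'[1..d-1] are random files of size |F|; F'[d] = F'[1] ^ ... ^ F'[d-1] ^ F.
    shares = [secrets.token_bytes(len(f)) for _ in range(d - 1)]
    last = f
    for s in shares:
        last = xor(last, s)
    shares.append(last)
    mac = mac_of(fn, pwd, f)
    j_mac = secrets.randbelow(d) + 1  # the packet j' that carries MAC
    for j, (cs, share) in enumerate(zip(servers, shares), start=1):
        cs[tag(fn, j)] = (share, mac if j == j_mac else None)
    table.add(fn)  # T = <FN>; PWD and IK are not kept on the MD


def md_download(servers, fn, pwd):
    f, mac = None, None
    for j, cs in enumerate(servers, start=1):
        share, m = cs[tag(fn, j)]
        mac = m if m is not None else mac
        f = share if f is None else xor(f, share)
    ok = mac is not None and hmac.compare_digest(mac, mac_of(fn, pwd, f))
    return f, ok


def demo(d=3):
    servers, table = [dict() for _ in range(d)], set()
    # Constructed sample inputs.
    fn, pwd = "notes.txt", "pa55phrase"
    f = b"constructed sample file body for the ShS walk-through"
    md_upload(servers, table, fn, f, pwd)
    good = md_download(servers, fn, pwd)
    # Recovery uses no password: a wrong PWD still yields F, only the MAC fails.
    wrong_pwd = md_download(servers, fn, "guess")
    # CS_1..CS_{d-1} pool their shares: without F'[d] the XOR is not F.
    partial = servers[0][tag(fn, 1)][0]
    for j in range(2, d):
        partial = xor(partial, servers[j - 1][tag(fn, j)][0])
    # CS_2 flips one bit of its share: reconstruction changes, MAC check fails.
    k = tag(fn, 2)
    share, m = servers[1][k]
    servers[1][k] = (bytes([share[0] ^ 1]) + share[1:], m)
    tampered = md_download(servers, fn, pwd)
    return {"good": good, "wrong_pwd": wrong_pwd,
            "partial_is_f": partial == f, "tampered": tampered, "f": f}


if __name__ == "__main__":
    print(demo())
```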
3 Related Work
Liu et al.[13] proposed to use a hierarchical identity-based encryption algorithm providing an efficient sharing of the secure storage services in cloud computing. The encryption is conducted only once and only one copy of the corresponding ciphertext needs to be stored. It requires mobile devices to have higher computation ability. Wei et al.[14] proposed SecCloud, an auditing scheme, to secure cloud computing based on a probabilistic sampling technique. It aims to consider secure data storage, computation and privacy preserving together. The result may not be deterministic. Itani et al.[7] proposed an energy-efficient protocol for ensuring the integrity of storage services in mobile cloud computing. The proposed protocol applies incremental cryptography and trusted computing to design secure integrity data structures. Ye et al.[8] developed an access protocol following the requirements to achieve correct and efficient data accesses. They utilized regular semantics instead of atomic semantics to improve access efficiency. Park et al.[10] proposed a secure storage BLAST, which is enhanced by a stream cipher rather than a block cipher with a novel block accessible encryption mechanism based on streaming ciphers. Feng et al.[15] proposed an encryption method D-DOG (Data Division and Out-of-order keystream Generation) to protect data in the distributed storage environments. Itani et al.[11] proposed PasS (Privacy as a Service), a set of security protocols for ensuring the privacy and legal compliance of customer data in cloud computing architectures. PasS provides a privacy feedback process which informs users of the different privacy operations and makes them aware of any potential risks that may jeopardize the confidentiality of their sensitive information. Xu et al.[12] presented a mobile cloud data processing framework through trust management and private data isolation to protect user's privacy in the cloud.
4 Conclusions

In this paper, we proposed a family of schemes for protecting the confidentiality and integrity of uploading files or data in mobile storage cloud. The scheme EnS tackles the situation where only one cloud server exists. We proved that it guarantees the security goal and is the necessary condition for this situation. The scheme CoS can avoid the computation of an encryption algorithm in the situation where multiple cloud servers exist by applying linear coding. The scheme ShS can further decrease the computation overhead by relying only on exclusive-or operations. All proposed schemes are resilient to the storage compromise on mobile devices, and all assume that the cloud servers are distrusted. Thus, they provide a stronger protection for more general and realistic application scenarios compared with the previous work.

References

[1] Kumar K, Lu Y. Cloud computing for mobile users: Can offloading computation save energy? Computer, 2010, 43(4): 51-56.
[2] Lin Y, Shao L, Zhu Z, et al. Wireless network cloud: Architecture and system requirements. IBM Journal of Research and Development, 2010, 54(1): 4:1-4:12.
[3] Pendyala V S, Shim S S Y. The web as the ubiquitous computer. Computer, 2009, 42(9): 90-92.
[4] Manjunatha A, Ranabahu A, Sheth A, et al. Power of clouds in your pocket: An efficient approach for cloud mobile hybrid application development. In: 2010 IEEE Second International Conference on Cloud Computing Technology and Science (CloudCom10). Indianapolis, IN, USA, 2010: 496-503.
[5] Nkosi M T, Mekuria F. Cloud computing for enhanced mobile health applications. In: 2010 IEEE Second International Conference on Cloud Computing Technology and Science (CloudCom10). Indianapolis, IN, USA, 2010: 629-633.
[6] Lagesse B. Challenges in securing the interface between the cloud and pervasive systems. In: 2011 IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops11). Seattle, USA, 2011: 106-110.
[7] Itani W, Kayssi A, Chehab A. Privacy as a service: Privacy-aware data storage and processing in cloud computing architectures. In: Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC09). Chengdu, China, 2009: 711-716.
[8] Ye Y, Xiao L, Yen I-L, et al. Secure, dependable, and high performance cloud storage. In: 2010 29th IEEE International Symposium on Reliable Distributed Systems. New Delhi, India, 2010: 194-203.
[9] Ahmed M, Yang X, Ali S. Above the trust and security in cloud computing: A notion towards innovation. In: 2010 IEEE/IFIP 8th International Conference on Embedded and Ubiquitous Computing (EUC10). Hong Kong, China, 2010: 723-730.
[10] Park K W, Kim C, Park K H. Blast: Applying streaming ciphers into outsourced cloud storage. In: 2010 IEEE 16th International Conference on Parallel and Distributed Systems (ICPADS10). Shanghai, China, 2010: 431-437.
[11] Itani W, Kayssi A, Chehab A. Energy-efficient incremental integrity for securing storage in mobile cloud computing. In: 2010 International Conference on Energy Aware Computing (ICEAC10). Cairo, Egypt, 2010: 1-2.
[12] Xu L, Xing T, Zhong Y, et al. Secure data processing framework for mobile cloud computing. In: IEEE INFOCOM 2011 Workshop on Cloud Computing (INFOCOMW11). Shanghai, China, 2011: 711-716.
[13] Liu Q, Wang G, Wu J. Efficient sharing of secure cloud storage services. In: 2010 IEEE 10th International Conference on Computer and Information Technology (CIT10). Bradford, West Yorkshire, UK, 2010: 922-929.
[14] Wei L, Zhu H, Cao Z, et al. Seccloud: Bridging secure storage and computation in cloud. In: 2010 IEEE 30th International Conference on Distributed Computing Systems Workshops (ICDCSW10). Genoa, Italy, 2010: 52-61.
[15] Feng J, Chen Y, Ku W S, et al. D-dog: Securing sensitive data in distributed storage space by data division and out-of-order keystream generation. In: 2010 IEEE International Conference on Communications (ICC10). Cape Town, South Africa, 2010: 1-6.