Public Data Integrity Verification for Secure Cloud Storage

JOURNAL OF NETWORKS, VOL. 8, NO. 2, FEBRUARY 2013


Hongwei Liu
College of Information Engineering, Shenzhen University, Shenzhen, China

Peng Zhang
College of Computer and Software, Shenzhen University, Shenzhen, China

Jun Liu
College of Information Engineering, Shenzhen University, Shenzhen, China

Abstract—Cloud storage can provide a flexible on-demand data storage service to users anywhere and anytime. However, users’ data is physically owned by cloud service providers, and the physical boundary between two users’ data is fuzzy. In this environment, which is not controlled by users, a method to ensure users’ data integrity must be provided. To avoid retrieving enormous amounts of stored data and to avoid users checking the data themselves, a public auditing protocol was proposed based on the BLS short signature scheme and the homomorphic hash function. The user computed the signatures of the blocks and moved them to cloud servers for storage. Cloud service providers computed the aggregation of the blocks and the aggregation of the signatures. The third party auditor verified whether the aggregate data was consistent with the aggregate signature. If consistent, users’ data integrity was verified. Based on the computational Diffie-Hellman assumption, the presented protocol is secure against the loss attack and tamper attack from cloud service providers. Based on the stream encryption, the proposed protocol is secure against the curiosity attack from the third party auditor. Because blocks and block signatures are independent of each other, this protocol supports block updates, including insertion, modification and deletion. So, the protocol is secure and efficient, and supports public verification, dynamic update and privacy preserving.

Index Terms—cloud storage, data integrity, public auditing, homomorphic hash

I. INTRODUCTION

As the basic service of cloud computing [1], cloud storage service, such as Microsoft’s Azure Storage Service [2] and Amazon Simple Storage Service [3], has been provided to users. Connecting a large number of different types of storage devices to work together through application software, cloud storage provides data storage and business access services to users. By storing their data in the cloud in an on-demand manner, users can use the public infrastructure, so that the investment of building and maintaining storage equipment is avoided.

© 2013 ACADEMY PUBLISHER doi:10.4304/jnw.8.2.373-380

Users can rely on the cloud to provide more reliable services, so that they can access data from anywhere and at any time. Cloud storage service has been envisioned as the next generation of storage services.

At the same time, cloud storage service also brings new and challenging security issues [4, 5]. When storing data on personal devices, users have the highest privilege to operate on it and ensure its security. However, once users move their data to the cloud, the data is controlled by cloud service providers (CSP). The cases cited in [6] illustrate that cloud storage service also suffers from internal or external data security threats in spite of the completeness claimed by CSP. CSP may even deliberately conceal security accidents for the sake of keeping its reputation. So, users must take the security issues in cloud storage service into account. Even under internal or external security attacks, users should be able to prevent their data from being accessed by unauthorized parties, and to detect data that has been lost or tampered with by adversaries. In particular, there are more worries about rarely accessed data.

As with Internet security services, if the data integrity is verified, lost or tampered data can be detected by the users. However, cloud storage service has some special characteristics [7]. Firstly, as the amount of data stored in the cloud is enormous, it is impossible to verify the data integrity after retrieving the data due to the expensive I/O and transmission cost. Secondly, cloud storage service uses distributed storage systems, so the data is stored in a set of cloud servers. Data integrity verification measures for the Internet are unfit for cloud storage systems.

There are two kinds of ways to verify data integrity in cloud storage systems [8]: owner auditing [9-11] and public auditing [12-15]. With owner auditing, only users check the integrity of their remotely stored data, which could introduce heavy overhead and cost. Public auditing, which transfers the auditing procedure to a third party auditor (TPA) so that neither CSP nor the data owner conducts the auditing, is a natural choice.


Wang et al. [12, 13] were the first to study public auditing measures in cloud storage. In [12], they consider the task of allowing TPA, on behalf of the users, to verify the integrity of the dynamic data stored in the cloud servers. The support for data dynamics via the most general forms of data operation, such as block modification, insertion and deletion, is achieved. Remote data integrity is ensured with the support for both public verifiability and dynamic data operations, but users’ data privacy is not preserved. In [13], they also consider introducing TPA to audit the cloud data storage. They utilize a public-key based homomorphic authenticator and uniquely integrate it with a random mask technique to achieve a privacy preserving public auditing system. However, the signature scheme used in [13] is insecure.

In order to facilitate rapid deployment of cloud data storage service and regain security assurances with outsourced data dependability, Cong Wang et al. [14] emphasize that efficient methods that enable on-demand data correctness verification on behalf of cloud data owners have to be designed. They describe approaches and system requirements that should be brought into consideration, and outline challenges that need to be resolved for such a publicly auditable secure cloud storage service to become a reality.

Zhu et al. [15] propose a formal framework for interactive provable data possession (IPDP) and a zero-knowledge IPDP solution for private clouds. Their ZKIPDP protocol achieves a probabilistic data possession guarantee, fully supports data dynamics and public verifiability, and is also private against the verifiers. Furthermore, they propose an efficient construction of cooperative provable data possession, which can be used in hybrid clouds.

Hao et al. [16] propose a new remote data integrity checking protocol for cloud storage. The proposed protocol is suitable for providing integrity protection of the users’ important data.
The proposed protocol supports data insertion, modification and deletion at the block level, and also supports public verifiability. The proposed protocol is proved to be secure against an untrusted server. It is also private against third party verifiers.

The above discussed protocols are compared, and the results are summarized in Table I.

TABLE I. COMPARISONS AMONG THE ABOVE DISCUSSED PROTOCOLS

                       The protocol   The protocol   The protocol   The protocol
                       in [12]        in [13]        in [15]        in [16]
Public verifiability   Yes            Yes            Yes            Yes
Data dynamics          Yes            No             Yes            Yes
Privacy preserving     No             Yes            Yes            Yes

This paper aims at solving the security problem of the protocol in [13], and presenting a secure and efficient public auditing protocol based on the homomorphism technology, which supports public verifiability, data dynamics and privacy preserving. The rest of this paper is organized as follows. In section II, technical preliminaries which are needed in this research are presented. The system model, attack model and verification model of public auditing are introduced in section III. In section IV, a new and secure public auditing protocol is proposed based on the security flaw in [13]. We describe the support for data dynamics of the proposed protocol in section V. In section VI, a formal security analysis of the proposed protocol is presented. In section VII, the protocol’s complexity is analyzed in the aspects of communication, computation and storage costs, and experiments on the personal computer show that the protocol is feasible. Conclusions and possible future work are presented in section VIII.

II. PRELIMINARIES

A. Bilinear Maps

Let $\mathbb{G}_1$ and $\mathbb{G}_2$ be two groups of order $p$, and let $g$ be the generator of $\mathbb{G}_1$. A bilinear mapping $e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ must satisfy the following properties:
• Bilinearity. $e(u^a, v^b) = e(u, v)^{ab}$ for all $u, v \in \mathbb{G}_1$ and all $a, b \in \mathbb{Z}_p$.
• Non-degeneracy. There are $u, v \in \mathbb{G}_1$ such that $e(u, v) \neq 1$.
• Computability. There is an efficient algorithm to compute $e(u, v)$ for any $u, v \in \mathbb{G}_1$.

B. BLS Short Signature Scheme

The BLS signature scheme [17] comprises three algorithms, KeyGen, Sign, and Verify. It makes use of a full domain hash function $H : \{0,1\}^* \to \mathbb{G}_1$. $H$ is viewed as a random oracle.
• KeyGen. Pick random $x \leftarrow \mathbb{Z}_p^*$, and compute $v \leftarrow g^x$. The secret key is $x$. The public key is $v$.
• Sign. Given a secret key $x$ and a message $m \in \{0,1\}^*$, compute $\sigma \leftarrow H(m)^x \in \mathbb{G}_1$. $\sigma$ is the signature of message $m$.
• Verify. Given a public key $v$, a message $m$, and a signature $\sigma$, verify $e(\sigma, g) = e(H(m), v)$.

C. Homomorphic Hash Function

A homomorphic hash function $H$ [18, 19] is a hash function satisfying:
• Homomorphism. For any two messages $m_1, m_2$ and scalars $\beta_1, \beta_2$, it holds

$$H(\beta_1 m_1 + \beta_2 m_2) = H(m_1)^{\beta_1} \cdot H(m_2)^{\beta_2}. \tag{1}$$

• Collision Resistance. There is no probabilistic polynomial-time (PPT) adversary capable of forging $(m_1, m_2, m_3, \beta_1, \beta_2)$ satisfying both

$$m_3 \neq \beta_1 m_1 + \beta_2 m_2, \tag{2}$$

and . (3)

III. THE PUBLIC AUDITING MODEL

A. System Model

A representative system model for the public auditing is illustrated in Figure 1. There are three different entities in the system model of public auditing:

User: an entity, which has large data files to be stored in the cloud and relies on the cloud for data maintenance and computation, can be either individual consumers or organizations.

Cloud service providers (CSP): an entity, which is the manager of cloud servers, has significant storage space and computation resource to maintain and compute the users’ data.

Third party auditor (TPA): an entity, which has expertise and capabilities that users do not have, is trusted to assess and expose risk of cloud storage service on behalf of the users upon request.

Figure 1. System Model of public auditing.

In the cloud paradigm, by putting the large data files on the remote servers, users can be relieved of the burden of storage and computation. Firstly, users compute the signature of their data, and send the data and signature to CSP. In the cloud storage system, users store their data in a set of cloud servers through CSP, which run in a cooperative and distributed manner. Then, users no longer possess their data locally. If users want to check whether the data indeed exists in the cloud servers, auditing work starts, as shown in Figure 1.
• Setup. The user negotiates the cryptographic keys with CSP and TPA.
• Challenge. After receiving the auditing request from users, TPA generates and sends a challenge to CSP.
• Proof. On receiving the challenge from TPA, CSP generates a proof of data storage and sends it to TPA.
• Verification. Using some public parameters, TPA verifies the correctness of the proof from CSP, and returns TRUE/FALSE.

B. Attack Model

In the cloud storage system, TPA is considered to be honest and curious. It performs honestly during the whole auditing procedure, but it is curious about the received data. CSP is considered to be dishonest. Some attacks against this system exist.
• Curiosity attack. TPA tries to read the user’s data by analyzing the public parameters and the proof from CSP.
• Loss attack. After losing the user’s data, CSP tries to hide the loss from the auditing performed by TPA.
• Tamper attack. CSP may tamper the user’s data into other legal or illegal data, and try to hide this from the auditing performed by TPA.

C. Verification Model

In the public auditing system, with the curiosity attack, loss attack and tamper attack from the adversary, the verification model consists of four algorithms .
• . The user can run this key generation algorithm to generate the secret parameters and public parameters.
• . Using the data and the secret parameters, the user can run this signature generation algorithm to generate the signature of the data.
• . Using the data and signatures stored in cloud servers, and the challenge from TPA, CSP can run this proof generation algorithm to generate the proof.
• . On receiving the proof from CSP, with public parameters, TPA can run this proof verification algorithm to check whether the data indeed exists in the cloud servers.

D. Design Goals

With the system model, attack model and the verification model, the design goals of the public auditing protocol can be summarized as follows:
• Public verifiability: to allow anyone, not just the users who originally stored the file on cloud servers, to have the capability to verify the integrity of the stored data on demand.
• Data dynamics: to allow the users to perform block-level operations on the data files while maintaining the same level of data integrity verification.
• Privacy preserving: no blocks could be retrieved by the verifier TPA during the verification process.
• Secure and efficient. The design should be as secure and efficient as possible so as to keep the public auditing process running.

IV. THE PUBLIC AUDITING PROTOCOL

A. Wang et al.’s Protocol

As described in the verification model, the public auditing protocol proposed by Wang et al. [13] is a collection of four polynomial time algorithms , which are described as follows:

• KeyGen. The cloud user chooses a random $x \leftarrow \mathbb{Z}_p^*$ and a random element $u \leftarrow \mathbb{G}_1$, and then computes $v \leftarrow g^x$ and $w \leftarrow u^x$. The secret key for this user is $sk = \{x\}$ and the public keys for this user are $pk = \{g, u, v, w\}$.
• SigGen. The cloud user is in possession of the data file $F = \{m_1, \ldots, m_n\}$. He runs SigGen to generate the signature for each block $m_i$ $(i = 1, \ldots, n)$ by computing

$$\sigma_i \leftarrow (H(i) \cdot u^{m_i})^x \in \mathbb{G}_1. \tag{4}$$

$H : \{0,1\}^* \to \mathbb{G}_1$ is a secure map-to-point hash function. Then the user sends $\{F, \sigma_1, \ldots, \sigma_n\}$ to CSP and deletes them from his local storage.
• ProofGen. It is assumed that $I = \{s_j\}$ $(1 \le j \le c)$ and $s_1 \le \cdots \le s_c$. For each element $i \in I$, TPA chooses a random number $y_i \leftarrow \mathbb{Z}_p^*$. Then TPA sends $chal = \{i, y_i\}_{i \in I}$ as the challenge to CSP. The blocks with positions specified by $chal$ are required to be checked. Upon receiving the challenge $chal = \{i, y_i\}_{i \in I}$, CSP runs ProofGen to generate a proof of possession. Firstly, CSP chooses $r \leftarrow \mathbb{Z}_p^*$ randomly. Then, CSP computes $R = w^r = u^{xr} \in \mathbb{G}_1$, $\mu' = \sum_{i=s_1}^{s_c} y_i m_i$, $\mu = \mu' + r h(R) \in \mathbb{Z}_p$ and $\sigma = \prod_{i=s_1}^{s_c} \sigma_i^{y_i} \in \mathbb{G}_1$. The hash function $h : \mathbb{G}_1 \to \mathbb{Z}_p$ maps group elements of $\mathbb{G}_1$ uniformly to $\mathbb{Z}_p$. Finally, CSP sends $\{\mu, \sigma, R\}$ to TPA as the response to $chal = \{i, y_i\}_{i \in I}$.
• ProofVer. Upon receiving the response $\{\mu, \sigma, R\}$, TPA runs ProofVer to validate the response by checking the verification equation

$$e(\sigma \cdot R^{h(R)}, g) = e\Big(\prod_{i=s_1}^{s_c} H(i)^{y_i} \cdot u^{\mu}, v\Big). \tag{5}$$

If CSP verifies that (5) holds, the cloud servers possess the outsourced data.

Wang et al. [13] argued that this protocol can resist various known attacks. However, this public auditing protocol is vulnerable to attacks from a malicious CSP or an outside adversary. In fact, the SigGen algorithm is insecure. In this protocol, the signature $\sigma_i = (H(i) \cdot u^{m_i})^x \in \mathbb{G}_1$ for $m_i$ is given by (4). Knowing only the public parameter $u^x$, a malicious CSP or an outside adversary can successfully forge the signature $\sigma_i^* = \sigma_i (u^x)^{m_i^* - m_i} \in \mathbb{G}_1$ for any data $m_i^*$. If the malicious CSP tampers $m_i$ to $m_i^*$, and $\sigma_i$ to $\sigma_i^*$, the response forged with $m_i^*$ and $\sigma_i^*$ can pass the verification of (5).

B. The Proposed Protocol

To solve the security problem of the protocol in [13], the BLS short signature scheme proposed in [17] is used directly. The homomorphic hash function presented in [19] is utilized to achieve the support for public auditing. Based on the system model and the verification model, a new and secure public auditing protocol is described as follows:
• Setup. Cloud storage service runs in a cooperative and distributed manner. To store the user’s data file $F$ in a set of cloud servers, $F$ needs to be divided into $n$ blocks $m_1, \ldots, m_n$, $m_i \in \mathbb{Z}_p^*$.

KeyGen$(1^\lambda)$: Input a security parameter $\lambda$. Choose a large prime $p$ randomly. Define $\mathbb{G}_1$ and $\mathbb{G}_2$ to be multiplicative cyclic groups with order $p$. Let $g$ be a generator of $\mathbb{G}_1$. $H : \mathbb{Z}_p^* \to \mathbb{G}_1$ is a homomorphic hash function defined in [19]. Mapping $e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ is a bilinear mapping. The user chooses $x \leftarrow \mathbb{Z}_p^*$ randomly, and computes $v \leftarrow g^x \in \mathbb{G}_1$. The secret key for this user is $sk = \{x\}$. The public keys for this user are $pk = \{g, v\}$.

SigGen$(F, sk)$. Given a data file $F = \{m_1, \ldots, m_n\}$ and the secret key $sk = \{x\}$. Define the identity of the file $F$ to be $id \in \mathbb{Z}_p^*$. For each $i \in \{1, \ldots, n\}$, the user computes the signature

$$\sigma_i \leftarrow (H(id \| i) H(m_i))^x \in \mathbb{G}_1. \tag{6}$$

Then, the user sends the files $\{m_1, \ldots, m_n\}$ and the corresponding signatures $\{\sigma_1, \ldots, \sigma_n\}$ to CSP. Finally, the user deletes the data file $F = \{m_1, \ldots, m_n\}$ from local storage.
• Challenge. To verify that $F = \{m_1, \ldots, m_n\}$ indeed exists in the cloud servers, the user sends an auditing request to TPA. Subsequently, TPA defines the subset of the set $[1, n]$ to be $I = \{s_j\}$ $(1 \le j \le c)$ and $s_1 \le \cdots \le s_c$. For each element $i \in I$, TPA chooses a random $y_i \leftarrow \mathbb{Z}_p^*$, and generates $chal = \{i, y_i\}_{i \in I}$ as the challenge. Then, TPA sends $chal = \{i, y_i\}_{i \in I}$ to CSP. The blocks with positions specified by $chal$ are required to be checked.
• Proof. ProofGen$(\{m_i\}_{i \in I}, \{\sigma_i\}_{i \in I}, chal, pk)$. Upon receiving $chal = \{i, y_i\}_{i \in I}$, CSP chooses the data $\{m_i\}_{i \in I}$ and the signatures $\{\sigma_i\}_{i \in I}$ whose positions are $I = \{s_1, \ldots, s_c\}$. If the linear combination of sampled blocks specified in $chal$ can pass the verification from TPA, the specified blocks indeed exist in the cloud servers because of the randomness of the subset $I = \{s_1, \ldots, s_c\}$. So, one verification operation for the linear combination of blocks can replace multiple verification operations for individual blocks. To prevent TPA from obtaining any information about the data file $F = \{m_1, \ldots, m_n\}$, the stream encryption is used, and CSP computes $\zeta = \sum_{i=s_1}^{s_c} y_i m_i + r$. $r \leftarrow \mathbb{Z}_p^*$ is the stream encryption key randomly chosen by CSP for each auditing. $\psi = H(r)$ is the assistant verification information. Meanwhile, CSP also calculates an aggregated signature $\sigma = \prod_{i=s_1}^{s_c} \sigma_i^{y_i} \in \mathbb{G}_1$. Next, CSP sends $Proof = \{\sigma, \zeta, \psi\}$ to TPA.
• Verification. ProofVer$(Proof, pk)$. Upon receiving $Proof = \{\sigma, \zeta, \psi\}$ from CSP, TPA checks the verification equation:

$$e(\sigma, g) = e\Big(\prod_{i=s_1}^{s_c} H(id \| i)^{y_i} \cdot H(\zeta) \cdot \psi^{-1}, v\Big). \tag{7}$$

If the above equation holds, TPA returns TRUE, and CSP indeed possesses the data file $\{m_i\}_{i \in I}$. Otherwise, return FALSE.

The homomorphism of the signature generated by (6) is elaborated as follows:
• The aggregation of signatures $\{\sigma_{s_1}, \ldots, \sigma_{s_c}\}$:

$$\sigma = \prod_{i=s_1}^{s_c} \sigma_i^{y_i} = \prod_{i=s_1}^{s_c} (H(id \| i) H(m_i))^{x y_i} = \prod_{i=s_1}^{s_c} H(id \| i)^{x y_i} \prod_{i=s_1}^{s_c} H(m_i)^{x y_i}. \tag{8}$$

• The signature of aggregate data $\sum_{i=s_1}^{s_c} y_i m_i$:

$$\sigma = \Big(\prod_{i=s_1}^{s_c} H(id \| i)^{y_i} \, H\Big(\sum_{i=s_1}^{s_c} y_i m_i\Big)\Big)^x. \tag{9}$$

Based on (1), the aggregation of signatures $\{\sigma_{s_1}, \ldots, \sigma_{s_c}\}$ generated by (8) is equal to the signature of aggregate data $\sum_{i=s_1}^{s_c} y_i m_i$ computed by (9), so the signatures generated by (6) are homomorphic.

Based on the homomorphism of the signature, the correctness of the verification equation (7) is elaborated as follows:

$$\begin{aligned}
e(\sigma, g) &= e\Big(\prod_{i=s_1}^{s_c} \sigma_i^{y_i}, g\Big) \\
&= e\Big(\prod_{i=s_1}^{s_c} (H(id \| i) H(m_i))^{y_i}, g^x\Big) \\
&= e\Big(\prod_{i=s_1}^{s_c} H(id \| i)^{y_i} \cdot \prod_{i=s_1}^{s_c} H(m_i)^{y_i}, v\Big) \\
&= e\Big(\prod_{i=s_1}^{s_c} H(id \| i)^{y_i} \cdot H\Big(\sum_{i=s_1}^{s_c} y_i m_i\Big) \cdot H(r) \cdot H(r)^{-1}, v\Big) \\
&= e\Big(\prod_{i=s_1}^{s_c} H(id \| i)^{y_i} \cdot H\Big(\sum_{i=s_1}^{s_c} y_i m_i + r\Big) \cdot H(r)^{-1}, v\Big) \\
&= e\Big(\prod_{i=s_1}^{s_c} H(id \| i)^{y_i} \cdot H(\zeta) \cdot \psi^{-1}, v\Big).
\end{aligned}$$

In this protocol, $I = \{s_1, \ldots, s_c\}$ is a subset of $[1, n]$, so $|I| = c \le n$. If $c = n$, the verification for the data file $F = \{m_1, \ldots, m_n\}$ is deterministic. If $c < n$, the verification for the data file $F = \{m_1, \ldots, m_n\}$ is probabilistic. The value of $c$ can be decided according to the security level of the cloud storage system.

V. DYNAMIC UPDATE

The user may need to conduct various operations on blocks (e.g. insertion, modification, deletion). The mechanisms to handle these changes are as follows. Note that in the following descriptions, we assume that the data file $F = \{m_1, \ldots, m_n\}$ and the signatures $\{\sigma_1, \ldots, \sigma_n\}$ have already been generated and properly stored at cloud servers.
• Block Insertion. Block insertion, a general form of data operation, refers to inserting new blocks at some specified position in the data file $F$. As described in Figure 2, the user needs to insert $m_x$ between $m_{i-1}$ and $m_i$. Firstly, the user computes the signature $\sigma_x$ of $m_x$ by SigGen. Then, the user sends $i$, $m_x$ and $\sigma_x$ to CSP. Upon receiving these, CSP verifies the signature $\sigma_x$. Next, CSP stores $m_x$ and $\sigma_x$ at position $i$, and moves all the latter blocks one block backward. Finally, both the user and CSP update the data index numbers.

Figure 2. Inserting $m_x$ between $m_{i-1}$ and $m_i$.

• Block Modification. Compared to block insertion, block modification does not change the logic structure of the data file $F$. It refers to the replacement of specified blocks with new ones. As described in Figure 3, the user needs to modify the $i$-th block $m_i$ to $m_i^*$. Firstly, the user computes the signature $\sigma_i^*$ of $m_i^*$ by SigGen. Then, the user sends $i$, $m_i^*$ and $\sigma_i^*$ to CSP. Upon receiving these, CSP verifies the signature $\sigma_i^*$. Finally, CSP replaces $m_i$, $\sigma_i$ with $m_i^*$, $\sigma_i^*$ respectively.

Figure 3. Modifying $m_i$ to $m_i^*$.

• Block Deletion. Block deletion is the opposite operation of data insertion. It refers to deleting the specified block and moving all the latter blocks one block forward. As described in Figure 4, the user needs to delete the $i$-th block $m_i$. Firstly, the user sends the index number of the block $i$ to CSP. Then, CSP deletes the corresponding block $m_i$ and signature $\sigma_i$, and moves the latter blocks one block forward. Finally, both the user and CSP update the data index numbers.

Figure 4. Deleting $m_i$ from $F$.

Of course, the signature technology should be used for all kinds of operation requests, so that the operations run by CSP under these requests cannot be denied by the user.

VI. SECURITY ANALYSIS

Under the attacks described in section III, the security of the proposed protocol is analyzed.
• If the $Proof = \{\sigma, \zeta, \psi\}$ from CSP can pass the verification of (7), CSP must indeed possess the file as it is.

Suppose there are loss attacks in the cloud storage system. CSP loses the user’s data $m_j$, and tries to hide the loss from the auditing performed by TPA. So, CSP outputs $\sigma^* = \prod_{i=s_1, i \neq j}^{s_c} \sigma_i^{y_i}$, $\zeta^* = \sum_{i=s_1, i \neq j}^{s_c} y_i m_i + r^*$, $\psi^* = H(r^*)$. Assume that $\{\sigma^*, \zeta^*, \psi^*\}$ are successful forgeries. Then, the following equation holds.

$$e(\sigma^*, g) = e\Big(\prod_{i=s_1}^{s_c} H(id \| i)^{y_i} \cdot H(\zeta^*) \cdot \psi^{*-1}, v\Big). \tag{10}$$

Through (7), the following equation holds.

$$e(\sigma^* \sigma_j^{y_j}, g) = e\Big(\prod_{i=s_1}^{s_c} H(id \| i)^{y_i} \cdot H(\zeta^*) \cdot \psi^{*-1} \cdot H(y_j m_j), v\Big) \tag{11}$$

Comparing (10) and (11), we have:

$$e(\sigma_j^{y_j}, g) = e(H(y_j m_j), v). \tag{12}$$

Because $\sigma_j$ includes $H(id \| j)$, it is impossible that (12) holds.

Suppose there are tamper attacks in the cloud storage system. CSP tampers the user’s data $m_j$ to $m_j^*$, the user’s signature $\sigma_j$ to $\sigma_j^*$, and tries to hide this from the auditing performed by TPA. So, CSP outputs $\sigma^* = \prod_{i=s_1, i \neq j}^{s_c} \sigma_i^{y_i} \cdot (\sigma_j^*)^{y_j}$, $\zeta^* = \sum_{i=s_1, i \neq j}^{s_c} y_i m_i + r^* + y_j m_j^*$, $\psi^* = H(r^*)$. Assume that $\{\sigma^*, \zeta^*, \psi^*\}$ are successful forgeries. Then, the following equation holds.

$$e(\sigma^*, g) = e\Big(\prod_{i=s_1}^{s_c} H(id \| i)^{y_i} \cdot H(\zeta^*) \cdot \psi^{*-1}, v\Big). \tag{13}$$

Through (7), the following equation holds.

$$e(\sigma^* (\sigma_j \sigma_j^{*-1})^{y_j}, g) = e\Big(\prod_{i=s_1}^{s_c} H(id \| i)^{y_i} \cdot H(\zeta^*) \cdot \psi^{*-1} \cdot H(y_j m_j) \cdot H(y_j m_j^*)^{-1}, v\Big) \tag{14}$$

Comparing (13) and (14), we have:

$$e(\sigma_j \sigma_j^{*-1}, g)^{y_j} = e(H(m_j) \cdot H(m_j^*)^{-1}, v)^{y_j}. \tag{15}$$

If (15) is true, there is a way to compute $H(id \| i)^x$ in the forged signature $\sigma_j^*$. With $x$ unknown, this is inconsistent with the computational Diffie-Hellman assumption.

So, if there are loss attacks or tamper attacks, the attacks must be recognized by ProofVer run by TPA under the computational Diffie-Hellman assumption.
• Based on the $Proof = \{\sigma, \zeta, \psi\}$ from CSP, it is impossible to recover any block in $\{m_1, \ldots, m_n\}$.

Suppose there are curiosity attacks in the cloud storage system. TPA tries to recover any block in $\{m_1, \ldots, m_n\}$. The data $m_i$ is hashed in $\sigma_i$, so TPA cannot recover it from $\sigma$. The data $r$ is a random number, and is hashed in $\psi$, so TPA cannot recover $m_i$ or $r$ from $\psi$. As $r$ is a random number chosen by CSP, $\zeta = \sum_{i=s_1}^{s_c} y_i m_i + r$ means stream encryption is used. So, TPA cannot recover $m_i$ from $\zeta$ without the key $r$.

So, if there are curiosity attacks from TPA, it is impossible to recover any block in $\{m_1, \ldots, m_n\}$ only with $Proof = \{\sigma, \zeta, \psi\}$.

VII. EFFICIENCY ANALYSIS

Define the computation cost of the multiplication operation on $\mathbb{G}_1$ to be $Mul$. Let $Exp$ be the computation cost of the exponent operation on $\mathbb{G}_1$. Let $Pairs$ be the computation cost of the bilinear pair. Define the computation cost of the hash function to be $H$.

The length of the signature in the SigGen algorithm and of the proof in the ProofGen algorithm may influence the communication of the cloud storage system. The computation cost of the ProofGen algorithm and the ProofVer algorithm may influence the efficiency of the cloud storage system. In these aspects, performance comparisons between the protocol in [13] and the proposed protocol are described in Table II.

TABLE II. PERFORMANCE COMPARISONS BETWEEN THE PROTOCOL IN [13] AND THE PROPOSED PROTOCOL.

                                The protocol in [13]                           The proposed protocol
Single signature length         $\mathbb{G}_1$                                 $\mathbb{G}_1$
Proof length                    $2\mathbb{G}_1 + \mathbb{Z}_p$                 $2\mathbb{G}_1 + \mathbb{Z}_p$
Computation cost of ProofGen    $1H + (c-1)Mul + (c+1)Exp$                     $1H + (c-1)Mul + cExp$
Computation cost of ProofVer    $(c+1)H + (c+1)Mul + (c+2)Exp + 2Pairs$        $(c+1)H + (c+1)Mul + (c+1)Exp + 2Pairs$

To validate the effectiveness and efficiency of our proposed protocol for public auditing, we simulate the public auditing service by using a personal computer with Intel Pentium processor at 2.93 GHz and 1.24GB RAM running Ubuntu 10.10. The cryptographic library MIRACL is used.

Let $|p| = 160$, $m_i \in \mathbb{Z}_p^*$, $c = n = 32$. Computation costs of the protocol in [13] and the proposed protocol are shown in Table III.

TABLE III. COMPUTATION COST FOR EACH STEP OF THE PROTOCOL IN [13] AND THE PROPOSED PROTOCOL WITH 32 BLOCKS.

                         KeyGen (ms)   SigGen (ms)   ProofGen (ms)   ProofVer (ms)
The protocol in [13]     90            8             270             290
The proposed protocol    90            8             260             280

Let $|p| = 160$, $m_i \in \mathbb{Z}_p^*$, $c = n = 64$. Computation costs of the protocol in [13] and the proposed protocol are shown in Table IV.

TABLE IV. COMPUTATION COST FOR EACH STEP OF THE PROTOCOL IN [13] AND THE PROPOSED PROTOCOL WITH 64 BLOCKS.

                         KeyGen (ms)   SigGen (ms)   ProofGen (ms)   ProofVer (ms)
The protocol in [13]     110           8             520             540
The proposed protocol    110           8             510             530

From the above analyses and experiment data, the computation and communication cost of the proposed protocol is almost as much as that of the protocol in [13]. At the same time, the security flaw in [13] is solved.

VIII. CONCLUSION

To provide secure cloud storage service to users, a public auditing system to verify data integrity must be considered. A public auditing protocol was proposed in this paper. Without retrieving the data, we can check whether the data in the cloud is lost or tampered with by this proposed protocol, and there is no new computation cost for users. The presented protocol is secure against the curiosity attack, loss attack and tamper attack. Efficiency analyses show the proposed protocol can solve the security flaw in [13] without more cost. Further, the comparability between the public auditing model for cloud storage and the model against the pollution attacks for linear network coding should be studied.

ACKNOWLEDGMENT

This research was supported by the National Natural Science Foundation of China under Grant No. 61001058 and No. 61171072, and Projects in the National Science & Technology Pillar Program under Grant No. 2011BAH20B02, and No. 2011BAH20B03.

REFERENCES

[1] P. Mell and T. Grance. Draft NIST Working Definition of Cloud Computing. Online at http://csrc.nist.gov/groups/SNS/cloudcomputing/index.html, referenced on Jan. 3rd, 2012.
[2] Microsoft. Microsoft’s Azure Storage Service. Online at http://www.windowsazure.com/enus/home/features/storage/, referenced on Feb. 27th, 2012.
[3] Amazon. Amazon Simple Storage Service. Online at http://aws.amazon.com/s3/, referenced on Feb. 27th, 2012.
[4] H. Zhu, Z. Cao, W. Jia, and A.V. Vasilakos. SecCloud: Bridging Secure Storage and Computation in Cloud. 2010 IEEE 30th International Conference on Distributed Computing Systems Workshops (ICDCSW), pp. 52-61, 2010.
[5] Mahima Joshi and Yudhveer Singh Moudgil. Secure Cloud Storage. International Journal of Computer Science & Communication Networks, Vol. 1 (2), pp. 171-175, 2011.


[6] Amazon. Amazon s3 Availability Event: July 20, 2008. Online at http://status.aws.amazon.com/s3-20080720.html, July 2008.
[7] W. Zeng, Y. Zhao, K. Ou, and W. Song. Research on Cloud Storage Architecture and Key Technologies. Proceedings of the Second International Conference on Interaction Science (ICIS), pp. 1044-1048, 2009.
[8] K. Yang and X. Jia. Data Storage Auditing Service in Cloud Computing: Challenge, Methods and Opportunities. World Wide Web, pp. 409-428, 2012.
[9] C. Wang, Q. Wang, K. Ren, and W. Lou. Ensuring Data Storage Security in Cloud Computing. IWQoS’09, Charleston, South Carolina, USA, 2009.
[10] Lanxiang Chen. A Homomorphic Hashing based Provable Data Possession. Journal of Electronics and Information Technology, vol. 33 (9), pp. 2199-2204, 2011.
[11] Lanxiang Chen. Using Algebraic Signatures to Check Data Possession in Cloud Storage. Future Generation Computer Systems, 2012.
[12] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou. Enabling Public Verifiability and Data Dynamics for Storage Security in Cloud Computing. 14th European Symposium on Research in Computer Security, Springer Berlin/Heidelberg, pp. 355-370, 2009.
[13] C. Wang, Q. Wang, K. Ren, and W. Lou. Privacy-preserving Public Auditing for Data Storage Security in Cloud Computing. IEEE InfoCom2010, 2010.
[14] Cong Wang, Kui Ren, Wenjing Lou, and Jin Li. Toward Publicly Auditable Secure Cloud Data Storage Service. IEEE Network, July/August 2010.
[15] Y. Zhu, H. Wang, Z. Hu, G.-J. Ahn, H. Hu, and S. S. Yau. Cooperative Provable Data Possession. Cryptology ePrint Archive, Report 2010/234, 2010.
[16] Zhuo Hao, Sheng Zhong, and Nenghai Yu. A Privacy-Preserving Remote Data Integrity Checking Protocol with Data Dynamics and Public Verifiability. IEEE Transactions on Knowledge and Data Engineering, vol. 23 (9), pp. 1432-1437, 2011.
[17] D. Boneh, B. Lynn, and H. Shacham. Short Signatures from the Weil Pairing. ASIACRYPT 2001, LNCS 2248, pp. 514-532, 2001.


[18] M. N. Krohn, M. J. Freedman, and D. Mazières. On-the-fly Verification of Rateless Erasure Codes for Efficient Content Distribution. Proceedings of the IEEE Symposium on Security and Privacy, Berkeley, California, May 9-12, pp. 226-240, 2004.
[19] R. Gennaro, J. Katz, H. Krawczyk, and T. Rabin. Secure Network Coding Over the Integers. Public Key Cryptography PKC ’10, Springer LNCS 6056, pp. 142-160, 2010.

Hongwei Liu was born in Henan province, China in 1975. In 2009, he received his Ph.D. degree in signal and information processing from Xidian University in Xi’an, China. Currently he is an associate professor in the College of Information Engineering, Shenzhen University, Shenzhen, China. His research interests include cryptography and information security. As the principal, Dr. Liu has taken charge of one National Natural Science Foundation of China project, one Project in the National Science & Technology Pillar Program and two Science and Technology Projects of Shenzhen. As the main participant, Dr. Liu has finished several national, provincial and ministerial level research projects of China.

Peng Zhang was born in Hubei province, China in 1984. In 2011, she received her Ph.D. degree in signal and information processing from Shenzhen University in Shenzhen, China. Currently she is a lecturer in the College of Computer and Software, Shenzhen University, Shenzhen, China. Her research interests include cryptography and information security.

Jun Liu was born in Hunan province, China in 1987. In 2010, he received his bachelor’s degree in electronic information engineering from Xiangtan University. He is now a master’s candidate at Shenzhen University, Shenzhen, China. His research interests include network and information security.
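Added worked example, not code from the paper or its authors: it runs the forgery $\sigma_i^* = \sigma_i (u^x)^{m_i^* - m_i}$ from Section IV.A against verification equation (5), then checks equation (7) of the proposed protocol on an honest proof, a tampered block and a lost block as analysed in Section VI. Assumptions: group elements are modelled by their exponents so the pairing becomes modular multiplication (an algebra check only, not secure), the homomorphic hash is taken as $H(m) = b^m$ for a fixed base $b$, and every function name, the file identifier and the sample blocks are constructed for this illustration.

```python
import hashlib
import secrets

# Toy model, assumed for this example and NOT secure: a G1 element g^k is stored
# as its exponent k mod P, so the pairing e(g^a, g^b) = e(g, g)^(ab) is a*b mod P.
# It checks the algebra of equations (4)-(7) only.
P = 2**127 - 1  # prime group order

class G1:
    def __init__(self, k):
        self.k = k % P
    def __mul__(self, other):      # group operation
        return G1(self.k + other.k)
    def __pow__(self, n):          # exponentiation by a scalar
        return G1(self.k * n)

G = G1(1)                          # generator g

def pair(a, b):
    return (a.k * b.k) % P

def to_zp(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def hash_to_g1(label):             # map-to-point hash H on strings
    return G1(to_zp(b"H|" + label.encode()))

def h_point(R):                    # h : G1 -> Z_p used in the proof of [13]
    return to_zp(b"h|" + str(R.k).encode())

HOM_BASE = hash_to_g1("hom-base")

def hom_hash(m):                   # assumed homomorphic hash H(m) = base^m
    return HOM_BASE ** m

def rand_zp():
    return secrets.randbelow(P - 1) + 1

def prod(elems):
    out = G1(0)                    # identity element
    for e in elems:
        out = out * e
    return out

# --- Protocol of Wang et al. [13] ---
def wang_keygen():
    x, u = rand_zp(), G1(rand_zp())
    return x, {"u": u, "v": G ** x, "w": u ** x}

def wang_sign(x, pk, i, m):        # equation (4)
    return (hash_to_g1(str(i)) * pk["u"] ** m) ** x

def wang_proof(pk, blocks, sigs, chal):
    r = rand_zp()
    R = pk["w"] ** r
    mu = (sum(y * blocks[i] for i, y in chal) + r * h_point(R)) % P
    return mu, prod(sigs[i] ** y for i, y in chal), R

def wang_verify(pk, chal, proof):  # equation (5)
    mu, sigma, R = proof
    agg = prod(hash_to_g1(str(i)) ** y for i, y in chal)
    return pair(sigma * R ** h_point(R), G) == pair(agg * pk["u"] ** mu, pk["v"])

def wang_forge(pk, sig, m_old, m_new):
    # sigma* = sigma * (u^x)^(m* - m): needs only the public key element w = u^x
    return sig * pk["w"] ** ((m_new - m_old) % P)

# --- Proposed protocol ---
def new_sign(x, file_id, i, m):    # equation (6)
    return (hash_to_g1(f"{file_id}||{i}") * hom_hash(m)) ** x

def new_proof(blocks, sigs, chal):
    r = rand_zp()                  # one-time stream key chosen by CSP
    zeta = (sum(y * blocks[i] for i, y in chal) + r) % P
    return prod(sigs[i] ** y for i, y in chal), zeta, hom_hash(r)

def new_verify(v, file_id, chal, proof):  # equation (7)
    sigma, zeta, psi = proof
    agg = prod(hash_to_g1(f"{file_id}||{i}") ** y for i, y in chal)
    # psi ** (P - 1) is psi^{-1} because the group order is P
    return pair(sigma, G) == pair(agg * hom_hash(zeta) * psi ** (P - 1), v)

def demo():
    blocks = {1: 1111, 2: 2222, 3: 3333}       # constructed sample blocks m_i
    chal = [(i, rand_zp()) for i in blocks]    # challenge {i, y_i}
    tampered = {**blocks, 2: 9999}             # block 2 replaced by the CSP

    x, pk = wang_keygen()
    sigs = {i: wang_sign(x, pk, i, m) for i, m in blocks.items()}
    forged = {**sigs, 2: wang_forge(pk, sigs[2], blocks[2], tampered[2])}
    honest_13 = wang_verify(pk, chal, wang_proof(pk, blocks, sigs, chal))
    forged_13 = wang_verify(pk, chal, wang_proof(pk, tampered, forged, chal))

    x2 = rand_zp()
    v2 = G ** x2
    sigs2 = {i: new_sign(x2, "file-7", i, m) for i, m in blocks.items()}
    honest_new = new_verify(v2, "file-7", chal, new_proof(blocks, sigs2, chal))
    tamper_new = new_verify(v2, "file-7", chal, new_proof(tampered, sigs2, chal))
    partial = [c for c in chal if c[0] != 2]   # CSP lost block 2
    loss_new = new_verify(v2, "file-7", chal, new_proof(blocks, sigs2, partial))
    return honest_13, forged_13, honest_new, tamper_new, loss_new

if __name__ == "__main__":
    print(demo())
```

The second value returned by `demo()` is the forged response passing equation (5) without the secret key; the last two are equation (7) rejecting a tampered block and a missing block.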