
International Journal of Computer Trends and Technology (IJCTT) – volume 4 Issue 7–July 2013

ISSN: 2231-2803 http://www.ijcttjournal.org Page 2044

Secure and Accountable Data Sharing In the Cloud

T. Praveenkumar (1), K. Narsimhulu (2)

(1) M.Tech (Computer Science & Engineering), Rajeev Gandhi Memorial College of Engineering and Technology, Nandyal, Andhra Pradesh, India

(2) Assistant Professor (Dept. of CSE), Rajeev Gandhi Memorial College of Engineering and Technology, Nandyal, Andhra Pradesh, India

Abstract—Cloud computing is a technology that offers hardware and software resources as services over a network, and it provides a wide range of services that are easily consumed over that network. One of the major characteristics of cloud services is that users' data are processed on unknown remote servers that the users do not operate; this is a considerable roadblock to adopting the available cloud services. To address this problem, we propose a highly decentralized framework to monitor the actual usage of the user's data held in the cloud. The Cloud Information Accountability (CIA) framework proposed in this work performs automated logging and distributed auditing of every relevant access performed by any other entity, carried out at any point of time at any cloud service provider (CSP). It comprises two major components: the logger and the log harmonizer. The proposed methodology also protects the JAR file itself by converting the JAR into obfuscated code, which adds an additional layer of security to the infrastructure. Apart from this, we extend the security of the user's data with provable data possession for integrity verification.

Keywords-- Cloud computing, data sharing, Cloud Information Accountability framework (CIA), Cloud Service Provider (CSP), Provable data possession

I. INTRODUCTION

The Cloud Information Accountability framework proposed in this work conducts automated logging and distributed auditing of every relevant access performed by any other entity, carried out at any point of time at any cloud service provider. It consists of two major components: the logger and the log harmonizer. The JAR file includes a set of access control rules specifying whether and how the cloud servers, and possibly other data stakeholders, are authorized to access the content itself. In addition, we check the integrity of the JRE on the systems on which the logger component is initiated; these integrity checks are carried out using oblivious hashing. The proposed methodology also protects the JAR file by converting the JAR into obfuscated code, which adds an additional layer of security to the infrastructure. Apart from this, we extend the security of the user's data with Provable Data Possession (PDP) for integrity verification. Based on the configuration settings defined at the time of creation, the JAR provides usage control and performs logging: each time the data is accessed, the JAR automatically generates a log record.

II. PROBLEM STATEMENT

In this section we consider an illustrative example that serves as the basis of our problem statement and is used throughout the paper to demonstrate the main features of our system.

In this example, multiple Cloud Service Providers (CSPs) are available on the Internet. A customer uses the services supplied by a specific CSP, such as online travel booking, printing, office applications, etc. In order to use these services, customers have to register and disclose personal data, including their address, financial details, etc. In order to provide the required functionality, a CSP might need to interact with other CSPs and share relevant data to enable the business transaction. For example, a travel service might need to interact with an external billing service and a flight reservation service in order to supply the required service to the customer.

As Fig. 1 shows, all these interactions require the user's personal and confidential data to be collected; that data can then be analysed, processed and exchanged with other third parties. A key issue highlighted by this scenario is that both the customer and the CSPs might quickly lose control of the data once it is exchanged between different parties in chains of interactions. Customers might desire to retain control over:

Fig.1: Data sharing in cloud

how their data should be used, who can access it, etc. They might want to dictate the purposes for which data can be disclosed to third parties, and impose constraints on retention time, notifications, etc. Similar comments apply to a service provider disclosing information to third parties. In other words, the entities that disclose information would like to express preferences (including privacy preferences) on how their personal and confidential data should be handled, along with access control and obligation constraints. Some specific examples of authorization policies for access control and of obligation policies follow:

• Authorization policies for controlling access

Customer credit card data can be accessed by CSP1 for business transaction purposes only;

Customer email address can be shared with CSP2 and CSP3 only for business transactions and goods delivery;

Customer email address details must not be shared with CSP4.

• Obligation policies

Customer has to be notified by email every time their data is accessed;

Customer has to be notified every time their credit card is disclosed to another CSP;

Customer has full control of their data and is able to delete their data if it is not accessed or used for a long period of time.

Interestingly, the above constraints might need to be enforced by all the entities involved in disclosing data; in the example, by the Travelling Service, the Flight Booking Service, the Printing Service, etc.

Furthermore, the customer might change their mind and modify some of their preferences and constraints. These changes should be propagated through the chain of disclosures. With this scenario in mind, we identify the common requirements and develop several guidelines to achieve data accountability in the cloud. A user who subscribes to a certain CSP usually needs to send his/her data, as well as the associated access control policies (if any), to the CSP. After the data are received by the CSP, the CSP is granted access rights such as read, write, and copy on the data. With conventional access control techniques, once the access rights are granted, the CSP effectively has full access rights over the data.

III. SYSTEM DESIGN

3.1 JAR Generation

The JAR file includes a set of access control rules specifying whether and how the CSPs and possibly other data stakeholders (users, companies) are authorized to access the content. Based on the configuration settings defined at the time of creation, the JAR will provide usage control to perform logging.

3.2 Obfuscation

In software development, obfuscation is the act of deliberately creating obfuscated code, i.e. code that is difficult for humans to read and understand. Programmers may obfuscate code to conceal its purpose (security through obscurity) in order to discourage tampering and deter reverse engineering, or as a recreational challenge for someone reading the source code. Obfuscators are programs that transform readable code into obfuscated code using various techniques.

Source Code

var a = "Hello World!";
function MsgBox(msg) {
    alert(msg + "\n" + a);
}
MsgBox("OK");

Obfuscated code

// String literals are pulled into one hex-escaped array; names are replaced by meaningless identifiers.
var _0xdcf3 = ["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21", "\x0A", "\x4F\x4B"];
var a = _0xdcf3[0];
function MsgBox(_0x709bx3) { alert(_0x709bx3 + _0xdcf3[1] + a); };
MsgBox(_0xdcf3[2]);

Table.1: Example of obfuscated code

However, a bytecode disassembler would still work even if we used a code obfuscator that makes every decompiler fail completely. Remember that the JVM instruction set contains high-level instructions, unlike real CPUs such as x86, so disassembled Java is easier to understand than disassembled C++. It therefore makes sense to also "collapse" the entire structure of the program. Advanced obfuscation techniques include class hierarchy changes, array folding/flattening, method inlining and outlining, loop unrolling, etc.

3.3 The Logging Mechanism

The main responsibility of the JAR is to handle the authentication of entities that need to access the data stored in the JAR file. In this scenario, the data owners may not know the exact CSPs where the data will be handled or processed. Hence, authentication is specified in terms of the servers' functionality (which we assume to be known through a lookup service), rather than in terms of a server's URL.

3.4 Log Record Generation

Log records are generated by the component called the "logger". Logging occurs for every access to the data in the JAR, and newly generated log entries are appended sequentially, in order of creation: LR = (r1, . . . , rk). Each record ri is encrypted individually and appended to the log file. In particular, each record ri indicates that an action was performed on the user's data by an entity identified by ID, at time T, at location Loc.

3.5 PDP (PROVABLE DATA POSSESSION)

3.5.1 Verify data possession

• C sends a challenge chal to S: a challenge containing a random value

• S computes V from chal and F, where V is a proof, and returns V

• C checks V

Fig. 2: Verify data possession
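The challenge-response exchange of Fig. 2, as an added example that is not part of the original paper: the client C keeps a secret key, tags every block of F at setup, and S must return the challenged blocks with their tags, which C re-derives. Keyed HMAC tags stand in here for the homomorphic RSA tags of the PDP scheme the paper builds on (an assumption made so the example runs with the standard library); the function names follow the paper's KeyGen, TagBlock, GenProof and CheckProof.

```python
import hmac
import hashlib
import secrets

BLOCK_SIZE = 4  # tiny blocks so the constructed sample file splits into several blocks


def KeyGen() -> bytes:
    """Client-side secret key (stands in for the paper's key pair)."""
    return secrets.token_bytes(32)


def TagBlock(key: bytes, index: int, block: bytes) -> bytes:
    """Tag over (index, block): binding the index stops S from answering with a reordered block."""
    return hmac.new(key, index.to_bytes(4, "big") + block, hashlib.sha256).digest()


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


class Server:
    """S stores F as blocks plus the tag set Σ; it never sees the key."""
    def __init__(self, blocks, tags):
        self.blocks, self.tags = list(blocks), list(tags)

    def GenProof(self, chal):
        # Proof V: the challenged (index, block, tag) triples. Returning the
        # blocks themselves is not bandwidth-efficient; homomorphic tags avoid that.
        return [(i, self.blocks[i], self.tags[i]) for i in chal]


def CheckProof(key: bytes, chal: list, proof: list) -> bool:
    """C re-derives each tag; any mismatch or missing index means F is not held intact."""
    if [i for i, _, _ in proof] != list(chal):
        return False
    return all(hmac.compare_digest(TagBlock(key, i, b), t) for i, b, t in proof)


def make_challenge(n_blocks: int, c: int) -> list:
    """chal: c distinct random block indices (sampling gives probabilistic detection)."""
    return sorted(secrets.SystemRandom().sample(range(n_blocks), c))


def audit(key: bytes, server: Server, n_blocks: int, c: int = 3) -> bool:
    chal = make_challenge(n_blocks, c)
    return CheckProof(key, chal, server.GenProof(chal))


def run_demo():
    """Setup and an honest audit, then a full-file check against a server that damaged a block."""
    key = KeyGen()
    blocks = split_blocks(b"constructed sample file held at the CSP")   # F (constructed)
    tags = [TagBlock(key, i, b) for i, b in enumerate(blocks)]         # Σ
    honest = Server(blocks, tags)
    damaged = Server(blocks, tags)
    damaged.blocks[2] = b"XXXX"          # block silently replaced at S
    every_block = list(range(len(blocks)))
    return audit(key, honest, len(blocks)), CheckProof(key, every_block, damaged.GenProof(every_block))
```

A random challenge of c blocks detects a damaged block only with some probability, which is why the demo checks the damaged server over every index; raising c raises the detection probability at the cost of more proof traffic.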

A PDP system can be constructed from a PDP scheme in two phases:

Setup

• C runs KeyGen and TagBlock, and sends pk, F and Σ to S

Challenge

• C sends chal to S

• S runs GenProof and sends V to C

• C checks V with CheckProof

We also showed that our PDP scheme provides all the security properties required of a zero-knowledge interactive proof system, so that it can resist various kinds of attacks even when deployed as a public audit service in the cloud.

3.6 Auditing Mechanism

So that data owners are frequently and accurately notified about accesses to their data, our logging mechanism is complemented by an auditing mechanism for the distributed environment. We support two auditing techniques: 1) push mode and 2) pull mode.

3.6.1 Push mode:

The logs are periodically pushed to the data owner by the log harmonizer. The push action is triggered by either of two events: the first is that the elapsed time for a particular period, according to the temporal timer inserted as part of the JAR file, has passed; the second is that the JAR file has grown beyond the size specified by the data owner. After the log files are forwarded to the data owner, they can be deleted in order to free space for future logs. Deleting the logs also dumps the related log information, such as error-correcting data. This mode is the basic mode and is compatible with both Pure Logs and Access Logs, regardless of whether the data owner requests the log files. Push mode serves two purposes in the logging architecture: 1) it ensures that the log file size does not exceed the limit, and 2) it enables timely detection and correction of any damage to or loss of the log files. Concerning the latter purpose, we note that the data owner, upon receiving the log file, checks its cryptographic guarantees by verifying the integrity and authenticity of the records. By construction of the records, the data owner can quickly detect forged entries by using the checksum appended to every record.
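The log records of Section 3.4 and the forgery check the data owner performs in push mode, as an added example that is not part of the original paper: each record (ID, Act, T, Loc) carries a keyed checksum chained to the previous record's checksum, so an edited, inserted or removed record breaks the chain from that point. The shared key LOG_KEY is an assumption (the paper encrypts records under an IBE public key, which is omitted here); the sample accesses are constructed.

```python
import hmac
import hashlib
import json

# Constructed key known to the logger and the data owner (assumption; the paper
# additionally encrypts each record, which this example leaves out).
LOG_KEY = b"constructed-demo-key"


def _checksum(body: dict, prev_checksum: str) -> str:
    # Chain: the MAC covers this record's fields and the previous record's checksum.
    payload = json.dumps(body, sort_keys=True).encode() + prev_checksum.encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_record(log: list, entity_id: str, action: str, t: float, loc: str) -> dict:
    """Logger side: build r_i = (ID, Act, T, Loc, checksum) and append it in creation order."""
    prev = log[-1]["checksum"] if log else ""
    body = {"ID": entity_id, "Act": action, "T": t, "Loc": loc}
    body["checksum"] = _checksum(dict(body), prev)
    log.append(body)
    return body


def verify_log(log: list) -> int:
    """Data-owner side: index of the first record whose chain is broken, or -1 if intact."""
    prev = ""
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "checksum"}
        if not hmac.compare_digest(_checksum(body, prev), rec.get("checksum", "")):
            return i
        prev = rec["checksum"]
    return -1


def build_sample_log() -> list:
    """Constructed sample: three accesses by two CSPs, as the logger would record them."""
    log = []
    append_record(log, "CSP1", "read", 1.0, "billing.example")
    append_record(log, "CSP2", "copy", 2.0, "flights.example")
    append_record(log, "CSP1", "read", 3.0, "billing.example")
    return log


def forged_action_index() -> int:
    log = build_sample_log()
    log[1]["Act"] = "read"          # an entry rewritten after the fact
    return verify_log(log)


def dropped_record_index() -> int:
    log = build_sample_log()
    del log[1]                      # an entry removed: the next record's chain no longer matches
    return verify_log(log)
```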

3.6.2 Pull mode:

This mode allows data owners to retrieve the logs at any time they want to check recent accesses to their own data. The pull message consists simply of an FTP pull command, which can be issued from the command line. The request is sent to the log harmonizer, and the user is informed of the data locations and obtains an integrated copy of the authentic, sealed log file.

3.7 Accountability Mechanism

Fig. 3 shows the working of the accountability mechanism in the cloud. When a user accesses the data, a log of each access is created by the logger and periodically sent to the log harmonizer; the log harmonizer sends these logs to the data owner, who can examine them and take appropriate action if desired.

Fig. 3: Accountability Mechanism in the cloud

IV. SECURITY ANALYSIS

4.1 Copying Attack

The most intuitive attack is for the attacker to copy entire JAR files. The adversary may assume that doing so allows access to the data in the JAR file without being noticed by the data owner. However, such attacks are detected by our auditing mechanism. Recall that every JAR file must send log records to the log harmonizer.

In particular, with push mode, the log harmonizer sends the logs to the data owner frequently. That is, even if the data owner is not aware of the existence of additional copies of its JAR files, he will still receive log files from all existing copies. If attackers move additional copies of the JARs to places where the log harmonizer cannot connect, those additional copies will soon become inaccessible.

4.2 Data Leakage Attack

This is an attack by which an adversary obtains the stored data through the verification process, after running or wiretapping a sufficient number of verification exchanges. An attacker uses well-formed requests to an application, service, or device that result in the inadvertent disclosure of sensitive data, exploiting weaknesses in the configuration of the target that cause it to reveal more details to the attacker than intended. The attacker might collect this information through different methods, such as active querying and passive observation. The information may contain details about the capabilities or configuration of the target, clues as to the timing or nature of activities, or other sensitive data. Often this kind of attack is a preparatory step for some other attack, although gathering the information may be the attacker's end goal in some cases. The retrieved information may be used by the attacker to make assumptions about vulnerabilities, potential weaknesses, or techniques that help achieve the attacker's objectives. Data leakage may take various forms, such as confidential information stored in insecure directories, or services that provide diagnostic messages in response to normal queries.

4.3 Disassembling Attack

Another possible attack is to disassemble the JAR file containing the logger and then attempt to extract useful information from it. Once the JAR file is disassembled, the attacker holds the public IBE key used for encrypting the log files. Therefore, the attacker has to rely on learning the private key or subverting the encryption in order to read the log records. To break the confidentiality of the log files, the attacker would try to determine which encrypted log records correspond to his/her own actions by mounting a chosen-plaintext attack to obtain pairs of plaintexts and encrypted log records.

However, the use of the Weil pairing algorithm ensures that the CIA framework has both chosen-plaintext and chosen-ciphertext security in the random oracle model. Therefore, the attacker is not able to decrypt any other data or log files in the disassembled JAR file. Even if the attacker bypasses authorization and accesses the actual content file, he/she will not be able to decrypt any data, including the log files, which are viewable by the data owner exclusively. Through the disassembled JAR files, the attacker cannot directly read the access control policies, as the original source code is not included in the JAR files. If the attacker wants to deduce the access control policies, the only possible way is to analyse the log file. This is very hard to achieve, as the log records are encrypted and decryption is computationally hard. Also, the attacker cannot modify the log files extracted from a disassembled JAR without detection. The attacks specified above are the most frequent in this distributed environment.

V. ADVANTAGE

The strength of the CIA framework lies in maintaining a lightweight accountability mechanism that combines aspects of access control, authentication, and usage control, while providing defenses against the man-in-the-middle attack, dictionary attack, disassembling attack, compromised JVM attack, and data leakage attack. PDP allows data owners to remotely verify the integrity of their data, and it is suitable for both small and large numbers of storage providers.

VI. CONCLUSION

The CIA framework is developed with an innovative approach for automatically logging every access to the data available in the cloud, together with auditing mechanisms. Our approach permits the data owner not only to monitor his/her data but also to enforce constraints for strong back-end protection. Apart from that, we have included the PDP methodology to strengthen the integrity of the owner's data. In future, we plan to extend our approach to verify the integrity of the JRE. For that, we will examine whether it is possible to leverage the secure JVM being developed by IBM, and we would like to enhance our PDP architecture on the user side so that users can check their data remotely in an efficient manner in a multi-cloud environment.
