Smart Computing Review, vol. 5, no. 3, June 2015


Architecture to Implement Secure Cloud Computing with Elliptic Curve Cryptography

Debajyoti Mukhopadhyay, Abhay Kawade, Akash Thakur, Nikhilesh Chaudhari, and Sani Nanekar

Maharashtra Institute of Technology, Pune 411038, India / {debajyoti.mukhopadhyay, kawadeabhay25, akashthakur007, nik29ch, saninanekar001}@gmail.com

*Corresponding Author: Debajyoti Mukhopadhyay

Received April 10, 2015; Revised May 15, 2015; Accepted May 28, 2015; Published June 30, 2015

Abstract: Cloud computing is an emerging domain that enables the deployment of a new IT service paradigm. Cloud providers offer a wide range of services which are charged per unit basis. The major challenge facing clouds is security. It includes ensuring the safety of the infrastructure as well as protection against unauthorized access. In this paper, we deal with cloud security services, including key agreements and authentication. By employing Elliptic Curve Cryptography for client authentication process and data storage, we design the Multi-Server Cloud Computing system. Our scheme chooses not to store encryption keys anywhere in the cloud because of the secret isolation guideline. A request counter is used at the time of the client authentication process to prevent replay attacks. To aid in controlled access, a mandatory access control model is preferred. We split the encrypted data and store it on different clouds, which provides security against attacks on the storage server. Restrictions are imposed to ensure only selected employees (administrators) have authority to handle the encrypted data. Our Multi-Server Cloud Computing system is used to fit an environment in which each cloud contains multiple servers that collaborate in serving applications. One cloud is used for client authentication and key agreement, and another cloud for data splitting and combining. Due to strong security and operation efficiency, the proposed secure cloud computing should be most suitable for use in a cloud computing environment.

Keywords: Cloud computing; Elliptic Curve Cryptography; Multi Server Cloud Computing; Data Splitting; Data Combining

DOI: 10.6029/smartcr.2015.03.008


Introduction

Nowadays the view on cloud computing has changed. It is seen as a new, promising, revolutionary technology with a low cost for development and maintenance while still providing highly-reliable and elastic services. Cloud technology is evolving and undergoing lots of experiments. The usage of the cloud promises huge cost benefits, agility, and scalability for businesses. Data storage is one popular cloud-based service. In traditional data management, data was only protected by data owners, but in cloud, it is protected by other service providers as well. All data and software are stored at a remote location referred to as a data center. Data centers allow enterprises to run applications faster with easier manageability and low maintenance effort, as well as enjoy the rapid scaling of resources (e.g. servers, storage, and networking) to meet many business requirements. A data center contains information that traditional users store on their computer. This raises the question of user privacy protection, as the data needs to be outsourced to the data centers. The movement of data could breach data security. The world of cloud computing offers various benefits, considering that the privacy and security risks are effectively minimized. More and more people are starting to reap the benefits of the cloud. The transfer of data to centralized services could affect privacy and security while a user interacts with the files stored in cloud storage space. The major concern is data security. Although outsourcing data into the cloud is economically beneficial in terms of the cost and complexity of long-term large-scale data storage, it might give rise to problems in the field of data security. Any attacker could try accessing the data. The cloud service provider could accidentally or deliberately alter or delete some information from the cloud server. Hence, the system must implement some sort of security mechanism to ensure data privacy.
The current cloud security model is based on the assumption that the user/client should trust the service provider. This is typically governed by a Service Level Agreement (SLA). To ensure the security and availability of data in the cloud and to maintain the quality of data, we need to develop efficient techniques to enable data encryption and the splitting of data. In other words, we need to apply cryptographic methods for the encryption of data and logical techniques to split the data. It is important to support the integration of this dynamic feature into multi-cloud storage and encryption, which makes the system design even more challenging.

Related Work and Novelty of Approach

Cloud computing has a wide scope for data storage and data maintenance. People are trying to use cloud computing services over the Internet, but some issues related to security persist. If a user’s confidential data gets revealed, it may adversely affect business. There exist a few systems to maintain the confidentiality of data, but with some flaws. One of the systems is the Protecting Data Privacy by Authentication and Secret Sharing (PASS) scheme. In this system, the data is encrypted and stored in the same cloud, but it has a limitation in that the keys are available in the same cloud where the data exists [2] [3], which provides easy access to an intruder. Another existing system is the business model for cloud computing that uses separate servers for encryption/decryption and for data storage [1]. The main disadvantage of this system is that the failure of a server results in loss of data. To overcome the limitations of these systems, a new system was designed [4] [5] [6] [7] [8] [9]. Even when it uses the data distribution scheme in which data is stored on different cloud servers, protection from an inside intruder is not completely achieved. To overcome all the flaws in existing systems, we have proposed an architecture for secure cloud computing.

Proposed Work

We present a scheme that involves the encryption of all data. First, we encrypt the data given by the client, then we split that encrypted data into multiple blocks. We then store those blocks on various random clouds. Hence, our scheme is well-suited for clients with the need to store highly-confidential data. In our data security protocol, we use an elliptic curve cryptography (public key cryptography) algorithm for the encryption of data. Then we pass the data to a remote server. On that server, we split the encrypted data into multiple blocks of data. We then store these blocks on random clouds. We use a second server separately for splitting the data. If an insider using the first server gets unauthorized access to the data, he or she can track the data and alter or misuse it. To provide more data security and limit unauthorized insider access, we use the concept of data splitting and storage on multiple servers. This mechanism involves two major steps that are explained below:


Figure 1. Working architecture

■ Architecture

Architecture for storage of split encrypted file:
1) Authentication: When a client logs in for the first time, his profile is created after successful registration. If the client is already registered, authentication takes place directly.
2) Encryption:
   a) Upload file to encryption server: The client's file is uploaded to the encryption server.
   b) Encryption of file: The uploaded file is then encrypted using an ECC algorithm.
   c) Return encrypted file: The encrypted file is sent back to the client.
3) Uploading and Splitting:
   a) Upload file to splitter server: The encrypted file is uploaded to the splitter server.
   b) Splitting: The encrypted file is split into multiple blocks of data.
4) Storage of encrypted file: Split encrypted files are stored on multiple storage servers.


Architecture for retrieval of split encrypted file:
1) Request for encrypted file to splitter server: When a client wants his file back, the client requests the splitter server for the encrypted file.
2) Retrieval of encrypted file from splitter server:
   a) Request for encrypted file: The splitter requests multiple storage servers for the file.
   b) Retrieval of encrypted file: All the split encrypted files are retrieved back at the splitter server.
   c) Integrate encrypted file: Split encrypted files are re-ordered and integrated as a single encrypted file.
3) Return encrypted file: The encrypted file is sent back to the client.
4) Authentication: Authentication takes place to identify a valid client.
5) Decryption:
   a) Upload file to decryption server: The client's file is uploaded to the encryption server.
   b) Decryption of file: The ECC decryption algorithm is used to decrypt the uploaded file.
   c) Return decrypted file: The decrypted file is sent back to the client.
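The splitting, storage, retrieval and re-ordering steps of the two procedures above, as an added example that is not the authors' implementation. It assumes in-memory dictionaries in place of storage servers, a fixed block size, opaque random block IDs, and a splitter-side manifest holding a SHA-256 digest per block; the paper specifies none of these details, and the function names are this example's own.

```python
import hashlib
import secrets

def split_and_store(ciphertext, servers, block_size=16):
    """Split an already-encrypted file into blocks and scatter them.

    `servers` maps a server name to its block store (a dict standing in for
    a storage server). Returns the manifest the splitter keeps; its list
    order is the block order needed to re-assemble the file.
    """
    names = list(servers)
    manifest = []
    for off in range(0, len(ciphertext), block_size):
        block = ciphertext[off:off + block_size]
        name = secrets.choice(names)          # random placement per block
        block_id = secrets.token_hex(8)       # reveals neither file nor position
        servers[name][block_id] = block
        manifest.append({"server": name, "id": block_id,
                         "sha256": hashlib.sha256(block).hexdigest()})
    return manifest

def retrieve_and_combine(manifest, servers):
    """Fetch every block, check it against the manifest, re-order and join."""
    out = bytearray()
    for index, entry in enumerate(manifest):
        block = servers[entry["server"]].get(entry["id"])
        if block is None:
            # A lost block or failed server makes the file unrecoverable.
            raise LookupError(f"block {index} missing on {entry['server']}")
        if hashlib.sha256(block).hexdigest() != entry["sha256"]:
            # Detects a block altered at rest on a storage server.
            raise ValueError(f"block {index} altered on {entry['server']}")
        out += block
    return bytes(out)

if __name__ == "__main__":
    stores = {"storage-1": {}, "storage-2": {}, "storage-3": {}}
    encrypted = bytes(range(100))             # constructed stand-in for an ECC ciphertext
    plan = split_and_store(encrypted, stores)
    print(len(plan), "blocks;", retrieve_and_combine(plan, stores) == encrypted)
```

The manifest is the only record of block order and location, so it needs the same protection as the file itself.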

Understanding Pre-requisites

■ Elliptic Curve Cryptography

A very well-known algorithm used extensively for key exchange and agreement is Rivest, Shamir, Adleman (RSA). It involves huge numbers, hence the need for new methods. The strength of RSA lies in integer factorization [4]. We first need to find the prime factors of a number, but when we start working with large numbers, finding them becomes complex and the strength becomes a limitation. If we want a highly-secure RSA mechanism, larger numbers must be used, which increases the key size enormously. As our main motive is to provide the best security possible, we have to use a more efficient method that works with a smaller key size. The cryptography must ensure a similar or even greater level of data security. Based on the results of the comparison, we can verify that ECC is a much better and more efficient method for public key cryptography.

A. Elliptic Curve

Figure 2. Elliptic curve

An elliptic curve is a non-singular projective algebraic curve over some field k with a point at infinity. We can describe the curve as the set of points satisfying the equation:

$y^2 + axy + by = x^3 + cx^2 + dx + e$

An elliptic curve 'E' is a curve given by the equation (for a cubic or quadratic polynomial f(x)):

$E: y^2 = f(x)$ (1)

The polynomial f(x) is required to have no double roots because we want to guarantee that the curve is non-singular. After changing the variables, the equation becomes simpler (cubic):

$E: y^2 = x^3 + ax + b$ (2)

To define E as a set, an extra point Ɵ "at infinity" is added:

$E = \{(x, y) : y^2 = x^3 + ax + b\} \cup \{Ɵ\}$ (3)

If we have a point $P_1(x_1, y_1)$ on any elliptic curve and we want to find $P_2(x_2, y_2)$ such that $P_2 = 2P_1$, this is known as Point Doubling, and the equation is:

Let $\lambda = x_1 + y_1 / x_1$; then $x_2 = a + \lambda + \lambda^2$ and $y_2 = (x_1 + x_2)\lambda + x_2 + y_1$ (4)

If we have two points $P_1(x_1, y_1)$ and $P_2(x_2, y_2)$ on any elliptic curve and we want to find $P_3(x_3, y_3)$ such that $P_3 = P_1 + P_2$, this is known as Point Addition, and the equation is:

Let $\lambda = (y_1 + y_2)/(x_1 + x_2)$; then $x_3 = a + \lambda + \lambda^2 + x_1 + x_2$ and $y_3 = \lambda(x_2 + x_3) + x_3 + x_2$ (5)

ECC involves elliptic curves defined over a finite field. There are two fields of interest:
a) Prime fields $GF(p)$
b) Binary finite fields $GF(2^m)$

In Fig. 3, a point P(x, y) lies on the elliptic curve where x and y are elements of $GF(p)$. The number of bits in the binary representation of the field order gives the elliptic curve domain parameters of the set, commonly denoted as p. The number of bits in the binary representation of the field, commonly denoted as m, is given on the characteristic-2 curve.

Figure 3. Diffie - Hellman key exchange


Table 1. Key size of ECC vs. RSA

ECC (bits)    RSA (bits)    Key size ratio
160           1024          1:6
256           3024          1:12
384           7680          1:20
512           16360         1:30

B. Implementation of ECC

ECC can be done with at least two types of arithmetic, each of which gives different definitions of multiplication. The two types of arithmetic are:
1) Zp arithmetic
2) $GF(2^n)$ arithmetic

Consider the equation Q = KP, where Q, P ϵ Ep(a, b) and K < P. It is relatively easy to calculate Q given K and P, but it is relatively hard to determine K given Q and P. This is called the discrete logarithm problem in elliptic curves (ECDLP).

1) Key generation (Diffie-Hellman): A key exchange between users Alice and Bob can be done as follows:
   i. Alice selects an integer dA; this is Alice's private key.
   ii. Alice then generates a public key PA = dA*B.
   iii. Bob similarly selects a private key dB and computes a public key PB = dB*B.
   iv. Alice generates the secret key K = dA*PB. Bob generates the secret key K = dB*PA.

2) Encryption algorithm: Suppose A wants to send B an encrypted message.
   i. A takes the plaintext message M and encodes it onto a point, PM, from the elliptic group.
   ii. A chooses another random integer, k, from the interval [1, p-1].
   iii. The ciphered text is a pair of points PC = [ (kB), (PM + kPB) ].
   iv. A sends the ciphered text PC to Cloud B.

3) Decryption algorithm: Cloud B will take the following steps to decrypt the ciphered text PC.
   i. B computes the product of the first point from PC and his private key dB, i.e., dB * (kB).
   ii. B then takes this product and subtracts it from the second point from PC: (PM + kPB) – [dB(kB)] = PM + k(dBB) – dB(kB) = PM

C. Why ECC?

A few reasons as to why we preferred ECC over RSA are given below:
1) Small Key Size: ECC requires fewer bits to work when compared to RSA, but still provides the same level of security. Table 1 shows the results of a comparison between ECC and RSA.
2) Fast Processing: As the key size is small, the memory required is also less, and so the processing takes less time.
3) Efficiency: ECC uses scalar multiplication. Therefore, it is computationally more efficient when compared to RSA.

All of the above advantages prove that ECC is faster and stronger when compared to present techniques.
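The key generation, encryption and decryption steps of section B, as an added example (not the authors' code), reading the B in dA*B as the curve's base point, written G here. It assumes the secp256k1 curve over a prime field, so it uses the GF(p) addition formulas, draws k below the order of G, and encodes the message onto PM by try-and-increment; these choices and all function names are this example's own.

```python
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P); G has prime order N.
P = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # the point at infinity

def add(p1, p2):
    """Prime-field point addition; covers doubling and inverse points."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # a = 0 on this curve
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add (not constant time)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def keygen():
    """Steps i-iii: private key d in [1, N-1], public key d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def encode(msg):
    """Map up to 30 bytes onto a point PM: x = m*256 + j for the first j on the curve."""
    if len(msg) > 30:
        raise ValueError("message too long for one point")
    m = int.from_bytes(b"\x01" + msg, "big")     # 0x01 marker keeps leading zero bytes
    for j in range(256):
        x = m * 256 + j
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)            # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
    raise ValueError("no curve point found for this message")

def decode(pt):
    m = pt[0] >> 8                               # drop the counter j
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]

def encrypt(msg, pub):
    """PC = (k*G, PM + k*PB) with a fresh random k per message."""
    k = secrets.randbelow(N - 1) + 1
    return mul(k, G), add(encode(msg), mul(k, pub))

def decrypt(ct, d):
    """PM = (PM + k*PB) - d*(k*G)."""
    x, y = mul(d, ct[0])
    return decode(add(ct[1], (x, -y % P)))
```

Each ciphertext carries one curve point of payload, so a file has to be cut into 30-byte chunks and encrypted chunk by chunk under this encoding.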

Conclusion

This system will facilitate the cloud client to get a proof of integrity and security of the data which the client wishes to store in the storage servers. The scheme is developed to store data securely and access data remotely. The system ensures its ability to stand against network attacks, unauthorized access, and insider attacks. Therefore, overall integrity and reliability of the system is confirmed.

References

[1] Jing-Jang Hwang, Hung-Kai Chuang, Yi-Chang Hsu, and Chien-Hsing Wu, “A Business Model for Cloud Computing Based on a Separate Encryption and Decryption Service,” 978-1-4244-9224-4/11, 2011, IEEE.
[2] Ching-Nung Yang, Jia-Bin Lai, “Protecting Data Privacy and Security for Cloud Computing Based on Secret Sharing,” 978-0-7695-5010-7/13, International Symposium on Biometrics and Security Technologies.
[3] Jyh-haw Yeh, “A PASS Scheme in Cloud Computing – Protecting Data Privacy by Authentication and Secret Sharing.”
[4] Yashaswi Singh, Farah Kandah, and Weiyi Zhang, “A Secured Cost-effective Multi-Cloud Storage in Cloud Computing,” IEEE 978-1-4244-9920-5/11, IEEE INFOCOM 2011 Workshop on Cloud Computing.
[5] K. Rajasekar and C. Kamalanathan, “Towards of secured cost-effective multi-cloud storage in cloud computing,” Undergraduate Academic Research Journal (UARJ), ISSN: 2278 – 1129, Volume-1, Issue-2, 2012.
[6] N. Koblitz, “Elliptic Curve Cryptosystems,” Mathematics of Computation, Vol. 48, pp. 203-209, 1987.
[7] V. S. Miller, “Use of Elliptic Curves in Cryptography,” Advances in Cryptology, Vol. 218, pp. 417-426, 1985.
[8] Muhammad Yasir Malik, “Efficient Implementation of Elliptic Curve Cryptography Using Low power Digital Signal Processing,” ICACT ISBN 97889-5519-146-2, pp. 7-10, Feb. 2010.
[9] Debajyoti Mukhopadhyay, Ashay Shirwadkar, Pratik Gaikar, and Tanmay Agrawal, “Securing the Data in Clouds with Hyperelliptic Curve Cryptography,” 13th International Conference on Information Technology, ICIT 2014 Proceedings; Bhubaneswar, India; IEEE Computer Society Press, California, USA; 22-24, pp. 201-205; ISBN 978-14799-8084-0, Dec. 2014.

Abhay Kawade has completed his B.E. in Information Technology from Maharashtra Institute of Technology, affiliated with the University of Pune, India in 2015. He has done his B.E. Final Year Project under the guidance of Prof. Debajyoti Mukhopadhyay, entitled “An Architecture for secure cloud computing using Elliptic Curve Cryptography.” He will be working as an Associate Software Engineer in Cognizant Technology Solutions Pvt. Ltd., Pune, India from October 2015.

Nikhilesh Chaudhari has completed his B.E. in Information Technology from Maharashtra Institute of Technology, affiliated with the University of Pune, India in 2015. He has done his B.E. Final Year Project under the guidance of Prof. Debajyoti Mukhopadhyay, entitled “An Architecture for secure cloud computing using Elliptic Curve Cryptography.” He will be working as an Associate Software Engineer in Accenture Services Pvt. Ltd., Pune, India from December 2015.


Debajyoti Mukhopadhyay is the Dean (R&D) of the MIT Group of Institutions and Head of Information Technology at Maharashtra Institute of Technology at Pune, India. He is the Founder of the MIT Center of Excellence for Research & Innovation, which is designed to encourage and facilitate R&D activities within the MIT Group. He previously assumed the position of the Director of the Balaji Institute of Telecom & Management in Pune. He is the Founder Director of the Web Intelligence & Distributed Computing Research Lab. During 2008-2010, for almost three years, he was the founding Head and Professor of Information Technology & MIS at Calcutta Business School. He was a Visiting Scholar at George Mason University, Virginia, USA, during June-July 2014. Prof. Mukhopadhyay was a Distinguished Adjunct Professor at Curtin University, Perth, Australia. He had also held Adjunct Professorships at Monarch Business School, Switzerland and Thapar University, Patiala, India. He has worked as a full Professor of Computer Science & Engineering at the West Bengal University of Technology affiliated Engineering Colleges from 2001-2008. He was a Visiting Professor at Chonbuk National University in the Republic of Korea from 2006 to 2007. He also taught at Stevens Institute of Technology, New Jersey, USA (1982-1984) and at Bengal Engineering & Science University (1980-1981). He worked as a Research Fellow at the Indian Statistical Institute, Calcutta (1979-1980). During 1982-1994 and in 1999, he was in the USA. He worked at Bell Communications Research in its Computing Systems and Architecture Lab (1987-1994). He has published over 150 research articles in international journals, conference proceedings, and as research reports. Prof. Mukhopadhyay holds a B.E. (Electronics) from the University of Calcutta (India), a D.C.S. (Computer Science & Applications) from The Queen's University of Belfast (UK), an M.S. (Computer Science) from Stevens Institute of Technology (USA) and a Ph.D. (Engineering) in Computer Science from Jadavpur University (India). Prof. Mukhopadhyay is a SMIEEE (USA), SMACM (USA), FIE (India), FIETE (India), C.Engg., SMCSI, MIMA, and Elected Member of Eta Kappa Nu.

Akash Thakur has completed his B.E. in Information Technology from Maharashtra Institute of Technology, affiliated with the University of Pune, India in 2015. He has done his B.E. Final Year Project under the guidance of Prof. Debajyoti Mukhopadhyay, entitled “An Architecture for secure cloud computing using Elliptic Curve Cryptography.” He will be working as an Associate Software Engineer in Cognizant Technology Solutions Pvt. Ltd., Pune, India from October 2015.

Sani Nanekar has completed his B.E. in Information Technology from Maharashtra Institute of Technology, affiliated with the University of Pune, India in 2015. He has done his B.E. Final Year Project under the guidance of Prof. Debajyoti Mukhopadhyay, entitled “An Architecture for secure cloud computing using Elliptic Curve Cryptography.” He will be working as an Associate Software Engineer in IBM India Ltd., Pune, India from October 2015.

Copyrights © 2015 KAIS