SSTreasury+: A Secure and Elastic Cloud Data Encryption System

2012 Sixth International Conference on Genetic and Evolutionary Computing


Kuan-Ying Huang

Guo-Heng Luo

Shyan-Ming Yuan

Institute of Network Engineering, National Chiao-Tung University, Hsinchu, Taiwan

Institute of Computer Science and Engineering, National Chiao-Tung University, Hsinchu, Taiwan

Institute of Computer Science and Engineering, National Chiao-Tung University, Hsinchu, Taiwan

Abstract—"Cloud computing" has become popular in recent years, and more and more service providers offer cloud services, especially cloud storage. However, one worrying problem is data security. In this paper, we propose a complete service named SSTreasury+, which includes an encryption application and a cloud storage service. The user's data can be encrypted before it is uploaded to the cloud, to prevent it from being stolen during transmission or in the cloud storage. In addition, the decryption key generated by our system is portable, which increases flexibility and convenience. In the back-end storage we use existing cloud storage as backup storage in order to reduce construction costs. With these methods we expect to achieve a safe and flexible cloud storage service.

Keywords-Cloud storage; Security; Cryptography; Encryption system

978-0-7695-4763-3/12 $26.00 © 2012 IEEE DOI 10.1109/ICGEC.2012.132

I.

INTRODUCTION

In recent years, the term "cloud computing" has been discussed intensively, and more and more cloud services have been introduced, especially cloud storage. Cloud storage brings convenience and reliability, and most services work across devices. We can upload files without carrying any extra storage devices such as flash drives. One of the most worrying issues in using cloud storage is data security [1]. The security concern here is that a file may be stolen by somebody while it is being uploaded or while it is stored in the cloud. Most encryption systems can only save the decryption key on the computer [2][3], which increases the risk that the decryption key is stolen if the computer is public. It is also inflexible, because the user has to use the same computer to decrypt the file, and has to install the same decryption key on every other computer on which he/she wants to decrypt the file.

In this paper, we propose a complete service named SSTreasury+ (the double S means Secure and Shareable, and the + means Scalable), which includes an encryption system and a cloud storage service. The focus of the encryption is to prevent the data from being eavesdropped by an attacker during transmission and from being stolen by hackers or by unscrupulous employees of the cloud service provider. Hence, a user of our service not only has to register an account but also has to take care of a decryption key. We put the decryption key into the form of a QR code, so that the user can photograph it with a smartphone or store it on a flash drive as an image. This increases flexibility and solves the problem that the decryption key can only be saved on the computer. The application also provides an interface that lets users manage their uploaded files conveniently, and upload and download files easily without occupying local disk space.

II.

RELATED WORK

Nowadays most cloud storage services let the user upload the file to the server and then encrypt it on the server, which leaves many people without peace of mind. Some users may use a third-party encryption system to encrypt the data before uploading. In this section, we choose three well-known cloud storage services and describe the security of their storage space: Dropbox, SugarSync and ASUS WebStorage.

Dropbox [4] is the most famous cloud storage service, and it uses Amazon S3 for data storage. It encrypts files with 256-bit AES after they are uploaded, and the encryption keys are managed by Dropbox. Dropbox also defends against network security issues such as Distributed Denial of Service (DDoS) attacks [5], Man-in-the-Middle (MITM) attacks [6], and sniffing [7]. Files sent from client to server use 256-bit SSL encryption. Most Dropbox employees are prohibited from viewing the contents of files and are only permitted to view file metadata; only a small number of employees can access files, for the reasons stated in the privacy policy.

SugarSync [8] has the most complete support among cloud storage services because it supports many mobile devices. Files sent between client and server use TLS (Transport Layer Security) encryption. TLS is the successor to SSL v3.0, and both are industry-standard cryptographic protocols for secure Web communications. Files stored in SugarSync are encrypted with 128-bit AES. SugarSync not only backs up files but also syncs them between different devices, and it also uses Amazon S3 for data storage.

Files stored in ASUS WebStorage [9] are encrypted with AES, and SSL encryption is provided to protect the user's information. In addition, a One-Time-Password (OTP) [10] mechanism strengthens login for paid users. A user who is eligible to use OTP authentication can download the application to a mobile phone. OTP authentication is activated through the mobile phone without the need for a computer. It randomly generates a 6-digit dynamic security code every 30 seconds, and each code can be used only once, making it impossible for hackers to steal any personal data stored within the cloud service.

Unfortunately, some cloud storage services do not offer any encryption to protect files, which can significantly harm data security. What we can do is encrypt the data with a third-party encryption system.

III.

OUR PROPOSED SCHEME

A. Main Idea

In this paper we propose a complete service that lets users protect their data and upload it to reliable storage space. To keep the data secure, we provide an encryption system that encrypts data before the file is uploaded, with an interface for the user to manage files conveniently. To make the decryption key portable and flexible, we encode it as a QR Code, which can be stored as a photo on a smartphone or as an image on a flash drive. The uploaded file is stored on the back-end storage servers, and every server combines other cloud storage as backup storage to make our service reliable.

Our service is divided into three parts: a client-side application named SSGuard, a processing server named SSManager, and many storage servers named SSCoffers. SSGuard lets the user encrypt files before uploading, and provides an interface to manage uploaded files and to share secure files with other users or groups. SSManager is in charge of storing the user's information, including the user account, public key and so on, recording each uploaded file's information such as timestamp, storage IP and encrypted AES key, and processing the requests that users send. It can also encrypt a file before uploading it to the storage server, which will be described in 3.3.5. The SSCoffers are in charge of storing encrypted files; how a file is stored will be described in 3.2.

In this section, we introduce the functions of the SSGuard application. We divide the functions into three phases. The first phase is to register an account and create the user's public/private key. The second phase covers how the user encrypts and uploads a file. The goal of the third phase is to let the user download and decrypt the encrypted file to get the original contents.

B. Definition and Notation

Before introducing the functions, we summarize the notation as follows:

U: user
Pid: user account
Pwd: user password
Eu: public key of the user
Du: private key of the user
Rx: random number
ax: random AES key used to encrypt a file
MD5(m): message digest (hash) of message m
Ae(f, ax): AES encryption function that encrypts file f with key ax
Ad(f, ax): AES decryption function that decrypts file f with key ax
Re(ax, x): RSA encryption function that encrypts AES key ax with key x
Rd(ax, x): RSA decryption function that decrypts AES key ax with key x
Qe(m): QR Code encoding function that encodes message m
Qd(i): QR Code decoding function that decodes a QR Code image i to text

IV.

OUR PROPOSED SCHEME

A. Overview

Figure 1. Overview of SSTreasury+

Figure 1 gives an overview of our service. Every file can be encrypted with SSGuard before uploading and decrypted after downloading to recover the original contents. The file is encrypted with a random AES file encryption key and stored in a randomly chosen SSCoffers; the file encryption key is then encrypted with the user's public key and stored in the SSManager. Users can store their private decryption key on a smartphone or flash drive because it is converted into a QR Code. The user shows the QR Code to SSGuard to decrypt the file encryption key, and that key then decrypts the file to recover its contents.

We propose that every storage server consist of many cloud storages; the consideration is cost (shown in figure 2). Adding a virtual machine such as Amazon EC2 is still expensive nowadays, so providers may only have the funds to purchase virtual machines with low power and small storage space, and no extra funds to purchase additional cloud storage for backup. The solution we propose is to use the free space of all the cloud storages and combine them into one large free space. For example, Dropbox provides 2 GB for free and SugarSync provides 5 GB for free; combining these two storages gives 7 GB of free space, which reduces the cost at the initial stage. When providers have sufficient funds in the future, they can purchase more powerful machines and extra cloud storage space for backup.

Figure 2. Overview of Storage Server with Cloud Storages

In this paper, we use three cloud storages (Dropbox, WebStorage and SugarSync) to construct our back-end storage for backup.

B. Registration Phase

In this phase, we introduce how the user registers an account for the service and how the user's public/private key is created. The private key is encoded into a QR Code for the user to store on other storage devices such as a smartphone or flash drive. Figure 3 gives the main structure of this phase:

Figure 3. Registration

1. The user downloads the SSGuard application to register an account.
2. The user types an account name and password to register.
3. The account entered by the user is first sent to the SSManager server, which checks that the same account does not already exist.
4. After the server responds that the account is eligible, the application uses the RSA algorithm to create the user's public key Eu and private key Du.
5. After creating the two keys, SSGuard sends the public key Eu and the registration information to the SSManager database, and sends a request to all of the storage servers to create the user's dedicated folder. At the same time, SSGuard provides an interface that shows a QR Code Qe(Du), which encodes the private key, for the user to store.
6. The interface offers two methods for the user to store the QR Code. The first is to photograph the QR Code with his/her smartphone and store it as a photo; the other is to click the button to download the QR Code image and then store it on the computer or carry it on a flash drive.

C. Encryption & Upload Phase

In this phase we introduce how SSGuard encrypts files before uploading them to the SSCoffers, and describe which SSCoffers a file is stored on. The user's dedicated folder in every SSCoffers contains two child folders: "secret_upload" and "web_upoad". A file stored in "secret_upload", or in a child folder created by the user under "secret_upload", is encrypted before uploading. Figure 4 gives the main structure of this phase:

Figure 4. Encryption & Upload

1. The user chooses a file to upload and decides the save path.
2. The application randomly generates the AES key ai for the file.
3. SSGuard encrypts the file with AES key ai, computing Ae(f, ai).
4. The application sends a request to the SSManager to check whether the same file has already been saved. If so, the SSManager returns the IP of the SSCoffers on which the file is deposited. Otherwise, the SSManager sends back a "null" message and SSGuard randomly chooses one of the SSCoffers IP addresses to upload the file to.
5. Before sending the file to the SSCoffers, SSGuard uses the user's public key Eu to encrypt the AES key ai, computing Re(ai, Eu).
6. SSGuard sends the encrypted file to the SSCoffers at the IP address from step (4), and then sends the encrypted AES key and file information to insert or update the record in the SSManager database. If the file is uploaded for the first time, a file record including the timestamp, creator, storage IP and encrypted AES key is inserted into the database server directly. Otherwise, only the encrypted AES key and timestamp are updated, according to the file id received from SSManager in step (4).

D. Download & Decryption Phase

The goal of this phase is to introduce how to download an encrypted file and decrypt it to get the original contents. Figure 5 gives the main structure of this phase:

Figure 5. Download & Decryption

1. Choose the file to download and decide the path to save it to.
2. SSGuard sends a request, based on the file name and storage path, to SSManager, asking for the IP address of the SSCoffers holding the file and for the encrypted AES key Re(ai, Eu).
3. SSGuard downloads the encrypted file Ae(f, ai) from that IP.
4. After downloading the encrypted file, SSGuard asks the user to upload the decryption key. There are two ways to upload the decryption key: scanning the QR Code with a webcam or uploading the QR Code image.
   - If the user chooses the webcam, SSGuard opens the webcam and the user shows the QR Code in front of it; SSGuard computes Qd(Qe(Du)) to retrieve Du.
   - If the user chooses to upload the QR Code image, SSGuard asks for the storage path where the QR Code is deposited and then loads the image to compute Qd(Qe(Du)) and retrieve Du.
   Once SSGuard has the decryption key Du, it computes Rd(Re(ai, Eu), Du) to get the AES key ai.
5. SSGuard uses ai to decrypt the file by computing Ad(Ae(f, ai), ai), and then deletes the encrypted file Ae(f, ai).
6. SSGuard sends a request to SSManager to update the file's timestamp record in the database.

The purpose of deleting the encrypted file is to avoid the potential risk that bad guys obtain it and try to decrypt it if the file owner deletes only the original file and forgets to delete the decrypted file. This usually occurs on public computers, so our system helps prevent it from happening.

V.

CONCLUSION

Cloud storage brings a convenient way to access our files: we can edit or sync files across different devices. However, one of the problems we care about is security, because the files we upload could be stolen by bad guys. Although we could use a third-party encryption system to protect our files before uploading them, we found that most encryption systems store the decryption key in an inflexible way. In this paper, we proposed a complete system named SSTreasury+, which integrates security and storage service. We use an application called SSGuard to let the user encrypt a file before uploading it, and the decryption key is encoded into a QR Code so that it can be stored on a smartphone or flash drive for portability. The file information and the user's public key are stored on a processing server named SSManager. For the back-end storage server we proposed three policies for the provider to consider. Finally, reliability is preserved by the SSCoffers, since the storage servers use different cloud storage to back up data.

REFERENCES

[1] Shucheng Y., Cong W., Kui R., Wenjing L., "Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing," INFOCOM, 2010 Proceedings IEEE, pp. 1-9, 14-19 Mar. 2010
[2] Koletka, R., Hutchison, A., "An architecture for secure searchable cloud storage," Information Security South Africa (ISSA), 2011, pp. 1-7, 15-17 Aug. 2011
[3] Seny K., Kristin L., "Cryptographic cloud storage", Proceedings of the 14th international conference on Financial cryptography and data security, pp. 136-149, January 25-28, 2010
[4] Dropbox (https://www.dropbox.com/dmca#security)
[5] Denial-of-service attack (http://en.wikipedia.org/wiki/Denial-of-service_attack)
[6] Man-in-the-middle attack (http://en.wikipedia.org/wiki/Man-in-the-middle_attack)
[7] Packet sniffer (http://en.wikipedia.org/wiki/Hacker_(computer_security))
[8] Sugarsync (https://sugarsync.custhelp.com/app/answers/detail/a_id/201/kw/security)
[9] ASUS WebStorage (https://sugarsync.custhelp.com/app/answers/detail/a_id/201/kw/security)
[10] Neil H., "The s/key(tm) one-time password system", Symposium on Network and Distributed System Security, pp. 151-157, Feb. 1994
