SlideShare a Scribd company logo

Secure Cloud Storage

A
ALIN BABU

The document is a seminar report submitted by Alin Babu on the topic of secure cloud storage. It discusses cloud computing models and services, different access control mechanisms like mandatory access control and discretionary access control. It also covers secure data storage using AES encryption and the Disintegration Protocol (DIP) architecture for enhancing cloud security. Proxy re-encryption schemes and their advantages for secure file sharing in cloud applications like Dropbox and SugarSync are also summarized.

Technology
1 of 41
Download to read offline
Secure Cloud Storage SEMINAR REPORT (SEMESTER - VII) SUBMITTED BY ALIN BABU (SCT15CS007) in partial fulfillment for the award of the degree of BACHELOR OF TECHNOLOGY IN COMPUTER SCIENCE AND ENGINEERING SREE CHITRA THIRUNAL COLLEGE OF ENGINEERING, THIRUVANANTHAPURAM - 18 NOVEMBER, 2019
SREE CHITRA THIRUNAL COLLEGE OF ENGINEERING, THIRUVANATHAPURAM - 695018 DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING CERTIFICATE Certified that seminar work entitled “Secure Cloud Storage” is a bonafide work carried out in the seventh semester by ALIN BABU (SCT15CS007) in partial ful- filment for the award of Bachelor of Technology in COMPUTER SCIENCE AND ENGINEERING from APJ Abdul Kalam Technological University during the year 2020. HEAD OF THE DEPARTMENT Dr.Subu Surendran Head of the Department Department of Computer Science & Engineering SEMINAR GUIDE Smt.Soja Salim Assistant Professor Department of Computer Science & Engineering
ACKNOWLEDGMENT I express my sincere gratitude to all the faculty members of the Department of Computer Science and Engineering, SCT College of Engineering, Thiruvananthapuram for their relentless support and inspiration. I am ever-grateful to my family, friends and well-wishers for their immense goodwill and words of motivation. I would like to express a note of deep obligation to my Guide, Smt. Soja Salim, Assistant Professor, Department of Computer Science and Engineering, SCT College of Engineering, for her excellent guidance and valuable suggestions. It was indeed a privilege to work under her during the entire duration of this study. She has immensely helped me with her knowledge and stimulating suggestions to shape this study, refine arguments and present it to the best of my abilities. I am also indebted to Dr. Subu Surendran,Professor and Head of the Department of Computer Science and Engineering, SCT College of Engineering, for inspiring me to strive for perfection. I am also thankful for the support and encouragement offered by him during the entire course of this study to make this seminar a great success.
ABSTRACT Cloud computing is a set of IT services that are provided to users over a network. It is a shared pool of configurable computing resources. Cloud computing is an emerging technology in now a days. The security is an important aspect of the current scenario and plays an important role in cloud computing. Security is a set of control base technologies and policies designed to regulatory compliance rules and protect information. Methods of cloud computing play a major role as it guaranteed data protection from the cloud service provider, in order to increase security and confidentiality in the cloud. The main focus of the seminar will be cloud computing data encryption methods and mechanisms to achieve it in the cloud. The seminar will be mainly on the Manda- tory Access Control (MAC) mechanism and Disintegration Protocol (DIP). The different encryption for storing data in the cloud should be explained briefly. There will be a brief explanation about the advantages of using Proxy Re-encryption (PRE) in-secure file sharing. The seminar shall be concluded with DIP and advantages of PRE in Dropbox and SugarSync
CONTENTS LIST OF ABBREVIATIONS ii LIST OF FIGURES iv 1 INTRODUCTION 1 2 CLOUD COMPUTING 3 2.1 Cloud Deployment Models . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 Services offered by Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3 ACCESS CONTROL 7 3.1 Mandatory Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.2 Discretionary access control . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.3 Role Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.4 Rule Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4 Secure Data Storage using AES 11 4.1 AES Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 5 Disintegration Protocol (DIP) 16 5.1 Architecture of DIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 5.2 Multi- housed DIP architecture . . . . . . . . . . . . . . . . . . . . . . . . 18 6 Access Control Implementation on DIP 21 i
7 Proxy Re Encryption Scheme (PRE) 25 8 Advantages of Using PRE for Secure Sharing 28 9 Conclusion 29 REFERENCES 30 ii
LIST OF ABBREVIATIONS CSP Cloud Service Provider SaaS Software as a Service PaaS Platform as a Service IaaS Infrastructure as a Service MAC Mandatory Access Control DIP Disintegration Protocol OS Operating System ACL Access Control List DAC Discretionary Access Control RBAC Rule/Role Based Access Control AES Advanced Encryption Standard DES Data Encryption Standard TLS Transport Layer Protocol SSH Secure Sockets Layer HTTP HyperText Transfer Protocol iii
TCP Transmission Control Protocol DS Data Server CS Connection Server RA Resource Allocator NIC Network Interface Card NAT Network Address Translation NOBE Nth Order Binary Encoding DNS Domain Name Server ACK Acknowledgement VM Virtual Machine SSH Secure Shell iv
LIST OF FIGURES 2.1 Private Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 Public Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3 Hybrid Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.4 Examples of Different form of service in cloud . . . . . . . . . . . . . . . . 6 4.1 Encryption and decryption in AES . . . . . . . . . . . . . . . . . . . . . . 12 4.2 Byte Substitution (SubBytes) . . . . . . . . . . . . . . . . . . . . . . . . . 13 4.3 ShiftRows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.4 Mix Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.5 AddRoundkey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 5.1 The architecture of the DIP. . . . . . . . . . . . . . . . . . . . . . . . . . . 17 5.2 Multi- housed DIP architecture. . . . . . . . . . . . . . . . . . . . . . . . . 19 5.3 DIP in the cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 7.1 Proxy Re-Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 v
CHAPTER 1 INTRODUCTION Cloud platform services, concepts, and applications such as storage, processing power, virtualization, and connectivity allow the use of sharing data. Ensuring user’s privacy and security of data are the most concerned challenges. However, the integrity of knowledge, knowledge transfer, knowledge of the location and features such as optional backup and recovery are the additional problems associated with cloud computing. Users presume that cloud service suppliers (CSP) provide an assurance that the while data is in transit from the user’s establishments to the cloud servers, its confidentiality and integrity would not be negotiated and their data can get transferred securely to confirm such high level of data security. CSPs serve to the users over the internet on demand. Elasticity and service upon request are essential characteristics of cloud computing as it permits the user to deter- mine the appropriate resources whereas excluding the unnecessary ones. Today there are many CSPs such as Microsoft, Oracle Corporation, Google, IBM, Apple, Amazon and CenturyLink. There are so many studies on cloud performance based on various metrics, such as price and VM performance. CSPs provide the users with different options of cloud placement models (private, public, hybrid or community) and services (IaaS, PaaS, and SaaS). 1
An increasing important priority for the broad selection and receipt of cloud com- puting is the capability of data owners and users to have imposed and assessed security guarantees. Guaranteeing security means ensuring confidentiality and integrity of data, accesses, and computations on them as well as providing availability of data and services to authorized users and in agreement with compliance with the providers. The lucrative benefit of scalability and elasticity, with cloud computing, comes at the expense of impair- ment of control of the owner’s data, with the high risk of security threat. It is assumed that the CSPs should provide sufficient protection mechanisms for data in warehouses, pro- cessing and communicating over the Internet. Researchers and CSPs have introduced various protocols, but they offer little or no security assurance to the end users. How- ever, organizations are still reluctant to implement cloud services because of reliability, security and privacy issues concerning delivery of cloud services as well as fears about the credibility of their cloud service supplier. 2
CHAPTER 2 CLOUD COMPUTING Cloud Computing is a set of IT Services that are provided to a customer over a network and these services are delivered by third party provider who owns the infrastructure. It is often provided "as a service" over the Internet, typically in the form of infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). Cloud computing is the broader concept of infrastructure convergence [1]. This type of data centre environment allows enterprises to get their applications up and running faster, with easier manageability, and less maintenance to meet business demands. For example, we can manage and store all smartphones or tablets apps at one location i.e. cloud. So we do not require any memory space at our end. This also gives the security of data and applications in case device is damaged or lost. Based on a deployment model, we can classify cloud as: • Private Cloud • Public Cloud • Hybrid Cloud Based on a service the cloud model is offering, it is classified into three: • Platform as a Service (PaaS) • Software as a Service (SaaS) 3
• Infrastructure as a Service (IaaS) 2.1 Cloud Deployment Models 2.1.1 Private Cloud A private cloud is extensively used in single organizations for offering services to internal users. A private cloud could be used to maintain the security of a city or to provide privacy to organizational data. Figure 2.1: Private Cloud 2.1.2 Public Cloud Public cloud infrastructure allows all services to be publicly accessible. Sometimes these services are free to the public. External enterprises can use resources offered by the cloud at free of cost. 4
Figure 2.2: Public Cloud 2.1.3 Hybrid Cloud A hybrid cloud offers best of both a private and public cloud structures. This delivers an infrastructure for a public cloud while continuing control over vital data using the private cloud. These models differ on features like control, flexibility, and management. This model is also termed as a cloud-computing stack. Figure 2.3: Hybrid Cloud 5
2.2 Services offered by Cloud 2.2.1 Platform as a Service (PaaS) It allows organizations to supply on demand resources for developing, testing, delivering and managing their software applications. PaaS eliminates the burden of infrastructure and operating systems and in that way, they can concentrate on deploying their applica- tion. 2.2.2 Software as a Service (SaaS) It is the method of offering software applications and services over the internet. Software applications are delivered with the on-demand ability. These software services are man- aged and maintained by the CSP. This eliminates the need for the user to worry about software updates and upgrade. 2.2.3 Infrastructure as a Service (IaaS) On the contrary, IaaS is at the other end of the cloud spectrum. In this type cloud service, users want to keep control of their software environment, but they do not have to buy and maintain any infrastructure equipment. Instead, they can request an IaaS provider a virtual machine. Figure 2.4: Examples of Different form of service in cloud 6
CHAPTER 3 ACCESS CONTROL Access control is a way of limiting access to a system or to physical or virtual resources. In computing, access control is a process by which users are granted access and certain priv- ileges to systems, resources or information.In access control systems, users must present credentials before they can be granted access. In physical systems, these credentials may come in many forms, but credentials that can’t be transferred provide the most secu- rity.For example, a key card may act as an access control and grant the bearer access to a classified area. Because this credential can be transferred or even stolen, it is not a secure way of handling access control. There are various access control methods used limit the access to a system or resources. 3.1 Mandatory Access Control Mandatory access control(MAC) is a system controlled approach limiting access to source entities,constructed on the level of approval or permission of the accessing entity, be it a person, a process, or a device.MAC norms are defined by the system administrator,strictly enforced by the operating system (OS) or security kernel, and are unable to be altered by end users.Mandatory Access Control (MAC) is the strictest of all levels of control. The design of MAC was defined, and is primarily used by the government. MAC takes a hier- archical approach to controlling access to resources. Under a MAC enforced environment 7
access to all resource objects (such as data files) is controlled by settings defined by the system administrator. As such, all access to resource objects is strictly controlled by the operating system based on system administrator configured settings. It is not possible under MAC enforcement for users to change the access control of a resource. Mandatory Access Control begins with security labels assigned to all resource objects on the system. These security labels contain two pieces of information - a classification (top secret, confidential etc) and a category (which is essentially an indication of the management level, department or project to which the object is available).Similarly, each user account on the system also has classification and category properties from the same set of properties applied to the resource objects. When a user attempts to access a resource under Mandatory Access Control the operating system checks the user’s classification and categories and compares them to the properties of the object’s security label. If the user’s credentials match the MAC security label properties of the object access is allowed. It is important to note that both the classification and categories must match. A user with top secret classification, for example, cannot access a resource if they are not also a member of one of the required categories for that object. Mandatory Access Control is by far the most secure access control environment but does not come without a price. Firstly, MAC requires a considerable amount of planning before it can be effectively implemented. Once implemented it also imposes a high system management overhead due to the need to constantly update object and account labels to accommodate new data, new users and changes in the categorization and classification of existing users. 8
3.2 Discretionary access control Unlike Mandatory Access Control (MAC) where access to system resources is controlled by the operating system (under the control of a system administrator), Discretionary Access Control (DAC) allows each user to control access to their own data. DAC is typically the default access control mechanism for most desktop operating systems. Instead of a security label in the case of MAC, each resource object on a DAC based system has an Access Control List (ACL) associated with it. An ACL contains a list of users and groups to which the user has permitted access together with the level of access for each user or group. For example, User A may provide read-only access on one of her files to User B, read and write access on the same file to User C and full control to any user belonging to Group 1. It is important to note that under DAC a user can only set access permissions for resources which they already own. A hypothetical User A cannot, therefore, change the access control for a file that is owned by User B. User A can, however, set access permissions on a file that she owns. Under some operating systems it is also possible for the system or network administrator to dictate which permissions users are allowed to set in the ACLs of their resources. Discretionary Access Control provides a much more flexible environment than Manda- tory Access Control but also increases the risk that data will be made accessible to users that should not necessarily be given access. 9
3.3 Role Based Access Control Role Based Access Control (RBAC), also known as Non discretionary Access Control, takes more of a real world approach to structuring access control. Access under RBAC is based on a user’s job function within the organization to which the computer sys- tem belongs.Essentially, RBAC assigns permissions to particular roles in an organization. Users are then assigned to that particular role. For example, an accountant in a company will be assigned to the Accountant role, gaining access to all the resources permitted for all accountants on the system. Similarly, a software engineer might be assigned to the developer role. Roles differ from groups in that while users may belong to multiple groups, a user under RBAC may only be assigned a single role in an organization. Additionally, there is no way to provide individual users additional permissions over and above those available for their role. The accountant described above gets the same permissions as all other accountants, nothing more and nothing less. 3.4 Rule Based Access Control Rule Based Access Control (RBAC) introduces acronym ambiguity by using the same four letter abbreviation (RBAC) as Role Based Access Control.Under Rules Based Access Control, access is allowed or denied to resource objects based on a set of rules defined by a system administrator. As with Discretionary Access Control, access properties are stored in Access Control Lists (ACL) associated with each resource object. When a particular account or group attempts to access a resource, the operating system checks the rules contained in the ACL for that object. 10
Examples of Rules Based Access Control include situations such as permitting access for an account or group to a network connection at certain hours of the day or days of the week. As with MAC, access control cannot be changed by users. All access permissions are controlled solely by the system administrator. 11
CHAPTER 4 Secure Data Storage using AES The security of the data in the cloud database server is the key area of concern in the acceptance of cloud. It requires a very high degree of privacy and authentication. To protect the data in cloud database server cryptography is one of the important methods. Cryptography provides various symmetric and asymmetric algorithms to secure the data. Symmetric algorithms are more preffered as it has the speed and computational efficiency to handle encryption of large volumes of data. In symmetric cryptosystems, the longer the key length, the stronger the encryption. AES [2] is most frequently used encryption algorithm today this algorithm is based on several substitutions, permutations and linear transformations, each executed on data blocks of 16 byte. As of today, no practicable attack against AES exists. Therefore, AES remains the preferred encryption standard for governments, banks and high security systems around the world. In, AES data encryption is more scientifically capable and graceful cryptographic algorithm, but its main force rests in the key length. The time necessary to break an encryption algorithm is straight related to the length of the key used to secure the com- munication. AES allows choosing a various type of bits like 128-bit, 192-bit or 256-bit key, making it exponentially stronger than the 56-bit key of DES. 12
4.1 AES Algorithm AES acronym of Advanced Encryption Standard is a symmetric encryption algorithm. The algorithm was developed by two Belgian cryptographers Joan Daemen and Vincent Rijmen. It is useful when we want to encrypt a confidential text into a decryptable format, for example when we need to send sensitive data in e-mail. The decryption of the encrypted text is possible only if we know the right password. AES is an iterative rather than Feistel cipher. It is based on ‘substitution–permutation network’. It comprises of a series of linked operations, some of which involve replacing inputs by specific outputs (substitutions) and others involve shuffling bits around (permutations). Figure 4.1: Encryption and decryption in AES 13
Steps in AES : • The First Step – AddRoundKey • The Following Four Functions Are Periodically Repeated – SubByte – ShiftRow – MixColumn – AddRoundKey • Final Step – SubByte – ShiftRow – AddRoundKey Byte Substitution (SubBytes) The 16 input bytes are substituted by looking up a fixed table (S-box) given in design. The result is in a matrix of four rows and four columns. Figure 4.2: Byte Substitution (SubBytes) 14
Shift Rows Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are re-inserted on the right side of row. Shift is carried out as follows • First row is not shifted. • Second row is shifted one (byte) position to the left. • Third row is shifted two positions to the left. • Fourth row is shifted three positions to the left. • The result is a new matrix consisting of the same 16 bytes but shifted with respect to each other. Figure 4.3: ShiftRows Mix Columns Each column of four bytes is now transformed using a special mathematical function. This function takes as input the four bytes of one column and outputs four completely new bytes, which replace the original column. The result is another new matrix consisting of 16 new bytes. It should be noted that this step is not performed in the last round. 15
Figure 4.4: Mix Columns AddRoundkey The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of the round key. If this is the last round then the output is the ciphertext. Otherwise, the resulting 128 bits are interpreted as 16 bytes and we begin another similar round. Figure 4.5: AddRoundkey 16
CHAPTER 5 Disintegration Protocol (DIP) The unidirectional, closed and disintegrated protocol that is used to store data to be securely in the cloud. In general, the server is designed to perform N number of different tasks (function). In Disintegration Protocol (DIP) [3], we disintegrate N various services from one server and distribute them among M homogeneous different servers. The DIP architecture used for the experiments described in this paper is shown in Fig. Although these experiments were conducted in a WAN environment in the private cloud, as noted earlier, the proposed DIP technique does not require that the set of clients CL to be connected to a private cloud (they can be located anywhere on the Internet Below we discuss the only condition in which the server needs to be connected to the private cloud. However, this provision does not limit the scope or scalability of DIP since many real-world Web server clusters are located within the same LAN. 5.1 Architecture of DIP The figure 5.1 shows the basic architecture of the DIP [3]. R0 is a regular firewall that prevents specific types of information from moving between an untrusted network and a trusted network. TLS/SSL or other software service are running on existing router or server. One can implement the firewall in any of processing modes such as packet filtering, application gateways, circuit gateways, MAC layer firewalls or hybrid. Integrity for data 17
in transit is offered by using hashing function and message authentication codes. Every transport protocol (HTTP, TCP, IPC, and MSMQ) has its technique for establishing cre- dentials and handling communication protection. The most popular approach for this is to use Secure Sockets Layer (SSL) for encrypting and confirming the contents of the packets transmitted over Secure HTTP (HTTPS). For the scope of this paper we will restrict our discussion to DIP components i.e. connection server (CS), resource allocator (RA) and data servers (DSs, DSs*) and internal packet filter routers R1 and R2. The clients send requests to a connection server CS, CS sends SYN-ACK, and keep track current request until it receives (HTTP) GET and sends GET ACK to the client. Moreover, at the same time, CS will send an inter-server packet (ISP) of 168 bytes to RA. CS uses two NIC cards on- board transceivers NIC1 and external transceivers NIC2 with two different IP address. In this case, we can decide which transceiver to use and then make the appropriate choice on our card. Figure 5.1: The architecture of the DIP. 18
When data is transmitted on the network cable, they travel as a single stream of bits. When data progresses on a network cable, the cable is treated as a one-lane roadway,and the data perpetually proceeds in one direction only. At given point of time, the server either sending or receiving data, but never performs both. NIC1 is used for communicating with Client, and NIC2 is used to send packets to RA. NIC2 is activated (in UP state) only for the short interval of time when CS is forwarding packets to RA, otherwise, all other time it stays in DOWN state. This mechanism allows turning On/Off the connectivity between CS and RA and controls one-way flow from CS to RA. We control transmitter’s state in the Ethernet object using methods enable Transmit( ) and disable Transmit( ). Similar control can be achieved by disabling the receiver and only allowing the function of the transmitter of NIC2. Furthermore, router R1 (eth0) only accept packet coming from CS and drops all other packets coming from other IP address even from RA through interface eth1. Similar flow control mechanism is enforced for a transmission from DSs to DSs*. After receiving the packet from CS, RA determines to forward the given request (packet) to appropriate data servers DSs. Data are fragmented in a various block on different DSs on the same cloud or geographically distributed clouds. RA will keep TCB records of all connection until it receives FIN-ACK from CS. All ACKs after the GET-ACK are forwarded to RA, and RA will respond all ACKs and Data requests though different DSs. When DS sends the last data packet (with FIN) of data to Client, it also sends one inter server packet to CS (via Ro) telling that it is done with transmitting all data. CS forwards this information to RA. Whenever CS receives FIN-ACK from a Client, it forwards to RA, and now RA will delete the TCB record of a particular connection. RA keeps 100,000 TCB records and can increase based on incoming load. DSs receives client information through TCB record from RA, and directly sends data to the client and in the data packet, it puts SrcIP 19
and SrcMac address of CS. CSs, DSs and RA identical servers they have the same hardware and same software, but perform different tasks. CS* is the backup server for CS if CS fails immediately in few millisecond CS* resumes the role of CS, detail migration and position change over process is describe in our earlier paper a split protocol technique for web server migration. DS*s are data transmission servers, which receives data from DSs, they do not store any information or data, practically they are empty servers In the event of a server compromise, a hacker will only be able to get the last piece of data transmitted from the DS as if the connection is still in the active state. 5.2 Multi- housed DIP architecture DIP architecture is capable of handling massive traffic, and the only bottleneck we have observed is the router. DIP server can be configured as a multi-homed structure. In addi- tion to maintaining a reliable connection, multi homing allows performing load-balancing by lowering the number of client/server connecting to the Internet through any single connection. It also permits the load through multiple connections, enhances the perfor- mance and can considerably decrease wait times. In Multi-homing, if a router fails, all data will be rerouted through the other routers with the help of Network address trans- lation (NAT), by remapping one IP address into a different address by revising network address. Router RO and RA maintain all standard security protocols. RA implements NOBE encoding for data compression and additional privacy of data. DIP can be applied on top of any existing security protocols TLS, IPsec, SSH, Cryptographic protocol and inter-cloud protocols. The format of client request differs broadly by Cloud platform and virtualization layer of the operating system used for the Cloud Computing. Most of the cloud uses general pointers such as MAC and IP addresses [32], and now and then a DNS 20
name specified to the VM. The pairs of RSA keys are used for the credential of the public key and private keys. On that VM, one can boot a system image yielding a running system, and uses it in a similar practice as one would use an operating system in your data center. The figure 5.2 shows the multi- housed DIP architecture. architecture Figure 5.2: Multi- housed DIP architecture. Figure 5.3: DIP in the cloud 21
CHAPTER 6 Access Control Implementation on DIP In a modern world, where the state sponsored hacking groups have almost unlimited resources; consequently, security of information becomes essential. Secure data storage mechanisms with DIP can be implemented on the cloud servers and secure file sharing among them. To ensure the security of information for the cloud base server with en- crypted storage data, the main issue would appear to be limiting access to unauthorized users. [1] Security of the data should be in a good balance between complete protection and usability. Thus, idea is to use time proven mechanisms while adding additional pro- tection. Cloud service consists of three servers: user input (CSs), data storage (DSs), user output (DSs*) as shown in Fig 1. Each of servers has their own security mechanisms. The separation is done to ensure that if any of servers are compromised, the data will stay intact. User input server can have multiple implementations for access control, depending on the needs of the organization. For example, library articles would not require extra safety measures, however financial or military institutions would demand the highest con- trol possible. Therefore, there will be a choice for the organization to choose a regular access control function or the advanced one. 22
Regular option : Communication with user input server would start with login information. The user can request to enter login and password. To prevent brute force, we are limiting the user to five attempts per fifteen minutes. To ensure additional safety, the system forwards a message to the registered phone number and email address stating that someone is trying to access the account. There is a link provided to give the user an opportunity to lock the account, in case if there is a suspicion of unauthorized action. In this case, the account will freeze until the user communicates with support centre, prove identity, and account ownership. In the case of the correct login and password entered, the system will generate a random entrance code that is provided to the users through email or text. While setting up an account, the user is prompted to enter security answers to seven security questions. Every time that use renters from the unrecognised device (Mac and cookies check); the system will require answering two randomly selected questions out of seven. Failing to answer them would lock the account. Advanced option : Everything regular option provides (notes: the user will not be able to skip security questions. The system does not save cookies on the user’s computer) plus additional options: • Biometrics (optional at the current technology state) - if user’s device provides fingerprints function, it can be used. • Additional possible application - makes the user read the randomly generated para- graph. • Security token authentication: Each user is provided by an organization with the unique security token. The device is connected to the device that is trying to access 23
the database. It will not cancel out any of the previous steps but will serve as additional protection, so only a person with a physical device and knowledge of login, password, access to phone/email and knowledge of security questions can access the database. This type of option is highly recommended for financial institutions and government contractors. Inner server communications have a different structure. Security will start at the point that we limit servers communications to a one-way channel. The receiving server can limit to respond only with a packet acceptance message. All packets are encrypted with Advanced Encryption Standard, which uses Rijndael cipher. Each pair of communicating servers has a private large set of randomly generated numbers. For every fifteen packets, the active server can randomly choose a key from the set, encrypt packet with a set was chosen and will include an index number of current keys. That index number is going to be a single non encrypted data that is transmitted on the network. To ensure safety, pairs of sets are updated according to computational powers of computers that are available at the current time. For examples, if there is a possibility that 256-bit key cipher can be broken using the latest type of super computer within a month, sets are updated in every two weeks. In addition to that, every communication is based on the following assumptions: MAC addresses are the same for both servers. The server will send information to the input server to provide the list of user’s storage information to the output server. The user will see it as a list on the same web page. Once a user selects to download anything, this request is forwarded to the input server. All the data stored on the informational server is archived using NOBE technology. All files are compressed during uploading procedure. A separate index file will store information files stored, original names, their storage indexes, and a list of groups that have access to specific files. Once Server receives a signal that certain user is trying to access it, the reports are generated, showing all the 24
files that accessible to the user. Output server will post that report on the web page for furthers election. According to a selection of a file that the user needs to download, NOBE file is forwarded to output server using inner server communication technology. Output server will send a request to a user’s device to activate the NOBE client. Using the RSA encryption system, output server will encrypt the NOBE file and forward it to the user NOBE client. That will decrypt it using the private key and decompress it for the user. In addition to that, every communication is based on the following assumptions: MAC addresses are the same for both servers. The server will send information to the input server to provide the list of user’s storage information to the output server. The user will see it as a list on the same web page. Once a user selects to download anything, this request is forwarded to the input server.All the data stored on the informational server is archived using NOBE technology. All files are compressed during uploading procedure. A separate index file will store information files stored, original names, their storage indexes, and a list of groups that have access to specific files. Once Server receives a signal that certain user is trying to access it, the reports are generated, showing all the files that accessible to the user. Output server will post that report on the web page for further selection. According to a selection of a file that the user needs to download, NOBE file is forwarded to output server using inner server communication technology. Output server will send a request to a user’s device to activate the NOBE client. Using the RSA encryption system, output server will encrypt the NOBE file and forward it to the user NOBE client. That will decrypt it using the private key and decompress it for the user. 25
CHAPTER 7 Proxy Re Encryption Scheme (PRE) Proxy Re-Encryption (PRE) is a cryptographic primitive, which has a very interesting application in delegating decryption rights. It helps in converting a ciphertext, which is meant for a delegator to be decrypted by a delegate with the help of a semi-trusted party called the proxy. Consider the scenario, in which Alice (the delegator) leaves the country for a vaca- tion, delegates the decryption rights to Bob (the delegatee). Any ciphertext meant for Alice could be converted into a ciphertext of Bob by the semi-trusted proxy, with the help of a Re-Encryption key generated by Alice and handed over to the proxy. A proxy is, in essence, any provider – including a cloud service provider. As shown in the figure above, the proxy or cloud provider never sees the actual secret message. It only ever sees encrypted messages and public keys (elements marked in green above). Private keys remain private to the individual parties, and the secret message only every gets decrypted by the intended recipient, not the proxy. So, the cloud provider never sees the information. Let’s consider this scenario: 26
Figure 7.1: Proxy Re-Encryption. For security reasons, Alice doesn’t trust the cloud provider so Alice encrypts all her data (with her public key) and store her encrypted data into the cloud. Now, Alice data is safe and (theoretically) only she can access it since only Alice knows her private key. A few weeks later, along comes Bob and it turns out, he needs to see Alice data. Alice now has two choices: 1. Get Bob’s public key, decrypt the data, re-encrypt it with Bob’s public key, and send it to him.This is a bit clunky. Alice needs to decrypt her data and then re-encrypt. It may work for one person. . . what if Alice has many Bobs? It would be better to leave this work to her cloud provider if at all possible. . . 2. Use proxy re-encryption!-In this case, Alice retrieves Bob’s public key, and issue a “re-encryption” key. This key represents the trusted relationship Alice would like 27
to build with Bob. Alice sends this key to her cloud provider and they proceed to re-encrypt the already encrypted data they have stored with the key. Bob can now download this re-encrypted data and decrypt it at will In the second scenario, note how the decryption / re-encryption process is sidestepped and Alice doesn’t need to perform this operation on her own devices. Instead, all she needs to do is generate a key which should be quick, and pass the buck to her provider, which at no point can decrypt the original message, making this system very scalable and enables data-sharing apps in a cloud environment. 28
CHAPTER 8 Advantages of Using PRE for Secure Sharing Dropbox [4], SugarSync [5], Box, and Soonr are security black holes, while all user files are encrypted in transit and at rest, the user is not in control of the encryption keys. These keys are managed by the internal key-servers and are not revealed to the user at any point in time. However, they claim that the keys are stored in encrypted form for all other purposes. The advantages of PRE are: 1. The owner of the file has the sole responsibility for providing and revoking access to the files. 2. Sharing is straightforward with no overhead for the file owner. 3. Offers end-to-end security for files while sharing them. 4. Military-grade security could be achieved using the state of the art encryption mech- anism like AES-256. 5. Uses advanced proxy re-encryption with multi-hop so that consecutive sharing is possible. 29
CHAPTER 9 Conclusion Internet-based online cloud services provide enormous volumes of storage space, tailor made computing resources and eradicates the obligation of native machines for data main- tenance as well. Cloud storage service providers claim to offer the ability of secure and elastic data-storage services that can adapt to various storage necessities. Most of the security tools have a finite rate of failure, and intrusion comes with more complex and sophisticated techniques; the security failure rates increasing. Once we upload our data into the cloud, we lose control of our data, which certainly brings new security risks to- ward integrity and confidentiality of our data.The storing data in encrypted format will be able to solve the security issues.The access control mechanisms can be used to limit the unwanted access to the cloud by unauthorised persons. A secure file sharing mecha- nism for the cloud with the disintegration protocol (DIP) can be used for storage and file sharing. The innovative approach to secure storage data on cloud servers through the com- bined use of cryptography and unique network architecture of DIP is highly. It could be seen that DIP techniques can be used to improve the security of any servers or any computer application. The linear behaviour of a number of DIP elements and qualitative improvement in system reliability, integrity and security offer higher throughput. DIP 30
with PRE scheme enables a secure file sharing among the cloud. As a real-world appli- cation, Cloud storage providers such as Dropbox, Sugarsync, Box etc. for a secure file sharing can directly adopt this solution. 31
REFERENCES [1] Bharat S Rawal and S Sree Vivek. “Secure cloud storage and file sharing”. In 2017 IEEE International Conference on Smart Cloud (SmartCloud), pages 78–83. IEEE, 2017. [2] B. Avinash, T. Harish, G. Karthikeyan, and Prof. D. Vinodha. “A Survey on proxy re-encryption method using cloud computing”. International Journal of Research and Engineering, 4(2):57–59, 2017. [3] Bharat S Rawal, Harsha K Kalutarage, S Sree Vivek, and Kamlendu Pandey. “The disintegration protocol: An ultimate technique for cloud data security.”. In 2016 IEEE International Conference on Smart Cloud (SmartCloud), pages 27–34. IEEE, 2016. [4] https://www.cloudwards.net/review/dropbox/. [5] https://www.cloudwards.net/review/sugarsync/. 32

Recommended

Project final report
Project final reportProject final report
Project final report
ALIN BABU
 
Secure cloud storage
Secure cloud storageSecure cloud storage
Secure cloud storage
ALIN BABU
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication ProtocolBibek Subedi
 
SECRY - Secure file storage on cloud using hybrid cryptography
SECRY - Secure file storage on cloud using hybrid cryptographySECRY - Secure file storage on cloud using hybrid cryptography
SECRY - Secure file storage on cloud using hybrid cryptography
ALIN BABU
 
Cloud Encryption
Cloud EncryptionCloud Encryption
Cloud Encryption
RituparnaNag
 
Blockchain for Media & Entertainment
Blockchain for Media & EntertainmentBlockchain for Media & Entertainment
Blockchain for Media & Entertainment
accenture
 
Secure your applications with Azure AD and Key Vault
Secure your applications with Azure AD and Key VaultSecure your applications with Azure AD and Key Vault
Secure your applications with Azure AD and Key Vault
Davide Benvegnù
 
Blockchain Technology for Patients Medical Records
Blockchain Technology for Patients Medical RecordsBlockchain Technology for Patients Medical Records
Blockchain Technology for Patients Medical Records
eHealth Forum
 

Recommended

Project final report
Project final reportProject final report
Project final report
ALIN BABU
 
Secure cloud storage
Secure cloud storageSecure cloud storage
Secure cloud storage
ALIN BABU
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication ProtocolBibek Subedi
 
SECRY - Secure file storage on cloud using hybrid cryptography
SECRY - Secure file storage on cloud using hybrid cryptographySECRY - Secure file storage on cloud using hybrid cryptography
SECRY - Secure file storage on cloud using hybrid cryptography
ALIN BABU
 
Cloud Encryption
Cloud EncryptionCloud Encryption
Cloud Encryption
RituparnaNag
 
Blockchain for Media & Entertainment
Blockchain for Media & EntertainmentBlockchain for Media & Entertainment
Blockchain for Media & Entertainment
accenture
 
Secure your applications with Azure AD and Key Vault
Secure your applications with Azure AD and Key VaultSecure your applications with Azure AD and Key Vault
Secure your applications with Azure AD and Key Vault
Davide Benvegnù
 
Blockchain Technology for Patients Medical Records
Blockchain Technology for Patients Medical RecordsBlockchain Technology for Patients Medical Records
Blockchain Technology for Patients Medical Records
eHealth Forum
 
SRS Doc
SRS DocSRS Doc
SRS Doc
sanjeev085
 
secure file storage on cloud using hybrid Cryptography ppt.pptx
secure file storage on cloud using hybrid Cryptography ppt.pptxsecure file storage on cloud using hybrid Cryptography ppt.pptx
secure file storage on cloud using hybrid Cryptography ppt.pptx
NishmithaHc
 
The Impact and Potential of Blockchain on the Banking Sector
The Impact and Potential of Blockchain on the Banking SectorThe Impact and Potential of Blockchain on the Banking Sector
The Impact and Potential of Blockchain on the Banking Sector
PECB
 
x.509-Directory Authentication Service
x.509-Directory Authentication Servicex.509-Directory Authentication Service
x.509-Directory Authentication Service
Swathy T
 
Ignou MCA mini project report
Ignou MCA mini project reportIgnou MCA mini project report
Ignou MCA mini project report
Hitesh Jangid
 
Blockchain and banking
Blockchain and bankingBlockchain and banking
Blockchain and banking
Anisha Sachit
 
Cloud computing & service level agreements
Cloud computing & service level agreementsCloud computing & service level agreements
Cloud computing & service level agreements
Cade Zvavanjanja
 
Block Chain Cloud Technology
Block Chain Cloud TechnologyBlock Chain Cloud Technology
Block Chain Cloud Technology
Vedant Mane
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
Hybrid Cloud and Its Implementation
Hybrid Cloud and Its ImplementationHybrid Cloud and Its Implementation
Hybrid Cloud and Its Implementation
Sai P Mishra
 
Blockchain based certificate verification
Blockchain based certificate verificationBlockchain based certificate verification
Blockchain based certificate verification
Md. Mahfujur Rahman
 
Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?
Fermat Jade
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
Ninh Nguyen
 
Mini Project on Data Encryption & Decryption in JAVA
Mini Project on Data Encryption & Decryption in JAVAMini Project on Data Encryption & Decryption in JAVA
Mini Project on Data Encryption & Decryption in JAVA
chovatiyabhautik
 
Srs of bms
Srs of bmsSrs of bms
Srs of bms
Zohaib Hussain
 
Blockchain in scm
Blockchain in scmBlockchain in scm
Blockchain in scm
zaarahary
 
Digital Certificate Verification based on blockchain ethereum
Digital Certificate Verification based on blockchain ethereumDigital Certificate Verification based on blockchain ethereum
Digital Certificate Verification based on blockchain ethereum
nurhaniffah1
 
Developing a Healthcare Blockchain Solution
Developing a Healthcare Blockchain SolutionDeveloping a Healthcare Blockchain Solution
Developing a Healthcare Blockchain Solution
LeewayHertz
 
Blockchain
BlockchainBlockchain
Blockchain
PedramDehghanpour
 
Ensuring data storage security in cloud computing
Ensuring data storage security in cloud computingEnsuring data storage security in cloud computing
Ensuring data storage security in cloud computing
Uday Wankar
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
Ashutosh Anshu
 
The Intersection of Identity Management and Cloud Computing
The Intersection of Identity Management and Cloud ComputingThe Intersection of Identity Management and Cloud Computing
The Intersection of Identity Management and Cloud Computing
Hitachi ID Systems, Inc.
 

More Related Content

What's hot

SRS Doc
SRS DocSRS Doc
SRS Doc
sanjeev085
 
secure file storage on cloud using hybrid Cryptography ppt.pptx
secure file storage on cloud using hybrid Cryptography ppt.pptxsecure file storage on cloud using hybrid Cryptography ppt.pptx
secure file storage on cloud using hybrid Cryptography ppt.pptx
NishmithaHc
 
The Impact and Potential of Blockchain on the Banking Sector
The Impact and Potential of Blockchain on the Banking SectorThe Impact and Potential of Blockchain on the Banking Sector
The Impact and Potential of Blockchain on the Banking Sector
PECB
 
x.509-Directory Authentication Service
x.509-Directory Authentication Servicex.509-Directory Authentication Service
x.509-Directory Authentication Service
Swathy T
 
Ignou MCA mini project report
Ignou MCA mini project reportIgnou MCA mini project report
Ignou MCA mini project report
Hitesh Jangid
 
Blockchain and banking
Blockchain and bankingBlockchain and banking
Blockchain and banking
Anisha Sachit
 
Cloud computing & service level agreements
Cloud computing & service level agreementsCloud computing & service level agreements
Cloud computing & service level agreements
Cade Zvavanjanja
 
Block Chain Cloud Technology
Block Chain Cloud TechnologyBlock Chain Cloud Technology
Block Chain Cloud Technology
Vedant Mane
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
Hybrid Cloud and Its Implementation
Hybrid Cloud and Its ImplementationHybrid Cloud and Its Implementation
Hybrid Cloud and Its Implementation
Sai P Mishra
 
Blockchain based certificate verification
Blockchain based certificate verificationBlockchain based certificate verification
Blockchain based certificate verification
Md. Mahfujur Rahman
 
Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?
Fermat Jade
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
Ninh Nguyen
 
Mini Project on Data Encryption & Decryption in JAVA
Mini Project on Data Encryption & Decryption in JAVAMini Project on Data Encryption & Decryption in JAVA
Mini Project on Data Encryption & Decryption in JAVA
chovatiyabhautik
 
Srs of bms
Srs of bmsSrs of bms
Srs of bms
Zohaib Hussain
 
Blockchain in scm
Blockchain in scmBlockchain in scm
Blockchain in scm
zaarahary
 
Digital Certificate Verification based on blockchain ethereum
Digital Certificate Verification based on blockchain ethereumDigital Certificate Verification based on blockchain ethereum
Digital Certificate Verification based on blockchain ethereum
nurhaniffah1
 
Developing a Healthcare Blockchain Solution
Developing a Healthcare Blockchain SolutionDeveloping a Healthcare Blockchain Solution
Developing a Healthcare Blockchain Solution
LeewayHertz
 
Blockchain
BlockchainBlockchain
Blockchain
PedramDehghanpour
 
Ensuring data storage security in cloud computing
Ensuring data storage security in cloud computingEnsuring data storage security in cloud computing
Ensuring data storage security in cloud computing
Uday Wankar
 

What's hot (20)

SRS Doc
SRS DocSRS Doc
SRS Doc
 
secure file storage on cloud using hybrid Cryptography ppt.pptx
secure file storage on cloud using hybrid Cryptography ppt.pptxsecure file storage on cloud using hybrid Cryptography ppt.pptx
secure file storage on cloud using hybrid Cryptography ppt.pptx
 
The Impact and Potential of Blockchain on the Banking Sector
The Impact and Potential of Blockchain on the Banking SectorThe Impact and Potential of Blockchain on the Banking Sector
The Impact and Potential of Blockchain on the Banking Sector
 
x.509-Directory Authentication Service
x.509-Directory Authentication Servicex.509-Directory Authentication Service
x.509-Directory Authentication Service
 
Ignou MCA mini project report
Ignou MCA mini project reportIgnou MCA mini project report
Ignou MCA mini project report
 
Blockchain and banking
Blockchain and bankingBlockchain and banking
Blockchain and banking
 
Cloud computing & service level agreements
Cloud computing & service level agreementsCloud computing & service level agreements
Cloud computing & service level agreements
 
Block Chain Cloud Technology
Block Chain Cloud TechnologyBlock Chain Cloud Technology
Block Chain Cloud Technology
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Hybrid Cloud and Its Implementation
Hybrid Cloud and Its ImplementationHybrid Cloud and Its Implementation
Hybrid Cloud and Its Implementation
 
Blockchain based certificate verification
Blockchain based certificate verificationBlockchain based certificate verification
Blockchain based certificate verification
 
Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Mini Project on Data Encryption & Decryption in JAVA
Mini Project on Data Encryption & Decryption in JAVAMini Project on Data Encryption & Decryption in JAVA
Mini Project on Data Encryption & Decryption in JAVA
 
Srs of bms
Srs of bmsSrs of bms
Srs of bms
 
Blockchain in scm
Blockchain in scmBlockchain in scm
Blockchain in scm
 
Digital Certificate Verification based on blockchain ethereum
Digital Certificate Verification based on blockchain ethereumDigital Certificate Verification based on blockchain ethereum
Digital Certificate Verification based on blockchain ethereum
 
Developing a Healthcare Blockchain Solution
Developing a Healthcare Blockchain SolutionDeveloping a Healthcare Blockchain Solution
Developing a Healthcare Blockchain Solution
 
Blockchain
BlockchainBlockchain
Blockchain
 
Ensuring data storage security in cloud computing
Ensuring data storage security in cloud computingEnsuring data storage security in cloud computing
Ensuring data storage security in cloud computing
 

Similar to Secure Cloud Storage

Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
Ashutosh Anshu
 
The Intersection of Identity Management and Cloud Computing
The Intersection of Identity Management and Cloud ComputingThe Intersection of Identity Management and Cloud Computing
The Intersection of Identity Management and Cloud Computing
Hitachi ID Systems, Inc.
 
Integrated-Security-Solution-for-the-virtual-data-center-and-cloud
Integrated-Security-Solution-for-the-virtual-data-center-and-cloudIntegrated-Security-Solution-for-the-virtual-data-center-and-cloud
Integrated-Security-Solution-for-the-virtual-data-center-and-cloudJohn Atchison
 
Seminor Documentation
Seminor DocumentationSeminor Documentation
Seminor Documentation
Thirupathi Peraboina
 
IBM Point of View: Security and Cloud Computing
IBM Point of View: Security and Cloud ComputingIBM Point of View: Security and Cloud Computing
IBM Point of View: Security and Cloud Computing
IBM India Smarter Computing
 
IBM Point of view -- Security and Cloud Computing (Tivoli)
IBM Point of view -- Security and Cloud Computing (Tivoli)IBM Point of view -- Security and Cloud Computing (Tivoli)
IBM Point of view -- Security and Cloud Computing (Tivoli)IBM India Smarter Computing
 
Cloud computing security through symmetric cipher model
Cloud computing security through symmetric cipher modelCloud computing security through symmetric cipher model
Cloud computing security through symmetric cipher model
ijcsit
 
Mohan_Dissertation (1)
Mohan_Dissertation (1)Mohan_Dissertation (1)
Mohan_Dissertation (1)Mohan Bhargav
 
Two competing approaches to hybrid cloud
Two competing approaches to hybrid cloudTwo competing approaches to hybrid cloud
Two competing approaches to hybrid cloud
Principled Technologies
 
Fs2510501055
Fs2510501055Fs2510501055
Fs2510501055
IJERA Editor
 
Cloud Computing
Cloud Computing Cloud Computing
Cloud ComputingAbdul Aslam
 
Enhancing Data Security in Cloud Computation Using Addition-Composition Fully...
Enhancing Data Security in Cloud Computation Using Addition-Composition Fully...Enhancing Data Security in Cloud Computation Using Addition-Composition Fully...
Enhancing Data Security in Cloud Computation Using Addition-Composition Fully...
Dr. Richard Otieno
 
security in cloud computing
security in cloud computingsecurity in cloud computing
security in cloud computing
Er. Saba karim
 
Seminar Report - Managing the Cloud with Open Source Tools
Seminar Report - Managing the Cloud with Open Source ToolsSeminar Report - Managing the Cloud with Open Source Tools
Seminar Report - Managing the Cloud with Open Source ToolsNakul Ezhuthupally
 
cloud computing
cloud computingcloud computing
cloud computing
newme19
 
SECURITY IN COULD DATA STORAGE USING SOFT COMPUTING TECHNIQUES AND ELGAMAL CR...
SECURITY IN COULD DATA STORAGE USING SOFT COMPUTING TECHNIQUES AND ELGAMAL CR...SECURITY IN COULD DATA STORAGE USING SOFT COMPUTING TECHNIQUES AND ELGAMAL CR...
SECURITY IN COULD DATA STORAGE USING SOFT COMPUTING TECHNIQUES AND ELGAMAL CR...
IRJET Journal
 
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARINGSURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
Editor IJMTER
 
[IJCT-V3I3P2] Authors: Prithvipal Singh, Sunny Sharma, Amritpal Singh, Karand...
[IJCT-V3I3P2] Authors: Prithvipal Singh, Sunny Sharma, Amritpal Singh, Karand...[IJCT-V3I3P2] Authors: Prithvipal Singh, Sunny Sharma, Amritpal Singh, Karand...
[IJCT-V3I3P2] Authors: Prithvipal Singh, Sunny Sharma, Amritpal Singh, Karand...
IJET - International Journal of Engineering and Techniques
 
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTUREA SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
IJNSA Journal
 
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTUREA SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
IJNSA Journal
 

Similar to Secure Cloud Storage (20)

Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
The Intersection of Identity Management and Cloud Computing
The Intersection of Identity Management and Cloud ComputingThe Intersection of Identity Management and Cloud Computing
The Intersection of Identity Management and Cloud Computing
 
Integrated-Security-Solution-for-the-virtual-data-center-and-cloud
Integrated-Security-Solution-for-the-virtual-data-center-and-cloudIntegrated-Security-Solution-for-the-virtual-data-center-and-cloud
Integrated-Security-Solution-for-the-virtual-data-center-and-cloud
 
Seminor Documentation
Seminor DocumentationSeminor Documentation
Seminor Documentation
 
IBM Point of View: Security and Cloud Computing
IBM Point of View: Security and Cloud ComputingIBM Point of View: Security and Cloud Computing
IBM Point of View: Security and Cloud Computing
 
IBM Point of view -- Security and Cloud Computing (Tivoli)
IBM Point of view -- Security and Cloud Computing (Tivoli)IBM Point of view -- Security and Cloud Computing (Tivoli)
IBM Point of view -- Security and Cloud Computing (Tivoli)
 
Cloud computing security through symmetric cipher model
Cloud computing security through symmetric cipher modelCloud computing security through symmetric cipher model
Cloud computing security through symmetric cipher model
 
Mohan_Dissertation (1)
Mohan_Dissertation (1)Mohan_Dissertation (1)
Mohan_Dissertation (1)
 
Two competing approaches to hybrid cloud
Two competing approaches to hybrid cloudTwo competing approaches to hybrid cloud
Two competing approaches to hybrid cloud
 
Fs2510501055
Fs2510501055Fs2510501055
Fs2510501055
 
Cloud Computing
Cloud Computing Cloud Computing
Cloud Computing
 
Enhancing Data Security in Cloud Computation Using Addition-Composition Fully...
Enhancing Data Security in Cloud Computation Using Addition-Composition Fully...Enhancing Data Security in Cloud Computation Using Addition-Composition Fully...
Enhancing Data Security in Cloud Computation Using Addition-Composition Fully...
 
security in cloud computing
security in cloud computingsecurity in cloud computing
security in cloud computing
 
Seminar Report - Managing the Cloud with Open Source Tools
Seminar Report - Managing the Cloud with Open Source ToolsSeminar Report - Managing the Cloud with Open Source Tools
Seminar Report - Managing the Cloud with Open Source Tools
 
cloud computing
cloud computingcloud computing
cloud computing
 
SECURITY IN COULD DATA STORAGE USING SOFT COMPUTING TECHNIQUES AND ELGAMAL CR...
SECURITY IN COULD DATA STORAGE USING SOFT COMPUTING TECHNIQUES AND ELGAMAL CR...SECURITY IN COULD DATA STORAGE USING SOFT COMPUTING TECHNIQUES AND ELGAMAL CR...
SECURITY IN COULD DATA STORAGE USING SOFT COMPUTING TECHNIQUES AND ELGAMAL CR...
 
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARINGSURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
 
[IJCT-V3I3P2] Authors: Prithvipal Singh, Sunny Sharma, Amritpal Singh, Karand...
[IJCT-V3I3P2] Authors: Prithvipal Singh, Sunny Sharma, Amritpal Singh, Karand...[IJCT-V3I3P2] Authors: Prithvipal Singh, Sunny Sharma, Amritpal Singh, Karand...
[IJCT-V3I3P2] Authors: Prithvipal Singh, Sunny Sharma, Amritpal Singh, Karand...
 
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTUREA SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
 
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTUREA SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
 

More from ALIN BABU

Secry poster
Secry posterSecry poster
Secry poster
ALIN BABU
 
Prediciting restaurant and popularity based on Yelp Dataset project report
Prediciting restaurant and popularity based on Yelp Dataset project reportPrediciting restaurant and popularity based on Yelp Dataset project report
Prediciting restaurant and popularity based on Yelp Dataset project report
ALIN BABU
 
Prediciting restaurant and popularity based on Yelp Dataset - 2
Prediciting restaurant and popularity based on Yelp Dataset - 2Prediciting restaurant and popularity based on Yelp Dataset - 2
Prediciting restaurant and popularity based on Yelp Dataset - 2
ALIN BABU
 
Prediciting restaurant and popularity based on Yelp Dataset - 1
Prediciting restaurant and popularity based on Yelp Dataset - 1Prediciting restaurant and popularity based on Yelp Dataset - 1
Prediciting restaurant and popularity based on Yelp Dataset - 1
ALIN BABU
 
iPhone
iPhoneiPhone
iPhone
ALIN BABU
 
Report
ReportReport
Report
ALIN BABU
 

More from ALIN BABU (6)

Secry poster
Secry posterSecry poster
Secry poster
 
Prediciting restaurant and popularity based on Yelp Dataset project report
Prediciting restaurant and popularity based on Yelp Dataset project reportPrediciting restaurant and popularity based on Yelp Dataset project report
Prediciting restaurant and popularity based on Yelp Dataset project report
 
Prediciting restaurant and popularity based on Yelp Dataset - 2
Prediciting restaurant and popularity based on Yelp Dataset - 2Prediciting restaurant and popularity based on Yelp Dataset - 2
Prediciting restaurant and popularity based on Yelp Dataset - 2
 
Prediciting restaurant and popularity based on Yelp Dataset - 1
Prediciting restaurant and popularity based on Yelp Dataset - 1Prediciting restaurant and popularity based on Yelp Dataset - 1
Prediciting restaurant and popularity based on Yelp Dataset - 1
 
iPhone
iPhoneiPhone
iPhone
 
Report
ReportReport
Report
 

Recently uploaded

Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 

Recently uploaded (20)

Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 

Secure Cloud Storage

  • 1. Secure Cloud Storage SEMINAR REPORT (SEMESTER - VII) SUBMITTED BY ALIN BABU (SCT15CS007) in partial fulfillment for the award of the degree of BACHELOR OF TECHNOLOGY IN COMPUTER SCIENCE AND ENGINEERING SREE CHITRA THIRUNAL COLLEGE OF ENGINEERING, THIRUVANANTHAPURAM - 18 NOVEMBER, 2019
  • 2. SREE CHITRA THIRUNAL COLLEGE OF ENGINEERING, THIRUVANATHAPURAM - 695018 DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING CERTIFICATE Certified that seminar work entitled “Secure Cloud Storage” is a bonafide work carried out in the seventh semester by ALIN BABU (SCT15CS007) in partial ful- filment for the award of Bachelor of Technology in COMPUTER SCIENCE AND ENGINEERING from APJ Abdul Kalam Technological University during the year 2020. HEAD OF THE DEPARTMENT Dr.Subu Surendran Head of the Department Department of Computer Science & Engineering SEMINAR GUIDE Smt.Soja Salim Assistant Professor Department of Computer Science & Engineering
  • 3. ACKNOWLEDGMENT I express my sincere gratitude to all the faculty members of the Department of Computer Science and Engineering, SCT College of Engineering, Thiruvananthapuram for their relentless support and inspiration. I am ever-grateful to my family, friends and well-wishers for their immense goodwill and words of motivation. I would like to express a note of deep obligation to my Guide, Smt. Soja Salim, Assistant Professor, Department of Computer Science and Engineering, SCT College of Engineering, for her excellent guidance and valuable suggestions. It was indeed a privilege to work under her during the entire duration of this study. She has immensely helped me with her knowledge and stimulating suggestions to shape this study, refine arguments and present it to the best of my abilities. I am also indebted to Dr. Subu Surendran,Professor and Head of the Department of Computer Science and Engineering, SCT College of Engineering, for inspiring me to strive for perfection. I am also thankful for the support and encouragement offered by him during the entire course of this study to make this seminar a great success.
  • 4. ABSTRACT Cloud computing is a set of IT services that are provided to users over a network. It is a shared pool of configurable computing resources. Cloud computing is an emerging technology in now a days. The security is an important aspect of the current scenario and plays an important role in cloud computing. Security is a set of control base technologies and policies designed to regulatory compliance rules and protect information. Methods of cloud computing play a major role as it guaranteed data protection from the cloud service provider, in order to increase security and confidentiality in the cloud. The main focus of the seminar will be cloud computing data encryption methods and mechanisms to achieve it in the cloud. The seminar will be mainly on the Manda- tory Access Control (MAC) mechanism and Disintegration Protocol (DIP). The different encryption for storing data in the cloud should be explained briefly. There will be a brief explanation about the advantages of using Proxy Re-encryption (PRE) in-secure file sharing. The seminar shall be concluded with DIP and advantages of PRE in Dropbox and SugarSync
  • 5. CONTENTS LIST OF ABBREVIATIONS ii LIST OF FIGURES iv 1 INTRODUCTION 1 2 CLOUD COMPUTING 3 2.1 Cloud Deployment Models . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 Services offered by Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3 ACCESS CONTROL 7 3.1 Mandatory Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.2 Discretionary access control . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.3 Role Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.4 Rule Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4 Secure Data Storage using AES 11 4.1 AES Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 5 Disintegration Protocol (DIP) 16 5.1 Architecture of DIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 5.2 Multi- housed DIP architecture . . . . . . . . . . . . . . . . . . . . . . . . 18 6 Access Control Implementation on DIP 21 i
  • 6. 7 Proxy Re Encryption Scheme (PRE) 25 8 Advantages of Using PRE for Secure Sharing 28 9 Conclusion 29 REFERENCES 30 ii
  • 7. LIST OF ABBREVIATIONS CSP Cloud Service Provider SaaS Software as a Service PaaS Platform as a Service IaaS Infrastructure as a Service MAC Mandatory Access Control DIP Disintegration Protocol OS Operating System ACL Access Control List DAC Discretionary Access Control RBAC Rule/Role Based Access Control AES Advanced Encryption Standard DES Data Encryption Standard TLS Transport Layer Protocol SSH Secure Sockets Layer HTTP HyperText Transfer Protocol iii
  • 8. TCP Transmission Control Protocol DS Data Server CS Connection Server RA Resource Allocator NIC Network Interface Card NAT Network Address Translation NOBE Nth Order Binary Encoding DNS Domain Name Server ACK Acknowledgement VM Virtual Machine SSH Secure Shell iv
  • 9. LIST OF FIGURES 2.1 Private Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 Public Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3 Hybrid Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.4 Examples of Different form of service in cloud . . . . . . . . . . . . . . . . 6 4.1 Encryption and decryption in AES . . . . . . . . . . . . . . . . . . . . . . 12 4.2 Byte Substitution (SubBytes) . . . . . . . . . . . . . . . . . . . . . . . . . 13 4.3 ShiftRows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.4 Mix Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.5 AddRoundkey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 5.1 The architecture of the DIP. . . . . . . . . . . . . . . . . . . . . . . . . . . 17 5.2 Multi- housed DIP architecture. . . . . . . . . . . . . . . . . . . . . . . . . 19 5.3 DIP in the cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 7.1 Proxy Re-Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 v
  • 10. CHAPTER 1 INTRODUCTION Cloud platform services, concepts, and applications such as storage, processing power, virtualization, and connectivity allow the use of sharing data. Ensuring user’s privacy and security of data are the most concerned challenges. However, the integrity of knowledge, knowledge transfer, knowledge of the location and features such as optional backup and recovery are the additional problems associated with cloud computing. Users presume that cloud service suppliers (CSP) provide an assurance that the while data is in transit from the user’s establishments to the cloud servers, its confidentiality and integrity would not be negotiated and their data can get transferred securely to confirm such high level of data security. CSPs serve to the users over the internet on demand. Elasticity and service upon request are essential characteristics of cloud computing as it permits the user to deter- mine the appropriate resources whereas excluding the unnecessary ones. Today there are many CSPs such as Microsoft, Oracle Corporation, Google, IBM, Apple, Amazon and CenturyLink. There are so many studies on cloud performance based on various metrics, such as price and VM performance. CSPs provide the users with different options of cloud placement models (private, public, hybrid or community) and services (IaaS, PaaS, and SaaS). 1
  • 11. An increasing important priority for the broad selection and receipt of cloud com- puting is the capability of data owners and users to have imposed and assessed security guarantees. Guaranteeing security means ensuring confidentiality and integrity of data, accesses, and computations on them as well as providing availability of data and services to authorized users and in agreement with compliance with the providers. The lucrative benefit of scalability and elasticity, with cloud computing, comes at the expense of impair- ment of control of the owner’s data, with the high risk of security threat. It is assumed that the CSPs should provide sufficient protection mechanisms for data in warehouses, pro- cessing and communicating over the Internet. Researchers and CSPs have introduced various protocols, but they offer little or no security assurance to the end users. How- ever, organizations are still reluctant to implement cloud services because of reliability, security and privacy issues concerning delivery of cloud services as well as fears about the credibility of their cloud service supplier. 2
  • 12. CHAPTER 2 CLOUD COMPUTING Cloud Computing is a set of IT Services that are provided to a customer over a network and these services are delivered by third party provider who owns the infrastructure. It is often provided "as a service" over the Internet, typically in the form of infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). Cloud computing is the broader concept of infrastructure convergence [1]. This type of data centre environment allows enterprises to get their applications up and running faster, with easier manageability, and less maintenance to meet business demands. For example, we can manage and store all smartphones or tablets apps at one location i.e. cloud. So we do not require any memory space at our end. This also gives the security of data and applications in case device is damaged or lost. Based on a deployment model, we can classify cloud as: • Private Cloud • Public Cloud • Hybrid Cloud Based on a service the cloud model is offering, it is classified into three: • Platform as a Service (PaaS) • Software as a Service (SaaS) 3
  • 13. • Infrastructure as a Service (IaaS) 2.1 Cloud Deployment Models 2.1.1 Private Cloud A private cloud is extensively used in single organizations for offering services to internal users. A private cloud could be used to maintain the security of a city or to provide privacy to organizational data. Figure 2.1: Private Cloud 2.1.2 Public Cloud Public cloud infrastructure allows all services to be publicly accessible. Sometimes these services are free to the public. External enterprises can use resources offered by the cloud at free of cost. 4
  • 14. Figure 2.2: Public Cloud 2.1.3 Hybrid Cloud A hybrid cloud offers best of both a private and public cloud structures. This delivers an infrastructure for a public cloud while continuing control over vital data using the private cloud. These models differ on features like control, flexibility, and management. This model is also termed as a cloud-computing stack. Figure 2.3: Hybrid Cloud 5
  • 15. 2.2 Services offered by Cloud 2.2.1 Platform as a Service (PaaS) It allows organizations to supply on demand resources for developing, testing, delivering and managing their software applications. PaaS eliminates the burden of infrastructure and operating systems and in that way, they can concentrate on deploying their applica- tion. 2.2.2 Software as a Service (SaaS) It is the method of offering software applications and services over the internet. Software applications are delivered with the on-demand ability. These software services are man- aged and maintained by the CSP. This eliminates the need for the user to worry about software updates and upgrade. 2.2.3 Infrastructure as a Service (IaaS) On the contrary, IaaS is at the other end of the cloud spectrum. In this type cloud service, users want to keep control of their software environment, but they do not have to buy and maintain any infrastructure equipment. Instead, they can request an IaaS provider a virtual machine. Figure 2.4: Examples of Different form of service in cloud 6
  • 16. CHAPTER 3 ACCESS CONTROL Access control is a way of limiting access to a system or to physical or virtual resources. In computing, access control is a process by which users are granted access and certain priv- ileges to systems, resources or information.In access control systems, users must present credentials before they can be granted access. In physical systems, these credentials may come in many forms, but credentials that can’t be transferred provide the most secu- rity.For example, a key card may act as an access control and grant the bearer access to a classified area. Because this credential can be transferred or even stolen, it is not a secure way of handling access control. There are various access control methods used limit the access to a system or resources. 3.1 Mandatory Access Control Mandatory access control(MAC) is a system controlled approach limiting access to source entities,constructed on the level of approval or permission of the accessing entity, be it a person, a process, or a device.MAC norms are defined by the system administrator,strictly enforced by the operating system (OS) or security kernel, and are unable to be altered by end users.Mandatory Access Control (MAC) is the strictest of all levels of control. The design of MAC was defined, and is primarily used by the government. MAC takes a hier- archical approach to controlling access to resources. Under a MAC enforced environment 7
  • 17. access to all resource objects (such as data files) is controlled by settings defined by the system administrator. As such, all access to resource objects is strictly controlled by the operating system based on system administrator configured settings. It is not possible under MAC enforcement for users to change the access control of a resource. Mandatory Access Control begins with security labels assigned to all resource objects on the system. These security labels contain two pieces of information - a classification (top secret, confidential etc) and a category (which is essentially an indication of the management level, department or project to which the object is available).Similarly, each user account on the system also has classification and category properties from the same set of properties applied to the resource objects. When a user attempts to access a resource under Mandatory Access Control the operating system checks the user’s classification and categories and compares them to the properties of the object’s security label. If the user’s credentials match the MAC security label properties of the object access is allowed. It is important to note that both the classification and categories must match. A user with top secret classification, for example, cannot access a resource if they are not also a member of one of the required categories for that object. Mandatory Access Control is by far the most secure access control environment but does not come without a price. Firstly, MAC requires a considerable amount of planning before it can be effectively implemented. Once implemented it also imposes a high system management overhead due to the need to constantly update object and account labels to accommodate new data, new users and changes in the categorization and classification of existing users. 8
  • 18. 3.2 Discretionary access control Unlike Mandatory Access Control (MAC) where access to system resources is controlled by the operating system (under the control of a system administrator), Discretionary Access Control (DAC) allows each user to control access to their own data. DAC is typically the default access control mechanism for most desktop operating systems. Instead of a security label in the case of MAC, each resource object on a DAC based system has an Access Control List (ACL) associated with it. An ACL contains a list of users and groups to which the user has permitted access together with the level of access for each user or group. For example, User A may provide read-only access on one of her files to User B, read and write access on the same file to User C and full control to any user belonging to Group 1. It is important to note that under DAC a user can only set access permissions for resources which they already own. A hypothetical User A cannot, therefore, change the access control for a file that is owned by User B. User A can, however, set access permissions on a file that she owns. Under some operating systems it is also possible for the system or network administrator to dictate which permissions users are allowed to set in the ACLs of their resources. Discretionary Access Control provides a much more flexible environment than Manda- tory Access Control but also increases the risk that data will be made accessible to users that should not necessarily be given access. 9
  • 19. 3.3 Role Based Access Control Role Based Access Control (RBAC), also known as Non discretionary Access Control, takes more of a real world approach to structuring access control. Access under RBAC is based on a user’s job function within the organization to which the computer sys- tem belongs.Essentially, RBAC assigns permissions to particular roles in an organization. Users are then assigned to that particular role. For example, an accountant in a company will be assigned to the Accountant role, gaining access to all the resources permitted for all accountants on the system. Similarly, a software engineer might be assigned to the developer role. Roles differ from groups in that while users may belong to multiple groups, a user under RBAC may only be assigned a single role in an organization. Additionally, there is no way to provide individual users additional permissions over and above those available for their role. The accountant described above gets the same permissions as all other accountants, nothing more and nothing less. 3.4 Rule Based Access Control Rule Based Access Control (RBAC) introduces acronym ambiguity by using the same four letter abbreviation (RBAC) as Role Based Access Control.Under Rules Based Access Control, access is allowed or denied to resource objects based on a set of rules defined by a system administrator. As with Discretionary Access Control, access properties are stored in Access Control Lists (ACL) associated with each resource object. When a particular account or group attempts to access a resource, the operating system checks the rules contained in the ACL for that object. 10
  • 20. Examples of Rules Based Access Control include situations such as permitting access for an account or group to a network connection at certain hours of the day or days of the week. As with MAC, access control cannot be changed by users. All access permissions are controlled solely by the system administrator. 11
  • 21. CHAPTER 4 Secure Data Storage using AES The security of the data in the cloud database server is the key area of concern in the acceptance of cloud. It requires a very high degree of privacy and authentication. To protect the data in cloud database server cryptography is one of the important methods. Cryptography provides various symmetric and asymmetric algorithms to secure the data. Symmetric algorithms are more preffered as it has the speed and computational efficiency to handle encryption of large volumes of data. In symmetric cryptosystems, the longer the key length, the stronger the encryption. AES [2] is most frequently used encryption algorithm today this algorithm is based on several substitutions, permutations and linear transformations, each executed on data blocks of 16 byte. As of today, no practicable attack against AES exists. Therefore, AES remains the preferred encryption standard for governments, banks and high security systems around the world. In, AES data encryption is more scientifically capable and graceful cryptographic algorithm, but its main force rests in the key length. The time necessary to break an encryption algorithm is straight related to the length of the key used to secure the com- munication. AES allows choosing a various type of bits like 128-bit, 192-bit or 256-bit key, making it exponentially stronger than the 56-bit key of DES. 12
  • 22. 4.1 AES Algorithm AES acronym of Advanced Encryption Standard is a symmetric encryption algorithm. The algorithm was developed by two Belgian cryptographers Joan Daemen and Vincent Rijmen. It is useful when we want to encrypt a confidential text into a decryptable format, for example when we need to send sensitive data in e-mail. The decryption of the encrypted text is possible only if we know the right password. AES is an iterative rather than Feistel cipher. It is based on ‘substitution–permutation network’. It comprises of a series of linked operations, some of which involve replacing inputs by specific outputs (substitutions) and others involve shuffling bits around (permutations). Figure 4.1: Encryption and decryption in AES 13
  • 23. Steps in AES : • The First Step – AddRoundKey • The Following Four Functions Are Periodically Repeated – SubByte – ShiftRow – MixColumn – AddRoundKey • Final Step – SubByte – ShiftRow – AddRoundKey Byte Substitution (SubBytes) The 16 input bytes are substituted by looking up a fixed table (S-box) given in design. The result is in a matrix of four rows and four columns. Figure 4.2: Byte Substitution (SubBytes) 14
  • 24. Shift Rows Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are re-inserted on the right side of row. Shift is carried out as follows • First row is not shifted. • Second row is shifted one (byte) position to the left. • Third row is shifted two positions to the left. • Fourth row is shifted three positions to the left. • The result is a new matrix consisting of the same 16 bytes but shifted with respect to each other. Figure 4.3: ShiftRows Mix Columns Each column of four bytes is now transformed using a special mathematical function. This function takes as input the four bytes of one column and outputs four completely new bytes, which replace the original column. The result is another new matrix consisting of 16 new bytes. It should be noted that this step is not performed in the last round. 15
  • 25. Figure 4.4: Mix Columns AddRoundkey The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of the round key. If this is the last round then the output is the ciphertext. Otherwise, the resulting 128 bits are interpreted as 16 bytes and we begin another similar round. Figure 4.5: AddRoundkey 16
  • 26. CHAPTER 5 Disintegration Protocol (DIP) The unidirectional, closed and disintegrated protocol that is used to store data to be securely in the cloud. In general, the server is designed to perform N number of different tasks (function). In Disintegration Protocol (DIP) [3], we disintegrate N various services from one server and distribute them among M homogeneous different servers. The DIP architecture used for the experiments described in this paper is shown in Fig. Although these experiments were conducted in a WAN environment in the private cloud, as noted earlier, the proposed DIP technique does not require that the set of clients CL to be connected to a private cloud (they can be located anywhere on the Internet Below we discuss the only condition in which the server needs to be connected to the private cloud. However, this provision does not limit the scope or scalability of DIP since many real-world Web server clusters are located within the same LAN. 5.1 Architecture of DIP The figure 5.1 shows the basic architecture of the DIP [3]. R0 is a regular firewall that prevents specific types of information from moving between an untrusted network and a trusted network. TLS/SSL or other software service are running on existing router or server. One can implement the firewall in any of processing modes such as packet filtering, application gateways, circuit gateways, MAC layer firewalls or hybrid. Integrity for data 17
  • 27. in transit is offered by using hashing function and message authentication codes. Every transport protocol (HTTP, TCP, IPC, and MSMQ) has its technique for establishing cre- dentials and handling communication protection. The most popular approach for this is to use Secure Sockets Layer (SSL) for encrypting and confirming the contents of the packets transmitted over Secure HTTP (HTTPS). For the scope of this paper we will restrict our discussion to DIP components i.e. connection server (CS), resource allocator (RA) and data servers (DSs, DSs*) and internal packet filter routers R1 and R2. The clients send requests to a connection server CS, CS sends SYN-ACK, and keep track current request until it receives (HTTP) GET and sends GET ACK to the client. Moreover, at the same time, CS will send an inter-server packet (ISP) of 168 bytes to RA. CS uses two NIC cards on- board transceivers NIC1 and external transceivers NIC2 with two different IP address. In this case, we can decide which transceiver to use and then make the appropriate choice on our card. Figure 5.1: The architecture of the DIP. 18
  • 28. When data is transmitted on the network cable, they travel as a single stream of bits. When data progresses on a network cable, the cable is treated as a one-lane roadway,and the data perpetually proceeds in one direction only. At given point of time, the server either sending or receiving data, but never performs both. NIC1 is used for communicating with Client, and NIC2 is used to send packets to RA. NIC2 is activated (in UP state) only for the short interval of time when CS is forwarding packets to RA, otherwise, all other time it stays in DOWN state. This mechanism allows turning On/Off the connectivity between CS and RA and controls one-way flow from CS to RA. We control transmitter’s state in the Ethernet object using methods enable Transmit( ) and disable Transmit( ). Similar control can be achieved by disabling the receiver and only allowing the function of the transmitter of NIC2. Furthermore, router R1 (eth0) only accept packet coming from CS and drops all other packets coming from other IP address even from RA through interface eth1. Similar flow control mechanism is enforced for a transmission from DSs to DSs*. After receiving the packet from CS, RA determines to forward the given request (packet) to appropriate data servers DSs. Data are fragmented in a various block on different DSs on the same cloud or geographically distributed clouds. RA will keep TCB records of all connection until it receives FIN-ACK from CS. All ACKs after the GET-ACK are forwarded to RA, and RA will respond all ACKs and Data requests though different DSs. When DS sends the last data packet (with FIN) of data to Client, it also sends one inter server packet to CS (via Ro) telling that it is done with transmitting all data. CS forwards this information to RA. Whenever CS receives FIN-ACK from a Client, it forwards to RA, and now RA will delete the TCB record of a particular connection. RA keeps 100,000 TCB records and can increase based on incoming load. DSs receives client information through TCB record from RA, and directly sends data to the client and in the data packet, it puts SrcIP 19
  • 29. and SrcMac address of CS. CSs, DSs and RA identical servers they have the same hardware and same software, but perform different tasks. CS* is the backup server for CS if CS fails immediately in few millisecond CS* resumes the role of CS, detail migration and position change over process is describe in our earlier paper a split protocol technique for web server migration. DS*s are data transmission servers, which receives data from DSs, they do not store any information or data, practically they are empty servers In the event of a server compromise, a hacker will only be able to get the last piece of data transmitted from the DS as if the connection is still in the active state. 5.2 Multi- housed DIP architecture DIP architecture is capable of handling massive traffic, and the only bottleneck we have observed is the router. DIP server can be configured as a multi-homed structure. In addi- tion to maintaining a reliable connection, multi homing allows performing load-balancing by lowering the number of client/server connecting to the Internet through any single connection. It also permits the load through multiple connections, enhances the perfor- mance and can considerably decrease wait times. In Multi-homing, if a router fails, all data will be rerouted through the other routers with the help of Network address trans- lation (NAT), by remapping one IP address into a different address by revising network address. Router RO and RA maintain all standard security protocols. RA implements NOBE encoding for data compression and additional privacy of data. DIP can be applied on top of any existing security protocols TLS, IPsec, SSH, Cryptographic protocol and inter-cloud protocols. The format of client request differs broadly by Cloud platform and virtualization layer of the operating system used for the Cloud Computing. Most of the cloud uses general pointers such as MAC and IP addresses [32], and now and then a DNS 20
  • 30. name specified to the VM. The pairs of RSA keys are used for the credential of the public key and private keys. On that VM, one can boot a system image yielding a running system, and uses it in a similar practice as one would use an operating system in your data center. The figure 5.2 shows the multi- housed DIP architecture. architecture Figure 5.2: Multi- housed DIP architecture. Figure 5.3: DIP in the cloud 21
  • 31. CHAPTER 6 Access Control Implementation on DIP In a modern world, where the state sponsored hacking groups have almost unlimited resources; consequently, security of information becomes essential. Secure data storage mechanisms with DIP can be implemented on the cloud servers and secure file sharing among them. To ensure the security of information for the cloud base server with en- crypted storage data, the main issue would appear to be limiting access to unauthorized users. [1] Security of the data should be in a good balance between complete protection and usability. Thus, idea is to use time proven mechanisms while adding additional pro- tection. Cloud service consists of three servers: user input (CSs), data storage (DSs), user output (DSs*) as shown in Fig 1. Each of servers has their own security mechanisms. The separation is done to ensure that if any of servers are compromised, the data will stay intact. User input server can have multiple implementations for access control, depending on the needs of the organization. For example, library articles would not require extra safety measures, however financial or military institutions would demand the highest con- trol possible. Therefore, there will be a choice for the organization to choose a regular access control function or the advanced one. 22
  • 32. Regular option : Communication with user input server would start with login information. The user can request to enter login and password. To prevent brute force, we are limiting the user to five attempts per fifteen minutes. To ensure additional safety, the system forwards a message to the registered phone number and email address stating that someone is trying to access the account. There is a link provided to give the user an opportunity to lock the account, in case if there is a suspicion of unauthorized action. In this case, the account will freeze until the user communicates with support centre, prove identity, and account ownership. In the case of the correct login and password entered, the system will generate a random entrance code that is provided to the users through email or text. While setting up an account, the user is prompted to enter security answers to seven security questions. Every time that use renters from the unrecognised device (Mac and cookies check); the system will require answering two randomly selected questions out of seven. Failing to answer them would lock the account. Advanced option : Everything regular option provides (notes: the user will not be able to skip security questions. The system does not save cookies on the user’s computer) plus additional options: • Biometrics (optional at the current technology state) - if user’s device provides fingerprints function, it can be used. • Additional possible application - makes the user read the randomly generated para- graph. • Security token authentication: Each user is provided by an organization with the unique security token. The device is connected to the device that is trying to access 23
  • 33. the database. It will not cancel out any of the previous steps but will serve as additional protection, so only a person with a physical device and knowledge of login, password, access to phone/email and knowledge of security questions can access the database. This type of option is highly recommended for financial institutions and government contractors. Inner server communications have a different structure. Security will start at the point that we limit servers communications to a one-way channel. The receiving server can limit to respond only with a packet acceptance message. All packets are encrypted with Advanced Encryption Standard, which uses Rijndael cipher. Each pair of communicating servers has a private large set of randomly generated numbers. For every fifteen packets, the active server can randomly choose a key from the set, encrypt packet with a set was chosen and will include an index number of current keys. That index number is going to be a single non encrypted data that is transmitted on the network. To ensure safety, pairs of sets are updated according to computational powers of computers that are available at the current time. For examples, if there is a possibility that 256-bit key cipher can be broken using the latest type of super computer within a month, sets are updated in every two weeks. In addition to that, every communication is based on the following assumptions: MAC addresses are the same for both servers. The server will send information to the input server to provide the list of user’s storage information to the output server. The user will see it as a list on the same web page. Once a user selects to download anything, this request is forwarded to the input server. All the data stored on the informational server is archived using NOBE technology. All files are compressed during uploading procedure. A separate index file will store information files stored, original names, their storage indexes, and a list of groups that have access to specific files. Once Server receives a signal that certain user is trying to access it, the reports are generated, showing all the 24
  • 34. files that accessible to the user. Output server will post that report on the web page for furthers election. According to a selection of a file that the user needs to download, NOBE file is forwarded to output server using inner server communication technology. Output server will send a request to a user’s device to activate the NOBE client. Using the RSA encryption system, output server will encrypt the NOBE file and forward it to the user NOBE client. That will decrypt it using the private key and decompress it for the user. In addition to that, every communication is based on the following assumptions: MAC addresses are the same for both servers. The server will send information to the input server to provide the list of user’s storage information to the output server. The user will see it as a list on the same web page. Once a user selects to download anything, this request is forwarded to the input server.All the data stored on the informational server is archived using NOBE technology. All files are compressed during uploading procedure. A separate index file will store information files stored, original names, their storage indexes, and a list of groups that have access to specific files. Once Server receives a signal that certain user is trying to access it, the reports are generated, showing all the files that accessible to the user. Output server will post that report on the web page for further selection. According to a selection of a file that the user needs to download, NOBE file is forwarded to output server using inner server communication technology. Output server will send a request to a user’s device to activate the NOBE client. Using the RSA encryption system, output server will encrypt the NOBE file and forward it to the user NOBE client. That will decrypt it using the private key and decompress it for the user. 25
  • 35. CHAPTER 7 Proxy Re Encryption Scheme (PRE) Proxy Re-Encryption (PRE) is a cryptographic primitive, which has a very interesting application in delegating decryption rights. It helps in converting a ciphertext, which is meant for a delegator to be decrypted by a delegate with the help of a semi-trusted party called the proxy. Consider the scenario, in which Alice (the delegator) leaves the country for a vaca- tion, delegates the decryption rights to Bob (the delegatee). Any ciphertext meant for Alice could be converted into a ciphertext of Bob by the semi-trusted proxy, with the help of a Re-Encryption key generated by Alice and handed over to the proxy. A proxy is, in essence, any provider – including a cloud service provider. As shown in the figure above, the proxy or cloud provider never sees the actual secret message. It only ever sees encrypted messages and public keys (elements marked in green above). Private keys remain private to the individual parties, and the secret message only every gets decrypted by the intended recipient, not the proxy. So, the cloud provider never sees the information. Let’s consider this scenario: 26
  • 36. Figure 7.1: Proxy Re-Encryption. For security reasons, Alice doesn’t trust the cloud provider so Alice encrypts all her data (with her public key) and store her encrypted data into the cloud. Now, Alice data is safe and (theoretically) only she can access it since only Alice knows her private key. A few weeks later, along comes Bob and it turns out, he needs to see Alice data. Alice now has two choices: 1. Get Bob’s public key, decrypt the data, re-encrypt it with Bob’s public key, and send it to him.This is a bit clunky. Alice needs to decrypt her data and then re-encrypt. It may work for one person. . . what if Alice has many Bobs? It would be better to leave this work to her cloud provider if at all possible. . . 2. Use proxy re-encryption!-In this case, Alice retrieves Bob’s public key, and issue a “re-encryption” key. This key represents the trusted relationship Alice would like 27
  • 37. to build with Bob. Alice sends this key to her cloud provider and they proceed to re-encrypt the already encrypted data they have stored with the key. Bob can now download this re-encrypted data and decrypt it at will In the second scenario, note how the decryption / re-encryption process is sidestepped and Alice doesn’t need to perform this operation on her own devices. Instead, all she needs to do is generate a key which should be quick, and pass the buck to her provider, which at no point can decrypt the original message, making this system very scalable and enables data-sharing apps in a cloud environment. 28
  • 38. CHAPTER 8 Advantages of Using PRE for Secure Sharing Dropbox [4], SugarSync [5], Box, and Soonr are security black holes, while all user files are encrypted in transit and at rest, the user is not in control of the encryption keys. These keys are managed by the internal key-servers and are not revealed to the user at any point in time. However, they claim that the keys are stored in encrypted form for all other purposes. The advantages of PRE are: 1. The owner of the file has the sole responsibility for providing and revoking access to the files. 2. Sharing is straightforward with no overhead for the file owner. 3. Offers end-to-end security for files while sharing them. 4. Military-grade security could be achieved using the state of the art encryption mech- anism like AES-256. 5. Uses advanced proxy re-encryption with multi-hop so that consecutive sharing is possible. 29
  • 39. CHAPTER 9 Conclusion Internet-based online cloud services provide enormous volumes of storage space, tailor made computing resources and eradicates the obligation of native machines for data main- tenance as well. Cloud storage service providers claim to offer the ability of secure and elastic data-storage services that can adapt to various storage necessities. Most of the security tools have a finite rate of failure, and intrusion comes with more complex and sophisticated techniques; the security failure rates increasing. Once we upload our data into the cloud, we lose control of our data, which certainly brings new security risks to- ward integrity and confidentiality of our data.The storing data in encrypted format will be able to solve the security issues.The access control mechanisms can be used to limit the unwanted access to the cloud by unauthorised persons. A secure file sharing mecha- nism for the cloud with the disintegration protocol (DIP) can be used for storage and file sharing. The innovative approach to secure storage data on cloud servers through the com- bined use of cryptography and unique network architecture of DIP is highly. It could be seen that DIP techniques can be used to improve the security of any servers or any computer application. The linear behaviour of a number of DIP elements and qualitative improvement in system reliability, integrity and security offer higher throughput. DIP 30
  • 40. with PRE scheme enables a secure file sharing among the cloud. As a real-world appli- cation, Cloud storage providers such as Dropbox, Sugarsync, Box etc. for a secure file sharing can directly adopt this solution. 31
  • 41. REFERENCES [1] Bharat S Rawal and S Sree Vivek. “Secure cloud storage and file sharing”. In 2017 IEEE International Conference on Smart Cloud (SmartCloud), pages 78–83. IEEE, 2017. [2] B. Avinash, T. Harish, G. Karthikeyan, and Prof. D. Vinodha. “A Survey on proxy re-encryption method using cloud computing”. International Journal of Research and Engineering, 4(2):57–59, 2017. [3] Bharat S Rawal, Harsha K Kalutarage, S Sree Vivek, and Kamlendu Pandey. “The disintegration protocol: An ultimate technique for cloud data security.”. In 2016 IEEE International Conference on Smart Cloud (SmartCloud), pages 27–34. IEEE, 2016. [4] https://www.cloudwards.net/review/dropbox/. [5] https://www.cloudwards.net/review/sugarsync/. 32