A Protected Cloud Storage System with Safe Information Forwarding

A Protected Cloud Storage System with Safe Information Forwarding

C. Kavinilavu,

Computer Science and Engineering, PRIST University, Trichy.

Abstract

In cloud storage system provide several storage services over the internet. Datas are stored in third partys cloud storage system. It causes over data confidentiality. Encryption schemes to protect the data confidentiality but also the functionality to be limited in storage system because few operations only supported over encrypted data. In this paper, propose a threshold proxy re-encryption scheme and integrate a erasure code such that distributed storage system. In this storage system not only support secure and robust data it also support forwarding data from one user to another user without retrieving the data .In proposed system support encoding operation as well as forwarding over encoded and encrypted messages. In this system support encryption, encoding and ffpforwarding operations. .To analyzes and suggests suitable parameters for the number of copies of a message dispatched to storage servers and the number of storage servers queried by a key server. These parameters allow more flexible adjustment between the number of storage servers and robustness.

Index TermsDecentralized erasure code, proxy re-encryption, threshold cryptography, secure storage system.

1. Introduction

   Data robustness is a major requirement for storage systems. There have been many proposals of storing data over storage servers. One way to provide data robustness is to replicate a message such that each storage server stores a copy of the message. It is very robust because the message can be retrieved as long as one storage server survives. Another way is to encode a message of k symbols into a codeword of n symbols by erasure coding. To store a message, each of its codeword symbols is stored in a different storage server. A storage server provides a tradeoff between the storage size and the tolerance threshold of failure servers. A decentralized erasure code is an erasure code that independently computes each

   codeword symbol for a message. A decentralized erasure code is suitable for use in a distributed storage system. After the message symbols are sent to storage servers, each storage server independently computes a codeword symbol for the received message symbols and stores it. This finishes the encoding and storing process. The recovery process is the same. Storing data in a third partys cloud system causes serious concern on data confidentiality. In order to provide strong confidentiality for messages in storage servers, a user can encrypt messages by a cryptographic method before applying an erasure code method to encode and store messages. When he wants to use a message, he needs to retrieve the codeword symbols from storage servers, decode them, and then decrypt them by using cryptographic keys. There are three problems in the above straightforward integration of encryption and encoding. First, the user has to do most computation and the communication traffic between the user and storage servers is high. Second, the user has to manage his cryptographic keys. If the users device of storing the keys is lost or compromised, the security is broken. Finally, besides data storing and retrieving, it is hard for storage servers to directly support other functions. For example, storage servers cannot directly forward a users messages to another one. The owner of messages has to retrieve, decode, decrypt and then forward them to another user. In this paper, address the problem of forwarding data to another user by storage servers directly under the command of the data owner. With this consideration, to propose a new threshold proxy re-encryption scheme and integrate it with a secure decentralized code to form a secure distributed storage system. The encryption scheme supports encoding operations over encrypted messages and forwarding operations over encrypted and encoded messages. The tight integration of encoding, encryption, and forwarding makes the Storage system efficiently meet the requirements of data robustness, data confidentiality, and data forwarding. Accomplishing the integration with consideration of a distributed structure is challenging. Our system meets the requirements that storage servers independently perform Encoding and re- encryption and key servers independently perform partial decryption. Moreover, we consider the system

   in a more general setting than previous works. This setting allows more flexible adjustment between the number of storage servers and robustness.

2. Related Work

   Briefly review distributed storage systems, proxy re-encryption schemes, and integrity checking mechanisms. [1] A decentralized architecture for storage systems offers good scalability, because a storage server can join or leave without control of a central authority. To provide robustness against server failures, a simple method is to make replicas of each message and store them in different servers. However, this method is expensive as z replicas result in z times of expansion. The server does not know the plaintext during transformation. Storage server failure is modeled as an erasure error of the stored codeword symbol. Random linear codes support distributed encoding, that is, each codeword symbol is independently computed. To store a message of k blocks, each storage server linearly combines the blocks with randomly chosen coefficients and stores the codeword symbol and coefficients. To retrieve the message, a user queries k storage servers for the stored codeword symbols and coefficients and solves the linear system. [2] Proposed some proxy re-encryption schemes and applied them to the sharing function of secure storage systems. In their work, messages are first encrypted by the owner and then stored in a storage server. When a user wants to share his messages, he sends a re-encryption key to the storage server. The storage server re-encrypts the encrypted messages for the authorized user. Thus, their system has data confidentiality and supports the data forwarding function. Our work further integrates encryption, re- encryption, and encoding such that storage robustness is strengthened. A user can decide which type of messages and with whom he wants to share in this kind of proxy re-encryption schemes. In a key-private proxy re-encryption scheme, given a re-encryption key, a proxy server cannot determine the identity of the recipient. This kind of proxy re-encryption schemes provides higher privacy guarantee against proxy servers. Although most proxy re-encryption schemes use pairing operations, there exist proxy re- encryption schemes without pairing [4]. Another important functionality about cloud storage is the function of integrity checking. After a user stores data into the storage system, he no longer possesses the data at hand. The user may want to check whether the data are properly stored in storage servers. The concept of provable data possession [3], later, public auditability of stored data is addressed in [5].

   Nevertheless all of them consider the messages in the clear text form.

3. System Model

   Figure 1. General system model

   As shown in Fig. 1,our system model consists of users, n storage servers SS1 ; SS2 ;

   . . . ; SSn , and m key servers KS1 ; KS2 ; . . . ; KSm . Storage servers provide storage services and key servers provide key management services. They work independently. Our distributed storage system consists of four phases: system setup, data storage, data forwarding, and data retrieval. These four phases are describd as follows.

   1. System Setup

      In the system setup phase, the system manager chooses system parameters and publishes them. Each user A is assigned a public-secret key pair (PKA; SKA) and ShareKeyGen (). User A distributes his secret key SKA to key servers such that each key server KSi holds a key share SKA; and the public key is kept by user.

   2. Data Storage

      In the data storage phase, user A encrypts his message M and dispatches it to storage servers. A message M is decomposed i n t o k blocks m1; m2; . . .; mk and has an identifier ID. User A encrypts each block mi into a ciphertext Ci and sends it to v randomly chosen storage

      servers. Upon receiving ciphertexts from a user, each storage server linearly combines them with randomly chosen coefficients into a codeword symbol and stores it. Note that a storage server may receive less than k message blocks and assume that all storage servers know the value k in advance.

   3. Proxy Re-encryption Scheme

      The proxy re-encryption scheme supports encoding, forwarding, and partial decryption operations in a distributed way. By using the threshold proxy re-encryption scheme, we present a secure cloud storage system that provides secure data storage and secure data forwarding functionality in a decentralized structure. Messages are first encrypted by the owner and then stored in a storage server. When a user wants to share his messages, he sends a re-encryption key to the storage server. The storage server re-encrypts the encrypted messages for the authorized user. Proxy re-encryption schemes can significantly decrease communication and computation cost of the owner. Proxy re-encryption schemes significantly reduce the overhead of the data forwarding function in a secure storage system.

   4. Data Forwarding

      A secure cloud storage system that supports the function of secure data forwarding by using a proxy re-encryption scheme. In the data forwarding phase, a user runs Key Recover() and Re Key Gen() send to storage server, and each storage server performs Re Enc().In the data forwarding phase, user A forwards his encrypted message with an identifier ID stored in storage servers to user B such that B can decrypt the forwarded message by his secret key. To do so, A uses his secret key SKA and Bs public key PKB to

      compute a re-encryption key RKIDAB and then sends

      RKIDAB to all storage servers. Each storage server uses the re-encryption key to re-encrypt its codeword symbol for later retrieval requests by B. The re- encrypted codeword symbol is the combination of cipher texts under Bs public key. In order to distinguish re-encrypted codeword symbols from intact ones, we call them original codeword symbols

      and re-encrypted codeword symbols, respectively.

   5. Data Retrieval

      In the data retrieval phase, user A requests to retrieve a message from storage servers. The message is either stored by him or forwarded to him. User A sends a retrieval request to key servers. Upon

      receiving the retrieval request and executing a proper authentication process with user A, each key server KSi requests u randomly chosen storage servers to get codeword symbols and does partial decryption on the received codeword symbols by using the key share SKA; I. Finally, user A combines the partially decrypted codeword symbols to obtain the original message M.

4. Construction of Secure Cloud Storage System

   Before presenting our storage system, briefly introduce the algebraic setting, the hardness assumption, an erasure code over exponents, and our approach.

   Bilinear map:

   Let G1 and G2 be cyclic multiplicative groups with a prime order p and g G1 be a generator. A map is a bilinear map :G1xG1G2 is efficiently computable and has the properties of bilinearity and Nondegeneracy: for any x,yz*p ,

   2

   2

   (gx,gy) = (g¸ g)xy and (g¸g) is not the identity element in G . Let Gen (1) be an algorithm

   generating (g,,G1,G2,p) where is the length of p. Let xR X denote that x is randomly chosen from the set X.

   Decisional bilinear Diffie-Hellman assumption:

   This assumption is that it is is computationally infeasible to distinguish the distributions (g, gx , gy , gz ,(g¸g)xyz and (g, gx , gy, gz(g¸g)r) ewhere x; y; z; rRZ*p probabilistic polynomial time algorithm A, the following is negligible (in ).

   p, 0 1

   p, 0 1

   |pr[A(g,gx,gy,gz,,Qb)=b:x,y,z,rRZ* Q =(g,g)xyz;Q = (g,g)r;bR{0,1}]-½|.

   Erasure coding over exponents:

   Consider that the message domain is the cyclic multiplicative group G2 described above. An encoder generates a generator matrix G=[gi,j] for 1ik,1jn as follows: for each row, the encoder randomly selects an entry and randomly sets a value from Z*p to the entry. The encoder repeats this step v times with replacement for each row. An entry of a row can be

   selected multiple times but only set to one value. The values of the rest entries are set to 0. Let the message be (m1,m2,…mk)Gk2. The encoding process is to

   2

   2

   generate(w1,w2…wn)Gn . Where wj=m1g1jm2g2j…mkgkj for 1jn. The first step of the decoding process is to

   d2,i

   d2,i

   compute the inverse of a kxk submatrix k of G. Let k be [gi,ji] for 1i,jik. Let k-1=[di,j]i1,jk. The final step of the decoding process is to compute mi=wj1d1,iwj2

   for 1ik.

   Our approach:

   A threshold proxy re-encryption scheme with multiplicative homomorphic property. An encryption scheme is multiplicative homomorphic if it supports a group operation on encrypted plaintexts without decryption

   D(SK,E(PK,m1) E(PK,m1)) = m1 · m2,

   Where E is the encryption function, D is the decryption function, and(Pk,Sk) is a pair of public key and secret key. Given two coefficients g1 and g2, two

   message symbols m1 and m2 can be encoded to a codeword symbol m1g1m2g2 in the encrypted form

   C=E(PK,m1)g1E(PK,m2)g2=E(PK,m1g1·m2g2)

   Thus, a multiplicative homomorphic encryption scheme supports the encoding operation over encrypted messages. To convert a proxy re- encryption scheme with multiplicative homomorphic property into a threshold version. A secret key is shared to key servers with a threshold value t via the Shamir secret sharing scheme [26], where t k. In

   where v1, v2… vt-1RZp*.The key share of the secret key SKA to the key server KSi is SKA,i=( fA,1(i), fA,2(i)),where 1im. Next to compute the identity token and performs the encryption algorithm Enc(·) and encoding operation.

   Enc(PKA,,m1,m2mk): For 1ik, this algorithm computes

   Ci=(0,i,,i)=0,gri,,mi,(g1,ri)),

   Where riRZp*, 1ik and 0 is the leading bit indicating an original cipertext.

   Encode(C1, C2.,Ck): For each cipertext Ci, the algorithm randomly selects a coefficient gi. If some cipertext Ci is (0,1,,1),the coefficient gi is set to 0. Let Ci=(0, i,,i) the encoding process is to compute an original codeword symbol C'.

   i i i

   i i i

   C'= (0,ki=1( gi),,k =1( gi))

   = (0,gr1,,W(g,)a1r')

   our system, to decrypt for a set of k message

   Where W=k m gi and r'=k g r . The encoded

   i=1 i i=1 i i

   symbols, each key server independently queries 2 storage servers and partially decrypts two encrypted codeword symbols. As long as t key servers are available, k codeword symbols are obtained from the partially decrypted ciphertexts.

5. Secure Data Forwarding Algorithm

The algorithm SetUp(1) generates the parameter

µ. First, the user locally stores the secret key.

SetUp(1): Run Gen(1) to obtain

result is (C',g1,g2,gk). If user A to forward a message to another user to perform KeyRecover(),ReKeyGen(), and ReEnc().

KeyRecover(SKA,i1,SKA,i2,.,SKA,it): Let T={i1,i2,it}.This algorithm recovers a1 is lagrange interpolation as follows.

a1 =sT(fA,1(s)s'T/{s}-s'/s-s')mod p.

ReKeyGe(PKA, SKA,ID, PKB): This algorithm selects eRZp* and computes

(g,h,,G1,G2,p),where : G1x G1 G2 is a bilinear map, g and h are generators of G1.Both G1 and G2 have the prime order P.Set µ=( g,h,,G1,G2,p,f),

RKID

AB

=((hb2)a1(f(a3,ID)+e),ha1,e).

ID

where f: Zp*x{0,1}*Zp* is a one way hash function. KeyGen(µ): For a user A, the algorithm selects a1,a2,a3RZp* and sets

PKA = (ga1, ha2)¸ SKA = (a1; a2; a3);

ShareKeyGen(SKA,t,m): This algorithm shares the secret key SKA of a user A to a set m key servers by using two polynomials fA,1(z) and fA,2(z) of degree (t-

1) over the finite field GF(p)

fA,1(z)=a1+v1z+v2z2+…+vt-1zt-1(modp), fA,2(z)=a2-1+v1z+v2z2+…+vt-1zt-1(modp),

ReEnc(RK AB,C'): In this algorithm to shares the

codeword symbol let C'=(0,,,)=(0,gr',,W(ga1,r')) for some r' and some W, and RKIDAB=((hb2)a1(f(a3,ID)+e),ha1,e) for some e. The re- encrypted codeword symbol is computed as follows:

C'=(1,, hb2,a1(f(a3,ID)+e),.(, ha1,e))

=(1,gr',hb2,a1(f(a3,ID)+e),W(g,h)a1r'(f(a3,ID)+e)).

The leading bit indicates C' is a re-encrypted cipertext. If user A retrieves his own Message to perform ShareDec() and combine() operation.

ShareDec(SKj,Xi): Xi is a codeword symbol, where Xi= (b,,,) and b is the indicator for original and re- encrypted codeword symbols. SKj is a key share, where SKj=(sk0,sk1). By using the key share SKj, the

partially decrypted codeword symbol i,j of Xi is generated as follows:

i,j=( b,,,skb,).

Combine(i1,j1,i2j2, . . . it,jt): Let a partially decrypted c symbol j be (b, , ,' , ).

7. Conclusion

In this paper, consider a cloud storage system consists of storage servers and key servers. To integrate a newly proposed threshold proxy re-

encryption scheme and erasure codes over exponents.

odeword

i, i,j

i,j

i,j

i,j

The threshold proxy re-encryption scheme supports

This algorithm combines t partially decrypted codeword symbols, where i1,j1=i2,2=···=it,jt=, j1j2····jt and there are at least k distinct values in

{i1,i2,.it}. Let Sj={ j1, j2, .jt} and S={(i1,j1),(i2,j2)(it,jt)} Without loss of generality, let S1={i1,i2,.ik} be k distinct values in {i1,i2,.it}.

6. Analysis of Results

In the data storage phase, a user runs the Enc(·) algorithm and each storage server performs the Encode(·) algorithm. In the Enc(·) algorithm, generating each i requires a Exp1, and generating each i requires a Exp1, a Pairing, and a Mult2. Hence, for k blocks of a message, the cost is (k Pairing + 2k Exp1 + k Mult2). For the Encode(·) algorithm, each storage server encodes k ciphertexts at most. The cost is k Exp1+(k-1) Mult1 for computing and k Exp2+ (k-1) Mult2 for computing .

In the data forwarding phase, a user runs KeyRecover(·) and ReKeyGen(·) and each storage

server performs ReEnc(·). In the KeyRecover(·) algorithm, the computation cost is O(t2) Fp. In the ReKeyGen(·) algorithm, the computation cost is a Exp1. In the ReEnc(·) algorithm, the computation cost is a Pairing and a Mult1.

In the data retrieval phase, each key server runs the ShareDec(·) algorithm and the user performs the Combine(·) algorithm. In the ShareDec(·) algorithm,

each key server performs a Exp1 to get skb for a codeword symbol. For a successful retrieval, t key

servers would be sufficient; hence, for this step, the total cost of t key servers is t Exp1. In the Combine(·) algorithm, it needs the computation of the Lagrange interpolation over exponents in G1, the computation of the encoded blocks wj' from the partially decrypted codeword symbols i,j',s, and the decoding computation which needs to perform the matrix inversion and recovery of blocks mi' from the

encoded blocks wj',s. The Lagrange interpolation over exponents in G1 needs O(t2) Fp, t Exp1, and (t-1) Mult1. Computing an encoded block wj needs one Pairing and one modular division, which takes 2

Mult2. As for the decoding computation, the matrix

inversion takes O(k3) arithmetic operations over GF(p), and the decoding for each block takes k Exp2 and (k-1) Mult2.

encoding, forwarding, and partial decryption operations in a distributed way. To decrypt a message of k blocks that are encrypted and encoded to n codeword symbols, each key server only has to partially decrypt two codeword symbols in our system. By using the threshold proxy re-encryption scheme, to present a secure cloud storage system that provides secure data storage and secure data forwarding functionality in a decentralized structure. Our storage system and some newly proposed file systems and storage system are highly compatible. Our storage servers act as storage nodes in a content addressable storage system for storing content addressable blocks. Our key servers act as access nodes for providing a front-end layer such as a traditional file system interface.

8. References

1. A. Adya, W.J. Bolosky, M. Castro, G. Cermak,

   R. Chaiken, J.R. Douceur, J. Howell, J.R. Lorch, M. Theimer, and R. Wattenhofer,Farsite: Federated, Available, and Reliable Storage for anIncompletely Trusted Environment, Proc. Fifth Symp. Operating System Design and Implementation (OSDI), pp. 1- 14, 2002.

2. G. Ateniese, K. Fu, M. Green, and S. Hohenberger, Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage, ACM Trans. Information and System Security, vol. 9, no. 1, pp. 1-30, 2006.

3. G. Ateniese, R. Burns, R. Curtmola, J. Herring, L.Kissner, Z. Peterson, and D. Song, Provable Data Possession at Untrusted Stores, Proc. 14th ACM Conf. Computer and Comm. Security (CCS), pp. 598-609, 2007.

4. J. Shao and Z. Cao, CCA-Secure Proxy Re- Encryption without Pairings, Proc. 12th Intl Conf. Practice and Theory in Public Key Cryptography (PKC), pp. 357-376, 2009.

5. C. Wang, Q. Wang, K. Ren, and W. Lou, Privacy-Preserving Public Auditing for Data Storage Security in Cloud Computing,Proc. IEEE 29th Intl Conf. Computer Comm. (INFOCOM), pp. 525-533, 2010.