By:- Kan Yang, Xiaohua Jia AN EFFICIENT AND SECURE DYNAMIC AUDITING PROTOCOL FOR DATA STORAGE IN CLOUD COMPUTING By:- Kan Yang, Xiaohua Jia Presented by:- DEEPAK BEGRAJKA

Preliminaries and definitions CONTENT Introduction Preliminaries and definitions Efficient and privacy preserving auditing protocol Secure dynamic auditing Batch auditing for multi-owner and multi-cloud Performance analysis of auditing protocol Related works Conclusion

What is Cloud Computing? The illusion of infinite computing resources… The elimination of an up-front commitment by cloud users… The ability to pay for use…as needed…”

Where is My Data on Cloud? Data resides on servers that the customer cannot physically access. Vendors may store data anywhere at lowest cost if not restrained by agreement

CLOUD STORAGE Important service of cloud. Allow owner to move data from their local computing system to cloud. Owner start to store data on cloud

New Challenges Data could be lost in cloud. Cloud service provider might be dishonest.

Third Party Auditing Protocol Requirements Confidentiality Dynamic Auditing Batch Auditing

PRELIMINARIES AND DEFINITIONS

SYSTEM MODEL OF DATA STORING AND AUDITING

KEY NOTATIONS

STORAGE AUDITING PROTOCOL VERIFY(C, P, sKh, pKt, Minfo)0/1 PROVE (M, T, Challenge) Proof CHALLENGE (Minfo) Challenge TAG GENERATION (M, sKt, sKh)  (T) KEY GENERATION (λ.) (sKh, sKt, pKt )

ATTACKS BY SERVER REPLACE ATTACK Server may choose another valid and uncorrupted pair of data block and data tag to replace challenged pair of data block and data tag. FORGE ATTACK Server may forge data tag & data block and deceive the auditor, if same secret tag key of owner is used in different version. REPLAY ATTACK Server may generate proof from the previous proof or other information, without retrieving the actual owner’s data

Efficient and Privacy-Preserving Auditing Protocol

OVERVIEW OF THE SOLUTION The main challenge to design data storage auditing protocol is the data privacy problem For public data, the auditor may obtain data information by recovering data blocks from data proof. For encrypted data, auditor may obtain content keys somehow through any special channels and could be able to decrypt data. To solve data privacy problem, Generate Encrypted proof with the help of challenge stamp by using bilinearity property of bilinear pairing. Auditor verify proof without decrypting.

OVERVIEW OF THE SOLUTION In this method server compute the proof as intermediate value of verification. Auditor use intermediate value to verify proof. (Reduce Computing loads as auditor is moved to server.) To Improve performance of auditing system, author apply Data Fragmentation and Homomorphic Verifiable Tags. Data Fragmentation technique reduces no. of data tags, Hence reduce storage overhead and improve system performance. Using Homomorphic tags, no matter what how many data blocks are challenged server response to sum of data block and product of tags whose size is constant and is one data block.

Algorithm For Auditing Protocol File F (m data components) F= (F1, F2,… Fm) Data component has its physical meaning and updated dynamically. Data Component Fk divided into nk data blocks, Fk = (mk1, mk2,..mknk) Data Fragmentation, Data block  Sectors. For the algorithm we consider no. of sectors to be constant. For data back with different no. of sectors. Smax Max no of sector, Si variable no of sector. For each data block mi (Si< Smax) P  Security Parameters, n  no of data blocks = n = sizeof (M) / s·log p .

Algorithm For Auditing Protocol Encrypted data component M= {mi,j} i∈[1,n], j∈[1,s]. G1, G2 and GT be the multiplicative groups with the same prime order p e : G1 × G2 → GT be the bilinear map g1 and g2 be the generators of G1 and G2 respectively Let h : {0,1}∗ →G1 be a keyed secure hash function that maps the Minfo to a point in G1.

Key Generation Algorithm Input (λ) “Implicit Security Parameter” Choose two random number sKt, sKh ∈ Zp Output pKt  pkt = g2 ^ sKt ∈ G2, secret tag key sKt and secret hash key sKh.

Tag Generation Algorithm Input  M “data component”, sKt “Secret Tag Key”, sKh “Secret Hash Key” Chooses s random values x1, x2, · · · , xs ∈ Zp and computes uj = g1 ^ xj ∈ G1 for all j ∈ [1, s]. For each data block mi(i ∈ [1,n]) calculate data tag  ti = (h(skh,Wi) · s Π j=1 uj^mi j )skt Wi = FID||i, FID identifier of the data, i  block number of mi Output  set of data tags T = {ti} i∈[1,n].

Challenge Algorithm outputs  “challenge” C = ({i, vi} i ∈ Q, R). Input  Minfo “Abstract information of the data” Construct Challenge Set Q, generates a random number vi ∈ Z∗p Compute challenge stamp R = (pkt)^r by randomly choosing a number r ∈Z∗p. outputs  “challenge” C = ({i, vi} i ∈ Q, R).

“Data proof” Dp Prove Algorithm Input  M, Challenge. Output  Tag proof , Data Proof. “Tag Proof” For data proof first compute M Pj j ∈ [1, s] “Data proof” Dp

Verification Algorithm Input  Challenge, Proof, Secret hash key “sKh”, Public tag key “pKt”, and Abstract information of data component. Compute Identifier hash value h(skh,Wi), and computes “Challenge Hash” Verifies the proof from the server by the following verification equation: If above equation holds, Output  1 else it is 0.

Construction of Privacy-Preserving Auditing Protocol Owner Initialization Owner generates the keys and the tags for the data, and store data on server. Confirmation Auditing  Check data correctly store on server or not. Sampling Auditing  Check data integrity, periodically.

Owner Initialization Run TagGen to compute data tags. Owners run KeyGen to generate sKh, sKt, pKt. Run TagGen to compute data tags. Owners send data component M={mi}i∈[1,n] & its corresponding data tags T = {ti}i∈[1,n] to server with set of parameters {uj}j∈[1,s]. Owner send pKt, sKh and Minfo to auditor, including data indentifier FID, total no of block n.

CONFIRMATION AUDITING Two way communication. Check owners data correctly stored on the server. Auditor Runs Challenge algorithm and send C = ({i,vi}i∈Q,R) to server. Server Runs prove Algorithm & generate P = (TP,DP) send it to Auditor. Auditor Runs Verify algorithm, check correctness of P, extract auditing result.

SAMPLING AUDITING Auditor conduct this algorithm periodically. Similar to Confirmation Auditing. For t challenged data blocks Probability of detection of corrupted data is Pr(t, s) = 1−(1−ρ)^t·s.

SECURE DYNAMIC AUDITING

Data owners dynamically update data. Auditing protocol should be design to support static as well as dynamic update. Dynamic update may make auditing protocol insecure prone to following attacks: Replay attacks Forge attacks.

PROPOSED SOLUTION Replay Attack Prevented by Index Table Forge Attack Prevented by modifying TagGen Algorithm. While generating data tag ti of data block mi, insert all abstract information into ti by setting Wi= FID||i||Bi||Vi||Ti, hence server does not get enough information for forge attack.

INDEX TABLE ITable Record abstract information of data. 4 Components: Index:- current block number of data block mi in data component M. Bi:- original block number of mi. Vi:- current version. Ti:- Time stamp used for generating data tag. ITable created by owner during owner initialization, managed by auditor. Owner send update msg to auditor. After confirmation auditing auditor result to owner.

Three Steps : DYNAMIC AUDITING Data Update Index Update Update Confirmation

DATA UPDATE 3 types of operations: Modify “Vi Vi*, Ti Ti*”. Insert  “Bi Bi*, Vi Vi*, Ti Ti*”. Delete

INDEX UPDATE 3 types: IModify “Vi Vi*, Ti Ti*”. IInsert  “Bi Bi*, Vi Vi*, Ti Ti*”. IDelete

UPDATE CONFORMATION Auditor updates the ITable, conducts confirmation auditing & sends result to owner. Owner can choose to delete the local version of data according to the update confirmation auditing result.

BATCH AUDITING FOR MULTI-OWNER AND MULTI-CLOUD

Large numbers of Owners  Many auditing Request to Auditor. Auditor Combine Auditing Request Conduct Batch Auditing for all Owners. Author apply the encryption method with the Bilinearity property of the bilinear pairing to ensure the data privacy. Hence In the multi-cloud batch auditing protocol does not have any commitment phase. This method does not require any additional trusted organizer.

Algorithm for Batch Auditing for Multi owner and Multi Cloud. O  Set owners, S Set of cloud Servers. Phase 1: Owner Initialization. Each owner apply KeyGen and TagGen algorithm, and send abstract information to the auditor. Three Steps Batch Challenge ({Minfo,kl}k∈O,l∈S) → C. Batch Proof ({Mkl} k ∈ Ochal , {Tkl} k∈ Ochal , Cl,{Rk} k∈ Ochal ) → Pl. Pl = (TPl ,DPl). Batch Verify (C,{Pl},{skh, lk},{pkt, k},{Minfo, kl}) → 0/1. Phase 2: Batch Auditing

PERFORMANCE ANALYSIS OF AUDITING PROTOCOLS

Computation Complexity Performance Analysis Communication Cost Computation Complexity

Communication Cost

Computation Cost of Auditor Computation Cost of Server

Computation Cost of Auditor Wang’s scheme requires data blocks more than Zhu’s 7 proposed scheme, computation time is almost s times. (not comparable).

Computation Cost of Server

Erway et al Extended PDP model  Cost heavy computation burden Related Work Ateniese et al. –Developed Dynamic provable data possession protocol –Based on Cryptographic Hash Function and Hash Function –ProblemsEach update requires recreating all the remaining metadata &cannot perform block insertions anywhere Erway et al Extended PDP model  Cost heavy computation burden Zhu et al –Proposed cooperative provable data possession scheme – support batch auditing for multiple clouds and also extend it to support the dynamic auditing -Not Support Batch Auditing for multiple owners. Also requires additional trusted organizer. Wang’s schemes and Zhu’s schemes incur heavy computation cost of the auditor, which makes the auditing system inefficient.

Conclusion Paper discusses an efficient and inherently secure dynamic auditing protocol. Protocol Protects data privacy against the auditor by combining the cryptography method with the bilinearity property of bilinear paring, rather than using the mask technique. Proposed Multi-cloud batch auditing protocol does not require any additional organizer. Batch auditing protocol can also support the batch auditing for multiple owners. Auditing scheme incurs less communication cost and less computation cost of the auditor by moving the computing loads of auditing from the auditor to the server can be applied to large scale cloud storage systems.

QUESTIONS ???? Thank you