Baoyuan Kang, Jiaqiang Wang, and Dongyang Shao
Academic Editor: Emilio Insfran
School of Computer Science and Software, Tianjin Polytechnic University, Tianjin 300387, China
Received 9 December 2016; Accepted 19 April 2017; Published 11 May 2017
This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
1. Introduction
With the development of the Internet, cloud computing has emerged. Cloud computing is a new model of computing in contrast to conventional computing: it allows data users to outsource their data to a cloud service provider. The term "cloud" refers to thousands of virtualized servers distributed over a set of data centers in different geographical locations and connected through telecommunication links [1]. Services on the cloud are delivered to users under a pay-as-you-go pricing model.
Although cloud computing offers various advantages to both users and the cloud service provider, and is envisioned as a promising service platform for the next-generation Internet, security and privacy are the major challenges that inhibit its wide acceptance in practice. Once data users transfer their data to the cloud, they lose physical control over it. The outsourced data are at risk from both internal and external threats. One such threat is that the cloud service provider might delete less frequently accessed data. Users therefore need assurance that their data remain intact after being uploaded, and data integrity checking becomes vital. Since data users no longer physically possess their data and are constrained in computing resources, traditional integrity checking techniques are not well suited to the cloud environment. Data users instead want a third party to verify the integrity of their data on their behalf. This is the problem of public auditing for data integrity.
After the first work by Ateniese et al. [2], many public auditing schemes [3-16] for data integrity checking have been proposed. A typical public auditing scheme involves three parties: a data user, a cloud server, and an auditor. The data user transfers his data to the cloud for storage and computation. The auditor, who has the expertise and capability, is responsible for the integrity check on behalf of the user. Before sending data to the cloud, the user divides a data file into many blocks and, using a signature scheme, generates an authentication tag for each block. These tags are sent to the cloud server together with the data blocks. To check the integrity of the outsourced file, the auditor uses spot checking: it sends a challenge to the cloud server that names a random sample of blocks. Upon receiving the challenge, the cloud server computes a response from the challenged data blocks and their tags and returns it to the auditor. The auditor then verifies the response. If the response is valid, the auditor and the user believe that the outsourced data file remains intact.
In the security model of public auditing schemes, the user is honest, but the cloud server is a semitrusted party. As mentioned earlier, the cloud server might delete less frequently accessed data for its own benefit. The auditor is honest but curious: it may try to learn information about the data during the auditing process. A secure public auditing scheme should therefore also satisfy a privacy-preserving requirement. In fact, in many existing schemes the server returns linear combinations of data blocks for verification, with no guarantee of data privacy against the auditor. Users, who rely on the auditor only for the storage security of their data, do not want the auditing process to leak any information about that data. But from the linear combinations of the same data blocks collected over repeated checks, the auditor could solve for those blocks.
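The leakage just described, and the blinding that the privacy-preserving schemes [17-21] add to counter it, can be made concrete. The following Python is an added illustration and is not part of this paper or of any of the reviewed schemes. It models a block as an element of $\mathbb{Z}_p$ for a toy prime P, models the auditor's coefficients and the server's blinding factor r and hash value h(R) (the $\mu = \mu^* + r \cdot h(R)$ pattern of Section 5) as random field elements (assumptions), and supposes the auditor challenges the same n blocks in n audits. A curious auditor that sees the unblinded aggregates solves a linear system over $\mathbb{Z}_p$ and recovers the blocks; once each audit carries its own unknown r, every candidate file is consistent with the transcript.

```python
# Added example, not from the paper: why unblinded audit responses leak the
# challenged blocks, and why a per-audit blinding term stops that leak.
# Constructed toy: block sectors live in Z_p for the prime P below; the auditor's
# coefficients v_i and the server's r and h(R) are modelled as random field
# elements (assumption), and the same n blocks are challenged in every audit.
import random

P = (1 << 127) - 1  # a Mersenne prime; toy stand-in for the scheme's group order


def solve_mod_p(rows, rhs, p=P):
    """Gauss-Jordan elimination over Z_p.
    rows[k] holds the coefficients of audit k, rhs[k] its aggregate mu_k.
    Returns the unique solution, or None when the coefficient rows are dependent."""
    n = len(rows[0])
    m = [list(r) + [b % p] for r, b in zip(rows, rhs)]
    for col in range(n):
        pivot = next((i for i in range(col, len(m)) if m[i][col] % p), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col], -1, p)
        m[col] = [x * inv % p for x in m[col]]
        for i in range(len(m)):
            if i != col and m[i][col] % p:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[col])]
    return [m[i][n] for i in range(n)]


def plain_response(blocks, coeffs, p=P):
    """Aggregate mu* = sum_i v_i m_i that the non-private schemes return in clear."""
    return sum(v * m for v, m in zip(coeffs, blocks)) % p


def blinded_response(blocks, coeffs, r, h_R, p=P):
    """Blinded aggregate mu = mu* + r * h(R); the auditor sees R but not r."""
    return (plain_response(blocks, coeffs, p) + r * h_R) % p


def recover_blocks(transcripts, p=P):
    """Curious auditor: after n audits with independent coefficient vectors over the
    same n blocks, solve the linear system for the blocks."""
    return solve_mod_p([c for c, _ in transcripts], [mu for _, mu in transcripts], p)


def explaining_r(mu, coeffs, h_R, guess, p=P):
    """For a blinded transcript, the r' that makes an arbitrary guess of the blocks
    consistent with mu. One always exists (h(R) is nonzero), so mu alone is
    consistent with every possible file: the auditor learns nothing from it."""
    return (mu - plain_response(guess, coeffs, p)) * pow(h_R, -1, p) % p


def leak_demo(n_blocks=4, seed=7):
    """Returns (true blocks, blocks the auditor recovers from n plain audits)."""
    rng = random.Random(seed)
    blocks = [rng.randrange(P) for _ in range(n_blocks)]  # constructed sample file
    transcripts = []
    for _ in range(n_blocks):
        coeffs = [rng.randrange(1, P) for _ in range(n_blocks)]  # fresh challenge
        transcripts.append((coeffs, plain_response(blocks, coeffs)))
    return blocks, recover_blocks(transcripts)


def blinding_demo(n_blocks=4, seed=7):
    """Returns True when a wrong guess of the file is, from a blinded transcript,
    indistinguishable from the real file (some r' explains it) and the linear
    attack of leak_demo no longer returns the real blocks."""
    rng = random.Random(seed)
    blocks = [rng.randrange(P) for _ in range(n_blocks)]
    transcripts = []
    for _ in range(n_blocks):
        coeffs = [rng.randrange(1, P) for _ in range(n_blocks)]
        r, h_R = rng.randrange(1, P), rng.randrange(1, P)  # server side, fresh per audit
        transcripts.append((coeffs, blinded_response(blocks, coeffs, r, h_R), h_R))
    coeffs, mu, h_R = transcripts[0]
    guess = [rng.randrange(P) for _ in range(n_blocks)]  # any file the auditor suspects
    r_alt = explaining_r(mu, coeffs, h_R, guess)
    consistent = blinded_response(guess, coeffs, r_alt, h_R) == mu
    naive = recover_blocks([(c, m) for c, m, _ in transcripts])
    return consistent and naive != blocks


if __name__ == "__main__":
    true_blocks, found = leak_demo()
    print("plain audits leak the blocks:", found == true_blocks)
    print("blinded audits hide them:", blinding_demo())
```

The recovery needs as many audits over the same blocks as there are unknown blocks, with linearly independent coefficient vectors; solve_mod_p returns None otherwise. With blinding the count of unknowns grows by one per audit, so no number of transcripts makes the system determined, which is the property the schemes in Section 5 onward rely on.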
Recently, several public auditing schemes [17-21] with privacy preservation have been proposed. In [21], Li et al. proposed a privacy-preserving cloud data auditing scheme with efficient key update and claimed that it is provably secure in the random oracle model. The difference between Li et al.'s scheme and other existing schemes is that each block is further fragmented into a fixed number of sectors, and the authenticator of a block depends on every one of its sectors. In [19], Wang et al. proposed a privacy-preserving public auditing scheme for secure cloud storage and claimed that it is provably secure and highly efficient. In [17], Wang et al. proposed an earlier privacy-preserving public auditing scheme; but in [18], Worku et al. showed that in the scheme of [17] a malicious cloud server can forge a signature for any block of its choosing, so once the server holds the users' data it can modify that data as it wishes. Worku et al. also proposed an efficient privacy-preserving public auditing scheme and claimed that it is provably secure in the random oracle model. In this paper, however, we show that the schemes [18, 19, 21] are insecure: a malicious cloud server can break their data integrity checks without being detected by the auditor.
The rest of the paper is organized as follows. In Section 2, we review bilinear pairings and the computational Diffie-Hellman problem, which are relevant to the security of the discussed schemes. In Section 3, we review Li et al.'s scheme, and in Section 4 we present an attack on it. In Section 5, we review Worku et al.'s scheme. In Sections 6 and 7, respectively, we demonstrate that Worku et al.'s scheme and Wang et al.'s scheme are subject to the same attack. The conclusion is given in Section 8.
2. Preliminary
2.1. The Bilinear Pairing
Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$, and let $G_2$ be a cyclic multiplicative group of the same order. Let $e: G_1 \times G_1 \to G_2$ be a pairing map satisfying the following conditions:
(1) Bilinearity: for any $P, Q, R \in G_1$, [figure omitted; refer to PDF] In particular, for any $a, b \in \mathbb{Z}_q$, $e(aP, bP) = e(P, abP) = e(abP, P) = e(P, P)^{ab}$.
(2) Nondegeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
(3) Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.
2.2. Computational Diffie-Hellman (CDH) Problem
Given a generator $P$ of an additive cyclic group $G$ of order $q$ and $(aP, bP)$ for unknown $a, b \in \mathbb{Z}_q^*$, compute $abP$.
3. Brief Review of Li et al.'s Scheme
In [21], Li et al. proposed a privacy-preserving cloud data auditing scheme with key update. Here we review it, omitting the content related to key update.
CrsGen. On input a security parameter $\lambda$, this algorithm outputs a large prime $p$ and two multiplicative cyclic groups $G$, $G_T$ of the same order $p$. $g$ is a generator of $G$, $e: G \times G \to G_T$ denotes a bilinear map, and $H_0, H_1: \{0,1\}^* \to G$ are two collision-resistant cryptographic hash functions. In addition, the algorithm picks random $h, u_1, u_2, \dots, u_s \in G$ and computes $\eta = e(g, h)$. The common reference string is $crs = (p, G, G_T, g, e, H_0, H_1, h, u_1, u_2, \dots, u_s, \eta)$.
KeyGen. On input the common reference string $crs$, a cloud user generates a signing key pair $(spk, ssk)$ with $spk = g^{ssk}$, and another key pair $(a, v)$ for generating the authenticators of file blocks, where $a \in \mathbb{Z}_p$ and $v = g^a$. The secret key of the data user is $sk = (a, ssk)$ and the public key is $pk = (spk, v)$. For convenience, let $\eta_i = e(u_i, v)$, $i = 1, \dots, s$.
AuthGen. Given a file $F$, the data owner first applies an erasure code such as a Reed-Solomon (RS) code to obtain a processed file $F'$ and splits $F'$ into $n$ blocks. Each block is further fragmented into $s$ sectors $\{m_{ij}\}_{1 \le i \le n,\, 1 \le j \le s}$, each an element of $\mathbb{Z}_p$. The data user selects a file name $Fn$ from a sufficiently large domain. Let $t_0 = Fn \,\|\, n$. The data user computes $t = (H_0(t_0))^{ssk}$ and denotes the file tag $ft = t_0 \,\|\, t$. Then, for each $i$, $1 \le i \le n$, the user computes an authenticator $\sigma_i$ for block $i$ as [figure omitted; refer to PDF] Finally, the data owner stores [figure omitted; refer to PDF] in the cloud, where $Metadata = (\sigma_i)_{1 \le i \le n}$.
Proof. This is a 5-move interactive proof protocol executed between the cloud server and the auditor (TPA) as follows.
(1) The TPA picks a random integer $c$ and random $k, \varphi \in \mathbb{Z}_p$ and computes the commitment $\psi = g^k h^{\varphi}$. For $1 \le i \le c$, the TPA selects a random $v_i \in \mathbb{Z}_p$. The commitment $\psi$ and the challenge $chal = \{(i, v_i)\}_{1 \le i \le c}$, which fixes the positions of the challenged blocks in this auditing session, are sent to the cloud server.
(2) Upon receiving $(chal, \psi)$, the cloud server first chooses $r, \rho_r, \rho_1, \dots, \rho_s \in \mathbb{Z}_p$ at random and then computes [figure omitted; refer to PDF] and forwards $(T, \omega)$ to the TPA.
(3) The TPA sends $(k, \varphi)$ to the server.
(4) The server checks whether $\psi = g^k h^{\varphi}$. If the equation does not hold, the server aborts. Otherwise, it computes [figure omitted; refer to PDF] and sends $(z_r, z_1, \dots, z_s)$ to the TPA.
(5) The TPA first verifies the file tag $ft$ by checking whether the following equation holds: [figure omitted; refer to PDF] Then the TPA verifies the equation [figure omitted; refer to PDF]
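The commitment $\psi$ of move 1 and its check in move 4 form a Pedersen commitment to $(k, \varphi)$: the TPA fixes $k$ and $\varphi$ before it sees the server's $(T, \omega)$, and the server continues only if the later opening matches. The following Python is an added illustration, not code from Li et al.'s paper. It replaces the pairing group $G$ by a toy prime-order subgroup of $\mathbb{Z}_p^*$ (a 64-bit safe prime found at run time, an assumption) and covers only moves 1, 3 and 4, leaving out the pairing computations of moves 2, 4 and 5. It also shows the property the crs relies on: $\psi$ binds $k$ only as long as nobody knows $\log_g h$, so CrsGen must sample $h$ without anyone retaining that discrete logarithm.

```python
# Added example, not from Li et al.'s paper: the commit-then-open steps (moves 1,
# 3 and 4) of the Proof protocol above, run over a prime-order subgroup of Z_p^*
# instead of the pairing group G so that it executes with the standard library.
# Toy parameters (assumption): a 64-bit safe prime p = 2q + 1 found at run time;
# the pairing-based parts of moves 2, 4 and 5 are out of scope here.
import random


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin preceded by trial division for small factors."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, rng):
    """Return (p, q) with p = 2q + 1 and both prime."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q


def crs_gen(bits=64, seed=1):
    """Toy CrsGen: generators g, h of the order-q subgroup. A real crs must sample h
    so that nobody knows t = log_g(h); t is kept here only to show what happens if
    the committer does know it."""
    rng = random.Random(seed)
    p, q = safe_prime(bits, rng)
    g = 1
    while g == 1:
        g = pow(rng.randrange(2, p - 1), 2, p)  # a square has order q (or 1)
    t = rng.randrange(2, q)
    return {"p": p, "q": q, "g": g, "h": pow(g, t, p), "trapdoor": t}


def tpa_commit(crs, rng):
    """Move 1: the TPA picks k, phi and sends psi = g^k h^phi with the challenge."""
    k, phi = rng.randrange(1, crs["q"]), rng.randrange(1, crs["q"])
    psi = pow(crs["g"], k, crs["p"]) * pow(crs["h"], phi, crs["p"]) % crs["p"]
    return psi, (k, phi)


def server_accepts_opening(crs, psi, k, phi):
    """Move 4: the server continues only if psi == g^k h^phi for the revealed (k, phi)."""
    return psi == pow(crs["g"], k, crs["p"]) * pow(crs["h"], phi, crs["p"]) % crs["p"]


def equivocate(crs, k, phi, k_new):
    """A committer that knows t = log_g(h) rewrites psi = g^(k + t*phi) as
    g^(k_new + t*phi_new) with phi_new = phi + (k - k_new) / t mod q, so the
    commitment binds k only while t is unknown to the TPA."""
    t, q = crs["trapdoor"], crs["q"]
    return k_new, (phi + (k - k_new) * pow(t, -1, q)) % q


def run_protocol(seed=3):
    """Honest opening, a mismatched opening, and a trapdoor-equivocated opening."""
    crs = crs_gen(seed=seed)
    rng = random.Random(seed + 1)
    psi, (k, phi) = tpa_commit(crs, rng)
    honest = server_accepts_opening(crs, psi, k, phi)
    tampered = server_accepts_opening(crs, psi, (k + 1) % crs["q"], phi)
    k2, phi2 = equivocate(crs, k, phi, (k + 1) % crs["q"])
    equivocated = server_accepts_opening(crs, psi, k2, phi2)
    return {"honest": honest, "tampered": tampered, "equivocated": equivocated}


if __name__ == "__main__":
    print(run_protocol())
```

The third result is the practitioner's check on the setup: if the party that generates the crs keeps $\log_g h$ and later acts as (or colludes with) the TPA, the opening in move 3 can be chosen after $(T, \omega)$ is known, and the server's check in move 4 no longer enforces anything.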
4. Attack on Li et al.'s Scheme
In this section, we show that Li et al.'s scheme is vulnerable to a modification attack on the data integrity check.
In the Proof phase, the malicious cloud server can change data blocks by modifying their sectors. It changes [figure omitted; refer to PDF] into [figure omitted; refer to PDF] respectively, where $b \in \mathbb{Z}_p$ is randomly selected by the server. All other computations remain unchanged. Now the forged proof information [figure omitted; refer to PDF] passes the auditor's verification.
Theorem 1.
The forged proof information $(T, \omega, z_r, \bar{z}_1, \dots, \bar{z}_s)$ produced in the above analysis passes the auditor's verification.
Proof.
In fact, [figure omitted; refer to PDF] But [figure omitted; refer to PDF] So [figure omitted; refer to PDF] Hence $(T, \omega, z_r, \bar{z}_1, \dots, \bar{z}_s)$ passes the auditor's verification; it is valid proof information. The malicious cloud server thus succeeds in its modification attack on the data integrity check.
5. Brief Review of Worku et al.'s Scheme
In this section, we give a brief review of Worku et al.'s scheme [18], which consists of four algorithms.
Let $G_1 = G_2 = G$ and let $e: G \times G \to G_T$ be a bilinear map, where $G$ and $G_T$ are multiplicative cyclic groups of prime order $p$. Let $g$ be a generator of $G$. Let $H: \{0,1\}^* \to G$ be a hash function mapping strings to $G$, and let $h(\cdot): G \to \mathbb{Z}_p$ be another hash function mapping elements of $G$ uniformly to $\mathbb{Z}_p$.
KeyGen. The data user first generates a random signing key pair $(ssk, spk)$, then chooses $x \leftarrow_R \mathbb{Z}_p$ and $u \leftarrow_R G$ and computes $v = g^x$. The user keeps $sk = (x, ssk)$ as the secret key and publishes $pk = (u, v, g, spk)$ as the public parameters.
SigGen. For file naming, the user chooses a random element $name \in \mathbb{Z}_p$ for the file $F = \{m_i\}_{1 \le i \le n}$ and computes the file tag $t = name \,\|\, Sig_{ssk}(name)$. Next, for each block $m_i \in \mathbb{Z}_p$, the user generates a signature $\sigma_i$ as follows: [figure omitted; refer to PDF] Finally, the user sends $\{F, \varphi = \{\sigma_i\}_{1 \le i \le n}, t\}$ to the cloud server for storage and deletes the file and its signature set from local storage. Whenever the auditor wants to start the auditing protocol, it first retrieves the file tag $t$ for $F$, checks its validity using $spk$, and quits if the check fails. If the signature on $t$ is valid, the auditor sends a challenge $chal$ to the server: it picks random elements $c, k_1, k_2 \in \mathbb{Z}_p$ and sends $chal = (c, k_1, k_2)$, where $k_1$ and $k_2$ are the keys of the pseudorandom permutation and pseudorandom function used below, chosen afresh by the auditor for each audit.
ProofGen. After receiving the challenge, the server first determines the subset $I = \{s_j\}$ ($1 \le j \le c$) of $[1, n]$ using a pseudorandom permutation $\pi_{key}(\cdot)$ as $s_j = \pi_{k_1}(j)$, and determines $v_{s_j} = f_{k_2}(j)$ ($1 \le j \le c$) using a pseudorandom function $f_{key}(\cdot)$. Then, for $i \in I$, the server computes [figure omitted; refer to PDF]
For blinding, the server chooses a random element $r \leftarrow \mathbb{Z}_p$ using the same pseudorandom function, as $r = f_{k_3}(chal)$, where $k_3$ is a pseudorandom function key generated by the server for each audit. The server then calculates $R = u^r$ and $\mu = \mu^* + r \cdot h(R)$ and sends $(\mu, \sigma, R)$ to the auditor.
VerifyProof. Upon receiving the proof $(\mu, \sigma, R)$, the TPA computes $s_j = \pi_{k_1}(j)$ and $v_{s_j} = f_{k_2}(j)$ for $1 \le j \le c$. Finally, the auditor verifies the proof by checking the following equation and outputs "True" if it holds and "False" otherwise: [figure omitted; refer to PDF]
6. Attack on Worku et al.'s Scheme
In this section, we demonstrate that a malicious cloud server can break the integrity check by a modification attack.
Suppose a file $M$ from the data user is divided into $n$ blocks, that is, $M = m_1 \,\|\, m_2 \,\|\, \cdots \,\|\, m_n$. Let $\sigma_i$ be the authentication tag of $m_i$. Let $A$ be a malicious cloud server. When $A$ receives the file $M$, $A$ may replace each file block $m_i$ with $a \cdot m_i$, where $a \in \mathbb{Z}_p$ is randomly selected by $A$. Upon receiving the challenge, in the ProofGen phase $A$ changes [figure omitted; refer to PDF] into [figure omitted; refer to PDF] respectively. All other computations remain unchanged. Then the forged proof information [figure omitted; refer to PDF] passes the auditor's verification.
Theorem 2.
The forged proof information $(\bar{\mu}, \sigma, R)$ produced in the above analysis passes the auditor's verification.
Proof.
In fact, from the equations [figure omitted; refer to PDF] produced by the malicious cloud server, the following derivation holds: [figure omitted; refer to PDF] So $(\bar{\mu}, \sigma, R)$ passes the auditor's verification, and it is valid proof information. The malicious cloud server that modifies the file blocks succeeds in deceiving the auditor.
7. Attack on Wang et al.'s Scheme
To save space we do not review Wang et al.'s scheme; for a detailed description, readers can refer to [19]. Because of its similarity to Worku et al.'s scheme, Wang et al.'s scheme is subject to the same attack.
When the malicious cloud server $A$ receives a data file $M = m_1 \,\|\, m_2 \,\|\, \cdots \,\|\, m_n$, $A$ may similarly replace each file block $m_i$ with $a \cdot m_i$, where $a \in \mathbb{Z}_p$ is selected by $A$. Upon receiving the challenge, in the ProofGen phase $A$ changes [figure omitted; refer to PDF] into [figure omitted; refer to PDF] respectively. All other computations remain unchanged. Then the forged proof information [figure omitted; refer to PDF] passes the auditor's verification.
Theorem 3.
The forged proof information $(\bar{\mu}, \sigma, R)$ produced in the above analysis passes the auditor's verification.
Proof.
In fact, from the equations [figure omitted; refer to PDF] produced by the malicious cloud server, the following derivation holds: [figure omitted; refer to PDF]
So $(\bar{\mu}, \sigma, R)$ passes the auditor's verification; it is valid proof information. The malicious cloud server succeeds in deceiving the auditor.
8. Conclusion
In this paper, we analyzed three existing privacy-preserving public auditing schemes for secure cloud storage and demonstrated an attack against them, in which a malicious cloud server that modifies the data blocks succeeds in forging proof information for the data integrity check. As far as we know, proposing a secure privacy-preserving public auditing scheme remains an open problem.
Acknowledgments
This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).
[1] M. Sookhak, H. Talebian, E. Ahmed, A. Gani, and M. K. Khan, "A review on remote data auditing in single cloud server: taxonomy and open issues," Journal of Network and Computer Applications, vol. 43, pp. 121-141, 2014.
[2] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, "Provable data possession at untrusted stores," in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 598-609, Virginia, USA, November 2007.
[3] G. Ateniese, S. Kamara, and J. Katz, "Proofs of storage from homomorphic identification protocols," in Advances in Cryptology (International Conference on the Theory and Application of Cryptology and Information Security), vol. 5912, pp. 319-333, 2009.
[4] R. Lu, X. Lin, T. H. Luan, X. Liang, and X. Shen, "Pseudonym changing at social spots: an effective strategy for location privacy in VANETs," IEEE Transactions on Vehicular Technology, vol. 61, no. 1, pp. 86-96, 2012.
[5] N. Kaaniche, A. Boudguiga, and M. Laurent, "ID-based cryptography for secure cloud data storage," in Proceedings of the IEEE Sixth International Conference on Cloud Computing, pp. 375-382, 2013.
[6] Q.-A. Wang, C. Wang, K. Ren, W.-J. Lou, and J. Li, "Enabling public auditability and data dynamics for storage security in cloud computing," IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 847-859, 2011.
[7] J. Yuan and S. Yu, "Public integrity auditing for dynamic data sharing with multiuser modification," IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, pp. 1717-1726, 2015.
[8] K. Zeng, "Publicly verifiable remote data integrity," in Proceedings of the 10th International Conference on Information and Communications Security, pp. 419-434, 2008.
[9] Y. Zhu, H. Hu, G.-J. Ahn, and M. Yu, "Cooperative provable data possession for integrity verification in multicloud storage," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 12, pp. 2231-2244, 2012.
[10] Y. Zhu, H. Wang, Z. Hu, G. J. Ahn, H. Hu, and S. S. Yau, "Dynamic audit services for integrity verification of outsourced storages in clouds," in Proceedings of the 26th Annual ACM Symposium on Applied Computing (SAC '11), pp. 1550-1557, March 2011.
[11] L. Xue, J. Ni, Y. Li, and J. Shen, "Provable data transfer from provable data possession and deletion in cloud storage," Computer Standards & Interfaces, 14 March 2016.
[12] H. Jin, K. Zhou, H. Jiang, D. Lei, R. Wei, and C. Li, "Full integrity and freshness for cloud data," Future Generation Computer Systems, 2016.
[13] H. Wang, J. Domingo-Ferrer, Q. Wu, and B. Qin, "Identity-based remote data possession checking in public clouds," IET Information Security, vol. 8, no. 2, pp. 114-121, 2014.
[14] J. Zhang and Q. Dong, "Efficient ID-based public auditing for the outsourced data in cloud storage," Information Sciences, vol. 343-344, pp. 1-14, 2016.
[15] Y. Yu, L. Xue, and M. H. Au, "Cloud data integrity checking with an identity-based auditing mechanism from RSA," Future Generation Computer Systems, vol. 62, pp. 85-91, 2016.
[16] L. Wei, H. Zhu, Z. Cao, X. Dong, W. Jia, Y. Chen, and A. V. Vasilakos, "Security and privacy for storage and computation in cloud computing," Information Sciences, vol. 258, pp. 371-386, 2014.
[17] C. Wang, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for data storage security in cloud computing," in Proceedings of IEEE INFOCOM, pp. 525-533, March 2010.
[18] S. Worku, C. Xu, J. Zhao, and X. He, "Secure and efficient privacy-preserving public auditing scheme," Computers & Electrical Engineering, vol. 40, pp. 1703-1713, 2014.
[19] C. Wang, S. S. Chow, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for secure cloud storage," IEEE Transactions on Computers, vol. 62, no. 2, pp. 362-375, 2013.
[20] J. Zhang and X. Zhao, "Privacy-preserving public auditing scheme for shared data with supporting multi-function," Journal of Communications, vol. 10, no. 7, pp. 535-542, 2015.
[21] Y. Li, Y. Yu, B. Yang, G. Min, and H. Wu, "Privacy preserving cloud data auditing with efficient key update," Future Generation Computer Systems, 2016.
Copyright © 2017 Baoyuan Kang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Abstract
With the development of the Internet, cloud computing has emerged to provide services to data users. It is then necessary for an auditor, on behalf of the users, to check the integrity of the data stored in the cloud, and the cloud server must also ensure the privacy of the data. In a usual public integrity checking scheme, a linear combination of data blocks is returned for verification; but after several audits of the same data blocks, the auditor could derive those blocks from the collected linear combinations. Recently, a number of privacy-preserving public auditing schemes have been proposed. By blinding the linear combinations of data blocks, the authors of these schemes believed that the auditor cannot derive any information about the data blocks, and they claimed that their schemes are provably secure in the random oracle model. In this paper, through a detailed security analysis of these schemes, we show that they are vulnerable to an attack by a malicious cloud server that modifies the data blocks and still succeeds in forging proof information for the data integrity check.