Cloud Security Using Third Party Auditing and Encryption Service

Abstract
Cloud Computing is evolving and considered next generation architecture for computing. Typically cloud computing is a combination of computing recourses accessible via inter-net. Historically the client or organisations store data in data centers with rewall and other security techniques used to protect data against intrudes to access the data. Since the data was con ned to data centers in limits of organisation, the control over the data was more and well de ned procedures could be used for accessing its own data. However in cloud computing, since the data is stored anywhere across the globe, the client organ-isation have less control over the stored data. To built the trust for the growth of cloud computing the cloud providers must protect the user data from unauthorised access and disclosure. One technique could be encryting the data on client side before storing it in cloud storage, however this technique has too much burden from client perspective in terms of key management, maintainence perspective etc. Other way could be this kind of security service like computing hash of dat and verifying integrity of data, encryp-tion/decryption service if provided by same cloud storage provider, the data compromise cannot be ruled out since same provider has access to both storage and security service. Divide and rule can be one of the techniques, meaning dividing the responsibilities amongst di erent cloud services providers can bene t the client. A trusted 3rd party cloud provider be used to provide security services, while the other cloud provider would be data storage provider. The trusted 3rd party security service provider would not store any data at its end, and its only con ned to providing security service. The application or software will provide data integrity veri cation by using hashing algorithm like SHA-1, provide encryption/decryption using symmetric algorithm like AES, and de ning band of people who can access the shared data securely can be achieved by de ning access list. The Software is only responsible for encryption/decryption, computing/verifying the hash of the data and does not store any data in trusted 3rd party security system server. The encrypted data along and original data hash are stored in Separate Cloud (Security Cloud), therefore even if the storage cloud system administrator has access user data, since the data is encrypted it will be di cult for the system adminis-trator to understand the encrypted data. While the user downloads the data from Storage Cloud, it is decrypted rst and then new hash is calculated which is then compared with

hash of original data stored in Security Cloud. Finally, this software/application provides the user with the ability to store the encrypted data in Storage cloud and hash and en-cryption/decryption keys in security cloud service, and no single cloud service provider has access to both. Other bene t of delegating responsibility to trusted 3rd party is that it reliefs the client from any kind of key management or over head is maintainance of any key information related to data on it device, because of which it allows the client to use any browser enabled devices to access such service. Keywords - Cloud computing; Hash service; encryption and decryption service; data protection and integrity.

Contents
List of Figures 1 INTRODUCTION 1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2 Problem De nition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Literature Survey 2.1 Overview of cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.1 Overview of working of cloud . . . . . . . . . . . . . . . . . . . . 2.1.2 Cloud Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.3 Cloud Service Models . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.4 Cloud Deployment Models . . . . . . . . . . . . . . . . . . . . . . 2.1.5 Security issues in cloud . . . . . . . . . . . . . . . . . . . . . . . . 2.1.6 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 System Design
3.1 Business Model with separate encryption/decryption and hashing service. 11

iii 1 1 2 3 4 4 5 6 6 7 8 9 10 11

3.2 Typical Scenarios In Design . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.2.1 Data Upload Scenario . . . . . . . . . . . . . . . . . . . . . . . . 12

3.2.2

User Data Download Scenario . . . . . . . . . . . . . . . . . . . . 14 Group User Data Download Scenario . . . . . . . . . . . . . . . . 15 Selection Of AES . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 18

3.2.3 3.3.1

3.3 Algorithm selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.4 Technologies Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4 Implementation 4.1 Outline of the AES Algorithm . . . . . . . . . . . . . . . . . . . . . . . . 20 4.2 Implementation Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 5 Testing and Result 5.1 Testinng Result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 5.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Conclusion and Future work 6.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

20

26 27 28 28 28

List of Figures
2.1 Cloud Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.3 User Data Upload Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . 14 3.4 User Data Download Scenario . . . . . . . . . . . . . . . . . . . . . . . . 16

7 12 13

3.5 Group User Data Download Scenario . . . . . . . . . . . . . . . . . . . . 17

4.1 ClientApp Login Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 4.2 New User Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 4.3 User Uploads Con dential File . . . . . . . . . . . . . . . . . . . . . . . . 23

4.4 User Adds Accessor To Con dential File . . . . . . . . . . . . . . . . . . 24

4.5 Accessor Viewing Con dential File . . . . . . . . . . . . . . . . . . . . . 4.6 Owner Viewing Con dential File . . . . . . . . . . . . . . . . . . . . . . 5.1 Sample Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Encrypted Con dential File Stored In Storage Cloud . . . . . . . . . . .

25 25 26 27

iii

Chapter 1

INTRODUCTION
1.1 Motivation

With evolution of computers the life of people became more and more easily. They where able to keep there data on there devices, and started nding ways to make them acces-sible to others, for example say by using oppy, writable disks, which was followed by portable hard-disk, all these where expensive in there own way during there time. The data was very much private on personal devices like PC,laptops, mobile phones etc, there-fore sharing data with others was considered to be expensive. As the world of computing got more advanced the ways for sharing data started becoming cheaper and cheaper. In recent years a new term has evolved call "Cloud" which is provided by di erent provides, and which is nothing but facility or service of di erent resources or components like hard-ware, platform, storage's, software etc, and it is gaining importance because it frees the user from maintenance perspective on a investment of some money for the use of these services provided by cloud service providers.

Now to provide such service to the client, naturally the provider's must have and rather can have access to resources which are used by the people/clients. Among the reasons these access are greatly required are for maintenance perspective. And de - nitely since billions of clients will be thinking about using such service, the infrastructure ought to be capable enough to support them, and these resources ought to be shared between billions of client's. Service availability, data syncronization between di erent devices, availability of data via any devices which includes browser facility make cloud more attractive. Now since the info gets shared or stored in providers area, the client

gets worried about privacy of its data, although there are certain agreements and SLA which are agreed by cloud provider and client. Now although client have a platform to generally share the info, the expense of securing his/her data or in a nutshell making its data private gets costlier.
The cloud term is of interest not just to the patient clients but to organizations as well. With organization as a consumer the concern of data security becomes multifold. Consider a typical example of small scale business that has di erent departments like HR, Finance, etc. We will focus on nance department since nance details of any business/company/organization is considered to be very sensitive and must be con dential. Therefore if the little scale company thinks of using the cloud services like storage. Storing all account/ nance related information in cloud stored makes it prone to leakage of sensitive information tell un-authorized users. Therefore securing this nance data is vital before it gets uploaded to the storage cloud, and just in case the data stored in cloud storage gets tampered there should be a method to verify the integrity of the data, moving futher speci c band of people should have access to this data which may be folks from nance deparment of client company or special auditors. Simply speaking the client must have the ability to store the data securely, verify the integrity of the data, share the data securely with speci c band of people.

1.2

Problem De nition

The clients concern about data security, data integrity, and sharing data with speci c band of men and women must be addressed. You can nd multiple means of achieving this, example encryting data on client machine and then storing the information to cloud storage server, computing hash of the information on client machine and storing hash of data in client machine, client trying out the responsibility of sharing the trick key about encryption with speci c band of people. Therefore it becomes more tedious for client to keep these information and share such information, more over in the event the device which stores such information is lost or stolen it pose a threat to the total data. Another way could be same storage cloud provider providing the service for secured sharing, hash-ing,

encryption/decryption, but since administratives can have use of both services for maintainance, the security service provided by the cloud storage provider, the informa-tion might be compromised. The aforementioned approches burdens the client by which

makes it additionally accountable for securing it data before storing it to the cloud storage.

1.3

Objectives

Our objective is to build a security service which will be provided with a trusted 3rd party, and would lead to providing only security services and wouldn't store any data in its system. Detailing it further. 1. To construct Web service system which would provide data integrity veri cation, provide encryption/decryption of the consumer data. 2. De ning access list for sharing data securely with speci c band of individuals. 3. To construct thin client application which would call this web service before upload-ing/downloading the data to and from cloud.

Chapter 2

Literature Survey
The analysis behind this topic could be subdivided into 3 di erent sub- elds:
1. Study of cloud computing and various cloud computing models IaaS, PaaS, SaaS etc, study of di erent business models, and study of service level agreements.

2. Study of security issues in cloud. 3. Study of Cryptography.

2.1

Overview of cloud

Cloud computing describes the combination of logical entities like data, software which are accessible via internet. Client data is generallly stored in banks of servers spread across the globe. Historically, each software like a phrase processor or paint brush required a license to be installed on clients machine. However with this is of workgroup becoming more highlighting, the client-server model arrived to existence, which provided large storing capabilities allowing users to host applications with data for workgroup. The client machine would demand a browser to get into these server functionality, and would use client CPU and memory for processing.
Cloud computing will vary from traditional client-server model by providing applications from the server which are executed and managed by a client's internet browser, with no installed client version of a credit card application require. Cloud providers frees the client from software license management etc, since the services are accessible via internet. Software as a Service (SaaS), given by cloud company, require
4

browser enabled devices like personal computers, laptops, and latest devices like smartphone, tablets etc, to access these services once an individual is registered in cloud. For instance, in case an individual opts for storage service from the cloud provider, then she or he can upload personal information, code, music, movies, songs, photographs, which are stored anywhere across the planet in the server bank under cloud company, the geographic storage location is generally kept unknown to the user. Since only browser enabled device are su cient to access these les, di erent devices could be kept in sync.

2.1.1 Overview of working of cloud

Generally the cloud services are browser based, therefore any browser enabled device such as for instance laptop, desktop, smartphone, tablets can used to gain access to these services, the services at providers end may be hosted on any platform, from windows, linux, etc, which are accessible via internet. As an example consider a regular income and expenditure application which gives di erent analysis on expenditure by a person, this application could be executing on cloud providers server, whilst the client browser will allow client to feed in the inputs and visualize the analysis prepared for the inputs provided, these analysis computation is completed at server side. Suppose this application can futher create documentation on monthly bases which often can be stored in cloud storage once again relieving the client from storing or processing the le on its side. Because the cloud services are o ered via internet, a signi cant factors which play a important role in performance are speed of internet, processing power of the individual.

While the cloud providers have server banks, to boost the processing power, multi-ple server are often used internally by the cloud service provides. This pooling is invisible to the client. On another hand if these heavy tasks were to be executed on client side, it would require investment in hardware, time. Due to cloud, it frees the client from buying expensive hardware and investing his/her valuable time, since time is money. Having studied the overview of working cloud, let's now understand some of the essential characteristics On-the- y service
A consumer can require more capabilities at any movement of time, example processing power for huge task, and these requirement must of ful lled without human

intervention and be invisible to client [4]. Wide Accessibility Generally the cloud service are available via standard network protocols, it promotes di erent types of clients platforms (like, smart phones, laptops etc) for accessing these services [4]. Pooling Of Resources
The pooling of the resources at cloud providers end is invisible to the end client, and resource assignment is done dynamically depending the need of the client [4].

Measured service Cloud has enough resources, and amount used by each client is measured by metering capability, and controlled at some level, for optimized resource usage, (like storage) [4]. 2.1.2 Cloud Layers At high level, cloud computing architecture can be partitioned into 1. Client or front end platform (thin or thick client). 2. Back-end platform (storage server etc). 3. The network (Internet etc) These client platforms communicate with the cloud data storage via an application (hosted on middleware), accessible via a browser. 2.1.3 Cloud Service Models In this section let's understand di erent service models of cloud. SaaS Software as a Service (SaaS) also known as \on-demand software", as it name says allows client to use software services supplied by cloud provider via web browser. The management of server, internal cloud network, operating system, application con guration on middleware are responsibilities of cloud provider. SalesForce is among SaaS company which supplies di erent software services.
6

Figure 2.1: Cloud Layers

PaaS Platform as a Service (PaaS) as the names suggests, cloud provider provides plat-form for deployment of user application, but doesn't give control of underlying hardware or infrastructure (storage, network). IaaS
Infrastructure as a Service (IaaS) wherein limited accessibility for group of infrastructure is provided to the client for storage, network, processing etc. The client can deploy and execute is application using these infrastructure, the key advantage is frees the client on buys or purchasing top end servers, softwares, data-center space, network infrastructure etc. The clients are charged on per-use basis [4].

2.1.4 Cloud Deployment Models In this section we focus our attention to some of the primary cloud models Public Cloud

Public cloud is a couple of resources such as for instance storage or application, are made available to the general public online by the cloud provider. The client is is billed based on the usage or the service may be free. Community Cloud
7

Community cloud share the underlying infrastructure with other organization which share common interest like security etc. It's not completely public and the fee is shared by community members. Neither it is totally public not fully private. Private Cloud Private cloud as it name says, is internal to an organization. It can either be managed internally or by trusted 3rd party. The cloud is only accessible to internal organization or say designated employee of the organization. 2.1.5 Security issues in cloud Every coin has 2 side, and cloud computing is no exception. There is criticism about privacy in cloud model, because of the fact that administrator have access to data stored in the cloud. They can unintentionally or intentionally access the client data. Traditional security or protection techniques need a reconsideration for cloud. Except for private cloud where organization does not have control over the equipment, the progress of cloud is seems little slow, because organizations think instead of compromising on the security of the data, they are still willing to invest in buying private equipment to setup there own infrastructure. Security issues which are of concern to the client can be classi ed into sensitive data access, data segregation, bug exploitation, recovery, accountability, malicious insiders, account control issues. Like di erent disease have di erent medicines, di erent cloud security issues have di erent solutions, like cryptography, use of more than one cloud provider, strong service level agreement between client and cloud service provider. Heavy investment is needed to secure the compromising data in cloud. Cloud can grow only if it is possible to build a trust in client, and which can be built only if security concerns are being addressed. Following are some of the concerns, 1. System Complexity
Compared to traditional data center the cloud architecture is much more complex. Therefore while considering security, security of all these components and interaction of these components with each other needs to be addressed [13].

2. Shared Multi-tenant Environment Since the cloud need to provide service to millions of client, a logical separation of data is done at di erent level of the application stack [13]. Because of which a
8

attacker in the face o client can exploit the bugs gaining access to data from other

organizations [13]. 3. Internet-facing Services The cloud service which is accessed over the internet via browser, the quality of service delivered on the network is another concern [13]. 4. Loss of control As the data of client is stored anywhere across the world control loss over physical, logical of system,and alternative control to clients assets, mismanagement of assets are some additional concerns [13]. 2.1.6 Cryptography
Cryptography is a eld of computer science & mathematics which deals with information security and related issues, in particular encryption and authentication. In greek the word kryptos mean "hidden" while the word graphein mean "to write". During encryption a plain-text is converted into cipher text, while the reverse process termed as decryption converts the cipher text into plain-text. The cipher is in unreadable format.

AES
The Advanced Encryption Standard (AES) is a symmetric key encryption/decryption algorithm for converting plain-text to cipher text and vice-versa. Since the same key or master key is used, the must be kept secret or with trusted 3rd party, because compromise of this key would mean compromise to the data.

De e Hellman Di e Hellman key exchange is a technique to exchange cryptographic keys between 2 parties with no prior knowledge of each other. It allows the 2 parties to establish a secret key which can be used for further secured communication. SHA-1
SHA stands for "Secure Hash Algorithm", SHA-1 is a cryptographic hash function technique where hash of data is computed. As compared to SHA-0, SHA-1 is widely used because it corrects errors in SHA hash speci cation, which led to weakness.
9

2.2

Summary

The literature survey helped us gain a better insight with reference to cloud computing, di erent models of cloud computing, current security issue. Understanding di erent encryption/decryption algorithms like AES, SHA-1, De e Hellman. During the survey it is noted that lot of research is going on in cloud computing security issues and how to overcome the security issues and to gain cloud users con dence.

10

Chapter 3

System Design
In the proposed design, a hash service data integrity veri cation, encryption/decryption service, and provision for de ning list of people which can access data securely, is provided by a trusted 3rd party which is separate from the storage cloud provider.

3.1

Business

Model

with

separate

encryption/decryption

and

hashing service.
The system provides hash, accessl list, encryption/decryption by a trusted 3rd party over the network in the form of "Software as a Service" (SaaS)[1]. The system has a separate storage service which is also provided as a SaaS. The data storage for each client is done in database in the form of "BLOB". The trusted 3rd party which provides these securty services does not store any data at its ends, and stores only master key for each client for data encryption and decryption, and hash of the data which is calculated on client side. To enhance the security, the communication between client and security server is secured using Di e Hellmen key, which is used as a input for AES. This division of responsibility has big e ect, as no single provider has access to other data and security key, hash at the same time.

Figure 3.1. is an overview of the architecture where storage and encryption/decryption/hash services (security services) are separated. For example (as described in chapter 1, Motivation) a small or medium scale business who wish to store all its account related data in cloud storage, will rst calculate the hash of the data, encrypt the data using encryption
11

Figure 3.1: System Architecture

service and then store the data in storage provided by separate provider. The system also provides functionality where other users from small scale business Company will be able to access data which is stored in cloud storage. The sessions between client and security server is secured using Di e Hellmen Key and AES as the encryption algorithm. SHA-1 is used for calculating the hash of the data, and AES is used a encryption/decryption algorithm for computing cipher at security server end. Figure 3.2 show the use case diagram of the system.

3.2

Typical Scenarios In Design

Typical 3 basic scenarios are, user data upload, user data download, group user access. In this section we discuss the each of these scenarios. 3.2.1 Data Upload Scenario 1. The end user login to the system with his/her username & password.
12

Figure 3.2: Use Case 2. Once the user is authenticated, the De e Hellman key is exchanged for the session.

3. Now a user can select the les which he/she wants to upload it to storage cloud. 4. The user can also select is he/she wants to share the le with speci c users. 5. The hash of the data in le is calculated, using SHA-1 ( original hash ). 6. The data in le is now encrypted using DH keys. 7. The complete encrypted le and original hash of le data, are now transferred to Security Cloud. 8. At Security Cloud, encrypted les is decrypted back using DH key, while the hash is sorted in security cloud database. 9. The decrypted le is now encrypted with Symmetric Algorithm namely AES, using the Master Key generated for each user during user creation. 10. File ID, original hash ( le/data hash ), master key for each user are stored in Security Cloud database.
13

11. The Security Cloud now discards any contents of the les from its system, and does not store any le contents in its system. 12. The Encrypted le is sent back to user, to be uploaded to Storage Cloud. 13. The user now can upload the encrypted le to Storage Cloud.

Figure 3.3: User Data Upload Scenario

3.2.2 User Data Download Scenario 1. The end user login to the system with his/her username & password.
2. Once the user is authenticated, the De e Hellman key is exchanged for the session.

3. Now a user can select the les which he/she wants to download it from storage cloud.
14

4. The encrypted le is now downloaded from storage cloud to users mach in. 5. The complete encrypted le is now transferred to Security Cloud. 6. The data in le is now encrypted using DH keys. 7. The complete encrypted le and original hash of le data, are now transferred to Security Cloud. 8. At Security Cloud, decrypted les with Symmetric Algorithm namely AES using Master Key stored in security cloud database for each user. 9. The decrypted le is now encrypted with DH key.
10. The DH encrypted le and hash of the corresponding le is now passed to the users.

11. At user end, on receiving the encrypted le, it is decrypted with DH keys.
12. The hash of decrypted le is calculated using SHA-1 and original hash are now compared to see if they match, and accordingly appropriate message like, File tampered or File is intact are ashed on user screen. Thus the integrity of the data is veri ed.

3.2.3 Group User Data Download Scenario 1. The end user login to the system with his/her username & password.
2. Once the user is authenticated, the De e Hellman key is exchanged for the session.

3. Now a user can select the les which are shared by other user. 4. The encrypted le is now downloaded from storage cloud to users machine. 5. The complete encrypted le is now transferred to Security Cloud. 6. At Security Cloud, decrypted les with Symmetric Algorithm namely AES using Master Key stored in security cloud database for each user. 7. The decrypted le is now encrypted with DH key. 8. The DH encrypted le is now passed to the group users. 9. At user end, on receiving the encrypted le, it is decrypted with DH key.
15

Figure 3.4: User Data Download Scenario

10. The group user can now view the le; & the data integrity is also veri ed at group users end.

Since the responsibility is divided between 2 providers, Storage Cloud provider and Security Cloud provider are di erent, the Storage Cloud provider although has access to le/data, it is in encrypted format, and it has no access to any kind of encryption/decryption keys. Second, as the Security Cloud only stores users master key and encrypted data hash, and does not store any data/ le, therefore it has no use of the keys. In case the data/ le is tampered anywhere it will be caught during the integrity veri cation. Third, while the session keys are established during the user login, all the cascading data transfer is secured. This allows the user to access its data from any machine, which is one of the de nite of cloud services. Thus the user data transferred

16

Figure 3.5: Group User Data Download Scenario

and stored in secured manner in storage cloud. Fourth it is possible to share data with preferred band of people securely.

3.3

Algorithm selection

In this section we discuss some of the advantages of selection of particular algorithms over the other. We begin with discussion of AES. 3.3.1 Selection Of AES
Broadly speaking the encryption/decryption can be done via symmetric key or asym-metric key.In symmetric algorithms, both parties share the secret key for both encryp-tion/decryption, and from privacy perceptive it is important that this key is not compro-mised, because cascading data will then be compromised. Symmetric encryption/decryption require less power for computation. On the other hand asymmetric algorithms use pairs of keys, of which one key is used for encryption while other key is used for decryption.
17

Generally the private key is kept secret and generally held with the owner of data or trusted 3rd party for the data, while the public key can be distributed to others for encryption. The secret key can't be obtained from the public key. In our case since the encryption/decryption is performed on trusted 3rd party server, symmetric key is used, and it delegates the burden of key management to the trusted 3rd party. If key management where to be done at clients end it would mean, 1. either they have to remember the big key 2. store the key in all devices/machine which will be used to access the cloud services, which make user device a bottleneck. 3. individual owner has to take the responsibility of sharing the key with speci c authorized group of user which he/she de ne. While on the other hand using symmetric key encryption the master key or private key usage which would be stored in security cloud provider per user gives the client the advantage like, 1. freedom from remembering any key. 2. Client can use any device/machine to access the data stored in cloud. 3. the client need not worry as to how the data will be shared securely, the client just need to de ne the individual whom he/she wants to share the data with.

3.4

Technologies Used

In order to implement a cloud architecture or a Software As A Service (SaaS architecture)

we need 1. WebService { Need to implement a web service. 2. GlassFish Server { to host web service 3. SOAP API { to be able to call web service at client side we need to use SOAP API or even XML. version 3.2. 4. Java 1.6.

18

5. Operating System Windows 7.

6. MySQL 5.2.

19

Chapter 4

Implementation
In previous sections we have discussed about the system architecture, di erent scenarios and algorithms that we will be using to implement them.

4.1

Outline of the AES Algorithm

Constants: int Nb = 4; // but it might change someday int Nr = 10, 12, or 14; // rounds, for Nk = 4, 6, or 8 Inputs: array in of 4*Nb bytes // input plaintext array out of 4*Nb bytes // output ciphertext array w of 4*Nb*(Nr+1) bytes // expanded key Internal work array: state, 2-dim array of 4*Nb bytes, 4 rows and Nb cols Algorithm: void Cipher(byte[ ] in, byte[ ] out, byte[ ] w) f byte[ ][ ] state = new byte[4][Nb]; state = in; // actual component-wise copy AddRoundKey(state, w, 0, Nb - 1); // see Section 4 below for (int round = 1; round < Nr; round++) f
SubBytes(state); // see Section 3 below ShiftRows(state); // see Section 5 below MixColumns(state); // see Section 5 below

AddRoundKey(state, w, round*Nb, (round+1)*Nb - 1); // Section 4 g SubBytes(state); // see Section 3 below ShiftRows(state); // see Section 5 below

20

AddRoundKey(state, w, Nr*Nb, (Nr+1)*Nb - 1); // Section 4 out = state; // component-wise copy g

4.2

Implementation Details

In this section we discuss some the important implementation details. The overall project was divided into 2 components, namely, ClientApp,Encryption/Decryption Service, Stor-age Service
ClientApp

The ClientApp is java web startup application. The Client Login Form is shown in Figure 4.1.

Figure 4.1: ClientApp Login Form

21

Web Start has an advantage over applets in that it overcomes many compatibility problems with browsers' Java plugins and di erent JVM versions. On the other hand, Web Start programs are no longer part of the web page. They are independent applications that run in a separate frame For a new user, the client/user has to register, by click on "Register" in Login Form, and then login with its own user, as shown in Figure 4.2.

Figure 4.2: New User Registration

Let us re-visit the example discussed in chapter 1. The head of the account department nalizes the "YDT Summary" report for the small scale business. He/She then wants to upload the document to cloud storage. The user click's on "Upload Data" button, it then click's on "Upload File", and selects the le to be uploaded from its device/machine. The user now select if he/she wants to make the le as private which will be only accessible to itself or it wants to make it shared with others as well, suppose it make its shared and click's on "UPLOAD", while uploading the le it shows appropriate messages wherever necessary.
22

Figure 4.3: User Uploads Con dential File

Since the user has select shared, it now needs to de ne the list of people who will be able to access the le, for this it click's on "Access List" button, followed by "Add Accessor" button, and search for the person who will be able to access the data, and click on "DONE", Figure 4.4.

This accessor list is de ned in accesslist table de ned at storage cloud. The accessor will now be able to view this le securedly. One more advantage is, when the accessor downloads the le by click on "View Other'S DATA", the accessor can see list of all people and the data shared by these people with him/her, it veri es the integrity of the data on selection of particular data for view, and can report to the head of department if the data is tampered, Figure 4.5.

23

Figure 4.4: User Adds Accessor To Con dential File

Other Scenario will be the user want to download or view the data/ le, for this he/she clicks on "Download Data", followed by "FETCH FILE LIST", and selects the le to be download it, click's on "Save File As", and nally click's on "Download", Figure 4.6

24

Figure 4.5: Accessor Viewing Con dential File

Figure 4.6: Owner Viewing Con dential File

25

Chapter 5

Testing and Result

Till now we have seen the system architecture, its implementation using AES, SHA-1 De e Hellman algorithms. This section gives the results of working model.

5.1

Testing Result

Lets use now take the example of "Yearly Tax Deduction" Excel File which we provide as a input to the system.

Figure 5.1: Sample Input

1. The le is exactly stored in encrypted format. The "userdata" in storage cloud is

26

the table which stores the data for each user, Figure 5.2 shows the encrypted le

which was stored by a user.

Figure 5.2: Encrypted Con dential File Stored In Storage Cloud

2. Secondly, the keys, hash of data are stored in security cloud server in "userkey" table,while the hash of corresponding data is stored in " lehash" table.

5.2

Summary

We have seen how the security service which is provided by trusted third party helps in securing data, it provides the facility of data veri cation and allows data to be shared between designated group of people.
27

Chapter 6

Conclusion and Future work

6.1 Conclusion

We have seen how delegation of responsibility trusted 3rd party which provides security services secures user data. It reliefs the client from maintaining any kind of key infor-mation and allowing the client for using any browser enabled device to access the cloud services. It allows the client to verify the integrity of the data stored on download or retrieval of its own stored data in cloud. The client can share the data securely with speci c band of people without any overhead of key distribution.

6.2

Future Work

1. To enhance the security more, a mechanism to secure the keys in security cloud can be a area of research. 2. To reduce the overhead of network tra c can be another area of research.

28

Bibliography
[1] Jing-Jang Hwang, Hung-Kai Chuang,Yi-Chang Hsu, Chien-Hsing Wu, "A Business Model for Cloud Computing Based on a Separate Encryption and Decryption Ser-vice," Proceedings of the 2011 International Conference on Information Science and Application, April 2011. [2] Qian Wang ,Cong Wang ,Kui Ren ,Wenjing Lou ,Jin Li, "Enabling Public Auditability and Data Dynamics for Storage Security in Cloud Computing", IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 22, NO. 5, MAY 2011. [3] Balachandra Reddy Kandukuri, Ramakrishna Paturi V, Dr. Atanu Rakshit, "Cloud Security Issues", IEEE International Conference on Services Computing, pp. 517-520, September 2009. [4] Peter Mell, Timothy Grance, "The NIST De nition of Cloud Computing", NIST Special Publication 800-145 [5] Ling Li, Lin Xu, Jing Li, Changchun Zhang,"Study on the Third-party Audit in Cloud Storage Service", 2011 International Conference on Cloud and Service Com-puting [6] L. M. Vaquero,L. Rodero-Merino,J. Caceres, and M. Lindner, "A break in the clouds: towards a cloud de nition", ACM SIGCOMM Computer Communication Review, vol. 39, no. 1, pp. 50-55, January 2009. [7] A. Parakh and S. Kak, "Online data storage using implicit security", Information Sciences, vol. 179, issue 19, pp. 3323-3333 ,September 2009.
[8] C. Weinhardt, A. Anandasivam, B. Blau, N. Borissov, T. Meinl, W.Michalk, and J. Stober, "Cloud computing ? a classi cation, business models, and research di29

rections", Business & Information Systems Engineering (BISE), vol. 1, no. 5, pp.

391-399, 2009. [9] L. Lamport, "Password authentication with insecure communication",

Communi-cations of the ACM, vol. 24, no. 11, pp. 770-772, 1981.
[10] "Announcing the ADVANCED ENCRYPTION STANDARD (AES)", Federal Information Processing Standards Publication 197. United States National Institute of Standards and Technology (NIST). November 26, 2001. Retrieved October 2, 2012.

[11] William Stallings, "Cryptography and Network Security", 2009. [12] Salesforce.com, Inc., "Force.com platform", Retrieved Dec. 2009, from http://www.salesforce.com/tw/. [13] http://www.cs.utsa.edu/ wagner/laws/AESintro.html

30