Elsevier

Expert Systems with Applications

Volume 41, Issue 17, 1 December 2014, Pages 7789-7796

Improved security of a dynamic remote data possession checking protocol for cloud storage

https://doi.org/10.1016/j.eswa.2014.06.027

Highlights

  • Identify security flaws of an RDPC protocol and show two attacks.

  • Describe an improved protocol which preserves all the desirable properties.

  • Prove the security of the improvement under a well-known security model.

Abstract

Cloud storage offers users high-quality, on-demand data storage services and frees them from the burden of maintenance. However, cloud servers are not fully trusted, and whether the data stored in the cloud are intact becomes a major concern for users. Recently, Chen et al. proposed a remote data possession checking protocol to address this issue. One distinctive feature of their protocol is its support for data dynamics, meaning that users are allowed to modify, insert and delete their outsourced data without the need to re-run the whole protocol. Unfortunately, in this paper, we find that this protocol fails to achieve its purpose since it is vulnerable to a forgery attack and a replace attack launched by a malicious server. Specifically, we show how a malicious cloud server can deceive the user into believing that the entire file is well maintained by using the meta-data related to the file alone, or with only part of the file and its meta-data. Then, we propose an improved protocol to fix the security flaws and formally prove that our proposal is secure under a well-known security model. In addition, our improvement keeps all the desirable features of the original protocol.

Introduction

Cloud storage provides a novel service model (Wu, 2011) in which data are maintained, managed and backed up remotely and accessed by cloud users over the network at any time and from anywhere (Jula, Sundararajan, & Othman, 2014). Nowadays, an increasing number of organizations and individuals would like to outsource their data to the cloud to enjoy the appealing advantages of cloud storage. However, once a data owner uploads his/her data to the cloud and deletes the local copy of the files, the owner loses physical control over the outsourced data.

Naturally, integrity and confidentiality of the data are of prime concern in this scenario. Indeed, in the white paper entitled “Cloud Computing Vulnerability Incidents: A Statistical Overview” by the Cloud Vulnerabilities Working Group of the Cloud Security Alliance (CSA), Data Loss & Leakage is the second most frequent incident type among the seven threat types defined by CSA. Some examples are from prominent providers (e.g. Amazon, Evernote). The same white paper stated that “…the data collected is the result of a best effort attempt.” since it is not mandatory for the providers to report these incidents. Moreover, the cloud providers are not fully trusted (Wang, Zeng, & Yao, 2012) and it might be in their interest to hide data loss incidents in order to maintain their reputation.

To improve accountability of the cloud server, it is therefore desirable to have the cloud server periodically provide evidence to convince its users that their data have been neither tampered with nor discarded (Lin & Chang, 2011). The major research problem in this setting is that the users do not have a local copy of the data, meaning that traditional integrity mechanisms (e.g. digital signatures) are not suitable, as they require the user to download the data from the cloud, which is costly or sometimes infeasible.

To check the integrity of remote data, Ateniese et al. (2007, 2011) presented the notion of provable data possession (PDP) and constructed two efficient and provably secure PDP schemes based on homomorphic verifiable tags. In their protocols, cloud users are allowed to verify data integrity (Kamel, 1995) without retrieving the entire file. At the same time, Juels, Burton, and Kaliski (2007) defined the model of proof of retrievability (PoR), which allows the server to construct a concise proof to convince the cloud user that their data can be retrieved, and proposed a sentinel-based PoR construction utilizing error-correcting code. In 2008, Shacham and Waters (2008, 2013) described two efficient and compact PoR schemes. The first one is a publicly verifiable PoR scheme built from the signature algorithm due to Boneh, Lynn and Shacham (referred to as BLS signature hereafter) (Boneh, Lynn, & Shacham, 2001), and the other one is a privately verifiable PoR scheme based on a pseudo-random function. In 2009, Ateniese, Kamara, and Katz (2009) put forward a framework for building publicly verifiable PDP schemes with an unbounded number of verifications from a public-key homomorphic linear authenticator, which can be generated from any identification protocol. In the following, we use the term remote data possession checking (RDPC) protocol to refer to any protocol (including PDP and PoR) that aims to address the integrity of remote data.

With the proliferation of cloud storage, a number of data auditing protocols (Chen, 2013; Wang et al., 2010, 2013; Zhu et al., 2012a; Zhu, Hu, et al., 2012b; Zhu, Wang, et al., 2012) were proposed to ensure the integrity of the outsourced data. The aforementioned research focuses on static data, in which the outsourced data are not going to be modified. Recently, several PDP or PoR schemes (Ateniese et al., 2008, Erway et al., 2009, Wang et al., 2009, Wang et al., 2012, Yang and Jia, 2013) supporting dynamic data operations were proposed as well. In particular, a recent scheme by Chen, Zhou, Huang, and Xu (2013) supports the most general forms of data operation, such as block modification, insertion and deletion. This protocol is based on a homomorphic hash algorithm, in which the hash value of the sum of two blocks is equal to the product of the two hash values. To support data updating, the Merkle Hash Tree (MHT) is employed to record the location of each data operation. Chen et al. also demonstrated that their proposal compares favourably with the state-of-the-art protocols, and they concluded that the performance is limited by network bandwidth rather than cryptographic operations.
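The homomorphic property described above, as an added example that is not code from this paper or from Chen et al. (2013): it assumes the stand-in hash H(m) = g^m mod p over an illustration-sized safe-prime group, and the names `toy_group`, `challenge`, `prove` and `verify` are hypothetical. It shows how a verifier holding only per-block hash values can check one aggregated response over randomly sampled blocks.

```python
import math
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all(pow(x, 2**r, n) != n - 1 for r in range(1, s)):
            return False
    return True

def toy_group(bits=61):
    """Smallest safe prime p = 2q + 1 with q > 2**bits; g = 4 has prime order q."""
    q = 2**bits + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = toy_group()  # illustration-sized parameters, an assumption of this example

def H(block):
    """Homomorphic hash: H(a + b) == H(a) * H(b) mod P."""
    return pow(G, block % Q, P)

def challenge(n_blocks, k):
    """Verifier: k distinct indices, each with a random nonzero coefficient."""
    idx = secrets.SystemRandom().sample(range(n_blocks), k)
    return [(i, 1 + secrets.randbelow(Q - 1)) for i in idx]

def prove(blocks, chal):
    """Server: fold the challenged blocks into one value mu."""
    return sum(c * blocks[i] for i, c in chal) % Q

def verify(hashes, chal, mu):
    """Verifier: needs only the stored per-block hashes, not the blocks."""
    return H(mu) == math.prod(pow(hashes[i], c, P) for i, c in chal) % P

# Constructed sample file, split into 7-byte blocks so every block is < 2**56 < Q.
DATA = b"constructed sample file for the homomorphic hash demo"
BLOCKS = [int.from_bytes(DATA[i:i + 7], "big") for i in range(0, len(DATA), 7)]
HASHES = [H(b) for b in BLOCKS]  # what the verifier keeps after upload
```

A challenge covers only the sampled indices, so a change to a block outside the sample is not detected in that round; detection is probabilistic across repeated challenges.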

Our contribution. The contributions of this paper are threefold.

  • (1) We identify several security flaws in the dynamic RDPC protocol in Chen et al. (2013). As long as the authenticated data structure, the Merkle Hash Tree, is well maintained, the server can always generate a valid proof by using a forgery attack or a replace attack to deceive the user into believing that the data are well maintained in the cloud, while actually some data blocks may have been corrupted. This means the protocol cannot achieve its design goals and cannot be adopted in real-world applications.

  • (2) We propose an improved dynamic RDPC protocol to mend these security weaknesses by making use of several techniques, including modifying the homomorphic hash functions to be cryptographically secure, involving the hash value of the data block in generating each tag, and using the random sampling trick to improve the efficiency of the protocol.

  • (3) We prove the security of the fixed protocol in the well-known security model due to Ateniese et al. (2007), and show that the improvement maintains all the desirable features of the original protocol.

Organization: The rest of the paper is organized as follows. Section 2 gives some preliminaries used in this paper. Section 3 reviews the dynamic RDPC protocol in Chen et al. (2013) and presents our security analysis of the protocol. Section 4 presents our improved protocol and its performance. Section 5 describes the security proof of the new protocol, and Section 6 concludes the paper.

Section snippets

Preliminaries

In this section, we review some preliminary knowledge used in this paper, including the homomorphic hash functions and Merkle Hash Tree.

Security analysis of the dynamic RDPC protocols

In this section, we review the components, security requirements and the construction of the dynamic RDPC protocol in Chen et al. (2013) and show that it is vulnerable to a forgery attack and a replace attack.

Our dynamic RDPC protocol

In this section, we first describe our enhanced dynamic RDPC protocol and show how to update data blocks stored in the cloud server. Then, we report the performance assessment of the improved protocol.

Security proofs

In this section, we prove that the new RDPC protocol is secure under the security model due to Ateniese et al. (2007) by employing the proof tricks described by Shacham and Waters (2008, 2013). Intuitively, an adversary is unable to generate a valid response to a challenge without possessing the entire file, or at least the challenged file blocks. That is, we will prove that the ProofVerify algorithm will output FALSE except when the prover’s μj are computed correctly, i.e. are such

Conclusion

Currently, an increasing number of individuals and organizations prefer to outsource their data to remote cloud servers to relieve the local burden of data management and maintenance. In this paper, we investigated the techniques for validating data integrity on cloud servers, and the security issues and design methods of remote data possession checking protocols.

We demonstrated that the RDPC protocol in Chen et al. (2013) is vulnerable to a forgery attack and a replace attack. Concretely,

Acknowledgement

This work is supported by the NSFC under Grant No. 61370203.

References (29)

  • Ateniese, G., Pietro, R. D., Mancini, L. V., & Tsudik, G. (2008). Scalable and efficient provable data possession. In...
  • Ateniese, G., et al. Proofs of storage from homomorphic identification protocols.
  • Boneh, D., Lynn, B., & Shacham, H. (2001). Short signatures from the Weil pairing. In Asiacrypt 2001 (pp....
  • Erway, C., Kupcu, A., Papamanthou, C., & Tamassia, R. (2009). Dynamic provable data possession. In ACM CCS’09 (pp....