2013 IEEE Student Conference on Research and Development (SCOReD), 16-17 December 2013, Putrajaya, Malaysia
A Client-Based User Authentication and Encryption Algorithm for Secure Accessing to Cloud Servers Based on Modified Diffie-Hellman and RSA Small-e
Faraz Fatemi Moghaddam, Iman Ghavam, Shirin Dabbaghi Varnosfaderani, Soroush Mobedi
Faculty of Computer Science and Information Technology, U.P.M. University, Kuala Lumpur, Malaysia
Abstract— Cloud computing is a newfound technology that is still unclear to many security problems and ensuring the security of stored data in cloud servers is one of the most challenging issues. This paper offers a real-time method for maintaining client-based security in cloud computing communications to ensure the establishment of a secure and trust-based access. The proposed model will contain an eligible algorithm to solve data protection and user authentication problems. In the suggested model, an encryption and key exchanging model has been described based on modified Diffie-Hellman and RSA small-e to share an encrypted key between the intended recipients for transparent and secure sharing. Moreover, this client-based system contains user authentication evaluation to validate users’ legal identities and to acquire access control privileges for the resources according to the role information. The proposed algorithm has been tested and evaluated according to four main parameters: time, key size, correctness, and security. In addition, effects of implementing this client-based control system on safe, secure and reliable cloud computing accesses and communications have been investigated. The results suggested that the algorithm is able to carry out the objectives of this research to decrease cloud computing security concerns such as data protection, authentication, and securing data in transmission.
Keywords— Cloud Computing; Security; Encryption; Sharing; User Authentication
This work was supported in part by University Putra Malaysia (U.P.M.) and Meta Soft co. (Medica Tak Sdn. Bhd).
978-1-4799-2656-5/13/$31.00 ©2013 IEEE
I. INTRODUCTION
Cloud computing is a modern and unprecedented service that stores resources such as data and applications, and shares them between various devices via a network by using the concepts of virtualization, storage, connectivity, and processing power [1]. Despite the benefits of cloud computing, such as unlimited storage, automatic software integration, quick deployment and being the most cost efficient method to use, maintain and upgrade resources [2], there are some significant concerns for users to use this emerging technology. Security concerns are the most challenging issues in cloud computing environments and have been divided into three main groups [3]: service provider security issues, infrastructure security issues, and end user security issues.
End user security issues contain browser security, authentication, loss of governance, and data protection. Due to lack of security in these areas, reliability of cloud computing will be decreased considerably between users and also enterprises. According to the importance of security in cloud computing environments, many security models were described to increase the reliability of cloud computing environments. This paper tries to investigate the strengths and weaknesses of previous researches and manufactured products to propose an efficient security model to decrease the security concerns in cloud computing environments.
II. PROBLEM BACKGROUND
When users outsource sensitive data shared on cloud servers, many challenges crop up on data security and access control. Applying cryptographic methods for authorized users in servers is the most popular existing solution for access control [4], but Yu et al. [5] noted that it’s not secure because all the keys are stored in the cloud servers with the same security level as the data, and when a cloud server is attacked seriously, all the keys could be stolen by attackers and the reliability of the cloud server will be decreased.
The cloud computing model suggested by Kulkarni et al. [3] is based on separate encryption and decryption services from the storage service. This model needs a Secure Socket Layer (SSL) for communication and transferring keys between users for decrypting the uploading data. In this model, all the keys are still stored in a cloud server and the security of the encrypted data will be affected by losing private keys in an attack. Furthermore, Zhang et al. [6] proposed a model with multi-dimension architecture of three layers defence. These three layers are: user authentication layer, encryption layer, and quick regeneration layer.
Preliminary privacy protection is the most important advantage of this model. In Zhang’s model, there is no need for super users to maintain it if there are N file blocks in the cloud computing system as it functions well. However, this model needs more memory, time and budget for implementation and maintenance compared with similar models.
Server-based solutions will not resolve cloud computing security issues completely and users expect a security model with self-handling methods, so they can handle their security by themselves. Tewari [7] noted that server-based solutions are not enough to achieve maximum reliability in cloud computing communications because storing keys on the same or separate cloud servers will make data approximately visible for anyone who has or obtains the right level of access. According to this investigation, the described models could not do away with all the users’ concerns about their data in cloud computing environments. Dependency of encryption keys on cloud servers and user authentication concerns are still considered by users and service providers to increase the reliability of cloud computing. Therefore, an efficient client-based encryption key between the intended recipients could be a solution for transparent and secure sharing.
III. PROPOSED MODEL
The proposed model has been described according to two main steps: client-based encryption algorithm for encrypting data before uploading to cloud servers, and user authentication and secure key exchanging algorithm for validating user legal identities and acquiring their access control privileges. The following steps show the suggested algorithm in detail:
1. Alice (User A) has a file (File.txt) and wants to upload it to a cloud server.
2. Alice and Bob (User B) generate their public and private keys via RSA Small-e:
2.1. Choose two distinct prime numbers $s$ and $r$.
2.2. Compute $n = sr$ and $\varphi(n) = (s - 1)(r - 1)$.
2.3. Choose an integer $e$ such that $1 < e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$.
2.4. Determine $d$ as $d \equiv e^{-1} \pmod{\varphi(n)}$.
2.5. Public key will contain $(n, e)$ and private key will contain $(n, d)$.
3. Now Alice wants to share the file with Bob and Bob needs to decrypt the encrypted File.txt.
4. Alice needs to identify Bob. For the authentication process Alice and Bob use Modified Diffie-Hellman algorithm:
4.1. Alice and Bob choose two large prime , $g$ such as $g <$ .
4.2. Alice chooses a large random number $x_1$ ($0 < x_1 <$ ) and computes $R_1 = g^{x_1}$.
4.3. Alice sends $R_1$ to Bob.
4.4. Bob chooses a large random number $x_2$ ($0 < x_2 <$ ) and computes $R_2 = g^{x_2}$.
4.5. Bob computes $K = R_1^{x_2}$ and $E_1 = \mathrm{Encrypt}(R_2, K)$.
4.6. Bob sends $R_2, E_1$ to Alice.
4.7. Alice computes $K = R_2^{x_1}$ and $R'_2 = \mathrm{Decrypt}(E_1, K)$.
4.8. If $R_2 = R'_2$ she proceeds; otherwise the verifier is dishonest.
5. Alice lets Bob send his public key.
6. Bob encrypts his public key via the secret key ($K$) and sends it to Alice.
7. Alice decrypts Bob’s public key via the secret key ($K$).
8. Alice encrypts File.txt with Bob’s public key and uploads it to the cloud server.
9. Bob downloads the encrypted File.txt and decrypts it with his private key via RSA Small-e.
10. Now Bob has the original File.txt.
There are two main steps in the suggested algorithm: user authentication and encryption. These steps have been shown in Fig. 1:
Fig. 1. Client Based User Authentication and Encryption Algorithm.
A. Cryptography Process
According to the nature of this research that is based on sharing concepts, asymmetric cryptography models (public key algorithms) are more appropriate than symmetric models for client-based cryptographic system. It’s because sharing the public key is more reliable with establishment of data security at the same time. For this reason, six of the most popular public key algorithms [8]-[12] and the strengths and weaknesses of each model were reviewed.
According to the investigation, RSA, RSA Small-e, RSA Small-d, EAMRSA, Efficient RSA, and MREA were observed and reviewed. In the proposed model, RSA Small-e algorithm has been chosen for the encryption process by using the public exponent that is much smaller than $\varphi(n)$. Using a small public exponent in RSA Small-e will decrease the encryption costs considerably. Moreover, it is expected with high probability that $d$ as private exponent will be the same size as $\varphi(n)$.
In the suggested model, data has been encrypted by the sharer’s (Bob’s) public key after authentication validation. According to this, the encryption process has been reduced to a few modular multiplications and the cost of encryption process has been decreased significantly. Furthermore, the encryption of the sharer’s public key with the generated secret key has solved the Boneh and Durfee’s considerations [13] about the insecurity of exponents that are less than $n^{0.292}$. In addition, according to the analysis results, it is expected that the encryption time in RSA Small-e is less than in original RSA due to the size of exponent $e$.
B. User Authentication and Key Exchanging Process
Using Zero Knowledge Proof (ZKP) Modified Diffie-Hellman [14] solves the authentication problems and lets the file owner upload shared data to the cloud server without any concerns about the authentication of the sharer, while the original Diffie-Hellman [15] is not appropriate in this model and has serious weaknesses as it faces Discrete Logarithm attack and Man in the Middle attack. However, in the proposed model, Man in the Middle and Discrete Logarithm attacks are prevented using ZKP algorithm. In the suggested model, the third key (Secret Key) has helped to solve the key exchanging problems and has resistance against Cycle, Brute Force, and Timing attacks.
IV. TIME AND KEY SIZE ANALYSIS
The simulation result of the proposed algorithm was acquired using Microsoft C# .net framework 4.0, a 2.40 GHz Intel® Core™ i5 CPU with 4.00 GB RAM in Microsoft Windows 8 platform.
Moreover, the message that was used during the analysis procedure had 20000, 40000, 80000, and 160000 characters. Time analysis was carried out according to the different size of exponents (512, 1024, 2048 and 4096 bits) and defined parameters (key generation time, encryption time, decryption time, and total execution time). Effect of changing the exponent sizes from 512 (bits) to 4096 (bits) on key generation, encryption, decryption, and total execution time according to 20000 characters message size has been shown in Table I.
Furthermore, Table II shows the effect of changing message sizes from 20000 to 160000 characters on encryption, decryption and total execution time according to 2048 bits key size.
TABLE I: EFFECT OF CHANGING THE EXPONENT SIZES FROM 512 (BITS) TO 4096 (BITS) ON KEY GENERATION, ENCRYPTION, DECRYPTION, AND TOTAL EXECUTION TIME IN PROPOSED MODEL ACCORDING TO 20000 CHARACTERS MESSAGE SIZE
| Size of Exponents (bits) | Key Generation Time (ms) | Encryption Time (ms) | Decryption Time (ms) | Total Execution Time (ms) |
| 512 | 110 | 649 | 978 | 1737 |
| 1024 | 160 | 698 | 1023 | 1881 |
| 2048 | 456 | 940 | 1839 | 3235 |
| 4096 | 1919 | 1623 | 4806 | 8348 |
TABLE II: EFFECT OF CHANGING MESSAGE SIZES FROM 20000 TO 160000 (CHAR) ON ENCRYPTION, DECRYPTION, AND TOTAL EXECUTION TIME IN THE PROPOSED ALGORITHM ACCORDING TO 2048 (BITS) KEY SIZE
| Size of Message (char) | Encryption Time (ms) | Decryption Time (ms) | Total Execution Time (ms) |
| 20000 | 940 | 1839 | 2779 |
| 40000 | 1107 | 2379 | 3486 |
| 80000 | 1409 | 3001 | 4410 |
| 160000 | 2007 | 5211 | 7218 |
According to the results, the key generation times for 512 and 1024 bits keys are approximately the same, but when key size has been increased to 2048 and 4096 bits, the key generation time has risen significantly, about 185% and 320% in each increase. Moreover, the encryption process in key with 4096 bits size has increased about 58% against the average encryption time in other sizes. As expected [9], using RSA Small-e in the encryption algorithm has decreased time of encrypting data against the original RSA.
According to the results and unlike the encryption process, the rate of time growth in decryption process has increased considerably by changing the key size. This rise in 1024, 2048, and 4096 bits key size is 4%, 79%, and 161% respectively in 20000 characters file. According to the results of Table II, by increasing the size of message, the decryption time has risen considerably more than encryption time. The following diagram shows this increase:
[Chart: Time (ms) against message size (Character), with Encryption Time and Decryption Time series.]
Fig. 2. Effects of Changing Message Sizes (from 20000 to 160000 char) on Encryption and Decryption Time
As expected, by changing the message size, the increase of encryption time was less than decryption time. This happened because the public exponent that was used for the encryption process was less than private exponent in RSA Small-e and the encryption process was reduced to a few modular multiplications. In addition, the security of the encryption process will not be affected by the small size of the public exponent because of the key exchanging process with the third key (secret key). In general, evaluation of the algorithm in terms of time and key size showed that 2048 bits keys are the most appropriate size for the process of cryptography in more powerful computers (e.g. PCs and laptops), and 1024 bits keys are the best key size for devices with lower memory (e.g. smart phones and tablets).
V. SECURITY ANALYSIS
Man in the Middle attack and Discrete Logarithm attacks are the most damaging attacks in key-exchanging process. Furthermore, Cycle attack, Brute Force attack, and Timing attack are the most important attacks during the encryption and decryption process. The following step evaluates the algorithm against these attacks.
A. Man in the Middle Attack
Man in the Middle is an attack in which the attacker is able to read and modify all the messages between Alice and Bob [16]. To protect the suggested model from Man in the Middle attack, encrypted replies ($R_1$ and $R_2$) and mutual authentication between Alice (file owner) and Bob (sharer) are required. For this purpose Bob computes $K = R_1^{x_2}$ and $E_1 = \mathrm{Encrypt}(R_2, K)$ and sends $R_2, E_1$ to Alice. After that, Alice computes $K = R_2^{x_1}$ and $R'_2 = \mathrm{Decrypt}(E_1, K)$.
These processes prevented the Man in the Middle attack and by comparing $R_2$ and $R'_2$ the attack will be identified. The following figure shows the Man in the Middle attack prevention in the proposed model.
Fig. 3. Man in the Middle Attack Prevention by Proposed Algorithm
According to the figure, $R$ and $R'$ are not the same for Alice because the keys between users and attackers are different.
$K = g^{x_1 x}$, $K = g^{x_2 x}$, $K_{Ev} = g^{x_2 x}$
It means $K \neq K = K_{Ev}$ and because of that, the Man in the Middle attack was noticed by Alice and the attack was prevented.
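Steps 2 to 9 of Section III together with the $R_2$ check of Section V.A, as an added example that is not the authors' C# prototype. Assumptions: the modulus name `P` with reduction mod `P`, the toy primes, the fixed byte encodings and the SHA-256 keystream standing in for the paper's unspecified Encrypt/Decrypt; `session`, `xor_stream` and the `k_*` names are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters, far too small for real use. The page's symbol for
# the Diffie-Hellman modulus did not survive extraction; it is called P here,
# and reduction mod P is assumed (standard Diffie-Hellman).
P = 2**127 - 1                  # prime modulus
G = 2**61 - 1                   # prime base with G < P (step 4.1)
S, R = 2**127 - 1, 2**89 - 1    # Bob's RSA primes (step 2.1), constructed
FILE = b"File.txt contents"     # constructed plaintext

def xor_stream(data: bytes, key: int) -> bytes:
    """Assumed stand-in for Encrypt/Decrypt: XOR with a SHA-256 counter
    keystream derived from the shared secret K."""
    kb = key.to_bytes(16, "big")
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(kb + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def rsa_small_e_keygen(s: int, r: int):
    """Steps 2.1-2.5, taking the smallest odd e coprime to phi(n)."""
    n, phi = s * r, (s - 1) * (r - 1)
    e = next(c for c in range(3, phi, 2) if gcd(c, phi) == 1)
    d = pow(e, -1, phi)         # d = e^-1 mod phi(n), needs Python 3.8+
    return (n, e), (n, d)

def session(x1=None, x2=None, xe=None):
    """Steps 2-9. If xe is given, Eve swaps R1 and R2 for g^xe in transit and
    forwards E1 unchanged (the case in the paper's security analysis)."""
    x1 = x1 or secrets.randbelow(P - 2) + 1
    x2 = x2 or secrets.randbelow(P - 2) + 1
    (n, e), (_, d) = rsa_small_e_keygen(S, R)              # step 2 (Bob's keys)
    r1 = pow(G, x1, P)                                     # 4.2
    r_eve = pow(G, xe, P) if xe else None
    r2 = pow(G, x2, P)                                     # 4.4
    k_bob = pow(r_eve or r1, x2, P)                        # 4.5, from the R1 Bob received
    e1 = xor_stream(r2.to_bytes(16, "big"), k_bob)         # 4.5
    r2_seen = r_eve or r2                                  # 4.6, as Alice receives it
    k_alice = pow(r2_seen, x1, P)                          # 4.7
    r2_check = int.from_bytes(xor_stream(e1, k_alice), "big")
    out = {"accepted": r2_check == r2_seen,                # 4.8
           "k_alice": k_alice, "k_bob": k_bob,
           "k_eve": pow(r2, xe, P) if xe else None, "plaintext": None}
    if not out["accepted"]:
        return out                                         # Alice stops here
    wrapped = xor_stream(n.to_bytes(28, "big") + e.to_bytes(4, "big"), k_bob)  # step 6
    raw = xor_stream(wrapped, k_alice)                     # step 7
    n_a, e_a = int.from_bytes(raw[:28], "big"), int.from_bytes(raw[28:], "big")
    c = pow(int.from_bytes(FILE, "big"), e_a, n_a)         # step 8, textbook RSA
    out["plaintext"] = pow(c, d, n).to_bytes(len(FILE), "big")   # step 9
    return out

if __name__ == "__main__":
    print(session()["accepted"], session(xe=0x13579BD)["accepted"])
```

In the tampered run Bob's key equals Eve's while Alice's differs, so decrypting $E_1$ under Alice's key does not reproduce the $R_2$ she received and she stops at step 4.8.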
B. Discrete Logarithm Attack
Discrete Logarithm is an attack where an interceptor can intercept $R_1$ and $R_2$, find $x_1$ from $R_1 = g^{x_1}$ and $x_2$ from $R_2 = g^{x_2}$, and then calculate $K = g^{x_1 x_2}$. By using the following recommendations [17] in the proposed model, the possibility of success in Discrete Logarithm attack will be at the lowest mode:
• The exponents ($x_1, x_2$) should be at least 100 digits long and used only once in key exchanging process.
• The prime number $g$ should be selected from $\langle Z, \times \rangle$.
C. Cycle Attack
Cycle Attack is an attack where the attacker encrypts the cipher text alternately, until the original text appears. This number of encrypting will decrypt any cipher text. In large key RSA, this attack could not be practical even when a generalisation of the attack allows the modulus to be factored and most of the time it works faster. Moreover, in the proposed model, the attacker will not have access to the public key to re-encrypt the cipher text because the public key has been encrypted by the secret key that was generated in Modified Diffie-Hellman process.
D. Brute Force Attack
All possible combinations to guess the private key have been tried by the attacker during Brute Force attack. In original RSA, the probability of failure against this attack can be decreased considerably by choosing exponents larger than 2048 bits but with the combination of the proposed model, this algorithm has significant resistance towards brute force attack even with 1024 bits exponents because of the encryption of the public key before sending it.
E. Timing Attack
Timing attack is a side channel attack in which the attacker determines the private exponent by exploiting the timing variation of the modular exponentiation [18]. Timing attack in original RSA might be prevented by including a random delay to the exponentiation algorithm or multiplying the cipher-text with a random number [19] while the dual encryption (public key encryption by secret key and the file encryption by RSA Small-e) in the suggested model will protect the transferred message from the timing attack and it is not necessary to multiply the cipher-text.
VI. LIMITATIONS
One of the most important limitations of the proposed model is compatibility of the system in various situations and platforms. The proposed system should have the same performance in different devices (e.g. PCs, desktops, tablets, smart phones, etc.) and platforms (e.g. Windows, iOS, Android, Linux, Mac, etc.). This problem will be more specific in portable devices with limited memory and capacity which results in full performance in encryption, decryption and key generation process [20]. This problem can be solved by decreasing the size of exponents and keys but with this decrease the security of the system will be reduced considerably. Overall, 1024 bits keys are the most appropriate key size in the client-based encryption and control system including both security and compatibility. Furthermore, the role of the file owner in managing the accesses is increased in the proposed model and by this increase the owner should manage all of the accesses by himself [20]. User’s common mistakes in this self-control process may have a significant impact in reducing system security.
VII. CONCLUSION
The main aim of this paper was applying a client-based encryption system and sharing an encrypted key between the intended recipients for transparent and secure sharing. Moreover, a client-based user authentication evaluation to validate user’s legal identities and acquire their access control privileges for the resources according to the role information was applied during this research process. According to the aims of this research, an eligible algorithm was designed with combination of RSA Small-e for encrypting the data in client side and before uploading to the cloud servers, and Modified Diffie-Hellman to generate a secret key with zero knowledge and for key-exchange between users to obtain user authentication evaluation in cloud computing communications.
In general, evaluation of the proposed algorithm and the implemented prototype shows that suggested model is able to carry out the objectives of this research and the client based encryption system will decrease cloud computing security concerns such as data protection, authentication, and securing data in transmission.
ACKNOWLEDGMENT
We acknowledge the assistance and logistical support provided by University Putra Malaysia (U.P.M.), Staffordshire University, Meta Soft Company, Prof. Dr. Simon David Scott, Dr. Maen T. Alrashdan, Dr. Pardis Najafi, and the bright memory of Dr. Enayat Fatemi Moghaddam.
REFERENCES
[1] M. Malathi, “Cloud Computing Concepts,” in Proc. 3rd International Conf. on Electronics Computer Technology (ICECT), Kanyakumari, India, 2011, pp. 236-239.
[2] P. Viswanathan. (2012). Cloud Computing: Is it Really All That Beneficial? About.com Mobile Devices. [Online]. Available: http://mobiledevices.about.com/
[3] G. Kulkarni, J. Gambhir, T. Patil, and A. Dongare, “Security Aspects in Cloud Computing,” in Proc. IEEE 3rd International Conf. on Software Engineering and Service Science (ICSESS), Beijing, China, 2012, pp. 547-550.
[4] F. Fatemi Moghaddam, M. T. Alrashdan, and O. Karimi, “A Hybrid Encryption Algorithm Based on RSA Small-e and Efficient-RSA for Cloud Computing Environments,” Journal of Advances in Computer Networks, vol. 1, no. 3, pp. 238–241, 2013.
[5] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing,” in Proc. IEEE INFOCOM, 2010, San Diego, USA, 2010, pp. 1-9.
[6] X. Zhang, S. Q. Lai, and N. W. Liu, “Research on Cloud Computing Data Security Model Based on Multi-Dimension,” in Proc. International Symposium on Information Technology in Medicine and Education (ITME), Hokkaido, Japan, 2012, vol. 2, pp. 897-900.
[7] H. Tewari. (2012). CompSci boffins tout file encryption for Google Docs Enterprise Security. The Register. [Online]. Available: http://www.theregister.co.uk/2012/04/19/cipherdocs_beta/.
[8] R. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” ACM Trans. on Communications, vol. 21, pp. 120-126, 1978.
[9] H. M. Sun, M. E. Wu, W. C. Ting, and M. J. Hinek, “Dual RSA and Its Security Analysis,” IEEE Trans. on Information Theory, vol. 53, pp. 2922-2933, 2007.
[10] S. J. Aboud, M. A. Al-Fayoumi, M. Al-Fayoumi, and H. Jabbar, “An Efficient RSA Public Key Encryption Scheme,” in Proc. Fifth International Conf. on Information Technology: New Generations (ITNG), Las Vegas, USA, 2008, pp. 127-130.
[11] R. S. Dhakar, A. K. Gupta, and P. Sharma, “Modified RSA Encryption Algorithm (MREA),” in Proc. Second International Conf. on Advanced Computing & Communication Technologies (ACCT), Haryana, India, 2012, pp. 426-429.
[12] Q. Liu, Y. Li, L. Hao, and H. Peng, “Two Efficient Variants of the RSA Cryptosystem,” in Proc. International Conf. on Computer Design and Applications (ICCDA), Qinhuangdao, China, 2010, vol. 5, pp. 550-553.
[13] D. Boneh, G. Durfee, “Cryptanalysis of RSA with private key d less than $n^{0.292}$,” IEEE Trans. on Information Theory, vol. 46, pp. 1339–1349, 2000.
[14] M. K. Ibrahem, “Modification of Diffie-Hellman Key Exchange Algorithm for Zero Knowledge Proof,” in Proc. International Conf. on Future Communication Networks (ICFCN), Baghdad, Iraq, 2012, pp. 147-152.
[15] W. Diffie, M. Hellman, “New directions in cryptography,” IEEE Trans. on Information Theory, vol. 22, pp. 644–654, 1976.
[16] G. R. Kumar, F. Zeeshan, and M. Shahabuddin, “Discovering Man-in-the-Middle Attacks in Authentication Protocols,” in Proc. IEEE Military Communications Conf. (MILCOM), Orlando, USA, 2007, pp. 1-7.
[17] D. Avinash, M. Radhesh, and P. R. Alwyn, “Throttling DDoS Attacks Using Discrete Logarithm Problem,” in Proc. International Conference on Security and Cryptography (SECRYPT), Athens, Greece, 2010, pp. 1-7.
[18] P. C. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” in Proc. 16th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO'96), Santa Barbara, USA, 1996, pp. 104-113.
[19] A. AlHasib, and A. M. Haque, “A Comparative Study of the Performance and Security Issues of AES and RSA Cryptography,” in Proc. 3rd International Conf. on Convergence and Hybrid Information Technology (ICCIT), Busan, Korea, 2008, pp. 505-510.
[20] F. Fatemi Moghaddam, Secure Cloud Computing with Client-Based Control System: Protection of Stored Cloud-Based Data by Increasing End-User’s Role, Chapter 1: Cloud Computing, 1st Edition. Saarbrücken: Lambert Academic Publishing (LAP), 2013, pp. 9-2.