Applying an Agent-Based User Authentication and ... - IEEE Xplore

Mostafa Hajivali. Faculty of Computer Science ... Faraz Fatemi Moghaddam. Faculty of Computer Science and ... f.fatemi@ieee.org. Abdualeem Z. M. Alothmani.
Applying an Agent-Based User Authentication and Access Control Model for Cloud Servers

Mostafa Hajivali
Faculty of Computer Science, Staffordshire University, Kuala Lumpur, Malaysia
[email protected]

Faraz Fatemi Moghaddam
Faculty of Computer Science and Information Technology, U.P.M. University, Kuala Lumpur, Malaysia
[email protected]

Maen T. Alrashdan
Faculty of Research Coordinator, Asia Pacific University (A.P.U.), Kuala Lumpur, Malaysia
[email protected]

Abdualeem Z. M. Alothmani
Faculty of Information and Communication Technology, Asia Pacific University (A.P.U.), Kuala Lumpur, Malaysia
[email protected]

Abstract— Cloud computing is an emerging developed technology and the next natural step in the evolution of on-demand information technology services and products that uses concepts of virtualization, storage, processing power, and sharing. According to various researches, access control and user authentication are the most important security concerns and challenging issues in cloud-based environments. Accordingly, this paper offers an agent-based user authentication and access control algorithm based on discretionary and role-based access control model for increasing the reliability and rate of trust in cloud computing environments. The proposed model uses a cloud-based software-as-a-service application with four main agents and a client-based user authentication application. After describing the proposed model, it has been justified and evaluated for identifying the strengths and weaknesses according to defined parameters: Performance, Security, Compatibility, and Power of Intelligence. Moreover, according to the identified limitations, appropriate details have been recommended and further research has been introduced. Overall, the theoretical analysis of the proposed model shows that designing this user authentication and access control model will increase the reliability and rate of trust in cloud computing environments as an emerging and powerful technology in various industries.

Keywords—Cloud Computing; Access Control; Authentication; Agents; Software-as-a-Service

I. INTRODUCTION

Cloud computing is an emerging developed technology and the next natural step in the evolution of on-demand information technology services and products [1]. This newfound technology uses various concepts (e.g. virtualization, sharing, storage, etc.) to provide an efficient and flexible environment for storing data and sharing them via a network (i.e. Internet). However, ensuring the security of this powerful service is one of the most challenging issues that decrease the reliability of cloud servers considerably. In fact, applications and information usage of cloud hosting have the risk of loss of data or illegal access [2]. Khan et al. [3] divided cloud computing security concerns to 5 major parts: security of data in transferring process, security of the software interfaces, security of stored data, user authentication, and user access control. According to this classification, user authentication and access control are two of the most important concerns in cloud-based environments. Accordingly, a reliable and efficient user authentication and access control model has been presented in this paper to decrease the security concerns in cloud computing environments.

This work was supported in part by the Asia Pacific University of Technology and Innovation (A.P.U.), Kuala Lumpur, Malaysia and Meta Soft Co. (Medica Tak Company), Seri Kembangan, Selangor, Malaysia.

978-1-4799-0698-7/13/$31.00 ©2013 IEEE

ICTC 2013

II. PROPOSED MODEL

The proposed model was named ACUA (Access Control and User Authentication) model and contains appropriate tools for validating user legal identities and acquiring their access control privileges for the resources according to the role information. In the proposed model, the concepts of agents [4], multi-clouds [5]-[6], and Software-as-a-Service (SaaS) have been considered to establish a secure algorithm during user authentication and access control processes. According to the brief introduction of the proposed model in figure 1, this model uses the concepts of multi-clouds for designing a cloud-based software-as-a-service and managing accesses and user authentication processes to increase the reliability of public or private cloud computing environments. The proposed model uses one client-based agent and four cloud-based agents to establish a secure algorithm during processes, services, and communications. The main aim of these agents is to increase the rate of intelligence and reliability during cloud computing communications. Accordingly, each agent has separate performance and has been connected to other agents with the ACUA software-as-a-service application. The responsibilities of each agent and ACUA are described in the following tasks.

Fig. 1. Proposed Model in Brief

A. Client-Based User Authentication (CBUA)

In current user authentication models, the dependency of this process on cloud server systems is one of the most challenging issues. Accordingly, the client-based user authentication agent is an application that manages the identity of users before they access the cloud environment. For this purpose, the user’s authorized devices should be registered by installing CBUA. The following figure shows the algorithm of device registration in ACUA:

Fig. 2. Algorithm of Device Registration

The device should be registered at ACUA by registering an access code that will be sent to the device. The access code will be entered during the installation process and will be checked with the ACUA database. After confirmation the device will be registered by the MAC ID and the application will be installed. Furthermore, the client-based application should install an extension on the web browser of the registered device for further processes. After registering a device by installing CBUA and confirming it, users can access their cloud server more securely. The following algorithm shows the performance of the CBUA agent in detail:

Fig. 3. Performance of CBUA Agent

According to this figure, the performance of CBUA is as follows:

1. Client-based agent sends a request for check authentication to cloud-based agent.

2. Cloud-based agent receives the request and confirms it if the client-based access code is acceptable.

3. Client-based agent sends account detail such as username and password for cloud-based user authentication.

4. After confirmation the user can access the cloud server.

5. User and cloud server will communicate with each other and appropriate data will be transmitted.

B. Cloud User Authentication Agent (CUA)

Cloud user authentication agent is an agent that provides a framework of sign-in to cloud servers by strong tools and techniques to increase the reliability of user authentication processes. According to the analysis process of current models, lack of efficiency in user authentication processes is the most important issue in cloud-based environments. Accordingly, a cloud-based user authentication agent has been designed in ACUA with two main tools:

1) User Authorization Code (UAC)

User authorization code is the most appropriate solution for accessing cloud servers by un-authorized devices. Accordingly, a unique code will be sent to the user hand phone number or personal email address to confirm the authentication of the user by un-authorized device. The generation and performance of UAC have been done as follows:

1. A request has been sent to the cloud-based user authentication agent by an un-authorized device for authorization process.

2. Cloud-based user authentication agent will generate the UAC and will send it to the personal email or hand phone of the user. It should be noted that, in order to increase the security, the code will be sent to user devices as QR codes.

3. The user will use the received code and will send it to the agent.

4. Cloud-based user authentication agent will confirm the code and let the user access the cloud server.

5. If the received code is wrong for more than two times the account will be locked and inaccessible for the unauthorized device and a notification will be sent to the personal email of the user about the possibility of attack.

Fig. 4. Performance of UAC

2) Region Detection

Region detection is one of the most popular smart user authentication tools to increase the reliability of this process. This means, when a user wants to sign in to a web-service with an IP at another area (i.e. country) the user authentication process will be more stringent. According to the analysis in current models, these smart solutions will increase the security and the rate of trust in cloud computing environments. Due to this, in the cloud-based user authentication agent, a smart region IP-detection will be established to decrease the rate of risks in cloud environments. In the proposed region detection, the region detection uses the location of the un-authorized device to compare with the location of the user (e.g. location of his smart phone). This detection can be appropriate with the user using smart phones to detect and compare the location of them with the location of un-authorized device.

Fig. 5. Algorithm of Region Detection

1. If the region detection tool is enabled by the user previously, the user can request to access the cloud server by region detection user authentication.

2. Cloud-based user authentication agent will request the location of un-authorized device.

3. Cloud-based user authentication agent will request the location of registered smart device.

4. Detected locations will be compared.

5. If both devices are in the same location the cloud-based user authentication agent will confirm the identity of the user for further processes.

C. Access Control Agent

According to the analysis of performed researches, managing access controls is one of the most important issues that decrease the reliability of cloud computing environments. Due to this, an access control agent is suggested in the proposed model to increase the efficiency of managing accesses in cloud-based environments. In access control agent the dependency of managing accesses to the data will be increased by a unique data header. This means a special data header will be defined for managing accesses and increasing the rate of trust in cloud servers. In the proposed access control model, data will be divided into several parts and each part will be stored in various cloud servers. Accordingly, divided data will be joined at the ACUA cloud server for use by users or sharers. The following steps show the performance of access control agent in detail:

Upload Process

1. Data is uploaded to ACUA by the user.

2. In ACUA, data will be divided into several parts and each part has a special header.

3. Divided parts will be sent to cloud storages for storing processes.

Download Process

1. Divided data will be received by ACUA from cloud storages after a request from the user.

2. Divided data will be joined in ACUA and will be sent to the user device after removing headers.

For dividing and joining processes, the data header should be used for identification and access control. In other words, dividing data into several parts and using a data header will increase the reliability of access control processes. The following figure shows the data header in the proposed model:

Data Header | Main Data

Fig. 6. Divided Data Structure

By using the data header, data will be protected after losing one of the servers because of an unpredictable event or attack. Furthermore, the possibility of an illegal authorization will be decreased considerably. The following table shows the defined and proposed notation used in the data header:

TABLE I: DEFINED NOTATION IN DATA HEADER

Notation | Description
CSI | Cloud Server ID
DC | Date Created
DI | Data Owner ID
DU | Date Updated
DV | Data Version
ES | Encryption Status
KI | Key ID
KS | Key Status
PI | Parent ID
SRL | Security Risk Level
SUI | Sharer User ID
SUL | System User List
USK | User Secret Key

According to table 1, managing accesses will be more secure and the rate of trust will be increased by dividing data and using a data header in cloud computing environments. However, to establish more security in cloud servers and provide a safe place for storing divided data, a cryptography algorithm seems to be essential. That said, the cryptography agent is presented and described in the next task.

D. Cryptography Agent

Using cryptography algorithms is the most popular solution for establishing security in cloud computing environments. There are many asymmetric key and symmetric key cryptography methods with various specifications. The cryptography agent uses both asymmetric key and symmetric key models in various situations. This usage is described as follows:

• AES-128 for Private Files: AES-128 [7] is a symmetric key cryptography model that is more appropriate in private files that will not be shared. The security of AES-128 will increase the reliability of cloud servers because it needs more time for an unauthorized unlocking.

• HE-RSA-1024 for Sharing Files: HE-RSA-1024 [8] is an asymmetric key cryptography model that uses private and public keys together to increase the security of sharing files by transmitting the public key between authorized users. In this algorithm the private key will not be transmitted between users, and by doing this the rate of trust will be increased.

The performance of the cryptography agent has been shown in the following diagram:

Fig. 7. Cryptography Agent Performance

E. Cloud Manager

The rapid growth of using cloud services is an undeniable fact that has happened in recent years. Accordingly, users and enterprises subscribe to various cloud services for different purposes. These cloud servers can be public clouds or private clouds that are used for different purposes. According to the analysis process of current models, managing data in cloud servers is one of the most challenging issues that decrease the rate of efficiency in cloud computing environments. Accordingly, the cloud manager agent has been designed and presented in ACUA for managing the relations and communications between private and public clouds. The following diagram shows the performance of this cloud-based management application:

Fig. 8. Cloud Manager Performance

According to figure 8, the cloud manager agent has been defined as a service in ACUA for managing the relations and communication between various private and public clouds. Due to this cloud-based software-as-a-service application, data are transmitted from various cloud servers to the cloud manager agent and, by the described user authentication and access control model, the rate of trust during the accessing processes will be increased considerably. It should be noted that the cloud manager agent needs appropriate permissions from the user and cloud service providers for accessing all data.
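The UAC procedure of section B.1 (steps 1 to 5), as an added Python example that is not code from the paper: the class and method names, the 8-digit code length and the 300-second lifetime are assumptions, while the lockout after more than two wrong codes, the per-device lock and the alert to the user follow the listed steps.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

MAX_WRONG = 2            # paper: locked when the code is wrong "more than two times"
CODE_TTL_SECONDS = 300   # assumption: the paper gives no lifetime for a UAC


@dataclass
class PendingUAC:
    code: str
    issued_at: float
    wrong: int = 0


@dataclass
class CloudUserAuthAgent:
    """Toy stand-in for the CUA agent; all names here are hypothetical."""
    pending: dict = field(default_factory=dict)  # (user, device) -> PendingUAC
    locked: set = field(default_factory=set)     # (user, device) pairs locked out
    outbox: list = field(default_factory=list)   # messages "sent" to the user

    def request_uac(self, user, device, now=None):
        """Steps 1-2: generate a UAC and deliver it out of band."""
        now = time.time() if now is None else now
        key = (user, device)
        if key in self.locked:
            return False
        code = f"{secrets.randbelow(10**8):08d}"  # CSPRNG; 8 digits is an assumption
        self.pending[key] = PendingUAC(code, now)
        self.outbox.append((user, "uac", code))   # paper: delivered as a QR code
        return True

    def verify_uac(self, user, device, submitted, now=None):
        """Steps 3-5: returns 'granted', 'denied', 'expired' or 'locked'."""
        now = time.time() if now is None else now
        key = (user, device)
        if key in self.locked:
            return "locked"
        entry = self.pending.get(key)
        if entry is None:
            return "denied"
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[key]
            return "expired"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self.pending[key]                 # a code is single use
            return "granted"
        entry.wrong += 1
        if entry.wrong > MAX_WRONG:               # third wrong code locks the device
            del self.pending[key]
            self.locked.add(key)
            self.outbox.append((user, "alert", f"possible attack from {device}"))
            return "locked"
        return "denied"
```
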
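Region detection steps 1 to 5 (section B.2), as an added Python example that is not the paper's code: the 25 km radius used for "same location", the 120-second freshness limit and the function names are assumptions, and the check fails closed when a location is missing or stale.

```python
import math

EARTH_RADIUS_KM = 6371.0
SAME_REGION_KM = 25.0   # assumption: the paper does not define "same location"
MAX_FIX_AGE_S = 120     # assumption: older location reports are rejected


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def region_check(enabled, device_fix, phone_fix, now):
    """Return (confirmed, reason).

    device_fix: location reported for the un-authorized device (step 2).
    phone_fix:  location reported by the registered smart device (step 3).
    Each fix is {"pos": (lat, lon), "ts": epoch_seconds} or None.
    """
    if not enabled:                                   # step 1
        return False, "region detection not enabled by user"
    if device_fix is None or phone_fix is None:
        return False, "location unavailable"
    if max(now - device_fix["ts"], now - phone_fix["ts"]) > MAX_FIX_AGE_S:
        return False, "stale location"
    distance = haversine_km(device_fix["pos"], phone_fix["pos"])  # step 4
    if distance <= SAME_REGION_KM:                    # step 5
        return True, f"same region ({distance:.1f} km apart)"
    return False, f"different region ({distance:.1f} km apart)"
```
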
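The upload and download steps of the access control agent (section C), as an added Python example that is not from the paper: header keys CSI, DI, DV, PI, ES and SUI come from Table I, while SEQ, TOTAL, the JSON encoding and the in-memory `storage` dictionary standing in for the cloud servers are assumptions.

```python
import json
import struct


class AccessDenied(Exception):
    """Requester is neither the data owner (DI) nor a listed sharer (SUI)."""


class PartError(Exception):
    """A part is missing or belongs to a different data version (DV)."""


def pack_part(header, chunk):
    """One stored part: 4-byte header length | JSON data header | main data."""
    raw = json.dumps(header, sort_keys=True).encode()
    return struct.pack(">I", len(raw)) + raw + chunk


def unpack_part(blob):
    """Split a stored part back into (header dict, main data bytes)."""
    (hlen,) = struct.unpack(">I", blob[:4])
    return json.loads(blob[4:4 + hlen]), blob[4 + hlen:]


def upload(data, owner, servers, storage, sharers=(), parent_id="file-1", version=1):
    """Upload steps 2-3: divide the data, add a header, store one part per server."""
    total = len(servers)
    size = max(1, -(-len(data) // total))       # ceiling division
    for seq, csi in enumerate(servers):
        header = {"CSI": csi, "DI": owner, "DV": version, "PI": parent_id,
                  "ES": False, "SUI": sorted(sharers),
                  "SEQ": seq, "TOTAL": total}    # SEQ/TOTAL are assumed fields
        storage[(csi, parent_id)] = pack_part(header, data[seq * size:(seq + 1) * size])


def download(requester, parent_id, storage):
    """Download steps 1-2: fetch the parts, check each header, strip it, join."""
    chunks, versions, total = {}, set(), None
    for (csi, pid), blob in storage.items():
        if pid != parent_id:
            continue
        header, chunk = unpack_part(blob)
        if requester != header["DI"] and requester not in header["SUI"]:
            raise AccessDenied(f"{requester} may not read {parent_id}")
        chunks[header["SEQ"]] = chunk
        versions.add(header["DV"])
        total = header["TOTAL"]
    if total is None or len(versions) != 1:
        raise PartError("no parts found or mixed data versions")
    missing = [i for i in range(total) if i not in chunks]
    if missing:
        raise PartError(f"parts {missing} unavailable")
    return b"".join(chunks[i] for i in range(total))
```

In this sketch a lost server is detected at join time but the missing part cannot be rebuilt, and the headers are plain JSON with no integrity protection.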

III. EVALUATION OF PROPOSED MODEL

The proposed model has been evaluated by five main parameters: Performance, Security, Compatibility, and Power of Intelligence.

A. Performance

The expectation from the proposed model and the ability of achieving these expectations were described in previous tasks. The brief performance of the proposed model is shown in the following table:

TABLE II: BRIEF PERFORMANCE OF PROPOSED MODEL

Main Task | Sub Task | Expectation
User Authentication | Client-Based User Authentication | Reliable authorization in client side. Register authorized devices. Manage client-based user authentication processes.
User Authentication | Cloud-Based User Authentication | Use confirmation code for accessing from unauthorized device. Manage cloud-based user authentication processes.
User Authentication | Region Detection | Use location service for user authentication processes.
Access Control | Access Control Agent | Dividing data to several parts and storing in various servers. Put data header with defined notations for managing accesses.
Access Control | Cryptography Agent | Use asymmetric key cryptography for sharing files. Use symmetric key cryptography for private files.
Access Control | Cloud Manager | Managing data from public cloud servers and private cloud servers.

B. Security

The proposed access control and user authentication model increases the rate of reliability and security in cloud computing environments considerably. The following figure shows the security evaluation of the proposed model:

Client-Based User Authentication Agent
• Registering Authorized Devices on User Profile.
• Decrease the Dependency of User Authentication Processes on Server Side.

Cloud-Based User Authentication Agent
• Access to Cloud Servers with Un-Authorized Devices by Special User Authentication Processes.
• Using User Authorization Code for a Reliable User Authentication.
• Using Region Detection Tool in Increasing the Reliability.

Access Control Agent
• Dividing Data to Several Parts and Store in Several Servers to Resist Against Possible Attacks and Unpredictable Events.
• Using Smart Headers and Various Notations for Increasing the Security of Access Control Processes.

Cryptography Agent
• Using AES-128 for Private Files to Increase the Security of Stored Parts in Cloud Servers.
• Using HE-RSA-1024 for Sharing Files to Increase the Security of Stored Parts in Cloud Servers.

Fig. 9. Security Evaluation of Proposed Model

According to figure 9, considered specifications of the proposed model increase the rate of security in cloud computing environments during uploads, downloads, accesses, user authentications, and transmissions. This increase will raise the reliability of cloud-based services.

C. Compatibility

The proposed model has two main parts: cloud-based agents, and client-based agent.

• Cloud-Based Agents: As was described, there are four cloud-based agents in the software-as-a-service application. These agents are completely compatible with various platforms and devices because of the structure of applications that are based on cloud computing concepts.

• Client-Based Agent: There is one client-based application that should be provided in various versions according to different platforms to be compatible in all situations. According to the nature of this client-based agent, there is not any problem to develop different versions of this application.

D. Power of Intelligence

The proposed model uses several intelligence tools to increase the efficiency and the rate of trust in cloud computing environments:

• Region Detection: This tool can measure the distance between location of user and location of un-authorized device to have a more reliable user authentication process.

• Access Control Agent: Using a smart data header during access control processes will help to handle possible errors better. The notations of data headers will save log data for increasing the efficiency of error identification and error handling during access control processes.

IV. LIMITATIONS

As every model, the presented model has some limitations during development, performance, maintenance, usage, etc. The main limitation of the proposed model is the compatibility of the cloud manager agent with various private and public cloud servers. This means communication between different cloud servers with various structures is a challenging issue during the development of the suggested model. Furthermore, the time consumed during dividing data into several parts and joining them to the main part in the access control agent is another limitation of the proposed model. In addition, changing the cryptography algorithm after changing the type of file is a challenging issue in the cryptography agent. For example, when private data that was encrypted by AES-128 is changed to shared data, the data should be decrypted and re-encrypted by HE-RSA-1024 automatically and the data header should be changed. The last limitation of the proposed model is how to teach users to use the model better and without mistakes. According to the nature of the proposed model, the dependency of user authentication and access control processes on the performance of the user is increased considerably. That said, the ability of various users to handle these processes should be increased for a better and more efficient performance during user authentication and access control processes.

V. RECOMMENDATIONS

According to the identified limitations of the proposed model, it has been recommended to provide appropriate e-learn media files to teach users how to handle their privacy and access control processes more efficiently and more securely. Furthermore, it has been recommended to design an automatic re-encryption algorithm for encrypting data whose type has been changed in the cryptography agent. The last recommendation contains the process of public and private cloud management. It has been recommended to establish appropriate communications between access control agent, cloud manager agent, and service providers to increase the reliability and security in cloud computing environments.

VI. FURTHER RESEARCH

According to the defined limitations of the proposed model, an efficient, smart, and compatible management system for establishing a reliable communication between various public and private cloud servers seems to be essential. Accordingly, research on designing and developing the management system with appropriate tools and techniques such as single sign-on algorithms is the next step for increasing the reliability in cloud computing environments and will be investigated in further research processes.

VII. CONCLUSION

According to the identified problem in cloud computing environments, the main aim of this paper is to design and describe a smart user authentication and access control algorithm based on discretionary and role-based access control models for increasing the reliability and trustworthiness of cloud computing environments. Due to this aim, the methodology of this research was designed and required data were collected by appropriate tools and techniques. According to analysis of collected data, a smart and efficient user authentication and access control model was introduced and presented according to appropriate tools and techniques to increase the reliability and rate of trust in cloud computing environments. The proposed model uses a cloud-based software-as-a-service application with four main agents and a client-based user authentication application. After describing the proposed model, it was justified and evaluated for identifying the strengths and weaknesses according to defined parameters in previous tasks. Moreover, justification of the suggested model was performed by appropriate tools and techniques and the effects of this algorithm on reliable cloud computing environments were investigated. In addition, the research was reviewed and the limitations of the research were identified. Moreover, according to the limitations, appropriate details were recommended and further research was introduced. In conclusion, the theoretical analysis of the proposed model shows that designing this user authentication and access control model will increase the reliability and rate of trust in cloud computing environments as an emerging and powerful technology in various industries.

ACKNOWLEDGMENT

We acknowledge the assistance and logistical support provided by Asia Pacific University of Technology and Innovation (A.P.U.), Staffordshire University, and Meta Soft Company.

REFERENCES

[1] Y. Peng and F. Wang, “Cloud Computing Model Based on MPI and OpenMP,” in Proc. 2nd International Conf. on Computer Engineering and Technology (ICCET), Chengdu, China, 2010, vol. 7, pp. 85-87.

[2] L. Sun, W. Hua, Y. Jianming, and W. Guoxin, “Semantic Access Control for Cloud Computing Based on e-Healthcare,” in Proc. IEEE 16th International Conf. on Computer Supported Cooperative Work in Design (CSCWD), Wuhan, China, 2012, pp. 512-518.

[3] A.U. Khan, M. Oriol, M. Kiran, M. Jiang, and K. Djemame, “Security Risks and their Management in Cloud Computing,” in Proc. IEEE 4th International Conf. on Cloud Computing Technology and Science (CloudCom), Taipei, Taiwan, 2012, pp. 121-128.

[4] F. Q. Zhang and D. Y. Han, “Applying Agents to the Data Security in Cloud Computing,” in Proc. International Conf. on Computer Science and Information Processing (CSIP), Shaanxi, China, 2012, pp. 1126-1128.

[5] M.A. Alzain, B. Soh, and E. Pardede, “MCDB: Using Multi-Clouds to Ensure Security in Cloud Computing,” in Proc. IEEE Ninth International Conf. on Dependable, Autonomic and Secure Computing (DASC), Sydney, Australia, 2011, pp. 784-791.

[6] M.A. AlZain and E. Pardede, “Cloud Computing Security: From Single to Multi-Clouds,” in Proc. 45th Hawaii International Conf. on System Science (HICSS), Maui, Hawaii, 2012, pp. 5490-5499.

[7] J. Daemen and V. Rijmen, “AES Proposal: Rijndael”. National Institute of Standards and Technology, p. 1-10. Apr 2001.

[8] F. Fatemi Moghaddam, M. T. Alrashdan, O. Karimi, “A Hybrid Encryption Algorithm Based on RSA Small-e and Efficient-RSA for Cloud Computing Environments,” Journal of Advances in Computer Networks (JACN), IACSIT Press, vol. 1, no. 3, pp. 238-241, September 2013.
