Using Location Based Encryption to Improve the Security of Data Access in Cloud Computing

Meer Soheil Abolghasemi, Mahdi Mokarrami Sefidab, Reza Ebrahimi Atani
Department of Information Technology, International Campus, University of Guilan, Rasht, Iran
Abstract— Cloud computing is a new approach in the field of information technology and the development of computer technologies based on the World Wide Web. One of the most important challenges in this area is the security of cloud computing. At the same time, the security of access to critical and confidential information in banks, institutions and the like is essential. Sometimes, even at enormous cost, it is not fully guaranteed and is compromised by attackers. In this paper we provide a novel method that uses location-based encryption to improve the security of data access in cloud computing for a company or any other specific location.

Keywords—cloud computing; cryptography; location-based security; geo-encryption;

I. INTRODUCTION
Security has always been an integral part of human life. From ancient times to the present, people have been looking for physical and financial security. With the advancement of human knowledge and the arrival of the new era, the need for information security was added to human security concerns. Nowadays, with the advancement of technology, information security and data security are needed more than any other type of security. Some types of information and data are crucial, such as companies' confidential information, banks' information, military intelligence and the like. On the other hand, as data grows and becomes more scattered, users need powerful tools to process and store it. In recent years a new technology has been proposed for this purpose, called cloud computing. This technology enables individuals, companies and others to store their data and information in the cloud and to access their own data at any time, from any place and using any computer, through the Internet. It is even possible to deploy a platform in a cloud and use it (instead of installing software on a personal computer). This technology is certainly a big advantage, but alongside the advantages there are always disadvantages. Given its current structure, cloud computing is not considered fully developed and is still gradually evolving. The biggest challenge raised about cloud computing, and one many researchers are working on, is “security”. Users (people, companies, institutions, etc.) do not know what will happen to their data and information in the cloud, whether other people can gain access to their data, and so on. In this paper, we first briefly explain cloud computing, its types and services. We also discuss some of the security challenges faced in cloud computing. Then we explain “location based cryptography” and the “Geo-Encryption” algorithm. Finally, using “Geo-Encryption”, we propose a novel model for enhancing the security of data access control in cloud computing.

978-1-4673-6217-7/13/$31.00 © 2013 IEEE

II. CLOUD COMPUTING
A. Definition of Cloud Computing
Cloud computing is a model for accessing information and services using existing technology and Internet infrastructure that allows communication to be established between clients and the server [1,2]. We can think of cloud computing as the ability to share computational resources among many different users [3]. In fact, it is a platform or infrastructure that runs code in a managed and extensible model. Customers do not own the actual physical infrastructure; they just pay a subscription fee to the cloud provider and gain access to cloud resources and infrastructure with minimal effort or interaction with the service provider.

B. The Architecture of the Service Models
The architecture of the service model includes three types of service (Fig. 1) [1,4,5]:
• Software as a Service (SaaS): A fully operational environment for user interface and program management. In this service, the service is provided to the customer through an interface (browser), and the responsibility of the customer starts with data entry and ends with data management and user interactions [1,4].
• Platform as a Service (PaaS): This service provides a platform that enables software developers to create applications on it [1,4].
• Infrastructure as a Service (IaaS): This service provides virtual machines, virtual storage and other applied hardware as resources for customers. The IaaS service provider manages all infrastructure [1,4].

Figure 1. The architecture of the service models
C. Deployment Models of Cloud Computing
Four types of cloud computing have been introduced by NIST (2009):
• Public Cloud: Is owned by an organization selling cloud services to the public which is replaced by a big industrial group (Fig. 2). Examples are “Amazon” and “Google Apps”.
• Private Cloud: According to Fig. 2, the cloud infrastructure is owned by or under lease to an organization solely for the operation of that organization. Such clouds can be installed locally or remotely. An example is “eBay” [1,4,6].
• Hybrid Cloud: A combination of two or more clouds that may have standard or proprietary access to data and possible usages.
• Community Cloud: A combination of one or more private clouds, public clouds and hybrid clouds that is shared by many organizations for a specific purpose (mainly security). Infrastructure is shared by several organizations within a specific community with common security and the same goals [1,2,4].

Figure 2. Deployment models of cloud computing

D. Cloud Computing Security and Some Challenges
Security is one of the concerns in cloud computing that delays its approval. One of the biggest security concerns is that when you move your information into the cloud, you lose control of it. The cloud gives you access to your data, but you have no way to ensure that someone else does not have access to the data. In a cloud-based software environment, physical security is stronger because the loss of a client system does not include the data or software. Cloud computing offers some great advantages for communication. The availability of an unparalleled set of software applications, access to lightning-quick processing power, unlimited storage and the ability to easily. For this reason security issues are applicable to many such systems and technologies in cloud computing. For example, a network that is used for the system connections in a cloud must be secure. Moreover, the pattern of virtualization in cloud computing causes some security concerns. For example, the mapping of virtual machines to physical machines should be done safely. Data security includes data encryption, ensuring suitable policies for sharing data, and resource allocation and memory management algorithms. Finally, data mining techniques may help in the detection of malicious software in clouds [7]. Below are some of the challenges facing cloud computing:
• Insider Access: With insider access to data processing or storage outside the organization, data is still at risk despite firewalls and other security controls. Insider security threats are a known issue for most organizations and will emerge more with outsourced cloud services [8]. Insider threats may come from current or former employees, people in affiliated organizations, contractors and other parties that gain access to the organization's networks and systems, and may even occur unintentionally [9].
• Identity Management: Sensitivity of data, confidentiality and unauthorized access to resources in the cloud have become an increasing concern for organizations. One of the main reasons is that organizational identity and authentication frameworks still have not extended naturally into the cloud, and the existing framework may need to be manipulated to support cloud services [9].
• Access Control: In addition to validation, user accessibility and secure access control to resources are required as a part of identity management.
Standards similar to the “Extensible Access Control Markup Language” can be used instead of a dedicated server interface to control access to cloud resources [9]. Access control means keeping the data inaccessible to unauthorized users. Access control is generally based on identity and leads to validation of the user's identity [9].
• Data Protection: Data stored in the cloud typically resides in a shared environment and is arranged alongside data from other consumers. Accounts must therefore be controlled in order to enable access to data, and the data must be kept safe [9,10].
• Cloud Computing Database: Database environments used in cloud computing can be considerably different. For example, some environments support a multiparadigm model and others support a multi-tenancy model. In the former, a unique database management system is provided to run on an instance of a virtual machine monitor for each user's service, giving full control over defined roles, user permissions and other administrative tasks related to security. The latter provides a predefined environment for the cloud service user that is shared with other tenants, generally through labeling data with a user ID. Labeling gives a unique appearance to the usage of data, but maintaining a secure database environment is reliant on the service provider [9].

2013 International Conference on Advances in Computing, Communications and Informatics (ICACCI)

III. LOCATION BASED CRYPTOGRAPHY
A. Location Based “Identity”
In cryptography, the components of “identity” are important to us. Typical examples are a name and a national ID card, as are fingerprint scans, a residential address, a work address and so on. Data can be encrypted so that only the person who holds the private key can decrypt it (public key or private key). Here the question arises: can we have other forms of “identity”? What else can be used as an identity? Another question arises (in fact, it is the answer to the previous question): can we use the place where we are present as our “identity”? Is it possible to use it in encryption? Physical presence in a particular location at a specific time can be our “identity” in cryptography [11]. For example, we know the role of a bank teller behind a bullet-proof bank window not because she shows us her credentials but merely by knowing her location. Another question arises: for what applications is this method more suitable? For example, assume military base “A” wants to communicate with military base “B” (obviously military communications must be confidential). In the traditional approach the two bases can communicate by exchanging a secret key. One problem arises when an honest officer who carries the key is captured by the enemy, is tortured and finally reveals the secret key. As a result, with the secret key the enemy can decrypt the messages [11]. We trust physical security more. So maybe we are able to guarantee, through some physical means, that those who are inside a particular geographical region are approved. As a result (in the previous example), those who are physically present in military base “B”, or who get into it, are approved. So the message that is encrypted and sent from military base “A” to military base “B” will only be decrypted by a person or persons who are physically present in a particular geographical location (military base “B”), and no one else can decrypt it [11].

B. Location Based “Access Control”
Another usage for “Location Based Cryptography” is “Access Control”. A person who is physically present in a particular location can make use of the resources. For example, individuals who are physically present in a particular room are able to use the printer. If they leave the room, they will not be allowed to access the printer anymore; there are many such examples [11].

C. Geo-Encryption Principles
“Geo-Encryption” is a method based on adding a new security layer on the available encryption protocols structure using the recipient's location information. Encrypted data can be decrypted and read out only at a particular geographical point at a specific time [12]. The particular point can be exactly where we want the information to be decrypted, even with a radius of a few centimeters. It can also be within the walls of a room on a particular floor. Next-generation GPS and highly accurate GPS, like the military types that are “Anti-Spoof”, perform with an accuracy of 1 cm. They have the ability to measure a specific location very accurately with latitude, longitude and height. The idea of using “Geo-Encryption” was first proposed and developed by “Logan Scott” and “Dorothy E. Denning”. They used Geo-Encryption to encode film files in the manufacturer's studios and send them to cinema theaters through a wide network like the Internet. The sent files could be downloaded in all the areas that were covered, but they could be decrypted only at the location of the intended cinema theater at a specific time. The geographical information of the cinema theater must match the information used in the sender's file [12].

As we know, symmetric encryption (private key) is very fast in terms of computation and implementation. The asymmetric encryption (public key) method uses both public and private keys and its security is very high. On the other hand, due to the difficulty of its computation, its performance is low. Therefore the “Geo-Encryption” algorithm uses a combination of symmetric and asymmetric encryption. The public key algorithm is used to secure and distribute session keys, and the symmetric encryption algorithm is used to encrypt the information (Fig. 3). The sender uses the session key (which is random) and a symmetric algorithm like “AES” to encrypt the desired data. Then, using the location information, time and speed of the receiver (PVT) and a mapping table, the sender makes a certain code named “Geolock” (Fig. 4). Finally, the session key is encrypted with this code (Geolock), and the result is encrypted using an algorithm such as “RSA” and sent [13]. The receiver, using their PVT information obtained via positioning tools (Anti-Spoof GPS) and the mapping table, calculates the “Geolock” and then:

Geolock ⊕ encrypted key = Session key [13,14]

Figure 3. GeoCodex GeoEncryption algorithm [13].

Figure 4. PVT→GeoLock mapping function [13].
IV. OUR PROPOSED MODEL

As mentioned in the previous section, data security in the cloud is very important. Users (individuals or companies) are concerned about access to their information by unauthorized users. Now suppose that the data is critical and confidential information from a bank, a company and so on. The need for access control in cloud computing is then greater than ever, and it is a very important part of data security in the cloud. In our method we use the user's location and geographical position to add a security layer to the existing security measures. Our solution is more appropriate for banks, big companies, institutions and the like. The only thing we need is an accurate Anti-Spoof GPS that companies can afford to buy. Implementing the Geo-Encryption algorithm on the cloud and on the user's computer (which is connected to the GPS) is also required. We can label the data (Fig. 5). A label contains the name of the company or of a person who works in the company (for example the company's boss). These labels are placed in an index table, in a database, that refers to the user's geographic location and the timeframe in which the data may be accessed. These labels and the values of the database can be added manually or automatically. For example, suppose that a bank stores some information in the cloud and only the accountant can have access to it. The accountant's room is on the third floor of the bank's building and the accountant's working hours are from 8 am to 3 pm. We can make the information inside the cloud available only within the accountant's room and during his working hours (in addition to the existing security measures). As mentioned, the new generation “Anti-Spoof” GPS is very accurate and can give us the latitude, longitude and altitude accurately. As a result, we can limit data access to a room located on a particular floor of a building and to a specified timeframe. Another example is information that can be available only in the chief's room of the different branches of a bank or a company.

Figure 5. General overview of our proposed model.

In the usual method, when users attempt to access the data, they use standard security measures and thus get access to the cloud. In our model, in addition to the usual measures, we also take the following steps (Fig. 6):
• First, the user's label is sent from the computer to the cloud.
• In the cloud, the matching label is searched for and retrieved.
• The retrieved label refers to a row of a database which is on the cloud.
• The information corresponding to the label is retrieved (the user's location and the timeframe within which data can be accessed).
• Using this information and the Geo-Encryption algorithm, the data is encrypted and sent to the user.
• The user's computer receives the encrypted data, and location information is received by the GPS.
• Then, using the mapping table, it calculates the Geolock code.
• Geolock ⊕ encrypted key = Session key
• Finally, using the session key, it decrypts the data.

Figure 6. The sequence diagram of our proposed model.
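The steps above, as an added Python sketch that is not code from the paper or from GeoCodex: the cloud looks up the label, enforces the timeframe, and XORs the session key with a Geolock that the user side must rebuild from its own position and time. Assumptions in this sketch: the label name, coordinates and grid sizes are constructed, time is quantized to one-hour slots, speed is left out of the PVT input, a SHA-256 counter-mode keystream with an HMAC tag stands in for AES, and the RSA wrapping step is omitted.

```python
import hashlib
import hmac
import secrets
from datetime import datetime

# Constructed index table (label -> permitted position and access hours).
# Coordinates, grid sizes and the label name are assumptions for this sketch.
GRID_DEG = 0.0001    # lat/lon cell size in degrees
GRID_ALT_M = 3.0     # altitude cell size, roughly one storey
INDEX_TABLE = {
    "bank-accountant": {"lat": 37.2808, "lon": 49.5832, "alt_m": 9.0, "hours": (8, 15)},
}

def geolock(lat, lon, alt_m, when):
    """Mapping function: quantize position and time to a grid cell, hash to 32 bytes."""
    cell = (round(lat / GRID_DEG), round(lon / GRID_DEG),
            round(alt_m / GRID_ALT_M), when.strftime("%Y-%m-%dT%H"))
    return hashlib.sha256(repr(cell).encode()).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key, nonce, n):
    # Stand-in for AES: SHA-256 in counter mode, standard library only.
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def cloud_encrypt(label, data, now):
    """Cloud side: look up the label, enforce the timeframe, geo-lock the session key."""
    row = INDEX_TABLE.get(label)
    if row is None:
        raise PermissionError("unknown label")
    start, end = row["hours"]
    if not start <= now.hour < end:
        raise PermissionError("outside the permitted timeframe")
    session_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    ct = _xor(data, _keystream(session_key, nonce, len(data)))
    tag = hmac.new(session_key, nonce + ct, hashlib.sha256).digest()
    lock = geolock(row["lat"], row["lon"], row["alt_m"], now)
    # The paper additionally encrypts this value with RSA; that step is omitted here.
    return {"locked_key": _xor(session_key, lock), "nonce": nonce, "ct": ct, "tag": tag}

def client_decrypt(msg, lat, lon, alt_m, gps_time):
    """User side: rebuild the Geolock from the receiver's own position and time."""
    session_key = _xor(msg["locked_key"], geolock(lat, lon, alt_m, gps_time))
    expected = hmac.new(session_key, msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return None   # wrong room, floor or hour: the recovered key is garbage
    return _xor(msg["ct"], _keystream(session_key, msg["nonce"], len(msg["ct"])))

if __name__ == "__main__":
    t = datetime(2013, 8, 22, 10, 30)   # constructed request time
    msg = cloud_encrypt("bank-accountant", b"constructed ledger record", t)
    print(client_decrypt(msg, 37.28083, 49.58318, 9.8, t))   # inside the room
    print(client_decrypt(msg, 37.28083, 49.58318, 3.0, t))   # same building, wrong floor
```

In this sketch the Geolock is derived only from coordinates and time, so it is not a secret by itself: anyone who knows the room and the hour can recompute it. Confidentiality therefore rests on the RSA layer and on a receiver whose position reading cannot be forged, which is why the model depends on Anti-Spoof GPS.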
V. CONCLUSION

One of the most challenging issues in cloud computing is data access control. Because of the benefits of cloud computing, more people and more companies turn to this technology every day. As with almost every proposed procedure, this technology presents challenges as well as advantages. In this paper, cloud security and its challenges were briefly discussed. Location based encryption and the “Geo-Encryption” algorithm were also reviewed. Finally, a new security level was added to the existing security measures using location-based encryption. This method can be used in several places, such as banks, big companies and institutions, and have the desired performance.

REFERENCES

[1] Barrie Sosinsky, “Cloud Computing Bible”, 1st ed., January 11, 2011.
[2] A. Weiss, “Computing in the Clouds”, Networker, Vol. 11, No. 4, pp. 16-25, December 2007.
[3] David S. Linthicum, “Cloud Computing and SOA Convergence in your Enterprise”, Pearson, 2010.
[4] Rajnish Choubey et al., International Journal on Computer Science and Engineering (IJCSE), 2011.
[5] R. Buyya, C. S. Yeo, and S. Venugopal, “Market-oriented Cloud Computing: Vision, hype, and reality for delivering IT services as computing utilities”, in Proceedings of the 10th IEEE International Conference on High Performance Computing and Communications (HPCC-08), IEEE CS Press, Los Alamitos, CA, USA, 2008.
[6] Mehrdad Mahdavi Boroujerdi, Soheil Nazem, “Cloud Computing: Changing Cogitation about Computing”, World Academy of Science, Engineering and Technology, 2009.
[7] Gurudatt Kulkarni et al., “Cloud Security Challenges”, 7th International Conference on Telecommunication Systems, Services, and Applications (TSSA), IEEE, 2012.
[8] Cloud Hooks: “Security and Privacy Issues in Cloud Computing”, Proceedings of the 44th Hawaii International Conference on System Sciences, 2011.
[9] Wayne Jansen, Timothy Grance, “Guidelines on Security and Privacy in Public Cloud Computing”, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930, January 2011.
[10] Ronald L. Krutz, Russell Dean Vines, “Cloud Security: A Comprehensive Guide to Secure Cloud Computing”, 2010.
[11] Nishanth Chandran, Vipul Goyal, Ryan Moriarty, Rafail Ostrovsky, “Advances in Cryptology”, CRYPTO 2009, Lecture Notes in Computer Science, Volume 5677, pp. 391-407, 2009.
[12] Logan Scott & Dorothy E. Denning, “Location Based Encryption & Its Role in Digital Cinema Distribution”, Proceedings of ION GPS/GNSS 2003, pp. 288-297.
[13] D. Qiu, “Security Analysis of Geoencryption: A Case Study using Loran”, Proceedings of ION GNSS 2007.
[14] D. Qiu, Sherman Lo, Per Enge, Dan Boneh, “Geoencryption Using Loran”, Proceedings of ION NTM 2007.