Modern Encryption Techniques for Cloud Computing Randomness and Performance Testing

Sherif El-etriby
Eman M. Mohamed
Computer Science Dept., Al-lieth University College, Umm Al-Qura University, KSA
[email protected]
Computer Science Dept., Faculty of computers and information, Menoufia University, Egypt
[email protected]
Hatem S. Abdul-kader
Information Systems Dept., Faculty of Computers and Information, Menoufia University, Egypt
[email protected]

Abstract—Cloud computing has become the next-generation architecture of IT enterprise. Clouds are massively complex systems. They can be reduced to simple primitives that are replicated thousands of times, and common functional units. The complexity of cloud computing creates many issues related to security as well as to all other aspects of cloud computing. One of the most important issues is data security, since clouds typically have a single security architecture but many customers with different demands. The main focus of the proposed work is data storage security in the cloud and on the desktop. Generally, data security is an important factor for both cloud computing and traditional desktop applications, in order to obtain the highest possible level of privacy. Modern encryption algorithms play the main role in the data security of cloud computing. We present an evaluation of eight selected modern encryption techniques, namely RC4, RC6, MARS, AES, DES, 3DES, Two-Fish and Blow-Fish, on two independent platforms: a desktop computer and an Amazon EC2 Micro Instance cloud computing environment. The evaluation has been performed for those encryption algorithms according to randomness testing using the NIST statistical test suite in the cloud computing environment. This evaluation uses a Pseudo Random Number Generator (PRNG) to determine the most suitable technique and analyses the performance of the selected modern encryption techniques. The cryptographic algorithms are implemented using the Java Cryptography Extensions (JCE). Simulation results are shown to demonstrate the effectiveness of each algorithm.

Keywords-Amazon EC2; cloud computing architecture; NIST statistical test suite; modern encryption techniques

© ICCIT 2012

I. INTRODUCTION

Cloud computing refers to the use of networked infrastructure software and capacity that provides resources to the on-demand environment. Information is stored in centralized servers and cached temporarily on clients, which can include desktop computers, notebooks, handhelds and other devices. The complexity of the cloud can be reduced by simply decomposing it into thousands of replicated primitives and common functional units. These complexities create many issues related to security as well as to all other aspects of cloud computing. A cloud typically has a single security architecture but many customers with different demands. The security issues arise because both customer data and programs reside on the provider's premises [1]-[3].

This paper develops an evaluation of eight selected modern encryption techniques, namely RC4, RC6, MARS, AES, DES, 3DES, Two-Fish and Blow-Fish. The evaluation has been performed for those encryption algorithms according to randomness testing, using the NIST statistical test suite [9], in both the cloud computing and traditional desktop environments. The performance is evaluated by measuring the encryption speed of those algorithms in both environments. The eight selected modern encryption techniques [13-17] use a random number generator to obtain critical data such as keys and initial vectors. The main objective of this paper is to evaluate these eight modern encryption algorithms as Pseudo Random Number Generators (PRNGs), to determine the most suitable technique, and to analyse the performance of the selected modern encryption techniques.

II. CLOUD COMPUTING

This section gives an overview of cloud computing, cloud computing architecture, and data security in cloud computing. There are many definitions that attempt to address the cloud from the perspective of academicians, architects, engineers, developers, managers and consumers [1]-[2]. The simplest definition of cloud computing is "moving computing from a single desktop PC/data centre to the Internet".

Cloud computing is based on five attributes:
Multi-tenancy (shared resources): cloud computing is based on a business model in which resources are shared (i.e., multiple users use the same resource) at the network level, host level and application level.
Massive scalability: cloud computing provides the ability to scale to tens of thousands of systems, as well as the ability to massively scale bandwidth and storage space.
Elasticity: users can rapidly increase and decrease their computing resources as needed.
Pay as you use: users pay only for the resources they actually use and only for the time they require them.
Self-provisioning of resources: users self-provision resources such as additional systems (processing capability, software, storage) and network resources.
Cloud computing eliminates the costs and the complexity of buying, configuring and managing the hardware and software needed to build and deploy applications; these applications are delivered as a service over the Internet.

Cloud services exhibit five essential characteristics that demonstrate their relation to, and differences from, traditional computing approaches [3]: (1) on-demand self-service, (2) broad network access, (3) resource pooling, (4) rapid elasticity, and (5) measured service. Cloud computing often leverages massive scale, homogeneity, virtualization, resilient computing (non-stop computing), low-cost/free software, geographic distribution, service orientation and advanced security technologies. Cloud computing combines a number of computing concepts and technologies for Service Oriented Architecture (SOA), which may include Web 2.0 and the virtualization of services and communication infrastructure. These technologies have allowed cloud customer organizations to achieve improved utilization and efficiency of their service providers' infrastructure through the controlled sharing of computing resources with other customers (multi-tenancy), and greater flexibility to scale IT services up and down. In some respects, cloud computing represents the maturing of these technologies and is a marketing term to represent that maturity and the cloud services they provide.

A. Cloud Computing Architecture

Clouds are commonly described in terms of the functionality offered. The main types of cloud service models and deployment models are:

1) Cloud service (delivery) models: Cloud service (delivery) models are divided among three archetypal models and various derivative combinations. The three fundamental classifications are often referred to as the "SPI Model", where "SPI" refers to Software, Platform or Infrastructure [4].

a) Cloud Software as a Service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

b) Cloud Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage, but has control over the deployed applications and possibly the application hosting environment configurations.

c) Cloud Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks and other fundamental computing resources, where the consumer is able to deploy and run arbitrary software. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage and deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

TABLE I. EXAMPLES OF CLOUD PROVIDERS WITH CLOUD SERVICE
SaaS: Zoho, Salesforce.com, Google Apps
PaaS: Windows Azure, Google App Engine, Aptana Cloud
IaaS: Dropbox, Amazon Web Services, Mozy, Akamai

2) Cloud deployment models: Regardless of the service model utilized (SaaS, PaaS or IaaS), there are four deployment models for cloud services, with derivative variations that address specific requirements [4]:

a) Public Cloud: The cloud infrastructure is made available to the public or a large industry group and is owned by an organization selling cloud services.

b) Private Cloud: The cloud infrastructure is operated solely for a single organization.

c) Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations).

d) Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public).

B. Security Concerns of Cloud Computing

While cost and ease of use are two great benefits of cloud computing, there are significant security concerns that need to be addressed when considering moving critical applications and sensitive data to public and shared cloud environments. To address these concerns, the cloud provider must develop sufficient controls to provide the same or a greater level of security than the organization would have if the cloud were not used.
III. DESCRIPTION OF NIST STATISTICAL TESTS

The NIST Test Suite is a statistical package consisting of 15 tests that were developed to test the randomness of binary sequences produced by either hardware or software. These tests focus on a variety of different types of non-randomness that could exist in a sequence. Some tests are decomposable into a variety of subtests. The 15 tests are shown in Table 2.

The P-value obtained from a test represents the probability of obtaining a result further from the expected value than the test statistic lies, if the algorithm produces a random stream. Very small P-values, i.e. less than 0.01, support non-randomness for the given measure.

This evaluation is performed according to the NIST statistical tests, namely: the Frequency (Monobit) Test, the Frequency Test within a Block, the Runs Test, the Test for the Longest Run of Ones in a Block, the Binary Matrix Rank Test, the Discrete Fourier Transform (Spectral) Test, the Non-overlapping Template Matching Test, the Overlapping Template Matching Test, Maurer's "Universal Statistical" Test, the Linear Complexity Test, the Serial Test, the Approximate Entropy Test, the Cumulative Sums (Cusums) Test, the Random Excursions Test, and the Random Excursions Variant Test [9], numbered in order from 1 to 16. The Block Frequency, Non-overlapping Template Matching, Overlapping Template Matching, Approximate Entropy, Serial and Linear Complexity tests require user-prescribed input parameters. The exact values used in these experiments are given in parentheses beside the name of the statistical test in Table 2. Each sample is 7,929,856 bits in length (991,232 bytes). Additionally, the P-values reported in the tables can be found in the results.txt file of each individual test, not in the finalAnalysisReport.txt file of the NIST package.

TABLE II. NIST STATISTICAL TESTS
Statistical test               User input parameter
Approximate Entropy            (m = 10)
Block Frequency                (m = 128)
Linear Complexity              (M = 500)
Non-overlapping Templates      (m = 9, B = 000000001)
Overlapping Templates          (m = 9)
Random Excursions              (x = +1)
Random Excursions Variant      (x = -1)
Serial                         (m = 16)

IV. METHODOLOGY

In cloud computing randomness testing, we sign up for Amazon Web Services to create an account. Then we launch Amazon EC2 Windows and Ubuntu Linux Micro Instances, connect to the Amazon EC2 Windows Micro Instance, generate 128 plain stream sequences as the PRNG input, each sequence 7,929,856 bits in length (991,232 bytes), and a key stream (key length 128 bits), and apply the cryptographic algorithms to get the cipher texts, so that we have 128 sequences (128 cipher texts) for each of the eight encryption algorithms. Finally we connect to the Amazon EC2 Ubuntu Linux Micro Instance and run the NIST statistical tests on each sequence for the eight encryption algorithms to get the P-value; the P-value is compared with 0.01, and if the P-value is less than 0.01 the sequence is rejected.

In desktop randomness testing, the same procedure is followed as in the cloud test except that all the work runs on a traditional desktop. We compare the eight encryption methods based on P-value, rejection rate and finally the time consumed by each method. Based on the current version of the statistical tests, each of the algorithms (RC4, RC6, AES, DES, 3DES, MARS, Two-Fish and Blow-Fish) was evaluated in the desktop environment and in the cloud environment. We produce P-values, where a small P-value (less than 0.01) supports non-randomness. For example, if the sample consists of 128 sequences, the rejection rate should not exceed 4.657, or simply expressed 4 sequences with α = 0.01; the maximum number of rejections was computed using the formula:

$$s\alpha + 3\sqrt{s\alpha(1-\alpha)} \qquad (1)$$

where s is the sample size and α is the significance level, equal to 0.01. This task was done on different platforms to identify the best encryption algorithms for data security: on a traditional desktop and on Amazon EC2 cloud computing. For our experiment we use a laptop with an Intel Core™ 2.13 GHz CPU, on which the performance data for the traditional desktop environment is collected. For our experiment in the cloud computing environment we use Micro Instances of the Amazon EC2 family, which provide a small amount of consistent CPU resources and allow bursting CPU capacity when additional cycles are available. They are well suited for lower-throughput applications and web sites that consume significant compute cycles periodically (613 MB memory, up to 2 EC2 Compute Units for short periodic bursts, EBS storage only, 32-bit or 64-bit platform, I/O performance: Low, API name: t1.micro), and we use Ubuntu Linux to run the NIST statistical test package.

V. EXPERIMENTS (TESTS RESULTS)

To realize the experiments we developed a program that implements the methodology in the Java language. The experiments were performed on a traditional desktop (laptop with Intel Core™ 2.13 GHz CPU, 3 GB RAM and 64-bit operating system). In cloud computing we used an Amazon EC2 Micro Instance (613 MB RAM, 64-bit operating system, 2 virtual core CPU).
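The statistical decision of Sections III and IV, as an added example in Python (the paper's own program is in Java with JCE and is not reproduced on the page): two of the NIST tests (Frequency/Monobit and Runs) produce a P-value per sequence, a sequence is rejected when P < 0.01, the rejection count over 128 sequences is compared with the limit of equation (1), and equation (2) decides whether the Random Excursions tests apply. The SHA-256 counter stream and the deliberately biased stream are constructed stand-ins for cipher output, not the paper's data.

```python
# Added example, not the paper's own Java/JCE program: the statistical decision
# of Sections III and IV. Two NIST tests (Frequency/Monobit and Runs) give a
# P-value per sequence; a sequence is rejected when P < 0.01; the rejections
# over 128 sequences are compared with equation (1); equation (2) decides
# whether the Random Excursions tests apply at all.
import hashlib
import math

ALPHA = 0.01        # significance level used in the paper
SAMPLES = 128       # sequences per algorithm, as in the paper
SEQ_BYTES = 1024    # constructed: 8192 bits per sequence (the paper used 991,232 bytes)


def bytes_to_bits(data):
    """Expand bytes into a list of 0/1 ints, most significant bit first."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def monobit_p_value(bits):
    """NIST Frequency (Monobit) test: P = erfc(|S_n| / sqrt(2n)) with S_n = sum(2*bit - 1)."""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(2 * n))


def runs_p_value(bits):
    """NIST Runs test; returns 0.0 when the prerequisite |pi - 1/2| < 2/sqrt(n) fails."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_n = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])  # number of runs
    num = abs(v_n - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def max_rejections(s, alpha=ALPHA):
    """Equation (1): s*alpha + 3*sqrt(s*alpha*(1-alpha)); 4.657 for s = 128, alpha = 0.01."""
    return s * alpha + 3 * math.sqrt(s * alpha * (1 - alpha))


def random_excursions_applicable(j, n):
    """Equation (2): Random Excursions (Variant) is not applicable when J < max(0.005*sqrt(n), 500)."""
    return j >= max(0.005 * math.sqrt(n), 500)


def hash_stream(seed, nbytes):
    """Constructed stand-in for cipher output: SHA-256 in counter mode (deterministic, offline)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(b"%d:%d" % (seed, counter)).digest()
        counter += 1
    return bytes(out[:nbytes])


def biased_stream(seed, nbytes):
    """Constructed weak stream: the top bit of every byte is cleared, so ones are under-represented."""
    return bytes(b & 0x7F for b in hash_stream(seed, nbytes))


def count_rejections(stream_fn, samples=SAMPLES, nbytes=SEQ_BYTES, alpha=ALPHA):
    """Run both tests on `samples` sequences; count sequences with P < alpha per test."""
    rejected = {"monobit": 0, "runs": 0}
    for seed in range(samples):
        bits = bytes_to_bits(stream_fn(seed, nbytes))
        if monobit_p_value(bits) < alpha:
            rejected["monobit"] += 1
        if runs_p_value(bits) < alpha:
            rejected["runs"] += 1
    return rejected


if __name__ == "__main__":
    limit = max_rejections(SAMPLES)
    print("maximum rejections out of %d at alpha = %.2f: %.3f" % (SAMPLES, ALPHA, limit))
    for name, fn in (("hash stream", hash_stream), ("biased stream", biased_stream)):
        counts = count_rejections(fn)
        print(name, {t: "%d (%s)" % (c, "ok" if c <= limit else "EXCEEDS") for t, c in counts.items()})
    # Equation (2) with the values in the paper's Fig. 1: J = 1, n = 991232 -> not applicable
    print("Random Excursions applicable:", random_excursions_applicable(1, 991232))
```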
The rejection rate is expressed as the number of rejected sequences out of the 128 sequences (a small P-value indicates a non-random sequence). We provide a summary of the experiment results in Table 3 for Amazon EC2 and in Table 4 for the desktop, both based on rejection rate. Each table contains the eight modern encryption techniques and the number of rejected sequences for each test in the NIST statistical test suite. The rejection rates shown in Tables 3 and 4 are given for the sequences of the eight encryption techniques subjected to the 16 NIST statistical tests shown in Table 2. Table 3 shows the rejection rate results at Amazon EC2 while Table 4 gives the rejection rate results in the desktop environment. We can notice that there is a significant difference between the two environments.

We notice in the Amazon EC2 rejection rate results that there are no strong indications of statistical weaknesses, and the rejection rate for the selected modern encryption techniques does not exceed the maximum number of rejections (expected 4) in all NIST statistical tests except test 11: Random Excursions and test 12: Random Excursions Variant. In these two tests the randomness hypothesis is rejected if

$$J < \max(0.005\sqrt{n},\ 500) \qquad (2)$$

where J denotes the total number of cycles in the string. The randomness hypothesis will be rejected when the P-value is too small, and the result appears in the file stats.txt of the NIST package for test 11 and test 12 as shown in Fig. 1.

Figure 1. Screen-shot of result file stats.txt in NIST package for test 11 and 12 at Amazon EC2 cloud environment:
    (a) Number Of Cycles (J) = 0001
    (b) Sequence Length (n) = 991232
    ---------------------------------------------
    WARNING: TEST NOT APPLICABLE. THERE ARE AN INSUFFICIENT NUMBER OF CYCLES.

We notice in the desktop rejection rate results that there are no strong indications of statistical weaknesses, and the rejection rate for the selected modern encryption techniques does not exceed the maximum number of rejections (expected 4) in all NIST statistical tests except test 11: Random Excursions, test 12: Random Excursions Variant, test 2: Block Frequency and test 5: Spectral DFT. In the first two tests the randomness hypothesis is rejected when the P-value is too small and equation (2) holds, while in test 2 the P-value is smaller than 0.01 more than 55 times for each algorithm, and in test 5, whose threshold comes from the binomial distribution, the P-value is smaller than 0.01 more than 57 times for each algorithm; the results are shown in Fig. 2 and 3.

Figure 2. Screen-shot of result file stats.txt in NIST package for Block Frequency at desktop environment:
    BLOCK FREQUENCY TEST
    COMPUTATIONAL INFORMATION:
    (a) Chi^2 = 9834.593750
    (b) # of substrings = 7744
    (c) block length = 128
    (d) Note: 0 bits were discarded.
    ---------------------------------------------
    FAILURE    P-value = 0.000000

Figure 3. Screen-shot of result file stats.txt in NIST package for DFT test at desktop environment:
    DFT TEST
    COMPUTATIONAL INFORMATION:
    (a) Percentile = 91.216991
    (b) N_l = 452086.000000
    (c) N_o = 470835.200000
    (d) d = -172.813743
    ---------------------------------------------
    FAILURE    P-value = 0.000000

We notice that the rejection rate also exceeds the maximum number of rejections with the RC4 algorithm only in test 7: Linear Complexity, where there are 5 rejections out of 128 sequences processed when the expected number should be no more than 3. Tables 5 and 6 show the ordering of the modern encryption techniques in Amazon EC2 and on the traditional desktop; this ordering is based on three factors: P-value, rejection rate and finally time consumption. In our opinion, we would prefer the AES algorithm for use in Amazon EC2 when the user needs high security, and DES or Blow-Fish when the user needs fast retrieval of data.

In order to have a clearer view of the results, we compare the eight encryption algorithms based on P-value and rejection rate: the higher the P-value the better, and vice versa for the rejection rate, the lower the better. In the Amazon EC2 environment, as shown in Fig. 4 and 5, we can notice that there is no significant difference between the two comparison methods. We can also compare the eight algorithms in Amazon EC2 based on time consumption (encryption speed), as shown in Fig. 9. We can order the best four encryption methods in Amazon EC2 based on rejection rate, P-value and time consumption as shown in Table 5. In the desktop environment, as shown in Fig. 6 and 7, we can notice that there is no significant difference between the two comparison methods. We can also compare the eight algorithms on the desktop based on time consumption (encryption speed), as shown in Fig. 8.

TABLE III. MODERN ENCRYPTION ALGORITHMS IN AMAZON EC2
Amazon EC2   P-Value     Rejection-Rate   Time consuming
1            RC6         DES              Blow-Fish
2            AES         AES              DES
3            Blow-Fish   Blow-Fish        AES
4            DES/RC4     RC6/RC4          RC4

TABLE IV. MODERN ENCRYPTION ALGORITHMS IN DESKTOP
Desktop      P-Value     Rejection-Rate   Time consuming
1            RC6         RC6              Blow-Fish
2            AES         AES              DES
3            Blow-Fish   Blow-Fish        RC4
4            DES/RC4     RC6/RC4          AES
Figure 4. Comparison on Amazon EC2 based on rejection rate
Figure 5. Comparison on Amazon EC2 based on P-value
Figure 6. Comparison on desktop based on rejection rate
Figure 7. Comparison on desktop based on P-value
Figure 8. Comparison on desktop based on time consuming average
Figure 9. Comparison on Amazon EC2 based on time consuming average

VI. CONCLUSION

From the simulation results we can conclude that there are no strong indications of statistical weaknesses for the eight modern encryption algorithms in both environments, but some differences between the algorithms appeared. In Amazon EC2, the evaluation of the eight modern encryption techniques shows that the RC6, AES, DES and Blowfish results were slightly better than those of the other encryption methods, as these methods have P-values further inside the safe area. Finally, the AES encryption method is a suitable algorithm for the Amazon EC2 environment, but Blow-Fish and DES are more suitable when we focus on encryption time. For the selected encryption algorithms, the sequence complexity values exceed the threshold values for randomness only in the Random Excursions Variant test and the Random Excursions test. These two tests are not applicable, as there is an insufficient number of cycles. On the traditional desktop, the evaluation of the eight modern encryption techniques shows that the RC6, AES, Blowfish, DES and RC4 results were slightly better than those of the other encryption methods, as these methods have P-values further inside the safe area. Finally, the RC6 encryption method is a suitable algorithm for the traditional PC environment, but Blow-Fish is more suitable when we focus on encryption time.

REFERENCES

[1] Luis M. Vaquero, Luis Rodero-Merino, Juan Caceres, Maik Lindner, "A Break in the Clouds: Towards a Cloud Definition", ACM SIGCOMM Computer Communication Review, Vol. 39, No. 1, 2009.
[2] P. Mell and T. Grance, "Cloud computing definition," NIST, June 2009, http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
[3] John W. Rittinghouse and James F. Ransome, "Cloud Computing Implementation, Management, and Security".
[4] Cloud Security Alliance, www.cloudsecurityalliance.org, http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
[5] Cloud Security Alliance, "Top Threats to Cloud Computing V1.0", March 2010.
[6] Dai Yuefa, Wu Bo, Gu Yaqiang, Zhang Quan, Tang Chaojing, ChangSha, China, "Data Security Model for Cloud Computing".
[7] Information Technology Laboratory, NIST Security Technology Group, "NIST's Randomness Testing for Round 1 AES Candidates".
[8] Venkata Koonaparaju, "Statistical Tests for Random Number Generators".
[9] Andrew Rukhin, Juan Soto, James Nechvatal, Miles Smid, et al., "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications", April 2010.
[10] Juan Soto, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, "Randomness Testing of the Advanced Encryption Standard Candidate Algorithms".
[11] Amazon Web Services, "Overview", http://aws.amazon.com/, August 2009.
[12] Amazon Web Services, "Amazon Elastic Compute Cloud User Guide API", 2010-11-15.
[13] Carolynn Burwick, Don Coppersmith, et al., "The MARS Encryption Algorithm".
[14] Dawson, Helen Gustafson, Matt Henricksen, Bill Millan, "Evaluation of RC4 Stream Cipher", Information Security Research Centre, Queensland University of Technology, July 31, 2002.
[15] W. Stallings, "Cryptography and Network Security", 4th Ed., Prentice Hall, 2005, pp. 58-309.
[16] Daemen, J., and Rijmen, V., "Rijndael: The Advanced Encryption Standard", Dr. Dobb's Journal, March 2001, pp. 137-139.
[17] Bruce Schneier, "The Blowfish Encryption Algorithm", retrieved October 25, 2008.

TABLE V. AMAZON EC2 REJECTION RATE FOR MODERN ENCRYPTION ALGORITHMS
(cells are Reject/Accept counts out of 128 sequences for each of the 16 NIST statistical tests)

NIST test  RC6      RC4      AES      MARS     Two-Fish  Blow-Fish  3DES     DES
1          1/127    1/127    1/127    1/127    1/127     1/127      0/128    0/128
2          1/127    2/126    3/125    4/124    1/127     1/127      1/127    2/126
3          1/127    2/126    0/128    1/127    1/127     1/127      2/126    0/128
4          3/125    1/127    1/127    1/127    0/128     2/126      1/127    0/128
5          2/126    0/128    1/127    1/127    3/125     1/127      3/125    1/127
6          1/127    1/127    0/128    1/127    0/128     3/125      1/127    0/128
7          0/128    0/128    1/127    2/126    1/127     1/127      2/126    3/125
8          0/128    1/127    2/126    2/126    2/126     1/127      0/128    1/127
9          1/127    2/126    1/127    1/127    0/128     1/127      1/127    1/127
10         1/127    1/127    2/126    1/127    3/125     2/126      1/127    2/126
11         51/77    51/77    52/76    62/66    50/78     51/77      54/74    48/80
12         53/75    50/78    51/77    59/69    48/80     52/76      56/72    47/81
13         2/126    2/126    0/128    0/128    3/125     0/128      2/126    1/127
14         1/127    2/126    1/127    1/127    3/125     1/127      0/128    2/126
15         0/128    2/126    0/128    1/127    1/127     1/127      2/126    1/127
16         4/124    0/128    1/127    3/125    2/126     2/126      2/126    1/127
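Reading the Amazon EC2 rejection counts above the way Section V does, as an added Python example that is not part of the paper: the counts are copied from the Amazon EC2 rejection-rate table, the limit is equation (1) with s = 128 and α = 0.01, and tests 11 and 12 are treated as not applicable under equation (2) rather than as failures.

```python
# Added example, not from the paper: reading the Amazon EC2 rejection counts
# (the rejection-rate table above) the way Section V does. Values are copied
# from that table: rejections out of 128 sequences, NIST tests numbered 1..16.
import math

ALGORITHMS = ["RC6", "RC4", "AES", "MARS", "Two-Fish", "Blow-Fish", "3DES", "DES"]

# test number -> rejections per algorithm, in ALGORITHMS order
EC2_REJECTIONS = {
    1:  [1, 1, 1, 1, 1, 1, 0, 0],
    2:  [1, 2, 3, 4, 1, 1, 1, 2],
    3:  [1, 2, 0, 1, 1, 1, 2, 0],
    4:  [3, 1, 1, 1, 0, 2, 1, 0],
    5:  [2, 0, 1, 1, 3, 1, 3, 1],
    6:  [1, 1, 0, 1, 0, 3, 1, 0],
    7:  [0, 0, 1, 2, 1, 1, 2, 3],
    8:  [0, 1, 2, 2, 2, 1, 0, 1],
    9:  [1, 2, 1, 1, 0, 1, 1, 1],
    10: [1, 1, 2, 1, 3, 2, 1, 2],
    11: [51, 51, 52, 62, 50, 51, 54, 48],
    12: [53, 50, 51, 59, 48, 52, 56, 47],
    13: [2, 2, 0, 0, 3, 0, 2, 1],
    14: [1, 2, 1, 1, 3, 1, 0, 2],
    15: [0, 2, 0, 1, 1, 1, 2, 1],
    16: [4, 0, 1, 3, 2, 2, 2, 1],
}
# Random Excursions (11) and its Variant (12): J < max(0.005*sqrt(n), 500), equation (2),
# so the NIST package reports them as not applicable rather than as failures.
NOT_APPLICABLE = {11, 12}


def max_rejections(s=128, alpha=0.01):
    """Equation (1): maximum rejections expected from s sequences at level alpha."""
    return s * alpha + 3 * math.sqrt(s * alpha * (1 - alpha))


def exceeding_tests(table, limit):
    """Per algorithm, the test numbers whose rejection count exceeds the limit."""
    return {alg: sorted(t for t, row in table.items() if row[i] > limit)
            for i, alg in enumerate(ALGORITHMS)}


def rejection_rates(table, skip=NOT_APPLICABLE, samples=128):
    """Per algorithm: (total rejections, rejection rate) over the applicable tests only."""
    trials = samples * (len(table) - len(skip))
    rates = {}
    for i, alg in enumerate(ALGORITHMS):
        total = sum(row[i] for t, row in table.items() if t not in skip)
        rates[alg] = (total, total / trials)
    return rates


if __name__ == "__main__":
    limit = max_rejections()
    print("maximum rejections out of 128 at alpha = 0.01: %.3f" % limit)
    for alg, tests in exceeding_tests(EC2_REJECTIONS, limit).items():
        applicable = [t for t in tests if t not in NOT_APPLICABLE]
        print("%-9s exceeds the limit in tests %s; applicable tests exceeding: %s"
              % (alg, tests, applicable or "none"))
    for alg, (total, rate) in rejection_rates(EC2_REJECTIONS).items():
        print("%-9s %3d rejections over applicable tests, rate %.4f" % (alg, total, rate))
```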
TABLE VI. DESKTOP REJECTION RATE FOR MODERN ENCRYPTION ALGORITHMS
(cells are Reject/Accept counts out of 128 sequences for each of the 16 NIST statistical tests)

NIST test  RC6      RC4      AES      MARS     Two-Fish  Blow-Fish  3DES     DES
1          1/127    0/128    0/128    2/126    2/126     4/124      0/128    1/127
2          62/66    69/59    62/66    55/73    66/62     61/67      62/66    57/71
3          0/128    3/125    1/127    3/125    1/127     0/128      0/128    1/127
4          0/128    3/125    1/127    2/126    1/127     1/127      0/128    0/128
5          1/127    69/59    62/66    0/128    66/62     62/66      63/65    57/71
6          0/128    3/125    1/127    2/126    2/126     2/126      0/128    0/128
7          3/125    5/123    1/127    1/127    4/124     1/127      4/124    2/126
8          1/127    1/127    2/126    1/127    3/125     0/128      1/127    0/128
9          1/127    3/125    0/128    0/128    0/128     1/127      1/127    2/126
10         1/127    2/126    0/128    1/127    0/128     2/126      1/127    4/124
11         40/88    62/66    68/60    51/77    66/62     60/68      69/59    66/62
12         41/87    62/66    69/59    51/77    65/63     61/67      67/61    64/64
13         1/127    0/128    0/128    5/123    4/124     3/125      2/126    2/126
14         1/127    1/127    2/126    0/128    2/126     1/127      0/128    1/127
15         0/128    3/125    1/127    1/127    1/127     1/127      2/126    4/124
16         1/127    0/128    1/127    1/127    1/127     2/126      1/127    0/128