Trust delegation-based secure mobile cloud ...

Int. J. Information and Computer Security, Vol. X, No. Y, xxxx

Trust delegation-based secure mobile cloud computing framework Lo’ai A. Tawalbeh* Computer Engineering Department, Umm-AlQura University, Makkah, Saudi Arabia and Faculty of Computer and Information Technology, Jordan University of Science and Technology, Irbid, Jordan Email: [email protected] *Corresponding author

Fadi Ababneh and Yaser Jararweh Faculty of Computer and Information Technology, Jordan University of Science and Technology, Irbid, Jordan Email: [email protected] Email: [email protected]

Fahd AlDosari Computer Engineering Department, Umm-AlQura University, Makkah, Saudi Arabia Email: [email protected] Abstract: Mobile devices are used to perform many useful tasks in our daily life. All around the world, many people are using their smart phones to communicate with others, identify their location, and do online shopping. These useful applications involve sharing personal and sensitive information. Also, the smart devices have many weaknesses, such as: limited battery life time, limited processing capacity and security issues. The mobile cloud computing (MCC) can be used to overcome these limitations. Using MCC improved the performance of many applications by conducting the processing at the cloud and sending back the results to the mobile device. But there are still many issues need to be addressed and considered when using MCC specially when dealing with applications that need live interaction and protecting the privacy. In this paper, we will study the main issues associated with mobile cloud computing models that include: security, performance, and quality of service. Then, we will present secure implementation of the cloudlet-based mobile cloud computing framework with its prototype that uses trust delegation technique to provide better security/performance tradeoffs. Keywords: mobile cloud computing; MCC; cloudlet; security; mobile devices; trust delegation. Copyright © 20XX Inderscience Enterprises Ltd.

1

2

L. Tawalbeh et al. Reference to this paper should be made as follows: Tawalbeh, L., Ababneh, F., Jararweh, Y. and AlDosari, F. (xxxx) ‘Trust delegation-based secure mobile cloud computing framework’, Int. J. Information and Computer Security, Vol. X, No. Y, pp.xxx–xxx. Biographical notes: Lo’ai A. Tawalbeh received his MSc and PhD degrees in Computer Engineering from Oregon State University, USA in 2002 and 2004 respectively. He is a Tenure Associate Professor at the Computer Engineering Department at Jordan University of Science and Technology (JUST), Jordan, and the Director of the Cryptographic Hardware and Information Security (CHiS) lab at (JUST). Since 2013 and till now, he is a Visiting Professor at Umm AlQura University, Mecca, KSA. He worked in many universities between 2005 and 2012 including: New York Institute of Technology (NYIT) and DePaul’s University. He has over 70+ publications in well established international journals and conferences in the areas of cyber security and cryptography, cloud and mobile cloud computing and Big Data privacy. He is a co-founding chair of many IEEE workshops/conferences about cloud/mobile cloud security such as MCSMS, IoTNAT, and BIGDATA4HEALTH. Fadi Ababneh received his MSc in Computer Engineering from Jordan University of Science and Technology, Jordan in 2013. His research interests include: cloud computing, data security, and cryptographic functions. He co-authored many papers in recognised international journals and conference worldwide. He is now IT administrator in a leading organisation in Jordan. Yaser Jararweh received his PhD in Computer Engineering from University of Arizona in 2010. He is currently an assistant professor of Computer Science at Jordan University of Science and Technology, Jordan. He has co-authored about 70 technical papers in established journals and conferences in fields related to cloud computing, HPC, SDN and Big Data. He was one of the TPC Co-Chair, IEEE Globecom 2013 International Workshop on Cloud Computing Systems, and Networks, and Applications (CCSNA). He is the General Co-Chair in IEEE International Workshop on Software Defined Systems SDS-2014 and SDS 2015. He is also chairing many IEEE events such as ICICS, SNAMS, BDSN and IoTSMS. Fahd AlDosari received his PhD in 2010 from Bradford University, Bradford, UK. He is currently the Dean of College of Computer and Information Systems, Umm Al-Qura University, Makkah, Saudi Arabia. He has many publications in the areas of cloud computing, quality of service routing, simulation and modelling and adhoc networking. He is also a founder of expert houses in computing and higher education at Umm AlQura University. He is IEEE member.

1

Introduction

Due to the huge developments in technology in today’s world, mobile device has become an essential component of our life. Most of us use their smart mobile devices to check email, communicate via social media, online shopping, education, and perform many other important tasks. On the other hand, we should admit that our smart devices have limited resources (storage, battery life, and bandwidth). Here comes the benefit of cloud computing (CC) which is a wide spread technology that provides convenient services in

Trust delegation-based secure mobile cloud computing framework

3

easy accessible manner (Mell and Grance, 2011). Furthermore, CC helps companies to improve the IT services, develops applications to achieve unlimited scalability, automated on demand services of the IT infrastructure. Cloud computing services include: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). Clients of CC might be organisations, enterprises, or a single user. There are several examples for emerging cloud computing infrastructures/platforms such as Microsoft Azure (Rindos et al., 2014) and Amazon EC2. Mobile cloud computing (MCC) utilises the mobile technology and the cloud computing. The use of cloud computing solved many problems of mobile devices such as processing speed and storage space. But, there are still existing issues need to be addressed, such as the battery short life time, performance and security. The use of 3G/LTE resulted in high latency in the communication between the mobile devices and the cloud due to far-away datacentres that might be thousands of miles away from the user. This has an impact on real-time interactive applications that cannot handle delay due to offloading the tasks to the cloud and waiting to get the results back. Another issue with using 3G/LTE is the increased power consumption from the mobile device battery which is proportional to the time delay spent in accessing the service and conducting the task. Here comes the need for more efficient cloud-accessing solution that provides the service in minimum delay and less power consumption. The other two issues are security and performance which cannot be separated. The decision to use more secure encryption algorithms that contains more complex arithmetic operations is determined by the performance level desired by the users. Moreover, more security requirements imply using more complex encryption algorithms and computations that dissipate more power. One solution for the above mentioned challenges and issues is to use the cloudlet-based MCC model. The cloudlet is a small cloud that is placed closer to the user and operates in the same way as cloud but with better performance. The use of cloudlet MCC model improves the performance for real time interactive applications by reducing the communication latency. But there is the concern of information security and how to protect the user’s data. In this paper, we are presenting cloudlet MCC model and investigating the quality of service (QoS) parameters that can be provided by this cloudlet model. Moreover, a secure implementation of the proposed MCC cloudlet-based model is introduced based on trust delegation aiming to provide high level of privacy to the user’s data. The rest of this paper is organised as follows: Section 2 presents related previous work. Section 3 presents the cloudlet MCC model with discussion of QoS and performance issues. Section 4 presents the secure implementation of the cloudlet infrastructure based on trust delegation, and Section 5 concludes this work.

2

Related work

This section presents some previous work related to MCC and the cloudlet architecture and related implementation issues and applications. The work in Tawalbeh et al. (2015a) addresses the MCC technology that combines the use of mobile device (mobility feature) to benefit from the cloud services to overcoming the mobile devices limitations. There is an increasing interest in using MCC to perform intensive mobile devices jobs such as computer vision and multimedia

4

L. Tawalbeh et al.

applications through offloading these tasks to the cloud within the cloud system coverage area. The authors presented a large scale cloudlet (smaller cloud system) model for MCC deployment, in which the mobile user can connect to the cloudlet using WiFi instead of using 3G/LTE. Another related work to cloudlet is shown in Li and Wang (2014). The authors designed cloudlet-based applications showing creation and execution processes along with the architecture. An efficient MCC model based on the cloudlet concept is proposed in Jararweh et al. (2013). The model shows how to use MCC for data collection in large scale networks. The work in Jararweh et al. (2014) is an extension to Jararweh et al. (2013) where a new scalable cloudlet framework for the MCC model is proposed. The aim of the proposed scalable system is to reduce the power consumption and the network delay of multimedia applications while using MCC. On the other hand, the performance issue is as important as security and power saving in mobile computing. The effect of using the cloudlet model on the performance of interactive mobile cloud applications is studied in Fesehaye et al. (2012). Their results showed that the latency is decreased and the throughput is increased when using the cloudlet mobile cloud system. Among the important challenges that face the cloud computing and mobile cloud industry is the data security. The data owners want to make sure that their important and essential information stay private and protected from un authorised access (Tawalbeh et al., 2015b). The research in Tawalbeh et al. (2015c) presents data confidentiality framework for cloud computing based on data classification. In other words, important data get more protection using stronger and more secure encryption algorithms. An efficient and secure software defined MCC infrastructures are presented in Tawalbeh et al. (2015d, 2016a). The proposed designs utilise the strength aspects of the provable data possession design built for resource constrained mobile devices and it uses the advantage of trusted computing technology. The proposed framework is a software defined system, encompassing software defined storage (SDStore) and software defined security (SDSec) to gain better performance and maintain comparable security. On the other hand, energy consumption in MCC is a challenge since the mobile devices suffer from short life battery time due to energy drain (Tawalbeh et al., 2016b). Based on that, we can say that energy optimisation in mobile cloud systems is an essential need to obtain green MCC, and affects the performance and security of the stored data on those systems. There are many efficient techniques to reduce the power consumed by smart devices in mobile cloud environments presented in Bahwaireth et al. (2015). In the same context, and to save energy in MCC, the authors in Al-Ayyoub et al. (2015) proposed mathematical model for power consumption optimisation in large scale cloudlet-based mobile cloud systems.

3

MCC using cloudlet architecture

In the non-cloudlet MCC model, the mobile devices are connected to the cloud through (3G/4G) to communicate with the enterprise cloud (EC) which results in more latency. This is a serious problem especially in mobile applications that requires real time interaction with short response time. Using the cloudlet MCC model shown in Figure 1, the cloudlet is located closer to the mobile device and connects through cheaper technologies (Wi-Fi or flash with LAN), and can carry out the same tasks in the non-cloud model with higher performance. In addition


5

to that, the use of the cloudlet MCC model aims to facilitate access to data, increase the processing speed, reserve battery life, and obtain better QoS. Figure 1

MCC model using cloudlet (see online version for colours)

The QoS varies according to the application type. Figure 2 shows main categories of QoS that apply to most applications. In this section, we will discuss three of the QoS parameters to be used in the cloudlet model evaluation, those are: availability, performance, and scalability. Availability is considered one of the most important QoS elements in MCC. The cloudlet architecture reduces the congestion that might occur when too many users are trying to access the cloud for a certain service by requesting this service from the cloudlet rather than the enterprise cloud itself. This will reduce the failure chances by distributing the load and speed up the service provisioning. Figure 2

QoS categories (see online version for colours)

6

L. Tawalbeh et al.

Another QoS parameter is the performance which is measured by the time required to accomplish certain task, and it is affected by response time and bandwidth. High delays resulting from accessing the cloud through WAN, and complex management are avoided in the cloudlet model resulting in a better performance. Another important element of QoS is the scalability which is the ability to expand the system without affecting the running applications and degrading the performance. The cloudlet model can be expanded at any time to the maximum number of users with lowest effort and management.

4

Secure implementation of the cloudlet MCC model

In our cloudlet model, the user’s privacy must be protected while accessing the cloudlets or the enterprise cloud (EC) services. This need appears in two cases: First case happen when the cloudlet works as an intermediate node between the mobile and the enterprise cloud. In this case, the cloudlet accesses the EC on behalf the user. So, there should be some techniques used to authenticate the claimed user. And the second case happens when the mobile user moved from cloudlet 1 (CL1) coverage area to cloudlet 2 (CL2) coverage area before completing the running task. Then, the processing of the task is transferred to CL2 which should contact CL1 and request the required data. In this case, we have to make sure that the request from CL2 was initiated upon the request of that mobile user himself. The solution comes through using trust delegation.

4.1 Trust delegation The solution for trust issues mentioned above is by using Trust Delegation security technique (Tawalbeh et al., 2015d) which is used in UNICORE6 (Benedyczak et al., 2011). In this approach, the mobile user delegates the connected CL to do jobs on behalf of him, so that the CL can communicate with other CLs or with the EC as a mobile user and performs the requested job. The trust delegation used in UNICORE 6 is called a dynamic explicit trust delegation (dynamic ETD) which is built using WSDL/SOAPbased web service technology. SOAP protocol divides the message into two parts: the header (optional) which carries the endpoints addresses and other configuration and security information. The second part is the body which encodes the payload of the web service. In UNICORE, the secure data like authentication and authorisation statements are encoded using SAML 2.0 (Cantor, 2009) which is called an assertion. In the dynamic ETD each entity or node (mobile, CL, or EC) will be either a delegation issuer who grants the permissions or the delegation subject who gets these permissions. To certify the trust delegation, a special assertion is used that has the following information: the delegation issuer, subject, assertion validity period, a token to confirm the trust delegation, the trust custodian (the root), issuer’s signature, and other restrictions including maximum trust chain length and type of the permission (read, write, all). Using the above information, dynamic ETD can be chained, i.e., the delegation subjects become an issuer for the next service (the new subject). The chain validation is verified through two steps:


7

1

validation of the individual assertion; by checking the delegation constraints and the entities’ digital signatures

2

validation of the whole chain consistency; by verifying that all chain assertions must have the same custodian (the first issuer), and the first assertion issuer must be the same as the trust custodian.

Figure 3 represents the scenario where the user initially starts FTP upload process inside CL1. The user uploaded 20% of a file before leaving CL1 and moving to CL2, and continues 30% of the file uploading process in CL2 before he moves to CL3 where the rest 50 % of the file is uploaded. Figure 3

Trust delegation scenario (see online version for colours)

Figure 4 shows the flow of the generated trust delegation assertions to collect the whole file. User delegates CL3 to collect the data from CL1 and CL2. So, in the first step the user delegates CL3 to bring the file part from CL2 in User’s behalf. In turn, CL3 delegates CL2 also to bring the file part inside CL1.

8 Figure 4

L. Tawalbeh et al. Trust delegation assertions flow (see online version for colours)

Another approach for trust delegation problem called trust delegation based on proxy certificate presented by grid security infrastructure (GSI) (Welch et al., 2004; Laccetti and Schmid, 2007). In this approach, the user issues a temporary certificate (proxy certificate), and the real identity of the trust delegation issuer is added to the subject of this certificate. One weakness point of this approach comes from the absence of the subject identity allowing any agent who gets the proxy certificate to easily impersonate the delegation issuer. Moreover, the proxy certificate along with its corresponding private key are stored unencrypted on a disk, and it just protected by the local file system permissions, so the attacker on the local machine can get these objects and operate as the proxy certificate issuer.

4.2 Security implementation As a proof of concept, we implemented a prototype for the proposed model and the trust delegation technique according to the scenario shown in Figure 5. In this scenario, the


9

user initially starts FTP upload process inside the CL1. He uploaded two files before leaving CL1 and moving to CL2. Inside CL2 he uploads another file. To collect all files, the user delegates CL2 to collect the data from CL1 on the user’s behalf. In turn CL2 request the two files from CL1 providing the delegation from the mobile user. Figure 5

Delegation-mobility scenario (see online version for colours)

The prototype environment used is composed of two workstations: CL1 and CL2 which represent two cloudlet systems, and a mobile device. The test bed environment used in the implementation consists of: •

CL1: Lenovo laptop with windows 7, IP address: 10.0.1.1

•

CL2: Toshiba laptop with windows 7, IP address: 10.0.1.2, 192.168.0.5

•

mobile device: Samsung Galaxy Note N7000 (Note I). IP address: 192.168.0.2

•

uploaded files inside CL1 names: c:\fadi\f1.zip, c:\fadi\f3.mp3.

The algorithm flow is shown below in steps and explained in figures: 1

The CL2 listens for a command from the mobile on a predefined port (4003) as shown in Figure 6.

2

Mobile user runs the delegation application (ClientSideAnd).

3

The connection is established between the mobile and CL2 as shown in Figure 7.

4

The mobile user enters the delegation command which has the following format: CL1_IP_Address File_1_location File_2_Location and presses the delegate button. Then the mobile application take this command and encrypts the summation of the last octet of the IP address of CL1 using mobile’s

10

L. Tawalbeh et al. private key, and concatenate the result (cipher) with the original command and sends them to the CL2.

5

CL2 receives this message, and checks the identity of the sender by decrypting the received cipher by the intended mobile public key. Then compare it with the summation of the last two octet of the IP address of CL1. If the results are the same it starts communicating with CL1 to bring the two files.

6

When this process finished, a message sent to the mobile to report that is everything is OK.

Figure 6

CL is listening for a mobile device command (see online version for colours)

Figure 7

The mobile device connected to the CL (see online version for colours)

Trust delegation-based secure mobile cloud computing framework Figure 8

CL checks the mobile identity (see online version for colours)

Figure 9

Process completed (see online version for colours)

11

12

5

L. Tawalbeh et al.

Conclusions

In this paper, we studied the cloudlet architecture for MCC. We found out that using the cloudlet model improved the performance of many applications, and reduces the latency and increase the throughput. Moreover, many elements of QoS are improved when using the cloudlet model over non-cloudlet cloud architecture, including: availability and scalability. Also, we presented secure implementation and prototype for the cloudlet MCC model using the dynamic trust delegation technique to provide better security and privacy for the user’s data in MCC.

Acknowledgements This work is funded by Grant Number (13-ELE2527-10) from the Long-Term National Science Technology and Innovation Plan (LT-NSTIP), the King Abdul-Aziz City for Science and Technology (KACST), Kingdom of Saudi Arabia. We thank the Science and Technology Unit at Umm AL-Qura University for their continued logistics support.

References Al-Ayyoub, M., Jararweh, Y., Tawalbeh, L., Benkhelifa, E. and Basalamah, A. (2015) ‘Power optimization of large scale mobile cloud computing systems’, in the Proceedings of the 3rd IEEE International Conference on Future Internet of Things and Cloud (Fi-Cloud), Rome, Italy, 24–28 August. Bahwaireth, K.S., Tawalbeh, L.A. and Basalamah, A. (2015) ‘Efficient techniques for energy optimization in mobile cloud computing’, in the Proceedings of the 12th ACS/IEEE International Conference on Computer Systems and Applications-AICCSA, Workshop on Internet of Things, Systems, Management and Security (IoTSMS), Morocco, 17–20 November. Benedyczak, K., Bała, P., van den Berghe, S., Menday, R. and Schuller, B. (2011) ‘Key aspects of the UNICORE 6 security model’, Future Generation Computer Systems, February, Vol. 27, No. 2, pp.195–201, ISSN 0167-739X, 10.1016/j.future.2010.08.009. Cantor, S. (Ed.) (2009) Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, 15 March [online] http://docs.oasisopen.org/security/saml/v2.0/. Fesehaye, D., Gao, Y., Nahrstedt, K. and Wang, G. (2012) ‘Impact of cloudlets on interactive mobile cloud applications’, IEEE 16th International Enterprise Distributed Object Computing Conference. Jararweh, Y., Tawalbeh, L., Ababneh, F. and Dosari, F. (2013) ‘Resource efficient mobile computing using cloudlet infrastructure’, IEEE Ninth International Conference on Mobile Ad-hoc and Sensor Networks (MSN), 11–13 December, pp.373–377. Jararweh, Y., Tawalbeh, L., Ababneh, F., Khreishah, A. and Dosari, F. (2014) ‘Scalable cloudlet-based mobile computing model’, Procedia Computer Science, Vol. 34, pp.434–441, ISSN 1877-0509 [online] http://dx.doi.org/10.1016/j.procs.2014.07.051. Laccetti, G. and Schmid, G. (2007) ‘A framework model for grid security’, Future Generation Computer Systems, Vol. 23, No. 5, pp.702–713. Li, Y. and Wang, W. (2014) ‘Can mobile cloudlets support mobile applications?’, IEEE Conference on Computer Communications. Mell, P. and Grance, T. (2011) The NIST Definition of Cloud Computing, National Institute of Standards and Technology, Gaithersburg, MD, USA.


13

Rindos, A., Vouk, M. and Jararweh, Y. (2014) ‘The virtual computing lab (VCL): an open source cloud computing solution designed specifically for education and research’, International Journal of Service Science, Management, Engineering, and Technology (IJSSMET), Vol. 5, No. 2, pp.51–63. Tawalbeh, L., Jararweh, Y., Ababneh, F. and Dosari, F. (2015a) ‘Large scale cloudlets deployment for efficient mobile cloud computing’, Journal of Networks, February, Vol. 10, No. 1, pp.70–76. Tawalbeh, L., AlDosari, F. and Bakhader, W. (2015b) ‘Cloud security: challenges and solutions’, in the Proceedings of the 3rd International IBM Cloud Academy Conference, 21–23 May, Budapest, Hungary. Tawalbeh, L., Al-Qassas, R., Darwazeh, N., Jararweh, Y. and AlDosari, F. (2015c) ‘Secure and efficient cloud computing framework’, in the Proceedings of the IEEE International Conference on Cloud and Autonomic Computing (Cloud Cyber Security Workshop), Cambridge, MA, USA, 21–24 September, pp.291–295 [online] http://doi.ieeecomputersociety.org/10.1109/ICCAC.2015.45. Tawalbeh, L., Haddad, Y., Khamis, O., AlDosari, F. and Benkhelifa, E. (2015d) ‘Efficient software-based mobile cloud computing framework’, in the IEEE international conference on Cloud Engineering (IC2E), Arizona, USA, 9–13 March, DOI: 10.1109/IC2E.2015.48. Tawalbeh, L., Haddad, Y., Khamis, O., Benkhelifa, E., Jararweh, Y. and AlDosari, F. (2016a) ‘Efficient and secure software-defined mobile cloud computing infrastructure’, International Journal of High Performance Computing and Networking (IJHPCN), January 2016, Vol. 9, No. 4, pp.328–341, DOI:http://dx.doi.org/10.1504/IJHPCN.2016.077825. Tawalbeh, L., Basalamah, A., Mehmood, R. and Tawalbeh, H. (2016b) ‘Greener and smarter phones for future cities: characterizing the impact of GPS signal strength on power consumption’, IEEE Access Journal, DOI (identifier) 10.1109/ACCESS.2016.2532745, March. Welch, V., Foster, I., Kesselman, C., Mulmo, O., Pearlman, L., Tuecke, S., Gawor, J., Meder, S. and Siebenlist, F. (2004) ‘X.509 proxy certificates for dynamic delegation’, in 3rd Annual PKI R&D Workshop [online] http://www.globus.org/alliance/publications/papers/pki04-welchproxycert-final.pdf.