Research article

Improved cloud storage auditing scheme with deduplication

Cloud storage has become a crucial service for many users who deal with big data. The auditing scheme for cloud storage is a mechanism that checks the integrity of outsourced data. Cloud storage deduplication is a technique that helps cloud service providers save on storage costs by storing only one copy of a file when multiple users outsource the same file to cloud servers. However, combining storage auditing and deduplication techniques can be challenging. To address this challenge, in 2019 Hou et al. proposed a cloud storage auditing scheme with deduplication that supports different security levels of data popularity. This proposal is interesting and has practical applications. However, in this paper, we show that their proposal has a flaw: the cloud or other adversaries can easily forge the data block's authenticators, which means the cloud can delete all the outsourced encrypted data blocks but still provide correct storage proof for the third-party auditor. Based on Hou et al.'s scheme, we propose an improved cloud storage auditing scheme with deduplication and analyze its security. The results show that the proposed scheme is more secure.

    Citation: Jindan Zhang, Urszula Ogiela, David Taniar, Nadia Nedjah. Improved cloud storage auditing scheme with deduplication[J]. Mathematical Biosciences and Engineering, 2023, 20(5): 7905-7921. doi: 10.3934/mbe.2023342




    Nowadays, a large amount of data is generated every day. Securely storing and processing such a large amount of data is a significant challenge [1,2,3]. Cloud computing [4], artificial intelligence [5,6,7,8], and big data techniques [9] are promising ways to address this challenge. Among them, cloud storage is essential because it provides a basic way of storing such a vast amount of data. Cloud storage services are becoming increasingly popular, and many people have outsourced their data, including files, movies, and photos, to the cloud. On the one hand, this service is very convenient for users since they do not need to maintain their data locally. Furthermore, they can access it via their mobile devices at any time and from anywhere. For some users, perhaps the most valuable aspect of cloud storage is the assurance that their outsourced data is almost never lost. On the other hand, the security of these outsourced files, movies, and photos cannot be guaranteed by the cloud storage service providers themselves. We need mechanisms to ensure their security, such as encryption, secure search, deduplication, and auditing techniques.

Due to limited local storage, many data owners want to outsource their files, such as movies, pictures, or music, to a cloud server. Before outsourcing a file to the cloud server, the data owners encrypt it using convergent encryption and then outsource the encrypted file. If many data owners (more than a predefined threshold) outsource the same encrypted file to the cloud server, these encrypted files are identical and the file is denoted as "popular." It is then deduplicated, and the cloud server stores only one copy for all the data owners. However, if only a few data owners (fewer than the predefined threshold) outsource the encrypted file, it is denoted as "unpopular," and it is not deduplicated. In this way, the cloud server can save on storage costs. Deduplication has been used by many cloud service providers, such as Amazon.

    In this paper, we focus on a recently proposed scheme for cloud storage auditing [10] with deduplication. It supports different security levels and first introduces the concept of different security levels in this context. In this scheme, the outsourced data is categorized as popular or unpopular. If many data users have outsourced the same file to the cloud, this file can be considered popular. Otherwise, if the outsourced file has not been outsourced by many users, it can be categorized as unpopular. For popular files, Hou et al. suggest using convergent encryption to encrypt them, which is better for deduplication. In this way, cloud service providers can greatly reduce storage space. But for unpopular files, they suggest using probabilistic encryption to achieve semantic security, which is more secure than convergent encryption. Due to the unpopularity of these files, deduplication is no longer necessary. Generally speaking, this proposal is very interesting and valuable. However, we will show that it is not as secure as claimed, as there are some flaws in the scheme that invalidate its protocol's security. We also propose an improved scheme to achieve the security goal.

Our contribution is two-fold. First, we demonstrate that the scheme proposed in [10] is not secure. Although it is the first work to introduce data popularity into cloud auditing, this scheme is not entirely secure. We also analyze why their scheme has this security flaw and show how to avoid it. Second, we present an improved scheme building on the ideas proposed in [10], and provide a thorough analysis of its security. Our scheme addresses the security flaw present in the original proposal, and we explain in detail why it is more resistant to attacks.

    In section 1, we provide the background, paper contribution, and organization. In section 2, we discuss related work. In section 3, we review the scheme proposed by Hou et al. In section 4, we present the attack. In section 5, we provide an improved proposal and briefly analyze its security. Finally, in section 6, we conclude the paper.

    There is a large body of research in this context, and we have included the most relevant works to the one presented in this paper. This includes related work on encryption and deduplication techniques, as well as auditing schemes.

    1. Encryption and deduplication are important techniques for ensuring the confidentiality and efficient management of outsourced data. While traditional encryption techniques, such as probabilistic public key encryption or symmetric encryption like AES, can achieve semantic security, they are not suitable for implementing functionality such as searching and deduplication. Therefore, novel encryption techniques have been developed specifically for use in cloud computing, including encryption with keyword search [11,12,13,14], encryption with access control [15,16], convergent encryption with deduplication [17,18], and others [19].

2. Auditing is an important way to ensure the integrity of outsourced data. In 2007, Ateniese et al. [20] proposed the concept of provable data possession, which allows a cloud server to prove to the cloud users that it has correctly stored the outsourced data. The proof is very compact, and the probability that a cheating cloud server passes is very low. This primitive is in effect a new auditing method for cloud storage. Since then, many cloud auditing schemes following this paradigm have been proposed, such as dynamic provable data possession [21], proof of retrievability [22,23], compact proof of retrievability [24], and publicly verifiable auditing [25,26].

    3. In 2016, Yu proposed a cloud data integrity checking scheme with an identity-based auditing mechanism from RSA [27]. Later, they proposed identity-based [28], attribute-based [29], and blockchain-based [30] cloud auditing schemes with different properties, and these are very interesting results in this field. Sometimes, the cloud service provider needs to use both auditing and deduplication techniques simultaneously. This way, the cloud service provider can reduce its costs when many users are outsourcing the same file, like popular movies, popular music, etc., and at the same time, the cloud users can ensure that their outsourced data, like files and photos, have not been lost or tampered with.

    The system model of Hou et al.'s cloud auditing scheme with deduplication [10] is shown in Figure 1. There are three roles in the system: the data owners, the cloud server, and the TPA (third-party auditor). The system operates as follows:

Figure 1.  System model of Hou et al.'s cloud auditing scheme with deduplication.

    1. To check the integrity of the outsourced files, the data owners, cloud server, and TPA (third party auditor) run the auditing scheme proposed by Hou et al. In this scheme, the data owners compute the authenticators for the data blocks of the files and outsource both the files and the authenticators to the cloud server. When the data owners want to check the integrity of the outsourced files, they delegate this task to the TPA. The TPA launches a challenge-proof game with the cloud server. First, the TPA sends a challenge to the cloud server requesting the server to return the aggregated data blocks and the corresponding aggregated authenticators as proof for the integrity of the outsourced file. Then, the cloud server returns the proof to the TPA, who checks the correctness of the proof using verification equations.

2. However, in the auditing process described above, the cloud server may be malicious. In an effort to reduce storage space, it may delete or modify some outsourced files without being detected by the data owners or the TPA; the malicious cloud server therefore has a strong incentive to delete the outsourced files. In the following section, we will demonstrate an attack on Hou et al.'s auditing scheme. In this attack, the malicious cloud server is able to forge the authenticator for any data block, which in turn invalidates their auditing scheme.

    We will now review Hou et al.'s scheme [10]. The core data flow between the data owner and cloud storage server, between the IS and cloud storage server, and between the TPA and cloud storage server can be seen in Figures 2, 3, and 4.

    Figure 2.  The core data flow between data owner and cloud storage server.
    Figure 3.  The core data flow between IS and cloud storage server.
    Figure 4.  The core data flow between TPA and cloud storage server.
    Figure 5.  The attack.

Notations: Assume the file outsourced to the cloud by the data owner is $F=\{m_1,m_2,\dots,m_n\}$, where each block $m_i=\{m_{i1},m_{i2},\dots,m_{is}\}$, $1\le i\le n$, consists of $s$ sectors. The file has a unique file identifier, which is signed with the signature scheme $SSig$ to prevent attackers from modifying it. The user (data owner) keeps the secret key for generating $SSig$ and publishes the corresponding public verification key.

    1. Setup: With parameter k as the input,

(a) Run $IG(1^k)$ to generate $G_1$ and $G_2$, two cyclic multiplicative groups of large prime order $p$, together with a bilinear pairing $e:G_1\times G_1\to G_2$.

(b) Denote by $h:\{0,1\}^*\to\{0,1\}^*$ an indexing function, by $\phi:\mathbb{Z}_p\times\mathbb{Z}_p\to\mathbb{Z}_p$ a PRF, by $\pi:\mathbb{Z}_p\times\{1,2,\dots,n\}\to\{1,2,\dots,n\}$ a PRP, and by $H_1:\{0,1\}^*\to G_1$, $H_2:G_2\to\{0,1\}^l$, $H_3:\{0,1\}^*\to G_1$ three cryptographic hash functions.

(c) Run $\varepsilon^{\mu}.\mathrm{Setup}(k,n,t)\to(pk,sk,S)$, where $pk=\{p,G_1,G_2,e,H_1,H_2,H_3,h,g,g_{pub}\}$; the $n$ key shares $\{x_i\}_{i=0}^{n-1}$ are also generated.

    2. Join: this algorithm is not directly related with the attack.

    3. Upload: this algorithm is not directly related with the attack.

4. AuthGen: With the ciphertext of a file $C=\{c_1,c_2,\dots,c_n\}$ (where $C$ is either $C_{\epsilon^\mu}$ or $C_\epsilon$) and a secret key $k_{tag}\in\mathbb{Z}_p$, the key $v\leftarrow g^{k_{tag}}$ is computed and published by the user. For each ciphertext block $c_i$ ($1\le i\le n$), the authenticator $T_i$ is generated by $U_i$ and uploaded to the cloud.

(a) $u_1,u_2,\dots,u_s$ are $s$ generators of $G_1$ chosen by $U_i$; $r\in\mathbb{Z}_p$ is also chosen at random by $U_i$.

(b) Denote $\tau_0=name\|n\|v^r\|u_1\|u_2\|\cdots\|u_s$. Let $ssk\in\mathbb{Z}_p$ be the signing key and $P_{ssk}\leftarrow g^{ssk}$ the corresponding verification key; both are randomly generated by the user. The file tag is $\tau\leftarrow\tau_0\|SSig_{ssk}(\tau_0)$.

(c) For each data block the authenticator is computed by $U_i$ as

$$T_i=\Big(H_3(name\|i)\prod_{j=1}^{s}u_j^{c_{ij}}\Big)^{k_{tag}}.$$

(d) The update values

$$\Big\{u_1^{k_{tag}(r(C_{\epsilon^\mu})_{i,1}-(C_\epsilon)_{i,1})},\;u_2^{k_{tag}(r(C_{\epsilon^\mu})_{i,2}-(C_\epsilon)_{i,2})},\;\dots,\;u_s^{k_{tag}(r(C_{\epsilon^\mu})_{i,s}-(C_\epsilon)_{i,s})}\Big\}$$

are computed by $U_i$ and sent to the IS.

(e) The file tag and $\{T_i\}_{1\le i\le n}$ are sent by $U_i$ to the cloud.

5. PopularityChange: For the popularity threshold $t$, this algorithm is executed whenever the number of users submitting the same index exceeds $t$. The user $U_i$ does not need to upload the file $F$ to the cloud again. The IS sends the set $index$ to the cloud, and so does $U_i$. For all users whose file index lies in the set $index$, the storage cloud collects their decryption shares, so the ciphertext $C_{\epsilon^\mu}$ uploaded by these users can be decrypted by the storage cloud, and the ciphertext $F_C$ produced by convergent encryption can be obtained. Since the ciphertext $F_C$ coincides with that of file $F$ for every such user, deduplication is achieved. Finally, $\{u_1^{k_{tag}(r(C_{\epsilon^\mu})_{i,1}-(C_\epsilon)_{i,1})},\dots,u_s^{k_{tag}(r(C_{\epsilon^\mu})_{i,s}-(C_\epsilon)_{i,s})}\}$ are sent to the cloud by the IS. The new data block authenticator*

$$T_i'=T_i\prod_{j=1}^{s}u_j^{k_{tag}(rc^{\epsilon^\mu}_{ij}-c^{\epsilon}_{ij})}$$

for each user is created by the cloud.

* In [10] this is written as $T_i'=T_i\prod_{j=1}^{s}u_j^{k_{tag}(rc^{\epsilon^\mu}_{ij}-c^{\epsilon}_{ij})}$, but we think it should read $T_i'=T_i\prod_{j=1}^{s}u_j^{k_{tag}(r(C_{\epsilon^\mu})_{i,j}-(C_\epsilon)_{i,j})}$.

6. ProofGen: With $\{c_i\}_{1\le i\le n}$ and $\{T_i\}_{1\le i\le n}$ as input,

    ● The auditing challenge is generated by TPA as the following:

(a) The TPA obtains the file tag from the cloud and checks the correctness of the signature on $\tau_0$ using the key $P_{ssk}$. The TPA rejects and halts if the signature is not correct.

(b) Otherwise, the file name $name$, $n$, $v^r$ and $\{u_1,u_2,\dots,u_s\}$ are recovered by the TPA. Then the TPA chooses $c$ with $1\le c\le n$, the number of challenged blocks.

(c) Parameters $k_1\in\mathbb{Z}_p$ and $k_2\in\mathbb{Z}_p$ are randomly selected by the TPA.

(d) The challenge $chal=(c,k_1,k_2)$ is sent by the TPA to the cloud.

● After receiving $chal$ from the TPA, the cloud computes $l_t=\pi_{k_1}(t)$ and $a_t=\phi_{k_2}(t)$ for $1\le t\le c$, and then the proof $T=\prod_{t=1}^{c}T_{l_t}^{a_t}$, $\eta_j=\sum_{t=1}^{c}a_t\,c_{l_t,j}$ for $1\le j\le s$.

7. ProofVerify: With the proof $P=(T,\eta)$ and the challenge message $chal=(c,k_1,k_2)$, the TPA computes $l_t=\pi_{k_1}(t)$ and $a_t=\phi_{k_2}(t)$ for $1\le t\le c$. Then the following verification equations are checked:

$$e(T,g)=e\Big(\prod_{t=1}^{c}H_3(name\|l_t)^{a_t}\cdot\prod_{j=1}^{s}u_j^{\eta_j},\;v\Big),$$

$$e(T,g)=e\Big(\prod_{t=1}^{c}H_3(name\|l_t)^{a_t}\cdot\prod_{j=1}^{s}u_j^{\eta_j},\;v^r\Big).$$

If either of them holds, the proof is valid.

    The attack is executed according to the following steps:

1. The attacker can be the IS or the cloud. Note that the IS or the cloud obtains

$$\Big\{u_1^{k_{tag}(r(C_{\epsilon^\mu})_{i,1}-(C_\epsilon)_{i,1})},\;u_2^{k_{tag}(r(C_{\epsilon^\mu})_{i,2}-(C_\epsilon)_{i,2})},\;\dots,\;u_s^{k_{tag}(r(C_{\epsilon^\mu})_{i,s}-(C_\epsilon)_{i,s})}\Big\},\quad 1\le i\le n,$$

from $U_i$ by running algorithm AuthGen. Concretely, the IS or the cloud obtains, for $i=1,2,3,\dots,n$,

$$\Big\{u_1^{k_{tag}(r(C_{\epsilon^\mu})_{1,1}-(C_\epsilon)_{1,1})},\dots,u_s^{k_{tag}(r(C_{\epsilon^\mu})_{1,s}-(C_\epsilon)_{1,s})}\Big\},\;\Big\{u_1^{k_{tag}(r(C_{\epsilon^\mu})_{2,1}-(C_\epsilon)_{2,1})},\dots,u_s^{k_{tag}(r(C_{\epsilon^\mu})_{2,s}-(C_\epsilon)_{2,s})}\Big\},\;\Big\{u_1^{k_{tag}(r(C_{\epsilon^\mu})_{3,1}-(C_\epsilon)_{3,1})},\dots,u_s^{k_{tag}(r(C_{\epsilon^\mu})_{3,s}-(C_\epsilon)_{3,s})}\Big\},\;\dots,\;\Big\{u_1^{k_{tag}(r(C_{\epsilon^\mu})_{n,1}-(C_\epsilon)_{n,1})},\dots,u_s^{k_{tag}(r(C_{\epsilon^\mu})_{n,s}-(C_\epsilon)_{n,s})}\Big\}.$$

2. Let $A_1=u_1^{rk_{tag}}$, $B_1=u_1^{k_{tag}}$, $A_2=u_2^{rk_{tag}}$, $B_2=u_2^{k_{tag}}$, $\dots$, $A_s=u_s^{rk_{tag}}$, $B_s=u_s^{k_{tag}}$. Then the sets $\{u_1^{k_{tag}(r(C_{\epsilon^\mu})_{i,1}-(C_\epsilon)_{i,1})},\dots,u_s^{k_{tag}(r(C_{\epsilon^\mu})_{i,s}-(C_\epsilon)_{i,s})}\}$ for $i=1,2,\dots,n$ can be rewritten as

$$\Big\{A_1^{(C_{\epsilon^\mu})_{1,1}}B_1^{-(C_\epsilon)_{1,1}},\;A_2^{(C_{\epsilon^\mu})_{1,2}}B_2^{-(C_\epsilon)_{1,2}},\;\dots,\;A_s^{(C_{\epsilon^\mu})_{1,s}}B_s^{-(C_\epsilon)_{1,s}}\Big\},\;\Big\{A_1^{(C_{\epsilon^\mu})_{2,1}}B_1^{-(C_\epsilon)_{2,1}},\;\dots,\;A_s^{(C_{\epsilon^\mu})_{2,s}}B_s^{-(C_\epsilon)_{2,s}}\Big\},\;\Big\{A_1^{(C_{\epsilon^\mu})_{3,1}}B_1^{-(C_\epsilon)_{3,1}},\;\dots,\;A_s^{(C_{\epsilon^\mu})_{3,s}}B_s^{-(C_\epsilon)_{3,s}}\Big\},\;\dots,\;\Big\{A_1^{(C_{\epsilon^\mu})_{n,1}}B_1^{-(C_\epsilon)_{n,1}},\;\dots,\;A_s^{(C_{\epsilon^\mu})_{n,s}}B_s^{-(C_\epsilon)_{n,s}}\Big\}.$$

3. From the first two of these sets,

$$\Big\{A_1^{(C_{\epsilon^\mu})_{1,1}}B_1^{-(C_\epsilon)_{1,1}},\;A_2^{(C_{\epsilon^\mu})_{1,2}}B_2^{-(C_\epsilon)_{1,2}},\;\dots,\;A_s^{(C_{\epsilon^\mu})_{1,s}}B_s^{-(C_\epsilon)_{1,s}}\Big\},\;\Big\{A_1^{(C_{\epsilon^\mu})_{2,1}}B_1^{-(C_\epsilon)_{2,1}},\;A_2^{(C_{\epsilon^\mu})_{2,2}}B_2^{-(C_\epsilon)_{2,2}},\;\dots,\;A_s^{(C_{\epsilon^\mu})_{2,s}}B_s^{-(C_\epsilon)_{2,s}}\Big\},$$

the attacker can compute $A_1,B_1,\dots,A_s,B_s$ as follows. First let $X_j=A_j^{(C_{\epsilon^\mu})_{1,j}}B_j^{-(C_\epsilon)_{1,j}}$ and $Y_j=A_j^{(C_{\epsilon^\mu})_{2,j}}B_j^{-(C_\epsilon)_{2,j}}$ for $1\le j\le s$, so that the two sets above read

$$\{X_1,X_2,\dots,X_s\},\qquad\{Y_1,Y_2,\dots,Y_s\}.$$

4. From $X_1$ and $Y_1$ the adversary computes $A_1$ and $B_1$ as follows:

$$X_1^{(C_{\epsilon^\mu})_{2,1}}=A_1^{(C_{\epsilon^\mu})_{1,1}(C_{\epsilon^\mu})_{2,1}}B_1^{-(C_\epsilon)_{1,1}(C_{\epsilon^\mu})_{2,1}},\qquad Y_1^{(C_{\epsilon^\mu})_{1,1}}=A_1^{(C_{\epsilon^\mu})_{2,1}(C_{\epsilon^\mu})_{1,1}}B_1^{-(C_\epsilon)_{2,1}(C_{\epsilon^\mu})_{1,1}},$$

then

$$\frac{X_1^{(C_{\epsilon^\mu})_{2,1}}}{Y_1^{(C_{\epsilon^\mu})_{1,1}}}=\frac{A_1^{(C_{\epsilon^\mu})_{1,1}(C_{\epsilon^\mu})_{2,1}}B_1^{-(C_\epsilon)_{1,1}(C_{\epsilon^\mu})_{2,1}}}{A_1^{(C_{\epsilon^\mu})_{2,1}(C_{\epsilon^\mu})_{1,1}}B_1^{-(C_\epsilon)_{2,1}(C_{\epsilon^\mu})_{1,1}}}=\frac{B_1^{-(C_\epsilon)_{1,1}(C_{\epsilon^\mu})_{2,1}}}{B_1^{-(C_\epsilon)_{2,1}(C_{\epsilon^\mu})_{1,1}}}=B_1^{(C_\epsilon)_{2,1}(C_{\epsilon^\mu})_{1,1}-(C_\epsilon)_{1,1}(C_{\epsilon^\mu})_{2,1}}.$$

5. Because the group order $p$ is public, the following holds. Let $Z_1=X_1^{(C_{\epsilon^\mu})_{2,1}}/Y_1^{(C_{\epsilon^\mu})_{1,1}}$; then

$$B_1=Z_1^{\big((C_\epsilon)_{2,1}(C_{\epsilon^\mu})_{1,1}-(C_\epsilon)_{1,1}(C_{\epsilon^\mu})_{2,1}\big)^{-1}\bmod p},$$

provided the exponent being inverted is nonzero modulo $p$, which holds for independent ciphertext blocks except with negligible probability.

6. Similarly,

$$X_1^{(C_\epsilon)_{2,1}}=A_1^{(C_{\epsilon^\mu})_{1,1}(C_\epsilon)_{2,1}}B_1^{-(C_\epsilon)_{1,1}(C_\epsilon)_{2,1}},\qquad Y_1^{(C_\epsilon)_{1,1}}=A_1^{(C_{\epsilon^\mu})_{2,1}(C_\epsilon)_{1,1}}B_1^{-(C_\epsilon)_{2,1}(C_\epsilon)_{1,1}},$$

then

$$\frac{X_1^{(C_\epsilon)_{2,1}}}{Y_1^{(C_\epsilon)_{1,1}}}=\frac{A_1^{(C_{\epsilon^\mu})_{1,1}(C_\epsilon)_{2,1}}B_1^{-(C_\epsilon)_{1,1}(C_\epsilon)_{2,1}}}{A_1^{(C_{\epsilon^\mu})_{2,1}(C_\epsilon)_{1,1}}B_1^{-(C_\epsilon)_{2,1}(C_\epsilon)_{1,1}}}=A_1^{(C_{\epsilon^\mu})_{1,1}(C_\epsilon)_{2,1}-(C_{\epsilon^\mu})_{2,1}(C_\epsilon)_{1,1}}.$$

7. Again because the group order $p$ is public, let

$$W_1=X_1^{(C_\epsilon)_{2,1}}/Y_1^{(C_\epsilon)_{1,1}},$$

then

$$A_1=W_1^{\big((C_{\epsilon^\mu})_{1,1}(C_\epsilon)_{2,1}-(C_{\epsilon^\mu})_{2,1}(C_\epsilon)_{1,1}\big)^{-1}\bmod p}.$$

8. By the same method, the adversary computes $A_2,B_2,\dots,A_s,B_s$.

With $A_1,B_1,A_2,B_2,\dots,A_s,B_s$, the adversary can forge any data block's authenticator as follows.

1. First, the adversary (the IS or the cloud) obtains

$$T_i=\Big(H_3(name\|i)\prod_{j=1}^{s}u_j^{c_{ij}}\Big)^{k_{tag}}\quad(1\le i\le n).$$

Note that $c_{ij}$ is publicly known.

2. With

$$T_i=\Big(H_3(name\|i)\prod_{j=1}^{s}u_j^{c_{ij}}\Big)^{k_{tag}}$$

and $A_1,B_1,A_2,B_2,\dots,A_s,B_s$, the adversary computes

$$T_i\cdot B_1^{-c_{i1}}B_2^{-c_{i2}}\cdots B_s^{-c_{is}}=\Big(H_3(name\|i)\prod_{j=1}^{s}u_j^{c_{ij}}\Big)^{k_{tag}}\cdot(u_1^{k_{tag}})^{-c_{i1}}(u_2^{k_{tag}})^{-c_{i2}}\cdots(u_s^{k_{tag}})^{-c_{is}}=H_3(name\|i)^{k_{tag}}.$$

Then it forges an authenticator for any data block as follows.

3. Let $\hat c_{ij}$ be the forged encrypted $j$-th sector of the $i$-th data block; the adversary computes

$$H_3(name\|i)^{k_{tag}}\cdot\big(B_1^{\hat c_{i1}}B_2^{\hat c_{i2}}\cdots B_s^{\hat c_{is}}\big)=\Big(H_3(name\|i)\prod_{j=1}^{s}u_j^{\hat c_{ij}}\Big)^{k_{tag}},$$

which is a valid authenticator for the forged encrypted sectors.

4. This means that the cloud can replace an outsourced encrypted data block and its corresponding authenticator with any other pair of its choosing, which obviously breaks the security of the cloud auditing protocol.

    First, we will review the core idea for updating the authenticator in [10]. Next, we will analyze why this core idea is not secure. Finally, we will present an improved method.

Now we review the core idea in [10]. In the original proposal, $(H(i)u^{C_i})^x$ is the authenticator. Assume $\sigma_i=(H(i)u^{C_i})^x$ is the original authenticator and $\sigma_i'=(H(i)u^{C_i'})^x$ is the new corresponding authenticator. Their ratio is $\sigma_i'/\sigma_i=\dfrac{(H(i)u^{C_i'})^x}{(H(i)u^{C_i})^x}=(u^{(C_i'-C_i)})^x=(u^x)^{(C_i'-C_i)}$. Thus $\sigma_i\cdot(u^x)^{(C_i'-C_i)}=\sigma_i'$, and the cloud can compute $\sigma_i'$ given $\sigma_i$ and $(u^x)^{(C_i'-C_i)}$. However, the inverse of $(C_i'-C_i)$ modulo $p$ can be calculated by the adversary, so this is not secure. For example, for any $C_i''$ the corresponding authenticator $\sigma_i''=\sigma_i\cdot(u^x)^{(C_i'-C_i)(C_i'-C_i)^{-1}(C_i''-C_i)}=\sigma_i\cdot(u^x)^{(C_i''-C_i)}$ can be forged. For safety, a blind factor $r$ is introduced: $(u^x)^{(rC_i'-C_i)}$ is first computed and then uploaded by the user to the storage cloud, and the new authenticator $\sigma_i'=\sigma_i\cdot(u^x)^{(rC_i'-C_i)}$ is formed whenever the data popularity changes.

However, the attack above shows that using $(u^x)^{(rC_i'-C_i)}$ instead of $(u^x)^{(C_i'-C_i)}$ is still not secure, for the following reason: if the cloud knows $(u^x)^{(rC_i'-C_i)}$ for many $1\le i\le n$, it can compute $(u^x)^r$ and $u^x$ easily, and thus it can forge any authenticator update $(u^x)^{(rC_{any}'-C_{any})}$. Furthermore, it can forge the authenticator $\sigma_i=(H(i)u^{C_{any}})^x$ for any block $C_{any}$, so their core idea is not secure.

We improve their core idea by replacing $(u^x)^{(rC_i'-C_i)}$ with $\big((u^x)^{(r_iC_i'-C_i)},\,u^{r_i}\big)$ for $1\le i\le n$, with an independent blind factor $r_i$ for each block. In this way the cloud cannot compute $(u^x)^{r_i}$ ($1\le i\le n$) or $u^x$, and thus it cannot forge authenticators any more.
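A design check for the two update rules above, written as an added example (it is not code from the paper or from [10]): it builds the update values $(u^x)^{(rC_i'-C_i)}$ for the single-$r$ rule of [10] and $(u^x)^{(r_iC_i'-C_i)}$ for the per-block rule, runs the cross-block ratio from the attack section on the first two blocks, and reports whether the ratio reproduces $u^x$. The group is a constructed toy group (the prime-order subgroup of $\mathbb{Z}_q^*$, $q=2039$, $p=1019$), $u$, the hash stand-in for $H(i)$, the secret $x$ and all block values are assumed sample parameters, and the checker that knows $x$ recomputes authenticators directly in place of a pairing. The same scalar computation also covers the sector-wise derivation of steps 4 to 7 of the attack with $s=1$.

```python
import hashlib

# Toy group, constructed for this example: q = 2p + 1 is a safe prime, and
# g = 4 generates the subgroup of prime order p in Z_q^*. The paper's schemes
# live in a bilinear group; here a checker that knows x recomputes the
# authenticator directly, which stands in for the pairing-based check.
P = 1019
Q = 2 * P + 1           # 2039, prime
G = 4
U = pow(G, 7, Q)        # the public element u of the core idea (assumed choice)


def h_block(i):
    """Stand-in for H(i): hash the block index into the order-p subgroup."""
    e = int.from_bytes(hashlib.sha256(f"block-{i}".encode()).digest(), "big")
    return pow(G, e % (P - 1) + 1, Q)


def authenticator(i, c, x):
    """sigma_i = (H(i) * u^{C_i})^x for block value c under secret key x."""
    return pow(h_block(i) * pow(U, c, Q) % Q, x, Q)


def update_tokens(c_old, c_new, x, blinds):
    """Update values (u^x)^{(r_i C_i' - C_i)} handed to the cloud.
    Original idea of [10]: one r for every block, blinds = [r] * n.
    Improved idea of the paper: an independent r_i per block."""
    return [pow(U, (x * (r * cn - co)) % P, Q)
            for co, cn, r in zip(c_old, c_new, blinds)]


def recover_ux(tokens, c_old, c_new):
    """The cross-block ratio from the attack section, on blocks 1 and 2.
    Writing token_i = A^{C_i'} B^{-C_i} with A = u^{xr}, B = u^x, the ratio
    token_1^{C_2'} / token_2^{C_1'} cancels A and leaves B^d with a known d;
    B = (B^d)^{d^{-1} mod p} follows because the group order p is public."""
    num = pow(tokens[0], c_new[1], Q)
    den = pow(tokens[1], c_new[0], Q)
    z = num * pow(den, -1, Q) % Q
    d = (c_old[1] * c_new[0] - c_old[0] * c_new[1]) % P
    if d == 0:
        return None     # exponent not invertible mod p: the ratio says nothing
    return pow(z, pow(d, -1, P), Q)


def leaks_ux(tokens, c_old, c_new, x):
    """Design check: do these update tokens let the ratio trick reproduce u^x?"""
    return recover_ux(tokens, c_old, c_new) == pow(U, x, Q)


def shift_authenticator(ux, sigma, c, c_hat):
    """Given u^x, move sigma_i for C_i to the authenticator for C_hat:
    sigma_i * (u^x)^{(C_hat - C_i)} = (H(i) u^{C_hat})^x, without knowing x."""
    return sigma * pow(ux, (c_hat - c) % P, Q) % Q


# Constructed sample: secret x, three blocks before/after the popularity change.
X = 611
C_OLD = [123, 456, 789]
C_NEW = [321, 654, 987]
SINGLE_R = [77, 77, 77]         # rule of [10]: the same r for every block
PER_BLOCK_R = [77, 91, 113]     # improved rule: independent r_i per block


def compare_designs():
    """Returns (single-r leaks u^x, per-block r_i leaks u^x, forgery matches)."""
    single = update_tokens(C_OLD, C_NEW, X, SINGLE_R)
    per_block = update_tokens(C_OLD, C_NEW, X, PER_BLOCK_R)
    single_leaks = leaks_ux(single, C_OLD, C_NEW, X)
    per_block_leaks = leaks_ux(per_block, C_OLD, C_NEW, X)
    # With u^x in hand, the honest authenticator of block 3 for C_3 = 789 can be
    # shifted to one for an arbitrary value (here 1) that the checker accepts.
    ux = recover_ux(single, C_OLD, C_NEW)
    forged = shift_authenticator(ux, authenticator(3, C_OLD[2], X), C_OLD[2], 1)
    return single_leaks, per_block_leaks, forged == authenticator(3, 1, X)


if __name__ == "__main__":
    print(compare_designs())   # (True, False, True)
```

With per-block blind factors the ratio still cancels nothing useful: the leftover factor $u^{x C_1'C_2'(r_1-r_2)}$ is unknown to the cloud, so the candidate it derives is not $u^x$ and the shifted authenticator would fail the check. The `d == 0` branch is the edge case a reviewer should note: the inversion modulo $p$ needs a nonzero exponent, which independent ciphertext blocks give with overwhelming probability.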

    Building upon the improved core idea, we have developed an improved cloud auditing scheme which is outlined below:

    1. Setup: For the sake of comparison, it is worth noting that this algorithm is identical to the corresponding algorithm presented in [10].

    2. Join: This algorithm is the same as the corresponding algorithm in [10].

    3. Upload: This algorithm is the same as the corresponding algorithm in [10].

4. AuthGen: With the ciphertext of a file $C=\{c_1,c_2,\dots,c_n\}$ (where $C$ is either $C_{\epsilon^\mu}$ or $C_\epsilon$) and a secret key $k_{tag}\in\mathbb{Z}_p$, the key $v\leftarrow g^{k_{tag}}$ is computed and published by the user. For each ciphertext block $c_i$ ($1\le i\le n$), the authenticator $T_i$ is generated by $U_i$ and uploaded to the cloud.

(a) $u_1,u_2,\dots,u_s$ are $s$ generators of $G_1$ chosen by $U_i$; $r_1,r_2,\dots,r_n\in\mathbb{Z}_p$ are also chosen at random by $U_i$.

(b) Let $\tau_0=name\|n\|v^{r_1}\|v^{r_2}\|\cdots\|v^{r_n}\|u_1\|u_2\|\cdots\|u_s$. A signing key $ssk\in\mathbb{Z}_p$ and the corresponding verification key $P_{ssk}\leftarrow g^{ssk}$ are randomly generated by the user. The file tag is $\tau\leftarrow\tau_0\|SSig_{ssk}(\tau_0)$.

(c) For each data block the authenticator is computed by $U_i$ as

$$T_i=\Big(H_3(name\|i)\prod_{j=1}^{s}u_j^{c_{ij}}\Big)^{k_{tag}}.$$

(d) The update values

$$\Big\{u_1^{k_{tag}(r_1(C_{\epsilon^\mu})_{1,1}-(C_\epsilon)_{1,1})},\;u_2^{k_{tag}(r_1(C_{\epsilon^\mu})_{1,2}-(C_\epsilon)_{1,2})},\;\dots,\;u_s^{k_{tag}(r_1(C_{\epsilon^\mu})_{1,s}-(C_\epsilon)_{1,s})}\Big\},$$

$$\Big\{u_1^{k_{tag}(r_2(C_{\epsilon^\mu})_{2,1}-(C_\epsilon)_{2,1})},\;u_2^{k_{tag}(r_2(C_{\epsilon^\mu})_{2,2}-(C_\epsilon)_{2,2})},\;\dots,\;u_s^{k_{tag}(r_2(C_{\epsilon^\mu})_{2,s}-(C_\epsilon)_{2,s})}\Big\},$$

$$\dots,$$

$$\Big\{u_1^{k_{tag}(r_n(C_{\epsilon^\mu})_{n,1}-(C_\epsilon)_{n,1})},\;u_2^{k_{tag}(r_n(C_{\epsilon^\mu})_{n,2}-(C_\epsilon)_{n,2})},\;\dots,\;u_s^{k_{tag}(r_n(C_{\epsilon^\mu})_{n,s}-(C_\epsilon)_{n,s})}\Big\}$$

are computed by $U_i$ and sent to the IS; we denote them by $Upd$.

(e) The file tag and $\{T_i\}_{1\le i\le n}$ are sent by $U_i$ to the cloud.

5. PopularityChange: This algorithm is the same as the corresponding algorithm in [10], except that the new authenticator is

$$T_i'=T_i\prod_{j=1}^{s}u_j^{k_{tag}(r_i(C_{\epsilon^\mu})_{i,j}-(C_\epsilon)_{i,j})}.$$

Note that we use $r_i$ instead of $r$ in the exponent.

6. ProofGen: With $\{c_i\}_{1\le i\le n}$ and $\{T_i\}_{1\le i\le n}$ as input,

    ● the auditing challenge is generated by TPA as the following:

(a) The TPA obtains the file tag from the cloud and checks the correctness of the signature on $\tau_0$ using the key $P_{ssk}$. The TPA rejects and halts if the signature is not correct.

(b) Otherwise, the file name $name$, $n$, $v^{r_1},v^{r_2},\dots,v^{r_n}$ and $\{u_1,u_2,\dots,u_s\}$ are recovered by the TPA. Then the TPA chooses $c$ ($1\le c\le n$), the number of challenged blocks.

(c) $k_1\in\mathbb{Z}_p$ and $k_2\in\mathbb{Z}_p$ are randomly picked by the TPA.

(d) The challenge $chal=(c,k_1,k_2)$ is sent by the TPA to the cloud.

● After receiving $chal$ from the TPA, the cloud computes $l_t=\pi_{k_1}(t)$ and $a_t=\phi_{k_2}(t)$ for $1\le t\le c$, and then the proof $T=\prod_{t=1}^{c}T_{l_t}^{a_t}$, $\eta_j=\sum_{t=1}^{c}a_t\,c_{l_t,j}$ for $1\le j\le s$.

7. ProofVerify: With the proof $P=(T,\eta)$ and the challenge message $chal=(c,k_1,k_2)$, the TPA computes $l_t=\pi_{k_1}(t)$ and $a_t=\phi_{k_2}(t)$ for $1\le t\le c$. Then the following verification equations are checked:

$$e(T,g)=e\Big(\prod_{t=1}^{c}H_3(name\|l_t)^{a_t}\cdot\prod_{j=1}^{s}u_j^{\eta_j},\;v\Big),$$

$$e(T,g)=\prod_{t=1}^{c}e\Big(H_3(name\|l_t)^{a_t}\prod_{j=1}^{s}u_j^{\eta_j},\;v^{r_t}\Big).$$

If either of them holds, the proof is valid.

The reason this improved proposal resists the attack above is as follows. From $Upd$,

$$\Big\{u_1^{k_{tag}(r_1(C_{\epsilon^\mu})_{1,1}-(C_\epsilon)_{1,1})},\dots,u_s^{k_{tag}(r_1(C_{\epsilon^\mu})_{1,s}-(C_\epsilon)_{1,s})}\Big\},\;\Big\{u_1^{k_{tag}(r_2(C_{\epsilon^\mu})_{2,1}-(C_\epsilon)_{2,1})},\dots,u_s^{k_{tag}(r_2(C_{\epsilon^\mu})_{2,s}-(C_\epsilon)_{2,s})}\Big\},\;\dots,\;\Big\{u_1^{k_{tag}(r_n(C_{\epsilon^\mu})_{n,1}-(C_\epsilon)_{n,1})},\dots,u_s^{k_{tag}(r_n(C_{\epsilon^\mu})_{n,s}-(C_\epsilon)_{n,s})}\Big\},$$

the adversary no longer obtains the values

$$\Big\{u_1^{k_{tag}(r(C_{\epsilon^\mu})_{1,1}-(C_\epsilon)_{1,1})},\dots,u_s^{k_{tag}(r(C_{\epsilon^\mu})_{1,s}-(C_\epsilon)_{1,s})}\Big\},\;\Big\{u_1^{k_{tag}(r(C_{\epsilon^\mu})_{2,1}-(C_\epsilon)_{2,1})},\dots,u_s^{k_{tag}(r(C_{\epsilon^\mu})_{2,s}-(C_\epsilon)_{2,s})}\Big\},\;\dots,\;\Big\{u_1^{k_{tag}(r(C_{\epsilon^\mu})_{n,1}-(C_\epsilon)_{n,1})},\dots,u_s^{k_{tag}(r(C_{\epsilon^\mu})_{n,s}-(C_\epsilon)_{n,s})}\Big\},$$

which share a single blind factor $r$; it only obtains the values of $Upd$ above, each blinded by its own $r_i$. From these values the adversary cannot compute $u_1^{r_1k_{tag}}$, $u_1^{k_{tag}}$, $u_2^{r_2k_{tag}}$, $u_2^{k_{tag}}$, $\dots$, that is, any $u_j^{r_ik_{tag}}$ or $u_j^{k_{tag}}$, because the cross-block ratio used in the attack no longer cancels the blinding. Thus the above attack no longer works.

In 2019, Hou et al. proposed an auditing scheme. However, in this paper, we demonstrate that their proposal is not secure. The main reason is that the core idea of their authenticator update algorithm is vulnerable. Specifically, if the cloud storage server obtains many values $(u^x)^{(rC_i'-C_i)}$ for $1\le i\le n$, it can easily compute $(u^x)^r$ and $u^x$, which allows it to forge an authenticator $\sigma_i=(H(i)u^{C_{any}})^x$ for any block $C_{any}$. This attack is a generalization of attacks on many cloud storage auditing protocols based on the discrete logarithm problem, as shown in [31,32]. It highlights the need for caution when designing cloud storage auditing protocols from cryptographic techniques, as these schemes have a rich algebraic structure that may result in vulnerabilities.

To address these shortcomings, we have developed an improved cloud storage auditing scheme based on Hou et al.'s proposal. Our updated authenticator algorithm now uses $(u^x)^{(r_iC_i'-C_i)}$ for $1\le i\le n$, which makes it impossible for the adversary to compute $(u^x)^{r_i}$ and $u^x$. We have also analyzed why our improved scheme is secure. We hope that our work will help future researchers avoid similar shortcomings in their own cloud storage auditing schemes.

    This work is supported by the Key Research and Development Program of Xianyang City(No. L2022ZDYFSF061), Scientific Research Funding of Xianyang Vocational & Technical College on "Research on Key Technologies for Secure Outsouced Cloud Storage"(Grant No.2021KJB03).

    The authors declare there is no conflict of interest.



    [1] J. Nowaková, M. Pokorný, Intelligent controller design by the artificial intelligence methods, Sensors, 20 (2020), 4454. https://doi.org/10.3390/s20164454 doi: 10.3390/s20164454
    [2] M. Pawlicki, R. Kozik, M. Choras, A survey on neural networks for (cyber-) security and (cyber-) security of neural networks, Neurocomputing, 500 (2022), 1075–1087. https://doi.org/10.1016/j.neucom.2022.06.002 doi: 10.1016/j.neucom.2022.06.002
    [3] H. Xu, M. Guo, N. Nedjah, J. Zhang, P. Li, Vehicle and Pedestrian Detection Algorithm Based on Lightweight YOLOv3-Promote and Semi-Precision Acceleration, IEEE Trans. Intell. Transp. Syst., 23 (2022), 19760–19771. https://doi.org/10.1109/TITS.2021.3137253 doi: 10.1109/TITS.2021.3137253
    [4] B. Furht, A. Escalante, Handbook of Cloud Computing, Springer, 2010. https://doi.org/10.1007/978-1-4419-6524-0
    [5] G. Fenza, V. Loia, G. Nota, Patterns for visual management in industry 4.0, Sensors, 21 (2021), 6440. https://doi.org/10.3390/s21196440 doi: 10.3390/s21196440
    [6] M. Hasal, J. Nowaková, K. A. Saghair, H. M. Dahwa Abdulla, Václav Snásel, Lidia Ogiela, Chatbots: Security, privacy, data protection, and social aspects. Concurr. Comput. Pract. Exp., 33 (2021). https://doi.org/10.1002/cpe.6426
    [7] N. Capuano, G. Fenza, V. Loia, C. Stanzione, Explainable artificial intelligence in cybersecurity: A survey. IEEE Access, 10 (2022), 93575–93600. https://doi.org/10.1109/ACCESS.2022.3204171
    [8] M. Choras, M. Wozniak, The double-edged sword of AI: ethical adversarial attacks to counter artificial intelligence for crime, AI Ethics, 3 (2022), 631–634. https://doi.org/10.1007/s43681-021-00113-9
    [9] V. Snásel, J. Nowaková, F. Xhafa, L. Barolli, Geometrical and topological approaches to big data, Future Gener. Comput. Syst., 67 (2017), 286–296. https://doi.org/10.1016/j.future.2016.06.005 doi: 10.1016/j.future.2016.06.005
    [10] H. Hou, J. Yu, R. Hao, Cloud storage auditing with deduplication supporting different security levels according to data popularity, J. Network Comput. Appl., 134 (2019), 26–39. https://doi.org/10.1016/j.jnca.2019.02.015 doi: 10.1016/j.jnca.2019.02.015
    [11] G. Asharov, G. Segev, I. Shahaf, Tight tradeoffs in searchable symmetric encryption, LNCS, Springer, Heidelberg, 2018, 407–436. https://doi.org/10.1007/978-3-319-96884-1_14
    [12] R. Cheng, J. Yan, C. Guan, F. Zhang, K. Ren, Verifiable searchable symmetric encryption from indistinguishability obfuscation. In Feng Bao, Steven Miller, Jianying Zhou, Gail-Joon Ahn, ASIACCS 15, ACM Press, 2015, 621–626. https://doi.org/10.1145/2714576.2714623
    [13] R. Curtmola, J. A. Garay, S. Kamara, R. Ostrovsky, Searchable symmetric encryption: improved definitions and efficient constructions, In Ari Juels, Rebecca N. Wright, Sabrina De Capitani di Vimercati, ACM CCS 06, ACM Press, 2006, 79–88. https://doi.org/10.1145/1180405.1180417
    [14] S. Kamara, C. Papamanthou, T. Roeder, Dynamic searchable symmetric encryption. In Ting Yu, George Danezis, Virgil D. Gligor, ACM CCS 12, ACM Press, October 2012, 965–976. https://doi.org/10.1145/2382196.2382298
    [15] K. Lee, S. G. Choi, D. H. Lee, J. H. Park, M. Yung, Self-updatable encryption: Time constrained access control with hidden attributes and better efficiency, In Kazue Sako, Palash Sarkar, ASIACRYPT 2013, Part I, volume 8269 of LNCS, Springer, Heidelberg, 2013, 235–254. https://doi.org/10.1007/978-3-642-32009-5_13
    [16] A. Sahai, H. Seyalioglu, B. Waters, Dynamic credentials and ciphertext delegation for attribute-based encryption, In Reihaneh Safavi-Naini, Ran Canetti, CRYPTO 2012, volume 7417 of LNCS, Springer, Heidelberg, 2012, 199–217. https://doi.org/10.1007/978-3-642-32009-5_13
    [17] M. Bellare, S. Keelveedhi, T. Ristenpart, Message-locked encryption and secure deduplication, In Thomas Johansson, Phong Q. Nguyen, EUROCRYPT 2013, volume 7881 of LNCS, Springer, Heidelberg, 2013, 296–312. https://doi.org/10.1007/978-3-642-38348-9_18
    [18] M. Bellare, S. Keelveedhi, Interactive message-locked encryption and secure deduplication. In Jonathan Katz, PKC 2015, volume 9020 of LNCS, Springer, Heidelberg, 2015, 516–538. https://doi.org/10.1007/978-3-662-46447-2_23
    [19] G. Ateniese, K. Fu, M. Green, S. Hohenberger, Improved proxy re-encryption schemes with applications to secure distributed storage, In NDSS 2005, The Internet Society, February 2005.
    [20] G. Ateniese, R. C. Burns, R. Curtmola, J. Herring, L. Kissner, Z. N. J. Peterson, et al., Provable data possession at untrusted stores, In Peng Ning, Sabrina De Capitani di Vimercati, Paul F. Syverson, ACM CCS 07, ACM Press, 2007, 598–609. https://doi.org/10.1145/1315245.1315318
    [21] C. C. Erway, A. Kupccu, C. Papamanthou, R. Tamassia, Dynamic provable data possession, In Ehab Al-Shaer, Somesh Jha, Angelos D. Keromytis, ACM CCS 09, ACM Press, 2009, 213–222. https://doi.org/10.1145/1653662.1653688
    [22] A. Juels, B. S. Kaliski Jr., Pors: Proofs of retrievability for large files. In Peng Ning, Sabrina De Capitani di Vimercati, Paul F. Syverson, ACM CCS 07, ACM Press, 2007, 584–597. https://doi.org/10.1145/1315245.1315317
    [23] E. Shi, E. Stefanov, C. Papamanthou, Practical dynamic proofs of retrievability, In Ahmad-Reza Sadeghi, Virgil D. Gligor, Moti Yung, ACM CCS 13, ACM Press, 2013, 325–336. https://doi.org/10.1145/2508859.2516669
    [24] H. Shacham, B. Waters, Compact proofs of retrievability, In Josef Pieprzyk, ASIACRYPT 2008, volume 5350 of LNCS, Springer, Heidelberg, 2008, 90–107. https://doi.org/10.1007/978-3-540-89255-7_7
    [25] Q. Wang, C. Wang, J. Li, K. Ren, W. Lou, Enabling public verifiability and data dynamics for storage security in cloud computing, In ESORICS, volume 5789 of Lecture Notes in Computer Science, Springer, 2009, 355–370. https://doi.org/10.1007/978-3-642-04444-1_22
    [26] Q. Wang, C. Wang, K. Ren, W. Lou, J. Li, Enabling public auditability and data dynamics for storage security in cloud computing. IEEE Trans. Parallel Distrib. Syst., 22(5): 847–859, 2011. https://doi.org/10.1109/TPDS.2010.183
    [27] Y. Yu, L. Xue, M. H. Au, W. Susilo, J. Ni, Y. Zhang, et al., Cloud data integrity checking with an identity-based auditing mechanism from RSA, Future Generation Comp. Syst., 62 (2016), 85–91. https://doi.org/10.1016/j.future.2016.02.003 doi: 10.1016/j.future.2016.02.003
    [28] Y. Yu, M. H. Au, G. Ateniese, X. Huang, W. Susilo, Y. Dai, et al., Identity-based remote data integrity checking with perfect data privacy preserving for cloud storage, IEEE Trans. Inf. Forens. Secur., 12 (2017), 767–778. 2017. https://doi.org/10.1109/TIFS.2016.2615853
    [29] Y. Yu, Y. Li, B. Yang, W. Susilo, G. Yang, J. Bai, Attribute-based cloud data integrity auditing for secure outsourced storage, IEEE Trans. Emerg. Top. Comput., 8 (2020), 377–390. https://doi.org/10.1109/TETC.2017.2759329
    [30] Y. Huang, Y. Yu, H. Li, Y. Li, A. Tian, Blockchain-based continuous data integrity checking protocol with zero-knowledge privacy protection, Digit. Commun. Networks, 8 (2022), 604–613. https://doi.org/10.1016/j.dcan.2022.04.017 doi: 10.1016/j.dcan.2022.04.017
    [31] J. Zhang, B. Wang, X. A. Wang, H. Wang, S. Xiao, New group user based privacy preserving cloud auditing protocol. Future Gener. Comput. Syst., 106 (2020), 585–594. https://doi.org/10.1016/j.future.2020.01.029
    [32] J. Zhang, B. Wang, M. R. Ogiela, X. A. Wang, A. K. Sangaiah, New public auditing protocol based on homomorphic tags for secure cloud storage, Concurr. Comput. Pract. Exp., 32 (2020). https://doi.org/10.1002/cpe.5600
  • © 2023 the Author(s), licensee AIMS Press. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0)