
Security and Efficiency Analysis on a Simple Keyword Search Scheme over Encrypted Data in Cloud Storage Services


Chun-Ta Li¹, Jau-Ji Shen², and Chin-Wen Lee²

¹ Department of Information Management, Tainan University of Technology, 529 Zhongzheng Road, Tainan City 71002, Taiwan (R.O.C.)

² Department of Management Information Systems, National Chung Hsing University, 250 Guoguang Road, Taichung City 40227, Taiwan (R.O.C.)

Abstract. With the growing popularity of cloud computing, cloud storage has become an essential part of cloud services and has been widely studied in recent years. Recently, Hsu et al. proposed an ElGamal-based simple keyword search scheme over encrypted data in cloud storage services. They claimed that a secure cloud storage service needs to achieve five security requirements: consistency, ciphertext indistinguishability, trapdoor indistinguishability, resistance to outside keyword guessing attacks, and resistance to inside keyword guessing attacks. However, in this paper, we observe that Hsu et al.'s scheme not only cannot prevent the inside keyword guessing attack but also cannot prevent a denial of service attack, and that its algorithms are computationally inefficient.

Keywords: Cloud storage service, ElGamal system, Inside keyword guessing attack, Keyword search.

1 Introduction

As network and communication technologies have developed [15, 18], many cloud services [2, 6, 10, 11, 16, 17] have been proposed, such as cloud storage services, hardware infrastructure facilities, and a variety of application software. People have begun to use cloud storage services in place of physical hardware devices for storing personal or sensitive data, so that users can obtain important information anytime and anywhere. Enterprises, in turn, can use this large cyberspace to store huge amounts of data and reduce their operating costs. However, there are security threats when cloud users transmit data over a public channel. Therefore, it is important to provide secure cloud services.

Corresponding author.

R.C.-H. Hsu and W. Shangguang (Eds.): IOV 2014, LNCS 8662, pp. 367–375, 2014.

To enhance the privacy of cloud data [13, 14, 19–21], cloud users encrypt data before uploading them to the cloud storage space [1, 3–5, 7, 9, 12, 22]. Once the data is encrypted, it becomes an unrecognizable ciphertext, and even the data owner or an authorized user cannot recognize its contents. Therefore, in 2013, Hsu et al. proposed a simple keyword search scheme [8] based on the ElGamal system. Hsu et al.'s scheme has three participants: the data sender, the cloud server, and the data receiver. It has three phases (the setup phase, the KeyGenServer phase, and the KeyGenReceiver phase) and three algorithms (the dPEKS algorithm, the dTrapdoor algorithm, and the dTest algorithm). Finally, Hsu et al.'s scheme can achieve four security requirements: consistency, ciphertext indistinguishability, trapdoor indistinguishability, and resistance to outside keyword guessing attacks. The research scope of Hsu et al.'s scheme is shown in Figure 1.

However, in this paper, we found that Hsu et al.'s scheme is inefficient in its computing algorithms and cannot resist denial of service and inside keyword guessing attacks. Unfortunately, to the best of our knowledge, no existing work (including Hsu et al.'s scheme) can resist inside keyword guessing attacks in cloud storage services.

The remainder of the paper is organized as follows. Section 2 is a brief review of Hsu et al.'s simple keyword search scheme, and the denial of service and inside keyword guessing attacks are given in Section 3 and Section 4, respectively. Section 5 shows that Hsu et al.'s scheme has a low efficiency problem in its computing algorithms. We conclude this paper in Section 6.

Fig. 1. Research scope of Hsu et al.'s scheme [8]. Participants: data sender, cloud server, data receiver. Steps shown: (1) upload encrypted data; (2) request encrypted data with keyword trapdoor; (3) verify the keyword trapdoor; (4) download encrypted data.

2 Review of Hsu et al.'s Scheme

In this section, we review Hsu et al.'s simple keyword search scheme [8]. The notations used in [8] are defined in Table 1. Three roles participate in this scheme: the data sender, the cloud server, and the receiver. The data sender can use the cloud storage service to store personal data and download the data. The data sender can also authorize other users (receivers) to download the data. To enhance the privacy of cloud data, the data sender encrypts data with the keyword $w$ before uploading it to the cloud storage space. An authorized receiver can use the keyword $w'$ to generate a request and send it to the cloud server when he/she wants to download specific cloud data. When the cloud server receives the request sent by the receiver, it searches its database for the corresponding keyword ciphertexts and returns the specific data to the authorized receiver. Hsu et al.'s scheme is divided into three phases (the setup phase, the KeyGenServer(gp) phase, and the KeyGenReceiver(gp) phase) and three algorithms (the dPEKS($gp, pk_S, pk_R, w$) algorithm, the dTrapdoor($gp, pk_S, sk_R, w'$) algorithm, and the dTest($gp, C, T_{w'}, sk_S$) algorithm). The flowchart of Hsu et al.'s scheme is depicted in Figure 2.

Table 1. Notations used throughout this paper

| Symbol | Description |
|---|---|
| $G$ | A cyclic group of prime order $p$ with generator $g$ |
| $Z_p$ | The field of integers modulo $p$ |
| $pk_S, sk_S$ | Cloud server's public/private key pairs |
| $pk_R, sk_R$ | Data receiver's public/private key pairs |
| $w$ | A keyword that the data sender sets for the encrypted data |
| $w'$ | A keyword that the data receiver wants to search |
| $C$ | A keyword ciphertext |
| $T_{w'}$ | A keyword trapdoor which contains $w'$ |
| $H(\cdot)$ | A secure one-way hashing function |
| $KS_w$ | The keyword space |

Setup phase: Select a cyclic group $G$ with prime order $p$ and a primitive root $g$. Choose a secure one-way hash function $H: \{0,1\}^* \rightarrow Z_p$. Let $KS_w$ denote the keyword space. The global parameter is $gp = (G, p, g, H, KS_w)$.

KeyGenServer(gp) phase: Choose a random value $\alpha \in Z_p$ and compute $pk_S = g^{\alpha}$. Output the cloud server's public/private key pair $(pk_S, sk_S) = (g^{\alpha}, \alpha)$.

KeyGenReceiver(gp) phase: Choose a random value $\beta \in Z_p$ and compute $pk_R = g^{\beta}$. Output the receiver's public/private key pair $(pk_R, sk_R) = (g^{\beta}, \beta)$.

dPEKS($gp, pk_S, pk_R, w$) algorithm: In this algorithm, the data sender encrypts the keyword $w$ with the cloud server's public key $pk_S$. First, the data sender selects two random values $r, \theta \in Z_p$ and computes $C_1 = g^{r}$, $C_2 = \theta H(w) \cdot pk_S^{r}$ and $C_3 = \theta \, pk_R$. It outputs the keyword ciphertext $C = [C_1, C_2, C_3]$ and sends $C$ to the cloud server.

dTrapdoor($gp, pk_S, sk_R, w'$) algorithm: In this algorithm, the authorized receiver generates a trapdoor with the keyword $w'$ that he/she wants to search and creates a signature with $sk_R$. First, the authorized receiver selects two random values $r, k \in Z_p$ and computes $T_1 = g^{r}$, $T_2 = H(w') \cdot (pk_S)^{r}$, $T_3 = g^{k}$ and $T_4 = k^{-1}(H(T_1||T_2) - sk_R \cdot T_3) \bmod (p-1)$. Then he/she outputs the trapdoor $T_{w'} = [T_1, T_2, T_3, T_4]$ and sends $T_{w'}$ to the cloud server.

dTest($gp, C, T_{w'}, sk_S$) algorithm: After receiving the ciphertext $C$ from the data sender and the trapdoor $T_{w'}$ from the authorized receiver, the cloud server starts to search for the corresponding keyword ciphertext. First, this algorithm computes $v = C_2 \cdot (C_1^{sk_S})^{-1} = \theta H(w)$ and $u = T_2 \cdot (T_1^{sk_S})^{-1} = H(w')$. Then, it computes $Z = C_3^{T_3} \cdot T_3^{T_4} = \theta^{T_3} g^{H(T_1||T_2)}$. Finally, the cloud server checks whether $v^{T_3} \cdot g^{H(T_1||T_2)} = u^{T_3} \cdot Z$. If it holds, it means $w = w'$.

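Fig. 2. The flowchart of Hsu et al.'s scheme [8]. Participants: data sender, cloud server, data receiver. Steps shown:

1. The cloud server generates its key pair $sk_S = \alpha$ and $pk_S = g^{\alpha}$.
2. The data receiver generates its key pair $sk_R = \beta$ and $pk_R = g^{\beta}$.
3. The data sender computes $C = [C_1, C_2, C_3]$ and sends it to the cloud server.
4. The data receiver computes $T_{w'} = [T_1, T_2, T_3, T_4]$ and sends it to the cloud server.
5. The cloud server computes $v = C_2 \cdot (C_1^{sk_S})^{-1} = \theta H(w)$, $u = T_2 \cdot (T_1^{sk_S})^{-1} = H(w')$ and $Z = C_3^{T_3} \cdot T_3^{T_4} = \theta^{T_3} g^{H(T_1||T_2)}$, then checks whether $v^{T_3} \cdot g^{H(T_1||T_2)} = u^{T_3} \cdot Z$.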

3 Denial of Service Attack on Hsu et al.'s Scheme

We found that a malicious attacker can perform a denial of service attack on Hsu et al.'s scheme. Consider the following scenario. During the dPEKS algorithm, the data sender uploads the encrypted data with ciphertext $C$ via a public channel, and we suppose that the attacker has the ability to change the ciphertext $C$ into the attacker's ciphertext $C_A$. Then, during the dTrapdoor and dTest algorithms, the authorized receiver sends the download request $T_{w'}$ to the cloud server but cannot pass the cloud server's authentication, because the legal sender's ciphertext $C$ has been changed into the attacker's $C_A$. Thus the authorized receiver no longer has permission to download the corresponding encrypted data. In the end, only the malicious attacker is able to download the encrypted data. The denial of service attack is described by the following steps:

Step 1. In the dPEKS algorithm, because the data sender uploads the encrypted data with ciphertext $C$ via a public channel, the malicious attacker can intercept the data sender's ciphertext $C$ and replace it with the attacker's fake ciphertext $C_A$. The attacker then sends the encrypted data with ciphertext $C_A$ to the cloud server.

Step 2. In the dTrapdoor algorithm, when the receiver wants to search for the corresponding encrypted data sent by the data sender, he/she generates the trapdoor request $T_{w'}$ and sends it to the cloud server.

Step 3. In the dTest algorithm, when the cloud server receives the download request from the data receiver, the data receiver cannot pass the cloud server's dTest authentication. As a result, the data receiver is refused permission to download the specified encrypted data.

Step 4. On the other hand, because the data sender's ciphertext $C$ was changed into the attacker's ciphertext $C_A$ during the dPEKS algorithm, the unauthorized attacker can generate a fake trapdoor $T_{w_A}$ and send it to the cloud server in the dTrapdoor algorithm, and the malicious attacker can still pass the cloud server's verification and obtain the encrypted data in the dTest algorithm.

The above steps show that the attacker can successfully perform the denial of service attack and that the legal data receiver has no permission to download the specified encrypted data. Instead, only the malicious attacker is able to download the encrypted data, and the cloud server is not aware that it has caused this weakness in the cloud storage service.

4 Inside Keyword Guessing Attack on Hsu et al.'s Scheme

To enhance the security of cloud computing environments, a secure cloud storage service must resist not only outside keyword guessing attacks but also inside keyword guessing attacks. However, to the best of our knowledge, none of the existing schemes can prevent the inside keyword guessing attack from a malicious cloud server, because the cloud server has plentiful information with which to perform the dTest algorithm. In this section, we show the inside keyword guessing attack on Hsu et al.'s scheme.

Step 1. In the dPEKS($gp, pk_S, pk_R, w$) algorithm, the data sender computes $C_1 = g^{r}$, $C_2 = \theta H(w) \cdot pk_S^{r}$ and $C_3 = \theta \, pk_R$ and sends $C = [C_1, C_2, C_3]$ to the malicious cloud server.

Step 2. In the dTrapdoor($gp, pk_S, sk_R, w'$) algorithm, the authorized receiver computes $T_1 = g^{r}$, $T_2 = H(w') \cdot (pk_S)^{r}$, $T_3 = g^{k}$ and $T_4 = k^{-1}(H(T_1||T_2) - sk_R \cdot T_3) \bmod (p-1)$ and sends $T_{w'} = [T_1, T_2, T_3, T_4]$ to the malicious cloud server.

Step 3. Because the values $C$ and $T_{w'}$ have been collected in Step 1 and Step 2, the malicious cloud server can use them to derive $v = C_2 \cdot (C_1^{sk_S})^{-1} = \theta H(w)$, $u = T_2 \cdot (T_1^{sk_S})^{-1} = H(w')$ and $Z = C_3^{T_3} \cdot T_3^{T_4} = \theta^{T_3} g^{H(T_1||T_2)}$ by performing the dTest($gp, C, T_{w'}, sk_S$) algorithm.

Step 4. In this step, the malicious cloud server can execute the dTest algorithm to derive the keyword $w = w'$. The details of the dTest algorithm execution are shown in Figure 3.

Finally, the malicious cloud insider succeeds in deriving the low-entropy keyword $w = w'$, and Hsu et al.'s scheme is vulnerable to the inside keyword guessing attack.

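$$v^{T_3} \cdot g^{H(T_1||T_2)} = u^{T_3} \cdot Z$$

$$(\theta H(w))^{T_3} \cdot g^{H(T_1||T_2)} = H(w')^{T_3} \cdot \theta^{T_3} \cdot g^{H(T_1||T_2)}$$

$$\Rightarrow H(w)^{T_3} \cdot \theta^{T_3} \cdot g^{H(T_1||T_2)} = H(w')^{T_3} \cdot \theta^{T_3} \cdot g^{H(T_1||T_2)}$$

$$\Rightarrow H(w)^{T_3} = H(w')^{T_3}$$

$$\Rightarrow H(w) = H(w')$$

Fig. 3. The dTest algorithm is performed by the attackers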
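The algebra of Sections 2 to 4 can be checked with a small model of the scheme. This is an added example, not code from Hsu et al. or from the paper's authors; the modulus, base, SHA-256 as $H$, the keyword list, the function names, and the way $C_A$ is formed (a ciphertext built for a different receiver key) are all assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Toy parameters (assumptions of this example): modulus 2^127 - 1, base 3.
# Too small for real use, and the base is not checked to be a primitive root;
# the identities below hold for any base.
P = 2**127 - 1
G = 3
KEYWORD_SPACE = [b"invoice", b"payroll", b"contract", b"salary"]  # constructed

def H(data):
    """Hash into Z_p; SHA-256 stands in for the scheme's unspecified H."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P or 1

def enc(t1, t2):
    """Fixed-width byte encoding of T1 || T2."""
    return t1.to_bytes(16, "big") + t2.to_bytes(16, "big")

def rand():
    return secrets.randbelow(P - 2) + 1

def keygen():
    sk = rand()
    return pow(G, sk, P), sk

def dpeks(pk_s, pk_r, w):
    r, theta = rand(), rand()
    return pow(G, r, P), theta * H(w) * pow(pk_s, r, P) % P, theta * pk_r % P

def dtrapdoor(pk_s, sk_r, w):
    r, k = rand(), rand()
    while math.gcd(k, P - 1) != 1:  # k must be invertible mod p - 1
        k = rand()
    t1, t2, t3 = pow(G, r, P), H(w) * pow(pk_s, r, P) % P, pow(G, k, P)
    t4 = pow(k, -1, P - 1) * (H(enc(t1, t2)) - sk_r * t3) % (P - 1)
    return t1, t2, t3, t4

def unmask(a, b, sk_s):
    """b * (a^skS)^-1 mod p: removes the pkS^r mask from C2 or T2."""
    return b * pow(pow(a, sk_s, P), -1, P) % P

def dtest(c, t, sk_s):
    (c1, c2, c3), (t1, t2, t3, t4) = c, t
    v, u = unmask(c1, c2, sk_s), unmask(t1, t2, sk_s)
    gh = pow(G, H(enc(t1, t2)), P)
    z = pow(c3, t3, P) * pow(t3, t4, P) % P
    return pow(v, t3, P) * gh % P == pow(u, t3, P) * z % P

def keyword_behind_trapdoor(t, sk_s, keyword_space):
    """u = H(w') is visible to the tester, so a low-entropy keyword space
    can be matched against it offline."""
    u = unmask(t[0], t[1], sk_s)
    return next((w for w in keyword_space if H(w) == u), None)

def demo():
    (pk_s, sk_s), (pk_r, sk_r), (pk_a, _) = keygen(), keygen(), keygen()
    c = dpeks(pk_s, pk_r, b"invoice")
    t = dtrapdoor(pk_s, sk_r, b"invoice")
    c_a = dpeks(pk_s, pk_a, b"invoice")  # assumed form of C_A (Section 3)
    return (dtest(c, t, sk_s), dtest(c_a, t, sk_s),
            keyword_behind_trapdoor(t, sk_s, KEYWORD_SPACE))
```

`demo()` returns the dTest result for the honest ciphertext, the dTest result once $C$ has been replaced by $C_A$, and the keyword the key-holding tester reads out of the trapdoor. Nothing in $C$ is authenticated to the sender, and $u$ carries no blinding that the server cannot remove, which is where a repaired design would have to change.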

5 Low Efficiency Problem on Hsu et al.'s Scheme

Hsu et al.'s scheme has a low efficiency problem in computing the dPEKS, dTrapdoor and dTest algorithms. Consider the following scenario. We assume that the data sender uploads encrypted data to the cloud storage server with multiple keywords and authorizes multiple receivers for the uploaded data in the dPEKS algorithm. Moreover, we assume that many authorized receivers send download requests to the cloud server simultaneously in the dTrapdoor algorithm. As a result, the cloud server will take a long time in the dTest algorithm. The low efficiency problem in the computing algorithms is described by the following steps:

Step 1. In the dPEKS algorithm, we assume that the data sender uploads the encrypted data with $j$ keywords and authorizes $k$ receivers to download the encrypted data. The data sender needs $j$ calculations to compute $C_2$ and $k$ calculations to compute $C_3$.

Step 2. In the dTrapdoor algorithm, we assume that $n$ receivers use $m$ keywords to generate download requests to the cloud server simultaneously, where $m \le j$ and $n \le k$. Thus, it takes $(2 \times m \times n)$ calculations to generate $T_2$ and $T_4$ for all receivers.

Step 3. Because the values $C$ and $T_{w'}$ have been collected in Step 1 and Step 2, the cloud server can use them to compute $(v, u, Z)$. Therefore, the cloud server must perform $j$ calculations to derive $v$ and $(2 \times m \times n)$ calculations to derive $u$ and $Z$.

Step 4. In the dTest algorithm, the cloud server takes $j \times m \times n$ calculations to compute $v^{T_3} \cdot g^{H(T_1||T_2)}$ and $(2 \times m \times n)$ calculations to compute $u^{T_3} \cdot Z$.

The above steps show that Hsu et al.'s scheme requires enormous computation overhead to execute the dPEKS, dTrapdoor and dTest algorithms. In practice, it therefore exhibits low efficiency, and the scheme becomes infeasible in application because cloud participants must wait such a long time for the response in cloud storage services.

6 Conclusions

Supporting data privacy has become an important topic in the field of cloud storage services, and keyword search over encrypted data has received a great deal of attention in recent years. The cloud server provides storage space for data senders to upload encrypted data, and it performs specific algorithms to search for the encrypted data that data receivers want to query. In this paper, we showed that Hsu et al.'s simple keyword search scheme based on the ElGamal system is insecure, because a malicious cloud server may launch denial of service and off-line inside keyword guessing attacks in cloud storage services. Moreover, we have also found that their scheme has a low efficiency problem in its computing algorithms, because it is not practical for cloud participants to wait such a long time for the response in the keyword search processes of Hsu et al.'s scheme. In future work, we plan to propose an improvement on their scheme, and we also encourage readers to propose their own improvements to remedy the security and efficiency flaws of Hsu et al.'s scheme.

Acknowledgements. The authors would like to thank the anonymous reviewers for their valuable suggestions and comments. In addition, this research was partially supported by the National Science Council, Taiwan, R.O.C., under contract no.: NSC 102-3114-C-165-001-ES and NSC 102-2221-E-005-039.

References

1. Baek, J., Safavi-Naini, R., Susilo, W.: Public key encryption with keyword search revisited. In: Gervasi, O., Murgante, B., Laganà, A., Taniar, D., Mun, Y., Gavrilova, M.L. (eds.) ICCSA 2008, Part I. LNCS, vol. 5072, pp. 1249–1259. Springer, Heidelberg (2008)

2. Baliga, J., Ayre, R.W.A., Hinton, K., Tucker, R.S.: Green cloud computing: Balancing energy in processing, storage, and transport. Proc. of the IEEE 99, 149–167 (2011)

3. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004)

4. Byun, J.W., Rhee, H.S., Park, H.-A., Lee, D.H.: Off-line keyword guessing attacks on recent keyword search schemes over encrypted data. In: Jonker, W., Petković, M. (eds.) SDM 2006. LNCS, vol. 4165, pp. 75–83. Springer, Heidelberg (2006)

5. Cao, N., Yang, Z., Wang, C., Ren, K., Lou, W.: Privacy-preserving query over encrypted graph-structured data in cloud computing. In: IEEE International Conference on Distributed Computing Systems, pp. 393–402 (2011)

6. Cheng, Z.Y., Liu, Y., Chang, C.C., Chang, S.C.: A smart card based authentication scheme for remote user login and verification. International Journal of Innovative Computing, Information and Control 8(8), 5499–5511 (2012)

7. Hsu, S.T., Yang, C.C., Hwang, M.S.: A study of public key encryption with keyword search. International Journal of Network Security 15(2), 71–79 (2013)

8. Hsu, S.T., Hwang, M.S., Yang, C.C.: A study of keyword search over encrypted data in cloud storage service. Master Thesis of National Chung Hsing University, Department of Management Information System (2013)

9. Hu, C., Liu, P.: A secure searchable public key encryption scheme with a designated tester against keyword guessing attacks and its extension. In: Lin, S., Huang, X. (eds.) CSEE 2011, Part II. CCIS, vol. 215, pp. 131–136. Springer, Heidelberg (2011)

10. Iosup, A., Ostermann, S., Yigitbasi, M.N., Prodan, R., Fahringer, T., Epema, D.H.J.: Performance analysis of cloud computing services for many-tasks scientific computing. IEEE Transactions on Parallel and Distributed Systems 22(6), 931–945 (2011)

11. Lee, C.C., Chung, P.S., Hwang, M.S.: A survey on attribute-based encryption schemes of access control in cloud environments. International Journal of Network Security 15(4), 231–240 (2013)

12. Li, X., Qiu, W., Zheng, D., Chen, K., Li, J.: Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards. IEEE Transactions on Industrial Electronics 57(2), 793–800 (2010)

13. Rhee, H.S., Park, J.H., Susilo, W., Lee, D.H.: Improved searchable public key encryption with designated tester. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, Sydney, Australia, pp. 376–379 (2009)

14. Rhee, H.S., Park, J.H., Susilo, W., Kee, D.H.: Trapdoor security in a searchable public-key encryption scheme with a designated tester. The Journal of Systems and Software 83(5), 763–771 (2010)

15. Rajkumar, B., Yeo, C., Venugopal, S., Malpani, S.: Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems 25(6), 599–616 (2009)

16. Ranchal, R., Othmane, L.B., Kim, A., Kang, M., Linderman, M.: Protection of identity information in cloud computing without trusted third party. In: IEEE International Symposium on Reliable Distributed Systems, pp. 368–372 (2010)

17. Tserpes, K., Aisopos, F., Kyriazis, D., Varvarigou, T.: Service selection decision support in the Internet of services. In: Altmann, J., Rana, O.F. (eds.) GECON 2010. LNCS, vol. 6296, pp. 16–33. Springer, Heidelberg (2010)

18. Wang, Q., Wang, C., Ren, K., Lou, W., Li, J.: Enabling public auditability and data dynamics for storage security in cloud computing. IEEE Transactions on Parallel and Distributed Systems 22(5), 847–859 (2011)

19. Yoon, E.J., Kim, S.H., Yoo, K.Y.: A security enhanced remote user authentication scheme using smart cards. International Journal of Innovative Computing, Information and Control 8(5(B)), 3661–3675 (2012)

20. Yoon, E.J., Choi, S.B., Yoo, K.Y.: A secure and efficiency ID-based authenticated key agreement scheme based on elliptic curve cryptosystem for mobile devices. International Journal of Innovative Computing, Information and Control 8(4), 2637–2653 (2012)

21. Yoon, E.J., Yoo, K.Y.: Improving the Lee-Lee’s password based authenticated key agreement protocol. International Journal of Innovative Computing, Information and Control 8(8), 5657–5675 (2012)

22. Zhao, Y., Chen, X., Ma, H., Tang, Q., Zhu, H.: A new trapdoor-indistinguishable public key encryption with keyword search. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 3(1/2), 72–81 (2012)
