MIGRATING AND DETECTION OF EAVESDROPPERS IN ESTEEMED TRAFFIC IN CLOUD

Academic year: 2020


98 | P a g e Website: www.mjbas.com

Migrating and Detection of Eavesdroppers in Esteemed Traffic in Cloud

P. Anshar (1), J. Senthil (2) and Dr. T. Senthil kumar (3)

(1) M.E. Student, Shree Venkateshwara Hi-tech Engineering College, Gobi, Tamilnadu, India.
(2) Assistant Professor, Shree Venkateshwara Hi-tech Engineering College, Gobi, Tamilnadu, India.
(3) Professor & Head, Shree Venkateshwara Hi-tech Engineering College, Gobi, Tamilnadu, India.

Article Received: 30 January 2018 Article Accepted: 27 March 2018 Article Published: 10 June 2018

ABSTRACT

Cloud computing opens a new era in IT as it can provide various elastic and scalable IT services in a pay-as-you-go fashion, where its users can reduce the huge capital investments in their own IT infrastructure. In this philosophy, users of cloud storage services no longer physically maintain direct control over their data, which makes data security one of the major concerns of using the cloud. Existing research work already allows data integrity to be verified without possession of the actual data file. When the verification is done by a trusted third party, this verification process is also called data auditing, and this third party is called an auditor. However, such schemes in existence suffer from several common drawbacks. First, a necessary authorization/authentication process is missing between the auditor and the cloud service provider, i.e., anyone can challenge the cloud service provider for a proof of integrity of a certain file, which potentially puts the quality of the so-called 'auditing-as-a-service' at risk. Second, although some of the recent work based on BLS signatures can already support fully dynamic data updates over fixed-size data blocks, when efficient public auditing protocol with global and sampling blockless verification as well as batch auditing, where data dynamics are substantially more efficiently supported than is the case with the state of the art. Note that the novel dynamic structure in our protocol consists of a doubly linked info table and a location array only support updates with fixed-sized blocks as the basic unit, which we call coarse-grained updates. As a result, every small update will cause re-computation and updating of the authenticator for an entire file block, which in turn causes higher storage and communication overheads. In this paper, we provide a formal analysis for possible types of fine-grained data updates and propose a scheme that can fully support authorized auditing and fine-grained update requests. Based on our scheme, we also propose an enhancement that can dramatically reduce communication overheads for verifying small updates. Theoretical analysis and experimental results demonstrate that our scheme can offer not only enhanced security and flexibility, but also significantly lower overhead for big data applications with a large number of frequent small updates, such as applications in social media and business transactions.

1.1 INTRODUCTION

Cloud computing, or something being "in the cloud", is an expression used to describe a variety of different types of computing concepts that involve a large number of computers connected through a real-time communication network such as the internet. In science, cloud computing is a synonym for distributed computing over a network and means the ability to run a program on many connected computers at the same time. The phrase is also more commonly used to refer to network-based services which appear to be provided by real server hardware but are in fact served up by virtual hardware, simulated by software running on one or more real machines. Such virtual servers do not physically exist and can therefore be moved around and scaled up (or down) on the fly without affecting the end user, arguably rather like a cloud.

1.2 CLOUD COMPUTING SECURITY

As cloud computing achieves increased popularity, concerns are being voiced about the security issues introduced through adoption of this new model. The effectiveness and efficiency of traditional protection mechanisms are being reconsidered, as the characteristics of this innovative deployment model can differ widely from those of traditional architectures. An alternative perspective on the topic of cloud security is that this is but another, although quite broad, case of "applied security", and that the security principles that apply in shared multi-user mainframe security models apply to cloud security as well. The relative security of cloud computing services is a contentious issue that may be delaying its adoption. Physical control of private cloud equipment is more secure than having the equipment off site and under someone else's control. Physical control and the ability to visually inspect data links and access ports are required in order to ensure data links are not compromised. Issues barring the adoption of cloud computing are due in large part to the private and public sectors' unease surrounding the external management of security-based services. It is the very nature of cloud computing-based services, private or public, that promotes external management of provided services. This gives cloud computing service providers a strong incentive to prioritize building and maintaining strong management of secure services. Security issues have been categorized into sensitive data access, data segregation, privacy, bug exploitation, recovery, accountability, malicious insiders, management console security, account control, and multi-tenancy issues. Solutions to the various cloud security issues vary, from cryptography, particularly public key infrastructure (PKI), to the use of multiple cloud providers, standardization of APIs, and improving virtual machine support and legal support.

With its low-maintenance character, cloud computing provides an economical and efficient solution for sharing group resources among cloud users. Unfortunately, sharing data in a multi-owner manner while preserving data and identity privacy from an untrusted cloud is still a challenging issue, due to the frequent change of membership. Earlier work proposed a secure multi-owner data sharing scheme, named Mona, for dynamic groups in the cloud. By leveraging group signature and dynamic broadcast encryption techniques, any cloud user can anonymously share data with others. Meanwhile, the storage overhead and encryption computation cost of this scheme are independent of the number of revoked users. In addition, that work analyzed the security of the scheme with rigorous proofs and demonstrated its efficiency in experiments.

1.3 VIRTUALIZATION TECHNOLOGY

Cloud computing has started taking shape by incorporating virtualization, on-demand deployment and internet delivery of services. Server virtualization is the spark that is now driving the transformation of the IT infrastructure from the traditional server-centric computing architecture to a network-centric one. The characteristics of virtualization are as follows:

- Capacity utilization of servers can be increased.
- Power consumption can be dramatically reduced.
- A variety of workloads can be hosted:
  - batch-style back-end jobs;
  - interactive user-facing applications.
- Workloads can be deployed and scaled out quickly through the rapid provisioning of virtual machines or physical machines.
- Redundant, self-recovering, highly scalable programming models are supported that allow workloads to recover from many unavoidable hardware/software failures.

When cloud computing is to be an efficient and effective replacement for in-house data centres, high-bandwidth communication links must be available to connect to the cloud services. High-bandwidth network communication provides access to a large pool of IT resources. On-demand self-service enables users to use cloud computing resources as needed without human interaction between the user and the provider. A consumer can schedule the use of cloud services such as computation and storage as needed, in addition to managing and deploying these services.

2. LITERATURE REVIEW

2.1 DupLESS: Server-Aided Encryption for Deduplicated Storage

Cloud storage service providers such as Google Drive, Dropbox, Mozy, and others perform data deduplication to save space by storing only one copy of each piece of data uploaded. If users conventionally encrypt their data, these savings are lost. Message-locked encryption (the most prominent manifestation of which is convergent encryption) resolves this tension, but it is inherently subject to brute-force attacks that can recover data falling into a known set. This work proposed an architecture that provides secure deduplicated storage resisting brute-force attacks, and realized it in a system called DupLESS. In DupLESS, users encrypt under message-based keys obtained from a key server via an oblivious PRF protocol. It enables users to store encrypted data with an existing service, have the service perform deduplication on their behalf, and yet achieve strong confidentiality guarantees.

2.2 Proofs of Ownership in Remote Storage Systems

Cloud storage systems are becoming increasingly accepted. A promising technology that keeps their cost down is data deduplication, which stores only a single copy of repeating data. Client-side deduplication attempts to identify deduplication opportunities already at the client and save the bandwidth of uploading copies of existing files to the server. This work identified attacks that exploit client-side deduplication, allowing an attacker to gain access to arbitrary-size files of other users based on a very small hash signature of those files. More specifically, an attacker who knows the hash signature of a file can convince the storage service that it owns that file, hence the server lets the attacker download the entire file. (In parallel to this work, a subset of these attacks were introduced in the wild with respect to the Dropbox data synchronization service.)

This work put forward the notion of proof-of-ownership, by which a user can prove to a server that it has a copy of a file without actually sending the file. This can be used to counter attacks on file-level deduplication systems where the attacker obtains a "short summary" of the file and uses it to fool the server into thinking that the attacker owns the entire file. It gave three definitions for security in this setting and three matching protocols, the last of which is very practical. This streaming protocol allows the designer of the approach to set a threshold for how "short" a summary of a file can be (e.g., 64 MBytes in this implementation). This seems suitable for the attack scenarios of common hash functions, malicious software, or unintentional leakage that were explained in the introduction. It remarks that the new attacks it considers, and the solution to them, are more relevant for file-level deduplication than for block-level deduplication. (Indeed, if an intruder can learn a hash value for each 8 KByte
server.) Note, however, that the attack remains relevant (and the solution useful) when a service uses both file- and block-level deduplication, as is likely to be the case in practical systems.

2.3 ClouDedup: Secure Deduplication with Encrypted Data for Cloud Storage

With the constant and exponential rise of the number of users and the size of their data, deduplication becomes more and more a requirement for cloud storage providers. By storing a unique copy of duplicate data, cloud providers greatly reduce their storage and data transfer costs. The advantages of deduplication unfortunately come with a high price in terms of new security and privacy challenges.

3. PROPOSED METHOD

In this project, aiming at efficiently solving the problem, our construction roadmap uses two different encryption technologies: one is identity-based encryption (IBE) and the other is traditional public key encryption (PKE). We first allow a user to generate a first-level ciphertext under a receiver's identity. The first-level ciphertext will be further transformed into a second-level ciphertext corresponding to a security device. The resulting ciphertext can be decrypted by a valid receiver with both the secret key and the security device. Here, one might suspect that our construction is a trivial and straightforward combination of two different encryptions. This is not the case, because we need to further support security device revocability, and a trivial combination of IBE and PKE cannot achieve that goal. To support revocability, we employ re-encryption technology such that the part of the ciphertext for an old security device can be updated for a new device if the old device is revoked.

Meanwhile, we need to generate a special key for the above ciphertext conversion. We also guarantee that the cloud server cannot gain any knowledge of the message by accessing the special key, the old ciphertext and the updated ciphertext. We further use a hash-signature method to "sign" the ciphertext such that once any component of the ciphertext is tampered with by an adversary, the cloud and the ciphertext receiver can tell. From the above presentation, we can see that our two-factor protection system with security device revocability cannot be obtained by trivially combining an IBE with a PKE.

Setup phase: the setup phase generates all public parameters and the master secret key used throughout the execution of the system. The public parameters are shared with all parties participating in the system (including data

Key and device issuance phase: a SDI and a PKG will respectively generate a security device and a secret key for a registered user IDi over a secure channel, such that the user can combine the security device with the secret key to recover a message from its encrypted form.

First-level ciphertext generation phase: a data sender encrypts a data item under the identity of a data receiver, and further sends the encrypted data to the cloud server. Knowing the public parameters param, a data item and a receiver's identity IDi, the data sender encrypts the data to a first-level encryption

Second-level ciphertext phase: after receiving the first-level ciphertext of a data item from the data sender, the cloud server generates the second-level ciphertext. Knowing the public parameters param, a first-level encryption for the user, and the information (IDi, tpki) stored in List, the cloud server encrypts

4. TWO-FACTOR DATA SECURITY

Double encryption: a security device (with an additional public key or serial number) is still required, and the encryption process is executed twice. First, encrypt the plaintext under the public key or identity of the user. Then encrypt it again under the public key or serial number of the security device. For the decryption stage, the security device first decrypts once. The partially decrypted ciphertext is then passed to the computer, which uses the user secret key to decrypt it further. Without either part (user secret key or security device) one cannot decrypt the ciphertext.

It seems that this naive approach can achieve our goal. However, there exist many practical issues that it cannot solve. For example, if the user has lost his or her security device, then the corresponding ciphertext in the cloud can never be decrypted again! That is, the approach cannot support security device update/revocability.

The sender also needs to know the serial number / public key of the security device, in addition to the user's identity / public key. That makes the encryption process more complicated. In the case of identity-based encryption, the concept of "identity-based" is totally lost, as the sender needs to know not only the identity but another serial number as well!

Splitting the secret key into two parts: another naive approach is to simply split the secret key into two parts. The first part is stored in the computer while the second part is embedded into a security device. Similar to the above approach, without either part one cannot decrypt the ciphertext.

Again it seems that this approach can achieve our goal. However, note that the security of a normal encryption scheme cannot be guaranteed if part of the secret key has been exposed. Security is only guaranteed if the whole secret key has not been exposed to the adversary. In other words, if we simply split the secret key into two parts, an adversary with either part may have a non-negligible chance to decrypt (or at least to learn some information about

REGISTRATION AND AUTHENTICATION MECHANISM

In a conventional password authentication scheme, the server has the ability to allow or deny any remote user based on username and password. The weakness of a password authentication system is that it can be broken and is very vulnerable to attack. Passwords have suffered from attacks such as dictionary or brute-force attacks. In the registration mechanism, new users are not asked to submit any documents to open an account. They can submit an on-line registration form which includes user information along with an email-id, just as we do when opening an email account. The user information is then stored in the cloud, where the password is stored in hashed form so that any attack on the stored password would be ineffective. After registration, the client has to authenticate with the CSP at the time of using the service.

Authentication factor 1

In this step the client has to provide the username and password which the client entered at the time of registration.

Authentication factor 2

In this step the CSP sends an OTP to the client's registered email-id. Only after both authentication levels are cleared is the client allowed to access the cloud service.
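The registration, factor-1 and factor-2 steps described above, as an added Python example that is not code from the paper: the in-memory USERS, PENDING_OTP and OUTBOX stores stand in for the CSP's database and its email delivery, and the PBKDF2 iteration count, OTP lifetime and guess limit are assumed values.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed stand-ins for the CSP's user store and its outgoing mail; a real
# deployment would use a database and an email gateway.
USERS = {}          # username -> {"email", "salt", "hash"}; password never stored
PENDING_OTP = {}    # username -> {"otp", "expires", "attempts"} awaiting factor 2
OUTBOX = []         # (email, otp) pairs the CSP "sent" to the registered email-id

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to the server's budget
OTP_TTL_SECONDS = 300         # assumed OTP lifetime
OTP_MAX_ATTEMPTS = 3          # assumed guess limit for the six-digit code


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def register(username: str, email: str, password: str) -> bool:
    """On-line registration form: keep the user info, but store the password only
    as a salted PBKDF2 hash so a copy of the store does not reveal passwords."""
    if username in USERS:
        return False
    salt = os.urandom(16)
    USERS[username] = {"email": email, "salt": salt,
                       "hash": _hash_password(password, salt)}
    return True


def factor1_login(username: str, password: str,
                  now: Optional[float] = None) -> bool:
    """Factor 1: username/password check. On success the CSP issues a short-lived
    OTP to the registered email-id; the client is not granted access yet."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a bad password.
        _hash_password(password, b"\x00" * 16)
        return False
    if not hmac.compare_digest(_hash_password(password, record["salt"]),
                               record["hash"]):
        return False
    issued_at = now if now is not None else time.time()
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    PENDING_OTP[username] = {"otp": otp, "expires": issued_at + OTP_TTL_SECONDS,
                             "attempts": 0}
    OUTBOX.append((record["email"], otp))
    return True


def factor2_verify(username: str, submitted: str,
                   now: Optional[float] = None) -> bool:
    """Factor 2: the OTP must match, be unexpired and be used once; too many wrong
    guesses void it, so the six-digit code cannot simply be enumerated."""
    pending = PENDING_OTP.get(username)
    if pending is None:
        return False
    current = now if now is not None else time.time()
    if current > pending["expires"]:
        del PENDING_OTP[username]
        return False
    pending["attempts"] += 1
    if pending["attempts"] > OTP_MAX_ATTEMPTS:
        del PENDING_OTP[username]
        return False
    if not hmac.compare_digest(pending["otp"].encode(), submitted.encode()):
        return False
    del PENDING_OTP[username]   # one-time: replaying the same OTP is rejected
    return True
```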

SCHEME NO.1: STORING AND ACCESSING OWN DATA

Once the user is authenticated to the cloud server, the user can access the file storage and can upload any type of document to the cloud storage. Here the file is first encrypted before uploading and decrypted at the time of downloading. Alternatively, the user can simply store the file in its original format in a common folder which he or she wants to share with other authenticated users directly, without worrying about a key sharing mechanism.

Uploading encrypted file

If the user is authenticated, the cloud server will load the Emodule at the client's end to perform the encryption operation. Here the client uploads the encrypted file to a private folder on the cloud server using a symmetric key encryption technique. At the time of downloading the encrypted file the user will be asked to provide the decryption key; only if the key is valid will the file be downloaded at the client's end. This encryption and decryption of data is done at the client side using a symmetric key, so it is not possible for the CSP to gain access to the key; even though the data is stored in encrypted format and the algorithm used to encrypt it is available to the cloud, it is difficult to decrypt it. The user is assured about the security of data stored in the cloud. This ensures the data privacy of the private compartment.

Uploading plaintext file

At the time of uploading a plain text file the user need not worry about encryption. Here the cloud will load the Emodule at the client's end upon request and then the user can select the file to upload. The user can store the file in either the common folder or the private folder. At the time of downloading the file the user can simply request the file without worrying about decryption

DATA SHARING BETWEEN CLOUD USERS

In this scheme a cloud user can share a file which is stored in the private folder with another authenticated cloud user. First, the first cloud user requests the file from the second cloud user using any available communication medium. Then the first user creates a sharing key and stores it in a folder created on the cloud. The second user then fetches the sharing key, encrypts the file's encryption key with the sharing key, and sends the requested encrypted file together with the encrypted encryption key to the first user. On receiving the encrypted file and the encrypted encryption key, the first user decrypts the encryption key with his or her own private key, obtaining the encryption key, which can then be used to decrypt the encrypted file.

ADVANTAGES

i. Our system is designed to solve the differential privilege problem in secure deduplication.
ii. In our system, the S-CSP is honest but curious and will honestly perform the duplicate check upon receiving the duplicate request from users.
iii. In our system a higher level of confidentiality is defined and achieved.
iv. Our authorized duplicate check scheme incurs minimal overhead compared

5. RESULTS AND DISCUSSION

Implementation is the stage in the report where the theoretical design is turned into the working system. The most crucial stage is giving the users confidence that the new system will work effectively and efficiently. The performance and reliability of the system were tested and it gained acceptance.

The whole system falls into two subsystems under dynamic data sharing; the two are evaluated individually

authentication, accuracy, storage and response between our system and the existing system. We presented the design and implementation of an automated dynamic authentication management system that achieves a good balance between user authentication and deduplication efficiency.

We discussed the key issues for the proposed system implementation, including private cloud support (registration and authentication), dynamic multi-public-cloud management and optimization of data sharing with deduplication models. Evaluations were performed on a prototype system. We achieved some more features, which are described in terms of performance as follows.

Modularity and extensibility: modularity and extensibility are closely related to each other. In achieving tight cohesion as well as loose coupling, the roles embedded in our system have independent functions and can be integrated into most cloud computing environments as an independent subsystem. Besides, information generated or passed is designed in file format in order to support new resource types and interact with other components. Under these features our proposed work exhibited more security and better utilization.

Transparency: cloud users do not need to traverse all the nodes or have cloud expertise to get information. We designed a uniform and friendly interface component for accessing the authenticated and shared information. Thus client query response time is reduced when the existing system is compared with our proposed system.

6. CONCLUSION

In this work, the examination is based on the notion of authorized data deduplication, which was proposed to protect data security by including differential privileges of users, and a novel two-factor data security protection mechanism for

receiver only, while the receiver is required to use both his/her secret key and a security device to gain access to the data. Our solution not only enhances the confidentiality of the data, but also offers revocability of the device, so that once the device is revoked the corresponding ciphertext will be updated automatically by the cloud server without any notice to the data owner. As a proof of concept, we showed that our proposed secure system reduces bandwidth and storage requirements and also reduces response time.

REFERENCES

[1] OpenSSL Project, (1998). [Online]. Available: http://www.openssl.org/
[2] P. Anderson and L. Zhang, "Fast and secure laptop backups with encrypted de-duplication," in Proc. 24th Int. Conf. Large Installation Syst. Admin., 2010, pp. 29–40.
[3] M. Bellare, S. Keelveedhi, and T. Ristenpart, "DupLESS: Server-aided encryption for deduplicated storage," in Proc. 22nd USENIX Conf. Sec. Symp., 2013, pp. 179–194.
[4] M. Bellare, S. Keelveedhi, and T. Ristenpart, "Message-locked encryption and secure deduplication," in Proc. 32nd Annu. Int. Conf. Theory Appl. Cryptographic Techn., 2013, pp. 296–312.
[5] M. Bellare, C. Namprempre, and G. Neven, "Security proofs for identity-based identification and signature schemes," J. Cryptol., vol. 22, no. 1, pp. 1–61, 2009.
[6] M. Bellare and A. Palacio, "GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attacks," in Proc. 22nd Annu. Int. Cryptol. Conf. Adv. Cryptol., 2002, pp. 162–177.
[7] S. Bugiel, S. Nurnberger, A. Sadeghi, and T. Schneider, "Twin clouds: An architecture for secure cloud computing," in Proc. Workshop Cryptography Security Clouds, 2011, pp. 32–44.
[8] J. R. Douceur, A. Adya, W. J. Bolosky, D. Simon, and M. Theimer, "Reclaiming space from duplicate files in a serverless distributed file system," in Proc. Int. Conf. Distrib. Comput. Syst., 2002, pp. 617–624.
[9] D. Ferraiolo and R. Kuhn, "Role-based access controls," in Proc. 15th NIST-NCSC Nat. Comput. Security Conf., 1992, pp. 554–563.
