Cloud Computing Security by Using Mobile OTP and an Encryption Algorithm for Hospital Management
Suvendu Kuila, Shruthi Shridhar, Chandan Patel and N. Ch. S.N Iyengar
School of Computer Science and Engineering, VIT University, Vellore-632014, INDIA.
email: [email protected], [email protected] (Received on: November 5, 2016)
ABSTRACT
This is the era of cloud computing, and the technology is growing fast. Data can be stored in the cloud instead of on a computer's hard disk and accessed from anywhere over the Internet. The number of diseases is also increasing, so patients can obtain their reports and other important information about their illness through the cloud instead of travelling to the hospital to collect them, and avoid the rush at the counter. Cloud computing is therefore very helpful for hospital management. Since patients store confidential data in the cloud, its security has to be examined so that the information can be accessed only by an authorised person; clients also have to trust that the service provider stores their data correctly. In this paper our main aim is to secure the client's data. We use two methods: a one-time password (OTP) sent to the client's mobile phone while logging in, so that only the authorised holder of that phone can complete the login, and the Blowfish encryption algorithm to protect the information transferred from server to client. Blowfish was chosen because it is a flexible symmetric block cipher and is also the basis of the bcrypt password-hashing scheme; protecting passwords is itself a large part of security.
Keywords: Blowfish Algorithm, Mobile One Time Password, Cloud Computing, Security.
INTRODUCTION
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [1]. Cloud computing is growing rapidly, but security is the major concern. The main reason to use the cloud for hospital management is that people can access the reports for their illness from anywhere, at any time, over the Internet. Security is needed so that only the authorised person can read their own reports; nobody else should be able to read, or alter, another patient's report. So a login page is required, and every user must have their own credentials so that only the authorised person can reach their data.
While a user signs up for a new account they have to provide their mobile number. When they later want to access their data they log in, and during login a 4-digit PIN is sent as a one-time password (OTP) to the mobile number they provided. After login, information is exchanged between server and client using the Blowfish algorithm.
Fig 1: Cloud Computing
Cloud Architecture: Depending on the service delivered to the client, cloud computing can be divided into three service models [2]:
(a) Platform-as-a-Service (PaaS): The cloud provider delivers a managed platform (operating system, programming language runtime, database and the rest of the environment) on which clients deploy and run their own applications. The platform itself is managed by the provider [3].
(b) Software-as-a-Service (SaaS): The provider runs a complete application on its own servers and clients consume it over the network. Customers can use the application without buying any hardware.
(c) Infrastructure-as-a-Service (IaaS): The provider offers raw computing resources, such as virtual machines, storage and networks, on the same pay-as-you-go basis as PaaS and SaaS.
Fig 1: Cloud Computing Models. (Diagram: end users on a PC, notebook or mobile reach the database, remote server and remote desktop over the Internet. The three layers, in increasing complexity of model, are SaaS, used by end users to consume, e.g. Google Docs; PaaS, used by application developers to build, e.g. Force.com; and IaaS, used by network architects to host, e.g. Amazon Web Services.)
Cloud computing can also be divided into four deployment models [4]:
(a) Private Cloud: Used by a single large organisation. The cloud is restricted to that organisation; other organisations cannot share it.
(b) Public Cloud: Owned and operated by a provider and shared by many organisations and individuals over the public Internet.
(c) Hybrid Cloud: A combination of private and public clouds. In the sense used in this paper, an organisation buys capacity from a public cloud provider but allows access only to its own registered people.
(d) Community Cloud: Shared by several organisations with common requirements. E.g. Skillrack.com is a community cloud used by different organisations.
Fig 2: Cloud Deployment Model
Security Issues in Cloud Computing: The security issues we can face in cloud computing can be categorized into three types [5]:
Conventional security issues
Availability issues
Third party control-related issues
METHODOLOGY
Users can log in to access their data in cloud storage with a static password, but this method is not very secure: a static password is easily phished, guessed or reused. An OTP is more secure because each code can be used only once. While a user is logging in, a 4-digit PIN is sent to the mobile number the user provided. Note that a 4-digit code has only 10,000 possible values, so the server must keep it valid only briefly and limit the number of guesses. Some of the methods for implementing OTPs are [11]:
a) Time Synchronisation: The client token and the server have synchronised clocks, and each derives the OTP from the current time with a shared secret and an agreed algorithm; the server-side and client-side values must match. If the two clocks drift apart the values no longer agree, so in practice the server tolerates a small window of adjacent time steps. A generated OTP is valid for 60 seconds.
b) Event Synchronisation: The client and server share a secret and start from the same initial counter value. When the user wants to log in, the client token generates a one-time password from the current counter value and increments its counter. The server receives the OTP generated on the client side, generates its own from its counter and increments it in turn. If the two OTPs (client side and server side) match, the server authenticates the user to access his or her confidential information.
c) Asynchronous Challenge-Response: Each time the user wants to log in, the server sends the client a challenge that is different every time. The user enters the challenge into their own device, which applies a cryptographic function to the challenge together with other information (such as a PIN) to produce the password. This gives better security: an intruder cannot precompute a password that depends on a dynamically created challenge.
Blowfish Algorithm: Blowfish is a symmetric block cipher designed by Bruce Schneier in 1993. It is included in a large number of cipher suites and encryption products, including SplashID. Its designer placed it in the public domain, and no practical break of the full cipher is known; in its time it was among the fastest block ciphers, which made it a natural fit for a product like SplashID, and it runs on the processors found in mobile phones as well as notebook and desktop computers. Two caveats matter today. Its 64-bit block means that no more than about 2^32 blocks (32 GB) should be encrypted under one key in a chained mode, because birthday collisions then start to leak plaintext, and Schneier himself recommends newer designs such as Twofish or AES for new systems. The slow, key-dependent setup of its S-boxes is, however, exactly what the bcrypt password-hashing scheme builds on.
Blowfish has a 64-bit block size and a key length of anywhere from 32 bits to 448 bits. It is a 16-round Feistel cipher and uses large key-dependent S-boxes. It is similar in structure to CAST-128, which uses fixed S-boxes.
The left part of Fig 3 shows the action of Blowfish. Each line represents 32 bits. The algorithm keeps two subkey arrays: the 18-entry P-array and four 256-entry S-boxes. The S-boxes accept 8-bit input and produce 32-bit output. One entry of the P-array is used every round, and after the final round each half of the data block is XORed with one of the two remaining unused P-entries.
The right part of Fig 3 shows Blowfish's F-function. The function splits the 32-bit input into four eight-bit quarters and uses the quarters as input to the S-boxes. The outputs are added modulo 2^32 and XORed to produce the final 32-bit output.
Fig 3: The Diagram of Blowfish Encryption Algorithm
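To make the structure concrete, here is a complete Blowfish in Python, added as a worked example; it is not the paper's code and not a library the paper uses. It follows the description above: the P-array and S-boxes start as the hexadecimal digits of pi (which the example computes at run time rather than embedding 1042 constants), the key schedule XORs the key into the P-array and then replaces every table entry with successive encryptions of the zero block, and each round applies the F-function of Fig 3. It is checked against Schneier's published test vector (all-zero key and block give 4EF997456198DD78). It encrypts one 64-bit block at a time, so a mode of operation is still needed for messages, and a maintained library should be used in production; this is for reading the algorithm.

```python
"""Blowfish as described above: a 16-round Feistel network over 64-bit blocks, an
18-entry P-array and four 256-entry key-dependent S-boxes. The specification fixes the
initial table contents to the hexadecimal digits of pi; this example derives them at
run time rather than pasting 1042 constants."""

MASK32 = 0xFFFFFFFF


def pi_fraction_hex(n_digits: int) -> int:
    """Integer whose 4*n_digits bits are the first n_digits hex digits after "3." in pi.
    Uses Machin's formula pi = 16*atan(1/5) - 4*atan(1/239) in fixed-point big integers."""
    guard = 64                                   # spare low bits absorb truncation error
    scale = 1 << (4 * n_digits + guard)

    def atan_inv(x: int) -> int:                 # atan(1/x) * scale, alternating series
        total, term, k, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // k)
            term //= x * x
            k += 2
            sign = -sign
        return total

    pi_fixed = 16 * atan_inv(5) - 4 * atan_inv(239)
    return (pi_fixed & (scale - 1)) >> guard     # drop the integer part 3, then the guard bits


def initial_tables():
    """Fresh copies of the P-array (words 1-18 of pi) and S1..S4 (the following 4*256 words)."""
    n_words = 18 + 4 * 256
    digits = pi_fraction_hex(8 * n_words)
    words = [(digits >> (32 * (n_words - 1 - i))) & MASK32 for i in range(n_words)]
    return words[:18], [words[18 + 256 * b:18 + 256 * (b + 1)] for b in range(4)]


class Blowfish:
    def __init__(self, key: bytes):
        if not 4 <= len(key) <= 56:
            raise ValueError("Blowfish keys are 32 to 448 bits")
        self.P, self.S = initial_tables()
        # Key schedule, step 1: XOR the key, repeated cyclically, into the 18 P-entries.
        for i in range(18):
            word = 0
            for k in range(4):
                word = (word << 8) | key[(4 * i + k) % len(key)]
            self.P[i] ^= word
        # Step 2: replace every table entry, in order, with successive encryptions of an
        # all-zero block under the tables as they stand. This is what makes Blowfish's
        # key setup slow (521 block encryptions) and what bcrypt later builds on.
        left = right = 0
        for table in [self.P] + self.S:
            for i in range(0, len(table), 2):
                left, right = self._encrypt_words(left, right)
                table[i], table[i + 1] = left, right

    def _f(self, x: int) -> int:
        """Round function: split x into four bytes, look each up in its own S-box,
        combine as ((S1 + S2) ^ S3) + S4 modulo 2^32."""
        s = self.S
        h = (s[0][x >> 24] + s[1][(x >> 16) & 0xFF]) & MASK32
        return ((h ^ s[2][(x >> 8) & 0xFF]) + s[3][x & 0xFF]) & MASK32

    def _encrypt_words(self, left: int, right: int):
        for i in range(16):                       # one P-entry per round
            left ^= self.P[i]
            right ^= self._f(left)
            left, right = right, left
        left, right = right, left                 # undo the final swap
        return left ^ self.P[17], right ^ self.P[16]   # the two unused P-entries

    def _decrypt_words(self, left: int, right: int):
        for i in range(17, 1, -1):                # same network, P-entries in reverse order
            left ^= self.P[i]
            right ^= self._f(left)
            left, right = right, left
        left, right = right, left
        return left ^ self.P[0], right ^ self.P[1]

    def encrypt_block(self, block: bytes) -> bytes:
        """Encrypt exactly one 8-byte block; chain blocks with a mode of operation."""
        if len(block) != 8:
            raise ValueError("Blowfish block size is 64 bits")
        left, right = self._encrypt_words(int.from_bytes(block[:4], "big"),
                                          int.from_bytes(block[4:], "big"))
        return left.to_bytes(4, "big") + right.to_bytes(4, "big")

    def decrypt_block(self, block: bytes) -> bytes:
        if len(block) != 8:
            raise ValueError("Blowfish block size is 64 bits")
        left, right = self._decrypt_words(int.from_bytes(block[:4], "big"),
                                          int.from_bytes(block[4:], "big"))
        return left.to_bytes(4, "big") + right.to_bytes(4, "big")


if __name__ == "__main__":
    # Schneier's published test vector: all-zero key and block -> 4EF997456198DD78
    print(Blowfish(bytes(8)).encrypt_block(bytes(8)).hex().upper())
```

The key setup costs 521 full block encryptions, which is why rekeying per message is expensive and why deriving per-session keys once, then running a proper mode such as CBC or CTR over the 8-byte blocks, is the usual arrangement.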
RELATED WORK
In [6] they propose three different ways to secure data from unauthorised persons logging in and accessing the cloud. They use a static password method at login and also propose two-factor authentication with OTPs. They further give proposals for registering a new user so that data is accessed only by its authorised owner.
In [7] they propose OTP-based cloud access control to enhance security, using the AES encryption algorithm [8] to generate the OTP while a user logs in to access personal data. The security risk is reduced in this method: the Cain and Abel tool was used to try to crack the OTP generated at login, and it failed.
In [9] they explain mobile cloud computing, the benefits and characteristics of cloud computing and its deployment models. They then briefly discuss the security issues in mobile cloud computing and how to secure mobile devices from unauthorised access, including fingerprint authentication and its benefits when a user logs in to access personal data in cloud storage.
In [5] they discuss multi-factor authentication: one factor is something the user has to memorise, another is a physical token.
In [10] they present an authentication mechanism for mobile cloud computing that combines two factors: two-factor authentication and a dynamic token called a mobile OTP. They propose encryption with the REAL encryption algorithm, whose stated advantage is that no computation is required to decrypt the OTP code.
In [2] they discuss how neither the static password method nor two-factor authentication alone satisfies the requirements of security, performance and cost. They propose three techniques by which users can log in securely and access their confidential data, and evaluate their safety and speed. They conclude with mobile OTP authentication, a secure registration system, and the RC4 algorithm for data transmission between server and client (RC4 has since been prohibited in TLS by RFC 7465 because of known keystream biases).
In [4] they survey the security algorithms and authentication methods used in cloud computing environments: symmetric and asymmetric algorithms (DES, AES, Blowfish, RSA and Diffie-Hellman) and authentication methods (one-time password, digital signature and biometrics). The paper reports Blowfish as the fastest of the encryption algorithms compared.
PROPOSED METHOD
For hospital management a hybrid cloud, in the sense described above, can be used: the hospital buys cloud capacity from a cloud service and gives access only to people registered with the hospital's cloud, so customers of another organisation cannot reach it. A private cloud is also possible: the hospital owns its own cloud, accessible only to customers within the organisation.
Our proposed method follows these steps:
(a) The user first registers (if not already registered) in order to access their information from the hospital cloud.
(b) To log in, the user provides their username and password.
(c) After the password is verified, an OTP is sent to the user's mobile; it is different every time they log in.
(d) If the entered OTP matches the one generated by the server, the user can access their confidential information.
(e) Information is sent by the server using the Blowfish encryption algorithm.
The proposed method works in two phases:
(a) Registration Phase (b) Login Phase
(a) Registration Phase: If the user is not registered, they must first register to access information from the cloud by providing some details, including a valid mobile number, because the OTP will be sent to that number at every login.
(b) Login Phase: To log in the user enters their username and password. After the credentials are checked they enter the OTP sent by the server to their mobile number.
After the user is logged in, information is transferred from server to user using the Blowfish encryption algorithm. The login form is shown below:
User Name: ____
Password: ____
Enter Mobile OTP: ____
[Log In]
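An added example, not the paper's own implementation, of the server side of the login phase in Python: issuing the mobile OTP after the password check and verifying what the user types into the form above. The SMS gateway is a stand-in callback (`send_sms`, a name chosen here), the code is stored only as a hash, and it dies after 60 seconds, three wrong guesses, or one successful use, which is what a 4-digit code needs in order to resist online guessing. The clock is injectable so the expiry path can be exercised offline.

```python
"""Server-side life cycle of the login-phase OTP: issue a random code after the password
check, hand it to the SMS gateway, then verify it with a short lifetime, a small guess
budget and single use."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingOtp:
    digest: bytes        # SHA-256 of "username:code"; the clear code is never stored
    expires_at: float    # absolute time after which the code is dead
    attempts_left: int   # wrong guesses allowed before the code is thrown away


class OtpService:
    """Keeps one outstanding code per user. With the paper's 4 digits there are only 10,000
    possible codes, so the 60-second lifetime and the 3-guess budget together are what keep
    an online guess at roughly a 0.03% success chance per login."""

    def __init__(self, digits: int = 4, lifetime_s: int = 60, max_attempts: int = 3,
                 clock=time.time, send_sms=None):
        self.digits, self.lifetime_s, self.max_attempts = digits, lifetime_s, max_attempts
        self.clock = clock
        self.send_sms = send_sms or (lambda number, text: None)   # stand-in for the SMS gateway
        self.pending = {}                                          # username -> PendingOtp

    def _digest(self, username: str, code: str) -> bytes:
        return hashlib.sha256(f"{username}:{code}".encode()).digest()

    def issue(self, username: str, mobile_number: str) -> None:
        """Called only after username and password have been verified. A fresh code
        replaces any earlier outstanding one, so a stale code cannot be reused."""
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        self.pending[username] = PendingOtp(self._digest(username, code),
                                            self.clock() + self.lifetime_s, self.max_attempts)
        self.send_sms(mobile_number, f"Your hospital portal login code is {code}")

    def verify(self, username: str, submitted: str) -> bool:
        entry = self.pending.get(username)
        if entry is None:                         # nothing outstanding, or already used up
            return False
        if self.clock() > entry.expires_at:       # too old: burn it, user must request again
            del self.pending[username]
            return False
        if hmac.compare_digest(entry.digest, self._digest(username, submitted)):
            del self.pending[username]            # single use: burn it on success
            return True
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:              # guess budget exhausted: burn it too
            del self.pending[username]
        return False


if __name__ == "__main__":
    # Constructed demo: the gateway callback just prints the message it would send.
    svc = OtpService(send_sms=lambda number, text: print(f"SMS to {number}: {text}"))
    svc.issue("demo-user", "+91-0000000000")      # placeholder number, not a real one
```

Issuing only after the password check matters: if the OTP were sent on username alone, an attacker with a list of usernames could make the server flood patients' phones and could also use the OTP step to confirm which usernames exist.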