a secure client access to encrypted cloud databases

7/24/2019 A Secure Client Access to Encrypted Cloud Databases

1/26

A SEMINAR-III REPORT ON

A Secure Client Access to Encrypted Cloud Databases

SUBMITTED TO THE SAVITRIBAI PHULE PUNE

UNIVERSITY, PUNE IN PARTIAL FULFILLMENT OF THE REQUIREMENTS

FOR THE AWARD OF THE DEGREE

MASTER OF ENGINEERING (Computer Engineering)

BY

Dattatray B. Pawar Exam No:

Under the guidance of

Prof. V. S. Gaikwad

Department of Computer Engineering

JSPM Narhe Technical Campus, Narhe, Pune

Rajarshi Shahu School of Engineering and Research

Academic Year 2014-15

SAVITRIBAI PHULE PUNE UNIVERSITY, PUNE


2/26

JSPM NARHE TECHNICAL CAMPUS

Rajarshi Shahu School of Engineering and Research

Narhe Tal.Haweli Dist.Pune-41

DEPARTMENT OF COMPUTER ENGINEERING

CERTIFICATE

This is to certify that the seminar report entitled

A Secure Client Access to Encrypted Cloud Databases

Submitted by

DATTATRAY B. PAWAR Exam Seat No:

is a bonafide work carried out by him under the supervision of Prof. V. S. Gaikwad and

it is approved for the partial fulfillment of the requirement of Savitribai Phule University,

Pune. for the award of the degree of Master of Engineering (Computer Engineering)

Prof. V. S. Gaikwad

Internal Guide External Examinar

Dr. Sulochana Sonkamble Dr. D.M. Yadav

HOD Director

Place:

Date:


3/26

ACKNOWLEDGEMENT

I hereby take this opportunity to express my heartfelt gratitude towards the people

whose help was very useful to complete my seminar work on the topic of A Secure

Client Access to Encrypted Cloud Databases . It is my privilege to express sin-

cerest regards to my Dissertation Guide Prof. V. S. Gaikwadfor his valuable inputs,

valuable guidance, encouragement, whole-hearted cooperation and constructive criticism

throughout the duration of my dissertation work.

I deeply express my sincere thank to our HOD Dr. Mrs. S. B. Sonkamblefor

encouraging and allowing us to present the dissertation at our department premises for

the partial fulfilment of the requirements leading to the award of M.E. degree.

I am also thankful to our Director Dr. D. M. Yadav and the management. I

would also like to thank all the faculties who have cleared all the major concepts that

were involved in the understanding of the techniques behind my dissertation report. The

Dissertation Report is based on research work in Distributed ,concurrent and indepen-dent access to encrypted cloud databases . I am very much thankful to Author for such

a precious work.

DATTATRAY B. PAWARM.E.(Computer Engineering)

i


4/26

List of Tables

ii


5/26

List of Figures

iii


6/26

ABBREVIATIONS

CSP : Cloud Service Provider

SLA : Service Level Agreement

CSA : Cloud Security Alliance

SaaS : Software as a Service

Iaas : Infrastructure as a service

Paas : Platform as a Service

DBaaS : Database as a Service

DBA : Database Administrator

iv


7/26

ABSTRACT

Data security and confidentiality are crucial factors while considering cloud databases.

Data originality and reliability imposes extra attention towards cloud databases and its

service provisioning. Putting critical data in the hands of a cloud provider should come

with the guarantee of security and availability for data at rest, in motion, and in use.

Several alternatives exist for storage services, while data confidentiality solutions for the

database as a service paradigm are still immature. The efficacy of the proposed architec-ture is evaluated through theoretical analyses and extensive experimental results based

on a prototype implementation subject to the TPC-C standard benchmark for different

numbers of clients and network latencies.

This is the first solution supporting geographically distributed clients to connect di-

rectly to an encrypted cloud database, and to execute concurrent. We propose a novel

architecture that integrates cloud database services with data confidentiality and the

possibility of executing concurrent operations on encrypted data cannot apply fully ho-

momorphic encryption schemes because of their excessive computational complexity.

Keywords:Cloud security, encryption, confidentiality, SecureDBaaS, database.

v


8/26

Contents

1 Introduction 2

1.1 Dissertation prerequisite . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.1.1 Cloud service models . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.1.2 Cloud Deployment Models . . . . . . . . . . . . . . . . . . . . . . 4

1.1.3 Cloud Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . 5

1.2 Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2 Problem statement 7

3 Motivation 8

4 Literature Survey 9

5 Methodology 11

5.1 Design of framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

5.1.1 Cloud Database server . . . . . . . . . . . . . . . . . . . . . . . . 11

5.1.2 Communication mechanism . . . . . . . . . . . . . . . . . . . . . 11

5.2 Algorithms of Existing System. . . . . . . . . . . . . . . . . . . . . . . . 12

6 Existing System With Mathematical Model 13

7 Proposed System With Mathematical model 14

8 Implementation 15

9 Data Table and Discussion 16

10 Conclusion 17

1


9/26

Chapter 1

INTRODUCTION

In a cloud context, where critical information is placed in infrastructures of untrusted

third parties, ensuring data confidentiality is of paramount importance [1], [2]. This re-

quirement imposes clear data management choices: original plain data must be accessible

only by trusted parties that do not include cloud providers, intermediaries, and Internet;

in any untrusted context, data must be encrypted. Satisfying these goals has different

levels of complexity depending on the type of cloud service. There are several solutions

ensuring confidentiality for the storage as a service paradigm (e.g., [3], [4], [5]), while

guaranteeing confidentiality in the database as a service (DBaaS) paradigm [6] is still an

open research area. In this context, we propose SecureDBaaS as the first solution that

allows cloud tenants to take full advantage of DBaaS qualities, such as availability, re-

liability, and elastic scalability, without exposing unencrypted data to the cloud provider.

The architecture design was motivated by a threefold goal: to allow multiple,

independent, and geographically distributed clients to execute concurrent operations on

encrypted data, including SQL statements that modify the database structure; to pre-

serve data confidentiality and consistency at the client and cloud level; to eliminate any

intermediate server between the cloud client and the cloud provider. The possibility

of combining availability, elasticity, and scalability of a typical cloud DBaaS with data

confidentiality is demonstrated through a prototype of SecureDBaaS that supports the

execution of concurrent and independent operations to the remote encrypted database

from many geographically distributed clients as in any unencrypted DBaaS setup. To

achieve these goals, SecureDBaaS integrates existing cryptographic schemes, isolation

mechanisms, and novel strategies for management of encrypted metadata on the un-

trusted cloud database. This paper contains a theoretical discussion about solutions for

data consistency issues due to concurrent and independent client accesses to encrypted

data.

In this context, we cannot apply fully homomorphic encryption schemes [7] be-

cause of their excessive computational complexity. The SecureDBaaS architecture is tai-

lored to cloud platforms and does not introduce any intermediary proxy or broker server

between the client and the cloud provider. Eliminating any trusted intermediate server

allows SecureDBaaS to achieve the same availability, reliability, and elasticity levels of

2


10/26

a cloud DBaaS. Other proposals (e.g., [6], [7], [8]) based on intermediate server(s) were

considered impracticable for a cloud-based solution because any proxy represents a single

point of failure and a system bottleneck that limits the main benefits (e.g., scalability,

availability, and elasticity) of a database service deployed on a cloud platform. Unlike

SecureDBaaS, architectures relying on a trusted intermediate proxy do not support themost typical cloud scenario where geographically dispersed clients can concurrently issue

read/write operations and data structure modifications to a cloud database. A large set

of experiments based on real cloud platforms demonstrate that SecureDBaaS is immedi-

ately applicable to any DBMS because it requires no modification to the cloud database

services.

Other studies where the proposed architecture is subject to the TPC-C standard

benchmark for different numbers of clients and network latencies show that the perfor-

mance of concurrent read and write operations not modifying the SecureDBaaS databasestructure is comparable to that of unencrypted cloud database. Workloads including

modifications to the database structure are also supported by SecureDBaaS, but at the

price of overheads that seem acceptable to achieve the desired level of data confidential-

ity. The motivation of these results is that network latencies, which are typical of cloud

scenarios, tend to mask the performance costs of data encryption on response time. The

overall conclusions of this paper are important because for the first time they demon-

strate the applicability of encryption to cloud database services in terms of feasibility and

performance.

1.1 Dissertation prerequisite

1.1.1 Cloud service models

Cloud service models achieved a major space in cloud computing area. The ser-

vice model helps to dictates an organizations scope and control with its computational

resources, and characterizes a level service for its use.

SaaS

Software as a Service is a service delivery model providing applications and computa-

tional resources for use on demand by the service user. Purpose of this model is to reduce

the total development cost, including maintenance, and operations. Security is responsi-

bility of cloud provider. The cloud consumer isnt involved in control and management of

cloud infrastructure or personal applications, except for priority selections and very less

administrative application settings.[3]


11/26

Paas

Platform as a Service is a service delivery model that provides the computing platform

and applications can be developed and deployed on it. Motivation behind this model is

to minimize cost, complexity of purchasing, hosting, and managing platform, including

programs and databases. The development culture is typically provided by cloud provider

and supplemented to the design and architecture of its platform[3].

IaaS

Infrastructure as a Service is a service delivery model services basic computing infras-

tructure including servers, software, and network equipment provided on-demand service.

Platform for developing and executing applications can be established on it. Main motto

is to avoid purchasing, and management of software and infrastructure components, and

instead get such resources as virtualized objects controllable via a service interface. Thecloud user has great freedom for the choice of operating system and development envi-

ronment to be used. Security is sole responsibility of cloud consumer.[3]

DBaaS

Database as a Service (DBaaS) potentially will be the next big era in IT. It is a

service that is hosted by a cloud operator (public or private) and includes applications,

where the application team doesnt have any responsibility for old database administra-

tion. With a DBaaS, the application developers need not to be expertise in database,

and there is no need to hire a database administrator (DBA) to operate and maintain

the database.[6] The recent market analysis from 451 research projects shows stunning

86 percent. progressive annul growth rate, with revenues from DBaaS providers rising

from 150 million dollar in 2012 to 1.8 billion dollar by 2016.[1] DBaaS is gaining popu-

larity because it eases businesses to setup new databases quickly with high security and

at very minimal cost . Database as a Service (DBaaS) offers organizations speed up

deployment, elasticity, fair consolidation efficiency, higher availability, and minimal cost

and complexity.[2],[4] Following facts shows why DBaaS will hit the upcoming IT market.

1.DBaaS reduces database straggle.2.Supports ease provision.

3.Enhance high Security and minimal complexity

1.1.2 Cloud Deployment Models

Four deployment models are present for cloud service solutions:

Private cloud

Infrastructure provided for a private organization. It may be responsibility of orga-

nization to manage it or third party can manage it. Existence of such cloud may be on


12/26

the premise or off the promise.

Community cloud

Many organizations share the infrastructure and support a distinct community that

has general concerns. Organization can manage it or third party can also operate it.

Existence of such cloud may be on the premise or off the promise [3].

Public cloud

This cloud infrastructure is available to public or a large industry group. An orga-

nization may own it to sale cloud services [3]. The growth in workload migration from

private cloud to public cloud has increased. The average workload in public cloud will

not have more difference than the private cloud.

Hybrid cloud

Cloud infrastructure is a combination of two clouds i.e. private, community, or

public, it doesnt change its properties, but tightened together by standard or proprietary

techniques, that enables communication of data and applications.

1.1.3 Cloud Security Issues

Data security is an important aspect where quality of service is considered as a

prime focus, Cloud Computing undoubtedly raise new security threats for various reasons.Traditional cryptosystems can not directly used because user does not have control over

data under Cloud Computing. Checksum for correct data storage in the cloud must be

done without knowledge of whole database or data.

Trust

In cloud trust rely on deployment model as it provides administration of data. Trust

is considered as mandatory security policy in old architectures. In public cloud whoever

is the owner of infrastructure they have the controls over it. While the public cloud iddeployed the infrastructure owner is supposed to take all assurance regarding the suitable

security policies so that the risk related to security are reduced. Security is considered

about trusting the process or implementations that are made by owner. Deployment mod-

els must differentiate among themselves as the private cloud infrastructure is controlled

by private organizations and it do not need any other security policies as organization

maintains same trust level.[10]

Threats

The CSA (Cloud Security Alliance) has discovered various cloud computing threatsduring last year. The report reflects the current issue among experts around the IT


13/26

business industry analysed by CSA, pointing on threats specifically related to shared

technology ,on demand service nature of cloud computing.

1.2 Objective

To provide security based architecture to cloud users.

To provide data confidentiality with minimal latency and improved throughput over cloud

network.

To maintain better trust relation between cloud user and cloud service provider.


14/26

Chapter 2

PROBLEM STATEMENT

The throughput for increasing numbers of concurrent clients in contexts character-

ized by modifications of the database structure are supported, but at the price of high

computational costs. Existing encryption techniques imposes high time complexity over

the cloud which causes performance degradation.

7


15/26

Chapter 3

MOTIVATION

To provide secure access to multiple users with high confidentiality.

To establish reliable and consistent connection between client and cloud database service

provider.

To provide security based architecture to cloud users.

To provide data confidentiality with minimal latency and improved throughput over cloud

network.

To maintain better trust relation between cloud user and cloud service provider.

8


16/26

Chapter 4

LITERATURE SURVEY

[1]Ariel J. Feldman, William P. Zeller, Michael J. Freedman, and Edward

W. Felten has published paper on Group Collaboration using Untrusted Cloud Re-

sources. They have implemented a system that provides a generic collaboration service

in which users can create a document, modify its access control list, edit it concurrently,

experience fully automated merging of updates, and even perform these operations while

disconnected. The system framework supports a broad range of collaborative applica-

tions. Data updates are encrypted before being sent to a cloud-hosted server. The server

assigns a total order to all operations and redistributes the ordered updates to clients. If

a malicious server drops or reorders updates, the system clients can detect the servers

misbehaviour, switch to a new server, restore a consistent state, and continue. The same

mechanism that allows system to merge correct concurrent operations also enables it to

transparently recover from attacks that fork clients views.

[2] Jinyuan Li, Maxwell Krohn, David Mazires, and Dennis Shasha has

published paper on Secure Untrusted Data Repository. They have mentioned net-

work file system designed to store data securely on untrusted servers. System lets clients

detect any attempts at unauthorized file modification by malicious server operators or

users. SUNDRs protocol achieves a property called fork consistency, which guarantees

that clients can detect any integrity or consistency failures as long as they see each others

file modifications. An implementation is described that performs comparably with NFS

(sometimes better and sometimes worse), while offering significantly stronger security.

[3] PRINCE MAHAJAN, SRINATH SETTY, SANGMIN LEE, ALLEN

CLEMENT,LORENZO ALVISI, MIKE DAHLIN, and MICHAEL WALFISH

has published paper on Cloud Storage with Minimal Trust. It supports many strategies

for coping with the failure of an SSP. In a single SSP deployment, clients are configured

such that each client stores a copy of the data that it authors. If the SSP fails, clients

can ensure availability by exchanging metadata with each other directly and by using the

data stored at the authoring clients. If the SSP later recovers, clients can continue using

the SSP (after sending the missed updates to the SSP servers).

9


17/26

[4]Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and

Hari Balakrishnanhas published paper on Protecting Confidentiality with Encrypted

Query Processing.Authors have given a system that explores an intermediate design

point to provide confidentiality for applications that use database management systems

(DBMSes). CryptDB leverages the typical structure of database-backed applications,consisting of a DBMS server and a separate application server, the latter runs the appli-

cation code and issues DBMS queries on behalf of one or more users. CryptDBs approach

is to execute queries over encrypted data, and the key insight that makes it practical is

that SQL uses a well-defined set of operators, each of which we are able to support effi-

ciently over encrypted data.

[5] Luca Ferretti, Michele Colajanni, and Mirco Marchetti has published

paper on Supporting Security and Consistency for Cloud Database.they proposed a

novel architecture that allows cloud customers to leverage untrusted DBaaS with theguarantee of data confidentiality. Unlike previous solutions, our architecture does not

rely on a trusted proxy, and allows multiple distributed clients to execute SQL queries

concurrently and independently on the same encrypted database. All the encryption and

decryption operations are carried out by a software module that is executed on each

client machine. Their design choice does not introduce any bottleneck and single point of

failure be-cause clients connect directly to the cloud database. Moreover, our architecture

guarantees the same availability, scalability and elasticity of the unencrypted DBaaS and

it is applicable to any commercial DBaaS because it does not require modifications to

the database.


18/26

Chapter 5

METHODOLOGY

5.1 Design of framework

This framework is the prime step towards achieving the goals of the cloud infrastructure.

In this section, the details of the proposed framework are highlighted and in the sections

below describe the components and their implementations.

Figure presents the architecture of the proposed framework. The service component

including the run-time server represents the application layer where services are deployed

using a Web Service container.

5.1.1 Cloud Database server

This section describes the database server component, which is located at the Cloud

infrastructure resource level. We first explain its design and later present the implemen-

tation details

5.1.2 Communication mechanism

The implemented communication model is a sort of queuing mechanism. It realizes aninter-process communication for passing messages within the cloud infrastructure and

between components of the cloud server framework, due to the fact that the components

can run on different machines at different locations. This queue makes the communica-

tion mechanism highly efficient and scalable.

11


19/26

5.2 Algorithms of Existing System

Algorithm 1

Input: Request for cloud database.

Output: Secure cloud database access to user.Begin

1. Tenant wants to store and process remotely.

2. Tenant sends request to CSP

3. Authenticates tenant

4. If(n=1)

5. Access to database

6. Else

7. Response with no access

8. CSP sends cloud decrypted data and metadata and encrypted tables.9. Tenant operates on remote data.

10. Metadata updated before tenant exit the system.

End


20/26

Chapter 6

EXISTING SYSTEM WITH MATHEMATICAL

MODEL

13


21/26

Chapter 7

PROPOSED SYSTEM WITH MATHEMATICAL

MODEL

14


22/26

Chapter 8

IMPLEMENTATION

15


23/26

Chapter 9

DATA TABLE AND DISCUSSION

16


24/26

Chapter 10

CONCLUSION

Proposed architecture guarantees the confidentiality of data stored in public cloud

databases. It yields better performance characteristics through minimal latency and im-

proved throughput. The proposed architecture does not require modifications to the

cloud database, and it can be immediately applicable to existing cloud DBaaS, such as

the PostgreSQL Plus, Cloud Database, Windows Azure, Amazon S3 and Xeround.

17


25/26

Bibliography

[1] Cheng-Kang Chu, Sherman S. M. Chow, Wen-Guey Tzeng, Jianying Zhou, and

Robert H. Deng Key-Aggregate Cryptosystem for Scalable Data Sharing in Cloud

Storage IEEE Transactions on Parallel and Distributed Systems. Volume: 25, Issue:

2. Year :2014

[2] S. G. Akl and P. D. Taylor, Cryptographic Solution to a Problem of Access Control

in a Hierarchy, ACM Transactions on Computer Systems (TOCS), vol. 1, no. 3, pp.

239248, 1983.

[3] G. C. Chick and S. E. Tavares, Flexible Access Control with Master Keys, in Pro-

ceedings of Advances in Cryptology CRYPTO 89, ser. LNCS, vol. 435. Springer,

1989, pp. 316322.

[4] W.-G. Tzeng, A Time-Bound Cryptographic Key Assignment Scheme for Access

Control in a Hierarchy, IEEE Transactions on Knowledge and Data Engineering

(TKDE), vol. 14, no. 1, pp. 182188, 2002.

[5] G. Ateniese, A. D. Santis, A. L. Ferrara, and B. Masucci, Provably-Secure Time-

Bound Hierarchical Key Assignment Schemes, J. Cryptology, vol. 25, no. 2, pp.

243270, 2012.

[6] R. S. Sandhu, Cryptographic Implementation of a Tree Hierarchy for Access Control,

Information Processing Letters, vol. 27, no. 2, pp. 9598, 1988.

[7] Y. Sun and K. J. R. Liu, Scalable Hierarchical Access Control in Secure Group Com-

munications, in Proceedings of the 23th IEEE International Conference on Computer

Communications (INFOCOM04). IEEE, 2004.

[8] Q. Zhang and Y. Wang, A Centralized Key Management Scheme for Hierarchi-

cal Access Control, in Proceedings of IEEE Global Telecommunications Conference

(GLOBECOM 04). IEEE, 2004, pp. 20672071

[9] G. 9. M. J. Atallah, M. Blanton, N. Fazio, and K. B. Frikken, Dynamic and Efficient

Key Management for Access Hierarchies, ACM Transactions on Information and

System Security (TISSEC), vol. 12,no. 3, 2009.

[10] 10. J. Benaloh, M. Chase, E. Horvitz, and K. Lauter, Patient Controlled Encryption:

Ensuring Privacy of Electronic Medical Records, in Proceedings of ACM Workshop

on Cloud Computing Security (CCSW 09). ACM, 2009, pp. 103114.

18


26/26

[11] 11. F. Guo, Y. Mu, and Z. Chen, Identity-Based Encryption: How to Decrypt Mul-

tiple Ciphertexts Using a Single Decryption Key, in Proceedings of Pairing-Based

Cryptography (Pairing 07), ser. LNCS, vol. 4575. Springer, 2007, pp. 392406.

[12] 12. V. Goyal, O. Pandey, A. Sahai, and B. Waters, Attribute-Based Encryption for

Fine-Grained Access Control of Encrypted data,in Proceedings of the 13th ACM

Conference on Computer and Communications Security (CCS 06). ACM, 2006, pp.

8998.

a secure client access to encrypted cloud databases

Documents