Abstract
The authors of (Bentajer, Hedabou et al. 2018) point out that confidentiality of secret data, in public cloud, is a significant issue. Cryptography provides a solution by which this issue can be solved. Based upon ID-based encryption, the CS-IBE builds up confidentiality by using the user identity (ID) as the encryption key. Before being outsourced, the files go through encryption by utilizing the identity key of the user (Bentajer, Hedabou et al. 2018). CS-IBE functions as an overlay system on top of solutions for cloud storage. A prototype has been tested by the authors who claim that the results have given an insight into confidentiality. Along with trade-off in performance, the process of key management has been simplified (Bentajer, Hedabou et al. 2018). The statistical result shows that the cost-time (overhead) of the suggested design is very less, especially when files, of a large size, are considered.
Introduction
Due to mobile devices, which have a storage restraint, Storage-as-a-Service is very beneficial but it gives birth to many security issues (Bentajer, Hedabou et al. 2018). The most significant one is confidentiality of the data and the cloud user has no facilities for monitoring it. To justify their approach, the authors discussed eight different approaches (based upon encryption) along with their achievements, for increasing the confidentiality in the cloud. One approach (Chow, Chu et al. 2012) is a scheme, which utilizes pairing-based cryptography, for storing group signature and data, in order to provide access control. Another approach, suggested by (Feng, Chen et al. 2011), makes use of group encryption to bring about confidentiality in storage of data on the cloud. This system focused on providing integrity along with an adeuqate degree of non-repudiation. It demonstrated itself as an effective system against many threats.
Then, the authors go on to propose their model, CS-IBE. It is based upon Identity-based Encryption (Boneh, Franklin 2001) through Pairing Based Cryptography (Chatterjee, Sarkar 2011) to bring about data confidentiality, even during malicious, illegal or accidental access. Along with enabling secure storage, it also promotes adaptable, extensible and secure management without an increasing key store.
Architectural Solution (CS-IBE)
Considering CS-IBE, at least, one policy “P” (ID of the owner) and other features like DateTime expiration, are associated with each file (Bentajer, Hedabou et al. 2018). By using the data key, made by the user by using AES-128 (CBC mode), the encryption of the file takes place. Then, the encryption of the data key is done by using the control key, made by IBE. No engineering changes are required by CS-IBE, to be implemented, on the cloud storage (Bentajer, Hedabou et al. 2018). The architecture of CS-IBE is depicted in Figure 1.
Figure 1: CS-IBE system (Architecture)
According to Figure 1, the parts of the suggested design are the Cloud User, Cloud Storage and the KM (Bentajer, Hedabou et al. 2018). The Cloud User generates the data key and carries out file encryption/decryption on the file and the data key. He or she also transfers the data to cloud storage. The KM produces the parameters for the entire system and gives the Master Public Key, mpk, to the cloud user, which is related to the user’s ID. Then, the corresponding private key, called dp, is made. Cloud Storage represents the service (to be used for storage) which is not trustworthy (Dropbox, in this case). Firstly, the cloud user gets the mpk for the operations, related to cryptography. The key can be stowed away for use in the future. For every file F, the user makes a symmetric key, K, for encrypting and producing the ciphertext, CF. After that, the data key is encrypted by IBE mechanism, CK.
During the uploading of the data by the user, the POST function is utilized. The inputs are the cloud user, P, the file, F, and mpk. Then, the data key, K, is generated. K carries out the encryption of F and produces the encrypted file, CF. Later, the Encrypt function of IBE takes the data key, K, the mpk and the ID and makes the IBE public key (Bentajer, Hedabou et al. 2018). Then, it carries out the encryption of the data key. As a result, it generates the encrypted data key, named CK. An HMAC is also generated to check the integrity of the data before it is uploaded.
For downloading of the data, the GET function is brought into use. First, the cloud user downloads the CK and CF. After authenticating himself/herself, the user requests the matching private key (Bentajer, Hedabou et al. 2018). After checking the ID of the cloud user, the KM makes sure that the policy or policies do need the private key. It computes and gives the key to the user. If the ID does not correspond, the user is told by the user that either there was a failure of authentication or the policy did not need a dP.
Evaluation of CS-IBE
By testing a prototype of CS-IBE, it was found out that if the size of the file is less, the time of the data transmission and cryptographic operations was equal to transmission of a plain file with an insignificant time overhead. In case of a large file, the time of the cryptographic operations and data transmission is still inconsiderable, as compared to plain file transmission (Bentajer, Hedabou et al. 2018). It does not increase more than 4 % of the whole operation. Overall, it was observed that when the size of the file increases, the overhead of the design becomes less and no considerable performance overhead is generated. The CS-IBE does not depend on a certificate authority, which results in a small computation overhead for the KM. Additionally, the confidentiality of the protected data is ensured. Even if an attacker gets access to the storage, he or she will be unable to extract the sensitive operation because it will be encrypted (Bentajer, Hedabou et al. 2018). In comparison to other designs, CS-IBE brings confidentiality for the data to be outsourced and makes it unreadable for other entities.
Conclusion
The authors of (Bentajer, Hedabou et al. 2018) have chosen IBE for developing their tool because it offers a lot of flexibility and security in the management of the secret keys of large distributed systems. Also, due to it, the user can get access to his or her encrypted data whenever he or she requires. They tested a prototype with Dropbox as the base to show its practicality. Keeping in mind that mobile devices will be more common in the future, which have less storage, the authors have stressed upon the secure development of cloud services.
References
BENTAJER, A., HEDABOU, M., ABOUELMEHDI, K. and ELFEZAZI, S., 2018. CS-IBE: a data confidentiality system in public cloud storage system. Procedia Computer Science, 141, pp. 559-564.
BONEH, D. and FRANKLIN, M., 2001Identity-based encryption from the Weil pairing, Annual international cryptology conference 2001, Springer, pp. 213-229.
CHATTERJEE, S. and SARKAR, P., 2011. Identity-based encryption. Springer Science & Business Media.
CHOW, S.S., CHU, C., HUANG, X., ZHOU, J. and DENG, R.H., 2012. Dynamic secure cloud storage with provenance. Cryptography and security: From theory to applications. Springer, pp. 442-464.
FENG, J., CHEN, Y. and SUMMERVILLE, D.H., 2011A fair multi-party non-repudiation scheme for storage clouds, 2011 International Conference on Collaboration Technologies and Systems (CTS) 2011, IEEE, pp. 457-465.