a secure client access to encrypted cloud databases
TRANSCRIPT
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
1/26
A SEMINAR-III REPORT ON
A Secure Client Access to Encrypted Cloud Databases
SUBMITTED TO THE SAVITRIBAI PHULE PUNE
UNIVERSITY, PUNE IN PARTIAL FULFILLMENT OF THE REQUIREMENTS
FOR THE AWARD OF THE DEGREE
MASTER OF ENGINEERING (Computer Engineering)
BY
Dattatray B. Pawar Exam No:
Under the guidance of
Prof. V. S. Gaikwad
Department of Computer Engineering
JSPM Narhe Technical Campus, Narhe, Pune
Rajarshi Shahu School of Engineering and Research
Academic Year 2014-15
SAVITRIBAI PHULE PUNE UNIVERSITY, PUNE
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
2/26
JSPM NARHE TECHNICAL CAMPUS
Rajarshi Shahu School of Engineering and Research
Narhe Tal.Haweli Dist.Pune-41
DEPARTMENT OF COMPUTER ENGINEERING
CERTIFICATE
This is to certify that the seminar report entitled
A Secure Client Access to Encrypted Cloud Databases
Submitted by
DATTATRAY B. PAWAR Exam Seat No:
is a bonafide work carried out by him under the supervision of Prof. V. S. Gaikwad and
it is approved for the partial fulfillment of the requirement of Savitribai Phule University,
Pune. for the award of the degree of Master of Engineering (Computer Engineering)
Prof. V. S. Gaikwad
Internal Guide External Examinar
Dr. Sulochana Sonkamble Dr. D.M. Yadav
HOD Director
Place:
Date:
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
3/26
ACKNOWLEDGEMENT
I hereby take this opportunity to express my heartfelt gratitude towards the people
whose help was very useful to complete my seminar work on the topic of A Secure
Client Access to Encrypted Cloud Databases . It is my privilege to express sin-
cerest regards to my Dissertation Guide Prof. V. S. Gaikwadfor his valuable inputs,
valuable guidance, encouragement, whole-hearted cooperation and constructive criticism
throughout the duration of my dissertation work.
I deeply express my sincere thank to our HOD Dr. Mrs. S. B. Sonkamblefor
encouraging and allowing us to present the dissertation at our department premises for
the partial fulfilment of the requirements leading to the award of M.E. degree.
I am also thankful to our Director Dr. D. M. Yadav and the management. I
would also like to thank all the faculties who have cleared all the major concepts that
were involved in the understanding of the techniques behind my dissertation report. The
Dissertation Report is based on research work in Distributed ,concurrent and indepen-dent access to encrypted cloud databases . I am very much thankful to Author for such
a precious work.
DATTATRAY B. PAWARM.E.(Computer Engineering)
i
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
4/26
List of Tables
ii
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
5/26
List of Figures
iii
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
6/26
ABBREVIATIONS
CSP : Cloud Service Provider
SLA : Service Level Agreement
CSA : Cloud Security Alliance
SaaS : Software as a Service
Iaas : Infrastructure as a service
Paas : Platform as a Service
DBaaS : Database as a Service
DBA : Database Administrator
iv
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
7/26
ABSTRACT
Data security and confidentiality are crucial factors while considering cloud databases.
Data originality and reliability imposes extra attention towards cloud databases and its
service provisioning. Putting critical data in the hands of a cloud provider should come
with the guarantee of security and availability for data at rest, in motion, and in use.
Several alternatives exist for storage services, while data confidentiality solutions for the
database as a service paradigm are still immature. The efficacy of the proposed architec-ture is evaluated through theoretical analyses and extensive experimental results based
on a prototype implementation subject to the TPC-C standard benchmark for different
numbers of clients and network latencies.
This is the first solution supporting geographically distributed clients to connect di-
rectly to an encrypted cloud database, and to execute concurrent. We propose a novel
architecture that integrates cloud database services with data confidentiality and the
possibility of executing concurrent operations on encrypted data cannot apply fully ho-
momorphic encryption schemes because of their excessive computational complexity.
Keywords:Cloud security, encryption, confidentiality, SecureDBaaS, database.
v
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
8/26
Contents
1 Introduction 2
1.1 Dissertation prerequisite . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.1 Cloud service models . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.2 Cloud Deployment Models . . . . . . . . . . . . . . . . . . . . . . 4
1.1.3 Cloud Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2 Problem statement 7
3 Motivation 8
4 Literature Survey 9
5 Methodology 11
5.1 Design of framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5.1.1 Cloud Database server . . . . . . . . . . . . . . . . . . . . . . . . 11
5.1.2 Communication mechanism . . . . . . . . . . . . . . . . . . . . . 11
5.2 Algorithms of Existing System. . . . . . . . . . . . . . . . . . . . . . . . 12
6 Existing System With Mathematical Model 13
7 Proposed System With Mathematical model 14
8 Implementation 15
9 Data Table and Discussion 16
10 Conclusion 17
1
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
9/26
Chapter 1
INTRODUCTION
In a cloud context, where critical information is placed in infrastructures of untrusted
third parties, ensuring data confidentiality is of paramount importance [1], [2]. This re-
quirement imposes clear data management choices: original plain data must be accessible
only by trusted parties that do not include cloud providers, intermediaries, and Internet;
in any untrusted context, data must be encrypted. Satisfying these goals has different
levels of complexity depending on the type of cloud service. There are several solutions
ensuring confidentiality for the storage as a service paradigm (e.g., [3], [4], [5]), while
guaranteeing confidentiality in the database as a service (DBaaS) paradigm [6] is still an
open research area. In this context, we propose SecureDBaaS as the first solution that
allows cloud tenants to take full advantage of DBaaS qualities, such as availability, re-
liability, and elastic scalability, without exposing unencrypted data to the cloud provider.
The architecture design was motivated by a threefold goal: to allow multiple,
independent, and geographically distributed clients to execute concurrent operations on
encrypted data, including SQL statements that modify the database structure; to pre-
serve data confidentiality and consistency at the client and cloud level; to eliminate any
intermediate server between the cloud client and the cloud provider. The possibility
of combining availability, elasticity, and scalability of a typical cloud DBaaS with data
confidentiality is demonstrated through a prototype of SecureDBaaS that supports the
execution of concurrent and independent operations to the remote encrypted database
from many geographically distributed clients as in any unencrypted DBaaS setup. To
achieve these goals, SecureDBaaS integrates existing cryptographic schemes, isolation
mechanisms, and novel strategies for management of encrypted metadata on the un-
trusted cloud database. This paper contains a theoretical discussion about solutions for
data consistency issues due to concurrent and independent client accesses to encrypted
data.
In this context, we cannot apply fully homomorphic encryption schemes [7] be-
cause of their excessive computational complexity. The SecureDBaaS architecture is tai-
lored to cloud platforms and does not introduce any intermediary proxy or broker server
between the client and the cloud provider. Eliminating any trusted intermediate server
allows SecureDBaaS to achieve the same availability, reliability, and elasticity levels of
2
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
10/26
a cloud DBaaS. Other proposals (e.g., [6], [7], [8]) based on intermediate server(s) were
considered impracticable for a cloud-based solution because any proxy represents a single
point of failure and a system bottleneck that limits the main benefits (e.g., scalability,
availability, and elasticity) of a database service deployed on a cloud platform. Unlike
SecureDBaaS, architectures relying on a trusted intermediate proxy do not support themost typical cloud scenario where geographically dispersed clients can concurrently issue
read/write operations and data structure modifications to a cloud database. A large set
of experiments based on real cloud platforms demonstrate that SecureDBaaS is immedi-
ately applicable to any DBMS because it requires no modification to the cloud database
services.
Other studies where the proposed architecture is subject to the TPC-C standard
benchmark for different numbers of clients and network latencies show that the perfor-
mance of concurrent read and write operations not modifying the SecureDBaaS databasestructure is comparable to that of unencrypted cloud database. Workloads including
modifications to the database structure are also supported by SecureDBaaS, but at the
price of overheads that seem acceptable to achieve the desired level of data confidential-
ity. The motivation of these results is that network latencies, which are typical of cloud
scenarios, tend to mask the performance costs of data encryption on response time. The
overall conclusions of this paper are important because for the first time they demon-
strate the applicability of encryption to cloud database services in terms of feasibility and
performance.
1.1 Dissertation prerequisite
1.1.1 Cloud service models
Cloud service models achieved a major space in cloud computing area. The ser-
vice model helps to dictates an organizations scope and control with its computational
resources, and characterizes a level service for its use.
SaaS
Software as a Service is a service delivery model providing applications and computa-
tional resources for use on demand by the service user. Purpose of this model is to reduce
the total development cost, including maintenance, and operations. Security is responsi-
bility of cloud provider. The cloud consumer isnt involved in control and management of
cloud infrastructure or personal applications, except for priority selections and very less
administrative application settings.[3]
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
11/26
Paas
Platform as a Service is a service delivery model that provides the computing platform
and applications can be developed and deployed on it. Motivation behind this model is
to minimize cost, complexity of purchasing, hosting, and managing platform, including
programs and databases. The development culture is typically provided by cloud provider
and supplemented to the design and architecture of its platform[3].
IaaS
Infrastructure as a Service is a service delivery model services basic computing infras-
tructure including servers, software, and network equipment provided on-demand service.
Platform for developing and executing applications can be established on it. Main motto
is to avoid purchasing, and management of software and infrastructure components, and
instead get such resources as virtualized objects controllable via a service interface. Thecloud user has great freedom for the choice of operating system and development envi-
ronment to be used. Security is sole responsibility of cloud consumer.[3]
DBaaS
Database as a Service (DBaaS) potentially will be the next big era in IT. It is a
service that is hosted by a cloud operator (public or private) and includes applications,
where the application team doesnt have any responsibility for old database administra-
tion. With a DBaaS, the application developers need not to be expertise in database,
and there is no need to hire a database administrator (DBA) to operate and maintain
the database.[6] The recent market analysis from 451 research projects shows stunning
86 percent. progressive annul growth rate, with revenues from DBaaS providers rising
from 150 million dollar in 2012 to 1.8 billion dollar by 2016.[1] DBaaS is gaining popu-
larity because it eases businesses to setup new databases quickly with high security and
at very minimal cost . Database as a Service (DBaaS) offers organizations speed up
deployment, elasticity, fair consolidation efficiency, higher availability, and minimal cost
and complexity.[2],[4] Following facts shows why DBaaS will hit the upcoming IT market.
1.DBaaS reduces database straggle.2.Supports ease provision.
3.Enhance high Security and minimal complexity
1.1.2 Cloud Deployment Models
Four deployment models are present for cloud service solutions:
Private cloud
Infrastructure provided for a private organization. It may be responsibility of orga-
nization to manage it or third party can manage it. Existence of such cloud may be on
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
12/26
the premise or off the promise.
Community cloud
Many organizations share the infrastructure and support a distinct community that
has general concerns. Organization can manage it or third party can also operate it.
Existence of such cloud may be on the premise or off the promise [3].
Public cloud
This cloud infrastructure is available to public or a large industry group. An orga-
nization may own it to sale cloud services [3]. The growth in workload migration from
private cloud to public cloud has increased. The average workload in public cloud will
not have more difference than the private cloud.
Hybrid cloud
Cloud infrastructure is a combination of two clouds i.e. private, community, or
public, it doesnt change its properties, but tightened together by standard or proprietary
techniques, that enables communication of data and applications.
1.1.3 Cloud Security Issues
Data security is an important aspect where quality of service is considered as a
prime focus, Cloud Computing undoubtedly raise new security threats for various reasons.Traditional cryptosystems can not directly used because user does not have control over
data under Cloud Computing. Checksum for correct data storage in the cloud must be
done without knowledge of whole database or data.
Trust
In cloud trust rely on deployment model as it provides administration of data. Trust
is considered as mandatory security policy in old architectures. In public cloud whoever
is the owner of infrastructure they have the controls over it. While the public cloud iddeployed the infrastructure owner is supposed to take all assurance regarding the suitable
security policies so that the risk related to security are reduced. Security is considered
about trusting the process or implementations that are made by owner. Deployment mod-
els must differentiate among themselves as the private cloud infrastructure is controlled
by private organizations and it do not need any other security policies as organization
maintains same trust level.[10]
Threats
The CSA (Cloud Security Alliance) has discovered various cloud computing threatsduring last year. The report reflects the current issue among experts around the IT
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
13/26
business industry analysed by CSA, pointing on threats specifically related to shared
technology ,on demand service nature of cloud computing.
1.2 Objective
To provide security based architecture to cloud users.
To provide data confidentiality with minimal latency and improved throughput over cloud
network.
To maintain better trust relation between cloud user and cloud service provider.
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
14/26
Chapter 2
PROBLEM STATEMENT
The throughput for increasing numbers of concurrent clients in contexts character-
ized by modifications of the database structure are supported, but at the price of high
computational costs. Existing encryption techniques imposes high time complexity over
the cloud which causes performance degradation.
7
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
15/26
Chapter 3
MOTIVATION
To provide secure access to multiple users with high confidentiality.
To establish reliable and consistent connection between client and cloud database service
provider.
To provide security based architecture to cloud users.
To provide data confidentiality with minimal latency and improved throughput over cloud
network.
To maintain better trust relation between cloud user and cloud service provider.
8
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
16/26
Chapter 4
LITERATURE SURVEY
[1]Ariel J. Feldman, William P. Zeller, Michael J. Freedman, and Edward
W. Felten has published paper on Group Collaboration using Untrusted Cloud Re-
sources. They have implemented a system that provides a generic collaboration service
in which users can create a document, modify its access control list, edit it concurrently,
experience fully automated merging of updates, and even perform these operations while
disconnected. The system framework supports a broad range of collaborative applica-
tions. Data updates are encrypted before being sent to a cloud-hosted server. The server
assigns a total order to all operations and redistributes the ordered updates to clients. If
a malicious server drops or reorders updates, the system clients can detect the servers
misbehaviour, switch to a new server, restore a consistent state, and continue. The same
mechanism that allows system to merge correct concurrent operations also enables it to
transparently recover from attacks that fork clients views.
[2] Jinyuan Li, Maxwell Krohn, David Mazires, and Dennis Shasha has
published paper on Secure Untrusted Data Repository. They have mentioned net-
work file system designed to store data securely on untrusted servers. System lets clients
detect any attempts at unauthorized file modification by malicious server operators or
users. SUNDRs protocol achieves a property called fork consistency, which guarantees
that clients can detect any integrity or consistency failures as long as they see each others
file modifications. An implementation is described that performs comparably with NFS
(sometimes better and sometimes worse), while offering significantly stronger security.
[3] PRINCE MAHAJAN, SRINATH SETTY, SANGMIN LEE, ALLEN
CLEMENT,LORENZO ALVISI, MIKE DAHLIN, and MICHAEL WALFISH
has published paper on Cloud Storage with Minimal Trust. It supports many strategies
for coping with the failure of an SSP. In a single SSP deployment, clients are configured
such that each client stores a copy of the data that it authors. If the SSP fails, clients
can ensure availability by exchanging metadata with each other directly and by using the
data stored at the authoring clients. If the SSP later recovers, clients can continue using
the SSP (after sending the missed updates to the SSP servers).
9
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
17/26
[4]Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and
Hari Balakrishnanhas published paper on Protecting Confidentiality with Encrypted
Query Processing.Authors have given a system that explores an intermediate design
point to provide confidentiality for applications that use database management systems
(DBMSes). CryptDB leverages the typical structure of database-backed applications,consisting of a DBMS server and a separate application server, the latter runs the appli-
cation code and issues DBMS queries on behalf of one or more users. CryptDBs approach
is to execute queries over encrypted data, and the key insight that makes it practical is
that SQL uses a well-defined set of operators, each of which we are able to support effi-
ciently over encrypted data.
[5] Luca Ferretti, Michele Colajanni, and Mirco Marchetti has published
paper on Supporting Security and Consistency for Cloud Database.they proposed a
novel architecture that allows cloud customers to leverage untrusted DBaaS with theguarantee of data confidentiality. Unlike previous solutions, our architecture does not
rely on a trusted proxy, and allows multiple distributed clients to execute SQL queries
concurrently and independently on the same encrypted database. All the encryption and
decryption operations are carried out by a software module that is executed on each
client machine. Their design choice does not introduce any bottleneck and single point of
failure be-cause clients connect directly to the cloud database. Moreover, our architecture
guarantees the same availability, scalability and elasticity of the unencrypted DBaaS and
it is applicable to any commercial DBaaS because it does not require modifications to
the database.
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
18/26
Chapter 5
METHODOLOGY
5.1 Design of framework
This framework is the prime step towards achieving the goals of the cloud infrastructure.
In this section, the details of the proposed framework are highlighted and in the sections
below describe the components and their implementations.
Figure presents the architecture of the proposed framework. The service component
including the run-time server represents the application layer where services are deployed
using a Web Service container.
5.1.1 Cloud Database server
This section describes the database server component, which is located at the Cloud
infrastructure resource level. We first explain its design and later present the implemen-
tation details
5.1.2 Communication mechanism
The implemented communication model is a sort of queuing mechanism. It realizes aninter-process communication for passing messages within the cloud infrastructure and
between components of the cloud server framework, due to the fact that the components
can run on different machines at different locations. This queue makes the communica-
tion mechanism highly efficient and scalable.
11
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
19/26
5.2 Algorithms of Existing System
Algorithm 1
Input: Request for cloud database.
Output: Secure cloud database access to user.Begin
1. Tenant wants to store and process remotely.
2. Tenant sends request to CSP
3. Authenticates tenant
4. If(n=1)
5. Access to database
6. Else
7. Response with no access
8. CSP sends cloud decrypted data and metadata and encrypted tables.9. Tenant operates on remote data.
10. Metadata updated before tenant exit the system.
End
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
20/26
Chapter 6
EXISTING SYSTEM WITH MATHEMATICAL
MODEL
13
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
21/26
Chapter 7
PROPOSED SYSTEM WITH MATHEMATICAL
MODEL
14
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
22/26
Chapter 8
IMPLEMENTATION
15
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
23/26
Chapter 9
DATA TABLE AND DISCUSSION
16
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
24/26
Chapter 10
CONCLUSION
Proposed architecture guarantees the confidentiality of data stored in public cloud
databases. It yields better performance characteristics through minimal latency and im-
proved throughput. The proposed architecture does not require modifications to the
cloud database, and it can be immediately applicable to existing cloud DBaaS, such as
the PostgreSQL Plus, Cloud Database, Windows Azure, Amazon S3 and Xeround.
17
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
25/26
Bibliography
[1] Cheng-Kang Chu, Sherman S. M. Chow, Wen-Guey Tzeng, Jianying Zhou, and
Robert H. Deng Key-Aggregate Cryptosystem for Scalable Data Sharing in Cloud
Storage IEEE Transactions on Parallel and Distributed Systems. Volume: 25, Issue:
2. Year :2014
[2] S. G. Akl and P. D. Taylor, Cryptographic Solution to a Problem of Access Control
in a Hierarchy, ACM Transactions on Computer Systems (TOCS), vol. 1, no. 3, pp.
239248, 1983.
[3] G. C. Chick and S. E. Tavares, Flexible Access Control with Master Keys, in Pro-
ceedings of Advances in Cryptology CRYPTO 89, ser. LNCS, vol. 435. Springer,
1989, pp. 316322.
[4] W.-G. Tzeng, A Time-Bound Cryptographic Key Assignment Scheme for Access
Control in a Hierarchy, IEEE Transactions on Knowledge and Data Engineering
(TKDE), vol. 14, no. 1, pp. 182188, 2002.
[5] G. Ateniese, A. D. Santis, A. L. Ferrara, and B. Masucci, Provably-Secure Time-
Bound Hierarchical Key Assignment Schemes, J. Cryptology, vol. 25, no. 2, pp.
243270, 2012.
[6] R. S. Sandhu, Cryptographic Implementation of a Tree Hierarchy for Access Control,
Information Processing Letters, vol. 27, no. 2, pp. 9598, 1988.
[7] Y. Sun and K. J. R. Liu, Scalable Hierarchical Access Control in Secure Group Com-
munications, in Proceedings of the 23th IEEE International Conference on Computer
Communications (INFOCOM04). IEEE, 2004.
[8] Q. Zhang and Y. Wang, A Centralized Key Management Scheme for Hierarchi-
cal Access Control, in Proceedings of IEEE Global Telecommunications Conference
(GLOBECOM 04). IEEE, 2004, pp. 20672071
[9] G. 9. M. J. Atallah, M. Blanton, N. Fazio, and K. B. Frikken, Dynamic and Efficient
Key Management for Access Hierarchies, ACM Transactions on Information and
System Security (TISSEC), vol. 12,no. 3, 2009.
[10] 10. J. Benaloh, M. Chase, E. Horvitz, and K. Lauter, Patient Controlled Encryption:
Ensuring Privacy of Electronic Medical Records, in Proceedings of ACM Workshop
on Cloud Computing Security (CCSW 09). ACM, 2009, pp. 103114.
18
-
7/24/2019 A Secure Client Access to Encrypted Cloud Databases
26/26
[11] 11. F. Guo, Y. Mu, and Z. Chen, Identity-Based Encryption: How to Decrypt Mul-
tiple Ciphertexts Using a Single Decryption Key, in Proceedings of Pairing-Based
Cryptography (Pairing 07), ser. LNCS, vol. 4575. Springer, 2007, pp. 392406.
[12] 12. V. Goyal, O. Pandey, A. Sahai, and B. Waters, Attribute-Based Encryption for
Fine-Grained Access Control of Encrypted data,in Proceedings of the 13th ACM
Conference on Computer and Communications Security (CCS 06). ACM, 2006, pp.
8998.