Contents
Abstract
Acknowledgement
Contents
List of Tables
List of Figures
1 Introduction
  1.1 Essential Characteristics
  1.2 Deployment Models
  1.3 Architecture
  1.4 Benefits of Cloud Architecture
  1.5 Examples of Cloud Architecture
2 Related Work
  2.1 Comparison of Different Techniques
3 Requirements
  3.1 SoapUI
  3.2 Mule Studio
  3.3 Eclipse
4 Infrastructure
  4.1 Registration Process
  4.2 Upload Process
  4.3 Retrieval Process
5 Implementation Plan
6 Analysis
7 Conclusion and Future Work
  7.1 Conclusion
  7.2 Future Work
8 References
9 Appendix

List of Tables
Table 1.1 Multi-layer security
Table 2.1 System requirements
Table 2.2 Comparison of different techniques

List of Figures
Figure 1-1 Internet as a Cloud
Figure 1-2 Deployment models in cloud computing
Figure 1-3 Basic cloud architecture
Figure 4-1 Infrastructure of the proposed method
Figure 4-2 Relationship Diagram for Registration Request
Figure 4-3 Relationship Diagram for Upload Process
Figure 4-4 Flow in Upload Process
Figure 4-5 Relationship Diagram for Retrieval Process
Figure 4-6 Flow in Retrieval of Data Process
Chapter 1 Introduction
Cloud computing is an emerging paradigm in the field of Information Technology, and it is here to stay and to serve well into the future. As it has become a global phenomenon, a lot of companies have joined the bandwagon of cloud computing. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. [21]
Figure 1-1: Internet as a cloud
Now, the question posed by renowned IT gurus is how far one can go with the cloud, i.e., the trust and security of the cloud are being questioned. In a cloud computing environment, the equipment used for business operations can be leased from a single service provider along with the application, and the related business data can be stored on equipment provided by the same service provider. [4] This type of arrangement can help a company save on hardware and software infrastructure costs, but storing the company's data on the service provider's equipment raises the possibility that important business information may be improperly disclosed to others. There have been quite a number of security measures implemented in the cloud. These security measures have their own pros and cons. There have been a few security measures with respect to encryption. But the question is who has control over the encryption and decryption keys? Logically the control should be with the customer.
When an internet connection protocol is established, it is possible to share services within any one of the following layers.
Client: The devices that we use to access the applications in cloud computing are the clients. The client consists of hardware and/or computer software that relies on cloud computing for access to applications and is useless without it. Some examples of clients include laptops, phones and tablets.
Server: This layer consists of computer hardware and computer software products that are specifically designed for delivery of cloud services.
Infrastructure: This is one of the services of cloud computing, also known as "infrastructure as a service" (IaaS). This is typically a platform virtualization environment that provides raw storage and networking. This service allows the client to outsource the service instead of purchasing servers, software, data-center space or network equipment. This concept is based on utility computing; the amount of resources utilized will reflect the level of activity.
Application: This service allows the user to eliminate maintenance of hardware and software by accessing the application over the internet. With this model the user does not need to install the application on the customer's own computer. This service model is also known as software as a service (SaaS).
Platform: This service facilitates deployment of applications without the cost and complexity of buying and managing the underlying hardware and software layers. This service model is also known as platform as a service (PaaS).
1.1 Essential Characteristics
On-demand self-service: Computing capabilities are used as needed and provisioned automatically, without requiring human interaction.
Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Resource pooling: Computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
Rapid elasticity: Capabilities can be rapidly and elastically provisioned to quickly scale out and rapidly released to quickly scale in. Capabilities available for provisioning often appear to be unlimited to the consumer and can be purchased in any quantity at any time.
Measured service: Resource use is automatically controlled and optimized by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).
1.2 Deployment Models
The four types of deployment models in cloud computing are [22]:
Public cloud - Public cloud infrastructure is owned by an organization selling cloud services and it is made available to the normal users or a large industry. This is based on utility computing where the customer has to pay for the resources used. The third party provider or service provider bills the customer based on the utility. E.g., Google, Facebook.
Private cloud - Private cloud infrastructure is owned by a single organization. This allows the user to avoid the criticism of buying, building and managing the software application that he is working on. E.g., Amazon VPC, VMware Cloud.
Hybrid cloud - This infrastructure is a combination of two or more clouds, i.e., private, public or community. These clouds remain unique but are bound together by standardized technology that enables application and data portability. An example of a hybrid cloud would be cloud-bursting (load balancing between clouds). E.g., Windows Azure, VMware vCloud.
Community cloud - Community, as the name suggests, is a shared cloud. It is shared by several organizations and supports a particular community that has common concerns, viz. mission, policy, security requirements. It can be managed by the organization or a third party. E.g., Google App, IBM SmartCloud.
Figure 1-2: Deployment Models in Cloud Computing (panels: Public, Private, Hybrid, Community)
1.3 Architecture
Cloud architecture, the systems architecture of the software systems involved in the delivery of cloud computing, typically involves multiple cloud components communicating with each other over a loose coupling mechanism such as a messaging queue. A sample architecture is shown in the diagram below.
Figure 1-3: Basic Cloud Architecture
Cloud Architectures address key difficulties surrounding large-scale data processing. First, in traditional data processing it is difficult to get as many machines as an application needs. Second, it is difficult to get the machines when one needs them. Third, it is difficult to distribute and co-ordinate a large-scale job on different machines, run processes on them, and provision another machine to recover if one machine fails. Fourth, it is difficult to auto-scale up and down based on dynamic workloads. Fifth, it is difficult to get rid of all those machines when the job is done. Cloud Architectures solve such difficulties.
Applications built on Cloud Architectures run in-the-cloud, where the physical location of the infrastructure is determined by the provider. They take advantage of simple APIs of Internet-accessible services that scale on-demand, that are industrial-strength, where the complex reliability and scalability logic of the underlying services remains implemented and hidden inside-the-cloud. The usage of resources in Cloud Architectures is as needed, sometimes ephemeral or seasonal, thereby providing the highest utilization and optimum bang for the buck.
1.4 Benefits of Cloud Architecture [23]
i. Almost zero upfront infrastructure investment: If you have to build a large-scale system it may cost a fortune to invest in real estate, hardware (racks, machines, routers, backup power supplies), hardware management (power management, cooling), and operations personnel. Because of the upfront costs, it would typically need several rounds of management approvals before the project could even get started. Now, with utility-style computing, there is no fixed cost or startup cost.
ii. Just-in-time infrastructure: In the past, if you got famous and your systems or your infrastructure did not scale, you became a victim of your own success. Conversely, if you invested heavily and did not get famous, you became a victim of your failure. By deploying applications in-the-cloud with dynamic capacity management, software architects do not have to worry about pre-procuring capacity for large-scale systems. The solutions are low risk because you scale only as you grow. Cloud Architectures can relinquish infrastructure as quickly as you got it in the first place (in minutes).
iii. More efficient resource utilization: System administrators usually worry about hardware procuring (when they run out of capacity) and better infrastructure utilization (when they have excess and idle capacity). With Cloud Architectures they can manage resources more effectively and efficiently by having the applications request and relinquish only the resources they need (on-demand).
iv. Usage-based costing: Utility-style pricing allows billing the customer only for the infrastructure that has been used. The customer is not liable for the entire infrastructure that may be in place. This is a subtle difference between desktop applications and web applications. A desktop application or a traditional client-server application runs on the customer's own infrastructure (PC or server), whereas in a Cloud Architectures application, the customer uses a third party infrastructure and gets billed only for the fraction of it that was used.
v. Potential for shrinking the processing time: Parallelization is one of the great ways to speed up processing. If one compute-intensive or data-intensive job that can be run in parallel takes 500 hours to process on one machine, with Cloud Architectures it would be possible to spawn and launch 500 instances and process the same job in 1 hour. Having an elastic infrastructure available provides the application with the ability to exploit parallelization in a cost-effective way.
1.5 Examples of Cloud Architecture
There are plenty of examples of applications that could utilize the power of Cloud Architectures. These range from back-office bulk processing systems to web applications. Some are listed below:
Processing Pipelines
• Document processing pipelines – convert hundreds of thousands of documents from Microsoft Word to PDF, OCR millions of pages/images into raw searchable text
• Image processing pipelines – create thumbnails or low resolution variants of an image, resize millions of images, Picasa, flickr.
• Video transcoding pipelines – transcode AVI to MPEG movies, YouTube.
• Indexing – create an index of web crawl data
• Data mining – perform search over millions of records
Batch Processing Systems
• Back-office applications (in financial, insurance or retail sectors)
• Log analysis – analyze and generate daily/weekly reports
• Nightly builds – perform automated builds of the source code repository every night in parallel
• Automated Unit Testing and Deployment Testing – test and deploy and perform automated unit testing (functional, load, quality) on different deployment configurations every night
Websites
• Social Networking websites
• Websites that "sleep" at night and auto-scale during the day
• Instant Websites – websites for conferences or events (Super Bowl, sports tournaments)
• "Seasonal Websites" – websites that only run during the tax season or the holiday season ("Black Friday" or Christmas).
Security in cloud computing must be provided in each and every layer. The table below depicts the security needed in a cloud.
Application Layer: Identity management, authorization, auditing
Data Layer: Data encryption, backup, recovery
System Layer: System hardening, antivirus protection, host intrusion detection
Network Layer: Firewall, network intrusion detection
Table 1.1: Multi-layer Security [14]
Chapter 2 Related Work
There have been a few security measures with respect to encryption. But the question is who has control over the encryption and decryption keys? Logically the control should be with the customer. The software as a service layer of cloud computing would be the best option for the method described in this project. As software needs are to be addressed even after handing it over to a client, one has control over it. Software as a service, also known as on-demand service, is hosted on the internet. So, one need not install and run the required software all the time and can just use it as per the requirements. This service is cost effective. This is an emerging trend in information technology. Undoubtedly, this trend has great potential in the near future as it provides computing in an easy and efficient manner at low cost. This trend is ever growing due to its cost-effective way of sharing large amounts of information anywhere in the world. As the demand for cloud computing is sky high, there is a serious issue of security. In order to ensure security in cloud computing, the cloud provider must guarantee the customer eminent security measures. There have been a number of encryption mechanisms used for security in cloud computing. But each of them failed to provide control to the customer. So, a technique using encryption is proposed in this project which provides control to the customer. The user/customer has the maximum control of the data here. The major part of encryption and decryption is done at the user level, which is the motive of this project.
Confidentiality: Ensure the confidentiality of the data being stored.
Integrity: Maintain the integrity of the data to ensure that it has not been tampered with.
File Sharing: Ensure that file sharing can be catered for.
Key-Revocation: Allow for key revocation when user rights need to be removed.
Compromised Key pair: Ensure that the system can recover from a compromised key pair.
Access Control: Ensure access control to the server.
Table 2.1: System Requirements [16]
2.1 Comparison of different security techniques
There have been many encryption techniques employed in the cloud. But the main question is who has control over these encryption keys. Is the control with the user, the third party or the cloud? Logically the control should be with the customer. As in any cloud computing environment, we need to assume that the system comprises the following parties: the data owner, the cloud server, data consumers and a Third Party Auditor (TPA) if necessary. [13]
The use of a semi-trusted mediator (SEM) in conjunction with a simple variant of the RSA cryptosystem (mediated RSA) offers a number of practical advantages over current revocation techniques. This approach simplifies validation of digital signatures and enables certificate revocation within legacy systems. [15]
Encryption scheme using Residue Number System (RNS): in this scheme, a secret is split into multiple shares on which computations can be performed independently. Security is enhanced by not allowing the independent clouds to collude. Efficiency is achieved through the use of smaller shares. [3]

Technique: Cloud Key Management (CKMI) [1]
Description: CKMI's introduction will reduce the encryption management complexity by building interoperability into the key management environment. [1]
Benefits: Complexity of encryption management is reduced and infrastructure costs and risks are lowered.
Usability Issues: Encrypting data at rest within PaaS is generally a complex process and involves more customization. In the case of SaaS, cloud customers cannot implement it directly and need to request it from the provider.

Technique: RSA encryption algorithm with digital signature [2]
Description: A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. [2]
Benefits: Hashing algorithm and message digest are used in this algorithm, which makes it secure.
Usability Issues: Public and private keys are used and there is no backup for loss of key(s).

Technique: Homomorphic encryption scheme using residue number system [3]
Description: Security is enhanced by not allowing the independent clouds to collude. Efficiency is achieved through the use of smaller shares. [3]
Benefits: A secret is split into multiple shares and computations on each share are performed independently. There is no collision between the independent clouds and hence security is enhanced.
Usability Issues: Issues like overflow and sign detection to apply RNS (Residue Number System) for homomorphic computations need to be addressed. Also issues like confidentiality, integrity and cloud collusion need to be addressed.

Technique: YI cloud [6]
Description: This system allows the users to encrypt their files and store them in the cloud. [6]
Benefits: The primary key is shared between trusted entities, so even if the user loses the key he/she can recover it from the entities. Use of a secret sharing algorithm reduces the risk of losing data.
Usability Issues: A single encryption key is used for all files stored in the cloud. The encryption key is fixed in YI cloud.

Technique: A Generic Scheme for Secure Data Sharing in Cloud [5]
Description: It is a generic scheme to enable fine-grained data sharing over the cloud, which does not require key redistribution and data re-encryption. [5]
Benefits: This scheme has advantages as it makes use of attribute-based/predicate encryption and proxy re-encryption.
Usability Issues: Like every other scheme, even this scheme has some potential risks. There is no mechanism to overcome the ill effects performed by the revoked user.

Table 2.2: Comparison of different techniques
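The share-wise computation and the overflow issue listed for the RNS scheme in Table 2.2 can be seen in plain residue number system arithmetic. The following is an added example, not the construction from [3] and not code from this project; the moduli, sample values and all names are constructed for illustration.

```java
import java.math.BigInteger;
import java.util.Arrays;

// Added illustration of RNS arithmetic only. A single residue still reveals
// (secret mod m_i), so this is not by itself a complete encryption scheme.
public class RnsSharesDemo {
    // Constructed, pairwise coprime moduli; each residue would go to a different cloud.
    static final long[] MODULI = {251, 253, 255, 256};

    // Dynamic range M = product of the moduli; only results in [0, M) are recoverable.
    static BigInteger range() {
        BigInteger m = BigInteger.ONE;
        for (long mi : MODULI) m = m.multiply(BigInteger.valueOf(mi));
        return m;
    }

    // Split a non-negative secret into one small residue per modulus.
    static long[] split(long secret) {
        long[] shares = new long[MODULI.length];
        for (int i = 0; i < MODULI.length; i++) shares[i] = secret % MODULI[i];
        return shares;
    }

    // Each cloud adds its own residues without seeing the other shares.
    static long[] add(long[] a, long[] b) {
        long[] r = new long[MODULI.length];
        for (int i = 0; i < MODULI.length; i++) r[i] = (a[i] + b[i]) % MODULI[i];
        return r;
    }

    // Each cloud multiplies its own residues without seeing the other shares.
    static long[] mul(long[] a, long[] b) {
        long[] r = new long[MODULI.length];
        for (int i = 0; i < MODULI.length; i++) r[i] = (a[i] * b[i]) % MODULI[i];
        return r;
    }

    // Chinese Remainder Theorem: recombine all residues into the value modulo M.
    static BigInteger reconstruct(long[] shares) {
        BigInteger m = range(), x = BigInteger.ZERO;
        for (int i = 0; i < MODULI.length; i++) {
            BigInteger mi = BigInteger.valueOf(MODULI[i]);
            BigInteger partial = m.divide(mi);            // M / m_i
            BigInteger inverse = partial.modInverse(mi);  // (M / m_i)^-1 mod m_i
            x = x.add(BigInteger.valueOf(shares[i]).multiply(partial).multiply(inverse));
        }
        return x.mod(m);
    }

    public static void main(String[] args) {
        long a = 41_000, b = 52_000; // constructed sample secrets
        long[] sa = split(a), sb = split(b);
        System.out.println("shares of a: " + Arrays.toString(sa));
        System.out.println("a + b via shares: " + reconstruct(add(sa, sb)) + " (direct " + (a + b) + ")");
        System.out.println("a * b via shares: " + reconstruct(mul(sa, sb)) + " (direct " + (a * b) + ")");

        // Overflow: c * c is larger than M, so the shares reconstruct to a wrapped
        // value and nothing in the residues themselves signals that this happened.
        long c = 90_000;
        long[] sc = split(c);
        BigInteger wrapped = reconstruct(mul(sc, sc));
        BigInteger exact = BigInteger.valueOf(c).multiply(BigInteger.valueOf(c));
        System.out.println("range M = " + range());
        System.out.println("c * c via shares: " + wrapped + " (direct " + exact
                + ", match " + wrapped.equals(exact) + ")");
    }
}
```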
Chapter 3 Requirements
3.1 SoapUI
SoapUI is a free and open source cross-platform functional testing solution. With an easy-to-use graphical interface and enterprise-class features, SoapUI allows you to easily and rapidly create and execute automated functional, regression, compliance, and load tests. In a single test environment, SoapUI provides complete test coverage and supports all the standard protocols and technologies. There are simply no limits to what you can do with your tests.
Features of SoapUI [19]:
Functional Testing - Automated functional and regression testing. Powerful and innovative features help to validate and improve the quality of the services and applications.
Service Simulation - SoapUI Mock Services let you mimic and create robust tests against Web Services before they are implemented.
Security Testing - Using a complement of tests and scans, protect the services on websites against the most common security vulnerabilities.
Load Testing - SoapUI lets you create even the most advanced load tests quickly and easily.
Technology Support - Loaded with advanced technologies, SoapUI provides support for all the common protocols and standards.
Automation - SoapUI packs advanced end-to-end automation features, allowing the user to dramatically reduce labor costs and improve time-to-market.
Analytics - With powerful and integrated analytics, SoapUI Pro makes your testing faster than ever and saves countless hours.
Recording - Built from the ground up to offer advanced recording capabilities, SoapUI records, monitors and displays all the data that is sent and received between a client, such as your web browser, and a server.
Ecosystem - A big part of what makes SoapUI great is the universe of the open source community and partners around it, who have accelerated the pace of innovation on SoapUI.
Role of SoapUI in this project: SoapUI acts as a client in this project.
3.2 Mule Studio
It is the world's most widely used integration platform for connecting applications. If you have more than a couple of applications, services, or legacy systems, custom point-to-point integration is painful. It is way too expensive and time-consuming to build and, once in place, creates a complex web of brittle connections that breaks every time you change an endpoint, modify a data structure or change a business process. Mule ESB helps to overcome all the above situations with ease.
Features of Mule Studio [18]:
Service Mediation - Business logic is separated from protocols and message formats for rapid, nimble development and long-term flexibility.
Message Routing - Messages can be routed based on content or complex rules and filtered, aggregated, or re-sequenced as required.
Data Transformation - Data can be transformed to and from virtually any format across heterogeneous transport protocols and data types, and incomplete messages can be enhanced through data retrieval. In addition, message payload can be encrypted, compressed or encoded to ensure security.
Event Handling - Mule ESB supports synchronous and asynchronous events, transactions, streaming, routing patterns, and SEDA architecture.
Service Orchestration - Message flows can contain lightweight service orchestration to support SOA initiatives.
Service Creation & Hosting - Functionality in any endpoint can be exposed as a service and organized into an efficient, unified, standards-based architecture. Existing services can be hosted as lightweight service containers.
3.3 Eclipse
The Eclipse Software Development Kit (SDK) contains everything you need to build Java applications. Considered by many to be the best Java development tool available, the Eclipse Java Development Tools (JDT) provides superior Java editing with on-the-fly validation, incremental compilation, cross-referencing, code assist and much more. [20]
The new Eclipse 3.2 release features some exciting new capabilities, including:
Java 6 support
Refactoring scripts
Static analysis of Java code
Improved code completion and quick fix support
Improved usability and performance
Support for Mac OSX on Intel and preview support for Windows Vista
Chapter 4 Infrastructure
Figure 4-1: Infrastructure of the proposed method (diagram labels: Client Workstation; Third Party Services; Ubuntu 12-0.4 Cloud Server; Amazon S3 / Amazon Ubuntu Server with MySQL DB; Cloud Storage (S3 Storage))
The figure above depicts the infrastructure of the proposed method. The communication among the key components of client workstation, third party services and the Amazon cloud storage is vital in this method. Here, the client is SoapUI, the third party server is Mule Studio and the cloud is Amazon S3. The structure of the method is clearly shown in the above figure. The flow of the method and the structure of each component are discussed in the following pages of this document.
4.1 Registration Process
User – SoapUI Client
- Registration Request: User Name, Email Address, First Name, Last Name
3rd Party Service – Registration Service (Web Service)
- Takes the above parameters and generates the encrypted key.
- Splits the key and provides the first half to the user as part of the response.
- The second half is saved on the server.
Figure 4-2: Relationship Diagram for Registration Request (diagram labels: User; Registration Request; Registration Information; Registration Service; Java Custom Component (Generate Key and Splitter); Server Key Persistence; Encrypted Key; User Key (First Half); Response; Status)
4.2 Upload Process
User – SoapUI Client
- Identify the file which needs to be uploaded to the cloud.
- Encrypt the data using the first half of the key (Eclipse – Test project).
- Take the encrypted content and fill in the SoapUI request.
Server – 3rd Party Service – Upload Document Service (Web Service)
- Receive the user-encrypted data.
- Get the server key (second half of the key) and encrypt the above content (second phase of encryption).
- Call the Amazon cloud service and send the document for persistence.
- Data stored in the cloud has double protection.
- If the web service is exposed through a security layer (HTTPS), data across the wire will be encrypted and cannot be intercepted.
Figure 4-3: Relationship Diagram for Upload Process (diagram labels: User; File; Get the file; Encrypt the data using User Key; Prepare Service Request; Upload Document Service Request; Upload Document Service; Upload Document; Java Custom Component (get the content and encrypt the data using server key), Second Encryption Phase; Encrypted Content; Persist the data at S3 (Cloud Persistence); Status)
Figure 4-4: Flow in Upload Process (swimlanes: User, Third Party Services, Cloud; steps: Registration; Account Setup; Initiate File Upload Process; Encrypt the Content using the first half; Call Service with encrypted Data for cloud storage; Receive the Content; Encrypt the Content using the second half; Upload the content to cloud; Persist the data)
The upload process in the proposed method is shown in the above figure. Firstly, registration is done by providing details such as first name, last name and email ID. Then, the user uploads the file by encrypting it with the first half of the key. This is sent to the third party services and the content is again encrypted with the second half of the key. Now, the file is uploaded into the cloud.
4.3 Retrieval Process
User – SoapUI Client
- Identify the file name which needs to be retrieved.
- Fill in the SoapUI request with the document name.
Server – 3rd Party Service – Document Service (Web Service)
- Receive the document name.
- Call the cloud service to retrieve the content using the document name as key.
- Get the server key (second half of the key) and decrypt the content received from the cloud.
- Return the data to the user (at this point one layer of decryption has been done).
User – SoapUI
- Receive the data from the server.
- Decrypt this content using the user's first half of the key (using a Java program in Eclipse).
- If needed, save the content in a file.
Figure 4-5: Relationship Diagram for Retrieval Process (diagram labels: User; Get Document By Doc Name; Document Service; Get Content By S3 Key; Amazon S3; Content from Cloud; Server Encrypted Content; Java Custom Component (retrieve server key, decrypt content using server key); Server Decrypted Content; Encrypted Content; Response; Get the Content, decrypt the content using User Key (first half); Store the data in file or view)
Figure 4-6: Flow in Retrieval of Data Process (swimlanes: User, Third Party Services, Cloud; steps: Initiate the File Retrieval; Call Service with filename and user info; Validate the User; Get second part of Key; Call Cloud service to retrieve the data; Data Retrieval; Decrypt the data using second part of the key; Return the data to user; Receive the encrypted data; Decrypt the data using first half of the key)
The process for the retrieval of data is shown in the above figure. The user will initiate the retrieval of the file. Retrieval is done by calling the service with filename and the user information. The user will call the third party service for validation. After validation, the third party service will get the second part of the key and call the cloud service to retrieve the data. Third party service will decrypt the data using the second part of the key and return the data to the user. Here, the data is only half decrypted. Now, the user receives the encrypted (half decrypted) data and decrypts the data using the first half of the key. Thus, we get the original data.
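The registration, upload and retrieval flows of sections 4.1 to 4.3, end to end, as an added example; it is not the project's TestRead.java, DecryptContent.java or Mule component. It assumes a random 256-bit key split into two 128-bit halves, AES-GCM for each layer, and in-memory maps standing in for the server key store and the S3 bucket; all class, method and sample names are hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Added illustration; the cipher choice and every name here are assumptions.
public class TwoLayerDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 12;    // 96-bit nonce, fresh for every encryption
    private static final int TAG_BITS = 128; // GCM authentication tag length

    // One encryption layer (assumed AES-128-GCM). Output = IV || ciphertext || tag.
    static byte[] seal(byte[] key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    // Reverse of seal(); throws if the key is wrong or the blob was modified.
    static byte[] open(byte[] key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    // Stand-in for the third party service (registration, upload and document services).
    static class ThirdPartyService {
        private final Map<String, byte[]> serverKeys = new HashMap<>(); // user -> second half
        private final Map<String, byte[]> cloud = new HashMap<>();      // stand-in for the S3 bucket

        // Registration: generate the key, persist the second half, return the first half.
        byte[] register(String user) {
            byte[] full = new byte[32];
            RNG.nextBytes(full);
            serverKeys.put(user, Arrays.copyOfRange(full, 16, 32));
            return Arrays.copyOfRange(full, 0, 16);
        }

        // Upload: second encryption phase with the server half, then persist in the cloud.
        void upload(String user, String doc, byte[] userEncrypted) throws GeneralSecurityException {
            cloud.put(user + "/" + doc, seal(serverKeys.get(user), userEncrypted));
        }

        // Retrieval: remove only the server layer; the result is still user-encrypted.
        byte[] retrieve(String user, String doc) throws GeneralSecurityException {
            return open(serverKeys.get(user), cloud.get(user + "/" + doc));
        }
    }

    public static void main(String[] args) throws Exception {
        ThirdPartyService service = new ThirdPartyService();
        byte[] userKey = service.register("alice"); // constructed user name
        byte[] doc = "quarterly figures (constructed sample)".getBytes(StandardCharsets.UTF_8);

        // Upload: first encryption phase happens on the client before the request is sent.
        service.upload("alice", "report.txt", seal(userKey, doc));
        byte[] stored = service.cloud.get("alice/report.txt"); // what the cloud holds

        // Retrieval: the service returns half-decrypted data, the client finishes the job.
        byte[] halfDecrypted = service.retrieve("alice", "report.txt");
        byte[] plain = open(userKey, halfDecrypted);
        System.out.println("round trip ok: " + Arrays.equals(doc, plain));
        System.out.println("service saw plaintext: " + Arrays.equals(doc, halfDecrypted));

        // The stored object cannot be opened with the user half alone.
        try {
            open(userKey, stored);
            System.out.println("stored object opened with user half (unexpected)");
        } catch (GeneralSecurityException e) {
            System.out.println("user half alone on stored object: rejected");
        }

        // Integrity requirement of Table 2.1: a modified cloud object is detected.
        stored[stored.length - 1] ^= 1; // same array the map holds, so the "bucket" is now tampered
        try {
            service.retrieve("alice", "report.txt");
            System.out.println("tampered object accepted (unexpected)");
        } catch (GeneralSecurityException e) {
            System.out.println("tampered object: rejected");
        }
    }
}
```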
Encryption and Decryption Keys:
The process involves encryption of the data and decryption of the data. Here, we have two encryption keys and two decryption keys.

Use of two keys. How do you justify?
Use of two keys is justified as it ensures more safety and security in this model. Firstly, in order to encrypt the given data, the user encrypts the data file and sends it to the third party server, which again encrypts the data and stores it in the cloud. Secondly, when the user wants to decrypt the data, the data file is retrieved from the cloud by the third party server and it is partially decrypted. This file is sent to the user, who decrypts it with the decryption key. So, it does make sense to use two keys.

The user loses the key. How often can this happen?
No one and no mechanism can ensure that the user will never lose the key. A key can be lost at any moment. There is no exact probability for losing a key. Even if the key is lost, we can make use of the YI cloud mechanism, which is used for key recovery. In this mechanism the key is divided into a number of parts and each part is stored with a trusted party. So when a user loses the key, the user can regain the key from the trusted parties. None of the trusted parties can gain access to the data, as the trusted parties do not know each other.

What if the second part of the key is made using the first key?
The second part of the key cannot be made using the first key. The two keys are not symmetrical. Keys are generated in a random manner, and even if the same file is used again for storage in the cloud, another key is generated and is not at all related to the old key.
Chapter 5 Implementation Plan Requirements for the implementation:
Client - SoapUI
Server (Third party) - Mule Studio
Cloud – Amazon S3
The first step in the implementation of this project is to run Mule Studio. Mule Studio (the third party server) should be up and running to start the implementation. Then, the registration request in SoapUI is used for the user to register. User credentials such as username, email ID, first name and last name are needed here. Now, the SoapUI request with the user credentials is executed. A token is generated here. This token is taken and pasted into ‘TestRead.java’ in Eclipse. The path of the file to be stored is also given here. This program is executed as a Java application. The output of this program is the encryption key. By using this encryption key, the data file is encrypted. This key is pasted in the content of the upload request in SoapUI. This request is executed and there will be a response indicating that the file is uploaded. Now, if the user wants the file back, the Get Document request in SoapUI is used. Here, the name of the file to be retrieved is given and a document ID (any random number) should be provided. This request is executed and a key is generated. This key is the decryption key. This key, along with the first token generated, is pasted into ‘DecryptContent.java’ in Eclipse and this program is executed. Now, the original data is obtained. This proves that the encryption and decryption keys are in a working state and that the encryption and decryption of data is possible in this method. Now, in order to make sure that the file is stored in an encrypted format, we have to take a look at the Amazon S3 cloud, where a bucket named ‘tejatest’ has been created. Here, we have the file stored in an encrypted format. Hence, the proposed method is up and running. The flow of the method is shown in the appendix as screen shots.
Chapter 6 Analysis
Security is the first priority in any method. In order to ensure the security of the data to be stored in the cloud, we use two-step encryption and decryption. The data in the cloud is stored in encrypted format. So, even if a malicious user gets access to the data, he/she cannot get the original data. The keys used in this method for encryption and decryption are not symmetrical, so even if the malicious users get hold of one key, they cannot generate the other key and hence cannot get the original data. Firstly, the data with the user is encrypted and sent to a third party. Here, it is again encrypted and stored in the cloud. This way the data is secure in the cloud. Decryption is also done in a two-step process to ensure security of the data. A retrieval request is sent to the cloud by the third party. This request is sent when the user initiates the file retrieval. The user receives the half decrypted data from the third party and the second level of decryption is done at the user side. Hence, the user has the original data. The data stored in the cloud is on Amazon S3 and it is in encrypted form. Thus, it is proven that the mechanism works.
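The two-step flow analysed above, as an added Java example that is not the thesis's own code. AES-GCM, locally generated keys and the names TwoLayerDemo, seal and open are assumptions, since the page does not state which cipher GenerateContent uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added illustration. AES-GCM and every name here are assumptions, not the thesis's GenerateContent class.
public class TwoLayerDemo {
    // Encrypts under key and returns 12-byte nonce || ciphertext || tag.
    static byte[] seal(SecretKey key, byte[] plain) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Reverses seal(); throws AEADBadTagException on a wrong key or an altered blob.
    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey userKey = kg.generateKey();       // first key, never leaves the user
        SecretKey thirdPartyKey = kg.generateKey(); // second key, generated independently
        byte[] data = "constructed sample file".getBytes(StandardCharsets.UTF_8);
        // Upload: user layer, then third-party layer; only cloudBlob reaches storage.
        byte[] cloudBlob = seal(thirdPartyKey, seal(userKey, data));
        // Retrieval: the third party strips its layer and still holds ciphertext.
        byte[] halfDecrypted = open(thirdPartyKey, cloudBlob);
        System.out.println("third party sees plaintext: " + Arrays.equals(halfDecrypted, data));
        System.out.println("user recovers original: " + Arrays.equals(open(userKey, halfDecrypted), data));
        try { // a holder of only one key cannot open the stored blob
            open(userKey, cloudBlob);
            System.out.println("unexpected: opened with one key");
        } catch (AEADBadTagException e) {
            System.out.println("one key alone fails authentication");
        }
    }
}
```

Because GCM is authenticated, a wrong key or a modified blob is rejected outright instead of yielding garbage bytes.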
Chapter 7 Conclusion and Future Work
7.1 Conclusion
Security is the key aspect in any method and it has been the primary focus of this method. Encryption at two levels ensures that the data is safe and secure and, more importantly, it's the user who has the original data. The logical control over the data is with the user. There is no way that the third party server or the cloud can get access to the original data. So, this method will be of good use in the coming future of cloud computing security.
7.2 Future Work
This method can be extended by making the whole process automatic. This can be done by creating a GUI in Java. SoapUI, Mule Studio and Eclipse have to be connected in order to make the whole process automatic. This method can also be modified by using a different client, server and cloud, and also by changing the key mechanism of this method. Finally, by implementing this method, a cloud provider can attract a number of users.
References
[1] Research on Key Management Infrastructure in Cloud Computing Environment: Sun Lei, Dai Zishan, Guo Jindi.
[2] Implementing Digital Signature with RSA Encryption Algorithm to Enhance the Data Security of Cloud in cloud computing: Uma Somani, Kanika Lakhani, Manish Mundra.
[3] HORNS: A Homomorphic Encryption Scheme for Cloud Computing using Residue Number System. Mahadevan Gomathisankaran, Akhilesh Tyagi, Kamesh Namuduri.
[4] A Business Model for Cloud Computing Based on a Separate Encryption and Decryption Service: Jing-Jang Hwang and Hung-Kai Chuang, Yi-Chang Hsu and Chien-Hsing Wu.
[5] A Generic Scheme for Secure Data Sharing in Cloud: Yanjiang Yang, Youcheng Zhang.
[6] YI Cloud: Improving user privacy with secret key recovery in cloud storage. Zheng Huang, Qiang Li, Dong Zheng, Kefei Chen, XiangXue Li.
[7] Cloud Computing Security: From Single to Multi Clouds. Mohammed A. AlZain, Eric Pardede, Ben Soh, James A. Thom. Department of Computer Science and Computer Engineering.
[8] Cloud Computing Security Challenges and Methods to Remotely Augment A Cloud's Security Posture. Robert E. Johnson, III, Cimcor, Inc.
[9] Implementing Digital Signature with RSA Encryption Algorithm to Enhance the Data Security of Cloud in Cloud Computing. Uma Somani, Kanika Lakhani, Manish Mundra.
[10] Analysis and Research about Cloud Computing Security Protect. Yin Hu, Network center, Huang gang normal university, Huang gang, China, e-mail: huyin@hgnu.edu.cn; Haoyong Lv, Network center, Huang gang normal university, Huang gang.
[11] Cloud Hooks: Security and Privacy Issues in Cloud Computing. Wayne A. Jansen, NIST.
[12] An architecture based on proactive model for security in cloud computing. Prashant Srivastava, Satyam Singh, Ashwin Alfred Pinto, Shvetank Verma, Vijay K. Chaurasiya, Rahul Gupta. MBA & MS-CLIS Division, IIIT-Allahabad, India.
[13] Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing. Shucheng Yu, Cong Wang, Kui Ren, and Wenjing Lou. Dept. of ECE, Worcester Polytechnic Institute, Email: {yscheng, wjlou}@ece.wpi.edu; Dept. of ECE, Illinois Institute of Technology, Email: {cong, kren}@ece.iit.edu
[14] A Benchmark of Transparent Data Encryption for Migration of Web Applications in the Cloud. Ji Hu, SAP Research Center Karlsruhe, Germany; Andreas Klein, SAP Research Center Karlsruhe, Germany.
[15] A Method for Fast Revocation of Public Key Certificates and Security Capabilities. Dan Boneh, Xuhua Ding, Gene Tsudik, Chi Wing Mong.
[16] An Architecture for Secure Searchable Cloud Storage. Robert Koletka, Department of Computer Science, University of Cape Town, South Africa; Andrew Hutchison, Department of Computer Science, University of Cape Town, Cape Town, South Africa.
[17] Source: tecnorati.com
[18] http://www.mulesoft.com/mule-esb-features
[19] http://www.soapui.org/About-SoapUI/features.html
[20] http://www.eclipse.org/downloads/moreinfo/java.php
[21] http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
[22] http://www.techno-pulse.com/2011/10/cloud-deployment-private-public-example.html
[23] http://www.databarracks.com/media/93800/aws_cloud_best_practices.pdf
Appendix A
Figure A-1: Working of Mule Studio
Figure A-2: SoapUI Registration Request
Figure A-3: SoapUI Upload Document Request
Figure A-4: SoapUI Get Document Request
Figure A-5: SoapUI Registration Request Execution
Figure A-6: SoapUI Registration Request generates a token
Figure A-7: The token generated in SoapUI is placed in the ‘TestRead.java’ in Eclipse
Figure A-8: The path of the file to be stored and the token are placed in ‘TestRead.java’. Execute this and a key is obtained
Figure A-9: Place the obtained key in the content part of the SoapUI (Upload) and execute
Figure A-10: Executed screen shot of the Upload SoapUI
Figure A-11: Change the key in the Mule Studio Configuration XML to the name given in the Get Document SoapUI
Figure A-12: Document name is given and any random Id can be given. Execute this
Figure A-13: After execution we get a key in the document content
Figure A-14: Place this key and the token obtained in the first step in the DecryptContent.java and execute
Figure A-15: We get the original data
Figure A-16: Amazon Web Services
Figure A-17: A bucket named ‘tejatest’ has already been created
Figure A-18: 'rapid' file is stored in the cloud
Appendix B
Test Client: Authentication (or registration) and upload of data
package com.test.teja.client;

import java.net.MalformedURLException;
import java.net.URL;
import java.rmi.RemoteException;

import javax.xml.rpc.ServiceException;

import com.toledo.university.test.AuthenticationResponse;
import com.toledo.university.test.AuthenticationService;
import com.toledo.university.test.AuthenticationServiceServiceLocator;
import com.toledo.university.test.UploadDocumentService;
import com.toledo.university.test.UploadDocumentServiceServiceLocator;

public class TestClient {
    public static final String serviceUrl = "http://localhost:9777/services/register";
    public static final String uploadServiceUrl = "http://localhost:9777/services/upload";
    public static AuthenticationService service;
    public static UploadDocumentService uploadService;

    public static void main(String[] args) throws ServiceException, RemoteException {
        URL portAddress;
        AuthenticationResponse resp = new AuthenticationResponse();
        try {
            // Register with the third party service and obtain the user token
            portAddress = getServiceURL(serviceUrl);
            AuthenticationServiceServiceLocator locator = new AuthenticationServiceServiceLocator();
            service = locator.getAuthenticationServicePort(portAddress);
            resp = service.authenticate("userName", "email", "firstName", "lastName");
            System.out.println(resp.getToken());
            uploadcontent(resp.getToken());
        } catch (MalformedURLException e) {
            // The registration service URL could not be parsed
            e.printStackTrace();
        }
    }

    // Encrypts the local file with the token and sends it to the upload service
    private static void uploadcontent(String token) throws ServiceException, RemoteException {
        URL uploadPortAddress;
        try {
            System.err.println("call update service");
            uploadPortAddress = getServiceURL(uploadServiceUrl);
            UploadDocumentServiceServiceLocator uploadLocator = new UploadDocumentServiceServiceLocator();
            uploadService = uploadLocator.getUploadDocumentServicePort(uploadPortAddress);
            String fileName = "C:/temp/test.txt";
            String encryptContent = encryptContentData(fileName, token);
            uploadService.uploadDocument("uploadedtestdoc", encryptContent, "plain/text");
            System.err.println("upload complete");
        } catch (MalformedURLException e) {
            // The upload service URL could not be parsed
            e.printStackTrace();
        }
    }

    // First (user side) level of encryption
    private static String encryptContentData(String filename, String token) {
        GenerateContent gcon = new GenerateContent();
        return gcon.generateContent(filename, token);
    }

    private static URL getServiceURL(String url) throws MalformedURLException {
        return new URL(url);
    }
}
Test read: Encryption
package com.test.teja.client;

public class TestRead {

    /**
     * @param args
     */
    public static void main(String[] args) {
        // Path of the file to be stored
        String fileName = "C://Users//Bandaru//Documents//bin.txt";
        // Token generated by the SoapUI registration request
        String userKey = "h7ZBm1IniyalBMvzCIPNbOv6nQwELnDvVzNRhNhhobrRyDumwDbBaimj4Y6GCztrPlZ4D"
                + "oL0XYQ=";
        GenerateContent gcn = new GenerateContent();
        System.out.println(gcn.generateContent(fileName, userKey));
    }
}
Decrypt content: Decryption
package com.test.teja.client;

public class DecryptContent {

    /**
     * @param args
     */
    public static void main(String[] args) {
        // Key returned in the document content of the Get Document request
        String encryptedServerData = "vYjQ8T+wr5GmoUSotW6nUBefNFpSoxJsSkdXY4wdpp1OLPh93l7fdXYtdoZHtBpav2N6Lbl"
                + "NUYP02QRs8bDtWsIS/R/iQ0JEaiPU3wI/H+akreSzXPLM8mfQ6pG4U8Qvm7RGDfhYMr3A"
                + "C/ViuURvhz69eMmEGG+Lyb6fVaD3HrlyBdptRZFWutR4y5WsNhLRuWKJHihBzUnhnX521"
                + "5qwsRFE2VZ62XCllPRZM/ehmO6ux3sMHuPeUL02M/IgA/TMH+hLXn6xCfw=";
        // Token generated by the SoapUI registration request
        String userToken = "h7ZBm1IniyalBMvzCIPNbOv6nQwELnDvVzNRhNhhobrRyDumwDbBaimj4Y6GCztrPlZ4D"
                + "oL0XYQ=";
        GenerateContent gcn = new GenerateContent();
        System.err.println(gcn.decryptContent(encryptedServerData, userToken));
    }
}
Amazon Upload: Upload of data file into the cloud
package com.teja.authentication;

import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import com.amazonaws.auth.PropertiesCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.model.AbortMultipartUploadRequest;
import com.amazonaws.services.s3.model.CompleteMultipartUploadRequest;
import com.amazonaws.services.s3.model.InitiateMultipartUploadRequest;
import com.amazonaws.services.s3.model.InitiateMultipartUploadResult;
import com.amazonaws.services.s3.model.PartETag;
import com.amazonaws.services.s3.model.UploadPartRequest;

public class AmazonUpload {
    public static void main(String[] args) throws IOException {
        String existingBucketName = "tejatest";
        String keyName = "republicday";
        String filePath = "C:\\bandaru\\TAS\\republic-day-1.jpg";
        AmazonS3 s3Client = new AmazonS3Client(new PropertiesCredentials(
                AmazonUpload.class.getResourceAsStream("AwsCredentials.properties")));
        // Create a list of UploadPartResponse objects. You get one of these
        // for each part upload.
        List<PartETag> partETags = new ArrayList<PartETag>();
        // Step 1: Initialize.
        InitiateMultipartUploadRequest initRequest =
                new InitiateMultipartUploadRequest(existingBucketName, keyName);
        InitiateMultipartUploadResult initResponse = s3Client.initiateMultipartUpload(initRequest);
        File file = new File(filePath);
        long contentLength = file.length();
        long partSize = 5242880; // Set part size to 5 MB.
        try {
            // Step 2: Upload parts.