Research Article | Open Access
Attack on Privacy-Preserving Public Auditing Schemes for Cloud Storage
With the development of Internet, cloud computing has emerged to provide service to data users. But, it is necessary for an auditor on behalf of users to check the integrity of the data stored in the cloud. The cloud server also must ensure the privacy of the data. In a usual public integrity check scheme, the linear combination of data blocks is needed for verification. But, after times of auditing on the same data blocks, based on collected linear combinations, the auditor might derive these blocks. Recently, a number of public auditing schemes with privacy-preserving are proposed. With blinded linear combinations of data blocks, the authors of these schemes believed that the auditor cannot derive any information about the data blocks and claimed that their schemes are provably secure in the random oracle model. In this paper, with detailed security analysis of these schemes, we show that these schemes are vulnerable to an attack from the malicious cloud server who modifies the data blocks and succeeds in forging proof information for data integrity check.
With the development of Internet, cloud computing has emerged. Cloud computing is a new model of computing in contrast to conventional computing. This new paradigm allows data users to outsource their data to a cloud service provider. The term cloud refers to a thousand of virtualized servers distributed over a set of data centers with different geographical locations connected together through telecommunication links . The services on the cloud are delivered to the users as pay-as-you-go pricing model.
Although cloud computing offers various advantages to both users and the cloud service provider, and is envisioned as a promising service platform for the next generation Internet, security and privacy are the major challenges which inhibit the cloud computing wide acceptance in practice. Once data users transfer their data to the cloud, users lose their physical control over data. The outsourced data on the cloud are at risk from internal and external threats. The first threat is that the cloud service provider might delete less frequently accessed data. So, users need to make sure their data remain intact after uploading to the cloud, and data integrity check is becoming vital. As data users no longer physically possess the storage of their data and are confined by resource capability, traditional integrity checking technologies are not well suited for the cloud environment. Data users hope one-third party on their behalf to verify their data integrity. The issue of public auditing for data integrity check is proposed.
After Ateniese et al.’s first work , people proposed many public auditing schemes [3–16] for data integrity check. In a typical public auditing scheme, there are three characters, one data user, one cloud server, and one auditor. The data user transfers his data to the cloud for storage and computing. On behalf of the user the auditor, who has experience and capability, is responsible for the data integrity check. Before sending data to the cloud, the user divides a data file into many data blocks. Then, using signature technology the user generates an authentication tag for each block. These tags are sent to the cloud server with data blocks. To check the integrity of the outsourced data file, using sampling test idea, the auditor sends challenging information to the cloud server. Upon receiving the challenging information the cloud server generates a response by the data blocks and corresponding block tags and sends the response to the auditor. Then, the auditor verifies the validity of the response. If the response is valid, the auditor and the user believe the outsourced data file remain intact.
In the security model of public auditing schemes, the user is honest. But the cloud server is a semitrusted party. As mentioned earlier, the cloud server might delete less frequently accessed data for his benefit. The auditor is honest but curious. The auditor might obtain some information of the data in auditing process. So, secure public auditing scheme should also satisfy the privacy-preserving requirement. In fact, in many existing schemes, the linear combinations of data blocks are needed for verification without data privacy guarantee against the auditor. The users, who rely on the auditor just for the storage security of their data, do not want the auditing process leaking any information of their data. But, based on collected linear combinations of the same data blocks in times of check, the auditor might derive these data blocks.
Recently, some public auditing schemes [17–21] concerning privacy-preserving are proposed. In , Li et al. proposed a privacy-preserving cloud data auditing scheme with efficient key update and claimed their scheme is proved secure in the random oracle model. The difference between Li et al.’s scheme and other existing schemes is that in Li et al.’s scheme each block is further fragmented into a certain number of sectors, and the authenticator for each block is related to its each sector. In , Wang et al. proposed a privacy-preserving public auditing scheme for secure cloud storage and claimed that their scheme is provably secure and highly efficient. In , Wang et al. proposed a privacy-preserving public auditing scheme. But, in  Worku et al. showed that in Wang et al.’s scheme  the malicious cloud server can forge a signature for his any selected block. So, once the server possesses data from users, he can modify the data as he wants. Worku et al. also proposed an efficient privacy-preserving public auditing scheme and claimed that the proposed scheme is proved secure in the random oracle model. However, in this paper, we will point that these schemes [18, 19, 21] are insecure. The malicious cloud server against these schemes can break the data integrity without being found by the auditor.
The rest of the paper is organized as follows. In Section 2, we review bilinear pairing and computational Diffie-Hellman problem relevant to the security of the discussed schemes. In Section 3, we review Li et al.’s scheme. We show an attack on Li et al.’s scheme in Section 4. In Section 5, we review Worku et al.’s scheme. We demonstrate that Worku et al.’s scheme and Wang et al.’s scheme are subjected to the same attack In Sections 6 and 7, respectively. Conclusion is given in Section 8.
2.1. The Bilinear Pairing
Let be a cyclic additive group generated by , whose order is a prime , and be a cyclic multiplicative group of the same order. Let be a pairing map which satisfies the following conditions:
(1) Bilinearity: for any , thenIn particular, for any , .
(2) Nondegeneracy: there exists , such that .
(3) Computability: there is an efficient algorithm to compute for all .
2.2. Computational Diffie-Hellman (CDH) Problem
Given a generator of an additive cyclic group with order and given for unknown , one computes .
3. Brief Review of Li et al.’s Scheme
In , Li et al. proposed a privacy-preserving cloud data auditing scheme with key update. Here we review it but omit the content related to key update.
CrsGen. On input of a security parameter , this algorithm outputs a large prime and , , two multiplicative cyclic groups of the same order . is a generator of . denotes a bilinear map and represent two collision resistant cryptographic hash functions. In addition, this algorithm picks randomly and computes . The common reference string crs is .
KeyGen. On input of the common reference string crs, a cloud user generates a signing key pair , , and another key pair for generating authenticators of file blocks, where and . The secret key of the data user is and the public key is . For convenience, Let , .
AuthGen. Given a file , the data owner firstly applies erasure codes such as RS code to obtain a processed file and splits into blocks. Each block is further fragmented into sectors , which is an element of . The data user selects a file name from a sufficiently large domain. Let . The data user computes and denotes the file tag . Then, for each , the user computes an authenticator for block as Finally, the data owner storesto the cloud, where .
Proof. This is a 5-move interactive proof protocol executed between the cloud server and the auditor (TPA) as follows.
(1) The TPA picks a random integer and , computing . For , the TPA selects a random . The commitment and the challenge , which locates the positions of the challenged blocks in this auditing process, are sent to the cloud server.
(2) Upon receiving , the cloud server firstly chooses randomly and then computesand forwards to the TPA.
(3) The TPA sends to the server.
(4) The server checks if . If the equation does not hold, the server aborts. Otherwise, he computesand sends to the TPA.
(5) The TPA verifies the file tag firstly by checking if the following equation holds:Then, TPA verifies the equation
4. Attack on Li et al.’s Scheme
In this section, we show that Li et al.’s scheme is vulnerable to a modifying attack on data integrity check.
In proof phase, the malicious cloud server can change data blocks by modifying blocks sectors. He changes into respectively, where is randomly selected by the server. Other computations remain unchanged. Now, the forged proof information can pass the author’s verification.
Theorem 1. The forged proof information produced in the above analysis can pass the auditor’s verification.
Proof. In fact, But,So, passes the auditor’s verification; it is valid proof information. The malicious cloud server succeeds in modifying attack on data integrity check.
5. Brief Review of Worku et al.’s Scheme
In this section, we give a brief review of Worku et al.’s scheme , which is composed of four algorithms.
Let and be a bilinear map, where and are multiplicative cyclic groups of prime order . Let be a generator of . Let be a hash function, which maps strings to , and let be another hash function which maps group of elements of uniformly to .
KeyGen. The data user first generates a random signing key pair and then chooses and and computes . The user then states as his/her secret key and as public parameters.
SigGen. For file naming, the user chooses a random element name in for file and computes the file tag as . Next, for each block , user generates a signature as follows:Then, finally, the user sends to the cloud server for storage and deletes the file and its corresponding set of signatures from local storage. Any time when the auditor wants to start the auditing protocol, first he retrieves the file tag for and checks its validity using and quits if failed. If the proof on is correct, the auditor sends a challenge to the server. That is, the auditor picks random elements in and sends to the server where and are pseudorandom permutation keys chosen randomly by the auditor for each auditing.
ProofGen. After receiving the challenge, the server first determines the subset of set using pseudorandom permutation as and it also determines using pseudorandom function . Finally, for , server computes
For blinding, the server chooses a random element , using the same pseudorandom function, as , where is a pseudorandom function key generated by the server for each auditing. The server then calculates and computes and, then, sends to the auditor.
VerifyProof. Upon receiving the proof TPA computes and , where . Finally, the auditor verifies the proof by checking the following equation and outputs ‘‘True’’ if valid and ‘‘False’’ otherwise:
6. Attack on Worku et al.’s Scheme
In this section, we demonstrate that the malicious cloud server can break the integrity check by modification attack.
Suppose a file from the data user is divided into blocks; that is, . Let be ’s authentication tag. Let be a malicious cloud server. When receives the file , might replace each file block with . Here is randomly selected by . Upon receiving the challenge information, in ProofGen phase, can change into respectively. Other computations remain unchanged. Then, the forged proof information can pass the author’s verification.
Theorem 2. The forged proof information produced in the above analysis can pass the auditor’s verification
Proof. In fact, based on the equationsproduced by the malicious cloud server, the following derivation is established:So, passes the auditor’s verification, and it is valid proof information. The malicious cloud server that modifies the file blocks succeeds in deceiving the auditor.
7. Attack on Wang et al.’s Scheme
To save space we do not review Wang et al.’s scheme. For its detailed description, readers can refer to literature . Due to similarity, Wang et al.’s scheme is subjected to the above attack.
When the malicious cloud server receives a data file , similarly, might replace each file block with . Here is selected by . Upon receiving the challenge information, in ProofGen phase malicious cloud server can change into respectively. Other computations remain unchanged. Then, the forged proof information can pass the author’s verification.
Theorem 3. The forged proof information produced in the above analysis can pass the auditor’s verification
Proof. In fact, due to the equationsproduced by the malicious cloud server, the following derivation is established:So, passes the auditor’s verification, it is valid proof information. The malicious cloud server succeeds in deceiving the auditor.
In this paper, we analyze three existing privacy-preserving public auditing schemes for secure cloud storage. We demonstrate an attack against them. In the attack, the malicious cloud server that modifies the data blocks succeeds in forging proof information for data integrity check. As far as we know, it is an open problem to propose secure privacy-preserving public auditing schemes.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).
- M. Sookhak, H. Talebian, E. Ahmed, A. Gani, and M. K. Khan, “A review on remote data auditing in single cloud server: taxonomy and open issues,” Journal of Network and Computer Applications, vol. 43, pp. 121–141, 2014.
- G. Ateniese, R. Burns, R. Curtmola et al., “Provable data possession at untrusted stores,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 598–609, Virginia, Va, USA, November 2007.
- G. Ateniese, S. Kamara, and J. Katz, “Proofs of storage from homomorphic identification protocols,” in Proceedings of the International Conference on Theory and Application of Cryptology and Information Security: Advances in Cryptology, vol. 5912, pp. 319–333, 2009.
- R. Lu, X. Lin, T. H. Luan, X. Liang, and X. Shen, “Pseudonym changing at social spots: an effective strategy for location privacy in VANETs,” IEEE Transactions on Vehicular Technology, vol. 61, no. 1, pp. 86–96, 2012.
- N. Kaaniche, A. Boudguiga, and M. Laurent, “ID-based cryptography for secure cloud data storage,” in Proceedings of the IEEE Sixth International Conference on Cloud Computing, pp. 375–382, 2013.
- Q.-A. Wang, C. Wang, K. Ren, W.-J. Lou, and J. Li, “Enabling public auditability and data dynamics for storage security in cloud computing,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 847–859, 2011.
- J. Yuan and S. Yu, “Public integrity auditing for dynamic data sharing with multiuser modification,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, pp. 1717–1726, 2015.
- K. Zeng, “Publicly verifiable remote data integrity,” in Proceedings of the 10th International Conference on Information and Communications Security, pp. 419–434, 2008.
- Y. Zhu, H. Hu, G.-J. Ahn, and M. Yu, “Cooperative provable data possession for integrity verification in multicloud storage,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 12, pp. 2231–2244, 2012.
- Y. Zhu, H. Wang, Z. Hu, G. J. Ahn, H. Hu, and S. S. Yau, “Dynamic audit services for integrity verification of outsourced storages in clouds,” in Proceedings of the 26th Annual ACM Symposium on Applied Computing (SAC '11), pp. 1550–1557, March 2011.
- L. Xue, J. Ni, Y. Li, and J. Shen, “Provable data transfer from provable data possession and deletion in cloud storage,” Computer Standard & interfaces, March 14, 2016.
- H. Jin, K. Zhou, H. Jiang, D. Lei, R. Wei, and C. Li, “Full integrity and freshness for cloud data,” Future Generation Computer Systems, 2016.
- H. Wang, J. Domingo-Ferrer, Q. Wu, and B. Qin, “Identity-based remote data possession checking in public clouds,” IET Information Security, vol. 8, no. 2, pp. 114–121, 2014.
- J. Zhang and Q. Dong, “Efficient ID-based public auditing for the outsourced data in cloud storage,” Information Sciences, vol. 343-344, pp. 1–14, 2016.
- Y. Yu, L. Xue, M. H. Au et al., “Cloud data integrity checking with an identity-based auditing mechanism from RSA,” Future Generation Computer Systems, vol. 62, pp. 85–91, 2016.
- L. Wei, H. Zhu, Z. Cao et al., “Security and privacy for storage and computation in cloud computing,” Information Sciences, vol. 258, pp. 371–386, 2014.
- C. Wang, Q. Wang, K. Ren, and W. Lou, “Privacy-preserving public auditing for data storage security in cloud computing,” in Proceedings of the IEEE INFO-COM, pp. 525–533, March 2010.
- S. Worku, C. Xu, J. Zhao, and X. He, “Secure and efficient privacy-preserving public auditing scheme,” Computer and Electrical Engineering, vol. 40, pp. 1703–1713, 2014.
- C. Wang, S. S. Chow, Q. Wang, K. Ren, and W. Lou, “Privacy-preserving public auditing for secure cloud storage,” IEEE Transactions on computers, vol. 62, no. 2, pp. 362–375, 2013.
- J. Zhang and X. Zhao, “Privacy-preserving public auditing scheme for shared data with supporting multi-function,” Journal of Communications, vol. 10, no. 7, pp. 535–542, 2015.
- Y. Li, Y. Yu, B. Yang, G. Min, and H. Wu, “Privacy preserving cloud data auditing with efficient key update,” Future Generation Computer Systems, 2016.
Copyright © 2017 Baoyuan Kang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.