Abstract

Nowadays, Software Defined Network (SDN) develops rapidly for its novel structure which separates the control plane and the data plane of network devices. Many researchers devoted themselves to the study of such a special network. However, some limitations restrict the development of SDN. On the one hand, the single controller in the conventional model bears all threats, and the corruption of it will result in network paralysis. On the other hand, the data will be increasing more in SDN switches in the data plane, while the storage space of these switches is limited. In order to solve the mentioned issues, we propose two corresponding protocols in this paper. Specifically, one is an anonymous protocol in the control plane, and the other is a verifiable outsourcing protocol in the data plane. The evaluation indicates that our protocol is correct, secure, and efficient.

1. Introduction

Nowadays, as cloud computing develops rapidly [16], an increasing number of applications and services are transplanted to the cloud to satisfy the requirements of cloud clients. As time goes by, the burden on the cloud and the management of services and applications become heavier. In addition, the cloud is not flexible enough for the reconfiguration of the underlying networking when facing different applications. Therefore, SDN is proposed, which has caught the attention of a large number of researchers [7, 8].

SDN originates from the Clean Slate research project of Stanford University in 2006. Three years later, professor Nick McKeown proposed the specific definition of SDN. Since the data plane and the control plane of network are separated, which differs from the cloud, SDN is equipped with unprecedented flexibility [912]. As a breakthrough, SDN will never suffer from the reconfiguration of the underlying networking when facing different applications. The network devices named “SDN switches” form the data plane, which are responsible for the transmission of data packets merely. Since data transmission is an uncomplicated work and these switches should carry nothing else, the data packets on transmission can be dealt with substantially quickly, which is more suitable for the popularized network. The control plane consists of the controller, and this plane holds the global information of the whole network and controls SDN switches in the data plane. There is a unified interface named south-bound API between the control plane and the data plane, which realizes the interaction between the two planes. In a word, the management of the network can be well-bedded and convenient with the proposal of SDN.

Although SDN brings benefits to network, there are still some problems impeding its development. On the one hand, there is only one controller in the control plane of the conventional SDN model, and the single controller is the core of the whole network. Once the only controller is attacked or corrupted, the network will be imploded. In this paper, we aim to involve more than one controller in SDN, and the data transmission commands will be sent from a random and anonymous controller. On the other hand, when more and more applications are deployed in SDN, the information in the data plane will be more. Since the storage space of SDN switches is limited, the burden on these switches will be heavier as time goes by. Compared with the limited storage space in SDN switches, the space in the cloud is almost endless. Moreover, cloud storage is equipped with on-demand outsourcing function, ubiquitous network access, and location-independent resources. Hence, we aim to employ the cloud for data storage in this paper.

The main contributions of the paper are summarized as follows:(1)We propose an anonymous control protocol in the control plane. The threats on a certain controller can be relieved and SDN will be substantially more secure by the design of this protocol.(2)We design a verifiable outsourcing protocol in the data plane. Through the protocol, SDN switches with limited space can employ the cloud for data storage. In addition, the outsourced data can be verified for security.

The remainder of the paper is organized as follows. In Section 2, we present the system and security model. In Section 3, we introduce some preliminary works to allow the reader to obtain better understanding of the topic. In Section 4, we describe the two protocols in this paper in detail, including the anonymous control protocol and the verifiable outsourcing protocol. In Section 5, we present the correctness analysis, security analysis, and cost analysis of our protocols. The conclusion is drawn in Section 6.

2. Problem Statement

2.1. The System Model

In the application plane, there are many software applications, and we define the number of them as . As time goes by, the applications will be more for the popularity of SDN. In the control plane, there is traditionally one controller in the system merely. However, the network will be paralyzed when the only controller is attacked or corrupted. Therefore, we aim to deploy more than one controller in our system, the number of which is not confined to “4” in Figure 1. With several controllers, the data transmission instructions will be commanded by a random controller anonymously and the threats on a certain controller will be relieved. Suppose that there are one hundred controllers in the system; then the possibility of attacks on a certain controller can be relieved from 100% to 1%. There is a north-bound API between the application plane and the control plane, which is used for information interactions. Through north-bound API, the network can be customized by the actual requirements of each application. In the data plane, there are a large number of SDN switches, which are responsible for data transmission. Controllers command the process of transmission through the interface between the control plane and the data plane called south-bound API. Generally, the functions of south-bound API are realized through OpenFlow, which is a standardized protocol. Moreover, since we consider the limited storage in SDN switches, we introduce an additional plane—the storage plane consisting of one or more cloud service providers (CSPs). CSPs provide SDN switches with storage services in the cloud.

2.2. The Security Model

It is assumed that the introduced key generation center (KGC) is trustworthy enough and will never attack the system. Although CSPs are curious about the data in the data plane which are outsourced in the cloud, they will never collude with any switch. We say that protocols proposed in this paper are secure if the following conditions hold:(1)Unforgeability of controllers: the possibility that an adversary can pretend to be any one valid controller in the control plane and hold the public and private key pair of the controller is negligible.(2)Unforgeability of BLS-based homomorphic verifiable authenticator: CSPs will never succeed in forging the data tag of any outsourced data to deceive the challenger.(3)Resistance of replay attack: it is impossible for CSPs to generate the proof matched with the challenge using the previous proofs , without retrieving the actual cloud data .(4)Resistance of replacement attack: CSPs can never find out another valid proof of data to replace the challenged data proof, when they already discarded or damaged cloud data .

3. Preliminaries

This section presents some preliminaries to facilitate the reader’s understanding, including bilinear pairing [1316], ring signature, BLS-based homomorphic verifiable authenticator, and computational Diffie–Hellman (CDH) problem.

Definition 1 (bilinear pairing). Suppose that , , and are multiplicative cyclic groups of a large prime , and a map function is a bilinear pairing only if the following properties are satisfied:(1)Bilinearity: for all the generators and , there always exists , where .(2)Nondegeneracy: there exist and satisfying the equation .(3)Computability: for all the generators and , there exists an efficient algorithm to compute .

Definition 2 (ring signature). Given a group of entities each having public and private key pair ranging from to , suppose that the th entity is the signer, and the message is . Then, the signature on can be computed when is inputted. Anyone can check the validity of a ring signature when , , and to are given. All the members in the ring can sign a message with their own private keys and the others’ public keys without the agreement of them [1723]. With ring signature, the message can be transmitted securely and the identity of the actual signer is protected as well.

Definition 3 (BLS-based homomorphic verifiable authenticator). Given two multiplicative cyclic groups and and a bilinear pairing , select random as the private key. The public key is . The BLS-based homomorphic authenticator for some data is computed as , where is a one-way hash function. For verification, the verifier will simply check the equality of the equation [2429]. If the equation holds, the verifier will believe that the BLS-based homomorphic authenticator is valid; otherwise, the validity of the authenticator cannot be proved.

Definition 4 (CDH problem). Given and , where is a generator of and , compute .

4. The Proposed Protocol

In this section, the core part of this paper will be introduced, which consists of two protocols: the anonymous protocol in the control plane for controllers and the verifiable outsourcing protocol in the data plane for data on SDN switches, which are in Sections 4.2 and 4.3 separately. Some primary notations are introduced as follows.

4.1. Notations

As is shown in Notations section, some primary notations used in protocols are listed. , , , and are four multiplicative cyclic groups of a large prime order . is the generator of , and , are generators of . is a set of nonnegative integers less than . and are bilinear pairings. , , and are cryptographic collision-resistant hash functions from strings to elements in , , and .

4.2. The Anonymous Protocol in the Control Plane

In this section, the proposed anonymous protocol in the control plane will be described in detail, which aims to decentralize the power of and the attacks on a certain controller. Specifically, the protocol can be divided into 4 phases: setup phase, key generation phase, sign phase, and verification phase. Note that the second phase consists of 4 algorithms: partial-private-key extraction, secret-value selection, private-key generation, and public-key generation. The details of the protocol are shown as follows.

4.2.1. Setup Phase

In this phase, some preparation works are made for system setup. First, the whole network selects a trustworthy third party as a KGC, which is responsible for extracting the partial private keys in key generation phase. Then, the KGC will finish the remaining preparations.

Firstly, the KGC selects random as the master key of the network, which is kept secret by the KGC itself. Secondly, the KGC picks random generator and computes . Consequently, the secret and public key pair of the KGC is . Thirdly, the identities of all the controllers are aggregated together as a set . Finally, all the public parameters of the system are .

4.2.2. Key Generation Phase

This phase performs the generation of private and public key pairs of all the controllers, and we define that there are totally controllers in our system. In order to decentralize the power of the KGC, we aim to employ the KGC to extract the partial private keys of controllers merely. Therefore, even though the KGC is attacked by hackers or leaks out some secrets, the data and information of the system will keep secure. The detailed design of the four algorithms is shown as follows:(i)Partial-private-key extraction: this algorithm is performed by the KGC, which takes the public parameters and as input. The KGC computes and for all the controllers as the partial private keys, where ranges from 1 to . After that, the KGC sends the pair of and to each controller separately.(ii)Secret-value selection: for the generation of the complete private and public key pair, each controller selects random number as the secret value, which is kept secret by the corresponding controller itself.(iii)Private-key generation: since each controller has selected a secret value and received the partial key pair from the KGC, they will compute as the complete private key separately.(iv)Public-key generation: each controller computes as the public key, where ranges from 1 to .

Finally, the private and public key pairs for all the controllers are generated.

4.2.3. Sign Phase

Inspired by [30, 31], a certain controller will sign the message sent to SDN switches using the aux information of other controllers. We define that the message is and the identity of the randomly chosen actual signer is of the identity . In order to reduce the risk of attacks on a single controller, the signer will employ the public keys of all the other controllers to sign the message, which realizes the anonymity.

Specifically, the singer picks random and computes . If there are collisions among , the signer reselects randomly. Then, the signer computes for . Through , can be calculated by . After that, computes and . Finally, the signature on the message is and it will be sent by the controller which generates the signature to SDN switches through secure channels.

4.2.4. Verification Phase

This phase is designed to check the validity of the signature. First, the verifier computes for . Then, it checks the equality of the equationIf (1) holds, the signature is valid; otherwise, it is not.

4.3. Verifiable Outsourcing Protocol in the Data Plane

The second protocol proposed in this paper is designed for the limited storage space in SDN switches. We employ the cloud for data storage in the data plane, which is of great convenience. As for the attacks in the cloud threatening the security of these data, our protocol is designed to be verifiable, so that it can ensure the correctness and integrity of the outsourced data. Specifically, the second protocol can be divided into 2 phases: setup phase and verification phase. The following are the details.

4.3.1. Setup Phase

Setup phase is for some preparations of the protocol, which consists of two algorithms: key generation and tag generation. The public and private parameters are generated in key generation, and the tag for the outsourced data is computed in tag generation. The designs of the two algorithms are shown below.(i)Key generation: the SDN switch which wants to outsource data in cloud selects random as the private key and keeps it secret. Then, it generates . Finally, the outputs of the algorithm key generation are the private and public key pair .(ii)Tag generation: it is obvious that the data outsourced in the cloud should be encrypted. We define that the time point to outsource the data is and the identity of the switch is the concatenation of its latitude and longitude , which is unique enough. First, the switch computes . Then, the tag is calculated as . Finally, the switch uploads the data and the corresponding tags to the cloud for storage.

4.3.2. Verification Phase

The second phase performs data verification, which enables switches that outsource their data to ensure the correctness and completeness of these data. Specifically, the switch asks the cloud for the proof which indicates the integrity of the outsourced data, and the cloud should respond with the corresponding valid proof. If the proof is invalid, it will never pass the verification equation. This phase includes two algorithms: proof generation and verification proof. The details are as follows:(i) Proof generation: upon receiving the challenge request from a certain switch, the cloud should generate the corresponding data proof to claim that these data are correctly and completely stored in cloud services. Specifically, the cloud generates the tag proof and the data proof , where is randomly picked from . Then, the cloud sends the proof to the switch (challenger).(ii) Verification proof: when the switch receives the proof, it will check the validity of the proof. Specifically, the switch checks whether the equationholds. If (2) holds, the outsourced data in the cloud proves to be correct and complete; otherwise, the data is corrupted.

5. Evaluation

In this section, some analysis concerning the proposed protocols is presented, including correctness analysis, security analysis, and computational cost analysis.

5.1. Correctness Analysis

The correctness analysis of the proposed two protocols will be presented. Equation (1) can verify the signatures of controllers and (2) can verify the outsourced data of SDN switches in the cloud. Specifically, the correctness of the two equations will be elaborated separately in the following.

If (1) is correct, only the valid signatures generated by controllers can pass the verification of this equation. Otherwise, the invalid signatures can pass the verification as well. The correctness of (1) is demonstrated as follows:

If (2) is correct, only the valid proofs sent from the cloud can pass the verification of this equation. Otherwise, either the cloud or the SDN switches will be cheated by the incorrect check results. The correctness of (2) is proved as follows:

In summary, (1) and (2) are both correct, which indicates the correctness of our protocols.

5.2. Security Analysis

We will prove the security of our protocols with proofs of the following several theorems.

Theorem 5. In the anonymous protocol, the adversary can never pretend to be any controller in the control plane to generate a valid signature. In other words, the signature signed by the adversary will never pass verification phase.

Proof. We define that the adversary has not been broken through KGC and has no knowledge about the partial private keys of controllers. In order to forge a valid signature, the adversary should compute the complete private key for a controller. The private key is computed as , where . Since the adversary has no knowledge of and , the possibility of generating the correct private key of a controller is negligible. In this theorem, although and are known to the adversary, it is difficult for the adversary to figure out , due to the CDH problem in bilinear groups. Therefore, the adversary will fail to forge a valid signature of any controller.

Theorem 6. In the verifiable outsourcing protocol, the BLS-based homomorphic verifiable authenticator cannot be forged by any adversary if the computational Differ-Hellman assumption in bilinear pairing holds.

Proof. This theorem suggests that forging an BLS-HVA is computationally infeasible. As shown in the security analysis of the protocol in Shen et al. [5], the HVA scheme has been proved to be effectively unforgeable, the reason for which is that BLS is secure when the CDH problem is difficult in bilinear groups. The proof can be found in [5] and is omitted here.

Theorem 7. In the verifiable outsourcing protocol, replay attacks would be never effective. In other words, the cloud can never pass the verification if it responds to the challenges with some previous information.

Proof. We define that in the replay attack game, the cloud does not protect the challenged data of the switch. In order to pass the verification, the cloud finds out a previous version of these data and sends the corresponding proof to the switch. Since the verification equation is in the verification proof, where the time to outsource the data is , obviously, data of different versions are outsourced at different times. Hence, the replay attacks can never succeed under our protocol.

Theorem 8. In the verifiable outsourcing protocol, replacement attacks would never work. In other words, the cloud can never pass verification if it responds the challenges with other switches’ completely preserved information.

Proof. We define that in the replacement attack game, the challenged data in cloud is corrupted for some reasons. In order to pass the verification, the cloud decides to send the perfectly protected data information of some other switches back to the challenger. Consequently, the proof will be . Since the equation is in the verification proof, where indicates the unique and specific location of the switch, obviously, though the time to outsource the data is exactly the same, the locations of any two different switches differ from each other. Hence, the replacement attacks will never succeed in our design.

5.3. Computational Cost Analysis

The computational cost analysis of the two protocols is presented in this section. In addition, some simulation experiments have been conducted to prove the low cost of our protocols. The experiments were performed by C programming language with the pairing-based cryptography (PBC) library and the GUN multiple precision arithmetic (GMP) library on a VMware workstation machine with Intel Core i5-2450M processors running at 2.50 GHz and 12 G memory, Ubuntu 12.04 × 64.

First, the brief descriptions of the cost of the two protocols will be introduced. For simplicity, we denote multiplication as , modular exponentiation as , and hash function as . As for the anonymous protocol in the control plane, it costs in setup phase, in key generation phase, and in sign phase, where is the number of controllers in the control plane. As for the second protocol in the data plane, it costs in key generation algorithm, in tag generation algorithm, and in proof generation algorithm, when an SDN switch outsources its data.

Then, the experimental results will be analyzed. In Figure 2, the time cost of the system changes with the increase of the number of controllers in the control plane. It is obvious that when there are more controllers, the computational cost of the system will be higher. However, when there are more controllers in the control plane, the system will be more secure in practical terms. Hence, for different applications, there exists a tradeoff between energy and security in the choice of the specific number of controllers. Figure 3 describes the computational cost of each algorithm in the verifiable outsourcing protocol in the data plane. It is clear that outsourcing the data of an SDN switch to the cloud costs about 0.018 seconds. Compared with the limited storage space in these switches, using 0.018 seconds to trade off on-demand and convenient storage service is worthwhile.

6. Conclusion

In this paper, two protocols are proposed to realize anonymous control and cloud based data protection in SDN. The first protocol in the control plane employs the ring signature technique, which makes the controller anonymously command the process of data transmission over the SDN switches. The second protocol in the data plane employs the storage services in cloud computing, which extends the limited storage space of SDN switches. Moreover, the data outsourcing is secure enough for its verifiability. Finally, the evaluation demonstrates the correctness, security, and efficiency of our protocols.

Notations

, , , :Multiplicative cyclic groups
:Prime order of , , ,
, , :Generators of multiplicative cyclic groups
:Set of nonnegative integers less than
:A bilinear pairing
:A bilinear pairing
:Cryptographic collision-resistant hash function
:Cryptographic collision-resistant hash function
:Cryptographic collision-resistant hash function.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work is supported by the National Science Foundation of China under Grants no. 61672295, no. 61672290, no. 61772280, no. U1405254; the State Key Laboratory of Information Security under Grant no. 2017-MS-10; the 2015 Project of six personnel in Jiangsu Province under Grant no. R2015L06; the CICAEET fund; and the PAPD fund.