Elsevier

Computer Communications

Volume 174, 1 June 2021, Pages 1-12

HBRSS: Providing high-secure data communication and manipulation in insecure cloud environments

https://doi.org/10.1016/j.comcom.2021.03.018

Abstract

Cloud storage and cloud services give IoT users greater computing power and distributed computing capability at minimal cost. However, the security issues of the cloud have always limited the development of cloud computing and storage. Meanwhile, the channel instability and exposure of the public network challenge the security of data in transmission (the HTTPS protocol cannot guarantee the security of data after servers receive it). Even if homomorphic encryption can protect IoT users' sensitive data, attackers can still infer sensitive user behaviors by observing how frequently cloud services are used. To solve these problems, in this paper we propose a novel data transmission structure named HBRSS for high-security data transmission and data processing in insecure cloud environments and channels. HBRSS uses a proposed data-splitting principle to divide the data into blocks, packages the block data, and forms a block ring based on the concept of blockchain to ensure the non-tamperability and non-destructibility of data. In addition, we propose an improved partial homomorphic encryption algorithm, which adds fuzzy processing for the data service functions to improve function privacy. We also build a virtual mistrusted cloud service scene using Docker and Kubernetes to evaluate our method's performance; it can also be used as a standard attack drill platform on which researchers can test their own security algorithms. To the best of our knowledge, this platform is the first open-source automatic cloud attack exploitation system that contains attacks against browsers, channels, and servers. The experimental results indicate that our new encryption algorithm brings a larger key space and lower power consumption compared with some encryption algorithms.

Introduction

With the increasing popularity of the Internet of Things (IoT), massive amounts of data are generated every day. However, because the perception devices in the IoT are resource-limited, the collected data need to be continuously uploaded to the cloud server. Besides, communication in the cloud environment takes place over the internet [1], which faces many threats, and IoT data in transit is likely to be eavesdropped on or tampered with by attackers. The homomorphic security system (HSS), an encryption algorithm for processing massive data in cloud computing, has attracted wide attention from academia. Based on HSS, many methods have been proposed to ensure data security and privacy. In 2009, Gentry proposed the first fully homomorphic encryption system using ideal lattices [2], but the computational overhead of fully homomorphic encryption (FHE) is enormous. To improve the efficiency of homomorphic encryption algorithms, researchers proposed the somewhat homomorphic encryption (SWHE) [3] model, which has low overhead. But the security of SWHE is sometimes slightly weaker than that of FHE.

To achieve the secure processing of encrypted images, Lizhi Xiong et al. [4] propose a high-capacity reversible data hiding scheme based on SWHE. In their scheme, the image provider divides the original image into groups of three adjacent pixels and encrypts each group with SWHE. The encrypted image is then sent to the data hider, who divides the ciphertext pixels into groups of three adjacent pixels and obtains the absolute difference histogram. By shifting the histogram, the additional data can be embedded in the encrypted image. On the receiving side, the receiver can obtain the additional information using the data hiding key. Finally, based on the auxiliary information and the decryption key, the original image can be restored. But if an attacker sequentially obtains the encrypted data sent by the image provider, the original data may be inferred.

HSS brings high security for private data, but it can only be used after the data reaches the cloud server, which means that an attacker may be able to modify the ciphertext during data transmission. Current encryption models can, to a large degree, stop an attacker from cracking the data, but almost none of them can protect the data from an insecure cloud (HE may ensure the semantic security of users' sensitive data, but it still allows a malicious cloud to collect and analyze users' behavior (f()), which may let the cloud infer users' sensitive data).

Cyber attack ranges [5], [6], [7], [8], [9] give researchers the opportunity to verify the performance of their proposed attack or defense strategies. Although some cloud environment ranges have been built, they still have a large number of problems. Firstly, almost all of them aim at finding vulnerabilities that exist in the cloud [10], [11]; the malicious cloud, i.e., one that automatically launches attacks against users' sensitive data on the cloud, is not considered. Besides, the vast majority of them are not completely open source [12], [13], [14]. Finally, there is a huge difference between the attack ranges and commercial cloud platforms [10], [15], which means they are not practical enough.

How to prevent IoT users' data from being tampered with and collected by an insecure cloud has become the pivotal issue in cloud security. However, because it is difficult to establish practical insecure cloud environments and to design high-security, low-overhead algorithms, researchers have always focused on reinforcing the security of the cloud environment (i.e., preventing attacks against the cloud environment) and of the communication channel. To the best of our knowledge, preventing attacks on user data from insecure clouds is a largely underexplored domain. In this paper, we design a novel cloud security system that keeps data highly secure while it is transmitted over the network. In our model, the data structure is a blockchain-typed ring. More concretely, before data is sent it is split into several blocks; each block contains, apart from its part of the original encrypted data, a hash value of the previous block and a block ID. The last block records the hash of the first block, and so a block-ring is built. Besides, a timestamp is added to the ring to guard against fake data. To sum up, the block-ring lets authorized users operate homomorphically on the server-side data, while during transfer the closed ring guarantees that the data is protected from malicious tampering by unauthorized users (attackers). Besides, the block-ring also protects the data from eavesdropping attacks and illegal data analysis, since the blocks are divided and re-ordered randomly.
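The block-ring layout described above, as an added sketch that is not code from the paper. SHA-256, the JSON field names, a link hash that covers only a block's ID, chunk and timestamp, the wrap-around link from the first block back to the last, and the 300-second freshness window are all assumptions; `ciphertext` stands for bytes that are already encrypted.

```python
import hashlib
import json
import random

FIELDS = {"id", "data", "timestamp", "prev_hash"}  # assumed block layout

def payload_hash(block):
    """SHA-256 over the fields a link protects: ID, ciphertext chunk, timestamp."""
    payload = {k: block[k] for k in ("id", "data", "timestamp")}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

def build_ring(ciphertext, n_blocks, timestamp):
    """Split ciphertext into chunks, link them into a ring, shuffle for sending."""
    if n_blocks < 2 or len(ciphertext) < n_blocks:
        raise ValueError("need at least two blocks and one byte per block")
    size = -(-len(ciphertext) // n_blocks)  # ceiling division
    chunks = [ciphertext[i:i + size] for i in range(0, len(ciphertext), size)]
    ring = [{"id": i, "data": c.hex(), "timestamp": timestamp}
            for i, c in enumerate(chunks)]
    for i, block in enumerate(ring):
        # ring[i - 1] wraps to the last block for i == 0 (assumed closing link)
        block["prev_hash"] = payload_hash(ring[i - 1])
    ring[-1]["first_hash"] = payload_hash(ring[0])  # closure stated in the text
    random.shuffle(ring)  # blocks are re-ordered randomly before sending
    return ring

def verify_ring(blocks, now, max_age=300):
    """Return (ciphertext, None) for an intact ring, else (None, reason)."""
    if any(not isinstance(b, dict) or not FIELDS <= b.keys()
           or not isinstance(b["id"], int) or not isinstance(b["data"], str)
           for b in blocks):
        return None, "malformed block"
    ring = sorted(blocks, key=lambda b: b["id"])
    if len(ring) < 2 or [b["id"] for b in ring] != list(range(len(ring))):
        return None, "missing or duplicated block"
    stamp = ring[0]["timestamp"]
    if not isinstance(stamp, (int, float)) or any(b["timestamp"] != stamp for b in ring):
        return None, "inconsistent timestamp"
    if not 0 <= now - stamp <= max_age:
        return None, "stale or future timestamp"
    for i, block in enumerate(ring):
        if block["prev_hash"] != payload_hash(ring[i - 1]):
            return None, f"link into block {i} broken"
    if ring[-1].get("first_hash") != payload_hash(ring[0]):
        return None, "ring not closed"
    try:
        return b"".join(bytes.fromhex(b["data"]) for b in ring), None
    except ValueError:
        return None, "malformed block"

if __name__ == "__main__":
    sample = bytes(range(40))  # constructed stand-in for ciphertext bytes
    print(verify_ring(build_ring(sample, 4, timestamp=1000), now=1010))
```

The hashes here are unkeyed, so the check catches edited, dropped or replayed blocks from a captured ring but not a ring rebuilt end to end; how the ring as a whole is authenticated is outside this sketch.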

We also propose a corresponding homomorphic encryption model based on the Paillier cryptosystem, named the homomorphic block ring encryption model (HBREM or HBR). HBR helps users handle data quickly when they build the block-ring and ensures security during data processing. Compared with some other HE schemes operating in a block-ring, HBR brings higher security and dramatically improves homomorphic encryption efficiency. The data (ciphertext) is divided into a certain number of blocks based on our split standard. These blocks are stored sequentially and connected into a ring. With HBR, all blocks in the ring are homomorphically processed quickly after the cloud server receives them. Meanwhile, HBR also retains all the benefits of the HE model. To verify the efficiency of our method, we develop, for the first time, an open-source insecure cloud architecture that is similar to current mainstream commercial-level cloud services and cloud storage. The main contributions of our method are as follows:

A data transmission structure named HBRSS is proposed for high-security data transmission and data processing in public networks and mistrusted cloud environments. Based on the concept of blockchain, a data splitting standard is designed that divides the data into blocks, packages the block data and forms a block ring to ensure the non-tamperability and non-destructiveness of the data. The ring structure ensures that data stored in blocks cannot be monitored or modified by unauthorized users during transmission, and only authorized users can perform homomorphic operations on the data. Other encryption algorithms (e.g. ECC, RSA) cannot achieve this function, because the block-ring has the same property as a blockchain, namely, it is determined by the hash value of the previous block, which cannot be modified under any condition. Besides, as the HBR is a ring, it is almost impossible for an attacker to find the source node of the ring, which protects the data from eavesdropping attacks when users upload or download their private data from the cloud. The timestamps can be used to verify whether the data is fake. The malicious cloud cannot illegally analyze the sensitive data of users or inject malicious code into the returned results.

A Paillier-based homomorphic encryption function is proposed to help the cloud server build a block-ring more quickly and safely than with other homomorphic encryption models. Fuzzy processing for the data service functions prevents the cloud service from learning the frequency of requests to the cloud and the preferred services, i.e., it improves function privacy. In addition, because of the homogeneity between the fuzzy functions and the target function, the data can be processed in the distrusted cloud. Compared with the conventional Paillier homomorphic cryptosystem, our method has much lower complexity and much higher security. If we compare the HBR with FHE and Paillier, the encryption time and resource usage are about a quarter of those of FHE and Paillier.

A scalable automatic attack drill platform is established for the client, the communication channel, and the cloud server. This platform is completely open-source and includes attacks by an insecure cloud service (e.g. illegal data analysis, illegal data collection, etc.), communication channel attacks during network communication, and the embedding of Trojans in the returned results. To the best of our knowledge, the platform provides a unified scenario for academic verification, and it is the first open-source automatic cloud attack exploitation platform that contains attacks against browsers, channels, and servers.

We design a comprehensive experiment to test the performance of different methods. From the experiments, we find that the CPU and memory utilization of HBRSS is nearly half that of the Paillier homomorphic cryptosystem and 30% that of FHE. In encryption time, HBRSS is also much better than these two methods.

The remainder of this paper is organized as follows. We introduce related work on the homomorphic security system in Section 2. Somewhat homomorphic encryption and fully homomorphic encryption are briefly described in Section 3. Section 4 outlines the problem and threat model. In Section 5 (Establishing the attack drill platform) and Section 6 (Homomorphic block-ring security system design), the structure and principle of the novel security system are discussed in detail. The experiments and performance evaluation of the homomorphic block-ring encryption model and the homomorphic block-ring security system are given in Section 7. Finally, Section 8 concludes the paper and describes future work.

Section snippets

Related work

Saurabh Singh et al. [1] analyze cloud security from a broad perspective and discuss existing related problems. Besides, they provide efficient security requirements and some better encryption methods for the cloud environment. Weihong Han et al. [16] introduce the Network Security Situation Awareness System YHSAS, which can achieve the Collection and High-Dimensional Vector Space Analysis. Besides, YHSAS includes Knowledge Representation and Management of Super Large-Scale Network Security, Multi-Level,

Preliminary

Homomorphic Encryption (HE) was proposed by Rivest et al. [3], [41], [42] in 1978; it allows a trusted third party to process encrypted data without decryption. Gentry was the first to construct a fully homomorphic encryption (FHE) scheme [2] that is plausible and achievable.

Problem model

To improve the availability and security of data, researchers have proposed many homomorphic encryption-based models in recent years. In these studies, the contradiction between efficiency and security has become the key concern.

In the fully homomorphic encryption-based models, since the encryption function is random and people can operate the function at any time, the security of FHE is much higher than that of SWHE. But for the SWHE-based models, the efficiency of them

System structure of attack drill platform

The system architecture of our attack drill platform is shown in Fig. 2, which is built based on Docker and Kubernetes. The reasons why we use Docker are shown as follows:

The quick and lightweight container: Compared with traditional virtualization technologies, containers have a lower performance loss on CPU, memory, network IO and other resources.

Once built, running everywhere: The produced image packages the applications, dependencies, and runtime environments that are needed to run the

Homomorphic block-ring security system design

To counter eavesdropping attacks during data transmission and improve the speed and security of data processing in the cloud, in this section we propose the homomorphic block-ring security system, which generates a block-typed ring structure and improves data security dramatically. In Section 6.1, we introduce the basic model of our security system. In Section 6.2, the data processing method is discussed in detail. In Sections 6.3 and 6.4, we will introduce how to build the homomorphic

Insecure cloud attack drill platform

This section shows the hardware and software requirements for building the attack drill platform. The detailed requirements are shown in Table 1.

Table 2 lists the attacks that we currently support launching on the insecure cloud. We should note that attackers can still launch eavesdropping attacks or tampering attacks if they just want to capture encrypted packets or destroy the encrypted data. The entry "if use HTTP" in this table means attackers can capture or modify the user's plaintext successfully.

Conclusion

In this paper, we propose a homomorphic block-ring security system (HBRSS) that keeps data highly secure during transmission and lets any third party process encrypted data quickly and safely. The encrypted data is divided into a certain number of blocks. These blocks are stored and connected into a ring. Besides, during the data transmission, we can highly protect data from eavesdropping attacks and tampering attacks from unauthorized users, and flaws injection attacks and

CRediT authorship contribution statement

Hui Xie: Theoretical development, System or experimental design, Prototype development, Designed the HBRSS system model and the encryption algorithm, Designed and implemented the verification experiment of overall algorithm security. Zhengyuan Zhang: Theoretical development, Analysis and interpretation of data associated with the work contained in the article, Approved the final version of the article as accepted for publication, Sorted out all the references, Wrote all the chapters together

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work was supported by the Defense Industrial Technology Development Program JCKY (Grant no. 2017204B063).

References (45)

  • Saurabh Singh et al., A survey on cloud computing security: Issues, threats, and solutions, J. Netw. Comput. Appl. (2016)
  • Xixun Yu et al., Verifiable outsourced computation over encrypted data, Inf. Sci. (2019)
  • C.C. Holt, Forecasting seasonals and trends by exponentially weighted moving averages, Int. J. Forecast. (2004)
  • Craig Gentry, Fully homomorphic encryption using ideal lattices
  • Abbas Acar et al., A survey on homomorphic encrypting schemes: Theory and implementation, ACM Comput. Surv. (2018)
  • L. Xiong et al., High-capacity reversible data hiding for encrypted multimedia data with somewhat homomorphic encryption, IEEE Access (2018)
  • T. Debatty, W. Mees, Building a cyber range for training CyberDefense situation awareness, in: 2019 International...
  • Ryan Brunner et al., Design for an educational cyber range
  • M. Kianpour, S. Kowalski, E. Zoto, C. Frantz, H. Øverby, Designing serious games for cyber ranges: A socio-technical...
  • B. Ferguson, A. Tall, D. Olsen, National cyber range overview, in: 2014 IEEE Military Communications Conference, 2014,...
  • E. Russo, G. Costa, A. Armando, Scenario design and validation for next generation cyber ranges, in: 2018 IEEE 17th...
  • H. Winter, System Security Assessment Using a Cyber Range, vol. 2012 (2012)
  • J. Vykopal, M. Vizvary, R. Oslejsek, P. Celeda, D. Tovarnak, Lessons learned from complex hands-on defence exercises in...
  • Cyber range, website (2018)
  • Raytheon cyber range, website (2020)
  • Cisco Systems, Cisco cyber range, website (2017)
  • Z. Tian et al., A real-time correlation of host-level events in cyber range service for smart campus, IEEE Access (2018)
  • Weihong Han et al., System architecture and key technologies of network security situation awareness system YHSAS, Comput. Mater. Continua. (2019)
  • Zhiliang Deng et al., Blockchain-based trusted electronic records preservation in cloud storage, Comput. Mater. Continua. (2019)
  • Shahid Dildar Muhammad, Khan Nayeem, Bin Abdullah Johari, Shahid Khan Adnan, Effective way to defend the hypervisor...
  • Tansu Alpcan Yi Han, Christopher Leckie, Virtual machine allocation policies against co-resident attacks in cloud...
  • Xiaojun Zhang et al., Efficient fully homomorphic encryption from RLWE with an extension to a threshold encryption scheme, Future Gener. Comput. Syst. (2014)

1 These authors contributed equally to this work and should be considered co-first authors.