A Secure Client Access to Encrypted Cloud Databases


  • 7/24/2019 A Secure Client Access to Encrypted Cloud Databases



    A Secure Client Access to Encrypted Cloud Databases




    MASTER OF ENGINEERING (Computer Engineering)


    Dattatray B. Pawar Exam No:

    Under the guidance of

    Prof. V. S. Gaikwad

    Department of Computer Engineering

    JSPM Narhe Technical Campus, Narhe, Pune

    Rajarshi Shahu School of Engineering and Research

    Academic Year 2014-15





    Rajarshi Shahu School of Engineering and Research

    Narhe Tal.Haweli Dist.Pune-41



    This is to certify that the seminar report entitled

    A Secure Client Access to Encrypted Cloud Databases

    Submitted by

    DATTATRAY B. PAWAR Exam Seat No:

    is a bonafide work carried out by him under the supervision of Prof. V. S. Gaikwad and it is approved for the partial fulfillment of the requirement of Savitribai Phule University, Pune, for the award of the degree of Master of Engineering (Computer Engineering).

    Prof. V. S. Gaikwad

    Internal Guide        External Examiner

    Dr. Sulochana Sonkamble Dr. D.M. Yadav

    HOD Director






    I hereby take this opportunity to express my heartfelt gratitude towards the people whose help was very useful to complete my seminar work on the topic of A Secure Client Access to Encrypted Cloud Databases. It is my privilege to express sincerest regards to my Dissertation Guide Prof. V. S. Gaikwad for his valuable inputs, valuable guidance, encouragement, whole-hearted cooperation and constructive criticism throughout the duration of my dissertation work.

    I deeply express my sincere thanks to our HOD Dr. Mrs. S. B. Sonkamble for encouraging and allowing us to present the dissertation at our department premises for the partial fulfilment of the requirements leading to the award of M.E. degree.

    I am also thankful to our Director Dr. D. M. Yadav and the management. I would also like to thank all the faculties who have cleared all the major concepts that were involved in the understanding of the techniques behind my dissertation report. The Dissertation Report is based on research work in Distributed, concurrent and independent access to encrypted cloud databases. I am very much thankful to Author for such a precious work.

    DATTATRAY B. PAWAR
    M.E. (Computer Engineering)




    CSP : Cloud Service Provider

    SLA : Service Level Agreement

    CSA : Cloud Security Alliance

    SaaS : Software as a Service

    IaaS : Infrastructure as a Service

    PaaS : Platform as a Service

    DBaaS : Database as a Service

    DBA : Database Administrator





    Data security and confidentiality are crucial factors when considering cloud databases. Data originality and reliability impose extra attention on cloud databases and their service provisioning. Putting critical data in the hands of a cloud provider should come with the guarantee of security and availability for data at rest, in motion, and in use. Several alternatives exist for storage services, while data confidentiality solutions for the database as a service paradigm are still immature. The efficacy of the proposed architecture is evaluated through theoretical analyses and extensive experimental results based on a prototype implementation subject to the TPC-C standard benchmark for different numbers of clients and network latencies.

    This is the first solution supporting geographically distributed clients to connect directly to an encrypted cloud database, and to execute concurrent. We propose a novel architecture that integrates cloud database services with data confidentiality and the possibility of executing concurrent operations on encrypted data. We cannot apply fully homomorphic encryption schemes because of their excessive computational complexity.

    Keywords: Cloud security, encryption, confidentiality, SecureDBaaS, database.





    1 Introduction
        1.1 Dissertation prerequisite
            1.1.1 Cloud service models
            1.1.2 Cloud Deployment Models
            1.1.3 Cloud Security Issues
        1.2 Objective
    2 Problem statement
    3 Motivation
    4 Literature Survey
    5 Methodology
        5.1 Design of framework
            5.1.1 Cloud Database server
            5.1.2 Communication mechanism
        5.2 Algorithms of Existing System
    6 Existing System With Mathematical Model
    7 Proposed System With Mathematical model
    8 Implementation
    9 Data Table and Discussion
    10 Conclusion




    Chapter 1

    Introduction


    In a cloud context, where critical information is placed in infrastructures of untrusted third parties, ensuring data confidentiality is of paramount importance [1], [2]. This requirement imposes clear data management choices: original plain data must be accessible only by trusted parties that do not include cloud providers, intermediaries, and Internet; in any untrusted context, data must be encrypted. Satisfying these goals has different levels of complexity depending on the type of cloud service. There are several solutions ensuring confidentiality for the storage as a service paradigm (e.g., [3], [4], [5]), while guaranteeing confidentiality in the database as a service (DBaaS) paradigm [6] is still an open research area. In this context, we propose SecureDBaaS as the first solution that allows cloud tenants to take full advantage of DBaaS qualities, such as availability, reliability, and elastic scalability, without exposing unencrypted data to the cloud provider.

    The architecture design was motivated by a threefold goal: to allow multiple, independent, and geographically distributed clients to execute concurrent operations on encrypted data, including SQL statements that modify the database structure; to preserve data confidentiality and consistency at the client and cloud level; to eliminate any intermediate server between the cloud client and the cloud provider. The possibility of combining availability, elasticity, and scalability of a typical cloud DBaaS with data confidentiality is demonstrated through a prototype of SecureDBaaS that supports the execution of concurrent and independent operations to the remote encrypted database from many geographically distributed clients as in any unencrypted DBaaS setup. To achieve these goals, SecureDBaaS integrates existing cryptographic schemes, isolation mechanisms, and novel strategies for management of encrypted metadata on the untrusted cloud database. This paper contains a theoretical discussion about solutions for data consistency issues due to concurrent and independent client accesses to encrypted


    In this context, we cannot apply fully homomorphic encryption schemes [7] because of their excessive computational complexity. The SecureDBaaS architecture is tailored to cloud platforms and does not introduce any intermediary proxy or broker server between the client and the cloud provider. Eliminating any trusted intermediate server allows SecureDBaaS to achieve the same availability, reliability, and elasticity levels of a cloud DBaaS. Other proposals (e.g., [6], [7], [8]) based on intermediate server(s) were considered impracticable for a cloud-based solution because any proxy represents a single point of failure and a system bottleneck that limits the main benefits (e.g., scalability, availability, and elasticity) of a database service deployed on a cloud platform. Unlike SecureDBaaS, architectures relying on a trusted intermediate proxy do not support the most typical cloud scenario where geographically dispersed clients can concurrently issue read/write operations and data structure modifications to a cloud database. A large set of experiments based on real cloud platforms demonstrate that SecureDBaaS is immediately applicable to any DBMS because it requires no modification to the cloud database


    Other studies where the proposed architecture is subject to the TPC-C standard benchmark for different numbers of clients and network latencies show that the performance of concurrent read and write operations not modifying the SecureDBaaS database structure is comparable to that of unencrypted cloud database. Workloads including modifications to the database structure are also supported by SecureDBaaS, but at the price of overheads that seem acceptable to achieve the desired level of data confidentiality. The motivation of these results is that network latencies, which are typical of cloud scenarios, tend to mask the performance costs of data encryption on response time. The overall conclusions of this paper are important because for the first time they demonstrate the applicability of encryption to cloud database services in terms of feasibility and


    1.1 Dissertation prerequisite

    1.1.1 Cloud service models

    Cloud service models have achieved a major place in the cloud computing area. The service model helps to dictate an organization's scope and control over its computational resources, and characterizes a level of service for its use.


    Software as a Service is a service delivery model providing applications and computational resources for use on demand by the service user. The purpose of this model is to reduce the total development cost, including maintenance and operations. Security is the responsibility of the cloud provider. The cloud consumer isn't involved in control and management of cloud infrastructure or personal applications, except for priority selections and very few administrative application settings.[3]




    Platform as a Service is a service delivery model that provides a computing platform on which applications can be developed and deployed. The motivation behind this model is to minimize the cost and complexity of purchasing, hosting, and managing the platform, including programs and databases. The development culture is typically provided by the cloud provider and supplemented to the design and architecture of its platform.[3]


    Infrastructure as a Service is a service delivery model in which basic computing infrastructure, including servers, software, and network equipment, is provided as an on-demand service. A platform for developing and executing applications can be established on it. The main aim is to avoid purchasing and managing software and infrastructure components, and instead get such resources as virtualized objects controllable via a service interface. The cloud user has great freedom in the choice of operating system and development environment to be used. Security is the sole responsibility of the cloud consumer.[3]


    Database as a Service (DBaaS) will potentially be the next big era in IT. It is a service that is hosted by a cloud operator (public or private) and includes applications, where the application team doesn't have any responsibility for traditional database administration. With a DBaaS, the application developers need not be database experts, and there is no need to hire a database administrator (DBA) to operate and maintain the database.[6] The recent market analysis from 451 Research projects a stunning 86 percent progressive annual growth rate, with revenues from DBaaS providers rising from 150 million dollars in 2012 to 1.8 billion dollars by 2016.[1] DBaaS is gaining popularity because it lets businesses set up new databases quickly with high security and at very minimal cost. DBaaS offers organizations faster deployment, elasticity, fair consolidation efficiency, higher availability, and minimal cost and complexity.[2],[4] The following facts show why DBaaS will hit the upcoming IT market.

    1. DBaaS reduces database straggle.

    2. Supports ease of provisioning.

    3. Enhances high security with minimal complexity.

    1.1.2 Cloud Deployment Models

    Four deployment models are present for cloud service solutions:

    Private cloud

    Infrastructure provided for a private organization. It may be the responsibility of the organization to manage it, or a third party can manage it. Such a cloud may exist on the premise or off the premise.

    Community cloud

    Many organizations share the infrastructure and support a distinct community that has general concerns. The organizations can manage it, or a third party can operate it. Such a cloud may exist on the premise or off the premise [3].

    Public cloud

    This cloud infrastructure is available to the public or a large industry group. An organization may own it to sell cloud services [3]. Workload migration from private cloud to public cloud has increased. The average workload in the public cloud will not differ much from that in the private cloud.

    Hybrid cloud

    The cloud infrastructure is a combination of two clouds (private, community, or public). Each keeps its own properties, but they are bound together by standard or proprietary techniques that enable communication of data and applications.

    1.1.3 Cloud Security Issues

    Data security is an important aspect where quality of service is considered a prime focus. Cloud computing undoubtedly raises new security threats for various reasons. Traditional cryptosystems cannot be directly used because the user does not have control over data under cloud computing. Checksum for correct data storage in the cloud must be done without knowledge of the whole database or data.


    In the cloud, trust relies on the deployment model, as it provides administration of data. Trust is considered a mandatory security policy in old architectures. In a public cloud, whoever owns the infrastructure has control over it. When a public cloud is deployed, the infrastructure owner is supposed to give all assurance regarding suitable security policies so that security-related risks are reduced. Security is then a matter of trusting the processes or implementations put in place by the owner. Deployment models must be differentiated from one another: a private cloud infrastructure is controlled by a private organization and does not need any other security policies, as the organization maintains the same trust level.[10]


    The CSA (Cloud Security Alliance) has discovered various cloud computing threats during the last year. The report reflects the current issues among experts across the IT business industry analysed by CSA, pointing to threats specifically related to the shared-technology, on-demand service nature of cloud computing.

    1.2 Objective

    To provide security based architecture to cloud users.

    To provide data confidentiality with minimal latency and improved throughput over cloud


    To maintain better trust relation between cloud user and cloud service provider.



    Chapter 2

    Problem statement


    Throughput for increasing numbers of concurrent clients in contexts characterized by modifications of the database structure is supported, but at the price of high computational costs. Existing encryption techniques impose high time complexity over the cloud, which causes performance degradation.




    Chapter 3

    Motivation


    To provide secure access to multiple users with high confidentiality.

    To establish reliable and consistent connection between client and cloud database service


    To provide security based architecture to cloud users.

    To provide data confidentiality with minimal latency and improved throughput over cloud


    To maintain better trust relation between cloud user and cloud service provider.




    Chapter 4

    Literature Survey


    [1] Ariel J. Feldman, William P. Zeller, Michael J. Freedman, and Edward W. Felten have published a paper on Group Collaboration using Untrusted Cloud Resources. They have implemented a system that provides a generic collaboration service in which users can create a document, modify its access control list, edit it concurrently, experience fully automated merging of updates, and even perform these operations while disconnected. The system framework supports a broad range of collaborative applications. Data updates are encrypted before being sent to a cloud-hosted server. The server assigns a total order to all operations and redistributes the ordered updates to clients. If a malicious server drops or reorders updates, the system's clients can detect the server's misbehaviour, switch to a new server, restore a consistent state, and continue. The same mechanism that allows the system to merge correct concurrent operations also enables it to transparently recover from attacks that fork clients' views.

    [2] Jinyuan Li, Maxwell Krohn, David Mazières, and Dennis Shasha have published a paper on Secure Untrusted Data Repository. They describe a network file system designed to store data securely on untrusted servers. The system lets clients detect any attempts at unauthorized file modification by malicious server operators or users. SUNDR's protocol achieves a property called fork consistency, which guarantees that clients can detect any integrity or consistency failures as long as they see each other's file modifications. An implementation is described that performs comparably with NFS (sometimes better and sometimes worse), while offering significantly stronger security.



    has published a paper on Cloud Storage with Minimal Trust. It supports many strategies for coping with the failure of an SSP. In a single-SSP deployment, clients are configured such that each client stores a copy of the data that it authors. If the SSP fails, clients can ensure availability by exchanging metadata with each other directly and by using the data stored at the authoring clients. If the SSP later recovers, clients can continue using the SSP (after sending the missed updates to the SSP servers).




    [4] Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan have published a paper on Protecting Confidentiality with Encrypted Query Processing. The authors present a system that explores an intermediate design point to provide confidentiality for applications that use database management systems (DBMSes). CryptDB leverages the typical structure of database-backed applications, consisting of a DBMS server and a separate application server; the latter runs the application code and issues DBMS queries on behalf of one or more users. CryptDB's approach is to execute queries over encrypted data, and the key insight that makes it practical is that SQL uses a well-defined set of operators, each of which we are able to support efficiently over encrypted data.

    [5] Luca Ferretti, Michele Colajanni, and Mirco Marchetti have published a paper on Supporting Security and Consistency for Cloud Database. They proposed a novel architecture that allows cloud customers to leverage untrusted DBaaS with the guarantee of data confidentiality. Unlike previous solutions, our architecture does not rely on a trusted proxy, and allows multiple distributed clients to execute SQL queries concurrently and independently on the same encrypted database. All the encryption and decryption operations are carried out by a software module that is executed on each client machine. Their design choice does not introduce any bottleneck or single point of failure because clients connect directly to the cloud database. Moreover, our architecture guarantees the same availability, scalability and elasticity of the unencrypted DBaaS and it is applicable to any commercial DBaaS because it does not require modifications to the database.



    Chapter 5

    Methodology


    5.1 Design of framework

    This framework is the prime step towards achieving the goals of the cloud infrastructure. In this section, the details of the proposed framework are highlighted, and the sections below describe the components and their implementations.

    Figure presents the architecture of the proposed framework. The service component, including the run-time server, represents the application layer where services are deployed using a Web Service container.

    5.1.1 Cloud Database server

    This section describes the database server component, which is located at the Cloud infrastructure resource level. We first explain its design and later present the implementation details.

    5.1.2 Communication mechanism

    The implemented communication model is a sort of queuing mechanism. It realizes an inter-process communication for passing messages within the cloud infrastructure and between components of the cloud server framework, because the components can run on different machines at different locations. This queue makes the communication mechanism highly efficient and scalable.




    5.2 Algorithms of Existing System

    Algorithm 1

    Input: Request for cloud database.

    Output: Secure cloud database access to user.

    Begin

    1. Tenant wants to store and process remotely.

    2. Tenant sends request to CSP

    3. Authenticates tenant

    4. If(n=1)

    5. Access to database

    6. Else

    7. Response with no access

    8. CSP sends cloud decrypted data and metadata and encrypted tables.

    9. Tenant operates on remote data.

    10. Metadata updated before tenant exit the system.
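
    The client-side encryption module and the encrypted metadata kept on the untrusted database, as described in Chapter 1 and in the survey of [5], shown as an added Python example; it is not code from this report or from SecureDBaaS. Assumptions: an in-memory sqlite3 connection stands in for the cloud database, HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for a vetted AEAD cipher, and the names `Client`, `seal`, `unseal`, `provider_view`, the `metadata` table layout and the keyed metadata id are all hypothetical.

```python
import hashlib, hmac, json, os, sqlite3

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream = HMAC-SHA256 in counter mode: stdlib stand-in for AES-CTR (assumption).
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    # Check the tag first so provider-side tampering is rejected, not decrypted.
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("stored ciphertext or metadata failed authentication")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class Client:
    """Hypothetical tenant-side module: holds the master key, connects directly."""
    def __init__(self, master_key: bytes, conn: sqlite3.Connection):
        self.key, self.db = master_key, conn
        self.db.execute("CREATE TABLE IF NOT EXISTS metadata (id TEXT PRIMARY KEY, blob BLOB)")

    def _meta_id(self, table: str) -> str:
        # Keyed digest of the plaintext name: key holders find the row, the provider cannot invert it.
        return _prf(self.key, b"meta:" + table.encode()).hex()

    def _load_meta(self, table: str) -> dict:
        row = self.db.execute("SELECT blob FROM metadata WHERE id = ?",
                              (self._meta_id(table),)).fetchone()
        if row is None:
            raise KeyError(table)
        return json.loads(unseal(self.key, row[0]))

    def create_table(self, table: str, columns: list) -> None:
        # Random pseudonyms for the table and column names, one random key per column.
        meta = {"table": "t_" + os.urandom(8).hex(),
                "cols": {c: {"name": "c_" + os.urandom(8).hex(),
                             "key": os.urandom(32).hex()} for c in columns}}
        ddl = ", ".join(f'{m["name"]} BLOB' for m in meta["cols"].values())
        self.db.execute(f'CREATE TABLE {meta["table"]} ({ddl})')
        self.db.execute("INSERT INTO metadata VALUES (?, ?)",
                        (self._meta_id(table), seal(self.key, json.dumps(meta).encode())))

    def insert(self, table: str, record: dict) -> None:
        meta = self._load_meta(table)  # metadata always comes back from the cloud
        names = ", ".join(meta["cols"][c]["name"] for c in record)
        cells = [seal(bytes.fromhex(meta["cols"][c]["key"]), str(v).encode())
                 for c, v in record.items()]
        marks = ", ".join("?" * len(cells))
        self.db.execute(f'INSERT INTO {meta["table"]} ({names}) VALUES ({marks})', cells)

    def select_all(self, table: str) -> list:
        meta = self._load_meta(table)
        names = ", ".join(m["name"] for m in meta["cols"].values())
        rows = self.db.execute(f'SELECT {names} FROM {meta["table"]} ORDER BY rowid')
        return [{c: unseal(bytes.fromhex(meta["cols"][c]["key"]), cell).decode()
                 for c, cell in zip(meta["cols"], row)} for row in rows]

def provider_view(conn: sqlite3.Connection) -> bytes:
    """Everything the provider can read: schema text plus every stored cell."""
    seen = b""
    tables = conn.execute("SELECT name, sql FROM sqlite_master WHERE type = 'table'").fetchall()
    for name, sql in tables:
        seen += sql.encode()
        for row in conn.execute(f"SELECT * FROM {name}"):
            seen += b"".join(c if isinstance(c, bytes) else str(c).encode() for c in row)
    return seen

def demo():
    cloud = sqlite3.connect(":memory:")  # constructed stand-in for the untrusted DBaaS
    master = os.urandom(32)              # known to the tenant's clients, never to the cloud
    a, b = Client(master, cloud), Client(master, cloud)
    a.create_table("patients", ["name", "diagnosis"])
    a.insert("patients", {"name": "alice", "diagnosis": "flu"})
    b.insert("patients", {"name": "bob", "diagnosis": "asthma"})  # b holds no local state from a
    return b.select_all("patients"), provider_view(cloud)
```

    Client `b` recovers the table layout and column keys only from the encrypted metadata row stored in the database itself, which is why no proxy or shared client-side state is needed; `provider_view` returns what an honest-but-curious provider could inspect.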




    Chapter 6






    Chapter 7






    Chapter 8





    Chapter 9





    Chapter 10

    Conclusion


    The proposed architecture guarantees the confidentiality of data stored in public cloud databases. It yields better performance characteristics through minimal latency and improved throughput. The proposed architecture does not require modifications to the cloud database, and it can be immediately applicable to existing cloud DBaaS, such as the PostgreSQL Plus, Cloud Database, Windows Azure, Amazon S3 and Xeround.





    [1] Cheng-Kang Chu, Sherman S. M. Chow, Wen-Guey Tzeng, Jianying Zhou, and Robert H. Deng, "Key-Aggregate Cryptosystem for Scalable Data Sharing in Cloud Storage," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, 2014.

    [2] S. G. Akl and P. D. Taylor, "Cryptographic Solution to a Problem of Access Control in a Hierarchy," ACM Transactions on Computer Systems (TOCS), vol. 1, no. 3, pp. 239-248, 1983.

    [3] G. C. Chick and S. E. Tavares, "Flexible Access Control with Master Keys," in Proceedings of Advances in Cryptology CRYPTO '89, ser. LNCS, vol. 435. Springer, 1989, pp. 316-322.

    [4] W.-G. Tzeng, "A Time-Bound Cryptographic Key Assignment Scheme for Access Control in a Hierarchy," IEEE Transactions on Knowledge and Data Engineering (TKDE), vol. 14, no. 1, pp. 182-188, 2002.

    [5] G. Ateniese, A. D. Santis, A. L. Ferrara, and B. Masucci, "Provably-Secure Time-Bound Hierarchical Key Assignment Schemes," J. Cryptology, vol. 25, no. 2, pp. 243-270, 2012.

    [6] R. S. Sandhu, "Cryptographic Implementation of a Tree Hierarchy for Access Control," Information Processing Letters, vol. 27, no. 2, pp. 95-98, 1988.

    [7] Y. Sun and K. J. R. Liu, "Scalable Hierarchical Access Control in Secure Group Communications," in Proceedings of the 23rd IEEE International Conference on Computer Communications (INFOCOM '04). IEEE, 2004.

    [8] Q. Zhang and Y. Wang, "A Centralized Key Management Scheme for Hierarchical Access Control," in Proceedings of IEEE Global Telecommunications Conference (GLOBECOM '04). IEEE, 2004, pp. 2067-2071.

    [9] M. J. Atallah, M. Blanton, N. Fazio, and K. B. Frikken, "Dynamic and Efficient Key Management for Access Hierarchies," ACM Transactions on Information and System Security (TISSEC), vol. 12, no. 3, 2009.

    [10] J. Benaloh, M. Chase, E. Horvitz, and K. Lauter, "Patient Controlled Encryption: Ensuring Privacy of Electronic Medical Records," in Proceedings of ACM Workshop on Cloud Computing Security (CCSW '09). ACM, 2009, pp. 103-114.

    [11] F. Guo, Y. Mu, and Z. Chen, "Identity-Based Encryption: How to Decrypt Multiple Ciphertexts Using a Single Decryption Key," in Proceedings of Pairing-Based Cryptography (Pairing '07), ser. LNCS, vol. 4575. Springer, 2007, pp. 392-406.

    [12] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data," in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06). ACM, 2006, pp.