02-11-2016, 10:36 AM
1463410666-NewMicrosoftWordDocument2.docx (Size: 31.12 KB / Downloads: 2)
Abstract— Cloud computing is an internet-based
computing, where shared resources, software, and information are
provided with consumers on-demand. They guarantee a way to
share distributed resources and services that belong to different
organizations. In order to build secure cloud environment, data
security and cryptography must be assured to share data through
distributed environment. So, this paper provides more flexibility
and secured communication environment by deploying a new
cryptographic service. This service entails both Quantum Key
Distribution (QKD) and enhanced version of Advanced
Encryption Standard (AES). Moreover, this service solves the key
distribution and key management problems in cloud environment
which emerged through the two implemented modes, on-line and
off-line modes.
INTRODUCTION
Nowadays, computing is categorized according to their
usage pattern. Parallel computing, cluster computing, and
distributed computing are well-known paradigms of these
categories [1]. A parallel computing is a form of computation
where a large task is divided into unrelated smaller tasks in
such a way that these smaller tasks can be concurrently
computed [2]. Whereas, a cluster computing acts a group of
linked computers that are tightly coupled with high speed
networking and work closely together [3]. Moreover, a
distributed computing is a collection of hardware and software
systems that contain more than one processing or storage
element but appearing as a single coherent system running
under a loosely or tightly controlled regime [4]. The computers
in the distributed system do not share a memory instead they
pass messages asynchronously or synchronously between them
[5].
The new generation of distributed computing environment
requires integration between distributed computing systems
and networking systems [6], which allows computer networks
to be involved in distributed computing as full participants like
other computing resources such as CPU capacity and
memory/disk space. Emerging trends in distributed computing
paradigm include Grid computing [7], Utility computing [8]
and Cloud computing [9], which have enabled the utilization of
a wide variety of distributed computational resources as a
unified resource. These emerging distributed computing
technologies, with the rapid development of new networking
technologies, are changing the entire computing paradigm
toward a new generation of distributed computing. This paper
discusses in detail the well-known emerging technology in
distributed computing is cloud computing and focuses on key
management and cryptographic issues in cloud environment.
Cloud computing is a specialized form of Distributed, grid,
and utility computing and it takes a style of grid computing
where dynamically stable and virtualized resources are
available as a service over the internet. Furthermore, cloud
computing technology provides many maturity features such as
on-demand, resources scalability, portal applications, etc.
However, these features influenced by many security issues
(defeating attackers, key distribution and cryptographic
aspects) due an open environment associated with cloud
computing [9].
In spite of different groups try to solve the security issue
in cloud communications, many gaps and threads are still
uncovered or handled. Consequently, in order to overcome
these vulnerabilities and secure those services, cryptographic
security mechanisms are installed and followed in many cloud
environments. The other major issue of Cloud is represented by
data security. Since a proper, cloud service provider
independent security model is not developed yet, there is a loss
of control over data in cloud computing. This is mainly
because of unknown physical location of hardware and
software, absence of cloud security standards, lack of
compliance standards, such as HIPAA [10], SOX[11], and a
risk of data loss due to improper backups or system failures in
the virtualized environment.
So, this paper deploys a secure quantum cryptographic
service in order to secure data transmission channels by
provisioning secret key among cloud’s instances. This service
combined between QKD system and an innovative version of
AES [12], and it is implement on cloud platform which builds
depending on bare-metal Hyber-V hypervisor and system
center manager.
The reset of the paper is organized as follows: Section 2
shows the existing studies related to cryptographic algorithms
and key management in cloud computing, Section 3 describes
the modern cloud cryptographic algorithms, the applied
algorithm and the performance evaluation of this algorithm are
discuss in Section 4, the developed cryptographic service is
explain in Section 5, Section 6 and 7 explain the experimental
environment of cloud computing architecture and discusses in
detail its main building modules including an illustrative
example that represents the main functions used through the
interaction between the main modules, Section8 provides the
empirical analysis for the proposed environment and finally,
Section 9 presents the conclusion and future works.
II. EXISTING STUDY
Different studies’ attempts to solve the security problem in
cloud communications and data security, nevertheless, many
gaps and threads are still uncovered or handled. In the
meantime, all proposed attempts consider the main
cryptography criteria such as data privacy and confidentiality.
For example, Bethencourt et al [11] presented an Attribute
Based Encryption (ABE) model in the cloud environment and
social networks. This model allows the clients to be involved
into two or more groups. To compute the key for the client
involved in two groups the logical expression are used.
However, the drawbacks are the computational cost in ABE
and rekeying the entire in revoked members in the same group.
In case he data are for all then rekeying should be to everyone
connected with the data owner. Consequently, Sun et al.[12]
proposed the model in which the clients are grouped according
to their roles. The clients can access the certain type of data
only. Sometimes it may possible to have two groups may see
the certain data. It is the freedom to the data owner to create the
groups and number roof users in the groups.
Mather et al [13] discuss the inadequate encryption and key
management capabilities currently offered, as well as the need
for multi-entity key management. Moreover, they are discussed
the status of cloud security, the result is a compilation of
security related subjects to be developed on topics like security
management, data security and storage, and identity and access
management. They also explore the unquestionable urge for
more transparency regarding which party provides each
security capability, as well as the need for standardization and
for the creation of legal agreements reflecting operational
Service Level Agreement (SLA’s).
Cutillo et al [14] presented the Simple Shared Key 1-Client
side storage model. With this model, the encryption key (Ka)
will be generated for the attribute and shard with all clients in
the group given by data owner using the public key of the
clients. In case the data owner want to change the data
encryption key (Ka) to revoke a particular client then data
owner needs to change the Ka by Ka’ and again the new key
Ka’ needs to be distributed to everyone. Here the data
decryption key will be stored with the clients. In this, the key
should be transferred only to that group not to all the clients
connected to the network. This is a useful advantage of this
model.
Rawal et al [15] looks for the perfect alliance between
cloud computing and quantum computing, which guarantees
data protection for hosted files on remote computers or servers.
He encrypted heavy duty of data by using the data processing
servers as a quantum computer, which hides input, processing
and output data from malicious and attacks.
Miao Zhou [16] present the tree-based key management in
cloud computing. The fundamental idea of this work is to
design a secure and flexible key management mechanism for
the outsourced data in cloud computing. In this thesis, an
innovative tree-based key management scheme is proposed.
The outsourced database remains private and secure, while
some selected data and key nodes are shared with other parties
in the cloud. Flexibility of key management is achieved and the
security is proved in the standard model. Finally, TABLE I
summarizes the key management and cryptographic studies in
cloud environment and shows the innovative model which
contributed and main pros and cons.
TABLE I. STUDIES OF CLOUD KEY MANAGEMENT
III. MODERN CLOUD CRYPTOGRAPHIC ALGORITHMS
Data in the cloud environment are described as data
transmitted, stored or processed by CSP. Any client or
enterprise applies the same data classification used when the
data are resident on own machine or locally platform.
Therefore, they are applying necessary cryptographic security
requirements to data stored, transmitted or processed by CSP.
The SLA cannot achieve all these requirements; it must be
done by an efficient cryptographic algorithm and
authentication function such as AES, Kerberos, and SHA-256
[17]. Once data is safely transmitted to a CSP, it should be
stored, transmitted and processed in a secure way.
Trust, security, and privacy are some of the challenges
existing in cloud computing, they have grown up to be a major
the cloud environment are encryption and authentication.
Generally, the encryption is a key component to protect data at
rest in the cloud [17]. Whereas, the authentication mechanism
is the process of insuring that both connection sides “CSP side
and the end client side” are trusted and integrity. Employing an
appropriate strength encryption is essential strong encryption is
preferable when data at rest have continuing value for an
extended time period. Many encryption algorithms have been
developed and implemented in order to provide more secured
data transmission process in the cloud computing environment,
such as DES, AES, RC4, Blowfish, and 3DES for symmetric
category [18] and RSA, DH for asymmetric category [19].
In [17], authors implemented the mentioned symmetric and
asymmetric algorithms in order to ensure the data security in a
cloud environment, and examine the performance of such
algorithms, considering the time of the encryption/ decryption
process and the size of the output encrypted files. This study
reveals that the symmetric encryption techniques are faster than
the asymmetric encryption techniques and AES algorithm
guarantees more efficiency from others.
Despite the encryption process uses complex techniques for
random key generation based on mathematical models and
computations, its encryption strategy considered vulnerable. So,
if the intruder is good enough in the mathematical computation
field such quantum attack, he/she can easily decrypt the cipher
and retrieve the original transmitted or stored documents.
Furthermore, a key distribution is another critical issue which
noticed in most modern encryption algorithms. It arises from
the fact that communicating parties must somehow share a
secret key before any secure communication can be initiated,
and both parties must then ensure that the key remains secret. Of
course, direct key distribution is not always feasible due to risk,
inconvenience, and cost factors [18].
In some situations, direct key exchange is possible through
secure communication channel. However, this security can
never guarantee. A fundamental problem remains because, in
principle, any classical private channel can be monitored
passively, without the sender or receiver knowing that the
eavesdropper has taken place [19]. This is because classical
physics-the theory of ordinary-scale bodies and phenomena such
as magnetic tapes and radio signals- allows all physical
properties of an object to be measured without disturbing those
proprieties. So, a Quantum Key Distribution technology (QKD)
overcomes these barriers depending on unconditional security
aspects and quantum physics phenomena [20].
IV. APPLIED ALGORITHM
Data transformation through communication channels needs
highly secured levels; therefore, many cryptographic encryption
algorithms rely on unpredictable complex encryption key. To
assure the strength of such keys, QKD has been integrated and
QAES, a new version of the AES, has been developed [21].
The QAES algorithm developed system incorporates both
the QKD and the AES algorithm in order to provide an
unconditional security level [22] for any cipher system built on
symmetric encryption algorithms or other algorithms. The AES
enhanced version exploits the generated key based QKD in the
encryption /decryption process. Since the unconditional
security depends on the Heisenberg uncertainty principle [19]
[20], instead of the complex mathematical model in key
generation and truly randomness characteristic associated with
quantum key generation [23], more attack resistance is assured
and the cipher system is hard to be attacked. Furthermore, the
randomness characteristic helps to adopt the QT as a source to
generate random numbers that are used with various encryption
algorithms.
The round key session enjoy the dynamic mechanism, in
which the contents of each key session changes consequently in
each round with the change of the key generation. Such dynamic
mechanism aids in solving the mechanism problems like
avoiding the off-line analysis attack, and resistance to the
quantum attack.
Figure 1 examines the performance of our applied algorithm
on private cloud environment (illustrated below), considering
the time of the encryption/ decryption process and the size of the
output encrypted files, this examination implemented using
several input file sizes: 500kb, 1000kb, 1500kb, 2000kb,
3000kb, and 4000kb and the running time is calculated in
milliseconds.
Figure 1. An efficient of QAES on our cloud environment
Comparing the QAES with other encryption algorithms
reflects a higher security level. However, as shown in Eq.2, this
algorithm takes time more than others due to the time required
for quantum key generation (time for quantum negotiation and
time required for the encryption / decryption process) for more
elaborates see [22, 23].
Tqenc =Tqkg+ T (Enc (P)) (1)
Where Tqenc = Total encryption, Tqkg= time for key generation and
T(Enc (P))= time requires by encryption algorithm
V. CRYPTOGRAPHY SERVICE
This section presents a new cryptographic service layer in
the cloud environment, Quantum Cryptography as a Service
(QCaaS), this service provides the secret key provisioning to
VMs’ clients, separating both clients’ cryptographic primitive
and credential accounts based on secure cloud domain. It is
applied to the multiple clients, who renting the VMs,
concurrently. Integrating such service achieves both
confidentiality and integrity protection.
Figure 2. QCaaS architecture
More precisely, figure 2 show that the QCaaS has mini-OS
directly connected with the cloud platform and isolated from
the cloud instances. Consequently, it assures both the
appropriate load for cloud performance optimization and the
client controlling activities (client prevent the cloud
administrator from gained or preserve his own data).
Accordingly, a secured environment for each client’s VMs,
with no possibility for insiders or external attackers, is
guaranteed. To sum up, After the signing in verification and the
VM renting, QCaaS deploys the client wizard and the CSP
wizard to achieve the encryption/decryption processes and
connect to the Quantum Cloud environment see figure in
section.
VI. EXPERIMENTAL CLOUD COMPUTING ENVIRONMENT
In the cloud computing environment many operations such
as the number of VMs, quality of services (QoS), storage
capacity and other features are realized depending on the IaaS
layer. This essential layer helps clients to rent virtual resources
like network, cloud instances, VM and configure them
according their needs. Generally, these VMs provide public
services (web services and self-portal applications) offered to
clients over either the public cloud or the private cloud.
Accordingly, the bare-metal Hyper-V hypervisor and the
System Center 2012 SP1 components are explained and
implemented, these components are: system center virtual
machine manager (SCVMM), system center operation manager
(SCOM), Application controller (APPC), Operation services
manager (OSM), data protection manager (DPM), and
orchestrator (OC). The host server (Cloud Providers) utilizes
the Core i5 (4.8GHz) with 16GB of RAM with 2TB-HDD as
the main hardware. Our cloud environment generates the
encryption keys based on quantum mechanics instead of
mathematics and computations, which in turn, provides
unbroken key and eavesdropper detection.
Our proposed environment aims to (i) improve the
availability and the reliability of the cloud computing
cryptographic mechanisms by deploying both key generation
and key management techniques based on QCaaS layer, (ii)
manipulate heavy computing processes that cannot be executed
using personal computer only.
Generally, our cryptographic service in this environment is
deployed in two implemented modes, online and off line
modes. With online mode, consumer and cloud provider are
directly negotiation in order to encrypted file transmission and
key generation. However, in off-line, the cloud provider
deploys a stream of quantum keys as a Pseudo Random
Number (PRN) [23] which exploit to build the initial key
session (seed) for selected encryption algorithm.
Figure 3. Experimental environment
Figure 3 shows that the our cloud environment consists of
the cloud network that entails the windows server 2012 data
center server and the Hyper-V installations and configurations
with N- full-VMs. These VMs classified as, cloud
infrastructure such SCVMM, SCOM, APPC, SQL, domain
controller (DC), cloud instances (VMs rented from the client),
and VMs for cryptographic processes. Finally, in order to build
sheer knowledge about proposed cryptographic service,
following pseudo code and illustrative example in section
describe the main phases in the proposed cloud environment.
VII. ILLUSTRATIVE EXAMPLE
This is a simple example that illustrates the sending
operation done by the QCaaS using online connection and
explains the corresponding results and actions taken by the
system.