AU2021107080A4 - A system and method for storing user’s data securely in a cloud storage - Google Patents

A system and method for storing user’s data securely in a cloud storage Download PDF

Info

Publication number
AU2021107080A4
AU2021107080A4 AU2021107080A AU2021107080A AU2021107080A4 AU 2021107080 A4 AU2021107080 A4 AU 2021107080A4 AU 2021107080 A AU2021107080 A AU 2021107080A AU 2021107080 A AU2021107080 A AU 2021107080A AU 2021107080 A4 AU2021107080 A4 AU 2021107080A4
Authority
AU
Australia
Prior art keywords
key
data
module
password
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
AU2021107080A
Inventor
Malaya Dutta Borah
Ripon Patgiri
Laiphrakpam Dolendro Singh
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Borah Malaya Dutta Dr
Singh Laiphrakpam Dolendro Dr
Original Assignee
Borah Malaya Dutta Dr
Singh Laiphrakpam Dolendro Dr
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Borah Malaya Dutta Dr, Singh Laiphrakpam Dolendro Dr filed Critical Borah Malaya Dutta Dr
Priority to AU2021107080A priority Critical patent/AU2021107080A4/en
Application granted granted Critical
Publication of AU2021107080A4 publication Critical patent/AU2021107080A4/en
Ceased legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • GPHYSICS
    • G09EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09CCIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • G09C1/02Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system by using a ciphering code in chart form
    • GPHYSICS
    • G09EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09CCIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C5/00Ciphering apparatus or methods not provided for in the preceding groups, e.g. involving the concealment or deformation of graphic data such as designs, written or printed messages
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08Randomization, e.g. dummy operations or using noise

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computing Systems (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • Algebra (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention generally relates to a system and method for storing user's data securely in a cloud storage. The system comprisesan identity management module associated with the cloud storage for maintaining identity of a user using an Elliptic-curve Diffie Hellman (ECDH) key exchange protocol, wherein symmetric cryptography is obtained using Advanced Encryption Standard (AES); a password creation module for creating a strong password using a combination of letter, number and a special character using an algorithm that combines user chosen password with a secret number; a key generating module connected to the password creation module for regenerating a secure private key, wherein the secure private key is converted into a prime number, wherein either a pseudo random key is generated or a strong password is generated based on requirement of the user; an insertion module connected to the key generation module for uploading data through a network, wherein the private key is generated if the uploaded data is either greater or equal to 1; a retrieval module connected to the insertion module for issuing a retrieval message upon uploading the data, wherein the retrieval message is computed using Elliptic Curve Diffie Hellman Key Exchange (ECDH) technique; and wherein the uploaded data is encrypted using the private key by converting the uploaded data into a cipher text, wherein the uploaded data is encrypted using a shared secret key and received by the cloud server, wherein the encrypted data is decrypted using the shared secret key allotted to the user for retrieval of the uploaded data. 24 Q Id. 0 t 0

Description

Q Id. 0
t 0
A SYSTEM AND METHOD FOR STORING USER'S DATA SECURELY IN A CLOUD STORAGE FIELD OF THE INVENTION
The present invention relates to a system and methodto store data securely in a cloud storage.
BACKGROUND OF THE INVENTION
Security and privacy are getting much attention due to emerging technologies for instance, Cloud Computing, Big Data, Healthcare etc., and these emerging technologies pose new challenges to overcome. As cloud storage becomes more widely used, data security is becoming more of a problem. User's probably worried about keeping their information private and if they were more confident in the security of their data, millions more people would save it online.
Furthermore, there are a slew of concerns about cloud security and privacy. However, in cloud computing, privacy is a major concern. Password secrecy poses the question, "why should anyone see any password in its raw or encrypted form?" According to Password Database, in order to implement a strict privacy standard in identity management systems, a strict privacy protocol is required. User ID and password should not be mapped together by the identity management. As a result, an identity manager establishes confidentiality. Another concern arises: why should others, including administrators, be able to see the data of their clients? This question suggests a fresh approach to data privacy. Cloud service providers, such as Google Drive, One Drive, Drop box, and I Cloud, store the clients' data, and the customers' administrator can read the users' data. As a result, it necessitates a new cloud computing architecture in which users can keep their secret data in the cloud and have that data remain secret after uploading. Furthermore, it necessitates secure storage even if the cloud storage server is hacked.
In the view of the foregoing discussion, it is clearly portrayed that there is a need to have a system and method to store data securely in a cloud storage.
SUMMARY OF THE INVENTION
The present disclosure seeks to providea system and method to store data securely in a cloud storage. More particularly the present invention relates to a tight security using the client-side symmetric cryptography method. In addition, a forgetful private key is devised to generate or regenerate a private key to encrypt or decrypt based on a secret word. The invention also show how to strengthen the weak password and finally, demonstrate how to implement the Secrecy as a Service model in Cloud Storage using highly unpredictable private keys.
In an embodiment, a system to store data securely in a cloud storage. The system includes an identity management module associated with the cloud storage for maintaining identity of a user using an Elliptic-curve Diffie-Hellman (ECDH) key exchange protocol, wherein symmetric cryptography is obtained using Advanced Encryption Standard (AES). The system further includes a password creation module for creating a strong password using a combination of letter, number and a special character using an algorithm that combines user chosen password with a secret number. The system further includes a key generating module connected to the password creation module for regenerating a secure private key, wherein the secure private key is converted into a prime number, wherein either a pseudo random key is generated or a strong password is generated based on requirement of the user. The system further includes an insertion module connected to the key generation module for uploading data through a network, wherein the private key is generated if the uploaded data is either greater or equal to 1. The system further includes a retrieval module connected to the insertion module for issuing a retrieval message upon uploading the data, wherein the retrieval message is computed using Elliptic Curve Diffie-Hellman Key Exchange (ECDH) technique. The system further includes a retrieval message upon uploading the data wherein the uploaded data is encrypted using the private key by converting the uploaded data into a cipher text, wherein the uploaded data is encrypted using a shared secret key and received by the cloud server, wherein the encrypted data is decrypted using the shared secret key allotted to the user for retrieval of the uploaded data.
In another embodiment, the uploaded data is encrypted upon being converted into an integer using a shared secret key.
In another embodiment, an insertion module comprises steps of converting the uploaded data into an integer during encryption. The insertion module further comprises converting the uploaded data into a cipher text. The insertion module further comprises computing shared secret key using the cipher text and stored in the server, wherein decrypting and retrieving the encrypted data.
In another embodiment, the password creation module uses two arrays, specifically, symbol array and alphabet array, wherein for the two arrays, the size should be a prime number due to hashing.
In another embodiment, the private keys are converted into a prime number, upon checking if the private key is a composite number, wherein generating a random number for correct input.
In another embodiment, at least 3 inputs are taken such as key, seed and bit length of the private key, wherein key is the secret word and seed is initial value for hash function, wherein the random number is generated based on the initial input upon performing iterations equal to the bit length of the private key and least significant bit (LSB) is extracted in each iteration and recorded to produce the private key.
In an embodiment, method to store data securely in a cloud storage is disclosed. The method comprises maintaining identity of a user using an Elliptic-curve Diffie-Hellman (ECDH) key exchange protocol of an identity management module, wherein symmetric cryptography is obtained using Advanced Encryption Standard (AES). The method further comprises creating a strong password using a combination of letter, number and a special character using an algorithm that combines user chosen password with a secret number using a password creation module. The method further comprises regenerating a secure private key using a key generating module connected to the password creation module, wherein the secure private key is converted into a prime number, wherein either a pseudo random key is generated or a strong password is generated based on requirement of the user. The method further comprises uploading data through a network using an insertion module connected to the key generation module, wherein the private key is generated if the uploaded data is either greater or equal to 1. The method further comprises issuing a retrieval message upon uploading the data using a retrieval module connected to the insertion module, wherein the retrieval message is computed using Elliptic Curve Diffie-Hellman Key Exchange (ECDH) technique. The method further comprises converting the uploaded data into a cipher text upon encryption using the private key, wherein the uploaded data is encrypted using a shared secret key and received by the cloud server, wherein the encrypted data is decrypted using the shared secret key allotted to the user for retrieval of the uploaded data.
An object of the present disclosure is to provide a system and a method to store data securely in a cloud storage.
Another object of the present disclosure is to provide tight security by applying access restrictions to all other users, including administrators and attackers.
Yet another object of the present disclosure isto provide a forgetful private key to generate or regenerate a private key to encrypt or decrypt based on a secret word.
Yet another object of the present disclosure is to strengthen the weak password for generating private keys to create a strong deterrence against password attackers.
To further clarify advantages and features of the present disclosure, a more particular description of the invention will be rendered by reference to specific embodiments thereof, which is illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail with the accompanying drawings.
BRIEF DESCRIPTION OF FIGURES
These and other features, aspects, and advantages of the present disclosure will become better understood when the following detailed description is read with reference to the accompanying drawings in which like characters represent like parts throughout the drawings, wherein:
Figure lillustrates a block diagram of a system to store data securely in a cloud storage in accordance with an embodiment of the present disclosure;
Figure 2illustrates a flow chart of a method to store data securely in a cloud storage in accordance with an embodiment of the present disclosure; Figure3 illustrates the architecture of Secret Store. User uploads data using two layered encryption where the server decrypts the first layer but cannot decrypts the second layer encryption. Therefore, the server stores the cipher data in its databasein accordance with an embodiment of the present disclosure; Figure 4 illustrates aninsertion process of Secret Store as client-server modelin accordance with an embodiment of the present disclosure; Figure 5 illustrates a retrieval process of Secret Store as client-server modelin accordance with an embodiment of the present disclosure; and Figure 6 illustrates table 1 depicts P-values and success rates of algorithms 1 for 32, 64 and 128 bits stream for the word "IEEE2021" in NIST SP 800-22 statistical tests in accordance with an embodiment of the present disclosure.
Further, skilled artisans will appreciate that elements in the drawings are illustrated for simplicity and may not have necessarily been drawn to scale. For example, the flow charts illustrate the method in terms of the most prominent steps involved to help to improve understanding of aspects of the present disclosure. Furthermore, in terms of the construction of the device, one or more components of the device may have been represented in the drawings by conventional symbols, and the drawings may show only those specific details that are pertinent to understanding the embodiments of the present disclosure so as not to obscure the drawings with details that will be readily apparent to those of ordinary skill in the art having benefit of the description herein.
DETAILED DESCRIPTION
For the purpose of promoting an understanding of the principles of the invention, reference will now be made to the embodiment illustrated in the drawings and specific language will be used to describe the same. It will nevertheless be understood that no limitation of the scope of the invention is thereby intended, such alterations and further modifications in the illustrated system, and such further applications of the principles of the invention as illustrated therein being contemplated as would normally occur to one skilled in the art to which the invention relates.
It will be understood by those skilled in the art that the foregoing general description and the following detailed description are exemplary and explanatory of the invention and are not intended to be restrictive thereof
Reference throughout this specification to "an aspect", "another aspect" or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure. Thus, appearances of the phrase "in an embodiment", "in another embodiment" and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
The terms "comprises", "comprising", or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a process or method that comprises a list of steps does not include only those steps but may include other steps not expressly listed or inherent to such process or method. Similarly, one or more devices or sub-systems or elements or structures or components proceeded by "comprises...a" does not, without more constraints, preclude the existence of other devices or other sub-systems or other elements or other structures or other components or additional devices or additional sub-systems or additional elements or additional structures or additional components.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The system, methods, and examples provided herein are illustrative only and not intended to be limiting.
Embodiments of the present disclosure will be described below in detail with reference to the accompanying drawings.
Referring to Figure 1, a block diagram of a system (100) to store data securely in a cloud storage is illustrated in accordance with an embodiment of the present disclosure. The system (100) includes an identity management module (102) associated with the cloud storage for maintaining identity of a user using an Elliptic-curve Diffie-Hellman (ECDH) key exchange protocol, wherein symmetric cryptography is obtained using Advanced Encryption Standard (AES).
In an embodiment, a password creation module (104) for creating a strong password using a combination of letter, number and a special character using an algorithm that combines user chosen password with a secret number.
In an embodiment, a key generating module (106) connected to the password creation module for regenerating a secure private key, wherein the secure private key is converted into a prime number, wherein either a pseudo random key is generated or a strong password is generated based on requirement of the user.
In another embodiment, an insertion module (108) connected to the key generation module for uploading data through a network, wherein the private key is generated if the uploaded data is either greater or equal to 1.
In another embodiment, a retrieval module (110) connected to the insertion module for issuing a retrieval message upon uploading the data, wherein the retrieval message is computed using Elliptic Curve Diffie-Hellman Key Exchange (ECDH) technique.
In another embodiment, the uploaded data (112) is encrypted using the private key by converting the uploaded data into a cipher text, wherein the uploaded data is encrypted using a shared secret key and received by the cloud server, wherein the encrypted data is decrypted using the shared secret key allotted to the user for retrieval of the uploaded data.
In another embodiment, the uploaded data (112) is encrypted upon being converted into an integer using a shared secret key.
In another embodiment, an insertion module (108) comprises steps of converting the uploaded data (112) into an integer during encryption. The insertion module (108) further comprises converting the uploaded data (112) into a cipher text. The insertion module (108) further comprises computing shared secret key using the cipher text and stored in the server, wherein decrypting and retrieving the encrypted data.
In another embodiment, the password creation module (104) uses two arrays, specifically, symbol array and alphabet array, wherein for the two arrays, the size should be a prime number due to hashing.
In another embodiment, the private keys are converted into a prime number, upon checking if the private key is a composite number, wherein generating a random number for correct input.
In another embodiment, at least 3 inputs are taken such as key, seed and bit length of the private key, wherein key is the secret word and seed is initial value for hash function, wherein the random number is generated based on the initial input upon performing iterations equal to the bit length of the private key and least significant bit (LSB) is extracted in each iteration and recorded to produce the private key.
Figure 2 illustrates a flow chart of a method (200)to store data securely in a cloud storage is disclosed in accordance with an embodiment of the present disclosure. At step 202, the method 200 includes maintaining identity of a user using an Elliptic-curve Diffie-Hellman (ECDH) key exchange protocol of an identity management module (102), wherein symmetric cryptography is obtained using Advanced Encryption Standard (AES).
At step 204, the method 200 includes creating a strong password using a combination of letter, number and a special character using an algorithm that combines user chosen password with a secret number using a password creation module (104).
At step (206), the method (200) includes regenerating a secure private key using a key generating module (106) connected to the password creation module (104), wherein the secure private key is converted into a prime number, wherein either a pseudo random key is generated or a strong password is generated based on requirement of the user.
At step (208), the method (200) includes uploading data (112) through a network using an insertion module (108) connected to the key generation module (106), wherein the private key is generated if the uploaded data (112) is either greater or equal to 1.
At step (210), the method (200) includes issuing a retrieval message upon uploading the data using a retrieval module (110) connected to the insertion module (108), wherein the retrieval message is computed using Elliptic Curve Diffie-Hellman Key Exchange (ECDH) technique.
At step (212), the method (200) includes converting the uploaded data (112) into a cipher text upon encryption using the private key, wherein the uploaded data (112) is encrypted using a shared secret key and received by the cloud server, wherein the encrypted data is decrypted using the shared secret key allotted to the user for retrieval of the uploaded data (112).
People store their data in cloud storage for secure and permanent storage purposes. Cloud storage ensures that data are available even if a disaster happens, and thus, cloud storage is the safest place to store clients' data. It also protects the data from attackers. However, the data are unprotected from the administrators. Therefore, our proposed system, Secret Store, provides Secrecy as a Service (SaaS) or User Secret as a Service (USaaS) model. User (here, we analogously use user and client) can upload their data to the cloud for secure and permanent storage purposes. The data are encrypted at the client-side to ensure hard secrecy. The server stores the users' encrypted data, but the server cannot decrypt the raw data which is depicted in Figure 3. Therefore, the server stores the encrypted data in its database. Moreover, the server cannot scan viruses due to encrypted data by the user. The key objective of the proposed system is to provide tight security by applying access restrictions to all other users, including administrators and attackers. Therefore, a user can store the most sensitive data at Secret Store. It provides full secrecy with tight security on the data. Data can be accessed exclusively by the owner, and all other users (including the administrators and attackers) are restricted from accessing the data. Thus, a methodology required to store the encrypted data because encryption requires a private key at the client-side, and a user cannot maintain the private key permanently. Therefore, a regenerative private key technique is proposed to encrypt the data at the client-side and upload the encrypted data in cloud storage.
The server uses LDAP (Lightweight Directory Access Protocol) to keep track of its users' identities. LDAP, on the other hand, maintains no confidentiality. As a result, new research suggests that LDAP can be deployed while keeping complete anonymity. User identity data is the most sensitive information, and it should be handled with extreme caution to ensure complete secrecy. A user's validity is ensured by an identity management system. As a result, a thorough examination of identity management systems and the user-server relationship is omitted. The Elliptic-curve Diffie-Hellman (ECDH) key exchange protocol is used in the proposed system, and AES is utilized for symmetric cryptography.
The key storage is the grand challenge for the user because a user cannot store its key permanently in its own devices. The device may be damaged or lost at any time, and it is highly unpredictable. Even a user can switch its platform frequently. Thus, a user requires a regenerative private key. Therefore, the necessary condition for a private key is that it should be reproducible, unpredictable, and cryptographically secure. Initially, a user needs to compute its private keys using Algorithm 1 and convert it into a prime number. The ISPRIME invokes AKS algorithm to check whether a given number is prime or not. The primality check walks towards the nearest prime number using AKS algorithm. This requires a time complexity of (/ogOn) since prime numbers are not rare. A user would like to encrypt its data using two keys; then, the user needs to generate two private keys, i.e., a user can choose its level of encryption t.
Algorithm 1 Algorithm to generate pseudo-random key based on initial input. 1. procedure GENKEY(key 9 seea) 2. j = LENGTH(key) 3. while i > fdo 4. d = MURMUR2(key, j, seed) 5. seed = d 6. e = MURMUR2(key, j, seed) 7. seed=e 8. bin[i]=(dAl) 9. end while 10. P = CONVERTTODECIMAL(bin,/#) 11. flag= false 12. while flag = f alse do 13. flag = ISPRIME(P) 14. P = P +1 15. end while 16. end procedure
Algorithm 1 can reproduce a previously generated private key for correct input. It generates an unpredictable and cryptographically secure random number. Therefore, Algorithm 1 takes three inputs, specifically, key,Band seedwhere the keyis a secret word, Ais the bit length of the private key to be generated, and seeais the initial value for the hash function.
Algorithm 1 iterates flimes to generate a random number based on the initial input. The least significant bit (LSB) is extracted in each iteration. The LSB bits are recorded and used to produce a key. The key size may vary depending on the requirements, for instance, 16 O8 2048.
Figure 4 demonstrates the uploading of user data through a network. A user is asked to input t, depending on the t >1 the private keys are generated. The message is converted into integer m for encryption. Let the private key be the PKi generated by Algorithm 1 where 1 < i< t. The user encrypts the message using t private keys as given in Equation (1). (i = Enc i(m)
(2 = EncPK2(fi)
(3 = EncP3(( 2 )
(1) (t = Enc (KK(t-1)
Equation (1) converts the raw message to cipher text. Now, the user and server compute the shared secret key using ECDH, and let it be SK. The user's cipher texts are encrypted using a shared secret key as given in (2). Therefore, the client encrypts the message using a shared secret key to send it to the server.
(= EncSK((t)(2)
The encrypted message ( in Equation (2) is sent to the server. The server receives the encrypted message ( and decrypts using shared secret SK as given in Equation (3).
(t=Decs( ) (3)
The server decrypts the data (, and retrieves (t, which is also encrypted using several private keys. These encrypted data are stored in the server's database. The server cannot decrypt the (t because the server does not have the private keys. Thus, the administrators cannot retrieve the original (raw) message.
Figure 5 demonstrates the retrieval process (downloading) of data from a server by a client. A client stores its data in cloud storage, and the client issues a retrieval message on the data to read. Therefore, the user and server need to compute the shared secret key using ECDH. The server encrypts the data using the shared secret key given in Equation (4).
(= En"()(4)
The server sent the encrypted message (of Equation (4) to the client. The client receives Trom the server and decrypts the encrypted code (using a shared secret key as given in Equation (5).
(r=DeK() (5)
Now, the user needs to decrypt the message using its private keys. Before decrypts, the client lookup the private keys in cache (local storage). If private keys are found, the client decrypts the message as given in Equation (6). Otherwise, the client regenerates all /private keys using Algorithm 1, and then the client can decrypt the incoming messages.
(t-1) = DecPK(tt)
(t-2) = 0__6K(r- 1)( (t-1))
(t-3) = DecPK(t- 2 ) ((t-2))
(6)
m= Dec 1((1)
Thus, a user decrypts the raw message using its private keys. However, we suggest that should not be too large. The large value of slows down the cryptography process. The ideal value of /is 2; however, it can be increased to more than 2 if the security requirement is high.
Algorithm 2 Generating a strong password using user password and a secret number. procedure GENPASSWORD(password g) A/ph[23], Symbo413],f-0 forpasswordandydo NewPasswor& Symbo[passwora(]%13] VewPasswor=A/hp[passworalj]%23]+32 VewPasswor -Symbo[ e%10 ]
/= 10/gi 0 %23] NlewPasswor=A/hp[passwora] NlewPassword passworaU] end for end procedure
Password-based solutions have an issue of weak passwords that the attacker can easily guess; however, most of the modem password-based solution asks for a combination of alphabet, number, and symbols for a new password. So, Secret Store follows the same rules for creating a new password with length of 8-32 which must have at least an alphabet, a special symbol, and a number. Still, there is a chance of creating a weak password, for instance, abc@1234. Therefore, we present a method to strengthen the weak password by Algorithm 2.
Algorithm 2 uses two arrays, specifically, symbol array and alphabet array. For both the array, the size should be a prime number due to hashing. For instance, the size of the alphabet and symbol array can be 11, 13, 17, 19, and 23, but both the array's size should not be equal. In the algorithm, we assume that a user remembers its password and a number 7. The necessary condition for password length is 8 < / 32 and number size is 4 < Y 10 digits. Therefore, a user needs to enter a password and a number. A user can enter the date of birth (eg.,ddmmyyyy, mmddyyyy, yyyymmdd, ddmmyy, mmddyy, yyddmm, yymmdd, etc.), zip code, mobile number, year, or any number which is greater than three digits and easy to remember. Thus, the output of Algorithm 2 is ":plEI:goAE@tlAE!oAE!i3@m6*t9@bl" "IEEE" and "19630101". Also, it produce a output "*ulAEs2Ql uOAs#c2Je" for the input "Elsevier" and "2021". Similarly, for the input "ACM" and "1947", the output of Algorithm 2 is ":p7TA?k4VC*t9IM@bl". The output of Algorithm 2 is input into Algorithm 1 for generating the private keys. This procedure removes the weakness of the password-based solution. Most of the sensitive users use high quality secret word, for instance, "TIFS@!EEE:2o21" which makes easy to rememberbut difficult for adversaries.
Our proposed system works on regenerative private keys. Unlike a server, a user cannot maintain its private key because the user can change its platform. Moreover, a user device can be damaged or lost at any time, and therefore, it requires a regenerative private key which is highly unpredictable for its adversaries. We assume that a user can remember its secret word to generate or regenerate the private keys.
Table I demonstrates the statistical tests on "IEEE2021" for key generation. If a user lost its private keys, the user can regenerate the private keys using the secret word. Now, a user wants more than one private keys to be generated by the Algorithm 1. Then, Algorithm 1 iterates Aimes to generate the first private key. The algorithm continues with the same key with different seed values for the second private key, and it iterates for another Aimes. Similarly, it continues for the third private key too. Thus, it is not required to maintain the private keys by the users; however, the private keys can be cached in the user's devices for faster processing.
Secret Store provides tighter security than any state-of-the art security protocol. The user encrypts the data before storing it in the cloud and then encrypted the ciphered data using a shared secret key to upload in the cloud. Therefore, Secret Store ensures its security even if the first layer of security is compromised, but the adversary cannot extract the raw data from the user. In any condition, the security is intact. Suppose an adversary gains access to the server and retrieves all the data from Secret Store. The adversary cannot retrieve the raw data even if the adversary can access the server. Moreover, the administrators cannot decrypt the stored data to misuse. Thus, hard secrecy is strictly maintained by Secret Store. In a conventional system, if an adversary is able to gain access to the server, then the adversary can easily read all those data from the server, for instance, wikileaks.org. Our proposed method prevents such kinds of attacks.
Algorithm 2 is designed to strengthen the weak password. A user needs to input two secret codes; particularly, a password and a number. A user requires to remember both password and the number for later usage. The number must be greater than three digits. Therefore, a user can enter the date of birth in any format, zip code, mobile number, year, or any number to Algorithm 2 that can be easy to remember by the user. Let us assume that the password is easy to be guessed the attacker. In that case, the number plays a critical role where the attacker cannot guess the number. An attacker needs to uncover both password and a number for a particular user.
Theorem 1. The probability of breaking the password and the secret number by Brute
force attacker is(1 x ) ~ 0.
Proof Let us assume that the password length is 1. The probability of breaking the
password using Brute-force (BF) attacker is where 8 < I < 32. Let the digit 5 represents the
digits in the number. Now, the probability of breaking the number using BF attacker is as low
as where 4 < Y< 10. Then the total probability of breaking the secret code is given in
Equation (7).
F= Ppasswora)n P771) (7)
The secret number and the password are independent events; therefore, the probability is given in Equation (8). Pt(BF)=P7ipasswora)P7Q)
x (8) For the lowest case, the password's size is /- 8 and secret number size is6-4, then
the probability becomes 26104 0.Similarly, the highest case, the probability becomes 1 0 0 26 32 X101 0
Corollary 1. The probability of not able to break the secret code of SecretStore is
1- x1 0. 261 106
A dictionary attack is another issue in password-based solutions. The attacker collects a massive amount of possible passwords to break the security. Similarly, a dictionary attacker has to constructs an enormous amount of most used numbers to break the security of Algorithm 2. Thus, it adds another complexity for the attackers to break the Algorithm 2. However, most of the users may use year. An attacker may construct a dictionary of the user's date of birth, phone number, year (1950-2021), and zip code, since these are the most common to use in Algorithm 2 but a user may pick any number. Moreover, birthday attack is also an issue of password-based solutions. Birthday attackers try to find two password collisions; however, the secret number can create a strong deterrence to such kinds of attacks. Therefore, our proposed solution provides a good defense on such kind attacks even if a user chooses a weak password or a weak number.
Brute-force attacks: A brute-force attack is the most common attack which accomplishes the attack by performing an exhaustive search in the key space. It can break almost any kind of security, but it may take many years; however, it is a severe attack. Therefore, we propose many levels of encryption to defeat such kinds of attacks. For instance, a client encrypts two times by its private key at t =2 and encrypts it again using a shared secret key. Therefore, it is not possible to attack our proposed system by the brute force attack since the attacker has to break three security layers at t =2.
Cryptanalysis attacks: There are various attacks in computer networking, for instance, DDoS. However, the proposed system follows a symmetric communication protocol; therefore, we do not consider many attacks which are not applicable in our proposed system; for instance, MITM and DDoS attacks are out of the scope of the proposed system.
A cryptanalysis attack is an attack based on the cipher text analysis and reveals the secret keys or retrieves the plaintext. It applies in most symmetric cryptography protocols where studying the cipher text gives a secret key or plaintext pattern. Therefore, it is essential to protect against such kinds of attacks. There are many kinds of Cryptanalysis attacks, particularly cipher text-only, known-plaintext, chosen-cipher text or chosen-plaintext, adaptive chosen-plaintext, related-key attack, frequency analysis, index of coincidence, Boomerang, differential cryptanalysis, linear cryptanalysis, etc. attacks, which are the most commonly known in symmetric cryptography. These attacks are possible one-keyed symmetric cryptography; however, it also takes many years to break the one-keyed cryptography. Our proposed system depends on t key to encrypt before being sent to the receiver, and then, the cipher text is encrypted using a shared secret key. The attacker has to break the first layer of security, and then the attacker can break the t layer of encryption. This system provides a tight coating over a plaintext such that the adversaries cannot retrieve the original message even if the attacker can break the first layer of security.
Dictionary attacks: Diction attacks is accomplished by creating dictionary, i.e., collecting huge set of text to capture the communication. The collected text are used build dictionary of cipher text, and therefore, it becomes easy to break the password-based security. However, it is almost impossible to attack our proposed system using dictionary based attack. On the contrary, our proposed system relies on password-based private-key generation as shown in Algorithm 1. Therefore, it is wise-way to attack the private key generation system rather than the direct attacking on the cipher text.
Probability: Let I be the length of the password, # be the length of private keys, and y be the length of a shared secret key. The probability of breaking guessing the correct
password is where the total sample space is 62 characters, including the upper and
lowercase letters and ten digits excluding special symbols. Therefore, the probability of not
getting correct password is(1 - ). It is a probability ofa brute-force attack. However, the 62
dictionary-based password attack is much simpler, and it is the weakness of all password based solutions. Therefore, the password is strictly composed using at least a capital letter, a small letter, a digit and a special symbol, and a length of at least eight. This restriction makes it difficult for dictionary-based attackers. Let us assume that the probability of guessing a password is 1. Thus, an adversary can generate the private keys; however, the adversary has to break the security of shared secret key encryption. The probability of breaking the shared
secret key is. 2Y The total probability of breaking the entire security is given in Equation (9).
7'ota/probabi/ity-P7Passwora)n P7SecretKey)
=-x (9)
Since the password breaking and encrypting the code using the shared secret keys are independent events. The probability of getting entire private keys without knowing the password is given in Equation (10).
Total probability (10) Since the private keys are dependent on each other, and if an adversary gets the first private key, it is easy to capture entire private keys. However, if an adversary wishes to break security directly from the cipher text, then the total probability is given in Equation (11).
Total probability = 1x x (11)
Equation (11) gives the complexity to break our proposed solutions. Now, the adversary is attacking the private keys without any order, then, Equation (12) gives the total probability.
Total probability = X x (12)
Therefore, the total probability of breaking the proposed security is given in Equation (12). The total probability of not breaking the security of the proposed system is given in Equation (13).
Total probability = 1 - x 1 x (13)
Thus, Equation (13) gives the security tightness of our proposed system. Above analysis shows that it is quite difficult to break the security of our proposed solution for the adversaries due to multiple layer of encryption.
We have conducted a series of rigorous tests to validate the randomness of the generated number in the Ubuntu desktop computer. The computer configuration is as follows- Intel Core i7-7700 CPU @ 3.60GHz x 8, Ubuntu 18.04.5 LTS, 8GB RAM, 1TB HDD, and GCC Version 7.5.0. This experimentation is essential analysis is required to test the randomness of the generated private keys. The generated private keys are reproducible and highly random, as shown in Table I. In the experimental evaluation, we have used "IEEE2021" as a secret word and input it into Algorithm 1. The output is tested in NIST SP 800-22 statistically tests for the approximation entropy, frequency, block frequency, cumulative sums, runs, longest runs, rank, FFT, non-overlapping template, overlapping template, random excursions, random excursions variant, serial, universal, and linear complexity tests.
We have generated 1OM random bits and tested 32bits, 64 bits and 128 bits stream at NIST SP 800-22 test suite. The test results are drawn in Table. The necessary condition for P value is > 0.01 to be accepted as random; otherwise, it cannot be accepted as random. The pass rate of the test indicates the successful test percentage. In this test, the P-value and pass rate are equally important to consider for randomness. Higher P-value and pass rate ensure high randomness in generated private keys. It indicates that there are no patterns in the generated bits. Moreover, it also indicates that it is cryptographically secure due to highly randomness of the generated bits.
The highest P-value of 32bits, 64 bits and 128 bits stream for the secret word for "IEEE2021" are 0.976060, 0.985035 and 0.985035, respectively, with a 100% success rate. The lowest P-value of 32 bits, 64 bits and 128 bits stream for the secret word for "IEEE2021" are 0.066882, 0.018879 and 0.031497, respectively. The lowest success rates of 32 bits, 64 bits, and 128 bits stream for the secret word for "IEEE2021" are 0.96875, 0.96875, and 0.984375, respectively. Thus, this statistical test proves the randomness of proposed private keys.
Secrecy is an urgent requirement to be implemented. Current state-of-the-art cloud storage technology does not implement hard secrecy. On the contrary, the administrator can easily read the users' data and misuse their data. Users' data are not safe from the administrators, and thus, it is required to remove the administrators from the valid and intended users list. However, administrators are valid and intended users by default, but it should be valid and intended users. There is no difference between the administrators and the attackers if they read the users' data without permission. Moreover, administrators should not read any data of users. Why should they read the data of a user? There is no sufficient reason for reading the users' data by the administrators except the recommender systems. Therefore, it is time to remove the administrators from the list of the valid and intended users.
The key weakness of our proposed system lies within the password-based solution. Even though we provide the strengthen mechanism of users' passwords, users may create a weak password that will be easy for adversaries to guess. However, there is another layer of security to protect, i.e., shared secret keys. Our proposed system is quite valuable for storing the most sensitive data in Cloud Storage. Moreover, many users do not want their data to be read by anyone except themselves. It applies to everyone. Many people have secret data to store permanently, but they cannot store it due to valid and employed Mallory in the cloud. Moreover, there is a chance of data leakage, such as Wiki Leaks. Also, there are many techniques available on data leakage prevention, but these works do not consider administrators as a Mallory. Therefore, it creates a difference between Secret Store and state of-the-art data leakage prevention techniques. Our proposed system ensures tight security against data leakage. Another weakness of our proposed system is the many layers of encryption. It slows down the cryptography process. People use low-powered computing devices; therefore, multiple encryptions create computation overhead on such devices. The computation overhead is justifiable when it comes to sensitive data.
The drawings and the forgoing description give examples of embodiments. Those skilled in the art will appreciate that one or more of the described elements may well be combined into a single functional element. Alternatively, certain elements may be split into multiple functional elements. Elements from one embodiment may be added to another embodiment. For example, orders of processes described herein may be changed and are not limited to the manner described herein. Moreover, the actions of any flow diagram need not be implemented in the order shown; nor do all of the acts necessarily need to be performed. Also, those acts that are not dependent on other acts may be performed in parallel with the other acts. The scope of embodiments is by no means limited by these specific examples. Numerous variations, whether explicitly given in the specification or not, such as differences in structure, dimension, and use of material, are possible. The scope of embodiments is at least as broad as given by the following claims.
Benefits, other advantages, and solutions to problems have been described above with regard to specific embodiments. However, the benefits, advantages, solutions to problems, and any component(s) that may cause any benefit, advantage, or solution to occur or become more pronounced are not to be construed as a critical, required, or essential feature or component of any or all the claims.

Claims (7)

WE CLAIM:
1. A system to store data securely in a cloud storage, the system comprises of:
an identity management module associated with the cloud storage for maintaining identity of a user using an Elliptic-curve Diffie-Hellman (ECDH) key exchange protocol, wherein symmetric cryptography is obtained using Advanced Encryption Standard (AES); a password creation module for creating a strong password using a combination of letter, number and a special character using an algorithm that combines user chosen password with a secret number; a key generating module connected to the password creation module for regenerating a secure private key, wherein the secure private key is converted into a prime number, wherein either a pseudo random key is generated or a strong password is generated based on requirement of the user; an insertion module connected to the key generation module for uploading data through a network, wherein the private key is generated if the uploaded data is either greater or equal to 1; a retrieval module connected to the insertion module for issuing a retrieval message upon uploading the data, wherein the retrieval message is computed using Elliptic Curve Diffie-Hellman Key Exchange (ECDH) technique; and wherein the uploaded data is encrypted using the private key by converting the uploaded data into a cipher text, wherein the uploaded data is encrypted using a shared secret key and received by the cloud server, wherein the encrypted data is decrypted using the shared secret key allotted to the user for retrieval of the uploaded data.
2. The system as claimed in claim 1, wherein the uploaded data is encrypted upon being converted into an integer using a shared secret key.
3. The system as claimed in claim 1, wherein insertion module comprises steps of:
converting the uploaded data into an integer during encryption; converting the uploaded data into a cipher text; and computing shared secret key using the cipher text and stored in the server, wherein decrypting and retrieving the encrypted data.
4. The system as claimed in claim 1, wherein the password creation module uses two arrays, specifically, symbol array and alphabet array, wherein for the two arrays, the size should be a prime number due to hashing.
5. The system as claimed in claim 1, wherein the private keys are converted into a prime number, upon checking if the private key is a composite number, wherein generating a random number for correct input.
6. The system as claimed in claim 5, wherein at least 3 inputs are taken such as key, seed and bit length of the private key, wherein key is the secret word and seed is initial value for hash function, wherein the random number is generated based on the initial input upon performing iterations equal to the bit length of the private key and least significant bit (LSB) is extracted in each iteration and recorded to produce the private key.
7. The method to store data securely in a cloud storage, the method comprises of:
maintaining identity of a user using an Elliptic-curve Diffie-Hellman (ECDH) key exchange protocol of an identity management module, wherein symmetric cryptography is obtained using Advanced Encryption Standard (AES); creating a strong password using a combination of letter, number and a special character using an algorithm that combines user chosen password with a secret number using a password creation module; regenerating a secure private key using a key generating module connected to the password creation module, wherein the secure private key is converted into a prime number, wherein either a pseudo random key is generated or a strong password is generated based on requirement of the user; uploading data through a network using an insertion module connected to the key generation module, wherein the private key is generated if the uploaded data is either greater or equal to 1; issuing a retrieval message upon uploading the data using a retrieval module connected to the insertion module, wherein the retrieval message is computed using Elliptic Curve Diffie-Hellman Key Exchange (ECDH) technique; and wherein converting the uploaded data into a cipher text upon encryption using the private key, wherein the uploaded data is encrypted using a shared secret key and received by the cloud server, wherein the encrypted data is decrypted using the shared secret key allotted to the user for retrieval of the uploaded data.
identity management password creation module 102 module 104
key generating insertion retrieval module uploaded module 106 module 108 110 data 112
Figure 1 maintaining identity of a user using an Elliptic maintaining identity of a user using an Elliptic‐curve curve Diffie Diffie‐Hellman Hellman (ECDH) key exchange protocol of an (ECDH) key exchange protocol of an identity management module, wherein symmetric cryptography is obtained using Advanced Encryption 202 Standard (AES) creating a strong password using a combination of letter, number and a special character using an ti t d i bi ti f l tt b d i l h t i 204 algorithm that combines user chosen password with a secret number using a password creation module regenerating a secure private key using a key generating module connected to the password creation 206 module, wherein the secure private key is converted into a prime number, wherein either a pseudo random module, wherein the secure private key is converted into a prime number, wherein either a pseudo random key is generated or a strong password is generated based on requirement of the user uploading data through a network using an insertion module connected to the key generation module, 208 wherein the private key is generated if the uploaded data is either greater or equal to 1 issuing a retrieval message upon uploading the data using a retrieval module connected to the insertion 210 module, wherein the retrieval message is computed using Elliptic Curve Diffie–Hellman Key Exchange (ECDH) technique wherein converting the uploaded data into a ciphertext upon encryption using the private key, wherein the 212 uploaded data is encrypted using a shared secret key and received by the cloud server, wherein the encrypted data is decrypted using the shared secret key allotted to the user for retrieval of the uploaded data
Figure 2
Figure 3 Figure 3
Figure 4
Figure 5 Figure 5
Figure 6 Figure 6
AU2021107080A 2021-08-25 2021-08-25 A system and method for storing user’s data securely in a cloud storage Ceased AU2021107080A4 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2021107080A AU2021107080A4 (en) 2021-08-25 2021-08-25 A system and method for storing user’s data securely in a cloud storage

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
AU2021107080A AU2021107080A4 (en) 2021-08-25 2021-08-25 A system and method for storing user’s data securely in a cloud storage

Publications (1)

Publication Number Publication Date
AU2021107080A4 true AU2021107080A4 (en) 2021-12-02

Family

ID=78716603

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2021107080A Ceased AU2021107080A4 (en) 2021-08-25 2021-08-25 A system and method for storing user’s data securely in a cloud storage

Country Status (1)

Country Link
AU (1) AU2021107080A4 (en)

Similar Documents

Publication Publication Date Title
Devi Importance of cryptography in network security
Kaur et al. Chaos-based joint speech encryption scheme using SHA-1
CN108833390B (en) Matrix transformation-based packet physical layer encryption method
Abusukhon et al. A novel network security algorithm based on private key encryption
CN112737764A (en) Lightweight multi-user multi-data all-homomorphic data encryption packaging method
Poonia et al. Comparative study of various substitution and transposition encryption techniques
Noura et al. A physical encryption scheme for low-power wireless M2M devices: a dynamic key approach
Oleiwi et al. Overview and Performance Analysis of Encryption Algorithms
Khan et al. On secure OFDM system: Chaos based constellation scrambling
Shirole et al. Review paper on data security in cloud computing environment
Ni et al. PHY‐Aided Secure Communication via Weighted Fractional Fourier Transform
Mohamed et al. Confidential algorithm for golden cryptography using haar wavelet
AU2021107080A4 (en) A system and method for storing user’s data securely in a cloud storage
Naidu et al. Data hiding using meaningful encryption algorithm to enhance data security
Pandey et al. Data security using various cryptography Techniques: A Recent Survey
Patgiri et al. SecretStore: A Secrecy as a Service model to enable the Cloud Storage to store user's secret data
Kumar et al. Invo-substitute: Three layer encryption for enhanced e-commerce website security using substitution cipher and involution function
Arshad et al. Hill Matrix and Radix-64 Bit Algorithm to Preserve Data Confidentiality.
Mohamed Wireless Communication Systems: Confidentiality: Encryption and Decryption
Krishnan et al. Modified AES with Random S box generation to overcome the side channel assaults using cloud
Indriani et al. Chat message security enhancement on wlan network using hill cipher method
Choudhury et al. Proposal and implementation of cloud security algorithm to enhance the security of the layers
Geetha et al. Survey on security mechanisms for public cloud data
Kevadia et al. A literature survey on image encryption
Mohamed et al. Cryptography concepts: Confidentiality

Legal Events

Date Code Title Description
FGI Letters patent sealed or granted (innovation patent)
MK22 Patent ceased section 143a(d), or expired - non payment of renewal fee or expiry