Security Analysis and Improvement of a Dynamic-Hash-Table Based Auditing Scheme for Cloud Storage

Abstract

Cloud storage has emerged as a promising solution to the scalability problem of massive data management for both individuals and organizations, but it still faces some serious limitations in reliability and security. Recently, Tian et al. proposed a novel public auditing scheme for cloud storage (DHT-PA) based on dynamic hash table (DHT), with which their scheme achieves higher efficiency in dynamic auditing than the state-of-the-art schemes. They claimed that their scheme is provably secure against forging data signatures under the CDH assumption. Unfortunately, by presenting a concrete attack, we demonstrate that their scheme is vulnerable to the signature forgery attack, i.e., the cloud service provider (CSP) can forge a valid signature of an arbitrary data block. Thus, a malicious cloud service provider can pass the audit without correct data storage. The cryptanalysis shows that DHT-PA is not secure for public data verification. The purposed of our work is to help cryptographers and engineers design/implement more secure and efficient identity-based public auditing schemes for cloud storage by avoiding such kind of attacks.

1 Introduction

With the explosive growth of data in today’s world, the significance of cloud storage service is more and more highlighted [1]. Taking the advantages of elastic storage, ubiquitous access and affordable management, cloud storage providers have attracted an increasing number of individuals and organizations to enjoy this service, such as Microsoft Skydrive, Amazon S3 and Google cloud storage [2,3,4]. By shifting the data from their local storage system to the remote cloud server, individuals and organizations can greatly relieve themselves from the burden of data management and maintenance. Regardless of these benefits, outsourcing the local data to a remote cloud server still faces some security and privacy challenges. For example, the cloud infrastructure may suffer from some inevitable failures that leads to a data corruption, but the cloud service provider (CSP) may hide the accident to avoid financial loss [5]. Therefore, maintaining the integrity and privacy of cloud data is a key point for prompting the serviceability of cloud storage.

To address the security issues, many public auditing schemes have been proposed to verify the integrity of cloud data, which allow an honest-but-curious public auditor (also called trusted public auditor, TPA) verify the integrity of outsourced data periodically without downloading the entire data file from the remote cloud server. Ateniese et al. [6] first presented the notion of Provable Data Possession (PDP) to check the storage correctness of cloud data without downloading the whole file. On the basis of Ateniese et al.’s conception, Shacham and Waters [7] proposed an improved PDP scheme with Boneh-Lynn-Shacham (BLS) signature, which is widely adopted to construct auditing schemes with additional requirements, such as privacy preserving [8, 9] and efficient dynamic auditing [10, 11].

Note that a secure public auditing scheme should enable an external auditor to check the storage correctness of cloud data without learning any content of the data, as the introduced TPA is credible but curious. Otherwise, the TPA can reconstruct the while file by collecting all data blocks after several auditing procedures, so that the data copyright of the owner may be violated. Wang et al. [12] is the first to come up with a privacy-preserving auditing scheme by using the random masking technique. Later, there are many other improved privacy-preserving public auditing protocols have been proposed for higher efficiency, such as [13,14,15,16].

As for the dynamic data auditing, Erway et al. [17] first came up with a dynamic provable data possession (DPDP) scheme by utilizing a ranked-based skip list, but it cannot support public auditing. Then, Wang et al. [18] proposed a dynamic public auditing scheme with Merkle Hash Tree (MHT). However, both the two dynamic auditing schemes would arouse heavy computation and communication costs during the verification and updating processes. In view of these problems, Zhu et al. [19] came up with an efficient dynamic public auditing scheme (IHT-PA) based on an index-hash table (IHT) by storing the auditing metadata in the side of TPA rather than CSP. However, Tian et al. [20] pointed out that IHT-PA is still inefficient in updating procedure, although it can efficiently support dynamic auditing to some degree.

To get a better tradeoff between the dynamic properties and auditing efficiency, Tian et al. [20] presented a new public auditing scheme (DHT-PA) by exploiting the dynamic hash table (DHT) and Boneh-Lynn-Shacham (BLS) signature to achieve dynamic auditing and batch auditing. Tian et al. proved that DHT-PA is much more efficient than IHT-PA at the time of updating data blocks and files. They also claimed that DHT-PA is secure in terms of resisting the signature forgery attack and proof forgery attack. However, we demonstrate that their scheme is vulnerable to signature forgery attack, i.e., the CSP can forge a valid signature of any data block, with which the CSP can further generate a forged auditing proof to pass the TPA’s verification. By providing a new mathematical attack, our work is helpful for cryptographers and engineers to design and implement more secure and efficient identity-based public auditing schemes for cloud storage.

The remainder of this paper is organized as follows: In Sect. 2, we concisely review the scheme proposed by Tian et al. [20]. In Sect. 3, we demonstrate that Tian et al.’s scheme is vulnerable to signature forgery attack, and propose a probable fix to this weakness in Sect. 4. At last, we draw some conclusions for this paper in Sect. 5.

Fig. 1.

The auditing process of Tian et al.’s DHT-PA scheme

2 Review of DHT-PA

In this section, we give a brief review on Tian et al.’s scheme (DHT-PA) about achieving public dynamic data auditing for cloud storage.

To start with, some definition are presented. \( e:G_{1}\times G_{1}\rightarrow G_{2} \) is viewed as a bilinear map, where \( G_{1} \) and \( G_{2} \) are two additive cyclic groups with the same prime order p. \( H:\{0,1\}^{*}\rightarrow G_{1} \) is a secure hash function. Let \( F=\{m_{1},m_{2},\cdots ,m_{n}\} \) denote the outsourced file, which is divided into n blocks.

For the sake of simplicity, we will only describe the first auditing part of DHT-PA with setup phase and verification phase as shown in Fig. 1. And the more details for readers can be referred to [20].

2.1 Setup Phase

• 1) Key initiation: \( (SK=\{\alpha ,sk\},PK=\{g,u,y,pk\}) \) is a key pair generated by the user, where g and u are two different elements in \( G_{1} \), (sk, pk) generated for computing file tags.

• 2) Data information initiation: Let ID be the unique identifier of F. And denotes the latest version information of data blocks, where \( v_{i} \), \( t_{i} \) are the version and timestamp of block \( m_{i} \) respectively. Then, the user sends to the TPA as a delegation of data auditing.

• 3) Signature Generation: The user first computes the signature for each data block \( m_{i} \) as follows:

  $$\begin{aligned} \sigma _{i} = H(v_{i}\Vert t_{i})\cdot u^{m_{i}+H(v_{i}\Vert t_{i})},1 \le i \le n \end{aligned}$$

  (1)

  Then, the user calculates \( \rho = ID\Vert Sig_{sk}(ID) \) as the file tag, where \( Sig_{sk}(ID) \) is the signature of ID under the secret key sk. Finally, the user outsources \( (F,\rho ,{\varvec{\sigma }}) \) to the CSP before deleting them from the local storage, where \({\varvec{\sigma }} = \{\sigma _{i}\}_{1 \le i \le n}. \)

• 4) Tag Generation: Upon receiving the signatures \( \sigma _{i} \), the CSP computes a tag for each data block as follows:

  $$\begin{aligned} \theta _{i} = e(\sigma _{i},y),1 \le i \le n \end{aligned}$$

  (2)

  After that, the CSP will store \( (\rho ,\theta _{i})_{1 \le i \le n} \) along with the file \( F = \{m_{1},m_{2},\cdots ,m_{n}\} \).

2.2 Verification Phase

• 1) File identifier check: The TPA first verifies the file signature \( Sig_{sk}(ID) \) using the public key pk after receiving the tag \( \rho \). If the verification fails, TPA refuse the user’s delegation; otherwise, the TPA launches a challenge for data auditing on behalf of the user.

• 2) Challenge: The TPA randomly selects a c-element subset \( I = \{idx_{1},idx_{2},\cdots , idx_{c}\} \) from the set \( \{1,2,\cdots , n\} \) as the index set of the blocks to be checked. Then it sets \( chal = \{R,(idx_{i},s_{i})\}_{i \in I} \) as the auditing challenge and sends it to the CSP, where \( s_{i} \) is a random number from \( Z_{p} \), \( R = y^{r} \) ( \( r \in Z_{p} \) is also a random number).

• 3) Proof generation: Upon receiving the challenge, the CSP starts to compute the corresponding proof: \( \varTheta = \prod _{i \in I}\theta _{i}^{s_{i}} \), \( M = \sum _{i \in I}s_{i}m_{i} \) and \( \varLambda = e(u,R)^{M} \). Next, it sends \( \{\varTheta , \varLambda \} \) back to TPA as the auditing proof.

• 4) Proof check: To perform the verification, the TPA first computes the value of \( H = \prod _{i \in I}H(v_{i},t_{i})^{s_{i}} \), then it verifies the proof by checking the following equation:

  $$\begin{aligned} \varLambda \cdot e(H\cdot u^{\sum _{i \in I}s_{i}H(v_{i},t_{i})},R) {\mathop {=}\limits ^{?}} \varTheta ^{r}. \end{aligned}$$

  (3)

Fig. 2.

The forgery attack of Tian et al.’s DHT-PA scheme

If holds, the cloud data is stored correctly; otherwise, the data loses its integrity on the remote node.

3 Cryptanalysis of Li et al.’s Scheme

Tian et al. claimed that their DHT-PA is secure because the CSP cannot keep \( m_{i}^{'} \) instead of \( m_{i} \) to pass the audit. However, in this section, we will analyze the security of DHT-PA on verifying the integrity of the outsourced data, and demonstrate that DHT-PA is insecure against the signature forgery attack, i.e., the CSP can create a legal signature of an arbitrary data block \( m_{i}^{'} \). In other words, the CSP can keep \( m_{i}^{'} \) instead of \( m_{i} \) to pass the audit successfully as shown in Fig. 2. Some details about the attack are presented as below.

Assume that the file F to be outsourced is divided into n blocks, i.e., \( F = m_{1}\Vert m_{2}\Vert \cdots \Vert m_{n} \). The signature of each data block \( m_{i} \) is denoted as \( \sigma _{i} \). Let \( \mathscr {A} \) denote the malicious CSP, and it can pass the verification even if it does not correctly store the data by executing the following steps:

• 1) \( \mathscr {A} \) randomly retrieves a signature \( \sigma _{i} \) of the data block \( m_{i} \). As the messages transmitted from a user to the CSP is over public channel, thus the step is easily to for an network adversary \( \mathscr {A} \) as the way referred in [21, 22].

• 2) \( \mathscr {A} \) randomly selects another data block \( m_{i}^{'} \) (\( m_{i}^{'} \ne m_{i} \)), and computes the value of \( \kappa = u^{-m_{i}}u^{m_{i}^{'}} \) due to the fact that \( m_{i}\), \( m_{i}^{'}\) and u are public to the CSP.

• 3) \( \mathscr {A} \) computes \( \sigma _{i}^{'} = \sigma _{i}\cdot \kappa \), and outputs it as the signature of data block \( m_{i}^{'} \). Since \( \sigma _{i} = H(v_{i}\Vert t_{i})\cdot u^{m_{i}+H(v_{i}\Vert t_{i})} \), we would get

  $$\begin{aligned} \begin{aligned} \sigma _{i}\cdot \kappa&= H(v_{i}\Vert t_{i})\cdot u^{m_{i}+H(v_{i}\Vert t_{i})} \cdot u^{-m_{i}}u^{m_{i}^{'}} \\&= H(v_{i}\Vert t_{i})\cdot u^{m_{i}^{'+H(v_{i}\Vert t_{i})}} \\&= \sigma _{i}^{'} \end{aligned} \end{aligned}$$

  Obviously, \( \sigma _{i}^{'} \) is a valid signature on \( m_{i}^{'} \) according to the above equation.

• 4) Replace \( (m_{i},\sigma _{i})_{1 \le i \le n} \) with \( (m_{i}^{'},\sigma _{i}^{'})_{1 \le i \le n} \).

• 5) Upon receiving the auditing challenge, \( \mathscr {A} \) computes the forged response proof: \( \varTheta ^{'} = \prod _{i \in I}(\theta _{i}^{'})^{s_{i}} \), \( M^{'} = \sum _{i \in I}s_{i}m_{i}^{'} \) and \( \varLambda ^{'} = e(u,R)^{M^{'}} \), where \( \theta _{i}^{'} = e(\sigma _{i}^{'},y) \).

• 6) \( \mathscr {A} \) returns \( (\varTheta ^{'}, \varLambda ^{'}) \) as auditing proof.

  \( \mathscr {A} \)’s response can surely pass the TPA’s verification, we prove it as below:

  $$\begin{aligned} \begin{aligned}&\varLambda ^{'} \cdot e(H\cdot u^{\sum _{i \in I}s_{i}H(v_{i},t_{i})},R) \\&=e(u,R)^{\sum _{i \in I}s_{i}m_{i}^{'}}e(\prod _{i \in I}H(v_{i}\Vert t_{i})^{s_{i}}\cdot u^{\sum _{i \in I}s_{i}H(v_{i},t_{i})},R) \\&=e(u^{\sum _{i \in I}s_{i}m_{i}^{'}},R)e(\prod _{i \in I}H(v_{i}\Vert t_{i})^{s_{i}}\cdot u^{\sum _{i \in I}s_{i}H(v_{i},t_{i})},R) \\&=e(\prod _{i \in I}H(v_{i}\Vert t_{i})^{s_{i}}\cdot u^{\sum _{i \in I}s_{i}(m_{i}^{'}+H(v_{i},t_{i}))},R) \\&=e(\prod _{i \in I}(H(v_{i}\Vert t_{i})\cdot u^{m_{i}^{'}+H(v_{i},t_{i})})^{s_{i}},g^{r\cdot \alpha }) \\&=e(\prod _{i \in I}(\sigma _{i}^{'})^{s_{i}},g^{\alpha })^{r} \\&=\prod _{i \in I}e(\sigma _{i}^{'},y)^{s_{i}r} \\&=(\varTheta ^{'})^{r} \end{aligned} \end{aligned}$$

Hence, the proof \( (\varTheta ^{'}, \varLambda ^{'}) \) provided by \( \mathscr {A} \) can certainly pass the verification of TPA without being detected when it does not store the user’s data correctly. In other words, a malicious CSP can hide the corrupted data blocks caused by hardware/software failures; and it also can replace the large data blocks with smaller ones or directly deletes the unfrequently accessed data for space saving. So DHT-PA is not secure as an auditing scheme.

4 Possible Countermeasure

In the above attack, \( \mathscr {A} \) just uses the value of \( \kappa = u^{-m_{i}}\cdot u^{m_{i}^{'}} \) to compute a legal signature \( \sigma _{i}^{'} \) for another data block \( m_{i}^{'} \), and then constructs a legal proof to pass the TPA’s audit. Therefore, to withstand this attack, we should prevent \( \mathscr {A} \) from computing \( \kappa = u^{-m_{i}}\cdot u^{m_{i}^{'}} \) to derive a valid signature. To achieve this goal, we can modify the Signature Generation step and Tag Generation step as follows.

Signature Generation: Given each data block \( m_{i} \) and public key u, the user generates a corresponding signature \( \sigma _{i} \) by following equation:

$$\begin{aligned} \sigma _{i} = (H(v_{i}\Vert t_{i})\cdot u^{m_{i}+H(v_{i}\Vert t_{i})})^{\alpha } \end{aligned}$$

(4)

where \( \alpha \) is the user’s private key generated in Key Initiation step. Next, the user sends (\( F, \rho , {\varvec{\sigma }} \)) to the CSP, where \( \rho = ID\Vert Sig_{sk}(ID) \), \({\varvec{\sigma }}=\{\sigma _{i}|1 \le i \le n\} \).

Compared to the Eq. (1), we exploit the private key to sign the data block, with which \( \mathscr {A} \) is not able to obtain the forged signature \( \sigma _{i}^{'} \), because nobody knows the private key \( \alpha \) except the data owner.

Tag Generation: Based on the received signature \( \sigma _{i} \), the CSP generates a tag \( \theta _{i} \) for each data block \( m_{i} \), namely,

$$\begin{aligned} \theta _{i} = e(\sigma _{i},g) \end{aligned}$$

(5)

Compared to the Eq. (2), we replace the public key y with g which are both generated in Key Initiation step.

As for the verification phase, it does not need to have any modification. Now, we verify the correctness of Eq. (3) based on the Eq. (4) and Eq. (5) as follows:

$$\begin{aligned} \begin{aligned}&\varLambda \cdot e(H\cdot u^{\sum _{i \in I}s_{i}H(v_{i},t_{i})},R) \\&=e(u,R)^{\sum _{i \in I}s_{i}m_{i}}e(\prod _{i \in I}H(v_{i}\Vert t_{i})^{s_{i}}\cdot u^{\sum _{i \in I}s_{i}H(v_{i},t_{i})},R) \\&=e(u^{\sum _{i \in I}s_{i}m_{i}},R)e(\prod _{i \in I}H(v_{i}\Vert t_{i})^{s_{i}}\cdot u^{\sum _{i \in I}s_{i}H(v_{i},t_{i})},R) \\&=e(\prod _{i \in I}H(v_{i}\Vert t_{i})^{s_{i}}\cdot u^{\sum _{i \in I}s_{i}(m_{i}+H(v_{i},t_{i}))},R) \\&=e(\prod _{i \in I}(H(v_{i}\Vert t_{i})\cdot u^{m_{i}+H(v_{i},t_{i})})^{s_{i}},g^{r\cdot \alpha }) \\&=e(\prod _{i \in I}(H(v_{i}\Vert t_{i})\cdot u^{m_{i}+H(v_{i},t_{i})})^{\alpha \cdot s_{i}},g^{r}) \\&=e(\prod _{i \in I}(\sigma _{i})^{s_{i}},g)^{r} \\&=\prod _{i \in I}e(\sigma _{i},g)^{s_{i}r} \\&=\prod _{i \in I}\theta _{i}^{s_{i}r} \\&=(\varTheta )^{r} \end{aligned} \end{aligned}$$

Remark. From the above correctness analysis, we can see that the proposed countermeasure can be used to audit the cloud data at the cost of only small performance loss in computing block signatures. By adding a random exponent to the original tag, it will break the linear relationship between different message tags. And from this point, it may improve the security level of the original DHT-PA scheme by avoiding the attack described in Sect. 3.

5 Conclusion

In this paper, we reviewed the scheme DHT-PA proposed by Tian et al. [20], which is a public auditing scheme using the dynamic hash table to support dynamic auditing. Tian et al. claimed that DHT-PA is secure due to the unforgeability of data signatures and auditing proofs. However, the cryptanalysis of their DHT-PA scheme demonstrates that a malicious CSP can create a valid signature of any data block, so that it can pass the audit of TPA without correct data storage. Therefore, DHT-PA is not secure for practical application. To address the problem, we come up with a possible countermeasure to enhance the security of DHT-PA. And in the near future, we will be devoted ourselves to design a more secure and efficient public auditing scheme.